惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AWS News Blog
AWS News Blog
V
Vulnerabilities – Threatpost
D
Darknet – Hacking Tools, Hacker News & Cyber Security
量子位
博客园 - 叶小钗
AI
AI
T
Tor Project blog
Forbes - Security
Forbes - Security
W
WeLiveSecurity
博客园_首页
爱范儿
爱范儿
J
Java Code Geeks
B
Blog
G
GRAHAM CLULEY
aimingoo的专栏
aimingoo的专栏
Cloudbric
Cloudbric
C
CXSECURITY Database RSS Feed - CXSecurity.com
TaoSecurity Blog
TaoSecurity Blog
L
LINUX DO - 热门话题
阮一峰的网络日志
阮一峰的网络日志
有赞技术团队
有赞技术团队
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Simon Willison's Weblog
Simon Willison's Weblog
云风的 BLOG
云风的 BLOG
Google DeepMind News
Google DeepMind News
H
Help Net Security
博客园 - 三生石上(FineUI控件)
C
Cisco Blogs
C
Cybersecurity and Infrastructure Security Agency CISA
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
P
Palo Alto Networks Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recent Commits to openclaw:main
Recent Commits to openclaw:main
博客园 - 司徒正美
The Last Watchdog
The Last Watchdog
Blog — PlanetScale
Blog — PlanetScale
T
The Blog of Author Tim Ferriss
S
Secure Thoughts
Spread Privacy
Spread Privacy
F
Fortinet All Blogs
月光博客
月光博客
大猫的无限游戏
大猫的无限游戏
S
SegmentFault 最新的问题
H
Hackread – Cybersecurity News, Data Breaches, AI and More
A
About on SuperTechFans
Security Latest
Security Latest
Webroot Blog
Webroot Blog
Scott Helme
Scott Helme
Hugging Face - Blog
Hugging Face - Blog

Recorded Future

The Threat Isn’t the Frontier Model Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool Where Expertise Meets Algorithm: The Insikt Group® Intelligence Edge Evaluating Mexico’s New Cybersecurity Plan The Purchase Scam Tactic Headed for the World Cup | Recorded Future The Klue Security Incident and Its Impact on Recorded Future State Digital Surveillance Risk Landscape The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine Cyber-Enabled Maritime Sanctions Evasion Recorded Future Launches Impact and Metrics Dashboard 2026 FIFA World Cup: What Public Safety Officials Need to Know China's Noncombatant Evacuation Operations: 2005–2025 Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars May 2026 CVE Landscape Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage Threats to the 2026 FIFA World Cup Remembering Sir Alex Younger Iran Expands Handala Brand to Physical Threats The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 April 2026 CVE Landscape Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats The Different Types of Payment Fraud and How to Prevent Them Digital Citizenship Glossary: Key Terms Every Internet User Should Know Quantum Risk Explained Threat Activity Enablers: The Backbone of Today’s Threat Landscape Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more. Hacking Embodied AI Working in London at the World’s Largest Intelligence Company Risk Scenarios for the US’s Strategic Pivot Building with AI: Here's What No Briefing Will Tell You Lazarus Doesn't Need AGI The Money Mule Solution: What Every Scam Has in Common From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Critical minerals and cyber operations Today, trust is the superpower that makes innovation possible AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? Evolution of Chinese-Language Guarantee Telegram Marketplaces Emerging Enterprise Security Risks of AI From Bazooka to Fake Nikes Your Supply Chain Breach Is Someone Else's Payday 4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future Iran War: Future Scenario and Business Implications A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day VIP Credential Monitoring Blog Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One. Understanding and Anticipating Venezuelan Government Actions The Iran War: What You Need to Know Day in the Life: Product Manager at Recorded Future Panorama del cibercrimen en América Latina y el Caribe Latin America and the Caribbean Cybercrime Landscape Panorama do cibercrime na América Latina e Caribe Industrialization of the Fraud Ecosystem Blog The Shift: An Era of Quantum Geopolitics ClickFix Campaigns Targeting Windows and macOS 2025 Year in Review: Malicious, Infrastructure 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day Preparing for Russia’s New Generation Warfare in Europe 2025 Cloud Threat Hunting and Defense Landscape GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack Network Intelligence: Your Questions, Global Answers Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026 State of Security Report | Recorded Future From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations Rublevka Team: Anatomy of a Russian Crypto Drainer Operation Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future PurpleBravo’s Targeting of the IT Software Supply Chain Threat and Vulnerability Management in 2026 Best Ransomware Detection Tools December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity Practitioners Reveal What Makes Threat Intelligence Programs Mature GRU-Linked BlueDelta Evolves Credential Harvesting New ransomware tactics to watch out for in 2026 Digital Threat Detection Tools & Best Practices BlueDelta’s Persistent Campaign Against UKR.NET The $0 Transaction That Signaled a Nation-State Cyberattack China’s Zero-Day Pipeline: From Discovery to Deployment Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ What’s Next for Enterprise Threat Intelligence in 2026 Palestine Action: Operations and Global Network Implications of Russia-India-China Trilateral Cooperation GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October 5 Real-Word Third-Party Risk Examples When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors The Bug That Won't Die: 10 Years of the Same Mistake The Hidden Cascade: Why Law Firm Breaches Destroy More than Data Intellexa’s Global Corporate Web The Maturity Gap: The Next Frontier in Threat Intelligence Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media AI Malware: Hype vs. Reality
FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems
Insikt Group® · 2026-06-19 · via Recorded Future

Last updated on 19 June.

A dataset containing valid administrative and VPN credentials for tens of thousands of Fortinet FortiGate firewalls has been attributed to a Russian-speaking threat group, with confirmed impacts across government, critical infrastructure, and multinational corporations. Organizations should verify exposure immediately and rotate credentials.

What's Happening

On June 13, 2026, security researcher Volodymyr "Bob" Diachenko reported on the "FortiBleed" dataset, which allegedly contains valid administrative and SSL VPN credentials for approximately 73,932 FortiGate firewall URLs across 194 countries and more than 21,600 domains. Diachenko attributed the campaign to a Russian-speaking threat group.

Cybersecurity researcher Kevin Beaumont and threat intelligence firm Hudson Rock subsequently validated portions of the dataset. Beaumont confirmed that sampled administrative credentials were authentic. Many affected devices reportedly remained online at the time of disclosure, ran recent FortiOS versions, and had management interfaces exposed to the internet.

Affected organizations span government, telecommunications, financial services, healthcare, manufacturing, and critical infrastructure sectors, including multinational corporations.

How the Attack Was Executed

According to Diachenko's investigation, threat actors:

  • Conducted approximately 1.16 billion credential attempts against 320,777 FortiGate targets
  • Conducted approximately 2.1 billion credential attempts against 163,650 Microsoft SQL Server (MSSQL) systems
  • Intercepted SSL VPN authentication hashes
  • Used a 45-GPU cluster managed through Hashtopolis to crack hashes and recover plaintext credentials
  • Accessed internal Active Directory environments using recovered credentials

Researchers assessed that the dataset likely originated from exported FortiGate configuration files, which enabled offline credential recovery without ongoing access to the targeted devices.

Scale and Impact

The FortiBleed dataset covers organizations in 194 countries. Confirmed or reported compromises include organizations in Japan, Taiwan, Vietnam, Iraq, and Türkiye. Among those affected is a Turkish NATO defense contractor from which threat actors allegedly exfiltrated classified documents.

Why This Matters

Several factors make FortiBleed a high-priority incident:

  • A subset of credentials have been independently verified as authentic
  • Affected devices in many cases remain online with no indication of remediation
  • The campaign's scale (73,932 firewall URLs, 194 countries) makes this one of the largest confirmed FortiGate credential exposures on record
  • Attribution to a Russian-speaking threat group, combined with confirmed targeting of a NATO defense contractor, raises the likelihood of espionage objectives alongside opportunistic access
  • The offline cracking methodology means organizations may have no logs of the initial credential theft

Timeline of Events

  • June 13, 2026: Researcher Volodymyr Diachenko publicly reports the FortiBleed dataset and attributes activity to a Russian-speaking threat group
  • June 13, 2026: Kevin Beaumont publishes analysis confirming sampled credentials are authentic; notes many affected devices remain online and internet-exposed
  • June 13, 2026: Hudson Rock validates portions of the dataset and releases a free FortiBleed lookup tool for organizations to check domain exposure

Recorded Future Independent Analysis

Insikt Group analysts identified malicious activity originating from the IP address 85[.]11[.]187[.]8, which is linked to the FortiBleed attacks, during internal analysis and associated it with AS211486 within the 85[.]11[.]187[.]0/24 range. Analysts observed HTTP activity on port 9999 on June 7, 2026, and SSH, VNC, RDP, and additional attack-capture-related activity from June 14 to June 15, 2026.

Artifacts identified on this infrastructure were consistent with a full credential harvesting and follow-on intrusion workflow, including:

  • A sniffer log associated with Fortinet credential capture (fg_capture.log);
  • Cracking orchestration files tied to Hashcat, Hashtopolis, and Telegram-coordinated tasking (bot.py, hashpanel.log, setup_hashcat.sh, and setup_hashtopolis.sh;
  • Active Directory and LDAP enumeration scripts (ad_enum.py and ad_full_audit.py);
  • Password-spraying tooling (spray_*.sh, spray_*.py, and spray_results.txt);
  • SMB/DFS collection scripts with staged exfiltration capability backup_dfs.py, backup_dfs2.py, spider.py, and smb_test.py); and
  • Log-clearing markers were also present, indicating efforts to remove evidence of activity.

A June 18, 2026 PwnDefend blog post corroborated these findings by independently identifying 85[.]11[.]187[.]8 as a source IP associated with the FortiBleed campaign. The overlap between Insikt Group's internal findings and subsequent public reporting increases confidence in this IP's association with FortiBleed-related credential harvesting, cracking, and follow-on network access activity.

What You Need to Do Now

Immediate actions if your organization runs Fortinet:

  • Rotate all FortiGate admin and SSL VPN credentials immediately
  • Enforce multi-factor authentication on all remote and administrative access
  • Review Fortinet logs for unusual logins, admin sessions, config changes, and new accounts. Consider replacing devices that have had suspicious activity.
  • Restrict or remove internet exposure for management interfaces
  • Patch FortiOS and review hardening settings
  • Hunt for downstream compromise inside the network if exposed credentials were in use

Recorded Future customers with affected domains will receive automated credential alerts if their organization is in the dataset as sources are ingested into the Platform. Customers can find the main source in the platform as FortiBleed URL, Login, Password (ULP) Credential Leak.

Recorded Future customers can access the full Analyst Note and FortiBleed Intelligence Card in the Recorded Future Portal for additional indicators, affected organization context, and threat actor attribution detail.

Learn how to stay ahead of emerging threats. Understand all of the critical vulnerabilities that may be affecting your organization. Speak to our threat intelligence experts today.