

























Last updated on 19 June.
A dataset containing valid administrative and VPN credentials for tens of thousands of Fortinet FortiGate firewalls has been attributed to a Russian-speaking threat group, with confirmed impacts across government, critical infrastructure, and multinational corporations. Organizations should verify exposure immediately and rotate credentials.
On June 13, 2026, security researcher Volodymyr "Bob" Diachenko reported on the "FortiBleed" dataset, which allegedly contains valid administrative and SSL VPN credentials for approximately 73,932 FortiGate firewall URLs across 194 countries and more than 21,600 domains. Diachenko attributed the campaign to a Russian-speaking threat group.
Cybersecurity researcher Kevin Beaumont and threat intelligence firm Hudson Rock subsequently validated portions of the dataset. Beaumont confirmed that sampled administrative credentials were authentic. Many affected devices reportedly remained online at the time of disclosure, ran recent FortiOS versions, and had management interfaces exposed to the internet.
Affected organizations span government, telecommunications, financial services, healthcare, manufacturing, and critical infrastructure sectors, including multinational corporations.
According to Diachenko's investigation, threat actors:
Researchers assessed that the dataset likely originated from exported FortiGate configuration files, which enabled offline credential recovery without ongoing access to the targeted devices.
The FortiBleed dataset covers organizations in 194 countries. Confirmed or reported compromises include organizations in Japan, Taiwan, Vietnam, Iraq, and Türkiye. Among those affected is a Turkish NATO defense contractor from which threat actors allegedly exfiltrated classified documents.
Several factors make FortiBleed a high-priority incident:
Insikt Group analysts identified malicious activity originating from the IP address 85[.]11[.]187[.]8, which is linked to the FortiBleed attacks, during internal analysis and associated it with AS211486 within the 85[.]11[.]187[.]0/24 range. Analysts observed HTTP activity on port 9999 on June 7, 2026, and SSH, VNC, RDP, and additional attack-capture-related activity from June 14 to June 15, 2026.
A June 18, 2026 PwnDefend blog post corroborated these findings by independently identifying 85[.]11[.]187[.]8 as a source IP associated with the FortiBleed campaign. The overlap between Insikt Group's internal findings and subsequent public reporting increases confidence in this IP's association with FortiBleed-related credential harvesting, cracking, and follow-on network access activity.
Immediate actions if your organization runs Fortinet:
Recorded Future customers with affected domains will receive automated credential alerts if their organization is in the dataset as sources are ingested into the Platform. Customers can find the main source in the platform as FortiBleed URL, Login, Password (ULP) Credential Leak.
Recorded Future customers can access the full Analyst Note and FortiBleed Intelligence Card in the Recorded Future Portal for additional indicators, affected organization context, and threat actor attribution detail.
Learn how to stay ahead of emerging threats. Understand all of the critical vulnerabilities that may be affecting your organization. Speak to our threat intelligence experts today.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。