A Russian-speaking initial access broker is behind FortiBleed, a large-scale credential-harvesting campaign that has targeted more than 430,000 FortiGate firewalls and also affected Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers. The operation uses mass scanning, brute-forcing, and the FortigateSniffer tool to steal credentials and hashes, then crack and reuse them for deeper access and lateral movement.

#FortiBleed #FortigateSniffer #FortiGate #Synology #Sophos #RDWeb #Citrix #MS-SQL #HASHBOT

Key points
- FortiBleed is a credential-harvesting campaign targeting FortiGate firewalls worldwide.
- The attackers use Masscan, Shodan, and custom tools to find and filter exposed devices.
- FortigateSniffer captures authentication traffic from compromised FortiGate systems.
- Stolen hashes and credentials are cracked with Hashmat and Hashtopolis, then reused for access.
- The operation also targets Synology NAS, Sophos firewalls, RDWeb, Citrix SSL-VPNs, and MS-SQL servers.
Read More: https://thehackernews.com/2026/06/fortibleed-targeted-fortigate-firewalls.html