SOCRadar uncovered the broader FortiBleed campaign, in which attackers use the FortigateSniffer tool to turn compromised FortiGate firewalls into passive credential stealers across dozens of protocols. The operation has stolen more than 110 million credentials, hit organizations in nearly 200 countries, and is likely run by Russian-speaking threat actors motivated by financial gain. #FortiBleed #FortiGate #FortigateSniffer #SOCRadar #CISA #Fortinet
Key points
- FortiBleed is a large-scale credential harvesting campaign targeting FortiGate firewalls worldwide.
- The FortigateSniffer tool abuses FortiOS diagnostic commands to capture authentication traffic passively.
- Attackers have built 659 harvesting pipelines and stolen more than 110 million credentials.
- The campaign mainly targets SMBs, with a strong focus on the IT services sector and other high-value organizations.
- Defenders should rotate credentials that may have transited an affected firewall, enable MFA, remove management interfaces from internet exposure, and review device logs for signs of compromise immediately.
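To make the log-review step concrete, the following is an added example (written for this page, not code from SOCRadar, Fortinet or the FortiBleed report). It runs simple detection logic over constructed FortiGate-style key=value event lines: it flags any invocation of the FortiOS `diagnose sniffer packet` command, rates it higher when the capture filter targets authentication protocols or runs unbounded, and separately flags admin logins from outside an assumed management network. The field names (`user`, `ui`, `action`, `msg`), the sample lines, the trusted network and the port list are all assumptions for illustration; check them against your own FortiOS version's log output before relying on them.

```python
import ipaddress
import re
import shlex
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Ports whose traffic commonly carries reusable credentials or auth material.
# Assumption: illustrative list, extend it to match your environment.
AUTH_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 88: "kerberos", 110: "pop3",
              143: "imap", 389: "ldap", 445: "smb", 636: "ldaps", 3389: "rdp"}

# Networks from which admin logins to the firewall are expected (assumption).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample events in FortiGate-style key=value syslog format.
# Field names are assumptions for this example, not verbatim FortiOS output.
SAMPLE_LOGS = [
    'date=2024-05-02 time=10:01:12 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.10)" action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2024-05-02 time=10:01:40 type="event" subtype="system" user="admin" '
    "ui=\"ssh(203.0.113.10)\" action=\"execute\" "
    "msg=\"diagnose sniffer packet any 'tcp port 389 or tcp port 636' 6 0\"",
    'date=2024-05-02 time=11:15:03 type="event" subtype="system" user="netops" '
    'ui="ssh(10.0.0.5)" action="login" status="success" msg="Administrator netops logged in successfully"',
    'date=2024-05-02 time=11:15:20 type="event" subtype="system" user="netops" '
    'ui="ssh(10.0.0.5)" action="execute" msg="get system status"',
    'date=2024-05-02 time=11:16:02 type="event" subtype="system" user="netops" '
    "ui=\"ssh(10.0.0.5)\" action=\"execute\" msg=\"diagnose sniffer packet port1 'icmp' 4 10\"",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SRC_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


@dataclass
class Alert:
    rule: str
    severity: str
    user: str
    source_ip: str
    detail: str


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a key=value log line; double-quoted values keep their inner spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze_sniffer(cmd: str) -> Optional[Dict[str, object]]:
    """Split 'diagnose sniffer packet <iface> [filter] [verbose] [count]' into parts.

    Returns None when cmd is not a sniffer invocation. A count of 0 means the
    capture has no packet limit, i.e. it keeps running.
    """
    try:
        toks = shlex.split(cmd)
    except ValueError:
        toks = cmd.split()
    if toks[:3] != ["diagnose", "sniffer", "packet"] or len(toks) < 4:
        return None
    iface, rest = toks[3], toks[4:]
    filt = ""
    if rest and not rest[0].isdigit():
        filt = rest.pop(0)
    if filt.lower() == "none":
        filt = ""
    nums = [int(t) for t in rest if t.isdigit()]
    count = nums[1] if len(nums) > 1 else None
    ports = sorted({int(p) for p in re.findall(r"\bport\s+(\d+)", filt)})
    return {"interface": iface, "filter": filt, "count": count, "ports": ports,
            "auth_ports": [p for p in ports if p in AUTH_PORTS]}


def detect(lines: Iterable[str], trusted_nets=TRUSTED_MGMT_NETS) -> List[Alert]:
    """Run both rules over the event stream and return alerts in log order."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_kv(line)
        user = ev.get("user", "?")
        m = SRC_IP_RE.search(ev.get("ui", ""))
        src = m.group(1) if m else ""
        trusted = bool(src) and any(ipaddress.ip_address(src) in n for n in trusted_nets)

        # Rule 1: successful admin login from outside the management networks.
        if ev.get("action") == "login" and ev.get("status") == "success" and not trusted:
            alerts.append(Alert("admin_login_untrusted_source", "high", user, src,
                                f"admin login from {src or 'unknown'} outside management networks"))

        # Rule 2: any packet-sniffer use; broad or auth-focused captures rate high.
        info = analyze_sniffer(ev.get("msg", ""))
        if info:
            broad = not info["filter"] or info["count"] == 0
            sev = "high" if info["auth_ports"] or broad else "medium"
            alerts.append(Alert("fortios_packet_sniffer", sev, user, src,
                                f"sniffer on {info['interface']} filter={info['filter']!r} "
                                f"count={info['count']} auth_ports={info['auth_ports']}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a.severity:6}] {a.rule:28} user={a.user} src={a.source_ip} {a.detail}")
```

Run against the constructed sample, the untrusted login and the LDAP capture with no packet limit are flagged high, while the short ICMP capture by an operator on the management network is flagged medium as something to verify rather than an incident. In practice, feed the same rules the device's forwarded syslog and correlate sniffer use with the login that preceded it.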