CloudSEK tracked FortiBleed, a large credential-compromise campaign targeting internet-facing Fortinet FortiGate firewalls and SSL VPN gateways, and found that its headline numbers were inflated by registration data, internal realm names, and non-Fortinet devices rather than verified company breaches. The exposed attacker directory revealed Hashtopolis-based cracking infrastructure, reused passwords, post-exploitation Active Directory tooling, and a revenue-sorted access-selling pipeline, with only a small fraction of the attributed entries confirming real internal compromise. #FortiBleed #FortiGate #Hashtopolis #FortiOS #Kerberos
Key points
- The FortiBleed campaign targeted internet-facing Fortinet FortiGate firewalls and SSL VPN gateways worldwide.
- The exposed attacker server contained 319 files showing the full workflow: scanning, cracking, enrichment, quality control, post-exploitation, and access resale.
- The operators used a Hashtopolis 0.14.3 instance and rented Vast.ai GPU workers, with logs indicating about 36 GPUs in use.
- The widely cited 21,632 figure was not a list of verified breached organizations; it mostly reflected FortiGuard registration data and internal Active Directory realm names.
- Password reuse was extensive, with common credentials appearing across many unrelated brands and geographies.
- The toolkit included Active Directory enumeration and spraying scripts such as ad_enum.py, spray_admin.sh, and spray_da.py, showing post-exploitation activity inside victim networks.
- The final output was a revenue-sorted catalogue of SSH and VPN access for sale, and at least one live SSL VPN configuration proved active access into a victim network.
MITRE Techniques
- [T1110.001] Password Guessing - Used in brute-force and password-spraying activity against exposed devices and internal accounts ("brute force" and "spray_admin.sh run Kerberos and SMB password spraying against internal domain controllers").
- [T1110.002] Password Cracking - Used offline hash cracking against captured credentials to build a validated dataset ("offline hash cracking against exposed devices" and "hashes were cracked on a ~45-GPU Hashtopolis cluster").
- [T1595.001] Active Scanning - Used scanners to locate exposed FortiGate interfaces and other web logins ("scanning located exposed FortiGate interfaces" and "the scanners that found targets").
- [T1210] Exploitation of Remote Services - Used working credentials and exposed management interfaces to access devices and pivot into victim networks ("validated credentials were used to pivot into networks" and "live SSL VPN configuration file pointing into a victim network").
- [T1078] Valid Accounts - Leveraged stolen or reused device credentials for authenticated access ("a verified dataset of working device credentials" and "validated credentials").
- [T1003.003] OS Credential Dumping: NTDS - Captured Kerberos-related authentication material and internal AD data from compromised environments ("Kerberos pre authentication data" and "captured from inside their networks").
- [T1087.002] Domain Account Discovery - Enumerated Active Directory objects and admin-related accounts ("enumerate internal Active Directory environments over LDAP - pulling domain administrators").
- [T1046] Network Service Discovery - Tested SMB access and spidered network shares as part of internal reconnaissance ("test SMB access and spider network shares").
- [T1589.001] Gather Victim Identity Information: Credentials - Collected and organized credentials, email domains, and registration details for attribution and targeting ("credential database text file maps each device login to a brand domain" and "contact email supplied at FortiGuard registration").
- [T1105] Ingress Tool Transfer - Deployed tooling and scripts on exposed infrastructure, including automation and cracking components ("tooling, automation scripts, connection strings, scheduled jobs").
Indicators of Compromise
- [IP address] Hashtopolis coordination and exposed attacker infrastructure - 85.11.187.8, 85.11.187.28, and 193.8.187.2
- [IP address] Additional Hashtopolis worker/instance hosts - 185.229.26.83, 213.169.49.142, and three further IPs
- [File name] Cracking and control scripts found on the exposed server - bot.py, hashpanel.log, and panel.js
- [File name] Credential and target datasets - corps.txt, creds_with_pass.txt, and targets_300M_plus.txt
- [File name] Post-exploitation and filtering tools - ad_enum.py, spray_admin.sh, and clean_honeypots.py
- [File name] Live access configuration - vpn5.conf, described as a working SSL VPN configuration into a victim network
- [Hash format / credential artifact] Captured authentication material - legacy salted-SHA256 FortiOS hashes, PBKDF2 hashes, and krb5pa$18200 Kerberos entries
- [Wordlist / file set] Password-spraying wordlists - pass_ahmad, pass_reza, and other named wordlists