Russian Initial Access Broker Behind FortiBleed Campaign

SOCRadar says the FortiBleed campaign is a multi-vendor credential-harvesting operation run by an initial access broker it assesses as likely Russian-speaking. The operation has targeted more than 430,000 FortiGate firewalls and compromised over 110 million credentials. The attackers use Masscan and Shodan to locate exposed devices, FortigateSniffer to capture authentication traffic, and then crack the captured credential data and sell the resulting access; the activity spans FortiGate, Sophos SSL-VPN, RDWeb, Citrix SSL-VPN, MSSQL, and Active Directory environments. #FortiBleed #FortigateSniffer #FortiGate #SOCRadar #CyberStrike

Keypoints

  • FortiBleed targets more than 430,000 FortiGate firewalls worldwide.
  • The operation has been active since at least February and is not limited to Fortinet products.
  • Attackers use FortigateSniffer to capture authentication traffic across 24 protocols.
  • The campaign has already exposed over 110 million credentials through multiple harvesting pipelines.
  • Stolen access is used for lateral movement, data theft, and resale to other threat groups.

Read More: https://www.securityweek.com/russian-initial-access-broker-behind-fortibleed-campaign/