Threat Brief: Mitigating Large-Scale Credential Attacks

Unit 42 reported the “FortiBleed” campaign, a large-scale password spraying and credential theft operation targeting internet-exposed Fortinet devices, with attempted targeting of MSSQL services and reports that Sophos devices were also affected. The attackers use curated password lists, steal configuration files and stored credentials, then crack and reuse those credentials to gain persistent administrative access; an alleged credential seller has also appeared on Exploit[.]in. #FortiBleed #Fortinet #Sophos #MSSQL #Exploitin

Keypoints

  • Unit 42 identified a large-scale password spraying and credential theft campaign against internet-exposed Fortinet devices.
  • The activity was named “FortiBleed” and involved attempted targeting of MSSQL services, with reports that Sophos devices were also affected.
  • Attackers used curated password lists built from prior breaches and successful exploitation to expand future attack attempts.
  • The multi-stage intrusion path included password spraying, configuration extraction, offline cracking of stolen credentials, and reuse for persistence.
  • Depending on privileges, attackers may have abused privilege escalation vulnerabilities before pulling device configuration files that contained stored credentials.
  • An initial access broker on Exploit[.]in claimed responsibility and offered harvested credentials for sale, though Unit 42 had not validated the claim.
  • Recommended defenses include MFA, Zero Trust access, changing default credentials, disabling unused accounts, and patching vulnerable systems.

MITRE Techniques

  • [T1110.003] Password Spraying – Attackers used broad password guessing against exposed services (‘massive internet-wide scanning and password spraying attempts against Fortinet, Sophos and MSSQL services’).
  • [T1005] Data from Local System – They extracted device configuration files and stored credentials from compromised systems (‘pulling device configuration files, including stored credentials’).
  • [T1068] Exploitation for Privilege Escalation – The actor may have used a local privilege escalation vulnerability before collecting configurations (‘Depending on the permissions of their initial access, the actor may exploit a privilege escalation vulnerability’).
  • [T1555] Credentials from Password Stores – Stored credentials were harvested from device configurations (‘pulling device configuration files, including stored credentials’).
  • [T1110.002] Password Cracking – Stolen credentials were cracked offline and reused (‘Offline password cracking of the stolen credentials adds to the password list’).
  • [T1078] Valid Accounts – Compromised credentials were used to log into accounts and maintain administrator access (‘to log into compromised devices to establish persistence as an administrator’).
  • [T1589.001] Gather Victim Identity Information: Credentials – The actors collected and sold harvested credentials (‘offering the harvested credentials for sale’).
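A defender-side illustration of the T1110.003 pattern above, added here and not taken from the Unit 42 report: a source that fails logins against many distinct accounts with only one or two attempts each (lockout avoidance) is a spray, whereas many attempts against one account is classic brute force (T1110 more broadly), so the detector goes slightly beyond the page by separating the two. The events, IP addresses, usernames, service labels and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-failure events (not real telemetry):
# (timestamp, source_ip, username, service)
EVENTS = [
    ("2026-06-16T10:00:01", "203.0.113.7", "admin", "fortigate-admin"),
    ("2026-06-16T10:00:04", "203.0.113.7", "jsmith", "fortigate-admin"),
    ("2026-06-16T10:00:07", "203.0.113.7", "mlee", "fortigate-admin"),
    ("2026-06-16T10:00:09", "203.0.113.7", "backup", "fortigate-admin"),
    ("2026-06-16T10:00:12", "203.0.113.7", "svc_sql", "mssql"),
    ("2026-06-16T10:00:15", "203.0.113.7", "root", "fortigate-admin"),
    ("2026-06-16T10:01:00", "198.51.100.9", "sa", "mssql"),
    ("2026-06-16T10:01:01", "198.51.100.9", "sa", "mssql"),
    ("2026-06-16T10:01:02", "198.51.100.9", "sa", "mssql"),
    ("2026-06-16T10:01:03", "198.51.100.9", "sa", "mssql"),
    ("2026-06-16T10:01:04", "198.51.100.9", "sa", "mssql"),
    ("2026-06-16T10:01:05", "198.51.100.9", "sa", "mssql"),
    ("2026-06-16T10:30:00", "192.0.2.44", "jsmith", "fortigate-admin"),  # single typo, benign
]

WINDOW = timedelta(minutes=10)   # sliding window evaluated per source
SPRAY_MIN_USERS = 5              # distinct accounts hit from one source
SPRAY_MAX_PER_USER = 2           # sprays keep per-account attempts low to dodge lockout
BRUTE_MIN_PER_USER = 5           # brute force: many attempts at one account

def classify_sources(events):
    """Return {source_ip: 'spray' | 'brute_force'} for every source whose
    failed logins inside some WINDOW match one of the two patterns."""
    by_src = defaultdict(list)
    for ts, src, user, _svc in events:
        by_src[src].append((datetime.fromisoformat(ts), user))
    verdicts = {}
    for src, rows in by_src.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            per_user = defaultdict(int)          # attempts per account in this window
            for t, user in rows[i:]:
                if t - start > WINDOW:
                    break
                per_user[user] += 1
            if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
                verdicts[src] = "spray"
                break
            if max(per_user.values()) >= BRUTE_MIN_PER_USER:
                verdicts[src] = "brute_force"
                break
    return verdicts

if __name__ == "__main__":
    print(classify_sources(EVENTS))  # {'203.0.113.7': 'spray', '198.51.100.9': 'brute_force'}
```

Tune the thresholds to the device's lockout policy: a spray that stays just under the lockout count per account is the case the per-user ceiling is meant to catch.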

Indicators of Compromise

  • [Domains/URLs] darkweb forum and reported vendor-facing sources – Exploit[.]in, FortiGate
  • [CVE References] referenced by the alleged threat actor – CVE (unspecified)
  • [Organizations/Products] targeted or mentioned systems – Fortinet devices, Sophos devices, MSSQL services
  • [Dates] darkweb sales post timing – June 16, 2026
  • [Phone Numbers] Unit 42 incident response contact numbers – +1 (866) 486-4842, +44.20.3743.3660

Read more: https://unit42.paloaltonetworks.com/large-scale-credential-attacks/