Massive password-stealing attack hits 75k Fortinet firewalls

Jeff Davies, 18 Jun 2026

1. Executive summary

A threat actor has compiled a verified database of working credentials for approximately 75,000 Fortinet / FortiGate firewall devices spanning 21,632 unique corporate domains across 194 countries, in an operation dubbed "FortiBleed" by Hudson Rock. The credentials were obtained by intercepting SSL VPN authentication and cracking harvested hashes on a 45-GPU Hashtopolis cluster, then used (in at least four confirmed cases) to pivot into internal Active Directory environments — including a Turkish NATO defence contractor from which classified defence documents were exfiltrated. Affected named tenants include FoxConn, Samsung, Comcast, Siemens, Lenovo, FedEx, Accenture and Oracle; Kevin Beaumont has independently verified that the credentials are real and that many of the compromised devices are running fairly recent patches. Most compromised devices remain online and reachable. Bottom line for EMEA financial services: any organisation exposing a FortiGate SSL VPN or administrative interface should treat its credentials as compromised, rotate immediately, enforce MFA, and audit for post-authentication activity.

2. Regulatory framing

Each entry gives the article, the trigger (the fact in this item that engages it) and the practical impact.

  • DORA Art. 17 — ICT-related incident management process
      Trigger: Confirmed credential compromise of FortiGate devices at financial entities triggers a documented incident-handling workflow.
      Practical impact: Activate the ICT-related incident management process; record timeline, scope and decisions.
  • DORA Art. 18 — classification of ICT-related incidents and cyber threats
      Trigger: The FortiBleed dataset is a verified, large-scale credential compromise affecting ICT assets supporting business functions.
      Practical impact: Classify the event against the entity's ICT-incident taxonomy; document the severity criteria used.
  • DORA Art. 19 — reporting of major ICT-related incidents to competent authorities
      Trigger: Where the credential compromise leads to confirmed unauthorised access to business-critical systems, the incident meets major-incident criteria.
      Practical impact: Prepare initial, intermediate and final reports to the competent authority within the mandated windows.
  • DORA Art. 28 — ICT third-party risk — general principles
      Trigger: Fortinet is an ICT third-party provider; the leak affects the confidentiality/integrity of ICT services delivered.
      Practical impact: Re-evaluate Fortinet-related third-party risk entries; evidence due diligence in supplier oversight.
  • DORA Art. 29 — preliminary assessment of ICT concentration risk
      Trigger: FortiGate firewalls represent a concentrated ICT dependency; ~50% of internet-exposed FortiGate devices are implicated per Shodan.
      Practical impact: Run a concentration-risk assessment covering the Fortinet footprint and identify substitute/mitigation options.
  • DORA Art. 30 — key contractual provisions with ICT third-party providers
      Trigger: A security incident at an ICT third-party provider engages contractual notification and audit provisions.
      Practical impact: Invoke Fortinet contractual clauses; require vendor root-cause and remediation evidence.
  • NIS2 Art. 21(2)(d) — supply chain security measures
      Trigger: The compromise of a widely-deployed network security vendor is a textbook supply-chain security event.
      Practical impact: Apply supply-chain security controls: asset inventory, patch posture, vendor attestations.
  • NIS2 Art. 23 — incident reporting obligations
      Trigger: Confirmed unauthorised access (e.g. AD pivot, exfiltration of defence documents) at in-scope entities triggers reporting.
      Practical impact: File an early warning within 24h and an incident notification within 72h where the criteria are met.
  • UK NIS 2018 — OES/RDSP duties
      Trigger: UK OES/RDSP operators using FortiGate must treat the leak as a relevant incident affecting network and information systems.
      Practical impact: Notify the ICO/CSIRT under UK NIS incident-reporting duties; record the impact on essential services.

3. Technical analysis & attack chain

  1. Target enumeration. Attackers enumerated Fortinet/FortiGate SSL VPN endpoints at scale. Diachenko reports 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 MSSQL servers, indicating parallel password-spraying / credential-stuffing campaigns.
  2. SSL VPN authentication interception. Credentials were harvested by intercepting SSL VPN authentication flows. The source does not specify whether this was via on-path interception, infostealer logs, or direct extraction from compromised appliances — treat the exact mechanism as unconfirmed.
  3. Offline hash cracking. Harvested hashes were cracked on a 45-GPU Hashtopolis cluster (Hashtopolis is an open-source distributed hash-cracking orchestrator). This indicates offline cracking rather than online brute force for the most expensive targets.
  4. Credential validation. Cracked credentials were validated against the target list to build a "verified working" database of ~75,000 FortiGate logins across 21,632 corporate domains.
  5. Initial access & lateral movement. Validated credentials were used to authenticate to FortiGate SSL VPN and administrative interfaces. From there, attackers pivoted into internal Active Directory environments in at least four confirmed cases.
  6. Impact. At least four organisations fully compromised, including a Turkish NATO defence contractor from which classified defence documents were stolen. Named affected tenants include FoxConn, Samsung, Comcast, Siemens, Lenovo, FedEx, Accenture, Oracle.

Technical specifics that matter to a defender

  • Component targeted: FortiGate SSL VPN and administrative interfaces (no specific CVE is named in the source material).
  • Authentication protocol: SSL VPN (typically HTTPS/TCP 443 on FortiGate, with the SSL VPN portal/login paths).
  • Cracking infrastructure: Hashtopolis-managed 45-GPU cluster — a distributed, browser-orchestrated hash-cracking rig.
  • Pivot target: Internal Active Directory environments.
  • Reach: ~50% of all internet-facing Fortinet firewalls per Shodan; most remain online.
  • Patch state: Many compromised devices are on fairly recent patches, indicating the leak is not solely attributable to unpatched appliances — credential reuse, infostealer logs, or pre-auth interception are likely contributors.

Unconfirmed / single-sourced claims (caveated)

  • Attribution to a "Russian-speaking group" (Diachenko, LinkedIn) is unconfirmed; no MITRE-recognised actor profile is supplied in the verified reference data. Treat as unattributed criminal activity.
  • The exact mechanism of "intercepting SSL VPN authentication" is not specified in the source — it could range from infostealer-derived credentials, to on-path attacks, to exploitation of an undisclosed FortiGate weakness.
  • No CVE number, no specific firmware version range, and no specific malware family is named in the source material.

4. Mitigation & containment

P1 — within 24 hours

  • Rotate all credentials associated with FortiGate SSL VPN, administrative interfaces, local admin accounts, and any reused passwords on the FortiGate (admin, local users, RADIUS/LDAP bind accounts, SNMP, REST API admin tokens).
  • Enforce MFA on every FortiGate administrator account and on SSL VPN users where supported.
  • Audit FortiGate logs (forwarded to SIEM) for the last 90 days for: successful SSL VPN logins from unusual geographies/ASNs, admin logins outside change windows, configuration changes, new admin accounts, and VPN tunnel creations.
  • Isolate any FortiGate with evidence of post-authentication activity (AD queries, lateral SMB, unusual outbound) from production networks pending forensic review.
  • Block / restrict SSL VPN and admin UI exposure at the perimeter to known corporate egress ranges; remove public-internet admin access where feasible.
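The FortiGate log audit in the P1 list above, as an added example (not code from this bulletin, from Adverse Trace or from Fortinet): it parses FortiGate-style key=value SSL VPN event lines and flags two of the behaviours listed, a source that failed logins for several distinct accounts and then succeeded (the spray-then-success fingerprint) and successful logins from outside an expected-source allow-list, which stands in for the geography/ASN check because that needs a GeoIP feed. The log lines, the action values ssl-login-fail/tunnel-up, the thresholds and the allow-list are constructed assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed FortiGate-style SSL VPN event lines (made-up sample data, not real telemetry).
# Field names follow FortiGate's key=value event log layout; the action values are assumed.
SAMPLE_LOGS = """\
date=2026-06-18 time=09:00:01 subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.7
date=2026-06-18 time=09:00:02 subtype="vpn" action="ssl-login-fail" user="jsmith" remip=198.51.100.7
date=2026-06-18 time=09:00:03 subtype="vpn" action="ssl-login-fail" user="mlee" remip=198.51.100.7
date=2026-06-18 time=09:00:04 subtype="vpn" action="tunnel-up" user="mlee" remip=198.51.100.7
date=2026-06-18 time=09:05:00 subtype="vpn" action="tunnel-up" user="akhan" remip=203.0.113.20
date=2026-06-18 time=09:06:00 subtype="vpn" action="tunnel-up" user="akhan" remip=10.20.0.5
"""
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')  # key="quoted value" or key=bare_value

def parse_logs(text):
    """Parse key=value lines into dicts, adding a datetime under 'ts'."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ev = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
              for m in KV_RE.finditer(line)}
        ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events

def spray_then_success(events, min_users=3, window_s=3600):
    """Flag a tunnel-up whose source IP failed logins for >= min_users distinct accounts in the window."""
    fails = defaultdict(list)  # remip -> [(ts, user), ...]
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["remip"]
        if ev["action"] == "ssl-login-fail":
            fails[ip].append((ev["ts"], ev["user"]))
        elif ev["action"] == "tunnel-up":
            recent = {u for ts, u in fails[ip] if (ev["ts"] - ts).total_seconds() <= window_s}
            if len(recent) >= min_users:
                hits.append((ip, ev["user"], len(recent)))
    return hits

def logins_outside_allowlist(events, allowed_nets):
    """Flag successful logins from outside the expected source networks (stand-in for a GeoIP/ASN check)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return [(ev["remip"], ev["user"]) for ev in events if ev["action"] == "tunnel-up"
            and not any(ipaddress.ip_address(ev["remip"]) in n for n in nets)]

if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("spray-then-success:", spray_then_success(evs))
    print("outside allow-list:", logins_outside_allowlist(evs, ["10.0.0.0/8"]))
```

In a real audit, feed the SIEM's exported FortiGate event logs for the 90-day window to parse_logs and raise the thresholds to match the device's normal login volume.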

P2 — within 72 hours

  • Reset Active Directory credentials for any account that authenticated through a FortiGate during the suspected window; force a re-authentication cycle.
  • Hunt for indicators of AD compromise: golden/silver ticket anomalies, unusual Kerberos pre-auth, DCSync, new domain admins, suspicious Group Policy changes.
  • Verify firmware against Fortinet's latest PSIRT-validated release for the model; record the running version and last-upgrade date per device.
  • Engage Fortinet support under DORA Art. 30 to obtain written confirmation of any vendor-side compromise indicators and recommended hardening.

P3 — within 7 days

  • Concentration-risk review (DORA Art. 29): map the Fortinet footprint, identify single-vendor dependencies, and document mitigation options (multi-vendor, compensating controls).
  • Third-party risk file update (DORA Art. 28): record the incident, vendor response, and revised risk rating.
  • Tabletop / lessons-learned: feed the incident into the ICT incident management process (DORA Art. 17) and classification outcome (DORA Art. 18); prepare reporting artefacts (DORA Art. 19 / NIS2 Art. 23 / UK NIS 2018) as required.

5. Indicators of compromise

No specific IP addresses, file hashes, domains, or malware artefacts are provided in the source material. The following behavioural indicators are derived from the campaign description.

Type             Value                                                  Confidence  Source
Tool             Hashtopolis (distributed hash-cracking orchestrator)   High        Diachenko via The Register
Campaign name    FortiBleed                                             High        Hudson Rock
Target surface   FortiGate SSL VPN and administrative interfaces        High        Hudson Rock, Beaumont
Pivot target     Internal Active Directory                              High        Diachenko via The Register
Parallel target  MSSQL servers (163,650 enumerated)                     Medium      Diachenko via The Register

6. Detection

title: FortiBleed — High-Volume SSL VPN Authentication Against FortiGate
id: ad6f3c2a-1b9e-4f5d-8a72-3c0e1d4b9a52
status: experimental
description: >
  Detects high-volume SSL VPN authentication attempts against FortiGate devices,
  consistent with the credential-stuffing phase of the FortiBleed campaign.
author: Adverse Trace
date: 2026-06-18
references:
  - https://www.theregister.com/cyber-crime/2026/06/17/massive-password-stealing-attack-hits-75k-fortinet-firewalls/5257873
logsource:
  product: firewall
  category: authentication
detection:
  selection_sslvpn:
    EventID:
      - "SSL VPN login"
      - "SSL VPN login failed"
  # Sigma has no per-selection threshold key; the volume test is an aggregation on the condition
  condition: selection_sslvpn | count() by src_ip > 1000
fields:
  - src_ip
  - dest_ip
  - user
  - EventID
falsepositives:
  - Penetration testing
  - Load testing of VPN infrastructure
level: high
---
title: FortiBleed — Hash-Cracking Tooling (Hashtopolis / hashcat / John) on an Endpoint
id: REPLACE-WITH-NEW-UUID   # placeholder: assign a unique rule id before deployment
status: experimental
description: >
  Detects Hashtopolis agent or hash-cracking tool command lines on managed endpoints,
  consistent with the offline cracking phase of the FortiBleed campaign.
author: Adverse Trace
date: 2026-06-18
references:
  - https://www.theregister.com/cyber-crime/2026/06/17/massive-password-stealing-attack-hits-75k-fortinet-firewalls/5257873
logsource:
  product: windows
  category: process_creation
detection:
  selection_tools:
    CommandLine|contains:
      - "hashtopolis"   # Sigma string matching is case-insensitive, so "Hashtopolis" is covered
      - "hashcat"
      - "john.exe"      # a bare "john" would match any path or account containing the name
  condition: selection_tools
fields:
  - CommandLine
  - User
falsepositives:
  - Penetration testing
level: high
---
title: FortiBleed — Post-Authentication Active Directory Reconnaissance
id: REPLACE-WITH-NEW-UUID   # placeholder: assign a unique rule id before deployment
status: experimental
description: >
  Detects directory-object access and Kerberos service-ticket requests consistent
  with post-authentication AD reconnaissance following a FortiGate SSL VPN pivot.
author: Adverse Trace
date: 2026-06-18
references:
  - https://www.theregister.com/cyber-crime/2026/06/17/massive-password-stealing-attack-hits-75k-fortinet-firewalls/5257873
logsource:
  product: windows
  service: security
detection:
  selection_ad_recon:
    EventID:
      - 4769   # Kerberos service ticket requested
      - 4662   # operation performed on a directory object
    SubjectUserName|endswith: "$"
  condition: selection_ad_recon
fields:
  - SubjectUserName
  - IpAddress
  - EventID
falsepositives:
  - Routine machine-account Kerberos and directory activity; baseline before alerting
level: high
---
title: FortiBleed — MSSQL Brute Force Pattern
id: 8c2e1a47-9d3f-4b62-b1e5-7a8c9d0e1f23
status: experimental
description: >
  Detects high-volume authentication attempts against MSSQL servers consistent
  with the FortiBleed campaign's parallel password-spraying activity.
author: Adverse Trace
date: 2026-06-18
references:
  - https://www.theregister.com/cyber-crime/2026/06/17/massive-password-stealing-attack-hits-75k-fortinet-firewalls/5257873
logsource:
  product: windows
  service: security
detection:
  selection_mssql_brute:
    EventID: 4625
    LogonProcessName: "NtLmSsp"
    TargetUserName|startswith: "sa"
  # Event 4625 carries the source as IpAddress; the threshold is an aggregation on the condition
  condition: selection_mssql_brute | count() by IpAddress > 500
fields:
  - IpAddress
  - TargetUserName
  - WorkstationName
falsepositives:
  - Legitimate MSSQL connection storms during deployments
level: high

7. Sources

  • The Register — "Massive password-stealing attack hits 75k Fortinet firewalls" — https://www.theregister.com/cyber-crime/2026/06/17/massive-password-stealing-attack-hits-75k-fortinet-firewalls/5257877 — 2026-06-17
  • BleepingComputer — "FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices" — https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/ — 2026-06-17
  • Dark Reading — "Sweeping Credential-Harvesting Heist Compromises +30K Fortinet Devices" — https://www.darkreading.com/cyberattacks-data-breaches/sweeping-credential-harvesting-heist-compromises-30k-fortinet-devices — 2026-06-17

8. Adverse Trace position

Severity: High. A verified, large-scale credential cache for a major network-security vendor — with confirmed post-authentication compromise of internal AD estates and exfiltration of classified material — represents a direct, immediate threat to any EMEA financial services entity running FortiGate. The fact that many compromised devices are on recent patches means patching alone is insufficient; credential rotation and MFA are mandatory regardless of firmware state. Attribution to a "Russian-speaking group" remains unconfirmed in the absence of a MITRE-recognised actor profile and should not be used to scope defensive action. Next steps: Adverse Trace will (a) provide a per-client exposure check against the published domain list, (b) supply a FortiGate log-review checklist aligned to the P1/P2 actions above, and (c) on request, support DORA Art. 19 / NIS2 Art. 23 reporting drafting where an in-scope entity confirms compromise.


Adverse Trace — distribute within EMEA financial services client base only.


Published via PulseTrace — Adverse Trace threat intelligence.
