FortiBleed: attackers turned FortiGate firewalls into credential sniffers

SOCRadar has dug deeper into the FortiBleed campaign, and the picture is worse than expected. The operation targeted over 430,000 FortiGate firewalls worldwide and has been active since at least February.

Here’s how it works. Attackers first gain admin access through credential stuffing and brute-force attacks on VPN devices. Once inside, they deploy a custom Golang tool — “FortigateSniffer” — that abuses FortiOS’s built-in diagnostic packet sniffer to capture authentication traffic flowing through the compromised firewall.

The tool monitors 24 protocols: Kerberos, LDAP, SMB, RADIUS, RDP, WinRM, MySQL, PostgreSQL, SMTP, FTP, Telnet, and more. Captured traffic gets reconstructed into PCAP files, then fed into a Python toolkit that extracts cleartext credentials, password hashes, Kerberos tickets, NTLM auth material, and database credentials.

The captured hashes are then cracked on a distributed GPU cluster running Hashcat. Researcher Kevin Beaumont noted the attacker rented 36 enterprise-class GPUs — more than most large companies have for internal AI — from a GenAI compute provider. They weren’t using them for machine learning. They were cracking passwords.
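As a defender-side illustration of the chain described above (brute-forced admin logins, then abuse of the FortiOS diagnostic sniffer), here is an added example that is not code from the article, SOCRadar or Fortinet: a small Python hunt over constructed FortiGate event-log lines. The key="value" field names and the `cli-cmd` action are simplifying assumptions rather than Fortinet's exact log schema; only the `diagnose sniffer packet` CLI verb is real FortiOS syntax.

```python
"""Hunt for the FortiBleed pattern in FortiGate event logs: a burst of failed
admin logins followed by a success from the same source, then use of the
built-in diagnostic packet sniffer. Added example, not vendor or article code.
The log lines are constructed; field names are simplified assumptions."""
import re
from collections import defaultdict

# Constructed sample event log (key="value" pairs, one event per line).
SAMPLE_LOG = """\
date=2025-03-02 time=01:10:01 type="event" subtype="system" action="login" status="failed" user="admin" srcip="203.0.113.9" ui="https"
date=2025-03-02 time=01:10:02 type="event" subtype="system" action="login" status="failed" user="admin" srcip="203.0.113.9" ui="https"
date=2025-03-02 time=01:10:03 type="event" subtype="system" action="login" status="failed" user="admin" srcip="203.0.113.9" ui="https"
date=2025-03-02 time=01:10:05 type="event" subtype="system" action="login" status="success" user="admin" srcip="203.0.113.9" ui="https"
date=2025-03-02 time=01:12:40 type="event" subtype="system" action="cli-cmd" user="admin" srcip="203.0.113.9" msg="diagnose sniffer packet any 'port 88 or port 445' 6 0 a"
date=2025-03-02 time=08:00:00 type="event" subtype="system" action="login" status="success" user="netops" srcip="10.0.0.5" ui="ssh"
"""

# key=value where the value is either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}

def hunt(log_text, fail_threshold=3):
    """Return findings as tuples: (kind, srcip, user, detail).
    kind is 'bruteforce_then_success' when a source logs in successfully after
    >= fail_threshold consecutive failures, or 'diag_sniffer' when an admin
    session runs the diagnostic packet sniffer (the collection step)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    fails = defaultdict(int)          # consecutive failed logins per source IP
    findings = []
    for ev in events:
        src = ev.get("srcip", "?")
        if ev.get("action") == "login":
            if ev.get("status") == "failed":
                fails[src] += 1
            elif ev.get("status") == "success":
                if fails[src] >= fail_threshold:
                    findings.append(("bruteforce_then_success", src, ev.get("user"), fails[src]))
                fails[src] = 0        # a success resets the streak
        elif ev.get("action") == "cli-cmd" and ev.get("msg", "").startswith("diagnose sniffer"):
            findings.append(("diag_sniffer", src, ev.get("user"), ev["msg"]))
    return findings

if __name__ == "__main__":
    for kind, src, user, detail in hunt(SAMPLE_LOG):
        print(f"{kind:24} src={src} user={user} detail={detail}")
```

Run it against real exported event logs after adjusting the field names to the schema your FortiOS version actually emits.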

Fortinet’s position has been that the leaked credentials came from previous compromises, not a new vulnerability. But SOCRadar’s evidence points to an ongoing, active campaign.

Beaumont published a list of targeted IPs. If you run FortiGate devices, check your systems against it and look for signs of compromise.