A large-scale FortiBleed campaign targeting Fortinet's FortiGate devices used custom sniffers to collect authentication secrets from compromised firewalls and steal credentials, according to security firm SOCRadar.
The report, published today, expands on the company's earlier investigation into the massive "FortiBleed" campaign, which revealed a set of Fortinet VPN credentials associated with more than 80,000 firewall URLs worldwide.
The operation targets more than 430,000 FortiGate firewalls worldwide and has been active since at least February 2026, according to SOCRadar.
Researchers say the attackers behind this campaign act as initial access brokers (IABs) and use credential stuffing, brute-force attacks, credential harvesting, and offline password cracking to gain access to corporate networks.
One of the researchers' findings was the suspected use of a Golang-based tool called FortigateSniffer, which abuses FortiOS' built-in diagnose sniffer packet functionality to capture authentication traffic passing through a compromised FortiGate device.
According to SOCRadar, attackers abused this legitimate functionality on compromised devices to steal credentials from network traffic passing through the firewall.
According to SOCRadar, the tool is designed to monitor traffic for credentials, password hashes, and authentication secrets from various protocols such as RADIUS, NTLM, Kerberos, and LDAP.
"The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract credentials from network flows," SOCRadar said in the report.
While Fortinet previously told BleepingComputer last week that this incident was not a new vulnerability or incident, but rather a set of previously compromised credentials, SOCRadar's report points to an ongoing campaign to actively compromise FortiGate VPN devices.
Sniffing credentials
The attackers first gained administrative access through credential stuffing and brute-force attacks, and then deployed a credential-harvesting sniffer framework called FortigateSniffer on compromised FortiGate devices, the company said.
This tool reportedly connects to FortiGate devices via SSH and launches FortiOS diagnose sniffer packet commands.
The "diagnose sniffer packet" command is a built-in FortiOS diagnostic tool that administrators use to troubleshoot connectivity, authentication, and network performance issues.
The command allows administrators to inspect network traffic passing through the FortiGate firewall in real time, helping to identify connectivity failures, routing issues, and authentication errors.
In the attackers' tool, the command is configured to monitor traffic for authentication protocols and remote access services such as Kerberos, LDAP, SMB, RADIUS, RDP, WinRM, Microsoft SQL Server, MySQL, PostgreSQL, SMTP, IMAP, POP3, FTP, and Telnet.
According to the report, packet data collected from FortiGate devices was processed through a component called SNIFTRAN, which reassembles the captured traffic into PCAP files.

Source: SOCRadar
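Because the sniffer is launched through the device's own administrative CLI, the defender's signal is the command itself appearing in the firewall's event log. The following Python detector is an added example (not code from SOCRadar's report or from any of the tools it describes): it parses FortiGate-style key="value" event records, flags invocations of diagnose sniffer packet, and escalates those whose capture filter targets the authentication ports of the protocols named above. It assumes CLI command auditing is enabled so that commands reach the event log; the field names user, ui and cmd and the sample records are constructed assumptions and must be matched against the event format of the FortiOS version actually deployed.

```python
import re
from typing import Dict, List, Optional

# FortiGate syslog records are key="value" pairs; unquoted values also occur (date=..., time=...).
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')
# diagnose sniffer packet <interface> '<bpf filter>' [verbose] [count] [timestamp]
SNIFFER_RE = re.compile(r"diag(?:nose)?\s+sniffer\s+packet\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?")

# Well-known ports of the authentication and remote-access protocols listed in the report.
AUTH_PORTS = {88: "Kerberos", 389: "LDAP", 636: "LDAP", 445: "SMB", 1812: "RADIUS",
              1813: "RADIUS", 3389: "RDP", 5985: "WinRM", 5986: "WinRM", 1433: "MSSQL",
              3306: "MySQL", 5432: "PostgreSQL", 25: "SMTP", 587: "SMTP", 143: "IMAP",
              993: "IMAP", 110: "POP3", 995: "POP3", 21: "FTP", 23: "Telnet"}

# Constructed sample records (field names are assumptions, not a verified FortiOS schema).
SAMPLE_LOG = [
    'date=2026-02-10 time=03:14:07 type="event" subtype="system" user="admin" ui="ssh(198.51.100.7)" '
    'action="execute" cmd="diagnose sniffer packet any \'port 88 or port 389 or port 1812\' 3 0 l"',
    'date=2026-02-10 time=03:14:09 type="event" subtype="system" user="netops" ui="ssh(10.0.0.5)" '
    'action="execute" cmd="diagnose sniffer packet port1 \'host 10.0.0.9 and icmp\' 4 10"',
    'date=2026-02-10 time=03:15:00 type="event" subtype="system" user="netops" ui="ssh(10.0.0.5)" '
    'action="execute" cmd="get system status"',
]

def parse_kv(line: str) -> Dict[str, str]:
    """Split one key="value" record into a dict; quoted and unquoted values both handled."""
    return {(m.group(1) or m.group(3)): (m.group(2) if m.group(1) else m.group(4))
            for m in KV_RE.finditer(line)}

def inspect_command(cmd: str) -> Optional[dict]:
    """Return None unless cmd runs the packet sniffer; otherwise summarise interface and filter."""
    m = SNIFFER_RE.search(cmd)
    if not m:
        return None
    flt = m.group(2) or m.group(3) or ""
    ports = {int(p) for p in re.findall(r"\bport\s+(\d+)", flt)}
    # Which of the report's authentication protocols the capture filter explicitly selects.
    protocols = sorted({AUTH_PORTS[p] for p in ports if p in AUTH_PORTS})
    return {"interface": m.group(1), "filter": flt, "auth_protocols": protocols}

def detect(lines: List[str]) -> List[dict]:
    """Emit one alert per sniffer invocation, escalated when aimed at auth ports or all interfaces."""
    alerts = []
    for line in lines:
        rec = parse_kv(line)
        info = inspect_command(rec.get("cmd", ""))
        if info is None:
            continue
        severity = "high" if info["auth_protocols"] or info["interface"] == "any" else "medium"
        alerts.append({"user": rec.get("user"), "ui": rec.get("ui"), "severity": severity, **info})
    return alerts
```

Feeding the constructed records through detect() yields a high-severity alert for the admin session capturing Kerberos, LDAP and RADIUS on all interfaces and a medium one for the ICMP troubleshooting capture, so legitimate diagnostic use is surfaced for review rather than silently suppressed.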
The captured data was then parsed with the Python-based PCAP Deep Analysis Toolkit to extract plaintext credentials, password hashes, Kerberos tickets, NTLM authentication material, email credentials, database credentials, and other authentication artifacts from the network traffic.
The toolkit then generated Hashcat-ready files containing NTLM and Kerberos hashes, and extracted plaintext credentials from protocols such as SMTP, IMAP, POP3, MySQL, and RADIUS when available.
The attackers allegedly used the GPU-based Hashcat password-cracking utility running on a distributed GPU cluster to crack the hashed credentials.
In an update published Friday, cybersecurity expert Kevin Beaumont suggested that the attackers also obtained hashed credentials by downloading FortiGate configuration files from compromised devices.
The attackers then extracted the hashed credentials and cracked them using Hashcat and 36 enterprise-class GPUs.
"Password cracking was hosted at a GenAI company that rents GPU compute," Beaumont explains.
"The attackers rented 36 enterprise-class GPUs, which is more than most large organizations use for internal AI efforts. And instead of using it for AI tasks, they used it for password cracking. Enterprise GPUs can crack passwords at scale very quickly."
Both explanations could account for the dedicated GPU-based cracking platform observed on the attackers' servers.
For Fortinet device administrators, Beaumont has published a list of IP addresses associated with this campaign.
Organizations using FortiGate devices should review this list and check whether their systems have been targeted or compromised.