Close Menu
Cybercrime and Ransomware

FortiBleed Attack Hits 430,000+ Firewalls, Steals 110M+ Credentials

Staff WriterBy No Comments4 Mins Read1 Views

Summary Points

  1. Over 430,000 FortiGate firewalls globally have been silently compromised in a large-scale credential-harvesting campaign called “FortiBleed,” which has stolen over 110 million credentials since February 2026.
  2. The attackers exploited FortiGate’s native diagnostic command “diagnose sniffer packet” via a custom Golang tool, weaponizing legitimate functionality to intercept real-time network traffic and credentials without detection.
  3. The operation involves sophisticated automation, including an AI-powered autonomous penetration testing agent, and exploits a five-phase attack chain: reconnaissance, initial access, traffic harvesting, credential cracking, and data exfiltration.
  4. Victims are mostly mid-sized organizations and a mix of global regions, with critical recommendations for defenders to rotate credentials, enforce multi-factor authentication, and detect signs of network sniffing and credential theft.

What’s the Problem?

The ongoing “FortiBleed” campaign has silently compromised over 430,000 FortiGate firewalls worldwide, beginning at least in February 2026. This extensive operation involves threat actors transforming these firewalls—vital security devices—into covert listening posts by exploiting a built-in diagnostic command. They use a custom tool called FortiGateSniffer, which can monitor multiple network protocols simultaneously, to intercept and extract sensitive credentials—such as usernames, passwords, and hashes—from live traffic without triggering alarms. The attackers may be linked to a financially motivated Russian-speaking initial access broker, and their infrastructure includes a GPU password-cracking cluster and automated tools, indicating an industrial scale effort. The victims, mostly small- to medium-sized organizations in regions including the U.S., India, and others, have suffered data theft, privilege escalation, and persistent access. Security researchers from SOCRadar discovered the breach after finding an exposed directory, alerting the cybersecurity community to this widespread threat. Consequently, organizations are urged to rapidly update credentials, reinforce multi-factor authentication, and audit network traffic for signs of compromise.

Risk Summary

The ‘FortiBleed Attack,’ which compromised over 430,000 FortiGate firewalls and stole more than 110 million credentials, illustrates how a single cybersecurity breach can threaten any business. When such an attack occurs, sensitive customer data, internal communications, and business operations are put at serious risk. Consequently, businesses face not only financial losses from downtime and recovery efforts but also reputational damage that erodes customer trust. Moreover, attackers can exploit stolen credentials to access critical systems, leading to potential data breaches, ransomware infections, or even long-term operational disruptions. Ultimately, no organization—regardless of size or industry—is immune; thus, proactive security measures are essential to prevent, detect, and respond to such threats before they can cause significant harm.

Possible Remediation Steps

In the face of the FortiBleed attack, which compromised over 430,000 FortiGate firewalls and resulted in the theft of more than 110 million credentials, swift and decisive remediation is crucial. Prompt action minimizes damage, prevents further exploitation, and restores organizational resilience by closing vulnerabilities before adversaries can capitalize on them. As outlined by NIST CSF principles, timely response and accurate remediation are vital for maintaining cybersecurity integrity and protecting sensitive assets.

Containment Measures

  • Isolate affected devices from the network.
  • Disable vulnerable services and interfaces temporarily.

Assessment & Analysis

  • Conduct comprehensive vulnerability scans to identify exposed systems.
  • Review logs for signs of exploitation or lateral movement.

Patch & Update

  • Apply the latest firmware and security patches from Fortinet.
  • Ensure all security updates are current across the environment.

Credential Management

  • Force password resets for all compromised accounts.
  • Implement multi-factor authentication (MFA) across critical systems.

Monitoring & Detection

  • Enhance real-time monitoring and threat detection capabilities.
  • Set up alerts for unusual activity or access behaviors.

Communication & Response

  • Notify stakeholders and affected users promptly.
  • Collaborate with cybersecurity experts or incident response teams if needed.

Post-Incident Review

  • Conduct a thorough investigation to understand breach vectors.
  • Update security policies and procedures based on insights gained.

Implementing these measures rapidly aligns with best practices, helping organizations contain the incident, minimize impact, and strengthen defenses against future threats.

Advance Your Cyber Knowledge

Explore career growth and education via Careers & Learning, or dive into Compliance essentials.

Explore engineering-led approaches to digital security at IEEE Cybersecurity.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.