"FortiBleed" Data Disclosure

Executive Summary

A cyber espionage campaign dubbed “FortiBleed” has been uncovered by security researchers purportedly involving the compromise of over 73,000 Fortinet devices. The recovered dataset indicates that the attacker’s operation targeted FortiGate devices and related SSL VPN gateways. According to researchers, data uncovered appears to contain valid SSL VPN and administrative credentials including usernames, email addresses, and plaintext passwords.

Unlike a traditional breach and data leak, FortiBleed was not disclosed through a dark web forum post or vendor disclosure but was discovered by researchers on an exposed server believed to belong to threat actors. The actors reportedly left a directory open, which contained attacker tooling and a cache of the harvested credentials.

At the time of writing, the method by which threat actors obtained the firewall data remains unconfirmed. Community research has tentatively attributed the attack to a Russian-speaking cybercriminal group, though this is not yet verified.

Researchers at HudsonRock have released an exposure lookup tool to search for impacted domains and verify exposure within the obtained dataset.

This is an evolving situation and Beazley Security will update this advisory as more information becomes available.

Mitigations / Workarounds

Affected organizations should assume that credentials or configuration data on FortiGate devices may have been exposed and take the following preventative actions:

  • Rotate admin credentials, including local administrator accounts, API tokens, certificates, and other credentials integrated with the firewall.
  • Review historical administrator and authentication logs for signs of suspicious activity, including logins from unexpected IP addresses, geolocations, or account activity outside of normal business hours.
  • Upgrade devices to the latest FortiOS release if not already applied. Following any upgrade, rotate admin credentials to invalidate any that may have been exposed previously.
  • Restrict or eliminate direct internet access to the firewall management interface. Lock down administrative access to trusted and expected internal networks.
  • Implement multi-factor authentication for all accounts where possible to reduce risk of compromised credentials being used.

Indicators of Compromise

At the time of writing, no indicators of compromise (IoCs) have been publicly attributed to FortiBleed, as the dataset was reportedly recovered from the actor’s own exposed server rather than discovered through a campaign with classic IoCs.

Defenders should focus on evidence of unauthorized access using compromised credentials, including:

  • Successful administrative or SSL VPN logins from unexpected geographies, IP ranges, or times.
  • New or unexpected administrator account creations, or unexpected changes to administrative users.
  • Unexpected configuration backups or exports from untrusted sources.
  • Evidence of lateral movement into internal environments, especially activity pivoting from firewall access into Active Directory environments or SQL servers.
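As an added illustration (not part of this advisory), the following Python triages constructed FortiOS-style key=value event logs for the indicators listed above: successful admin logins from outside the expected management network or outside business hours, administrator account additions or edits, and off-hours SSL VPN logins. The log lines, the expected management network and the business-hours window are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed FortiOS-style key=value event logs for illustration only; every
# value (dates, users, addresses) is invented and none comes from the incident.
SAMPLE_LOGS = [
    'date=2025-06-03 time=09:12:44 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.20.1.15 action="login" status="success"',
    'date=2025-06-03 time=02:47:10 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.77 action="login" status="success"',
    'date=2025-06-03 time=03:05:21 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=198.51.100.77 action="Add" cfgpath="system.admin" cfgobj="svc_backup"',
    'date=2025-06-03 time=23:55:08 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="jsmith" remip=203.0.113.9 action="tunnel-up"',
]

# Assumptions for this example: management logins are expected only from
# 10.20.0.0/16, and interactive activity is expected between 07:00 and 19:00.
EXPECTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = (7, 19)

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortios_line(line):
    """Turn a FortiOS key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def off_hours(rec):
    """True when the record's timestamp falls outside the assumed business hours."""
    ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)

def hunt(lines, expected_nets=EXPECTED_ADMIN_NETS):
    """Return (user, reason) findings matching the advisory's hunting guidance."""
    findings = []
    for line in lines:
        rec = parse_fortios_line(line)
        user = rec.get("user", "?")
        src = rec.get("srcip") or rec.get("remip")  # admin logins use srcip, VPN uses remip
        if rec.get("logdesc") == "Admin login successful":
            if src and not any(ipaddress.ip_address(src) in n for n in expected_nets):
                findings.append((user, f"admin login from unexpected source {src}"))
            if off_hours(rec):
                findings.append((user, "admin login outside business hours"))
        elif rec.get("cfgpath") == "system.admin" and rec.get("action") in ("Add", "Edit"):
            findings.append((user, f"administrator account {rec.get('cfgobj')} {rec['action'].lower()}ed"))
        elif rec.get("action") == "tunnel-up" and off_hours(rec):
            findings.append((user, f"SSL VPN login outside business hours from {src}"))
    return findings

if __name__ == "__main__":
    for user, reason in hunt(SAMPLE_LOGS):
        print(f"{user}: {reason}")
```

Run against real exports, feed the device's event logs line by line and replace the allowlist and hours with the values that apply to your environment.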

Technical Details

The FortiBleed dataset was originally discovered by security researcher Bob Diachenko and is reported to contain credential records, including firewall URLs, IPs and hostnames, usernames, and plaintext passwords, along with organizational context. It is believed that some authentication hashes were intercepted and potentially cracked to access and move laterally into environments. Post-access activity reportedly includes attempts to access Active Directory and SQL server environments.

As the dataset was discovered by researchers on exposed threat actor infrastructure, the exact method through which the configuration data was stolen or obtained by the attackers is unconfirmed at this time, and there is no corresponding vulnerability advisory from Fortinet.

Beazley Security recommends organizations rotate credentials on affected FortiGate devices immediately. We will continue to monitor for additional developments and provide updates as information becomes available.

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We have obtained private indicators of compromise and are conducting threat hunts across our MDR environment to detect potential access attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.
