Dismantling FortiBleed: How Russian IABs Weaponized FortiGate Firewalls To Harvest 110 Million Credentials—And How To Stop Them + Video

Introduction:

A single compromised FortiGate firewall can become a passive listening post for every credential crossing a victim’s network, turning legitimate diagnostic tooling into a large-scale credential-harvesting engine. The SOCRadar Threat Research Unit (STRU) has published a comprehensive 70+ page technical report detailing one of the most significant cybercrime operations in recent years—an active credential-harvesting campaign dubbed “FortiBleed”. Active since at least February 2026, this Russian-origin operation has targeted over 430,000 FortiGate firewalls, exposed over 110 million credentials across 24 authentication protocols, and compromised a NATO-aligned defense contractor. This article distills the report’s key findings, providing defenders with actionable intelligence, step‑by‑step mitigation strategies, and verified commands to fortify their FortiGate environments against this evolving threat.

Learning Objectives:

Understand the complete five‑stage attack chain of the FortiBleed operation, from reconnaissance to credential exfiltration.
Learn how to identify Indicators of Compromise (IOCs) and detect the Golang‑based FortigateSniffer tool.
Acquire hands‑on Linux and Windows commands to audit, harden, and monitor FortiGate firewalls and network infrastructure.
Implement defensive measures to prevent SSH brute‑force attacks, detect passive sniffers, and secure authentication protocols.
Gain insights into how threat actors are integrating AI and GPU‑accelerated cracking to scale their operations.

You Should Know:

The Five‑Stage Attack Chain: From Shodan to Exfiltration

The FortiBleed operation follows a meticulously planned five‑stage attack chain that transforms compromised firewalls into automated credential‑harvesting nodes.

Stage 1: Large‑Scale Reconnaissance – The attacker uses Masscan and Shodan to scan the internet for exposed FortiGate admin interfaces. This initial recon phase identifies vulnerable targets with default credentials or weak authentication configurations.

Stage 2: SSH Brute‑Force – Once a target is identified, the attacker launches SSH brute‑force attacks against FortiGate admin accounts. Weak passwords and lack of rate‑limiting make many devices susceptible.

Stage 3: Sniffer Deployment – Upon successful access, the attacker deploys the FortigateSniffer—a Golang‑based tool that abuses the legitimate `diagnose sniffer packet` command available in FortiOS. This sniffer operates passively across 24 authentication protocols, capturing RADIUS, NTLM, Kerberos, and other credentials in real time without triggering traditional security alerts.

Stage 4: Offline Hash Cracking – Captured hashes are exfiltrated to a distributed GPU cracking infrastructure. The attacker uses Hashtopolis and Hashcat clusters, supplemented by rented GPU capacity from vast.ai, to crack passwords at scale.

Stage 5: Session‑Cookie Replay & Persistent Access – Cracked credentials and session cookies are replayed to maintain persistent access, enabling lateral movement and data exfiltration. The actor has executed more than 659 harvest cycles, confirming breaches and data theft from high‑value targets.

2. Identifying FortigateSniffer: Detection and Forensics

Detecting the presence of FortigateSniffer on a compromised firewall requires a combination of log analysis, process inspection, and network monitoring.

Linux Commands for Forensic Analysis (on FortiGate CLI):

 Check for running processes that may indicate sniffer activity
diagnose sys process list | grep -i sniffer

Examine recent system logs for unauthorized SSH logins
diagnose log display | grep -i "sshd" | tail -50

Review current sniffer sessions (legitimate and malicious)
diagnose sniffer packet any "host <suspicious_IP>" 4 10

List all active admin sessions
diagnose sys admin list

Check for unauthorized configuration changes
diagnose sys config-history show

Inspect cron jobs or scheduled tasks for persistence mechanisms
diagnose system cron list

Windows Commands (for SOC/IR teams analyzing collected logs):

 Search Windows Event Logs for failed SSH attempts (if using FortiClient or SSH tunneling)
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4625 } | Select-Object TimeCreated, Message

Check for outbound connections to known malicious IPs (use IOC list)
Get-1etTCPConnection | Where-Object { $_.RemoteAddress -in @("MALICIOUS_IP_1", "MALICIOUS_IP_2") }

Examine scheduled tasks for persistence
Get-ScheduledTask | Where-Object { $_.State -1e "Disabled" }

Network Detection: Monitor for unexpected outbound connections from FortiGate devices to IPs associated with Russian and Ukrainian hosting providers—the actor’s infrastructure is hosted across these networks. Use packet capture analysis to detect abnormal `diagnose sniffer packet` activity that exceeds normal operational baselines.

Hardening FortiGate Against SSH Brute‑Force and Credential Theft

Preventing initial access is the most effective defense against this attack chain. Implement the following hardening measures:

Step‑by‑Step FortiGate Hardening Guide:

Enforce Strong Password Policies: Require complex passwords (minimum 12 characters, including uppercase, lowercase, numbers, and symbols) for all admin accounts. Avoid default credentials.
Enable Multi‑Factor Authentication (MFA): Require MFA for all administrative access, including SSH and HTTPS. FortiToken or third‑party TOTP solutions are recommended.
Restrict Admin Access by IP: Limit administrative access to trusted IP ranges only. Use the following CLI command:
```
config system admin
edit <admin_name>
set trusthost1 <trusted_IP>/<mask>
next
end
```
Enable SSH Rate‑Limiting and Fail2Ban: Configure SSH to block IPs after a specified number of failed attempts:
```
config system ssh
set ssh-rate-limit enable
set ssh-rate-limit-max 3
set ssh-rate-limit-interval 60
end
```
Disable Unnecessary Services: Turn off SSH if not required, or restrict it to internal management networks. Disable HTTP access; enforce HTTPS only.
Regular Firmware Updates: Ensure FortiOS is updated to the latest patched version. Monitor Fortinet’s PSIRT announcements for critical vulnerabilities.
Implement Logging and Alerting: Forward all FortiGate logs to a central SIEM. Create alerts for:

– Multiple failed SSH logins from a single IP.
– Successful logins from unusual geographic locations.
– Execution of `diagnose sniffer packet` commands by non‑administrative users.

Sample Log Monitoring Script (Linux SIEM):

!/bin/bash
 Monitor FortiGate syslog for SSH brute-force patterns
tail -f /var/log/fortigate.log | while read line; do
if echo "$line" | grep -q "sshd.Failed password"; then
IP=$(echo "$line" | grep -oP 'from \K[0-9.]+')
echo "ALERT: SSH brute-force attempt from $IP" | mail -s "FortiGate Alert" [email protected]
fi
done

Credential Harvesting and GPU Cracking: The AI‑Powered Threat Multiplier

What makes FortiBleed particularly alarming is the actor’s integration of AI and high‑performance computing to accelerate credential cracking. The operator maintains an isolated Kali Linux lab, uses Hashtopolis to orchestrate distributed hash cracking across GPU clusters, and rents vast.ai GPU capacity on demand.

Understanding the Cracking Pipeline:

Hashtopolis is a web‑based platform that distributes hashcat jobs across multiple nodes. The attacker uploads captured hashes (NTLM, Kerberos, RADIUS) and deploys rulesets to crack them efficiently.
Hashcat leverages GPU parallelism to test billions of password combinations per second. With rented GPUs, the attacker can crack complex passwords in hours rather than days.
AI Integration: Threat actors are increasingly using machine learning to generate more effective password dictionaries and rulesets, improving cracking success rates.

Defensive Countermeasures:

Enforce NTLM Auditing and Disable Legacy Protocols: Where possible, disable NTLM and enforce Kerberos with strong encryption. Use Group Policy on Windows domains to restrict NTLM usage.
Implement Account Lockout Policies: Lock accounts after a small number of failed login attempts to slow down offline cracking via credential replay.
Use Complex, Long Passphrases: Passwords with high entropy significantly increase cracking time, even with GPU acceleration.
Monitor for Hashtopolis Traffic: Look for outbound connections to known Hashtopolis server IPs or unusual patterns of hash exfiltration.

Windows Command to Audit NTLM Usage:

 Check NTLM authentication attempts in Security logs
Get-WinEvent -LogName Security | Where-Object { $<em>.Id -in @(4624, 4625) -and $</em>.Message -match "NTLM" } | Select-Object TimeCreated, Message

5. IOCs, TTPs, and Victimology: Intelligence for Defenders

The SOCRadar report includes a full set of Indicators of Compromise (IOCs), TTP mappings, and victimology analysis. Key findings include:

IOCs: IP addresses, domains, and file hashes associated with the FortigateSniffer tool and C2 infrastructure. Defenders should ingest these into their SIEM, EDR, and firewall blocklists.
TTPs: The attacker employs living‑off‑the‑land techniques, abusing legitimate FortiOS commands to avoid detection. MITRE ATT&CK mappings are provided in the full report.
Victim Profile: The dominant victim profile includes IT services and SMBs with fewer than 200 employees, though a NATO‑aligned defense contractor was also breached. This indicates that no organization is immune, regardless of size or sector.

How to Operationalize IOCs:

Firewall Blocking: Add malicious IPs to your firewall deny lists.
EDR Hunting: Search for file hashes and process names associated with FortigateSniffer.
SIEM Alerts: Create correlation rules to detect the attack chain stages.
Threat Intelligence Sharing: Share findings with CERTs, MSSPs, and industry peers to strengthen collective defense.

Sample Python Script to Check IOCs Against Local Logs:

import re
import sys

Sample IOC list (replace with actual IOCs from the report)
malicious_ips = ["192.168.1.100", "10.0.0.50"]
malicious_hashes = ["abc123def456"]

def check_logs(log_file):
with open(log_file, 'r') as f:
for line in f:
for ip in malicious_ips:
if ip in line:
print(f"ALERT: Malicious IP {ip} found in log: {line.strip()}")
for hash in malicious_hashes:
if hash in line:
print(f"ALERT: Malicious hash {hash} found in log: {line.strip()}")

if <strong>name</strong> == "<strong>main</strong>":
if len(sys.argv) != 2:
print("Usage: python ioc_checker.py <log_file>")
sys.exit(1)
check_logs(sys.argv[bash])

Incident Response and Recovery: What to Do If You Are Compromised

If you suspect a FortiGate compromise, immediate action is critical.

Step‑by‑Step IR Guide:

Isolate the Affected Firewall: Disconnect the device from the network to prevent further data exfiltration.
Preserve Evidence: Take a full forensic image of the firewall’s storage and capture all logs before any changes are made.
Change All Admin Passwords: Immediately reset all admin credentials and enforce MFA.
Review and Revoke Unauthorized Sessions: Terminate all active admin sessions and check for new, unauthorized accounts.
Analyze Logs for Sniffer Activity: Use the commands in Section 2 to identify if FortigateSniffer was deployed.
Check for Credential Theft: Assume that all credentials that passed through the firewall during the compromise period are exposed. Force password resets for all affected users and rotate all API keys and tokens.
Apply Patches and Hardening: Update FortiOS to the latest version and implement the hardening measures from Section 3.
Report to Authorities: Notify relevant CERTs and law enforcement, providing them with the IOCs and evidence gathered.
Conduct a Post‑Incident Review: Identify gaps in your security posture and update your IR plan accordingly.

Linux Command to Securely Wipe and Reset a FortiGate (Factory Reset):

 Access via console or SSH and execute:
execute factoryreset
 Note: This will erase all configurations. Only use after evidence preservation.

AI and the Future of Cybercrime: A Wake‑Up Call

The FortiBleed operation exemplifies a troubling trend: threat actors are increasingly combining traditional cybercrime techniques with AI to improve efficiency, automation, targeting, and ultimately profit. From AI‑generated password dictionaries to automated target selection, the barrier to entry for sophisticated attacks is lowering.

What Undercode Say:

Key Takeaway 1: The integration of AI and GPU‑accelerated cracking into cybercriminal operations is not a future threat—it is happening now. Organizations must adopt AI‑driven defense mechanisms to keep pace.
Key Takeaway 2: Trusted network appliances like firewalls are prime targets for silent, long‑term credential harvesting. Visibility into device behavior and strict access controls are non‑negotiable.
Key Takeaway 3: Intelligence sharing is paramount. SOCRadar’s decision to publish this report before notifying all victims underscores the importance of transparency in strengthening the global cybersecurity community.
Key Takeaway 4: SMBs are not safe. The attacker’s focus on IT services and smaller organizations highlights the need for scalable, affordable security solutions for all business sizes.
Key Takeaway 5: The attack chain is highly repeatable. Without proactive hardening and continuous monitoring, many organizations remain vulnerable to similar IAB‑led operations.

Analysis: The FortiBleed campaign is a masterclass in modern cybercriminal tradecraft. It demonstrates how a single point of failure—a weakly secured firewall—can cascade into a catastrophic data breach affecting millions of credentials. The attacker’s use of legitimate diagnostic tools (diagnose sniffer packet) and commodity GPU resources makes detection and attribution challenging. However, the detailed IOCs, TTPs, and defensive recommendations provided in the SOCRadar report offer a clear roadmap for defenders. The key takeaway is that prevention (strong passwords, MFA, IP restrictions) is vastly more effective than detection and remediation after the fact. Organizations must treat their network appliances as critical assets deserving of the same rigorous security controls applied to servers and endpoints.

Prediction:

+1 The widespread publication of the FortiBleed report will drive increased adoption of MFA and zero‑trust architectures for network device management, significantly reducing the success rate of similar attacks in the medium term.
-1 The commoditization of AI‑powered cracking tools and the availability of cheap GPU rentals will lower the barrier to entry for credential‑harvesting operations, leading to a surge in similar attacks against other network appliances (e.g., VPNs, routers) in the next 12–18 months.
+1 Security vendors will accelerate the development of AI‑based anomaly detection systems capable of identifying passive sniffers and abnormal `diagnose` command usage, improving detection rates for living‑off‑the‑land techniques.
-1 The attacker’s infrastructure, hosted across Russian and Ukrainian networks, highlights the challenges of international law enforcement cooperation. Without coordinated takedown efforts, the operator may simply rebrand and continue operations under a new guise.
+1 The report’s emphasis on victim notification and intelligence sharing will foster stronger public‑private partnerships, enabling faster response times and more effective threat hunting for the broader community.

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Huzeyfe Fortibleed – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Listen to this Post