FortiBleed Exposed: Dissecting the 110-Million-Credential FortiGate Harvesting Campaign – A Digital Forensics Deep Dive + Video

Listen to this Post

🐢▶️ Listen🚀

Introduction:

The FortiBleed campaign, uncovered by SOCRadar’s Threat Research Unit, represents one of the most consequential credential-harvesting operations targeting network edge infrastructure in recent memory. Active since at least February 2026, this financially motivated Initial Access Broker (IAB) has compromised over 430,000 FortiGate firewalls globally, amassing more than 110 million credentials across 659 distinct harvesting pipelines. Rather than exploiting a novel zero-day vulnerability, the attackers weaponized exposed management interfaces, weak and default credentials, and the legitimate FortiOS diagnostic toolkit itself—transforming each compromised firewall into a passive listening post for authentication traffic traversing victim networks. This article reconstructs the operational timeline from observed artifacts, dissects the attack chain, and provides actionable detection and hardening guidance for defenders.

Learning Objectives:

• Understand the five-stage FortiBleed attack chain, from credential sourcing and reconnaissance to credential harvesting, cracking, and exfiltration.
• Identify the specific tools, commands, and infrastructure used by the threat actor, including FortigateSniffer, Masscan, Shodan_Recon, and mpbrute2.
• Learn how to detect FortiBleed activity through log analysis, network monitoring, and endpoint forensics.
• Implement practical hardening measures for FortiGate firewalls, SSH access, and Active Directory environments.
• Apply Linux and Windows commands to investigate and remediate compromised systems.

You Should Know:

1. Credential Sourcing & Reconnaissance – Building the Attack Foundation

The FortiBleed operation begins not with exploitation, but with methodical intelligence gathering. The adversary maintains two distinct credential repositories: a generic multi-product list (creds.txt) combining previous data leaks and purchased datasets, and 16 curated dictionaries (base0.txt through base15.txt) specifically tailored for FortiGate administrative accounts using conventions like fortiAdmin, system, and Support_fortinet. This separation indicates deliberate curation rather than a single reused dataset.

The reconnaissance phase employs a sophisticated toolchain:

• Masscan – An asynchronous SYN scanner used for broad sweeps to identify open ports (443/10443 for FortiGate, 1433 for MSSQL, etc.) before any product fingerprinting occurs.
• Shodan_Recon – Queries Shodan’s indexed database to retrieve hostnames, SSL certificate metadata (CN/Org), and service categories while tracking API credit consumption to avoid detection.
• FortiProbe-fast – A lightweight multithreaded probe that classifies targets into confirmed FortiGate systems, non-FortiGate systems, and dead hosts, preventing brute-force efforts from being wasted on non-targets.
• RDNS-Scan – Performs large-scale PTR resolution to identify corporate naming conventions, serving as victim triage.
• GeoSplit – Partitions confirmed FortiGate IPs by country, generating separate files per region.
• match_corps.py / merge_revenue.py / build_report.py – Correlates target IPs against revenue-based organizational mappings to prioritize high-value victims.

Step‑by‑step guide for defenders:

To detect reconnaissance activity, monitor for unusual scanning patterns targeting ports 443, 10443, 1433, and 3389. Implement the following Linux commands to analyze firewall logs:

 Check for Masscan-like SYN scans on FortiGate management ports
grep "DPT=443" /var/log/fortigate.log | awk '{print $1,$2,$13}' | sort | uniq -c | sort -1r

Identify SSL certificate queries from Shodan-like sources
grep "SSL" /var/log/fortigate.log | grep -E "CN=|Org="

Detect PTR resolution spikes (RDNS-Scan)
tcpdump -1n -r capture.pcap 'udp port 53' | grep -E "PTR\?" | cut -d' ' -f7 | sort | uniq -c | sort -1r

For Windows environments, use PowerShell to audit network connections:

 Detect outbound scanning tools
Get-1etTCPConnection | Where-Object {$<em>.State -eq "Established" -and $</em>.RemotePort -in (443,10443,1433,3389)} | Format-Table

Check for suspicious processes with network activity
netstat -ano | findstr /R "443 10443 1433 3389"

1. Pairing & Initial Access – Credential Stuffing at Scale

With reconnaissance complete, the attacker transitions to credential validation across four parallel tracks: FortiGate web interfaces, FortiGate administrative SSH, Synology DSM, and MSSQL databases. The bridging utility `gen_rotator` generates a Cartesian product of hosts and credentials, outputting `IP:PORT:login:pass` combinations consumed by protocol-specific checkers.

Key tools in this phase:

• forticheck – A multithreaded FortiGate credential checker supporting up to 25,000 threads, with two authentication modes: administrative panel (/logincheck + secretkey) and SSL-VPN portal (/remote/logincheck + credential).
• mpbrute2.bin – Targets FortiGate administrative SSH access using the 16 curated wordlists, producing valid SSH credentials consumed by later phases.
• syno.bin – Targets Synology DiskStation Manager on port 5001, primarily succeeding with default credentials.
• MSSQL_Checker – Uses the go-mssqldb library for native TDS protocol authentication, exposing a local metrics API on port 777.

Step‑by‑step guide for defenders:

Audit SSH and web interface access logs for brute-force patterns:

 On FortiGate CLI - Check for failed SSH login attempts
diagnose sys auth statistics | grep -i fail

Review web interface login attempts
grep "logincheck" /var/log/fortigate.log | grep -E "failed|invalid"

Detect mpbrute2-style dictionary attacks (multiple attempts from single source)
grep "sshd" /var/log/auth.log | grep "Failed password" | awk '{print $11}' | sort | uniq -c | sort -1r

Windows PowerShell commands to detect credential stuffing tools:

 Identify processes with high thread counts (>1000)
Get-Process | Where-Object {$_.Threads.Count -gt 1000} | Select-Object Name, Threads, CPU

Check for unusual authentication attempts in Event Logs
Get-WinEvent -LogName Security | Where-Object {$_.Id -in (4625,4648)} | Select-Object TimeCreated, Message

1. FortiGate Sniffer Deployment & Harvesting – The Core of FortiBleed

Once valid SSH credentials are obtained, the attacker deploys FortigateSniffer (also known as fg_sniffer), a Golang-based tool that abuses the legitimate FortiOS diagnostic command diagnose sniffer packet. This transforms each compromised FortiGate into a passive listening post for authentication traffic across 24 protocols, including Kerberos (port 88), SMB (445), LDAP (389), RDP (3389), MSSQL (1433), MySQL (3306), RADIUS (1812), and WinRM (5985/5986).

The tool operates in two steps:

1. Read Targets – Loads a list of FortiGate SSH credentials (IP:PORT:USER:PASS). In observed instances, 6,127 devices were loaded with ~90% SSH validation success rate, eventually growing to 237,330 working credentials.
2. Inject Sniffer – Logs in via SSH and executes the sniffer trace with detailed logging (Ethernet, IP, TCP/UDP headers, hexadecimal format) capturing unlimited packets until terminated.

The actual command executed on each FortiGate is:

diagnose sniffer packet any 'port 49 or port 88 or port 445 or port 389 or port 135 or port 139 or port 143 or port 110 or port 25 or port 21 or port 23 or port 3389 or port 5985 or port 5986 or port 636 or port 3268 or port 1433 or port 3306 or port 5432 or port 6162 or port 1812 or port 1813 or port 1645 or port 1646' 6 0 a

This command captures all traffic on the specified ports with verbose output (level 6) and unlimited packet count, writing results to a log file.

Step‑by‑step guide for defenders:

To detect FortigateSniffer activity, monitor for unauthorized `diagnose sniffer packet` executions:

 On FortiGate CLI - Check for active sniffer sessions
diagnose sys top 5 10

Review command history for sniffer usage
diagnose sys cli-history | grep "diagnose sniffer"

Audit SSH access logs for unusual login patterns
grep "sshd" /var/log/secure | grep -E "Accepted|Failed" | grep -v "from trusted_IP"

For network-level detection, look for sustained high-volume packet captures:

 Monitor interface traffic spikes indicating active sniffing
iftop -i any -t -s 60

Check for large log file growth on FortiGate
ls -lah /var/log/ | grep -E "sniffer|capture"

Windows-based detection (if logging into FortiGate via Windows jump host):

 Check for SSH client activity from unexpected sources
Get-WinEvent -LogName Security | Where-Object {$<em>.Id -eq 4688 -and $</em>.Message -like "ssh"} | Select-Object TimeCreated, Message

Review PowerShell history for suspicious SSH commands
Get-Content (Get-PSReadlineOption).HistorySavePath | Select-String "ssh|diagnose|sniffer"

1. Exploitation of Validated & Harvested Material – Cracking and Lateral Movement

The harvested authentication material—including RADIUS (14.8M records), NTLM (924K hashes), Kerberos (130K hashes), and MySQL (89M auth tokens)—is processed through offline cracking and validation. The attackers successfully cracked 172 RC4 Kerberos hashes to plaintext on June 15, 2026, enabling immediate targeted exfiltration from a NATO-aligned defense contractor.

The cracking infrastructure includes:

• Isolated offensive lab with seven Kali Linux VMs running on a host server
• Strict IPTables routing rules with NAT for controlled outbound access
• Shared tmux sessions for multi-operator remote access
• CyberStrike AI-powered autonomous penetration testing agent

Step‑by‑step guide for defenders:

Detect credential cracking and lateral movement:

 Check for Kerberos TGS requests (potential hash harvesting)
grep "KRB" /var/log/fortigate.log | grep -E "TGS|AS-REQ"

Monitor for unusual NTLM authentication attempts
grep "NTLM" /var/log/security.log | awk '{print $5}' | sort | uniq -c

Detect password spraying against Active Directory
Get-WinEvent -LogName Security | Where-Object {$<em>.Id -eq 4625 -and $</em>.TimeCreated -gt (Get-Date).AddHours(-24)} | Group-Object TargetUserName | Where-Object {$_.Count -gt 10}

Linux commands to identify cracking tools (Hashcat, John the Ripper):

 Check for Hashcat processes
ps aux | grep -E "hashcat|john|oclHashcat"

Look for large hash files
find / -1ame ".hash" -o -1ame "kerberos" -o -1ame "ntlm" 2>/dev/null

Detect GPU usage spikes (cracking)
nvidia-smi --query-gpu=utilization.gpu --format=csv,noheader

5. Collection & Exfiltration – The Final Blow

The attack chain culminates in the exfiltration of sensitive data. On June 15, 2026, following successful Kerberos hash cracking, the attackers exfiltrated DFS backup data from a NATO-aligned defense contractor. Stolen session cookies and valid credentials enable persistent authenticated access, allowing the adversary to maintain a foothold even after initial compromises are discovered.

The campaign remains active, with ongoing sniffer operations and infrastructure updates as of mid-June 2026.

Step‑by‑step guide for defenders:

Implement data exfiltration detection:

 Monitor for unusual outbound data transfers
iftop -i any -t -s 300 | grep -E "outbound|upload"

Check for large file transfers from sensitive directories
find / -type f -size +100M -mtime -1 2>/dev/null

Audit DFS replication logs
grep -r "DFS" /var/log/ | grep -E "backup|replication|exfil"

Windows PowerShell for detecting data staging:

 Identify recently accessed sensitive files
Get-ChildItem -Path "C:\" -Include .backup,.sql,.pst -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.LastAccessTime -gt (Get-Date).AddHours(-24)}

Check for suspicious compressed archives
Get-ChildItem -Path "C:\" -Include .zip,.rar,.7z -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.CreationTime -gt (Get-Date).AddHours(-48)}

Monitor SMB file share access
Get-WinEvent -LogName Security | Where-Object {$<em>.Id -eq 5140 -and $</em>.TimeCreated -gt (Get-Date).AddHours(-24)}

6. Hardening & Mitigation – Defending Against FortiBleed

Given the scale and sophistication of FortiBleed, organizations must implement comprehensive defenses:

FortiGate-Specific Hardening:

• Disable SSH access from untrusted networks; restrict to management IP ranges only.
• Enforce strong, complex passwords and multi-factor authentication (MFA) for administrative accounts.
• Regularly audit and rotate credentials; eliminate default accounts like fortiAdmin, system, Support_fortinet.
• Monitor for unauthorized `diagnose sniffer packet` executions using FortiGate CLI logging.
• Implement `admin-lockout` and `failed-login` thresholds to mitigate brute-force attacks.

Network and Identity Defenses:

• Deploy network segmentation to limit lateral movement.
• Enable advanced logging for Kerberos, NTLM, and RADIUS authentication.
• Implement MFA for all VPN and remote access.
• Conduct regular penetration testing and vulnerability assessments.

Detection and Response:

• Deploy SIEM rules to alert on high-volume authentication failures, SSH brute-force patterns, and unusual packet capture activity.
• Implement UEBA (User and Event Behavioral Analytics) to detect anomalous credential usage.
• Maintain offline backups and test recovery procedures.

What Undercode Say:

• FortiBleed is a credential campaign, not a vulnerability. The attack exploits exposed services, weak credentials, and legitimate diagnostic tools—not a FortiOS zero-day. This shifts the defense paradigm from patching to hygiene.
• The IAB model is the real threat multiplier. By harvesting, validating, cracking, and reselling access, the actor creates a supply chain for ransomware groups and state-aligned actors. Defending against FortiBleed means disrupting this economy, not just blocking individual attacks.
• Passive sniffing on FortiGate is undetectable without proper logging. The `diagnose sniffer packet` command is a legitimate administrative tool; organizations must audit its usage and restrict SSH access to prevent abuse.
• The campaign’s scale demands proactive defense. With 430,000+ firewalls targeted and 110M+ credentials harvested, reactive security is insufficient. Organizations must assume compromise and implement continuous monitoring.
• Human factors remain the weakest link. The success of credential stuffing and dictionary attacks highlights the persistent failure of password policies. MFA, password managers, and regular security awareness training are non-1egotiable.
• The NATO-aligned defense contractor breach proves no one is immune. Even high-value targets with mature security postures can fall victim to well-executed IAB campaigns. Defense-in-depth and rapid incident response are critical.
• Open-source tools enable sophisticated attacks. The use of Masscan, Shodan, CyberStrike, and Kali Linux demonstrates how readily available tools can be weaponized. Defenders must understand attacker tooling to build effective countermeasures.
• Operational security (OPSEC) failures enable forensic reconstruction. The exposed attacker directories, logs, and credential files provided critical intelligence. Threat intelligence sharing and public reporting are essential for community defense.
• The campaign is evolving. With ongoing sniffer operations and infrastructure updates, FortiBleed remains a live threat. Continuous monitoring and adaptive defenses are required.
• Collaboration is key. SOCRadar’s investigation, initiated by a LinkedIn post from security researcher Volodymyr “Bob” Diachenko, underscores the value of community-driven threat intelligence.

Prediction:

• +1 The exposure of FortiBleed will drive widespread adoption of MFA and credential hygiene across FortiGate deployments, reducing the attack surface for similar IAB campaigns in the short term.
• -1 The IAB model will proliferate, with more threat actors adopting credential-harvesting pipelines as a service, increasing the frequency and scale of initial access compromises.
• -1 Ransomware groups will leverage FortiBleed-harvested credentials to accelerate attacks, leading to a surge in data extortion and operational disruptions through mid-2027.
• +1 Security vendors will develop specialized detection rules for `diagnose sniffer packet` abuse and FortiGate SSH brute-force patterns, improving visibility and response capabilities.
• -1 The use of AI-powered tools like CyberStrike will lower the barrier to entry for sophisticated attacks, enabling less-skilled actors to execute complex campaigns.
• +1 Regulatory bodies will mandate stricter controls for edge devices and remote access, driving compliance-driven security improvements across critical infrastructure sectors.
• -1 State-aligned actors will increasingly collaborate with IABs, blurring the lines between cybercrime and cyberwarfare and complicating attribution and response.
• +1 The forensic reconstruction of FortiBleed will serve as a case study for security training, improving defender preparedness and incident response readiness.

▶️ Related Video (80% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Flavioqueiroz Fortibleed – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky