
Introduction:
The FortiBleed campaign has exposed a staggering reality: over 86,000 internet-facing FortiGate firewalls across 194 countries have had their administrative credentials compromised. This is not a software vulnerability but an operational security catastrophe—attackers are systematically harvesting credentials through credential stuffing, password spraying, and offline hash cracking. Once inside, they deploy custom sniffers to capture authentication traffic from 24 different protocols, including LDAP, RADIUS, Kerberos, and NTLM, enabling lateral movement into Active Directory and internal networks. Organizations must act now—not tomorrow—to secure their perimeter devices before they become entry points for ransomware, data exfiltration, or full domain compromise.
Learning Objectives:
- Understand the attack vectors, tools, and techniques used in the FortiBleed credential-harvesting campaign
- Implement a comprehensive incident response checklist to identify and remediate compromised FortiGate devices
- Deploy permanent hardening measures including MFA, PBKDF2 hashing, and management interface lockdown to prevent future compromises
You Should Know:
1. Check If Your Organization Is in the FortiBleed Dataset
The first step is determining whether your FortiGate devices appear in the leaked credential database. Several free checkers are available:
- SOCRadar FortiBleed Exposure Checker: Query by IP address or domain against the attacker’s operational database
- Hudson Rock Fortinet Checker: Alternative dataset for cross-referencing
- IP List: Security researcher Kevin Beaumont has published a list of IP addresses associated with compromised devices
How to check manually via FortiGate CLI:
```
# Check currently logged-in administrators
get system admin status
# List all administrator accounts
config system admin
show full-configuration
end
# Review login history (requires logging enabled)
execute log display | grep -i "admin"
```
For Windows/AD administrators: Review domain controller logs for suspicious authentication attempts from FortiGate IPs:
```powershell
# Check for unusual logons from firewall IPs (matching the rendered message
# avoids depending on the event's property index)
Get-WinEvent -LogName Security | Where-Object { $_.Message -match "your-fortigate-ip" }
```
If your organization appears in any dataset, treat all credentials as compromised and proceed immediately to Section 2.
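Beyond one-off grep checks, the login pattern behind FortiBleed (one source trying many usernames, then finally succeeding) can be detected automatically from the firewall's own event logs. The Python script below is an added example for this post, not code from the original article or from Fortinet: it parses FortiOS-style key=value log lines, flags a source IP that fails logins against five or more distinct users within ten minutes, and flags a successful login that follows at least three failures from the same source. The log lines are constructed for the demo, the field names (srcip, user, action, status) follow FortiOS event logs, and the thresholds are assumptions to tune against your own baseline.

```python
"""Detect password spraying / credential stuffing against FortiGate logins.

Added example for this post, not code from the original article or Fortinet.
Log lines below are constructed; field names follow FortiOS event logs,
thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value pairs; values are either quoted (escapes allowed) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: one spraying source (203.0.113.5) and one user typo (198.51.100.7)
SAMPLE_LOGS = """\
date=2026-03-01 time=08:00:01 type="event" subtype="system" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=08:00:03 type="event" subtype="system" user="fortiuser" srcip=203.0.113.5 action="login" status="failed" reason="name_invalid"
date=2026-03-01 time=08:00:05 type="event" subtype="system" user="backup" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=08:00:07 type="event" subtype="system" user="netops" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=08:00:09 type="event" subtype="system" user="jsmith" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=08:00:11 type="event" subtype="system" user="jsmith" srcip=203.0.113.5 action="login" status="success" reason="none"
date=2026-03-01 time=08:05:00 type="event" subtype="system" user="jdoe" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=08:05:20 type="event" subtype="system" user="jdoe" srcip=198.51.100.7 action="login" status="success" reason="none"
"""


def parse_line(line):
    """Turn one FortiOS log line into a dict, stripping quotes from values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def detect_login_abuse(lines, window=timedelta(minutes=10),
                       min_users=5, min_failures_before_success=3):
    """Return alert dicts for spraying and for a success that follows a failure burst."""
    failures = defaultdict(list)    # srcip -> [(timestamp, user)]
    successes = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f.get("action") != "login" or "srcip" not in f:
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        if f.get("status") == "failed":
            failures[f["srcip"]].append((ts, f.get("user", "")))
        elif f.get("status") == "success":
            successes[f["srcip"]].append((ts, f.get("user", "")))

    alerts = []
    for ip, events in failures.items():
        events.sort()
        # Sliding window: distinct usernames tried within `window` of each failure
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts.append({"kind": "spray", "srcip": ip,
                               "distinct_users": len(users), "first_seen": t0})
                break
    for ip, events in successes.items():
        for ts, user in events:
            prior = [u for t, u in failures.get(ip, []) if t <= ts and ts - t <= window]
            if len(prior) >= min_failures_before_success:
                alerts.append({"kind": "success_after_failures", "srcip": ip,
                               "user": user, "failures_before": len(prior)})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Run against real data by feeding it the output of `execute log display` (or the syslog export) instead of SAMPLE_LOGS; the "success_after_failures" alert is the one that should page someone, because it is the point at which a sprayed credential actually worked.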
2. Terminate All Sessions and Reset Credentials Immediately
If there is any indication of compromise, terminate every active administrative and VPN session, then reset all passwords.
Step-by-step guide:
A. Terminate active sessions (FortiGate CLI):
```
# Terminate all administrative sessions
execute admin session kill all
# Terminate all SSL-VPN sessions
execute vpn sslvpn kill all
# Force logout of a specific admin user
execute admin session kill <session_id>
```
B. Reset all administrative passwords:
```
config system admin
    edit <admin_name>
        set password <new_strong_password>
    next
end
```
C. Reset all VPN user passwords:
```
# Locally defined SSL-VPN users live under config user local
# (directory-backed users are reset in the directory, see step D)
config user local
    edit <vpn_user>
        set passwd <new_password>
    next
end
```
D. Force password change on next login (for AD-integrated accounts):
```powershell
# Active Directory: force a password reset at next logon
Set-ADUser -Identity <username> -ChangePasswordAtLogon $true
```
Critical: Ensure new passwords are complex (minimum 16 characters, including uppercase, lowercase, numbers, and special characters) and not reused across any other systems.
3. Enable Multi-Factor Authentication (MFA) on All Admin and VPN Accounts
MFA is the single most effective control against credential-based attacks. CISA explicitly recommends phishing-resistant MFA for all remote access and administrative accounts.
Step-by-step guide for FortiGate:
A. Enable MFA for administrative accounts:
```
config system admin
    edit <admin_name>
        # fortitoken also needs "set fortitoken <serial>", email needs
        # "set email-to <address>", sms needs "set sms-phone <number>"
        set two-factor {fortitoken | email | sms}
    next
end
```
B. Enable MFA for SSL-VPN users:
```
# SSL-VPN MFA is configured on the user object, not on the web portal
config user local
    edit <vpn_user>
        set two-factor {fortitoken | email | sms}
    next
end
```
C. Enforce MFA for all users via authentication rules:
```
config user group
    edit <group_name>
        set member <ldap_server>
        config match
            edit 1
                set server-name <ldap_server>
                set group-name <ldap_group>
            next
        end
    next
end
```
MFA for these directory-backed users is enforced by the OTP-capable RADIUS/FortiAuthenticator server configured next.
For organizations using FortiAuthenticator or third-party MFA: Configure RADIUS authentication with OTP verification:
```
config user radius
    edit <radius_server>
        set server <ip_address>
        set secret <shared_secret>
        set auth-type {auto | pap | chap | ms_chap | ms_chap_v2}
        set nas-ip <fortigate_ip>
    next
end
```
4. Upgrade to FortiOS 7.4, 7.6, or 8.0 and Enforce PBKDF2 Hashing
Many compromised devices stored credentials using weak salted SHA-256 hashes, which attackers cracked offline at scale. Fortinet introduced PBKDF2 support in late 2025, and all organizations must upgrade and enforce this stronger hashing algorithm.
Step-by-step guide:
A. Verify current FortiOS version:
```
get system status | grep "Version"
```
B. Upgrade to a supported version (7.4.x, 7.6.x, or 8.0.x) via GUI or CLI. Always backup configuration before upgrade:
```
execute backup config tftp <filename> <tftp_server>
```
C. Enforce PBKDF2 for administrator credentials (FortiOS 7.2.11+):
```
config system global
    set login-lockout-upon-weaker-encryption enable
end
```
This command removes legacy password hashing settings and ensures all new administrator passwords use PBKDF2.
D. Verify PBKDF2 enforcement:
```
get system global | grep login-lockout-upon-weaker-encryption
```
E. For existing administrators, force password reset to re-hash with PBKDF2:
```
config system admin
    edit <admin_name>
        set password <new_password>
    next
end
```
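To see why the hashing change in this section matters, here is an added Python example (not Fortinet code, and it does not reproduce FortiOS's on-device storage format) that contrasts a single salted SHA-256 digest with PBKDF2-HMAC-SHA256, verifies passwords in constant time under both schemes, and measures how many candidate passwords the machine it runs on can test per second against each. The iteration count, salt and sample passwords are assumptions.

```python
"""Salted SHA-256 versus PBKDF2 for stored administrator credentials.

Added example for this post, not Fortinet code; it does not reproduce FortiOS's
storage format. Iteration count, salt and sample passwords are assumptions.
"""
import hashlib
import hmac
import os
import time

# OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256 (assumption for this demo)
PBKDF2_ITERATIONS = 600_000


def legacy_salted_sha256(password, salt):
    """One SHA-256 over salt||password: unique per user, but cheap to guess at scale."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2_sha256(password, salt, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify(password, salt, stored, iterations=None):
    """Constant-time comparison; iterations=None selects the legacy scheme."""
    if iterations is None:
        candidate = legacy_salted_sha256(password, salt)
    else:
        candidate = pbkdf2_sha256(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def guesses_per_second(hash_fn, n=200):
    """Time n hash computations of distinct candidates and return the throughput."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(n):
        hash_fn("candidate-%d" % i, salt)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return n / elapsed


def work_factor_ratio(iterations=PBKDF2_ITERATIONS, n=20):
    """How many times more work each guess costs under PBKDF2 than under the legacy digest."""
    legacy_rate = guesses_per_second(legacy_salted_sha256, n)
    pbkdf2_rate = guesses_per_second(lambda p, s: pbkdf2_sha256(p, s, iterations), n)
    return legacy_rate / pbkdf2_rate


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = pbkdf2_sha256("Correct-Horse-Battery-16", salt)
    print("verify ok:", verify("Correct-Horse-Battery-16", salt, stored, PBKDF2_ITERATIONS))
    print("work factor ratio (PBKDF2 / SHA-256): %.0f" % work_factor_ratio(n=5))
```

The ratio printed on a laptop CPU is in the hundreds of thousands; the same gap applies to an attacker's GPU rig, which is why a leaked PBKDF2 hash of a 16-character password is not practically crackable while a salted SHA-256 hash of the same password is.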
5. Review Logs and Validate Configuration for Unauthorized Changes
Attackers frequently add backdoor administrator accounts with innocuous-sounding names to maintain persistence.
Step-by-step guide:
A. Check for unauthorized administrator accounts (FortiGate CLI):
```
config system admin
show full-configuration
end
```
Pay particular attention to accounts named: forticloud, fortiuser, fortinet-support, fortinet-tech-support, forticloud-sync, forticloud-tech, Technical_support.
B. Review recent configuration changes:
```
# View configuration change logs
execute log display | grep "configuration"
# Check for suspicious firewall policies (FortiOS policies use "accept", not "allow")
config firewall policy
show | grep -A 10 "accept"
end
```
C. Check VPN user additions:
```
config vpn ssl web portal
show full-configuration
end
```
D. Review domain controller logs for lateral movement (Windows):
```powershell
# Check for suspicious account creation
Get-WinEvent -LogName Security -FilterXPath "[System[EventID=4720]]"
# Check for unusual privilege assignments (member added to a security-enabled global group)
Get-WinEvent -LogName Security -FilterXPath "[System[EventID=4728]]"
# Check for unexpected VPN-related events that mention the firewall IP
Get-WinEvent -LogName Security | Where-Object { $_.Message -match "VPN" -and $_.Message -match "your-fortigate-ip" }
```
E. Compare current configuration against a known-good baseline:
```
# Export current configuration
execute backup config tftp current_config.conf <tftp_server>
# Diff against the previous known-good backup (on the TFTP host)
diff known_good_config.conf current_config.conf
```
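Diffing two backups shows every changed line, but a targeted audit of the administrator block is quicker to act on. The script below is an added example for this post, not code from the original article or from Fortinet: it parses the `config system admin` block of a FortiOS configuration backup, compares the admin accounts with a known-good baseline, and flags the backdoor account names listed in step A, accounts without two-factor, and accounts whose trusthost is missing or set to 0.0.0.0 0.0.0.0. Both configuration snippets are constructed; account names, profiles and the token serial are placeholders.

```python
"""Audit FortiGate administrator accounts against a known-good baseline.

Added example for this post, not code from the original article or Fortinet.
Both configuration snippets are constructed; names, profiles and the token
serial are placeholders.
"""

# Account names the post associates with attacker persistence (compared case-insensitively)
SUSPICIOUS_ADMIN_NAMES = {
    "forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support",
    "forticloud-sync", "forticloud-tech", "technical_support",
}

KNOWN_GOOD_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKPLACEHOLDER00001"
    next
end
"""

# Constructed "current" backup: the legitimate admin plus two accounts an attacker added
CURRENT_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKPLACEHOLDER00001"
    next
    edit "forticloud-sync"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "Technical_support"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""


def parse_config_section(config_text, section="system admin"):
    """Return {entry: {setting: value}} for one top-level `config <section>` block.

    Nested `config ... end` blocks inside an entry are skipped, which is fine for
    config system admin but must be extended before reusing this elsewhere.
    """
    entries, current, inside, nested = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not inside:
            inside = line == "config " + section
            continue
        if line.startswith("config "):
            nested += 1
        elif line == "end":
            if nested == 0:
                break
            nested -= 1
        elif nested:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return entries


def audit_admins(current, baseline):
    """Return (account, finding) pairs; an empty list means nothing to investigate."""
    findings = []
    for name, settings in current.items():
        if name not in baseline:
            findings.append((name, "not present in known-good baseline"))
        if name.lower() in SUSPICIOUS_ADMIN_NAMES:
            findings.append((name, "matches a FortiBleed backdoor account name"))
        if settings.get("two-factor", "disable") == "disable":
            findings.append((name, "two-factor authentication disabled"))
        trusthosts = [v for k, v in settings.items() if k.startswith("trusthost")]
        if not trusthosts:
            findings.append((name, "no trusthost restriction"))
        elif any(v.startswith("0.0.0.0 0.0.0.0") for v in trusthosts):
            findings.append((name, "trusthost allows any source address"))
    for name in baseline:
        if name not in current:
            findings.append((name, "in baseline but missing from current config"))
    return findings


def run_audit():
    """Audit the constructed current config against the constructed baseline."""
    return audit_admins(parse_config_section(CURRENT_CONFIG),
                        parse_config_section(KNOWN_GOOD_CONFIG))


if __name__ == "__main__":
    for account, finding in run_audit():
        print("%-20s %s" % (account, finding))
```

Replace the two string constants with the contents of the exported backups to run it against a real device; the `trusthost 0.0.0.0 0.0.0.0` check catches the case where an attacker leaves the restriction in place syntactically but makes it meaningless.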
6. Reduce Attack Surface – Lock Down Management Access
The attack succeeded because management interfaces were exposed directly to the internet. CISA and Fortinet strongly recommend restricting administrative access to trusted internal networks only.
Step-by-step hardening guide:
A. Remove administrative access from WAN interfaces (GUI):
- Navigate to System > Admin > Settings
- Under Administrative Access, ensure HTTPS/SSH/HTTP/Telnet/PING are not enabled on public-facing interfaces
B. Restrict trusted hosts (CLI):
```
config system admin
    edit <admin_name>
        set trusthost1 <internal_network> <subnet_mask>
        set trusthost2 <management_network> <subnet_mask>
    next
end
```
C. Implement local-in policy (better than trusted hosts):
```
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "fortigate_ip"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end
```
D. Disable internet administration entirely (best practice):
```
config system interface
    edit "wan1"
        set allowaccess ping
    next
end
```
E. Implement geo-IP blocking (if available):
```
# Geography address objects, one per country; add countries based on threat intelligence
config firewall address
    edit "geo-RU"
        set type geography
        set country "RU"
    next
    edit "geo-CN"
        set type geography
        set country "CN"
    next
end
# Deny traffic to the FortiGate itself from those sources, ahead of any allow rule
config firewall local-in-policy
    edit 2
        set intf "wan1"
        set srcaddr "geo-RU" "geo-CN"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
    next
end
```
7. Monitor for Indicators of Compromise (IOCs)
Arctic Wolf’s reverse engineering of the CyberStrike Harvester revealed specific IOCs that organizations should monitor.
Critical IOCs to monitor:
| Indicator | Description |
|---|---|
| `forticheck` | Credential spraying tool used to generate 1.16 billion login attempts |
| `FortigateSniffer` / `SNIFTRAN` | Golang-based sniffer abusing FortiOS `diagnose sniffer packet` to capture credentials across 24 protocols |
| `CyberStrike Harvester v1.5` | Binary that extracts credentials, NetNTLM, Kerberos, cookies, tokens, and RADIUS/TACACS+ data |
| Suspicious admin accounts | forticloud, fortiuser, fortinet-support, fortinet-tech-support, forticloud-sync, forticloud-tech, `Technical_support` |
| Telegram bot activity | Operator handle `@Clarksome` observed in recovered tooling |
Monitoring commands:
```
# Monitor for sniffer activity
diagnose sys top | grep "sniffer"
# Check for unexpected processes
diagnose sys process list
# Monitor real-time authentication logs
diagnose debug enable
diagnose debug application sslvpn -1
diagnose debug application authd -1
```
Network monitoring (Linux):
```bash
# Monitor for unusual outbound connections from the FortiGate IP
tcpdump -i eth0 -n host <fortigate_ip>
# Check for SSH connections to FortiGate from unknown IPs
grep "sshd" /var/log/auth.log | grep <fortigate_ip>
```
What Undercode Say:
- Key Takeaway 1: FortiBleed is not a software vulnerability—it is an operational failure. Organizations that failed to rotate passwords after prior breaches, used default credentials, or left management interfaces exposed are the primary victims. No patch will fix this; only process changes will.
- Key Takeaway 2: The attack chain is sophisticated and automated. Attackers use custom tooling (forticheck, FortigateSniffer, CyberStrike Harvester) to harvest credentials from compromised firewalls, then pivot to Active Directory and internal networks using Impacket and GPU-accelerated hash cracking.
Analysis: The FortiBleed campaign represents a fundamental shift in how perimeter devices are targeted. Firewalls are no longer just protective barriers—they are high-value targets that, when compromised, become credential factories for attackers. With over 430,000 FortiGate devices targeted and 86,000+ compromised, this is one of the largest credential harvesting operations ever documented. The attackers’ use of legitimate FortiOS diagnostic tools (diagnose sniffer packet) for malicious purposes highlights a critical lesson: even built-in administrative features can be weaponized. Organizations must adopt a zero-trust approach to firewall management, treating administrative access as the highest-risk attack vector. The campaign’s scale—1.16 billion login attempts against FortiGate alone—demonstrates that attackers have industrialized credential theft. Defenses must be equally automated, with continuous monitoring, real-time alerting, and mandatory MFA for all administrative functions.
Prediction:
- -1 The FortiBleed dataset will continue to grow as attackers maintain persistence on compromised devices and harvest additional credentials. Organizations that only reset passwords without factory resetting compromised devices risk reinfection.
- -1 We will see a surge in ransomware attacks and data breaches originating from FortiBleed-compromised networks over the next 6-12 months as initial access brokers sell credentials to ransomware groups.
- +1 The incident will accelerate industry-wide adoption of phishing-resistant MFA and zero-trust network access (ZTNA) as organizations realize perimeter firewalls are no longer sufficient protection.
- +1 Fortinet and other firewall vendors will likely implement stronger default security configurations, including PBKDF2 hashing by default and stricter management interface restrictions, in response to this campaign.
- -1 Small and medium-sized businesses (SMBs) with limited security resources will be disproportionately affected, as they often lack the expertise to implement the hardening measures outlined above.
Reported By: Phuong Nguyen – Hackers Feeds