
Introduction:
The firewall was always supposed to be the last line of defense – the impregnable gateway separating the trusted internal network from the hostile internet. In June 2026, that illusion shattered. The FortiBleed campaign, investigated by SOCRadar’s Threat Research Unit (STRU), has evolved into one of the largest ransomware operations ever documented, compromising over 86,644 Fortinet FortiGate firewalls across 194 countries and harvesting more than 110 million credentials. What makes this campaign particularly alarming is that it exploits no zero-day vulnerability – it weaponizes operational security failures, turning trusted network appliances into passive listening posts for every credential traversing the network.
Learning Objectives:
- Understand the complete five-stage attack chain of the FortiBleed campaign, from reconnaissance to data exfiltration
- Master the technical mechanics of the FortigateSniffer tool and how it abuses FortiOS diagnostic functions
- Learn defensive strategies, including credential rotation, MFA enforcement, and integrity verification for FortiGate devices
1. The FortigateSniffer Arsenal: Turning Firewalls into Password Collectors
The core weapon in the FortiBleed operation is FortigateSniffer (also tracked as fg_sniffer), a Golang-based tool compiled for both Linux (fg_sniffer_linux_amd64) and Windows (fg_sniffer_windows_amd64.exe). Rather than deploying traditional malware, the tool abuses FortiOS’s own built-in diagnostic command – `diagnose sniffer packet` – to passively intercept all authentication traffic traversing a compromised firewall across 24 protocols, including RADIUS, NTLM, Kerberos, LDAP, RDP, SMB, MSSQL, FTP, Telnet, and WinRM.
Once sniffed, the raw SSH terminal output is converted into `.pcapng` format by the SNIFTRAN engine, then processed through a PCAP Deep Analysis Toolkit (v5.0) that extracts cleartext credentials, NTLMv2 hashes, Kerberos TGS/ASREP tickets, and session cookies.
Evasion Techniques:
- GeoIP-based filtering using a binary-search-optimized `ipgeo.csv` to avoid targeting specific regions
- Business-hour scheduling restricting active sniffing to 07:00–18:00 Moscow Time to minimize anomaly alerts during off-hours
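Because the harvesting runs on the firewall's own `diagnose sniffer packet` command, the most direct place to look for it is the device's CLI audit trail. The following is an added example (not code from SOCRadar, Fortinet or the FortiBleed tooling) that scans constructed FortiOS-style audit lines for sniffer invocations, converts each timestamp to Moscow time to test the 07:00–18:00 scheduling pattern described above, and rates a run as high risk when it dumps full frames on the authentication protocols the article lists. The `date=… time=… tz=… user=… srcip=… msg=…` layout of the sample lines is an assumption for illustration, not a verified FortiOS log format; the reading of sniffer verbosity levels 3 and 6 as full-frame dumps follows FortiOS documentation.

```python
"""Hunt for credential-harvesting use of `diagnose sniffer packet` in FortiOS audit
events and test whether the runs cluster in the 07:00-18:00 Moscow window.

Added example, not code from SOCRadar, Fortinet or the FortiBleed tooling. The
log lines are constructed; their key=value layout is an assumption loosely
modelled on FortiOS event logs, not a verified FortiOS format."""
import re
from datetime import datetime, timedelta, timezone

# Moscow has been a fixed UTC+3 since 2014, so a static offset is enough (no tzdata needed).
MSK = timezone(timedelta(hours=3))
BUSINESS_START, BUSINESS_END = 7, 18          # window the article attributes to the operator

# FortiOS sniffer verbosity: levels 3 and 6 dump the full frame, which is what a
# converter to pcap/pcapng needs; levels 1, 2, 4 and 5 print headers only.
FULL_FRAME_LEVELS = {3, 6}

# Protocols the article says the tool targets, keyed by their usual TCP/UDP port.
AUTH_PORTS = {21: "FTP", 23: "Telnet", 88: "Kerberos", 389: "LDAP", 445: "SMB",
              1433: "MSSQL", 1812: "RADIUS", 3389: "RDP", 5985: "WinRM"}

# Constructed sample (assumed layout): device-local timestamps with an explicit tz, here UTC.
SAMPLE_LOG = """\
date=2026-06-02 time=05:12:41 tz="+0000" user="admin" srcip=203.0.113.7 msg="diagnose sniffer packet any 'port 389 or port 88 or port 1812' 6 0 a"
date=2026-06-02 time=05:13:02 tz="+0000" user="admin" srcip=203.0.113.7 msg="diagnose sniffer packet any 'port 445 or port 3389' 6 0 a"
date=2026-06-02 time=11:40:10 tz="+0000" user="netops" srcip=10.0.0.5 msg="get system status"
date=2026-06-02 time=20:05:33 tz="+0000" user="netops" srcip=10.0.0.5 msg="diagnose sniffer packet wan1 'icmp' 4 10"
date=2026-06-03 time=04:58:19 tz="+0000" user="admin" srcip=203.0.113.7 msg="diagnose sniffer packet any 'port 21 or port 23 or port 5985' 6 0 a"
"""

LINE_RE = re.compile(
    r'date=(?P<date>\S+) time=(?P<time>\S+) tz="(?P<tz>[+-]\d{4})" '
    r'user="(?P<user>[^"]*)" srcip=(?P<srcip>\S+) msg="(?P<msg>[^"]*)"'
)
# diagnose sniffer packet <interface> '<filter>' <verbose> [count] [tsformat]
SNIFFER_CMD_RE = re.compile(
    r"diagnose\s+sniffer\s+packet\s+(?P<iface>\S+)\s+'(?P<bpf>[^']*)'\s+(?P<verbose>\d)",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one audit line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def to_msk(date, time, tz):
    """Convert a device-local timestamp with a +HHMM/-HHMM offset to Moscow time."""
    sign = 1 if tz[0] == "+" else -1
    offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    local = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=offset)
    return local.astimezone(MSK)


def in_business_window(dt_msk):
    """True when the Moscow-time hour falls inside 07:00-18:00."""
    return BUSINESS_START <= dt_msk.hour < BUSINESS_END


def auth_protocols_in_filter(bpf):
    """Names of targeted authentication protocols mentioned as ports in the BPF filter."""
    ports = {int(p) for p in re.findall(r"\bport\s+(\d+)", bpf)}
    return sorted(AUTH_PORTS[p] for p in ports if p in AUTH_PORTS)


def analyze(log_text):
    """Return one finding per sniffer invocation with the indicators that matter."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        cmd = SNIFFER_CMD_RE.search(ev["msg"])
        if cmd is None:
            continue                       # not a sniffer invocation
        verbose = int(cmd.group("verbose"))
        when = to_msk(ev["date"], ev["time"], ev["tz"])
        findings.append({
            "user": ev["user"], "srcip": ev["srcip"],
            "interface": cmd.group("iface"), "filter": cmd.group("bpf"),
            "verbose": verbose, "full_frame": verbose in FULL_FRAME_LEVELS,
            "auth_protocols": auth_protocols_in_filter(cmd.group("bpf")),
            "msk_time": when.strftime("%Y-%m-%d %H:%M"),
            "in_msk_window": in_business_window(when),
        })
    return findings


def high_risk(findings):
    """Full-frame captures of authentication protocols: what a credential harvester
    needs. A header-only ICMP capture at verbose 4 is routine troubleshooting."""
    return [f for f in findings if f["full_frame"] and f["auth_protocols"]]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        tag = "HIGH" if f in high_risk([f]) else "info"
        print(f"[{tag}] {f['msk_time']} MSK window={f['in_msk_window']} "
              f"{f['user']}@{f['srcip']} {f['interface']} '{f['filter']}' v{f['verbose']} "
              f"{','.join(f['auth_protocols']) or '-'}")
```

On a real deployment, feed the script the FortiGate's system event log (exported or forwarded to syslog) after adjusting `LINE_RE` to the exact field layout your FortiOS version emits; the scoring logic is independent of the line format. The Moscow-window flag is a corroborating signal, not proof: a legitimate admin in that time zone will trip it too, so weight it together with the source address and the filter contents.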
Linux Commands to Check for Suspicious Sniffer Processes:
```bash
# Check for unauthorized diagnose sniffer processes ([d] keeps grep from matching itself)
ps aux | grep -i "[d]iagnose sniffer"
# Review FortiOS CLI history for unauthorized commands
grep -i "diagnose sniffer packet" /tmp/cli_history.log
# Check for unexpected .pcap or .pcapng files modified in the last 30 days
find / -name "*.pcap*" -type f -mtime -30 2>/dev/null
```
Windows Forensic Commands (if FortiGate is managed via Windows EMS):
```powershell
# Check for the FortigateSniffer Windows binary
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Name -match "fg_sniffer" }
# Review Windows logon events (4624 = successful logon, 4625 = failed logon)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } | Select-Object TimeCreated, Message
```
2. The Five-Stage Attack Chain: An Industrialized Credential Factory
The FortiBleed operation follows a methodical, five-phase lifecycle that researchers have described as an “industrialized harvesting operation”.
Phase 1: Reconnaissance & Credential Sourcing
Attackers used Masscan for broad port sweeps, Shodan_Recon for passive enrichment via SSL/certificate metadata, and FortiProbe-fast to classify targets into FortiGate/non-FortiGate/dead. Custom scripts (match_corps.py, merge_revenue.py, build_report.py) then ranked targets by corporate revenue before any exploitation began – reflecting deliberate, economic-value-driven targeting rather than indiscriminate opportunism.
Phase 2: Pairing & Initial Access
The tool `gen_rotator` generated host-credential Cartesian product combo files. These fed into `mpbrute2.bin` for SSH brute-force attacks against FortiGate admin accounts using 16 product-specific wordlists, and into `forticheck` (up to 25,000 threads) for SSLVPN portal credential stuffing. By the operation’s end, `ssh.txt` contained 237,330 working FortiGate SSH credentials.
Phase 3: Sniffer Deployment & Harvesting
With valid SSH credentials, the attackers logged into each compromised FortiGate and deployed FortigateSniffer. Observed deployments covered 6,127 devices, with a 90% SSH credential validation success rate.
Phase 4: Cracking & Lateral Movement
The attackers leveraged a 45-GPU cluster (10× RTX 4090) using Hashtopolis and Hashcat to crack hashes at scale. Rented `vast.ai` capacity supplemented their cracking infrastructure.
Phase 5: Exfiltration
The actor executed a targeted DFS backup exfiltration against a NATO-aligned defense contractor.
3. The Infrastructure Behind the Breach: A Peek Inside the Attacker’s Lab
SOCRadar’s investigation revealed the attacker’s complete offensive infrastructure:
- Isolated Kali VM lab for controlled testing
- Hashtopolis / Hashcat GPU clusters for distributed cracking
- Rented vast.ai capacity for supplemental GPU power
- CyberStrike automation for orchestration
The attackers made a critical mistake – their infrastructure was briefly exposed through open directory indexing, giving researchers a partial view of the toolchain, automated scanning scripts, credential-testing tools, shell histories, cron jobs, GPU cluster configuration, and the verified-credential database itself.
Commands to Hunt for FortiBleed IOCs in Your Environment:
```bash
# FortiOS CLI: list admin accounts and check for unauthorized ones
show system admin
# Syslog host: review authentication logs for the known IOC source
# 85.11.187.8 / AS211486 (honeypot finding)
grep "85.11.187.8" /var/log/forti.log
# Check for residual SHA-256 hashes in the old-password field of a super_admin config backup
grep -i "old-password" /path/to/fortigate-backup.conf
```
Windows: Check for unauthorized RDP/SMB access from suspicious IPs
```powershell
# Failed logons (4625) whose source address is the known IOC IP
# (in event 4625, Properties[19] is the IpAddress field)
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4625]]" |
    Where-Object { $_.Properties[19].Value -eq "85.11.187.8" }
```
4. Why Patches Won’t Save You: The Operational Security Failure
FortiBleed is not caused by a software vulnerability in Fortinet products. There is no CVE and no patch to apply. The attackers sourced passwords from prior Fortinet breach dumps (including the 2021 leak tied to CVE-2018-13379 that exposed roughly half a million accounts) and infostealer malware logs.
Fortinet introduced stronger PBKDF2 hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1 – but on upgraded devices, administrator passwords remain stored as weaker salted SHA-256 until each admin next logs in, and legacy hashes can persist in a hidden ‘old-password’ field.
Critical Remediation Steps:
- Treat all administrator and VPN credentials on exposed devices as compromised and reset them immediately
- Enforce multi-factor authentication (MFA) on all administrative and remote access accounts
- Restrict management interfaces to trusted internal networks – they should not be internet-facing
- Enforce PBKDF2 by requiring every administrator to log in once after upgrade, or resetting remaining accounts via a super_admin
- In FortiOS v7.2.x and v7.4.x, enable `login-lockout-upon-weaker-encryption` to remove residual SHA-256 hashes
FortiGate CLI Commands for Hardening:
```
# Enable login lockout upon weaker encryption (FortiOS 7.2.x / 7.4.x)
config system global
    set login-lockout-upon-weaker-encryption enable
end
# Force PBKDF2 password hashing by resetting the password
config system admin
    edit <admin_name>
        set password <new_password>
        set force-pbkdf2 enable
    next
end
# Restrict admin access to trusted IPs only
config system admin
    edit <admin_name>
        set trusthost1 <IP/mask>
        set trusthost2 <IP/mask>
    next
end
```
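The remediation steps and the CLI hardening above all reduce to settings that are visible in a FortiGate configuration backup, so the state of a fleet can be audited offline before anyone touches a device. The following is an added example (not SOCRadar's or Fortinet's code) that parses a constructed backup excerpt and reports, per admin account, the weaknesses this section describes: management login reachable from any source, no MFA, a residual `old-password` hash, and PBKDF2 not forced, plus the missing global lockout setting. The `trusthost*`, `two-factor`, `old-password`, `force-pbkdf2` and `login-lockout-upon-weaker-encryption` keys are used as this article presents them, and the `ENC` values in the sample are placeholders, not real hashes.

```python
"""Audit a FortiGate configuration backup for the weaknesses the article ties to
FortiBleed: admin logins reachable from any source, no MFA, residual old-password
hashes, PBKDF2 not forced, and the global weak-hash lockout left disabled.

Added example, not SOCRadar's or Fortinet's code. The backup excerpt is
constructed and the ENC values are placeholders, not real hashes."""
import shlex

SAMPLE_BACKUP = """\
config system global
    set admintimeout 5
    set admin-sport 443
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
        set force-pbkdf2 enable
        set password ENC PLACEHOLDER_HASH_1
    next
    edit "vendor-support"
        set accprofile "super_admin"
        set password ENC PLACEHOLDER_HASH_2
        set old-password ENC PLACEHOLDER_HASH_3
    next
    edit "readonly-nms"
        set accprofile "prof_admin"
        set trusthost1 0.0.0.0 0.0.0.0
        set password ENC PLACEHOLDER_HASH_4
    next
end
"""

NO_TRUSTHOST = "management login allowed from any source IP (no restrictive trusthost)"
NO_MFA = "no two-factor configured"
OLD_HASH = "residual old-password hash present; reset the password"
NO_PBKDF2 = "force-pbkdf2 not enabled"
NO_LOCKOUT = "login-lockout-upon-weaker-encryption not enabled"


def parse_fortios_config(text):
    """Return {section_path: {entry_name: {key: [values]}}}.
    'set' lines outside an edit block are stored under entry name None."""
    tree, stack = {}, []          # stack holds [section_path, current_entry]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles the quoted names FortiOS emits
        kw = tokens[0]
        if kw == "config":
            name = " ".join(tokens[1:])
            # a table nested inside an edit entry gets a path under its parent
            path = f"{stack[-1][0]}/{stack[-1][1]}/{name}" if stack else name
            tree.setdefault(path, {})
            stack.append([path, None])
        elif kw == "edit":
            stack[-1][1] = tokens[1]
            tree[stack[-1][0]].setdefault(tokens[1], {})
        elif kw == "set":
            path, entry = stack[-1]
            tree[path].setdefault(entry, {})[tokens[1]] = tokens[2:]
        elif kw == "next":
            stack[-1][1] = None
        elif kw == "end":
            stack.pop()
    return tree


def is_open_trusthost(values):
    """A trusthost of 0.0.0.0 0.0.0.0 permits every source, same as no trusthost at all."""
    return len(values) >= 2 and values[0] == "0.0.0.0" and values[1] == "0.0.0.0"


def audit(tree):
    """List (scope, problem) pairs for the settings this article tells you to fix."""
    findings = []
    glob = tree.get("system global", {}).get(None, {})
    if glob.get("login-lockout-upon-weaker-encryption", ["disable"])[0] != "enable":
        findings.append(("system global", NO_LOCKOUT))
    for name, settings in tree.get("system admin", {}).items():
        if name is None:
            continue
        hosts = [v for k, v in settings.items() if k.startswith("trusthost")]
        if not hosts or any(is_open_trusthost(h) for h in hosts):
            findings.append((name, NO_TRUSTHOST))
        if settings.get("two-factor", ["disable"])[0] == "disable":
            findings.append((name, NO_MFA))
        if "old-password" in settings:
            findings.append((name, OLD_HASH))
        if settings.get("force-pbkdf2", ["disable"])[0] != "enable":
            findings.append((name, NO_PBKDF2))
    return findings


if __name__ == "__main__":
    for scope, problem in audit(parse_fortios_config(SAMPLE_BACKUP)):
        print(f"{scope}: {problem}")
```

Run it against `execute backup config` output from each device (or the backups your management platform already holds); every account that appears in the `old-password` or `force-pbkdf2` findings goes on the reset list the first remediation step above calls for, and every `trusthost` finding marks an admin that can be reached from wherever the management interface is exposed.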
5. The SOCRadar FortiBleed Exposure Checker: Your First Line of Defense
SOCRadar has released a free FortiBleed Exposure Checker at `https://socradar.io/free-tools/fortibleed`. Organizations can instantly verify whether their IP addresses or domains appear in the FortiBleed dataset – the attacker’s operational database as discovered by SOCRadar researchers, cross-referenced against broader threat intelligence.
How to Use the Checker:
1. Navigate to `https://socradar.io/free-tools/fortibleed`
2. Enter your organization’s IP address block or domain
3. Review the results for any exposed credentials
4. If exposed, immediately rotate all credentials and initiate incident response
Additional Verification Commands:
```bash
# Check whether your FortiGate is exposed on Shodan (Shodan CLI, queried by public IP)
shodan host <your_public_ip> | grep -i fortigate
# Verify SSL VPN portal exposure: fetch the served certificate and look for Fortinet in it
openssl s_client -connect <your_fortigate_ip>:443 -servername <your_domain> </dev/null 2>/dev/null \
  | openssl x509 -noout -text | grep -i "fortinet"
```
6. Attribution: The Lynx / INC Ransomware Connection
Through extensive technical analysis, SOCRadar has officially linked the FortiBleed threat actor to the Lynx / INC ransomware group – a notorious operation active since 2023 with a history of targeting healthcare, government, and manufacturing sectors.
Tooling with Cyrillic-alphabet comments suggests a possible Russian origin, with the operator handle `@Clarksome` observed in recovered tooling. The campaign shows a heavy targeting bias toward NATO member countries, with confirmed exfiltration from a NATO-aligned defense contractor.
7. Active Hunting: Detecting FortiBleed in Your Environment
Linux (FortiGate CLI):
```
# Check for unauthorized configuration changes and admin sessions
diagnose sys admin list
# Review authentication logs
diagnose log view | grep -i "failed login"
# Check for active SSH sessions
diagnose sys session list | grep -i ssh
# Verify no unauthorized sniffers are running
diagnose sys top 5 10 | grep -i sniffer
```
Windows (if managing FortiGate via FortiClient EMS):
```powershell
# Check for unauthorized EMS API calls (CVE-2026-35616 related)
Get-WinEvent -LogName "FortiClient EMS" -MaxEvents 50 |
    Where-Object { $_.Message -match "API|unauthorized|bypass" }
# Review scheduled tasks for unknown jobs
Get-ScheduledTask | Where-Object { $_.TaskName -match "forti|sniffer|harvest" }
```
Network-Level Detection:
```bash
# Monitor for outbound capture files by their file magic at the start of a TCP payload.
# libpcap magic is 0xa1b2c3d4 (seen on the wire as 0xd4c3b2a1 when the file was written
# little-endian); pcapng files start with the block type 0x0a0d0d0a.
# Only cleartext transfers can match: SSH payloads are encrypted, so a capture pulled over
# port 22 will not trigger this. Pair it with volume and destination baselines for SSH flows.
tcpdump -i any -n 'tcp and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0xd4c3b2a1 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0xa1b2c3d4 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x0a0d0d0a)'
# Detect SSH brute-force attempts: count failed passwords per source IP
# ("from <ip>" is extracted explicitly because the field position shifts for "invalid user" lines)
grep -E 'sshd.*Failed password' /var/log/auth.log | grep -oE 'from [0-9.]+' | awk '{print $2}' | sort | uniq -c | sort -nr
```
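The per-source failure count above is a good first pass, but the FortiBleed Phase 2 pattern that matters is a burst of failures from one source followed by a success, which means a stuffed credential pair was valid. The following is an added example (not SOCRadar's code) that parses constructed OpenSSH-format auth.log lines, reproduces the per-source tally, and additionally flags any successful login from a source that had already failed at least `threshold` times.

```python
"""Parse sshd auth.log lines: failures per source IP (as the shell one-liner does)
plus the case that signals a successful brute-force or credential-stuffing run:
an accepted login from a source that had just been failing repeatedly.

Added example, not SOCRadar's code; the log lines are constructed in the
standard OpenSSH auth.log layout."""
import re
from collections import defaultdict

# Constructed sample: six failures then a success from one source, one benign miss from another.
SAMPLE_AUTH_LOG = """\
Jun  2 08:12:01 fw-mgmt sshd[2201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jun  2 08:12:03 fw-mgmt sshd[2202]: Failed password for invalid user fortinet from 203.0.113.7 port 51024 ssh2
Jun  2 08:12:05 fw-mgmt sshd[2203]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Jun  2 08:12:07 fw-mgmt sshd[2204]: Failed password for invalid user root from 203.0.113.7 port 51028 ssh2
Jun  2 08:12:09 fw-mgmt sshd[2205]: Failed password for admin from 203.0.113.7 port 51030 ssh2
Jun  2 08:12:11 fw-mgmt sshd[2206]: Failed password for admin from 203.0.113.7 port 51032 ssh2
Jun  2 08:12:13 fw-mgmt sshd[2207]: Accepted password for admin from 203.0.113.7 port 51034 ssh2
Jun  2 09:00:00 fw-mgmt sshd[2310]: Failed password for netops from 10.0.0.5 port 40000 ssh2
Jun  2 09:00:10 fw-mgmt sshd[2311]: Accepted publickey for netops from 10.0.0.5 port 40001 ssh2
"""

# "invalid user" is optional: sshd inserts it when the account does not exist.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def failures_by_source(log_text):
    """Map source IP -> {"count": failed attempts, "users": usernames tried}."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["count"] += 1
            stats[ip]["users"].add(user)
    return dict(stats)


def top_sources(log_text, n=10):
    """Equivalent of `... | sort | uniq -c | sort -nr | head -n N`."""
    stats = failures_by_source(log_text)
    return sorted(((ip, s["count"]) for ip, s in stats.items()), key=lambda t: -t[1])[:n]


def success_after_failures(log_text, threshold=5):
    """Accepted logins from a source with >= threshold prior failures: (ip, user, failures)."""
    failed_so_far = defaultdict(int)
    hits = []
    for line in log_text.splitlines():   # order matters: failures must precede the success
        m = FAILED_RE.search(line)
        if m:
            failed_so_far[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            _method, user, ip = m.groups()
            if failed_so_far[ip] >= threshold:
                hits.append((ip, user, failed_so_far[ip]))
    return hits


if __name__ == "__main__":
    for ip, count in top_sources(SAMPLE_AUTH_LOG):
        print(f"{count:6d} {ip}  users={sorted(failures_by_source(SAMPLE_AUTH_LOG)[ip]['users'])}")
    for ip, user, failures in success_after_failures(SAMPLE_AUTH_LOG):
        print(f"ALERT: {user} accepted from {ip} after {failures} failures")
```

A hit from `success_after_failures` on a management host is the point at which the credential in question should be treated as compromised and rotated, regardless of whether any sniffer has yet been found on the device; the FortiGate's own admin-login events can be fed through the same two regexes once adapted to its message text.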
What Undercode Say:
- Key Takeaway 1: FortiBleed is not a vulnerability – it’s an operational security crisis. The campaign exploits poor password hygiene, exposed management interfaces, and failure to rotate credentials after prior breaches. No patch will fix this; only proactive credential management and network segmentation can prevent it.
- Key Takeaway 2: The attack chain represents a new paradigm in credential harvesting – turning the victim’s own firewall into a listening post. With over 110 million credentials harvested across 16,000+ corporate networks, the downstream impact will be felt for years as ransomware groups purchase access from the IAB.
- Key Takeaway 3: The exposed operational server was a gift to defenders, but the attackers have learned and adapted. Organizations must assume compromise if their FortiGate has been internet-facing with default or unchanged credentials. Incident response should include re-imaging or integrity scanning of devices before bringing them back online.
Prediction:
-1 The FortiBleed dataset will continue to fuel ransomware attacks for 12–18 months as access brokers sell validated credentials to multiple threat actors, leading to a wave of secondary breaches across healthcare, government, and critical infrastructure sectors.
-1 The campaign has demonstrated that perimeter devices are no longer just entry points – they are persistent collection sensors. This will force a fundamental reassessment of firewall trust models, with organizations moving toward zero-trust architectures that treat all network devices as potentially hostile.
+1 The disclosure and free availability of the SOCRadar Exposure Checker will enable thousands of organizations to rapidly identify exposure, potentially preventing hundreds of ransomware incidents before they occur.
+1 Fortinet’s accelerated adoption of PBKDF2 hashing and mandatory MFA enforcement across their product line will raise the baseline security posture for all FortiGate deployments, making future credential-stuffing campaigns significantly more difficult.
-1 The Russian-speaking threat actor behind FortiBleed has demonstrated unprecedented operational maturity – from automated scanning and GPU cracking to business-hour evasion and revenue-based targeting. This playbook will be adopted by other IABs, spawning copycat campaigns against other network appliance vendors.
-1 The NATO defense contractor breach proves that even well-resourced organizations with classified data are vulnerable when perimeter credentials are exposed. This will trigger a wave of regulatory action and potentially reshape defense procurement cybersecurity requirements.
Reported By: Huzeyfe Fortibleed – Hackers Feeds