FortiBleed Unmasked: How an Exposed Attacker Server Revealed a 75,000-Device Credential Apocalypse + Video

Introduction:

The line between a catastrophic data breach and an inflated security narrative has never been thinner. In June 2026, the cybersecurity community was rocked by reports of “FortiBleed”—a massive credential-compromise campaign allegedly affecting over 75,000 internet-facing Fortinet FortiGate firewalls and SSL VPN gateways across 194 countries. However, a critical distinction emerged: FortiBleed is not a software vulnerability, zero-day exploit, or newly disclosed Fortinet flaw. Rather, it is the label given to a verified dataset of working device credentials that a financially motivated threat group assembled through credential reuse, brute-force attacks, and offline GPU-assisted hash cracking against exposed devices. The campaign came to light only because the operators made a catastrophic operational security error—they left their own back-end server exposed to the internet with an open, browsable directory, allowing researchers from CloudSEK and SpyCloud to reconstruct the entire attack infrastructure from credential harvesting to access sales.

Learning Objectives:

  • Understand the full attack chain of the FortiBleed credential-harvesting campaign, from internet-wide scanning to VPN session replay and Active Directory enumeration.
  • Identify the exposed attacker infrastructure, including tooling, automation scripts, and cracking platforms such as Hashtopolis and Vast.ai GPU rentals.
  • Implement immediate hardening measures, configuration audits, and credential storage upgrades to protect FortiGate devices from similar credential-based attacks.

You Should Know:

1. The Attack Chain: From Internet-Wide Scanning to Network Intrusion

The FortiBleed operation represents a sophisticated, highly automated credential-compromise pipeline. The attackers did not rely on a single exploit but instead orchestrated a multi-stage process that transformed exposed management interfaces into validated access credentials. The attack chain unfolded as follows:

  • Phase 1: Reconnaissance and Scanning – The threat actors conducted internet-wide scanning targeting FortiGate, Sophos, Synology, MSSQL, and other exposed services. They systematically identified internet-facing Fortinet devices with accessible management or SSL VPN interfaces. The scale was immense: researchers documented approximately 1.16 billion credential attempts across more than 320,000 FortiGate targets.

  • Phase 2: Credential Testing and Validation – Using a curated password list developed through a mix of previous breaches, infostealer logs, and successful exploitation of older vulnerabilities, the attackers performed password spraying and brute-force authentication against exposed services. They tested, validated, and catalogued working credentials using custom scripts including panel.js, check.js, and `panel_final.js` found in the exposed directory.

  • Phase 3: Configuration Extraction and Hash Harvesting – Depending on the permissions obtained, the actors extracted device configuration files, including stored administrator credentials and password hashes. They also intercepted authentication hashes from active SSL VPN sessions. Many affected systems stored administrator credentials using older hashing approaches that were significantly less resistant to offline password cracking.

  • Phase 4: Offline GPU-Assisted Cracking – The attackers leveraged a dedicated 45-GPU cluster managed through Hashtopolis, a distributed hash-cracking platform, to crack intercepted hashes offline. The exposed directory revealed a layered cracking architecture including `bot.py` for Telegram-based control, Hashtopolis instances, and `hashpanel.log` for tracking cracking progress.

  • Phase 5: Active Directory Enumeration and Lateral Movement – Once inside victim networks, the attackers used Impacket-based tools to enumerate Active Directory, harvest Kerberos tickets, capture NTLM hashes, extract Group Policy data, and retrieve credentials stored in AD fields. The exposed toolkit included ad_enum.py, spray_admin.sh, spray_da.py, and various password wordlists.

  • Phase 6: Target Enrichment and Access Sale – The attackers enriched target records with revenue, industry, and employee data using scripts such as match_corps.py, merge_revenue.py, build_report.py, and build_full_map.py. They prioritized valuable organizations and packaged validated VPN or SSH access for potential sale on cybercrime forums.

Step‑by‑step guide for defenders to detect this attack chain:

Linux Command – List the administrator sessions currently open on the device (user, source address, login time) and drop your own management hosts from the output. `get system admin list` is the live session view; `show system admin` is the configuration. Do not filter on the word "admin", as the original one-liner did, or you hide every session of the account the attackers most often have:

ssh admin@<FortiGate-IP> "get system admin list" | grep -v -E "<trusted-IP-1>|<trusted-IP-2>"

FortiOS CLI – Show admin login events from the local event log (category 1 is the event log; the filters persist for the CLI session until `execute log filter reset`). Failed logins carry status="failed" and a reason field, successes status="success"; the source address is in the srcip and ui fields:

execute log filter category 1
execute log filter field subtype system
execute log display

Windows PowerShell – Pull the Domain Controller events that the Impacket phase leaves behind. Impacket does not name itself in the Security log, so match on what its tools do: NTLM network logons (4624, logon type 3) and RC4-encrypted service-ticket requests (4769, encryption type 0x17), which is what ticket harvesting looks like from the DC:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4769; StartTime=(Get-Date).AddDays(-7)} |
  Where-Object { $_.Message -match 'Authentication Package:\s+NTLM|Ticket Encryption Type:\s+0x17' } |
  Select-Object TimeCreated, Id, Message
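The commands above are manual spot checks. As an added example (not code from the CloudSEK/SpyCloud analysis or from Fortinet), the Python script below does the same work over an exported FortiOS event log: it groups admin and SSL VPN login events by source address, reports bursts of failures that touch several accounts (the Phase 2 spray) and, more importantly, any success that follows such a burst, which is the validated credential the operators catalogued and sold. The log lines embedded in it are constructed; the detection keys on the action/status fields rather than on specific log IDs, so it applies equally to `execute log display` output and to logs forwarded over syslog.

```python
"""Detect credential spraying and brute force against FortiGate admin and
SSL VPN logins from FortiOS event-log lines.

Added example for this article; it is not code from the CloudSEK/SpyCloud
analysis or from Fortinet. Input is key=value FortiOS event-log text, as
printed by `execute log display` or received over syslog. The sample lines
are constructed: the field names (date, time, user, srcip, remip, action,
status) follow FortiOS conventions, the addresses and values are illustrative.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# key=value pairs; a value is either "quoted, may contain spaces" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: a spray against the admin UI from 203.0.113.5 that ends in a
# valid login, three SSL VPN failures from 198.51.100.7 followed by a tunnel, and
# one legitimate admin login from the management network.
SAMPLE_LOG = """\
date=2026-06-02 time=10:15:01 type="event" subtype="system" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.5) because of invalid password"
date=2026-06-02 time=10:15:02 type="event" subtype="system" user="forticloud" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="name_invalid"
date=2026-06-02 time=10:15:03 type="event" subtype="system" user="fortiuser" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="name_invalid"
date=2026-06-02 time=10:15:04 type="event" subtype="system" user="fortinet-support" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="name_invalid"
date=2026-06-02 time=10:15:05 type="event" subtype="system" user="fortinet-tech-support" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="name_invalid"
date=2026-06-02 time=10:15:09 type="event" subtype="system" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.5)"
date=2026-06-02 time=10:20:00 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl" remip=198.51.100.7 user="jsmith" reason="sslvpn_login_permission_denied"
date=2026-06-02 time=10:20:02 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl" remip=198.51.100.7 user="jsmith" reason="sslvpn_login_permission_denied"
date=2026-06-02 time=10:20:04 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl" remip=198.51.100.7 user="jsmith" reason="sslvpn_login_permission_denied"
date=2026-06-02 time=10:20:07 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=198.51.100.7 user="jsmith" msg="SSL tunnel established"
date=2026-06-02 time=11:00:00 type="event" subtype="system" user="netops" ui="ssh(10.0.0.12)" srcip=10.0.0.12 action="login" status="success"
"""


def parse_line(line):
    """Return {key: value} for one FortiOS key=value log line, quotes removed."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def classify(ev):
    """Map an event to (kind, outcome, user, source_ip), or None if it is not a login."""
    action = ev.get("action", "")
    if action == "login":                      # admin GUI/SSH/console login
        outcome = "success" if ev.get("status") == "success" else "failed"
        return "admin", outcome, ev.get("user", "?"), ev.get("srcip", "?")
    if action == "ssl-login-fail":             # SSL VPN authentication failure
        return "sslvpn", "failed", ev.get("user", "?"), ev.get("remip", "?")
    if action == "tunnel-up":                  # SSL VPN tunnel established
        return "sslvpn", "success", ev.get("user", "?"), ev.get("remip", "?")
    return None


def detect_spray(lines, fail_threshold=5, spray_users=3, success_after=3,
                 window=timedelta(minutes=10)):
    """Return findings per source IP:
      * a burst of >= fail_threshold failures inside `window`, labelled 'spray'
        when it touches >= spray_users distinct accounts, else 'bruteforce';
      * any success preceded by >= success_after failures inside the window,
        i.e. the validated credential the operators catalogued."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        c = classify(ev)
        if c is None:
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        kind, outcome, user, src = c
        by_src[src].append((ts, kind, outcome, user))

    findings = []
    for src, events in sorted(by_src.items()):
        events.sort()
        recent = []                 # (timestamp, user) of failures still inside the window
        burst_reported = False
        for ts, kind, outcome, user in events:
            recent = [f for f in recent if ts - f[0] <= window]
            if outcome == "failed":
                recent.append((ts, user))
                users = sorted({u for _, u in recent})
                if len(recent) >= fail_threshold and not burst_reported:
                    findings.append({"src": src, "at": ts,
                                     "type": "spray" if len(users) >= spray_users else "bruteforce",
                                     "failures": len(recent), "users": users})
                    burst_reported = True
            elif len(recent) >= success_after:
                findings.append({"src": src, "at": ts,
                                 "type": f"{kind}-success-after-failures",
                                 "failures": len(recent), "users": [user]})
    return findings


if __name__ == "__main__":
    # pipe a real export in (`python3 detect_spray.py < fgt-events.log`), else run on the sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in detect_spray(text.splitlines()):
        print(f'{f["at"]} {f["src"]:<16} {f["type"]:<32} failures={f["failures"]} users={",".join(f["users"])}')
```

On the sample this reports the five-account spray from 203.0.113.5, the admin login that followed it, and the SSL VPN tunnel that came up after three failures for jsmith; the netops login from the management network produces nothing. Raise fail_threshold on portals that see constant background noise, and lower success_after to 1 when you are chasing one specific source address.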

2. The Exposed Infrastructure: A Treasure Trove of Attacker Tooling

The attackers’ operational security failure provided an unprecedented window into their entire working environment. The exposed server, accessible at the time at IP address 85.11.187.8 on port 9999, held 319 files constituting the operators’ complete working environment. Rather than relying on advertised figures, CloudSEK reconstructed the campaign from these primary artefacts.

The exposed directory contained several critical categories of files:

  • Scanning and Validation – panel.js, check.js, `panel_final.js` – JavaScript-based tools for scanning and validating credentials against FortiGate targets.

  • Cracking Infrastructure – `bot.py` (Telegram-controlled bot for managing cracking operations), Hashtopolis instances, `hashpanel.log` – the complete logging of hash-cracking activities.

  • Credential and Target Datasets – corps.txt, fsd_sort.txt, creds_with_pass.txt, `targets_300M_plus.txt` – massive databases of credentials and targets, with some files referencing over 300 million targets.

  • Enrichment and Attribution – match_corps.py, merge_revenue.py, build_report.py, `build_full_map.py` – Python scripts for enriching credential data with business intelligence.

  • Quality Control – clean_honeypots.py, `fake_ips.txt` – scripts to filter out honeypots and fake IP addresses from the target list.

  • Post-Exploitation Toolkit – ad_enum.py, spray_admin.sh, spray_da.py, `pass_` wordlists – tools for Active Directory enumeration, password spraying against domain admins, and password cracking.

  • Live Access – `vpn5.conf` – a working SSL VPN configuration into a victim network, demonstrating active, ongoing access at the time of discovery.

Step‑by‑step guide for infrastructure hardening:

  1. Immediately terminate all admin and VPN sessions and reset all credentials, especially on internet-facing systems.
  2. Restrict external management of your devices via trusted hosts, local-in policy, or ideally remove internet administration altogether.
  3. Review and validate configuration – compare to a known good configuration, paying particular attention to unrecognized accounts such as “forticloud, fortiuser, fortinet-support, fortinet-tech-support”.
  4. Check logs for unexpected administrator access from unknown IP addresses and domain controller logs for lateral movement.

Linux Command – Verify current admin accounts and their source IP restrictions:

ssh admin@<FortiGate-IP> "show system admin" | grep -E "edit|set trusthost"

Linux Command – Pull the full running configuration over the same SSH session and diff it against your last known-good export. (A TFTP backup with `execute backup config tftp <filename> <tftp-server-IP>` also works, but sends the file in cleartext, so only do that from a management network you trust.)

ssh admin@<FortiGate-IP> "show full-configuration" > fgt-current.conf
diff -u fgt-known-good.conf fgt-current.conf

3. Credential Storage Weaknesses: Why Older Hashes Were Catastrophically Vulnerable

A critical technical finding from the FortiBleed analysis centers on how FortiGate devices store administrator credentials. Many affected systems stored administrator passwords using older hashing approaches that were significantly less resistant to offline cracking: a single salted SHA-256 (shown as ENC SH2… in the configuration) and, on devices carried forward from older releases, salted SHA-1 (ENC AK1…), both of which a GPU rig evaluates at billions of guesses per second. Fortinet has since migrated administrator passwords in newer FortiOS releases to PBKDF2 (Password-Based Key Derivation Function 2), which iterates the hash and multiplies the cost of every guess. However, the upgrade does not rehash anything: documentation indicates that existing passwords remain in the older format until the password is reset or the user logs in again.

This created a perfect storm for the attackers: systems where passwords had not been changed for years, or where dormant admin accounts persisted, kept their legacy hashes even after upgrading. The attackers could lift those hashes from extracted configuration files and feed them to the 45-GPU Hashtopolis cluster, where a fast hash gives up weak, reused or dictionary-derived passwords in minutes. Only a long random password survives that treatment, which is why resetting passwords after the upgrade matters as much as the upgrade itself.

Step‑by‑step guide for upgrading credential storage:

  1. Upgrade to the latest versions of FortiOS 7.4, 7.6, or 8.0, which support PBKDF2 hashing of administrator credentials.
  2. Enforce PBKDF2 as the hash function for administrator accounts by following Fortinet’s guidance to remove older legacy password settings via set login-lockout-upon-weaker-encryption.
  3. Reset all administrator passwords after the upgrade to ensure they are stored using the new PBKDF2 algorithm.
  4. Implement phishing-resistant MFA on all remote access and administrative accounts.

FortiOS CLI Commands – Reset an administrator password after the upgrade (the new value is stored with the current hash function) and apply the lockout-on-weaker-encryption setting the guidance cites; confirm the exact name and location of that setting in the release notes for your FortiOS build before pasting:

config system admin
    edit <admin_name>
        set password <new_password>
        set login-lockout-upon-weaker-encryption enable
    next
end

FortiOS CLI – Verify which hash format each stored admin password uses. The prefix after ENC identifies it: AK1 is salted SHA-1 (hashcat mode 7000), SH2 is salted SHA-256 (hashcat mode 26300). An account still showing either prefix after the upgrade has not been re-stored and needs its password reset:

show system admin | grep -E "edit|set password"
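The configuration review in the hardening steps earlier and the hash-format check here are the same task: read the exported configuration and look for specific settings. As an added example that is neither Fortinet's nor the researchers' code, the Python script below parses `show` output into a dictionary and reports the five conditions this article asks you to check: management services on WAN interfaces, administrators without trusthost, admin hashes still in the legacy AK1 or SH2 formats, the account names called out in the advisories, and local VPN users without two-factor. The configuration embedded in it is constructed, with placeholder hash strings; the prefix-to-format mapping is real, while treating any other prefix as a PBKDF2 hash is an assumption to confirm against your build's release notes.

```python
"""Audit a FortiGate configuration export for the weaknesses the FortiBleed
operators exploited: management services on WAN interfaces, administrators
without trusthost restrictions, admin passwords still in a legacy hash format,
unrecognised account names, and local VPN users without two-factor.

Added example for this article, not from Fortinet or the original reporting.
Input is `show` / `show full-configuration` text; the sample is constructed and
its hash strings are placeholders. The legacy prefixes are real (ENC AK1 is
salted SHA-1, ENC SH2 is salted SHA-256); assuming any other prefix is a
post-upgrade PBKDF2 hash is this script's assumption, not vendor documentation.
"""
import sys
from collections import defaultdict

LEGACY_HASH_PREFIXES = ("AK1", "SH2")
SUSPICIOUS_ADMIN_NAMES = {"forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support"}
MGMT_SERVICES = {"http", "https", "ssh", "telnet"}

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC SH2PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.0.0
        set password ENC AK1PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxx=
    next
    edit "forticloud"
        set accprofile "super_admin"
        set password ENC SH2PLACEHOLDERyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy=
    next
end
config user local
    edit "jsmith"
        set type password
        set passwd ENC PLACEHOLDER
    next
end
"""


def parse_fortios_config(text):
    """Turn config/edit/set/next/end text into {config path: {entry: {key: raw value}}}.
    A stack tracks nested config blocks; `set` lines outside an `edit` go under ''."""
    result = defaultdict(dict)
    stack = []                                   # [path, current entry name] per open block
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append([line[7:], None])
        elif line.startswith("edit ") and stack:
            name = line[5:].strip().strip('"')
            stack[-1][1] = name
            result[stack[-1][0]].setdefault(name, {})
        elif line.startswith("set ") and stack:
            key, _, value = line[4:].partition(" ")
            path, entry = stack[-1]
            result[path].setdefault(entry or "", {})[key] = value.strip()
        elif line == "next" and stack:
            stack[-1][1] = None
        elif line == "end" and stack:
            stack.pop()
    return result


def audit(cfg):
    """Return (scope, name, issue) tuples for every weakness found."""
    findings = []
    for name, a in cfg.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(a.get("allowaccess", "").split())
        if a.get("role") == "wan" and exposed:
            findings.append(("interface", name, "management services reachable on WAN: " + " ".join(sorted(exposed))))
    for name, a in cfg.get("system admin", {}).items():
        if name in SUSPICIOUS_ADMIN_NAMES:
            findings.append(("admin", name, "account name matches those reported in the FortiBleed advisories"))
        enc = a.get("password", "").split()      # `show` renders a stored hash as: ENC <prefix><base64>
        if len(enc) == 2 and enc[0] == "ENC" and enc[1].startswith(LEGACY_HASH_PREFIXES):
            findings.append(("admin", name, f"legacy {enc[1][:3]} password hash; reset so it is stored as PBKDF2"))
        if not any(k.startswith("trusthost") for k in a):   # `show` omits the 0.0.0.0/0 default
            findings.append(("admin", name, "no trusthost restriction: reachable from any source address"))
    for name, a in cfg.get("user local", {}).items():
        if a.get("type", "password") == "password" and "two-factor" not in a:
            findings.append(("user", name, "local password user without two-factor"))
    return findings


if __name__ == "__main__":
    # `python3 fgt_audit.py fgt-current.conf`, or no argument to run on the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for scope, name, issue in audit(parse_fortios_config(SAMPLE_CONFIG if text is SAMPLE_CONFIG else text)):
        print(f"[{scope}] {name}: {issue}")
```

Run against the `show full-configuration` export you diffed earlier rather than against the device directly, so the audit works on the same artefact you archive. On the sample it flags wan1 (https and ssh reachable from the internet), every admin except netops for having no trusthost, all three admins for legacy hashes, forticloud for its name, and jsmith for lacking two-factor; the internal interface is silent because its role is lan.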

4. The Numbers Debate: Inflated Claims vs. Verified Compromises

One of the most contentious aspects of the FortiBleed campaign revolves around the actual number of compromised organizations. While initial reports suggested that 21,632 organizations were compromised, CloudSEK’s analysis of the exposed attacker infrastructure revealed a more nuanced picture:

  • 21,632 entities were attributed through registration and domain-grouping data – this represents organizations that were targeted or had credentials associated with them, not confirmed compromises.
  • 918 organizations had evidence of captured internal Kerberos traffic, indicating deeper network penetration.
  • 148 organizations had cracked and validated Active Directory credentials, confirming deeper compromise.

The distinction is critical: many records contained internal domains such as .LOCAL, .LAN, and .CORP. Some associations may also refer to MSPs, contractors, distributors, or subsidiaries rather than the actual compromised organization. This highlights the danger of conflating “targeted” with “compromised” and underscores the importance of verified threat intelligence.

The campaign’s true scale, however, remains alarming. SOCRadar, Hudson Rock, and other researchers identified affected devices across 194 countries, spanning more than 21,000 domains. The top affected countries were India, the US, and Mexico. The dataset reportedly contains a mix of administrative and SSL VPN credentials recovered from compromised configuration files.

5. Immediate Mitigation and Hardening Actions

Given the scale and severity of the FortiBleed campaign, organizations must take immediate action to protect their FortiGate devices. CISA, Fortinet, and multiple security researchers have provided comprehensive guidance.

Critical Actions to Take Now:

  1. Terminate sessions and reset credentials – Terminate all active SSL VPN and administrative sessions. Reset all Fortinet VPN and administrative passwords, especially on internet-facing systems, and enforce strong password policies.

  2. Implement MFA – Require phishing-resistant MFA on all remote access and administrative accounts and ensure it is enforced on all external gateways and administrative interfaces.

  3. Reduce attack surface – Ensure the administration of your firewall is inaccessible from the public internet; restrict Fortinet management interfaces to trusted internal networks.

  4. Audit configurations – Review firewall, VPN, authentication, and domain controller logs for lateral movement, unusual access, suspicious accounts, or unauthorized configuration changes.

  5. Remove unauthorized accounts – Remove or disable any unauthorized or unnecessary accounts.

Linux Command – Check for suspicious accounts. The names the advisories call out would appear as administrators, but attacker-created VPN identities live in `user local` and in the groups mapped to SSL VPN portals, so review all three:

ssh admin@<FortiGate-IP> "show system admin" | grep -E "forticloud|fortiuser|fortinet-support|fortinet-tech-support"
ssh admin@<FortiGate-IP> "show user local" | grep -E "^ *edit "
ssh admin@<FortiGate-IP> "show user group" | grep -E "^ *edit |set member"

Windows PowerShell – Check the domain for recently created accounts, and review who currently holds Domain Admins, since spray_da.py targets exactly those:

Get-ADUser -Filter {Enabled -eq $true} -Properties Created | Where-Object { $_.Created -gt (Get-Date).AddDays(-30) } | Select-Object Name, SamAccountName, Created
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object Name, SamAccountName, objectClass

Linux Command – Find your own internet-facing FortiGate management and SSL VPN listeners with Nmap. 443 and 8443 are the ports cited above; 10443 is where SSL VPN is most often moved. Match on the certificate as well as the page title, since the login page title is not always set, and print the host header with each hit so you can see which address matched:

nmap -p 443,8443,10443 --script ssl-cert,http-title -oN fgt-scan.txt <target-network>
grep -i -E "Nmap scan report|fortigate|fortinet" fgt-scan.txt

6. Advanced Threat Hunting Indicators

Security teams should actively hunt for indicators of compromise (IoCs) associated with the FortiBleed campaign. The exposed attacker infrastructure provides specific signatures to search for:

Network IoCs:

  • Unusual authentication attempts from IP addresses associated with known scanning infrastructure.
  • Large-volume password failure events followed by successful logins.
  • Unexpected administrative access from unknown IP addresses.
  • Outbound connections to IP 85.11.187.8 (the exposed attacker server). Treat the address as time-bounded: it is where the directory was hosted at discovery, and hosting of this kind is reassigned quickly, so a hit is a strong lead and a miss proves nothing.

Host-based IoCs:

  • Unauthorized admin accounts, particularly forticloud, fortiuser, fortinet-support, and fortinet-tech-support.
  • Unauthorized configuration changes, including new VPN users, firewall rules, or SSL VPN settings.
  • Evidence of Impacket tool usage in Domain Controller logs.
  • Kerberos ticket harvesting activity.

Credential IoCs:

  • Passwords that appear in public breach databases or infostealer logs.
  • Credentials stored using legacy SHA-256 hashing rather than PBKDF2.

Step‑by‑step guide for threat hunting:

FortiOS CLI – Pull the login events for the built-in admin account and compare the srcip/ui field of each against your management hosts:

execute log filter category 1
execute log filter field subtype system
execute log filter field user admin
execute log display

Windows PowerShell – Hunt for Kerberos ticket harvesting: flatten each 4769 event's EventData, keep RC4 (0x17) service-ticket requests, and group them by requesting client to surface any client asking for tickets to three or more services (machine accounts, whose names end in $, are excluded because their random keys are not crackable targets):

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769; StartTime=(Get-Date).AddDays(-7)} |
  ForEach-Object {
    $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]$d
  } |
  Where-Object { $_.TicketEncryptionType -eq '0x17' -and $_.ServiceName -notlike '*$' } |
  Group-Object IpAddress | Where-Object Count -ge 3 | Select-Object Count, Name

FortiOS CLI – List the SSL VPN sessions that are up right now, with the source address of each, and tear down any you do not recognise by its index:

get vpn ssl monitor
execute vpn sslvpn list
execute vpn sslvpn del-tunnel <index>
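The event-log commands above give you the raw records; the Python below, as an added example that is not from the original reporting, shows the two correlations that turn them into findings: RC4 service-ticket requests for several distinct service accounts from one client in a short window (Kerberos ticket harvesting), and one host completing NTLM network logons as several different accounts (what spray_admin.sh and spray_da.py produce as seen from the DC). The event records are constructed; the field names are the standard Security-log EventData names, and the script assumes you have flattened each event's EventData into name/value pairs before exporting to JSON.

```python
"""Hunt Windows Security events for the Active Directory phase of FortiBleed:
Kerberos ticket harvesting (Impacket GetUserSPNs-style requests for
RC4-encrypted service tickets) and one host authenticating over NTLM as many
accounts (what spray_admin.sh / spray_da.py tooling produces on the DC).

Added example for this article, not from the original reporting. Input is a
list of event records whose EventData has been flattened to name/value pairs
(TimeCreated, EventID, TargetUserName, ServiceName, TicketEncryptionType,
LogonType, AuthenticationPackageName, IpAddress); the records below are
constructed.
"""
import json
import sys
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType; roasting tools request RC4 because it cracks fastest

SAMPLE_EVENTS = [
    # Constructed: one client pulls RC4 tickets for four service accounts in 11 seconds ...
    {"TimeCreated": "2026-06-02T10:30:00", "EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.5.23"},
    {"TimeCreated": "2026-06-02T10:30:04", "EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.5.23"},
    {"TimeCreated": "2026-06-02T10:30:07", "EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.5.23"},
    {"TimeCreated": "2026-06-02T10:30:11", "EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc_iis", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.5.23"},
    {"TimeCreated": "2026-06-02T10:30:12", "EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.5.23"},
    # ... a normal AES ticket from another workstation ...
    {"TimeCreated": "2026-06-02T10:31:00", "EventID": 4769, "TargetUserName": "amartin@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.7.9"},
    # ... then NTLM network logons from the first client as three privileged accounts
    {"TimeCreated": "2026-06-02T10:35:00", "EventID": 4624, "TargetUserName": "Administrator",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2026-06-02T10:35:03", "EventID": 4624, "TargetUserName": "backupadm",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2026-06-02T10:35:06", "EventID": 4624, "TargetUserName": "da_ops",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2026-06-02T10:36:00", "EventID": 4624, "TargetUserName": "amartin",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.7.9"},
]


def _ip(ev):
    """Normalise the client address (4769 logs IPv4 clients as ::ffff:a.b.c.d)."""
    return str(ev.get("IpAddress", "")).replace("::ffff:", "")


def hunt_kerberoast(events, min_services=3, window=timedelta(minutes=5)):
    """Flag a client that obtains RC4 service tickets for >= min_services distinct
    service accounts within `window` (event 4769). Machine accounts (names ending
    in $) and krbtgt are skipped: their keys are random and not worth cracking."""
    by_client = defaultdict(list)
    for ev in events:
        svc = ev.get("ServiceName", "")
        if (ev["EventID"] == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            by_client[_ip(ev)].append((datetime.fromisoformat(ev["TimeCreated"]), svc, ev["TargetUserName"]))
    findings = []
    for client, reqs in sorted(by_client.items()):
        reqs.sort()
        for i, (ts, _, requester) in enumerate(reqs):
            services = {s for t, s, _ in reqs[i:] if t - ts <= window}
            if len(services) >= min_services:
                findings.append({"type": "kerberoast", "client": client, "requester": requester,
                                 "services": sorted(services), "at": ts})
                break                       # one finding per client is enough
    return findings


def hunt_ntlm_spread(events, min_accounts=3):
    """Flag a source host that completes NTLM network logons (4624, logon type 3)
    as >= min_accounts different accounts; Impacket's SMB tools authenticate with
    NTLM unless Kerberos is explicitly requested."""
    accounts = defaultdict(set)
    for ev in events:
        if (ev["EventID"] == 4624 and str(ev.get("LogonType")) == "3"
                and ev.get("AuthenticationPackageName") == "NTLM"):
            accounts[_ip(ev)].add(ev["TargetUserName"])
    return [{"type": "ntlm-spread", "client": c, "accounts": sorted(a)}
            for c, a in sorted(accounts.items()) if len(a) >= min_accounts]


if __name__ == "__main__":
    # `python3 ad_hunt.py events.json`, or no argument to run on the sample
    events = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_EVENTS
    for f in hunt_kerberoast(events) + hunt_ntlm_spread(events):
        print(f)
```

On the sample, 10.0.5.23 is reported twice: once for roasting four service accounts as jsmith, once for NTLM logons as Administrator, backupadm and da_ops; the AES ticket and the Kerberos logon from 10.0.7.9 are ignored. Tune min_services against your own baseline, since monitoring agents that query many SPNs can look similar, and keep the window short: the tooling pulls all tickets in one pass, not over hours.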

What Undercode Say:

  • Key Takeaway 1: FortiBleed is fundamentally a credential hygiene crisis, not a software vulnerability. The attackers succeeded not because of a new zero-day, but because organizations failed to implement basic security controls: weak passwords, no multi-factor authentication, exposed management interfaces and outdated credential storage. This campaign serves as a stark reminder that attackers will always target the path of least resistance, and credential reuse remains one of the most effective attack vectors.

  • Key Takeaway 2: The exposed attacker infrastructure provides an unprecedented forensic opportunity. The operators’ operational security failure—leaving their server openly accessible—allowed researchers to reconstruct the entire attack chain, from scanning scripts to live VPN configurations. This level of visibility into attacker operations is rare and invaluable for the security community. It reveals not just what was compromised, but how the attackers think, what tools they prioritize, and how they operationalize stolen credentials at scale.

Analysis: FortiBleed reframes how to think about credential-based attacks at scale. The attackers did not need a new zero-day; they exploited the cumulative effect of years of poor credential hygiene across thousands of organizations. The 45-GPU cracking cluster, the Telegram-controlled bot infrastructure, and the automated enrichment pipeline all point to a highly professionalized, financially motivated operation. That hashes extracted from configuration files and captured from SSL VPN authentication could be cracked offline underscores two points: stored credentials need a slow, iterated hash such as PBKDF2, and remote access needs MFA, because any hash an attacker can carry away is only as strong as the password behind it. Organizations must recognize that "it's not a vulnerability" does not mean "it's not a threat." The absence of a CVE does not equate to safety. The most dangerous attacks often exploit the mundane: weak passwords, exposed interfaces, and outdated configurations. The 148 organizations with validated Active Directory credentials were not breached through a product flaw but through their own security oversights. The campaign also highlights the critical role of threat intelligence in separating signal from noise: the difference between 21,632 "attributed" entities and 148 "confirmed" compromises is the difference between panic and action. Organizations should use this incident not just to patch, but to rethink their approach to credential management, access control, and attack surface reduction.

Prediction:

  • +1 The FortiBleed exposure will drive a significant increase in adoption of phishing-resistant MFA and PBKDF2 credential storage across the enterprise security market, as CISOs prioritize fundamental controls over chasing the next zero-day.

  • +1 The detailed forensic analysis of the exposed attacker infrastructure will become a case study in cybersecurity training programs, teaching defenders how to think like attackers and how operational security failures can be exploited for threat intelligence.

  • -1 The long-tail impact of FortiBleed will persist for years, as many of the 73,932 exposed credentials may remain valid and undetected in environments that have not fully remediated, leading to future breaches that will be incorrectly attributed to new vulnerabilities.

  • -1 The campaign’s success will embolden other threat actors to invest in similar large-scale credential harvesting operations, leading to a wave of copycat campaigns targeting other network device vendors, including Sophos, Palo Alto Networks, and Cisco.

  • +1 The incident will accelerate the development of automated credential rotation and zero-trust network access solutions, as organizations recognize that static credentials are an unsustainable security model in the face of GPU-powered cracking at scale.

▶️ Related Video (84% Match):

https://www.youtube.com/watch?v=-c0N08EookI


IT/Security Reporter URL:

Reported By: Flavioqueiroz Fortibleed – Hackers Feeds