A large-scale credential-harvesting campaign has compromised over 30,000 Fortinet firewalls and VPN gateways across 194 countries, according to cybersecurity firms SOCRadar and Hudson Rock. The attackers used a combination of credential stuffing, password spraying, brute-force attempts, and reused passwords from prior leaks to breach tens of thousands of devices used by companies including Foxconn, Samsung, Siemens, Lenovo, Oracle, PwC, Accenture, and Comcast.

What Happened

The campaign, dubbed FortiBleed, relies on credential reuse and password spraying against exposed Fortinet management and VPN interfaces. The attackers scan the internet for Fortinet devices, try a curated list of known passwords against each one, and record every successful login. Once a device is compromised, they use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by.
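The pattern described above (one source trying a list of passwords against many accounts, then logging in successfully) leaves a recognisable trail in VPN authentication logs. The following is an added detection sketch, not part of the original report or any Fortinet tooling; the log lines are constructed in a FortiGate-style key=value format, and the field names and action values (`subtype`, `action`, `remip`, `user`, `ssl-login-fail`, `ssl-login`) are assumptions approximating FortiOS SSL VPN events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a FortiGate-style key=value event-log format.
# Field names and action values are assumptions, not copied from a device.
SAMPLE_LOGS = [
    'date=2024-01-10 time=08:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="alice"',
    'date=2024-01-10 time=08:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="bob"',
    'date=2024-01-10 time=08:00:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="carol"',
    'date=2024-01-10 time=08:00:07 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="dave"',
    'date=2024-01-10 time=08:00:09 type="event" subtype="vpn" action="ssl-login" remip=203.0.113.5 user="dave"',
    'date=2024-01-10 time=08:01:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="erin"',
    'date=2024-01-10 time=08:01:30 type="event" subtype="vpn" action="ssl-login" remip=198.51.100.7 user="erin"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def detect(lines, window=timedelta(minutes=10), min_users=3):
    """Return (spray_sources, suspect_logins).

    spray_sources: {remip: sorted usernames} for IPs that failed logins
      against at least min_users distinct accounts within `window`.
    suspect_logins: [(remip, user)] successful logins from an IP that was
      already spraying, i.e. the credential most likely to be compromised.
    """
    fails = defaultdict(list)          # remip -> [(timestamp, user)]
    spray_sources, suspect_logins = {}, []
    for ev in map(parse, lines):
        if ev.get("subtype") != "vpn":
            continue
        ts = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
        ip, user = ev.get("remip"), ev.get("user")
        # Drop failures older than the window so the count is rate-based.
        fails[ip] = [(t, u) for t, u in fails[ip] if ts - t <= window]
        if ev.get("action") == "ssl-login-fail":
            fails[ip].append((ts, user))
            tried = {u for _, u in fails[ip]}
            if len(tried) >= min_users:
                spray_sources[ip] = sorted(tried)
        elif ev.get("action") == "ssl-login" and ip in spray_sources:
            suspect_logins.append((ip, user))
    return spray_sources, suspect_logins
```

The single failed attempt from 198.51.100.7 followed by a success is left alone, since one mistyped password is normal user behaviour; only the source that cycled through several accounts is flagged, along with the account it eventually got into.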

SOCRadar identified over 30,791 compromised devices spanning 21,108 unique IP addresses and 8,316 unique domains across government, telecommunications, healthcare, education, financial services, and critical infrastructure sectors. Hudson Rock's analysis put the figure higher at 73,932 unique Fortinet URLs, based on a dataset first flagged by security researcher Volodymyr Diachenko.

Background and Context

The attackers executed an estimated 1.16 billion credential-based attempts against more than 320,000 FortiGate targets while simultaneously launching 2.1 billion brute-force attempts against 160,000 MSSQL servers. The operation's technical sophistication extends beyond simple credential stuffing. Once inside a device, attackers intercept SSL VPN authentication hashes and crack them offline using a dedicated 45-GPU cluster managed via Hashtopolis.

The compromised devices then serve as listening posts that harvest additional credentials from traversing traffic, creating a self-reinforcing cycle of unauthorized access. India and the US accounted for nearly one-third of all identified credential compromises, with telecommunications bearing the brunt at more than 5,600 devices and government agencies representing 591 compromised systems across 111 domains.

Why It Matters to the Industry

The FortiBleed campaign highlights the importance of robust security measures for adult-industry platforms and operators. The attackers' use of credential stuffing, password spraying, and brute-force attempts underscores the need for strong authentication and access controls. The fact that compromised devices are being used as listening posts to capture additional credentials emphasizes the importance of monitoring network traffic and implementing incident response procedures.

The campaign's reliance on reused passwords from prior leaks also highlights the need for robust password management practices, including regular password rotation and multi-factor authentication. Adult-industry platforms and operators must prioritize security measures that prevent credential reuse and protect against brute-force attacks.

What Comes Next

SOCRadar has identified technical evidence pointing to Russian-speaking threat actors, noting that victim selection was "heavily weighted toward organizations in NATO member countries." The attackers left an operational server exposed, giving researchers visibility into their infrastructure and victim database. The campaign's most striking feature is what it lacks: a malware payload or Fortinet zero-day exploit.

FortiBleed serves as a wake-up call for adult-industry platforms and operators to review their security measures and implement robust protection against credential harvesting campaigns. By prioritizing strong authentication, access controls, and incident response procedures, they can mitigate the risk of compromise and protect their users' sensitive information.

Key Facts

  • Over 30,000 Fortinet firewalls and VPN gateways compromised across 194 countries.
  • Attackers used credential stuffing, password spraying, brute-force attempts, and reused passwords from prior leaks to breach devices.
  • Compromised devices serve as listening posts to capture additional credentials from traversing traffic.
  • India and the US accounted for nearly one-third of all identified credential compromises.
  • Telecommunications sector was most affected, with over 5,600 compromised devices.
  • Government agencies represented 591 compromised systems across 111 domains.