A campaign of exceptional scale, dubbed FortiBleed by researchers, has compromised approximately 75,000 Fortinet FortiGate firewalls - roughly half of all internet-facing devices. VPN and administrative credentials were exfiltrated across 194 countries, affecting multinationals including Samsung, Siemens, FedEx, Accenture and Oracle.
How the attack works
Attackers target the exposed SSL VPN interface of FortiGate devices. Once authentication is intercepted, password hashes are cracked using a 45-GPU cluster orchestrated via Hashtopolis - a distributed cracking tool. The recovered credentials are then used to break into internal Active Directory environments.
The industrial scale of the operation is confirmed by the numbers:
- 1.16 billion credential attempts against 320,777 FortiGate targets
- 2.1 billion attempts against 163,650 associated MSSQL servers
Confirmed damage
At least 4 organisations fully compromised, including a Turkish NATO defence contractor with classified documents stolen. Identified victims include Fortune 500 companies.
Fortinet claims the published data comes from previously known incidents. The researchers behind the discovery dispute this.
Are you affected?
If your infrastructure relies on a Fortinet FortiGate firewall with SSL VPN enabled, you are potentially exposed. This also applies if your IT service provider uses a FortiGate to access your systems - check with them whether they are affected and what measures have been taken.
Hudson Rock provides a free verification tool: hudsonrock.com/fortinet - enter your domain to find out whether credentials associated with your organisation have been compromised.
Immediate actions
- Rotate passwords: all VPN and Fortinet administrator accounts, without exception
- Enable MFA on the admin interface and VPN portal
- Audit recent connections: look for unusual access, especially from foreign IPs or outside normal business hours
- Check Active Directory accounts: look for unplanned account creations or privilege escalations
- Restrict admin interface access: block direct internet exposure if not already done
Heavy Mind managed IT clients
We do not use FortiGate to access your environments. Our monitoring and access infrastructure relies on separate solutions.
No action is required on your part in this context.
Not a managed IT client?
If you have a FortiGate or your service provider uses one, we can help:
- Exposure audit: review of your SSL VPN configuration, exposed access points and signs of compromise
- Remediation: credential rotation, configuration hardening, MFA activation
- Ongoing monitoring: proactive detection of abnormal access across your network perimeter
Let's talk about your needs and build the right solution together.
Contact usSources: The Register · Volodymyr Diachenko / SecurityDiscovery