
FortiBleed
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
Determine exposure window: Pull the FortiGate system event logs and identify the earliest successful admin login from a source IP inside the campaign's /24 blocks. Treat every credential that authenticated through the affected FortiGate from that time onward as compromised. If log retention does not reach back far enough to find the first such login, assume the window opened at the start of the retained logs.
Inventory affected credentials: Export the full FortiVPN user list plus any accounts that may have authenticated against services that route through the affected FortiGate (Exchange, SharePoint, cloud portals, etc.).
Check SOCRadar FortiBleed Free Checker: Submit your organization's IP ranges to https://socradar.io/free-tools/fortibleed to determine if your FortiGate devices appear in the campaign's known target set.
Isolate affected FortiGate devices: Disable internet-facing management interfaces immediately. If it is safe to do so, gracefully fail over VPN load to unaffected devices.
Revoke all active VPN sessions: List active SSL-VPN sessions with 'get vpn ssl monitor' and terminate every one of them (the guidance cites 'diagnose vpn ssl del-tunnel'; confirm the exact syntax against the CLI reference for your FortiOS release). This cuts off reuse of captured session tokens by the campaign's curl_replay.sh, but only in combination with the credential reset below: a still-valid password lets the attacker simply open a new session.
Invalidate all web session cookies: If the FortiGate proxies access to web applications (OWA, SharePoint, cloud portals), coordinate with those application owners to invalidate all active sessions and force re-authentication.
Factory reset and firmware re-flash: For confirmed compromised FortiGate devices, perform a factory reset and re-flash firmware from an image downloaded from Fortinet's support portal and verified against the published checksum. Do not restore from a FortiGate backup taken during the suspected compromise window, since the backup may include attacker-created admin accounts or modified settings.
Rebuild configuration from hardened baseline: Reconfigure from a hardened baseline template (DISA STIG or CIS FortiGate Benchmark). Do not simply restore the pre-compromise configuration.
Forced credential reset, expanded scope: Reset passwords for all FortiVPN users; all accounts that may have authenticated through the affected FortiGate; all admin accounts on connected Active Directory domains (credentials exposed in LDAP binds or Kerberos exchanges that traversed the device); all email accounts whose SMTP/IMAP credentials passed through it; and every service account observed in the PCAP data.
Post-incident threat hunt: Use SOCRadar's XTI platform to search for organizational domains, IP ranges, and user email addresses appearing in known IAB marketplaces and stealer log datasets. SOCRadar expects FortiBleed-harvested credentials to appear in dark web markets within 2-4 weeks of collection.
Engage FortiGuard PSIRT: Report confirmed compromise details to Fortinet's Product Security Incident Response Team for telemetry contribution and coordinated response.
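The first two steps (determine the exposure window, inventory affected credentials) are mechanical enough to script. The following is an added example, not part of the campaign guidance and not a Fortinet or SOCRadar tool. It parses FortiGate-style key=value event log lines, finds the earliest successful admin login from a campaign block, and collects every account that authenticated through the device from that point on. The sample log lines are constructed to resemble FortiGate syslog output; the field names (type, subtype, action, status, user, srcip) follow the usual FortiGate event-log layout but should be checked against your own FortiOS version, and the 203.0.113.0/24 block is a documentation placeholder standing in for the campaign's real ranges.

```python
"""Exposure-window and affected-credential triage over FortiGate event logs.

Added example; not the campaign guidance's own code and not a Fortinet tool.
Sample lines are constructed; field names are assumptions to verify against
your FortiOS release.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample: one attacker admin login (from the placeholder block),
# one legitimate admin login, one failed attempt, and SSL-VPN logins before
# and after the attacker's first successful login.
SAMPLE_LOGS = [
    'date=2024-03-01 time=08:15:02 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=198.51.100.20',
    'date=2024-03-02 time=22:41:17 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.77 ui="https(203.0.113.77)"',
    'date=2024-03-03 time=09:02:44 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="bob" remip=198.51.100.31',
    'date=2024-03-03 time=09:10:00 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.9',
    'date=2024-03-04 time=07:30:12 type="event" subtype="system" action="login" status="success" user="netops" srcip=10.0.5.2',
    'date=2024-03-05 time=18:20:55 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="carol" remip=198.51.100.44',
]

# Placeholder (TEST-NET-3) for the campaign's /24 blocks; assumed, not real IoCs.
CAMPAIGN_BLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# key=value pairs; values are either a double-quoted string or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict, unquoting values."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def event_time(fields: dict) -> datetime:
    """Combine the separate date and time fields into one timestamp."""
    return datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")


def in_campaign_blocks(ip: str, blocks=CAMPAIGN_BLOCKS) -> bool:
    """True if ip falls inside any campaign block; malformed values are ignored."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in blocks)


def exposure_window_start(lines, blocks=CAMPAIGN_BLOCKS):
    """Earliest successful admin login sourced from a campaign block, or None."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if (f.get("type") == "event" and f.get("subtype") == "system"
                and f.get("action") == "login" and f.get("status") == "success"
                and in_campaign_blocks(f.get("srcip", ""), blocks)):
            hits.append(event_time(f))
    return min(hits) if hits else None


def credentials_in_scope(lines, start):
    """Accounts that authenticated through the device at or after `start`:
    SSL-VPN users whose tunnel came up, plus admins with a successful login."""
    users = set()
    if start is None:
        return users
    for line in lines:
        f = parse_line(line)
        if f.get("type") != "event" or event_time(f) < start:
            continue
        if f.get("subtype") == "vpn" and f.get("action") == "tunnel-up":
            users.add(f["user"])
        elif (f.get("subtype") == "system" and f.get("action") == "login"
              and f.get("status") == "success"):
            users.add(f["user"])
    return users


if __name__ == "__main__":
    start = exposure_window_start(SAMPLE_LOGS)
    print("exposure window starts:", start)
    print("credentials to reset:", sorted(credentials_in_scope(SAMPLE_LOGS, start)))
```

On the constructed sample the window opens at the 2024-03-02 attacker login; alice's earlier VPN session is out of scope, while admin, bob, netops and carol all land on the reset list. Feed the functions real exported logs one line at a time, and widen `credentials_in_scope` to whatever other authentication events (LDAP, RADIUS, proxied web logins) your FortiGate records.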