
FortiBleed
FortiBleed is an active credential-harvesting campaign targeting FortiGate SSL-VPN infrastructure globally. The threat actor - assessed as a Russian-origin Initial Access Broker with high confidence - abuses the FortiOS built-in diagnostic sniffer (diagnose sniffer packet) to passively intercept authentication traffic on compromised devices. The campaign has executed 659 documented harvest cycles across 430,000+ FortiGate targets, capturing over 110 million credentials from 80,553 unique devices spanning 23,406 organizational domains. A confirmed data exfiltration event against a NATO-aligned defense contractor was observed on June 15, 2026, indicating actor escalation beyond credential brok
Indicators of Compromise
Hashes (73)
593ab666967bc8f4b60016080cd98a0038b2b3897f2c55eacc5e84f2cbf19ce6
3c6a1352401c78222a0eaffb16c2b3c13d2e5b082f9b147634e9d5612d769e0f
b348795acf06417167dfa75ff31568eb4c63100fd6faaac21d8d82de2cc7b1f3
326a911d793e8ce27b77e335ef957e9f2d0a0c58ebe958f97f41f0f83093fd3d
aa73bd532780c3d8cfdbab5e86f3d141cda398dd669bf798383eda190bcea0c1
350ba5e95edadaf9fda830c15f0d9dae1666054217533ce783c7761e0e080e32
7b5e37edda6ec7b2f7b0ed2c3f944558b75d912a3eba34e3250efc366bea0ba6
7c322680bcb71bee0c2796bda54321285b7384c6678f4540cd86df2a3da46bd6
2fe4711ffe7f010b628b17302c5303fa1bbcdad33a94d2a700b65b433fcf214d
c695335896a3465a34aa623aa955632e2c25ffd7b8494b9994b9a5572a70e33d
52cd26988ec548e013944268bd8efea0f1da93c60545cf7a19535a8c0c9ac68b
94fd8d11403375c6c4a8cf3d3d63379d2835c4199129d362af9b720c19b9a973
33e8cd263bfe68580fbd3548e59ce5104381852d8f8f061bbdab92d9dd1a9ab8
9e4d464be65ee68ab02973a9fdd6747ef42ccb380b88a726b6c6567557ad8e71
e0a3f0bae16fe0c3937d2a78afef62d4237f6d29f4ed99e0336396be7952c66f
706b1d7ce53c4fcb567a3ecc881d8ce7bb6e4be3631a7a94b90bcc77df3fb81f
4c324f3b6a58024584f93c006f6e70ee3567f80dec446033bda68a788b7ea4f9
38353f95fff270f4e3a9d7add8c64666020dd668ce66e15969a736ec48cadc59
74f63dc44fb198e9c4e9c05ebcf9c27c06900e6f877a8a3961f5186410a87a06
eb2544a9fdb55dea6537a1496baec2b11fbd50316d5d82780a789fdcfe9db784
+53 more
IPv4 (434)
213.21.239.65
91.148.237.63
109.205.211.139
213.177.179.66
77.90.185.25
185.93.89.142
213.177.179.56
77.90.185.57
62.60.131.246
188.127.246.99
213.177.179.109
185.93.89.150
213.177.179.98
77.90.185.49
213.171.17.115
91.214.78.252
185.93.89.143
213.171.17.47
185.93.89.141
77.90.185.45
+414 more
Notes
<p><b>Conclusion</b></p>
<p>FortiBleed represents a significant evolution in the Initial Access Broker threat category. Unlike prior IAB campaigns targeting FortiGate, which predominantly relied on disclosed CVEs or third-party stealer log acquisition, the FortiBleed actor developed proprietary collection infrastructure and has operated it continuously since at least February 2026. Three characteristics differentiate this campaign from typical IAB activity:</p>
<ul>
<li>Scale of passive interception: the FortigateSniffer technique does not require a vulnerability; it abuses a legitimate, signed administrative feature of FortiOS. Even a fully patched FortiGate is exposed once its admin credentials are compromised. The actor effectively turns each compromised FortiGate into a credential harvesting node that captures authentication traffic from all other users and services passing through that device.</li>
<li>Industrial automation: the 659 documented harvest cycles, the automated SNIFTRAN processing pipeline, the GPU cracking infrastructure, and the 2,051+ curl_replay.sh scripts demonstrate a level of operational automation that rivals nation-state APT operations. This is not opportunistic exploitation; it is a systematic, factory-scale credential harvesting enterprise.</li>
<li>Escalation trajectory: the June 15, 2026 DFS exfiltration from a NATO-aligned defense contractor marks a critical inflection point. The actor is transitioning from pure credential brokering toward targeted post-exploitation against high-value organizations. This pattern, mass credential harvesting followed by selective high-value targeting, is consistent with pre-ransomware access activity observed from groups like ALPHV/BlackCat and LockBit affiliates.</li>
</ul>
<p>Russian-origin attribution is supported by multiple indicators assessed in combination: Cyrillic-language developer comments present throughout recovered tool source code (FortigateSniffer, PCAP Deep Analysis Toolkit v5.0, HARVEST ENGINE), infrastructure hosted on Eastern European micro-hosters with documented ties to Russian-language cybercriminal ecosystems, and consistent targeting of NATO-affiliated organizations. Taken together, these indicators elevate FortiBleed's geopolitical risk profile beyond a purely financially motivated IAB operation. Possible linkage to ransomware affiliate groups or state-adjacent actors has not been excluded.</p>
<p>Recommended immediate actions: verify organizational exposure via the SOCRadar FortiBleed Exposure Checker (https://socradar.io/free-tools/fortibleed); block the four core /24 infrastructure ranges at the network perimeter; rotate credentials for all FortiVPN users on devices that received inbound connections from confirmed campaign infrastructure; deploy the SIEM detection rules contained in this entry. Organizations in the IT services, defense, financial services, and critical infrastructure sectors should prioritize exposure verification given the observed targeting patterns.</p>
<p><i>Extended technical documentation, including full IOC sets, binary reverse engineering artifacts, infrastructure OSINT mapping, harvest cycle analysis, and the victimology dataset, is available in <a href="https://socradar.io/resources/whitepapers/dismantling-fortibleed-inside-a-russian-fortinet-compromise-operation/">SOCRadar's Dismantling FortiBleed technical intelligence report.</a></i></p>
Mitigation
<p>The following mitigations apply to organizations operating FortiGate SSL-VPN infrastructure. Controls are ordered by implementation priority and estimated impact on reducing exposure to FortiBleed's attack chain.</p>
<p><b>Immediate Actions</b></p>
<ul>
<li>Audit FortiGate admin access: review every administrator account on each FortiGate (config system admin) and immediately disable or remove any account you do not recognize. Check the configuration-change logs for admin accounts created after February 2026, the earliest observed campaign activity.</li>
<li>Rotate all FortiGate SSL-VPN credentials: force password resets for all FortiVPN user accounts. Because the sniffed packets capture post-MFA session data, session tokens are compromised even where password authentication is MFA-protected, and a password reset alone does not invalidate a session that was already captured; terminate all active SSL-VPN sessions as part of the rotation.</li>
<li>Enable FortiGate admin login alerts: log every admin login, CLI session start, and diagnose command execution (FortiOS CLI audit logging, cli-audit-log under config system global, writes executed CLI commands to the event log) and forward the event log to the SIEM immediately via syslog or SNMP traps.</li>
<li>Restrict management interface access: apply trusted-host restrictions (trusthost) to every admin account so that GUI/CLI access is accepted only from specific management station IPs, and do not expose the FortiGate HTTPS management port to the public internet.</li>
<li>Block known campaign infrastructure: null-route and firewall-deny the four core /24 blocks (see IOC section): 85.11.187.0/24, 193.8.187.0/24, 194.113.39.0/24, 77.91.122.0/24.</li>
</ul>
<p><b>Short-Term Controls</b></p>
<ul>
<li>Apply FortiOS security hardening baseline: disable all unused management features and disable SSH if it is not required. Use admin profiles (RBAC) so that only accounts that genuinely need it hold the CLI diagnose permission, which is what gates diagnose sniffer packet; everyone else gets a profile with diagnose commands disabled.</li>
<li>Implement certificate-based VPN authentication: replace username/password VPN authentication with client certificates. Passive packet capture cannot recover the client's private key from a TLS handshake, so a captured session does not yield a reusable credential.</li>
<li>Deploy MFA for VPN: FIDO2/WebAuthn or hardware-token MFA prevents access with a captured password alone. Note that MFA does not stop replay of a captured post-authentication session cookie (this is exactly what the curl_replay.sh scripts do), so certificate authentication is preferable.</li>
<li>Segment FortiGate management traffic: keep the management plane (MGMT port) on a dedicated out-of-band management network that is reachable neither from the internet nor from the general corporate LAN.</li>
<li>Enable FortiGate integrity checking: use FortiOS 'execute certificate verify' and 'diagnose hardware deviceinfo disk' to check for unauthorized firmware modifications or persistence mechanisms installed post-compromise.</li>
</ul>
<p><b>Detection &amp; Monitoring</b></p>
<ul>
<li>Monitor for diagnose sniffer packet CLI executions: any execution of this command outside an approved change window should be treated as a compromise indicator and trigger immediate incident response.</li>
<li>Monitor FortiGate PCAP file creation: alert on creation of .pcap files in /tmp/ or /var/ on FortiGate devices; these files are created by FortigateSniffer during harvest cycles.</li>
<li>Monitor outbound connections from the FortiGate management interface: a FortiGate should not initiate outbound connections to arbitrary internet IPs. Any such connection, especially to the four known /24 blocks, indicates active C2 communication.</li>
<li>Dark web credential monitoring: use SOCRadar's Credential Intelligence module to monitor for organization email domains appearing in FortiBleed-related data dumps sold on IAB forums (Exploit.in, XSS.is, RAMP).</li>
</ul>
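<p>The Detection &amp; Monitoring items above (sniffer executions, admin logins from untrusted or campaign sources) and the Immediate Actions item about admin accounts created after February 2026 can all be checked in one pass over the FortiGate event log. The Python below is an added example written for this entry, not SOCRadar's or Fortinet's code. The log lines are constructed in FortiOS key=value syntax (the field names logdesc, ui, srcip, action, cfgpath and cfgobj follow the FortiOS event-log convention, but confirm the exact message wording against your own device), and the trusted management range 10.10.0.0/24 is an assumption that should mirror your trusthost entries.</p>

```python
"""Triage FortiOS event logs for the FortiBleed admin-abuse pattern.

Added example for this entry; not SOCRadar's or Fortinet's code.
Rules:
  1. any executed CLI command containing "diagnose sniffer packet"
  2. successful admin logins from the four campaign /24 blocks, or from any
     source outside the trusted management range
  3. creation of a new administrator object (cfgpath="system.admin", action="Add")
The sample lines are constructed in FortiOS key=value syntax; confirm field
names and message wording against your own device's event log.
"""
import ipaddress
import re
from collections import namedtuple

Alert = namedtuple("Alert", "severity rule when user src detail")

# The four /24 blocks named in the Mitigation section
CAMPAIGN_BLOCKS = [ipaddress.ip_network(n) for n in (
    "85.11.187.0/24", "193.8.187.0/24", "194.113.39.0/24", "77.91.122.0/24")]

# Assumed trusted management range (should mirror the trusthost entries)
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample log lines (not captured from a real device)
SAMPLE_LOGS = [
    'date=2026-06-15 time=09:58:12 devname="FGT-EDGE-01" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="ssh(10.10.0.5)" method="ssh" srcip=10.10.0.5 action="login" status="success" msg="Administrator admin logged in successfully from ssh(10.10.0.5)"',
    'date=2026-06-15 time=10:22:31 devname="FGT-EDGE-01" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="ssh(85.11.187.42)" method="ssh" srcip=85.11.187.42 action="login" status="success" msg="Administrator admin logged in successfully from ssh(85.11.187.42)"',
    'date=2026-06-15 time=10:22:40 devname="FGT-EDGE-01" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="ssh(85.11.187.42)" action="Add" cfgpath="system.admin" cfgobj="backup2" cfgattr="" msg="Add system.admin backup2"',
    'date=2026-06-15 time=10:23:05 devname="FGT-EDGE-01" type="event" subtype="system" logdesc="CLI command executed" user="admin" ui="ssh(85.11.187.42)" action="Edit" msg="Command executed: diagnose sniffer packet any \'port 389 or port 1812\' 6 0 a"',
    'date=2026-06-15 time=10:40:00 devname="FGT-EDGE-01" type="event" subtype="system" logdesc="Admin login successful" user="noc_ro" ui="https(203.0.113.7)" method="https" srcip=203.0.113.7 action="login" status="success" msg="Administrator noc_ro logged in successfully from https(203.0.113.7)"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_fortios_log(line):
    """Return the key=value fields of one FortiOS log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def source_ip(event):
    """srcip field if present, else the address embedded in ui="ssh(1.2.3.4)"."""
    raw = event.get("srcip")
    if not raw:
        match = UI_IP_RE.search(event.get("ui", ""))
        raw = match.group(1) if match else None
    return ipaddress.ip_address(raw) if raw else None


def in_any(ip, networks):
    return any(ip in net for net in networks)


def triage(lines, trusted=TRUSTED_MGMT):
    """Apply the three rules to every line; return alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse_fortios_log(line)
        ip = source_ip(ev)
        src = str(ip) if ip is not None else "?"
        when = f"{ev.get('date')} {ev.get('time')}"
        msg = ev.get("msg", "")
        # Rule 1: the sniffer itself is never legitimate outside a change window.
        if "diagnose sniffer packet" in msg:
            alerts.append(Alert("CRITICAL", "sniffer_exec", when, ev.get("user"), src, msg))
        # Rule 2: where did the administrator log in from?
        if ev.get("action") == "login" and ev.get("status") == "success" and ip is not None:
            if in_any(ip, CAMPAIGN_BLOCKS):
                alerts.append(Alert("CRITICAL", "login_campaign_ip", when, ev.get("user"), src, msg))
            elif not in_any(ip, trusted):
                alerts.append(Alert("HIGH", "login_untrusted_ip", when, ev.get("user"), src, msg))
        # Rule 3: a new administrator object was added to the configuration.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            alerts.append(Alert("HIGH", "admin_created", when, ev.get("user"), src,
                                f"new admin {ev.get('cfgobj')}"))
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS):
        print(f"[{a.severity}] {a.rule:<20} {a.when} user={a.user} src={a.src} {a.detail}")
```

<p>Run against the constructed sample, the first login (from the trusted range) is silent and the remaining four lines each produce an alert: a login from a campaign /24, the creation of the admin account backup2 from that same session, the sniffer execution, and a login from an address that is neither trusted nor known-bad. In production the same three rules map directly onto SIEM correlation searches over the forwarded FortiGate event log; the point of the login-source rule is that a successful login from outside the trusted management range is itself an incident, whether or not the address is on an IOC list.</p>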
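<p>The admin-account audit, the trusthost check and the admin-profile review from the Immediate Actions and Short-Term Controls lists are easier to repeat across a fleet when run over a saved 'show' of each device's configuration than by clicking through the GUI. The Python below is an added example, not SOCRadar's or Fortinet's code: the configuration fragment is constructed, the baseline of expected administrator names is an assumption, super_admin is treated as the built-in all-permissions profile, and the accprofile attribute name cli-diagnose is assumed to match the FortiOS 7.x CLI syntax.</p>

```python
"""Audit a saved FortiGate configuration for the FortiBleed mitigation items.

Added example for this entry; not SOCRadar's or Fortinet's code. It parses the
'config / edit / set / next / end' syntax of FortiOS 'show' output and flags:
  - administrator accounts outside an expected baseline (unrecognized accounts)
  - administrators with no trusthost restriction (reachable from any source)
  - administrators whose profile allows the diagnose CLI, the permission that
    gates 'diagnose sniffer packet'; super_admin is the built-in
    all-permissions profile, and the accprofile attribute name 'cli-diagnose'
    is assumed to match the FortiOS 7.x CLI syntax.
The configuration below is a constructed fragment, not a real device's.
"""
import shlex

# Assumed organizational baseline of sanctioned administrator accounts
EXPECTED_ADMINS = {"admin", "noc_ro"}

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
        set password ENC redacted
    next
    edit "backup2"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC redacted
    next
    edit "noc_ro"
        set accprofile "noc_readonly"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
        set password ENC redacted
    next
end
config system accprofile
    edit "noc_readonly"
        set sysgrp read
        set netgrp read
        set loggrp read
        set cli-diagnose enable
        set cli-get enable
        set cli-show enable
        set cli-exec disable
        set cli-config disable
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS 'show' output into {(config path, object name): {attr: value}}.

    A stack handles config blocks nested inside an 'edit' entry; multi-token
    values ("10.10.0.0 255.255.255.0") are kept joined by single spaces.
    """
    objects = {}
    stack = []  # each frame: [config path, current object name or None]
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        keyword = words[0]
        if keyword == "config":
            stack.append([" ".join(words[1:]), None])
        elif keyword == "edit":
            stack[-1][1] = words[1]
            objects.setdefault((stack[-1][0], words[1]), {})
        elif keyword == "set":
            path, name = stack[-1]
            objects.setdefault((path, name), {})[words[1]] = " ".join(words[2:])
        elif keyword == "next":
            stack[-1][1] = None
        elif keyword == "end":
            stack.pop()
    return objects


def audit_admins(objects, expected_admins=EXPECTED_ADMINS):
    """Return (severity, account, finding) tuples for every administrator."""
    profiles = {name: attrs for (path, name), attrs in objects.items()
                if path == "system accprofile"}
    findings = []
    for (path, name), attrs in objects.items():
        if path != "system admin":
            continue
        if name not in expected_admins:
            findings.append(("HIGH", name, "unrecognized administrator account"))
        if not any(attr.startswith("trusthost") for attr in attrs):
            findings.append(("HIGH", name, "no trusthost restriction; login accepted from any source"))
        profile = attrs.get("accprofile", "")
        if profile == "super_admin" or profiles.get(profile, {}).get("cli-diagnose") == "enable":
            findings.append(("MEDIUM", name, f"profile {profile} permits diagnose CLI (packet sniffer)"))
    return findings


if __name__ == "__main__":
    for severity, account, finding in audit_admins(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {account}: {finding}")
```

<p>On the constructed fragment the account backup2 is the one that should stop the reader: it is not in the baseline, it has no trusthost, and it holds super_admin, which is precisely the shape of an attacker-created persistence account. The read-only operator account noc_ro is flagged only because its custom profile still enables the diagnose CLI; a read-only profile that can run diagnose sniffer packet is not read-only for the purposes of this campaign.</p>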