A large-scale credential-harvesting operation dubbed FortiBleed has siphoned approximately 110 million credentials by compromising more than 430,000 FortiGate firewalls worldwide, according to a report by The Hacker News.

The campaign, active since at least February 2026, is attributed to a Russian-speaking initial access broker (IAB) motivated primarily by financial gain. IABs typically sell compromised network access to other threat actors — including ransomware operators — on underground markets, and the sheer volume of harvested credentials makes this operation a significant supply-side threat to organisations across every sector.

How FortiBleed Operates

The attackers follow a multi-stage playbook. First, they compile credential lists, likely sourced from prior data breaches and infostealer logs. Next, they scan the internet for exposed FortiGate services that can serve as entry points. With that target list in hand, they run brute-force pipelines, supported by network sniffers, that replay the collected credentials against reachable firewall appliances. Finally, they deliver bespoke payloads to compromised systems, though the precise nature of those payloads is not clear from the available reporting.
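The brute-force stage is the one defenders can see in their own logs. As an added example (not code from the original report or from Fortinet), the following Python flags source IPs that accumulate failed administrator logins inside a short window and, more telling, a successful login from an IP that has just failed repeatedly, which is what a credential-list hit looks like. The log lines are constructed in FortiGate's key=value syslog layout; the logid values and the action/status field names are assumptions to verify against your FortiOS version's log reference, and SSL VPN login events use different fields and would need their own filter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in FortiGate's key=value syslog layout (not real
# device output). logid 0100032002 / 0100032001 are assumed to be "admin login
# failed" / "admin login success"; check them against your log reference.
SAMPLE_LOGS = """\
date=2026-03-01 time=10:00:01 devname="fw-edge" logid="0100032002" type="event" subtype="system" level="alert" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=10:00:03 devname="fw-edge" logid="0100032002" type="event" subtype="system" level="alert" user="fortinet" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=10:00:04 devname="fw-edge" logid="0100032002" type="event" subtype="system" level="alert" user="jsmith" ui="https(198.51.100.4)" srcip=198.51.100.4 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=10:00:06 devname="fw-edge" logid="0100032002" type="event" subtype="system" level="alert" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=10:00:09 devname="fw-edge" logid="0100032002" type="event" subtype="system" level="alert" user="backup" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=10:00:12 devname="fw-edge" logid="0100032002" type="event" subtype="system" level="alert" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=10:00:15 devname="fw-edge" logid="0100032002" type="event" subtype="system" level="alert" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-03-01 time=10:00:20 devname="fw-edge" logid="0100032001" type="event" subtype="system" level="information" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="success" reason="none"
date=2026-03-01 time=10:05:00 devname="fw-edge" logid="0100032001" type="event" subtype="system" level="information" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success" reason="none"
"""

# key=value pairs; values are either double-quoted (may contain spaces and
# parentheses, e.g. ui="https(203.0.113.7)") or a bare token (srcip=203.0.113.7).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one FortiGate log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def detect_login_abuse(lines, window=timedelta(minutes=5), threshold=5):
    """Return alerts for (a) source IPs reaching `threshold` failed admin logins
    inside `window` and (b) a successful login from an IP that still has
    failures in its window, i.e. a credential list that finally worked."""
    recent_failures = defaultdict(list)  # srcip -> [(timestamp, user), ...]
    flagged = set()                      # IPs already reported as brute-forcing
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") != "login" or "srcip" not in ev:
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        ip = ev["srcip"]
        # Keep only failures from this IP that are still inside the window.
        recent = [f for f in recent_failures[ip] if ts - f[0] <= window]
        if ev.get("status") == "failed":
            recent.append((ts, ev.get("user", "?")))
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(recent),
                               sorted({u for _, u in recent})))
        elif ev.get("status") == "success" and recent:
            # Success right after a burst of failures from the same source is
            # the signature of a reused password being hit, not a typo.
            alerts.append(("success_after_failures", ip, len(recent),
                           ev.get("user", "?")))
        recent_failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed sample this reports 203.0.113.7 as brute-forcing after its fifth failure (having tried the users admin, backup and fortinet) and then again when its login as admin succeeds; the single failure from 198.51.100.4 and the clean login from 10.0.0.5 produce nothing. The success-after-failures rule is the one worth paging on, because it identifies which account the attacker now holds.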

Fortinet's FortiGate firewalls are among the most widely deployed enterprise security appliances worldwide. A breach at the perimeter device level is particularly dangerous because firewalls sit at the network edge and typically hold credentials and configuration data, such as VPN settings, local administrator accounts and bindings to internal authentication servers, that grant access to internal infrastructure.

Why This Matters

The scale of FortiBleed — 430,000 compromised devices and a nine-figure credential haul — underscores how perimeter security appliances have become high-value targets for financially motivated threat actors. When a firewall is compromised, the attacker potentially inherits VPN configurations, administrative credentials, and a foothold inside the network, all without needing to phish a single employee.

The involvement of an IAB also raises the spectre of downstream attacks. Even if the group behind FortiBleed does not conduct ransomware operations itself, the access it sells can be repurposed by buyers with far more destructive intentions.

What Organisations Should Do

Organisations running FortiGate appliances should audit their devices for signs of compromise, bring the firmware fully up to date, and only then rotate every credential the device stores or authenticates (local administrator accounts, VPN users, LDAP or RADIUS bind accounts and IPsec pre-shared keys); rotating before the device is patched and confirmed clean simply hands the attacker the new credentials. Because the campaign begins by scanning for exposed services, management interfaces should not be reachable from the internet at all: restrict them to trusted hosts or a dedicated management network. Given the brute-force and sniffing vectors involved, strong, unique passwords and multi-factor authentication on firewall management interfaces are essential, as are account-lockout settings that make a credential-replay pipeline slow and visible. Security teams should also monitor for indicators of compromise associated with the campaign as they become available from threat intelligence providers.
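As an added example of the audit advice above (not from the original report or from Fortinet), the following Python parses a FortiOS-style configuration backup and reports the settings that a scan-then-brute-force campaign relies on: management services allowed on the WAN interface, administrator accounts without a trusted-host restriction or a second factor, a short lockout duration, and no password policy. It also shows the corrected configuration beside the weak one. Both configurations are constructed; the CLI keywords (allowaccess, trusthost1, two-factor, admin-lockout-duration, password-policy) and the defaults assumed for missing settings follow FortiOS syntax as I know it and should be checked against the CLI reference for your firmware. The numeric thresholds are the example's own, not Fortinet guidance, and the WAN check only looks at interfaces explicitly marked with `set role wan`.

```python
import shlex

# Constructed FortiOS-style config backups (not real device output). Keyword
# names and the defaults assumed for missing settings follow FortiOS CLI
# syntax as I know it; confirm them against your firmware's CLI reference.
WEAK_CONFIG = """\
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
end
config system password-policy
    set status disable
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

HARDENED_CONFIG = """\
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 600
end
config system password-policy
    set status enable
    set minimum-length 14
end
config system interface
    edit "wan1"
        set allowaccess ping
        set role wan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.10.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""


def parse_fortios(text):
    """Turn config/edit/set/next/end blocks into nested dicts, e.g.
    {'system admin': {'admin': {'accprofile': ['super_admin']}}}."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)        # honours the CLI's double-quoted values
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


MGMT_SERVICES = {"http", "https", "ssh", "telnet"}


def audit(cfg, min_lockout_seconds=300):
    """Return human-readable findings; the thresholds are this example's own."""
    findings = []
    # Management services reachable on an interface explicitly marked 'role wan'.
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(iface.get("allowaccess", []))
        if iface.get("role", ["undefined"])[0] == "wan" and exposed:
            findings.append(f"interface {name}: {', '.join(sorted(exposed))} allowed on WAN")
    # Admin accounts reachable from any source IP or without a second factor.
    for name, admin in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in admin):
            findings.append(f"admin {name}: no trusthost restriction")
        if admin.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"admin {name}: two-factor disabled")
    # Lockout too brief to slow a brute-force pipeline (assumed default 60 s).
    duration = int(cfg.get("system global", {}).get("admin-lockout-duration", ["60"])[0])
    if duration < min_lockout_seconds:
        findings.append(f"admin-lockout-duration {duration}s below {min_lockout_seconds}s")
    # No enforced password policy (assumed default: disabled).
    if cfg.get("system password-policy", {}).get("status", ["disable"])[0] != "enable":
        findings.append("password policy disabled")
    return findings


def audit_text(text):
    return audit(parse_fortios(text))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_text(text) or ["no findings"])
```

The weak configuration yields five findings and the hardened one none. The same function can be pointed at a real backup exported from the device, with one caveat: the parser nests whatever it sees, so on a multi-VDOM unit the `system interface` and `system admin` tables sit under `vdom`/`global` blocks and the lookups would need to be adjusted accordingly.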

The FortiBleed operation is a reminder that the devices organisations rely on to protect their networks can themselves become the weakest link when left unpatched or poorly configured.


According to a report by The Hacker News, a large-scale credential-theft operation named FortiBleed has stolen roughly 110 million credentials by compromising more than 430,000 FortiGate firewalls worldwide.

The operation has been active since at least February 2026 and is attributed to a primarily financially motivated, Russian-speaking initial access broker. IABs typically sell compromised network access on underground markets to other threat actors, including ransomware operators, and the huge volume of credentials stolen in this operation makes it a significant supply-side threat to organisations across every industry.

How FortiBleed Operates

The attackers follow a multi-stage playbook. First, they compile credential lists, likely sourced from earlier data breaches or infostealer logs. Next, they scan the internet for exposed FortiGate services that could serve as entry points. Using that intelligence, they deploy network sniffers together with brute-force pipelines to attack reachable firewall appliances with the collected credentials. Finally, the operation drops custom payloads on the compromised systems, although the exact nature of those payloads remains unclear from the available reporting.

FortiGate firewalls, manufactured by Fortinet, are among the most widely deployed enterprise security appliances in the world. A breach at the perimeter device level is especially dangerous because firewalls sit at the network edge and typically store credentials and configuration data that grant access to internal infrastructure.

Why This Matters

The scale of FortiBleed, 430,000 compromised devices and a nine-figure haul of credentials, highlights how perimeter security appliances have become high-value targets for financially motivated threat actors. When a firewall is compromised, the attacker potentially inherits VPN configurations, administrator credentials and a foothold inside the network, all without deceiving a single employee.

The involvement of an IAB also raises concerns about follow-on attacks. Even if the group behind FortiBleed does not run ransomware operations itself, the access it sells can be reused by buyers with far more destructive intentions.

What Organisations Should Do

Organisations running FortiGate appliances should audit their devices for signs of compromise, rotate all stored credentials and make sure the firmware is fully patched. Given the brute-force and sniffing techniques involved, enforcing strong, unique passwords and multi-factor authentication on firewall management interfaces is essential. Security teams should also monitor for indicators of compromise related to this operation as they are released by threat intelligence providers.

The FortiBleed operation is a reminder that the devices organisations rely on to protect their networks can themselves become the weakest link if left unpatched or misconfigured.

Original News Source