
FortiBleed Attack Exposes Fortinet Firewall Credentials in 194 Countries

HackRead, 17/06/2026, 16:34

Summary

AI-Generated

Key Points:

  • A newly identified campaign, dubbed "FortiBleed," is targeting Fortinet FortiGate firewalls, exposing VPN and administrator credentials across 194 countries, affecting major corporations and public sector organizations.
  • The attack has resulted in over 1.16 billion credential attempts against more than 320,000 FortiGate targets, with successful logins recorded in a verified database, potentially allowing attackers to monitor traffic and collect further credentials.
  • Organizations should immediately rotate FortiGate admin and VPN credentials, enforce MFA for external access, restrict management interfaces to trusted IPs, review logs for suspicious activity, and ensure all FortiOS devices are fully patched.

Technical Details: The attack exploits previously stolen credentials from infostealer infections and historical breaches rather than relying solely on weak passwords.
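
For the log review recommended above, this added example (not from the article or from Fortinet) flags sources that fail logins across several distinct accounts and lists any account the same source then logged in to. Replayed stolen credentials show up as that pattern rather than as many guesses against one user. The log lines are constructed, and the field names and values (`srcip`/`remip`, `action`, `status`, `tunnel-up` as a successful VPN login) are assumptions to check against your own device's export.

```python
import re
from collections import defaultdict

# Constructed sample events in FortiOS-style key=value form (not from the article).
# Field names and values (srcip/remip, action, status) are assumptions; check them
# against your own device's log export.
SAMPLE_LOG = """\
date=2026-06-17 time=03:10:01 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="alice"
date=2026-06-17 time=03:10:02 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob"
date=2026-06-17 time=03:10:04 subtype="system" action="login" status="failed" srcip=203.0.113.7 user="admin"
date=2026-06-17 time=03:10:05 subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="carol"
date=2026-06-17 time=08:59:40 subtype="vpn" action="ssl-login-fail" remip=198.51.100.20 user="dave"
date=2026-06-17 time=09:00:02 subtype="vpn" action="tunnel-up" remip=198.51.100.20 user="dave"
"""

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one key=value line; values may be quoted or bare."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def outcome(event):
    """Map an event to 'fail', 'ok', or None if it is not a login attempt."""
    action = event.get("action")
    if action == "login":  # admin login event (assumed shape)
        return "ok" if event.get("status") == "success" else "fail"
    return {"ssl-login-fail": "fail", "tunnel-up": "ok"}.get(action)

def find_credential_replay(log_text, min_users=3):
    """Report sources that failed logins on >= min_users distinct accounts,
    together with any accounts the same source logged in to successfully."""
    failed, succeeded = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        event = parse_line(line)
        source = event.get("srcip") or event.get("remip")
        result = outcome(event)
        if source and result:
            (succeeded if result == "ok" else failed)[source].add(event.get("user", "?"))
    return {
        src: {"failed_users": sorted(users), "rotate_now": sorted(succeeded[src])}
        for src, users in failed.items() if len(users) >= min_users
    }

if __name__ == "__main__":
    for src, hit in find_credential_replay(SAMPLE_LOG).items():
        print(src, hit)
```

Accounts listed under `rotate_now` are the ones to prioritise for credential rotation and session review; a user who mistypes once and then logs in (the second source in the sample) stays below the threshold.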

MITRE ATT&CK Techniques:

  • T1078 - Valid Accounts (Defense Evasion)
  • T1190 - Exploit Public-Facing Application (Initial Access)
  • T1040 - Network Sniffing (Collection)

IOCs Mentioned:

  • None mentioned
