FortiBleed: 430K+ FortiGate Firewalls Targeted in Massive Credential Harvesting Campaign
A Russian-speaking initial access broker has orchestrated a large-scale credential-harvesting operation against over 430,000 FortiGate firewalls since February 2026, potentially exposing 110 million credentials. The FortiBleed campaign combines reconnaissance, brute-force attacks, and custom malware deployment to compromise critical network infrastructure.
TL;DR
- FortiBleed targets 430,000+ FortiGate firewalls globally in credential harvesting operation active since Feb 2026
- Russian-speaking IAB uses reconnaissance, brute-forcing, and bespoke malware to gain initial access to perimeter devices
- Campaign has harvested approximately 110 million credentials from compromised systems
- FortiGate firewalls are high-value targets for attackers seeking network access and lateral movement capabilities
- Organizations should prioritize patching, credential rotation, and network segmentation for firewall infrastructure
A financially motivated Russian-speaking initial access broker has launched one of the largest credential-harvesting campaigns targeting network infrastructure, focusing specifically on FortiGate firewalls. The operation, tracked as FortiBleed, has been active since February 2026 and has successfully compromised over 430,000 firewall instances worldwide, resulting in the harvesting of approximately 110 million credentials.
The campaign employs a methodical multi-stage approach: attackers first identify exposed FortiGate services through reconnaissance, then conduct large-scale brute-force attacks against accessible systems, and finally deploy custom malware to establish persistent access. FortiGate firewalls represent high-value targets because they sit at network perimeters and provide attackers with potential pathways for lateral movement and deeper infrastructure compromise.
This incident underscores the critical importance of securing network edge devices and implementing robust credential management practices across enterprise infrastructure.
Attack Methodology and Scale
- FortiBleed targets exposed FortiGate firewall instances through systematic reconnaissance and service enumeration
- Attackers employ brute-force credential attacks against accessible management interfaces
- Custom malware is deployed post-compromise to establish persistence and enable further network exploitation
- Campaign has successfully harvested 110 million credentials from 430,000+ compromised firewalls
- Operation demonstrates coordinated, large-scale infrastructure targeting typical of professional IAB operations
Risk and Defensive Recommendations
- Compromised firewall credentials enable attackers to modify security policies and bypass perimeter controls
- Network edge devices provide attackers with strategic positions for lateral movement and data exfiltration
- Organizations should prioritize patching FortiGate systems and rotating all administrative credentials
- Implement network segmentation to limit blast radius if firewall credentials are compromised
- Deploy multi-factor authentication on all firewall management interfaces to reduce brute-force effectiveness
- Monitor firewall logs for unusual administrative access patterns and policy modifications
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.