r/u_socradario

Introducing FortiBleed!
▲ 14 r/u_socradario+5 crossposts

Introducing FortiBleed!

The SOCRadar Threat Research team just uncovered a staggering, active hacking campaign exposing over 30,000 verified Fortinet firewall credentials.

Here is the damage report:

🌍 Global Reach: 194 countries affected, with the US sitting at the #2 most targeted spot.

🏦 High-Value Targets: The victim roster includes major banks, telecom giants, and government agencies.

🛠️Full Visibility: We tracked the entire operation—the attacker infrastructure, the tools, and the complete victim list.

⚠️ Status: STILL active as of this publication.

Don't wait for an incident to react. Dive into the full discovery, grab the IoCs, and take immediate steps to mitigate the risk and strengthen your posture.

Read the full FortiBleed breakdown here: https://socradar.io/blog/fortibleed-fortinet-firewalls-compromised/

#ThreatIntelligence #Fortinet #CyberSecurity #InfoSec #SOCRadar

u/socradario — 7 days ago
▲ 17 r/u_socradario+7 crossposts

Dismantling FortiBleed: We found the Russian operation turning FortiGate firewalls into passive credential vacuums (110M+ creds harvested) 🚨

If you manage Fortinet gear, grab a coffee. You're going to need it. ☕

Our Threat Research team just published a massive teardown of a Russian compromise operation we’re tracking as FortiBleed. Active since at least February 2026, these threat actors aren't just doing simple smash-and-grabs—they’ve built a highly automated, industrialized credential-harvesting machine.

There is a special kind of irony when your firewall is the exact thing stealing your data. Here is the TL;DR of what we found under the hood:

  1. The Weapon: A custom Golang tool called "FortigateSniffer". It literally turns compromised firewalls into passive collectors, sniffing traffic across 24 different authentication protocols.
  2. The Scale: Over 430,000 FortiGate firewalls targeted. They ran 659+ harvest cycles, exposing over 110 million credentials (including RADIUS, NTLM, and Kerberos material).
  3. The Infrastructure:They aren't playing around. We mapped an isolated Kali VM lab, Hashtopolis and Hashcat GPU clusters, and rented vast(.)ai capacity used to crack hashes at scale.
  4. The Victims: The dominant profile is IT services and SMBs (under 200 employees), but they also successfully breached and exfiltrated DFS data from a NATO-aligned defense contractor.

We’ve broken down the complete 5-stage attack chain—from initial recon and brute-force to harvesting, cracking, and exfiltration.

We also dropped all the IoCs and defensive recommendations so you can set up timely alerts and mitigate risks before your network becomes a statistic.

Dive into the full teardown to help strengthen your security posture: https://hubs.la/Q04mc0fJ0

Stay sharp out there. Let us know what you think of the attack chain in the comments. 👇

reddit.com
u/socradario — 14 days ago