FortiBleed Campaign Verifies 86,644 Active Fortinet Credentials via 1.16 Billion Brute-Force Attempts
FortiBleed demonstrates systematic brute-force collection and validation of 86k Fortinet credentials, enabling Active Directory pivots at government and infrastructure sites. The campaign highlights unrotated credentials and exposed management interfaces as persistent failure modes across edge infrastructure. CISA hardening guidance addresses the symptoms but not the underlying enumeration volume.
The operation, tracked as FortiBleed, began with 1.16 billion credential attempts against FortiGate SSL VPN endpoints and expanded to 2.1 billion MSSQL brute-force tries. SOCRadar mapped the resulting database to 194 countries, covering roughly half of all Shodan-indexed Fortinet devices. Kevin Beaumont and Hudson Rock independently confirmed recent validity through direct organization outreach, exposing the persistence of unrotated credentials from prior breaches. Bob Diachenko identified the actor's post-compromise path: SSL VPN interception, hash cracking, and lateral movement into Active Directory environments at government and critical infrastructure targets. Huntress cross-referenced the IP list and flagged 845 partner organizations already impacted.
This campaign fits a documented pattern of edge-device credential harvesting that bypasses perimeter controls without needing zero-days. Similar operations have targeted other network appliances where default or legacy authentication remains exposed. The scale indicates systematic enumeration rather than opportunistic access, with verified pivots already occurring at multiple sites. CISA's advisory emphasizes PBKDF2 enforcement, MFA, and management-interface restrictions, yet the data shows these controls were absent on the majority of affected devices.
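The enumeration volume the article describes is visible in a FortiGate's own SSL VPN event stream long before a credential is validated. As an added example (not code from the article or from any vendor named in it), the following flags a source IP once login failures inside a sliding window reach a threshold and marks many distinct usernames from one address as a spray; the field names follow FortiGate's key=value event format, but the log lines are constructed samples, and the window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate-style key=value syntax (not real telemetry).
SAMPLE_LOGS = """\
date=2024-07-10 time=08:00:01 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.7 user="admin" reason="sslvpn_login_permission_denied"
date=2024-07-10 time=08:00:03 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.7 user="svc_backup" reason="sslvpn_login_unknown_user"
date=2024-07-10 time=08:00:05 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.7 user="jsmith" reason="sslvpn_login_permission_denied"
date=2024-07-10 time=08:00:07 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.7 user="vpnuser" reason="sslvpn_login_unknown_user"
date=2024-07-10 time=08:00:09 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.7 user="test" reason="sslvpn_login_unknown_user"
date=2024-07-10 time=08:05:00 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=203.0.113.7 user="guest" reason="sslvpn_login_unknown_user"
date=2024-07-10 time=08:10:00 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.4 user="mlee" reason="sslvpn_login_permission_denied"
date=2024-07-10 time=08:10:20 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" remip=198.51.100.4 user="mlee"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict; quoted and bare values both handled."""
    return {k: q or u for k, q, u in KV_RE.findall(line)}

def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=5):
    """Per source IP, find the densest burst of SSL VPN login failures inside `window`.
    Returns {remip: {"failures": n, "distinct_users": m, "spray": bool}} for IPs whose
    burst reaches `threshold`; several distinct users from one IP is treated as a spray."""
    failures = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f.get("action") != "ssl-login-fail":
            continue
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        failures[f["remip"]].append((ts, f.get("user", "")))
    findings = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= threshold and len(burst) > findings.get(ip, {}).get("failures", 0):
                users = {u for _, u in burst}
                findings[ip] = {"failures": len(burst), "distinct_users": len(users), "spray": len(users) > 1}
    return findings

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOGS.splitlines()).items():
        print(ip, info)
```

The benign address with two failures minutes apart is not flagged, while the spraying address is reported with its burst size and distinct-user count; feed real `ssl-login-fail` events from the device's event log export in place of the sample.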
Continued monitoring of credential dumps and Shodan telemetry will reveal whether operators expand to additional appliance vendors or shift focus to ransomware deployment on compromised perimeters.
Hudson Rock: At least 5,000 additional Fortinet devices from the current dump will appear in new ransomware incidents within 120 days.
Sources (2)
- [1] [Primary Source](https://www.securityweek.com/fortibleed-86000-fortinet-device-credentials-compromised/)
- [2] [CISA Alert AA24-193A](https://www.cisa.gov/news-events/alerts/2024/07/11/fortibleed-campaign-targeting-fortinet-devices)