
FortiBleed Exposes Global Credential-Spraying Operation


FortiBleed exposed a massive campaign that made billions of login attempts against Fortinet VPNs, compromising organizations worldwide.

FortiBleed wasn’t a targeted hack. It was a factory. A multi-operator crew ran an industrial-scale attack against Fortinet FortiGate SSL VPN devices worldwide, and security researcher Volodymyr “Bob” Diachenko of SecurityDiscovery.com caught them only because they left their own infrastructure exposed on the open internet in June 2026.

“The crew mass-scans 320,777 FortiGate /remote/login endpoints and more than 247,000 Sophos /userportal endpoints. FortiGate logins are then sprayed with 3,639 base credential pairs across every target, 1.16 billion combinations in total, through a custom tool called forticheck running 25,000 threads.” reads the report published by Ransomnews.

A parallel campaign hit 163,650 Microsoft SQL Server (MSSQL) instances with 2.1 billion login attempts at 50,000 threads. That's not espionage; that's automation.
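The spray pattern the report describes, a fixed list of credential pairs tried once against every account from a small set of sources, looks different in FortiGate event logs from classic brute force against one account. The following Python is an added example written for this page, not code from Ransomnews, SecurityDiscovery.com or Fortinet; the log lines are constructed in the style of FortiOS "SSL VPN login fail" events (made-up users and addresses), and the window and thresholds are assumptions to tune per environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of FortiOS SSL VPN event logs (not real captures).
# 203.0.113.5 sprays one guess each across many accounts, 198.51.100.7 hammers a
# single account, and 192.0.2.9 is a user who mistyped a password once.
SAMPLE_LOGS = """\
date=2026-06-10 time=10:15:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=203.0.113.5 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-10 time=10:15:02 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.5 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-10 time=10:15:02 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.5 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-10 time=10:15:03 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=203.0.113.5 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-10 time=10:15:04 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip=203.0.113.5 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-10 time=10:15:05 type="event" subtype="vpn" action="ssl-login-fail" user="erin" remip=203.0.113.5 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-10 time=10:15:06 type="event" subtype="vpn" action="ssl-login-fail" user="test" remip=203.0.113.5 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-10 time=10:20:00 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=198.51.100.7 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-10 time=10:20:10 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=198.51.100.7 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-10 time=10:20:20 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=198.51.100.7 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-10 time=10:20:30 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=198.51.100.7 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-10 time=10:20:40 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=198.51.100.7 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-10 time=10:30:00 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=192.0.2.9 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-10 time=10:30:05 type="event" subtype="vpn" action="tunnel-up" user="carol" remip=192.0.2.9 msg="SSL tunnel established"
"""

# key=value pairs; quoted values may contain spaces, bare values run to the next space
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split one FortiOS key=value log line into a dict and attach a datetime."""
    fields = {k: (quoted or bare) for k, quoted, bare in KV.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def detect(lines, window=timedelta(minutes=10), spray_users=5,
           spray_max_per_user=2, brute_attempts=4):
    """Classify each source IP's SSL VPN login failures as spray, brute force, or noise.

    A sliding window of `window` is kept per source. Many distinct users with at most
    `spray_max_per_user` failures each is a password spray; `brute_attempts` or more
    failures against one user is brute force. Thresholds are assumptions.
    """
    failures = [e for e in map(parse_line, filter(str.strip, lines))
                if e.get("action") == "ssl-login-fail"]
    by_src = defaultdict(list)
    for e in failures:
        by_src[e["remip"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()          # user -> failures inside the current window
        left = 0
        peak_distinct = peak_single = 0
        for e in evs:
            in_window[e["user"]] += 1
            while e["ts"] - evs[left]["ts"] > window:   # slide the left edge forward
                old = evs[left]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak_distinct = max(peak_distinct, len(in_window))
            peak_single = max(peak_single, max(in_window.values()))
        if peak_distinct >= spray_users and peak_single <= spray_max_per_user:
            findings.append({"src": src, "kind": "password-spray",
                             "distinct_users": peak_distinct, "attempts": len(evs)})
        elif peak_single >= brute_attempts:
            top_user = Counter(e["user"] for e in evs).most_common(1)[0][0]
            findings.append({"src": src, "kind": "brute-force",
                             "user": top_user, "attempts": len(evs)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS.splitlines()):
        print(finding)
```

Run against a FortiAnalyzer or syslog export of `subtype="vpn"` events. The spray source trips the rule on distinct users, not volume, which is the point: a crew that spreads 3,639 pairs across 320,000 devices may only touch any one firewall a few times per account, so per-account lockout counters never fire.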

Once they had a foothold on reachable infrastructure, they dropped network sniffers to harvest cleartext credentials from HTTP, FTP, SMTP, LDAP and other protocols.

“Once inside reachable infrastructure, the operators drop network sniffers that scrape cleartext credentials out of HTTP, FTP, SMTP, POP3, IMAP, LDAP, SNMP, and Telnet traffic.” states the report. “Intercepted Kerberos and NTLM hashes are shipped to a 45-way NVIDIA RTX 4090 cracking cluster orchestrated through Hashtopolis.”

With cracked credentials in hand, and with captured session cookies replayed through OpenConnect to hijack live VPN sessions, they walked straight into Active Directory. Standard looting from there: AD dumps, fileshare exfiltration, Kerberos tickets, Group Policy templates.

The operators are organised. They work from Kali Linux virtual machines behind NAT so their command server never touches a victim's Active Directory directly. Targets are ranked by revenue using open-source intelligence, with a top tier of companies above 113 billion dollars. Multiple operators work the same machines at once, coordinating over shared terminal sessions. The hash-cracking server, tellingly, was left running on default credentials, the same mistake they exploit in victims.

At least four organisations were fully compromised, across Japan, Taiwan, Vietnam, Iraq, and Turkey. The most serious claim involves a Turkish defence contractor with NATO ties whose classified defence documents were exfiltrated. Ransomnews hasn’t independently verified those contents and treats the attribution as the investigator’s assessment, not confirmed fact.

The working dataset covers 73,932 exposed FortiGate devices across 21,613 organisations in 207 countries. India leads on raw volume, and Latin American telecoms carry the densest device fleets. IT services, telecoms, financial services, and government are the most exposed sectors.

“In a random sample of exposed organisations, 88% also appeared in stealer-log or breach data and 38% had staff with active infostealer infections. Around 590 are already named on ransomware leak sites.” concludes the report. “An exposed FortiGate is rarely an isolated problem. It is one visible symptom of an organisation attackers have already found more than once.”

An exposed FortiGate isn’t a standalone problem. It’s a sign that attackers have already found the organisation more than once.

If you run FortiGate, take the management interface and SSL VPN off the public internet wherever possible. Rotate every administrator and local credential, upgrade FortiOS, and invalidate active VPN sessions so replayed cookies stop working. Reset exposed employee credentials too, not just the firewall accounts, because the infostealer overlap is too high to ignore.
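The FortiOS CLI below puts that advice into effect on a single device. It is an added example for this page, not configuration from the article, the researchers or Fortinet: the interface name, the admin subnet, the allowed-source address object, the user name, the placeholder passwords and the session index are assumptions for illustration, and the upgrade itself is left to the normal firmware process.

```fortios
# Added example (assumptions: wan1 is the internet-facing interface, 10.10.0.0/24 is
# the management network, 198.51.100.0/24 is a branch range, "alice" is a local user).

# 1. Management off the internet: wan1 answers ping only, no HTTPS/SSH admin access.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# 2. Rotate the admin password and restrict admin logins to the management subnet.
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set password <new-long-random-password>
    next
end

# 3. Rotate local VPN accounts too (repeat per user); these are what get sprayed.
config user local
    edit "alice"
        set passwd <new-long-random-password>
    next
end

# 4. SSL VPN: non-default port, one interface, and only from known source ranges.
config firewall address
    edit "SSLVPN-ALLOWED-SRC"
        set subnet 198.51.100.0 255.255.255.0
    next
end
config vpn ssl settings
    set source-interface "wan1"
    set source-address "SSLVPN-ALLOWED-SRC"
    set port 10443
end

# 5. Lockouts for user and admin authentication (threshold in attempts, duration in seconds).
config user setting
    set auth-lockout-threshold 3
    set auth-lockout-duration 300
end
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 600
end

# 6. Kill live SSL VPN sessions so replayed cookies stop working: list them, then
#    drop each tunnel and web session by the index the list shows (1 is a placeholder).
execute vpn sslvpn list
execute vpn sslvpn del-tunnel 1
execute vpn sslvpn del-web 1
```

Order matters: rotate credentials and invalidate sessions after the upgrade, not before, or a session hijacked during the maintenance window survives it. If the VPN cannot be restricted to known source addresses, the lockout settings in step 5 still do little against a spray that touches each account once; the detection has to come from the logs, not the counters.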

The researchers also released a FortiBleed Checker that lets administrators check their own domains.


Pierluigi Paganini

(SecurityAffairs – hacking, FortiBleed)