{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/fortios/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[
{"_cs_actors":["Russian-speaking threat group"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FortiGate","FortiOS"],"_cs_severities":["critical"],"_cs_tags":["credential-theft","fortigate","fortios","state-sponsored","espionage","data-exfiltration","russian-speaking","critical-infrastructure","government"],"_cs_type":"threat","_cs_vendors":["Fortinet"],"content_html":"\u003cp\u003eA Russian-speaking threat group has been attributed to the \u0026quot;FortiBleed\u0026quot; campaign, which centers on a dataset of valid administrative and SSL VPN credentials for approximately 73,932 Fortinet FortiGate firewalls across 194 countries and over 21,600 domains. Disclosed on June 13, 2026, by researcher Volodymyr Diachenko, the campaign relies on credentials likely obtained from exported FortiGate configuration files and from active credential harvesting against FortiGate and MSSQL systems. The threat group used a 45-GPU cluster for offline hash cracking, and the recovered credentials gave it access to sensitive internal networks, including those of governments, critical infrastructure operators, and multinational corporations. The scope and verified authenticity of the credentials make this a high-priority incident: many affected devices remain online and internet-exposed, so espionage and data exfiltration are an immediate rather than hypothetical threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting \u0026amp; Exposure\u003c/strong\u003e: Threat actors assembled a dataset of FortiGate administrative and SSL VPN credentials, likely sourced from exposed FortiGate configuration files and from credentials captured during large-scale authentication attempts (1.16 billion recorded against FortiGate, 2.1 billion against MSSQL).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOffline Credential Cracking\u003c/strong\u003e: A 45-GPU cluster managed through Hashtopolis was used to crack the collected SSL VPN authentication hashes, recovering plaintext administrative and VPN credentials. Because the cracking runs on attacker hardware, it generates no events on the victim devices.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access with Valid Accounts\u003c/strong\u003e: Using the recovered plaintext credentials, threat actors authenticated to FortiGate management interfaces and, through the SSL VPN, to internal networks and Active Directory environments. These are ordinary successful logins; only the source address, the timing, and the activity that follows distinguish them from legitimate use.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement \u0026amp; Discovery\u003c/strong\u003e: Once inside, attackers ran Active Directory and LDAP enumeration scripts (e.g., \u003ccode\u003ead_enum.py\u003c/code\u003e, \u003ccode\u003ead_full_audit.py\u003c/code\u003e) and password-spraying tools (\u003ccode\u003espray_*.sh\u003c/code\u003e, \u003ccode\u003espray_*.py\u003c/code\u003e) to expand their access and identify further targets and sensitive data within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection \u0026amp; Staging\u003c/strong\u003e: SMB/DFS collection scripts (e.g., \u003ccode\u003ebackup_dfs.py\u003c/code\u003e, \u003ccode\u003espider.py\u003c/code\u003e) were used to locate and gather sensitive data across the network, potentially staging it for exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration\u003c/strong\u003e: Classified documents and other sensitive information were exfiltrated from compromised organizations, including a Turkish NATO defense contractor.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion\u003c/strong\u003e: Threat actors employed log-clearing markers to remove traces of their activity from compromised systems, hindering detection and forensic analysis.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe FortiBleed campaign has exposed credentials for 73,932 FortiGate firewall URLs across 194 countries and over 21,600 domains. Verified compromises include organizations in the government, telecommunications, financial services, healthcare, manufacturing, and critical infrastructure sectors, with reported impacts in Japan, Taiwan, Vietnam, Iraq, and Türkiye. A Turkish NATO defense contractor suffered exfiltration of classified documents, highlighting the potential for state-sponsored espionage. Because the hashes were cracked offline, the theft of the credentials left no trace on the victims' devices; the first observable event is a successful login with valid credentials, which looks like routine administrative or VPN activity unless the source address, the time of day, or follow-on configuration changes are scrutinized. Continued online exposure of affected devices with verified credentials poses an ongoing, severe risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRotate all FortiGate administrative and SSL VPN credentials immediately, starting with devices identified as exposed. Where a configuration export is suspected, treat every secret stored in that configuration (LDAP and RADIUS bind passwords, IPsec pre-shared keys, local user passwords, SNMP communities) as compromised and rotate those as well; rotating only the admin password leaves the rest of the exported configuration usable.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) on all FortiGate remote and administrative access points so that a recovered password alone is not sufficient to log in.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Malicious IP in Network Connections\u0026quot; to alert on traffic involving \u003ccode\u003e85.11.187.8\u003c/code\u003e, and block that address at the network perimeter; the rule detects, blocking is a separate firewall control.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Execution of AD/Credential Enumeration Scripts\u0026quot; on Windows endpoints to alert on post-exploitation activity involving \u003ccode\u003ead_enum.py\u003c/code\u003e or similar scripts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Creation/Modification of FortiBleed Attack Tools\u0026quot; to monitor file-system activity for attacker tools such as \u003ccode\u003efg_capture.log\u003c/code\u003e or \u003ccode\u003ebot.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview FortiGate event logs for successful administrative and SSL VPN logins from unfamiliar source addresses or at unusual hours, administrative sessions that follow such logins, configuration changes, and newly created administrator accounts. A login with stolen credentials produces the same event as a legitimate one, so the source address and the surrounding context are the discriminators.\u003c/li\u003e\n\u003cli\u003eRestrict or remove internet exposure of FortiGate management interfaces, for example by limiting administrative access to trusted hosts and removing HTTPS and SSH administrative access from WAN-facing interfaces, to reduce the attack surface.\u003c/li\u003e\n\u003cli\u003ePatch FortiOS to the latest available version to address any underlying vulnerabilities that might have facilitated configuration file exposure.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2026-06-19T14:46:20Z","date_published":"2026-06-19T14:46:20Z","id":"https://feed.craftedsignal.io/briefs/2026-06-fortibleed-credentials-leak/","summary":"A Russian-speaking threat group used a large dataset of administrative and VPN credentials, likely sourced from exposed FortiGate configuration files and active credential harvesting, to access government, critical infrastructure, and multinational corporate networks, resulting in widespread data exfiltration.","title":"FortiBleed Campaign: 73,932 FortiGate Systems Credentials Exposed","url":"https://feed.craftedsignal.io/briefs/2026-06-fortibleed-credentials-leak/"},
{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FortiOS"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","fortinet","fortios"],"_cs_type":"advisory","_cs_vendors":["Fortinet"],"content_html":"\u003cp\u003eA vulnerability in Fortinet FortiOS allows an authenticated remote attacker to escalate their privileges. The source does not provide specific details of the vulnerability, but the impact is an attacker gaining elevated access within the affected FortiOS system, which could lead to unauthorized access to sensitive data, modification of the system configuration, or other malicious activity. 
Defenders should prioritize patching and apply FortiOS hardening best practices to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the FortiOS device with valid credentials (e.g., a compromised account, a default password, or a brute-force attack).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a privilege escalation vulnerability in the FortiOS software.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request or command that exploits the vulnerability and sends it to the FortiOS device.\u003c/li\u003e\n\u003cli\u003eThe vulnerable FortiOS component processes the request without properly validating or sanitizing the input.\u003c/li\u003e\n\u003cli\u003eThe attacker's privileges are elevated, granting higher-level access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to access sensitive data, modify the system configuration, or install malicious software.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence and continues to exploit the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete compromise of the FortiOS device. An attacker with elevated privileges can read the sensitive network configuration, intercept traffic, and potentially pivot to other systems on the network. The number of victims and the sectors targeted are unknown, but the impact on an affected organization could be significant, including data breaches, service disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest FortiOS patches and updates from Fortinet to address this vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies for all FortiOS accounts, and assign each administrator the least-privileged access profile the role requires, so that a compromised low-privilege account has less to escalate from.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all FortiOS administrative accounts.\u003c/li\u003e\n\u003cli\u003eDeploy the associated Sigma rule to detect potential privilege escalation attempts on FortiOS devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T08:49:55Z","date_published":"2026-05-13T08:49:55Z","id":"https://feed.craftedsignal.io/briefs/2026-05-fortios-privesc/","summary":"An authenticated remote attacker can exploit a vulnerability in Fortinet FortiOS to escalate their privileges.","title":"Fortinet FortiOS Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-fortios-privesc/"}
],"language":"en","title":"CraftedSignal Threat Feed - FortiOS","version":"https://jsonfeed.org/version/1.1"}
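The log-review items in the FortiBleed brief above (the first item in the feed) as runnable triage code: the IOC address, successful administrative logins from outside the trusted management network, administrator-account creation and other configuration changes on the FortiGate, and the attack-tool file names on endpoints. This is an added example, not code from the feed, from the researcher, or from Fortinet. The event lines are constructed to mimic FortiOS key=value event logs and generic process-creation telemetry; the FortiOS field names (logid, subtype, action, status, srcip, remip, cfgpath, cfgobj) are assumed to match what the deployment actually emits, and the trusted network 10.20.0.0/16 is a placeholder.

```python
"""Triage helpers for the FortiBleed review items. Added example: the event
lines are constructed and the FortiOS field names are assumptions, not taken
from the feed or from Fortinet documentation."""
import fnmatch
import ipaddress
import re

# Indicator of compromise named in the brief.
IOC_IPS = {"85.11.187.8"}

# Assumption: administrative logins are only expected from this management
# network. Replace with the deployment's real trusted-host ranges.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Attack-tool file names from the brief, as glob patterns on the basename.
TOOL_PATTERNS = ("ad_enum.py", "ad_full_audit.py", "spray_*.sh", "spray_*.py",
                 "backup_dfs.py", "spider.py", "fg_capture.log", "bot.py")

# FortiOS event logs are key=value pairs; values with spaces are double-quoted.
# Quoted values that themselves contain '=' are not expected and not handled.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line):
    """Parse one FortiOS-style key=value log line into a dict (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def _trusted(src):
    """True if src is a valid IP address inside one of the trusted admin networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def triage_fortigate(lines):
    """Return (finding, subject, user) tuples for the review items in the brief."""
    findings = []
    for line in lines:
        ev = parse_kv(line)
        # Admin logins carry srcip; SSL VPN events carry the client as remip (assumed).
        src = ev.get("srcip") or ev.get("remip", "")
        user = ev.get("user", "")
        action = ev.get("action", "")
        if src in IOC_IPS:
            findings.append(("ioc_ip", src, user))
        # A stolen password produces a normal successful login; the source is the tell.
        if (ev.get("subtype") == "system" and action == "login"
                and ev.get("status") == "success" and not _trusted(src)):
            findings.append(("admin_login_untrusted", src, user))
        if ev.get("cfgpath") == "system.admin" and action == "Add":
            findings.append(("admin_account_created", ev.get("cfgobj", ""), user))
        elif "cfgpath" in ev:
            findings.append(("config_change", ev["cfgpath"], user))
    return findings


def match_tool_names(process_events):
    """Flag process-creation events whose command line references a tool name
    from the brief; matching is on the basename of each command-line token."""
    hits = []
    for ev in process_events:
        for token in ev["command_line"].split():
            name = token.replace("\\", "/").rsplit("/", 1)[-1]
            if any(fnmatch.fnmatchcase(name, pat) for pat in TOOL_PATTERNS):
                hits.append((ev["host"], name))
                break
    return hits


# Constructed sample telemetry (not real logs): an admin login from the IOC
# address, a new admin account, admin access opened on wan1, a normal login
# from the management network, and an SSL VPN tunnel from the IOC address.
SAMPLE_FGT_LOGS = [
    'date=2026-06-14 time=02:11:07 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(85.11.187.8)" '
    'srcip=85.11.187.8 dstip=203.0.113.10 action="login" status="success" profile="super_admin"',
    'date=2026-06-14 time=02:13:40 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(85.11.187.8)" '
    'action="Add" cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"',
    'date=2026-06-14 time=02:15:02 logid="0100044547" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(85.11.187.8)" '
    'action="Edit" cfgpath="system.interface" cfgobj="wan1" cfgattr="allowaccess[ping->ping https ssh]"',
    'date=2026-06-14 time=09:02:15 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(10.20.0.5)" '
    'srcip=10.20.0.5 dstip=10.20.0.1 action="login" status="success" profile="super_admin"',
    'date=2026-06-14 time=02:20:01 logid="0101039947" type="event" subtype="vpn" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" user="jsmith" '
    'remip=85.11.187.8 msg="SSL tunnel established"',
]

SAMPLE_PROCESS_EVENTS = [
    {"host": "WS-0412", "command_line": "python3 /tmp/.cache/ad_enum.py -d corp.local"},
    {"host": "WS-0412", "command_line": "bash /tmp/.cache/spray_ldap.sh users.txt"},
    {"host": "SRV-FS01", "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for finding in triage_fortigate(SAMPLE_FGT_LOGS):
        print("fortigate", *finding)
    for hit in match_tool_names(SAMPLE_PROCESS_EVENTS):
        print("endpoint", *hit)
```

On the sample input the FortiGate pass reports the IOC-sourced admin login twice (once as an IOC hit, once as an untrusted admin login), the new `system.admin` object, the `system.interface` edit, and the VPN tunnel from the IOC address, while the login from 10.20.0.5 is silent; the endpoint pass flags `ad_enum.py` and `spray_ldap.sh` and ignores the ordinary `svchost.exe` launch. In production the trusted networks should come from the device's own trusted-host configuration rather than a hard-coded list, and the lines would be read from syslog or FortiAnalyzer exports.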