Tag
FortiBleed Campaign: 73,932 FortiGate Systems Credentials Exposed
3 rules 9 TTPs 1 IOCA Russian-speaking threat group utilized a large dataset of administrative and VPN credentials, likely sourced from exposed FortiGate configuration files and active credential harvesting, to access government, critical infrastructure, and multinational corporate networks, resulting in widespread data exfiltration.
First-Time FortiGate Administrator Login Detected
2 rules 1 TTPA user with the Administrator role has successfully logged in to the FortiGate management interface for the first time within the last 5 days, potentially indicating unauthorized access or misconfiguration.
KRVTZ-NET IDS Alerts Analysis: Network Scanning and Exploitation Attempts
3 rules 4 TTPsMultiple IDS alerts indicate potential network reconnaissance, vulnerability exploitation attempts targeting Fortigate VPN (CVE-2023-27997), and ColdFusion servers originating from various IP addresses on March 13, 2026.
Fortigate VPN CVE-2023-27997 Exploitation Attempt
2 rules 1 TTPIDS alerts indicate a potential exploitation attempt against a Fortigate VPN server using CVE-2023-27997, characterized by repeated GET requests to the /remote/logincheck endpoint originating from a specific IPv6 address.
Fortigate VPN Exploit Attempt via CVE-2023-27997 and Suspicious User-Agent
3 rules 2 TTPsMultiple IDS alerts indicate potential exploitation attempts against Fortigate VPN servers using CVE-2023-27997, alongside traffic from a suspicious user agent, possibly indicating reconnaissance or exploit activity.