The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised organizations to strengthen the security of internet-facing Fortinet devices following the discovery of a large-scale credential theft operation that may affect more than 86,000 firewalls and VPN systems.
The campaign, known as FortiBleed, was first brought to light earlier this week. Cybersecurity firm SOCRadar initially reported that over 30,000 Fortinet devices had been compromised, potentially putting enterprise networks at risk. The company has since revised its estimate, indicating that more than 86,000 devices may be impacted.
“Discovered in June 2026, the operation has produced a verified database of over 86,644 confirmed working credentials across 194 countries, all collected from internet-facing Fortinet infrastructure,” the company says.
According to researchers, threat actors compiled a large database of usernames and passwords and validated them using automated testing tools. Many of the exposed credentials are believed to have originated from previous security incidents and were never updated or revoked.
Security researcher Kevin Beaumont, in collaboration with Hudson Rock, worked with several affected organizations and confirmed that many of the credentials remain active and recently used.
“The data comprises roughly 50% of all Fortinet firewall devices facing the internet, based on polling from Shodan,” Beaumont says.
Further investigation by security researcher Bob Diachenko suggests that a Russian-speaking threat actor is behind the campaign. Reports indicate that at least four organizations have already experienced complete network compromise.
“They intercept SSL VPN authentication, crack hashes on a 45-GPU cluster managed via Hashtopolis, and pivot into internal Active Directory environments,” Diachenko says.
Researchers estimate that the attackers carried out approximately 1.16 billion credential-stuffing attempts against more than 320,000 FortiGate devices. Additionally, around 2.1 billion brute-force login attempts were directed at over 160,000 Microsoft SQL (MSSQL) servers.
Hudson Rock noted that thousands of organizations have been affected, “including major government entities and critical infrastructure providers”.
Cybersecurity company Huntress also highlighted the scale of the incident. “While the overall campaign is massive, Huntress has cross-referenced the listed IP addresses against their own data corpus and identified 845 partner organizations specifically impacted by this credential dump.”
In response to the growing threat, CISA released an advisory on Thursday urging Fortinet customers to take immediate action. Recommended measures include terminating active user sessions, resetting passwords, adopting the Password-Based Key Derivation Function 2 (PBKDF2) algorithm for storing administrator credentials, reviewing logs for suspicious activity, enabling phishing-resistant multi-factor authentication (MFA), and restricting management access to minimize exposure and reduce the attack surface.
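The "review logs for suspicious activity" step above is the one most teams will have to script. The following is an added example for this article, not code from CISA, Fortinet, SOCRadar, Hudson Rock or Huntress: it parses FortiGate-style key="value" event lines and flags the three patterns a credential-stuffing campaign like this one leaves behind (one source testing many accounts, one account tested from many sources, and a successful login from a source that had just been failing, which is the signal that a leaked credential has been validated and used). The log lines are constructed, and the field names and action values (`remip`, `ui`, `ssl-login-fail`, `ssl-login`, `status`) are assumptions modelled on FortiGate's layout rather than a verified FortiOS schema; adjust them to your own device's output.

```python
"""Triage FortiGate-style auth logs for credential-stuffing indicators.

Added example (not vendor or researcher code). Field names, action values
and all sample lines are constructed assumptions, not verified FortiOS output.
"""
import re
from collections import defaultdict

# Constructed sample: six accounts tried from one address, then one of them
# succeeds; one service account tried from five addresses; one admin failure
# over SSH; a clean login; and a traffic record that must be ignored.
SAMPLE_LOGS = [
    'date=2026-06-03 time=01:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=203.0.113.10',
    'date=2026-06-03 time=01:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.10',
    'date=2026-06-03 time=01:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=203.0.113.10',
    'date=2026-06-03 time=01:00:04 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip=203.0.113.10',
    'date=2026-06-03 time=01:00:05 type="event" subtype="vpn" action="ssl-login-fail" user="erin" remip=203.0.113.10',
    'date=2026-06-03 time=01:00:06 type="event" subtype="vpn" action="ssl-login-fail" user="frank" remip=203.0.113.10',
    'date=2026-06-03 time=01:00:30 type="event" subtype="vpn" action="ssl-login" user="erin" remip=203.0.113.10',
    'date=2026-06-03 time=01:05:00 type="event" subtype="vpn" action="ssl-login-fail" user="svc_backup" remip=198.51.100.21',
    'date=2026-06-03 time=01:05:01 type="event" subtype="vpn" action="ssl-login-fail" user="svc_backup" remip=198.51.100.22',
    'date=2026-06-03 time=01:05:02 type="event" subtype="vpn" action="ssl-login-fail" user="svc_backup" remip=198.51.100.23',
    'date=2026-06-03 time=01:05:03 type="event" subtype="vpn" action="ssl-login-fail" user="svc_backup" remip=198.51.100.24',
    'date=2026-06-03 time=01:05:04 type="event" subtype="vpn" action="ssl-login-fail" user="svc_backup" remip=198.51.100.25',
    'date=2026-06-03 time=01:06:00 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="ssh(198.51.100.7)" action="login" status="failed"',
    'date=2026-06-03 time=01:07:00 type="event" subtype="vpn" action="ssl-login" user="grace" remip=192.0.2.5',
    'date=2026-06-03 time=01:08:00 type="traffic" subtype="forward" srcip=10.0.0.8 dstip=10.0.0.9 action="accept"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
UI_IP_RE = re.compile(r"\(([^)]+)\)")  # ui="ssh(1.2.3.4)" -> 1.2.3.4


def parse_line(line):
    """Split one key=value line into a dict, stripping the quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def classify(ev):
    """Return 'fail', 'success' or None for a parsed event (assumed values)."""
    action, status = ev.get("action", ""), ev.get("status", "")
    if action.endswith("-fail") or status == "failed":
        return "fail"
    if action in ("ssl-login", "tunnel-up") or status == "success":
        return "success"
    return None


def source_ip(ev):
    """Prefer remip/srcip; fall back to the address embedded in the ui field."""
    if ev.get("remip") or ev.get("srcip"):
        return ev.get("remip") or ev.get("srcip")
    m = UI_IP_RE.search(ev.get("ui", ""))
    return m.group(1) if m else "?"


def triage(lines, user_threshold=5, ip_threshold=5):
    """Return findings for stuffing, spraying and success-after-failure patterns."""
    fails_by_ip = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    ips_by_user = defaultdict(set)                       # user -> failing source ips
    findings = []
    for line in lines:
        ev = parse_line(line)
        kind = classify(ev)
        if kind is None:
            continue  # traffic, config and other non-auth records
        ip, user = source_ip(ev), ev.get("user", "?")
        when = f"{ev.get('date', '?')} {ev.get('time', '?')}"
        if kind == "fail":
            fails_by_ip[ip][user] += 1
            ips_by_user[user].add(ip)
            continue
        prior = fails_by_ip.get(ip)  # .get() so we do not create empty entries
        if prior:  # a validated credential being used: highest priority
            findings.append({"rule": "success-after-failures", "ip": ip, "user": user,
                             "when": when, "prior_failures": sum(prior.values()),
                             "prior_users": len(prior)})
    for ip, users in fails_by_ip.items():
        if len(users) >= user_threshold:  # one source walking a credential list
            findings.append({"rule": "many-users-one-ip", "ip": ip,
                             "distinct_users": len(users), "users": sorted(users)})
    for user, ips in ips_by_user.items():
        if len(ips) >= ip_threshold:  # one account sprayed from a distributed set
            findings.append({"rule": "one-user-many-ips", "user": user,
                             "distinct_ips": len(ips), "ips": sorted(ips)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f)
```

Run it against an export of the device's event log (or the SIEM's copy) for the whole window in which the credentials could have been in use, not just the last day; the success-after-failures rule is the one that should drive session termination and password resets for the named accounts, while the two volume rules mainly identify sources to block and accounts to watch.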