FortiBleed Vulnerability Exposes 73,000 Fortinet VPN Devices – Security Breach Alert


FortiBleed leak reveals extensive exposure of Fortinet VPN credentials across 73,932 devices.

Discovery of the Breach

A newly reported security incident, dubbed “FortiBleed”, has exposed a dataset of Fortinet FortiGate virtual private network (VPN) credentials tied to 73,932 firewall URLs at organizations worldwide. Security researcher Bob Diachenko first spotted the exposure: a server holding what appear to be working Fortinet VPN credentials, including usernames, IP addresses, and plaintext passwords.

Initial Detection by Bob Diachenko

Diachenko’s findings, supported by screenshots and data shared publicly, indicate the database includes entries for high-profile entities such as Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, and State Grid. The researcher highlighted the scale of the breach, noting a single file contained 21,634 domain names spanning multiple industries.

“The dataset includes metadata about each organization, such as industry type, revenue, and employee count, which could aid threat actors in targeting specific entities,” said Bob Diachenko.

Scope and Impact

Diachenko attributes the breach to a Russian-speaking threat group with multiple operators. The group allegedly ran a large-scale brute-force campaign: roughly 1.16 billion credential attempts against 320,777 FortiGate SSL VPN devices and a further 2.1 billion attempts against 163,650 Microsoft SQL Server systems.

Attack Methodology

Attackers reportedly intercepted SSL VPN authentication hashes and cracked them on a 45-GPU cluster managed through Hashtopolis, an open-source controller that distributes hashcat jobs across many cracking nodes. The recovered credentials were then used to move into victims’ internal Active Directory environments.

Additional Findings

Diachenko obtained additional details after analyzing files inadvertently exposed on the same server, including logs, scripts, and tooling. The researcher noted that the threat group maintained detailed records of successful compromises, compiling a database of verified credentials across diverse industries.

Geographic and Sectoral Impact

The breach reportedly impacted organizations in Japan, Taiwan, Vietnam, Iraq, and Turkey, including a Turkish NATO defense contractor from which classified materials were allegedly stolen. Threat intelligence firm Hudson Rock independently analyzed the dataset and confirmed its scale, describing it as one of the largest known collections of compromised Fortinet-related credentials.

“The dataset includes verified credentials for entities in telecommunications, IT services, financial services, government, healthcare, education, and manufacturing sectors,” said Hudson Rock.

Verification and Analysis

Cybersecurity researcher Kevin Beaumont independently verified portions of the data, confirming the authenticity of several admin credentials. He noted that the dataset likely originated from exported Fortinet configurations, as it contains technical details typically found in device settings.

Technical Insights

Beaumont also pointed out that the leaked credentials include long, complex passwords. Passwords of that kind are impractical to recover by guessing, so their presence in plaintext suggests, as he notes, that they were extracted directly rather than brute-forced, which fits the configuration-export origin above. His analysis puts the dataset at approximately 75,000 Fortinet devices, most of which are still reachable online.

Recommendations for Affected Organizations

Hudson Rock has released a free FortiBleed lookup tool so organizations can check whether their devices appear in the dataset. Affected entities are advised to rotate passwords for Fortinet VPN accounts and administrative interfaces (and, because the data appears to come from exported configurations, any other secret stored in those configurations), enforce multi-factor authentication (MFA) on VPN and admin logins, review gateway logs for anomalies such as bursts of failed logins followed by a success or logins from unfamiliar source addresses, and monitor for leaked employee credentials.
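As an added illustration of the log review recommended above and of the brute-force pattern described under Attack Methodology, here is a small Python detector run over constructed FortiGate-style SSL VPN event lines. This is example code written for this article, not tooling from Hudson Rock, the researchers quoted, or Fortinet. The key=value field layout follows FortiOS event logs, but the specific action and reason strings, the thresholds, and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in FortiGate's key=value event-log style. These lines are made up
# for this example; the field names (date, time, subtype, action, remip, user) follow
# FortiOS SSL VPN event logs, but the action/reason strings are an assumption, not
# copied from a real device.
def _ev(date, time, action, remip, user, extra):
    return (f'date={date} time={time} type="event" subtype="vpn" level="alert" '
            f'action="{action}" remip={remip} user="{user}" {extra}')

SAMPLE_LOGS = [
    # 203.0.113.7 fails 12 times against "admin" in three minutes, then logs in
    *[_ev("2025-01-10", f"03:{14 + i // 4:02d}:{(i * 15) % 60:02d}", "ssl-login-fail",
          "203.0.113.7", "admin", 'reason="sslvpn_login_permission_denied"') for i in range(12)],
    _ev("2025-01-10", "03:20:00", "tunnel-up", "203.0.113.7", "admin", 'tunneltype="ssl-tunnel"'),
    # 198.51.100.9 tries six different usernames once each (password spray)
    *[_ev("2025-01-10", f"04:00:{i * 10:02d}", "ssl-login-fail", "198.51.100.9",
          f"user{i}", 'reason="sslvpn_login_unknown_user"') for i in range(6)],
    # 192.0.2.50 mistypes a password once and then logs in: normal behaviour, no alert
    _ev("2025-01-10", "05:00:00", "ssl-login-fail", "192.0.2.50", "alice",
        'reason="sslvpn_login_permission_denied"'),
    _ev("2025-01-10", "05:00:30", "tunnel-up", "192.0.2.50", "alice", 'tunneltype="ssl-tunnel"'),
    # unrelated admin GUI login that the detector must ignore
    'date=2025-01-10 time=05:01:00 type="event" subtype="system" level="information" '
    'action="login" user="admin" ui="https(192.0.2.10)"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split a key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def detect_sslvpn_abuse(lines, window_s=600, fail_threshold=10,
                        user_threshold=5, min_fails_before_success=3):
    """Return {remip: set(tags)} for source IPs whose SSL VPN activity looks abusive.

    Tags: "bruteforce" (many failures inside the sliding window), "password_spray"
    (many distinct usernames inside the window) and "success_after_failures" (a tunnel
    came up from an IP that had at least min_fails_before_success recent failures,
    the shape a guessed or cracked credential produces when it is finally used).
    """
    by_ip = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f.get("subtype") != "vpn" or f.get("action") not in ("ssl-login-fail", "tunnel-up"):
            continue
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        by_ip[f["remip"]].append((ts, f["action"], f.get("user", "")))

    alerts = defaultdict(set)
    for ip, events in by_ip.items():
        events.sort()
        recent = []  # (ts, user) failures still inside the sliding window
        for ts, action, user in events:
            recent = [(t, u) for t, u in recent if (ts - t).total_seconds() <= window_s]
            if action == "ssl-login-fail":
                recent.append((ts, user))
                if len(recent) >= fail_threshold:
                    alerts[ip].add("bruteforce")
                if len({u for _, u in recent}) >= user_threshold:
                    alerts[ip].add("password_spray")
            elif len(recent) >= min_fails_before_success:
                alerts[ip].add("success_after_failures")
    return dict(alerts)

if __name__ == "__main__":
    for ip, tags in sorted(detect_sslvpn_abuse(SAMPLE_LOGS).items()):
        print(f"{ip}: {', '.join(sorted(tags))}")
```

Two caveats apply when adapting this to real gateway logs. A campaign of the size described here is spread across many source addresses, so per-IP counts alone miss it; count failures per username across all sources as well. More importantly, a credential that was cracked offline or lifted from an exported configuration produces a clean first-try login with no failures in front of it, which no failure-counting rule will flag; that is why the advice above leads with rotation and MFA rather than with log review.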

Conclusion

Fortinet had not publicly responded as of the latest update. Because most of the listed devices remain online, security experts urge affected organizations to rotate the exposed credentials and tighten VPN access controls without delay.
