CISA Issues Security Alert: Fortinet Users Must Secure Devices Due to FortiBleed Leak
CISA issued a directive to Fortinet users to implement security measures following the exposure of nearly 74,000 firewall and virtual private network credentials in a breach termed “FortiBleed.”
CISA Directive
CISA recommended that affected organizations terminate all SSL VPN and administrative sessions, reset passwords for VPN and administrative access, activate phishing-resistant multifactor authentication, and inspect system logs for signs of unauthorized activity or internal network movement. Additionally, the agency advised storing administrative credentials using the PBKDF2 hashing algorithm, restricting firewall management interfaces from public internet exposure, and removing any unauthorized user accounts to minimize potential vulnerabilities.
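One way to carry out the log-inspection step above is to look for the pattern the breach is attributed to: many failed SSL VPN logins from one source, then a successful tunnel. The following is an added example, not code from CISA or Fortinet; the key=value field names (`action`, `remip`, `user`, `subtype`) and the sample lines are constructed to resemble FortiGate event logs and are assumptions, so adjust them to the real field names in your own logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in a FortiGate-style key=value syslog layout (assumed
# field names; not taken from the article or from a real device).
SAMPLE_LOGS = """\
date=2025-01-10 time=08:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=203.0.113.7 reason="sslvpn_login_unknown_user"
date=2025-01-10 time=08:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:00:04 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:00:05 type="event" subtype="vpn" action="ssl-login-fail" user="erin" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:00:09 type="event" subtype="vpn" action="tunnel-up" user="erin" remip=203.0.113.7 tunneltype="ssl-web"
date=2025-01-10 time=08:05:00 type="event" subtype="vpn" action="tunnel-up" user="frank" remip=198.51.100.4 tunneltype="ssl-tunnel"
date=2025-01-10 time=08:06:00 type="event" subtype="vpn" action="ssl-login-fail" user="frank" remip=198.51.100.4 reason="sslvpn_login_permission_denied"
"""

# Matches key=value pairs where the value is either quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_suspicious_sources(log_text, fail_threshold=5, spray_users=3):
    """Return per-source findings for SSL VPN events.

    A source is reported when it exceeds fail_threshold failed logins, or when a
    tunnel comes up after it has already failed for at least spray_users distinct
    usernames (the credential-spray-then-success pattern). Events are processed in
    log order, so only a success that follows the failures is flagged.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_spray": False})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("subtype") != "vpn":
            continue
        s = stats[ev.get("remip")]
        if ev.get("action") == "ssl-login-fail":
            s["failures"] += 1
            s["users"].add(ev.get("user"))
        elif ev.get("action") == "tunnel-up" and len(s["users"]) >= spray_users:
            s["success_after_spray"] = True
    return {ip: {"failures": s["failures"], "distinct_users": len(s["users"]),
                 "success_after_spray": s["success_after_spray"]}
            for ip, s in stats.items()
            if s["failures"] >= fail_threshold or s["success_after_spray"]}


if __name__ == "__main__":
    for ip, finding in find_suspicious_sources(SAMPLE_LOGS).items():
        print(ip, finding)
```

Run it over exported event logs instead of SAMPLE_LOGS; any source flagged with success_after_spray is a candidate for session termination and password reset under the guidance above.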
Breach Details
The breach emerged after malicious actors leveraged compromised credentials to target internet-facing Fortinet devices within government and private sector entities globally. The agency confirmed reports of cybercriminals exploiting these credentials to access FortiGate appliances, noting the breach involved credentials linked to approximately 74,000 devices, including firewalls and VPN gateways.
Data Leak
A security researcher identified the FortiBleed data leak after discovering a server containing valid Fortinet VPN credentials, including usernames, IP addresses, and plaintext passwords for 73,932 firewall URLs worldwide. The dataset also included organizational details such as industry sectors, revenue figures, and employee counts, which the researcher suggested could aid in planning future attacks.
Threat Intelligence
A threat intelligence firm analyzing the data described it as one of the largest collections of compromised Fortinet credentials, spanning 21,632 unique domains across 194 countries. Notable entities listed in the dataset include Samsung, Mercedes-Benz, Foxconn, Chevron, Comcast, AT&T, Toyota, and various government agencies and critical infrastructure operators in telecommunications, healthcare, financial services, and manufacturing.
Regional Impact
The regions with the highest concentration of affected devices were India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates.
Threat Group
The breach was attributed to a Russian-speaking threat group that reportedly executed approximately 1.16 billion credential attempts against over 320,000 FortiGate targets to intercept SSL VPN authentication hashes. The origin of the configuration data remains undetermined.
Verification
Cybersecurity expert Kevin Beaumont verified the authenticity of some credentials, confirming the dataset includes around 75,000 active devices, most of which are still operational. He noted the leaked information appears to derive from Fortinet configuration files but emphasized the source of the data remains unclear.
Lookup Tool
A free FortiBleed lookup tool developed by Hudson Rock enables organizations to assess their exposure.
Vulnerabilities
In parallel, a threat intelligence company reported that multiple critical vulnerabilities in Fortinet’s FortiSandbox platform are now being exploited in active attacks. CISA has documented 26 Fortinet security flaws exploited in the wild over recent years, with 13 of these vulnerabilities linked to ransomware campaigns.
Challenges
Security teams face challenges in detecting breaches, as 54% of successful attacks go unlogged, and only 14% trigger alerts. Advanced breach and attack simulation tools can evaluate security information and event management (SIEM) and endpoint detection and response (EDR) systems to identify gaps in threat detection.
Conclusion
CISA’s advisory follows previous warnings about compromised Fortinet devices, highlighting the urgency for organizations to address vulnerabilities promptly. The agency’s guidance underscores the need for proactive security measures to mitigate risks associated with credential exposure and unauthorized access.
