FortiBleed 2026: Threat Intelligence Brief

FortiBleed 2026: Threat Intelligence Brief
FortiBleed 2026: Threat Intelligence Brief
Hunter Strategy

FortiBleed 2026: Threat Intelligence Brief

TLP: WHITE
Audience: Security Leadership and Operations
Prepared by: Threat Intelligence
Date: 10 July 2026

Executive Summary

FortiBleed is a large scale, financially motivated credential harvesting campaign disclosed in June 2026 after security researcher Volodymyr "Bob" Diachenko discovered an exposed command server left open by the threat actors themselves. The operation, attributed with medium confidence to a Russian speaking initial access broker operating under the handle "SantaAd," turned compromised internet facing Fortinet FortiGate firewalls into passive credential collection platforms running silently inside tens of thousands of enterprise networks. By the time of discovery, the group had executed roughly 1.16 billion credential attempts against more than 320,000 FortiGate targets and had validated working credentials for between 73,932 and 86,644 devices across 194 countries, representing approximately half of all internet facing Fortinet firewalls worldwide. The threat has since escalated: FortiBleed operators have been confirmed as directly connected to the Inc Ransom and Lynx ransomware as a service gangs, with at least 12 ransomware deployments already attributed to harvested FortiBleed access.

1.16BCredential attempts against more than 320,000 FortiGate targets
86,644Devices with validated working credentials across 194 countries
$30K to $60KAdvertised price per listing for compromised FortiGate access

1. Discovery and Attribution

How the Campaign Was Found

The exposed server discovered by Diachenko contained a structured database of validated FortiGate credentials alongside the automated tooling, scripts, and analytics that powered the operation. This was not a victim leak. It was the attacker command post, left open on the internet by the operators themselves. Kevin Beaumont and Hudson Rock independently validated portions of the dataset. Threat researchers published the most detailed technical analysis of the operator infrastructure, identifying more than 150 additional operational servers beyond the original campaign infrastructure and an internal document revealing an organized operation of roughly 20 people with a clear division of labor.

Attribution Assessment

Attribution rests on three primary indicators: Cyrillic language comments embedded throughout the custom tooling, operating windows consistent with Moscow business hours, approximately 07:00 to 18:00 Moscow Time, and command and control infrastructure hosted on Eastern European micro hosters. The initial access broker handle "SantaAd" was observed across dark web listings advertising access to compromised environments. Attribution is assessed at medium confidence. Definitive nation state sponsorship has not been established, and the operation is consistent with financially motivated criminal activity rather than directed intelligence collection.

Relevant CVEs

Three CVEs contributed directly to the credential debt FortiBleed was built on:

CVECVSSv3DescriptionStatus
CVE-2025-597189.8 CriticalAuthentication bypass via crafted SAML message; allows unauthenticated admin accessAdded to CISA KEV, December 2025
CVE-2025-597199.8 CriticalAuthentication bypass via crafted SAML message; allows unauthenticated admin accessAdded to CISA KEV, December 2025
CVE-2026-248589.8 CriticalFortiCloud account holder can authenticate to devices registered to other usersPatched January 26, 2026; exploited as 0-day before patch

Fortinet confirmed that FortiBleed was not driven by a new product vulnerability. The campaign exploited a combination of credential reuse from previous incidents tied to these CVEs, brute force techniques against devices with weak password hygiene, and a customer base that had not enforced MFA.

2. Why Fortinet Was Targeted

Market Position and Install Base

Fortinet holds one of the largest install bases in network perimeter security across SMB, enterprise, and government environments globally. A single automated toolset pointed at internet facing FortiGate management portals reaches more organizations than almost any other perimeter vendor, which creates a compelling reward to effort ratio. Fortinet's competitive pricing draws in smaller organizations running lean on security resources. Those organizations tend to deploy the device, bring it online, and then deprioritize hardening, leaving default accounts active and management interfaces exposed to the open internet indefinitely.

The Legacy Credential Storage Problem

A critical technical enabler specific to Fortinet was its legacy approach to credential storage. Prior to FortiOS versions 7.2.11, 7.4.8, and 7.6.1, administrator password hashes were stored using SHA-256. SHA-256 does not resist modern GPU accelerated offline cracking. A threat actor who pulls a configuration file from a compromised device can crack those hashes offline with no further interaction with the live device, meaning no authentication logs, no lockout events, and nothing to alert the victim.

Fortinet introduced PBKDF2 based password hashing in the versions noted above, but the migration path contains a hidden risk that most post incident coverage missed. When upgrading from earlier firmware, existing administrator passwords remain stored as SHA-256 hashes in a hidden field called old-password. This field is invisible through the normal management interface but fully readable in any configuration backup pulled by a super_admin account. The SHA-256 hash is only overwritten when each administrator explicitly re-authenticates after the upgrade. Organizations that upgraded FortiOS, checked the patch compliance box, and moved on without completing that re-authentication step are still carrying crackable hashes regardless of what firmware version they are running.

SSL VPN as the Highest Value Target

SSL VPN is the highest value component on any perimeter device because compromising it grants access to the internal network as a trusted remote user, not just administrative control over the firewall itself. This distinction matters operationally: a management plane compromise gives control over the device, while an SSL VPN compromise gives network level access to everything behind it, including Active Directory, internal file shares, and production workloads.

SSL VPN credentials are also typically tied to Active Directory accounts. A single working credential can establish a domain level foothold from which an attacker can move laterally across internal network segments without ever touching the firewall again. Fortinet has seen multiple SSL VPN specific CVEs exploited in the wild, including CVE-2023-27997 and CVE-2024-21762, on top of the authentication bypass CVEs tied directly to the FortiBleed campaign. The attack surface SSL VPN creates cannot be eliminated by taking it offline because internet exposure is inherent to its function.

3. Technical Attack Chain

The FortiBleed operation followed a five stage, disciplined, and highly automated playbook. Each stage was purpose built and operated at a scale that required industrial grade infrastructure.

  1. 1.Stage 1: Reconnaissance. Masscan and Shodan were used to identify internet facing FortiGate devices at scale. A custom tool called FortiProbe-fast then fingerprinted targets to confirm they were FortiGate management portals. The operators did not attack targets indiscriminately. A revenue and sector based scoring model prioritized victims by economic value before any credential attempt was made, meaning the group was building a targeting product from the reconnaissance phase forward.
  2. 2.Stage 2: Initial Access. The group deployed a custom multi threaded utility called forticheck, configured to run up to 25,000 simultaneous threads. It executed three credential attack methods in parallel: credential stuffing using credentials sourced from infostealer malware logs and prior breach datasets, brute force attacks, and dictionary attacks. Approximately 1.16 billion credential attempts were directed at 320,777 FortiGate targets. The operation was not limited to Fortinet infrastructure. An additional 2.1 billion brute force attempts were directed at more than 163,000 Microsoft SQL Server systems, confirming a multi vendor targeting scope.
  3. 3.Stage 3: Sniffer Deployment. On approximately 6,127 to 12,000 compromised devices, the operators deployed FortigateSniffer, also called fg_sniffer or the SNIFTRAN engine, a custom Golang implant. The implant abuses the legitimate FortiOS diagnostic command diagnose sniffer packet to passively capture cleartext credentials and authentication hashes from all traffic passing through the compromised device. This is the stage that transformed individual compromised firewalls into live collection platforms running against their own users. The sniffer monitored 24 protocols, including TACACS+, Kerberos, RADIUS, NTLM, RPC, SMB, LDAP, SMTP, FTP, Telnet, RDP, WinRM, MS-SQL, MySQL, and PostgreSQL, running in 300 minute capture cycles. Most victims had no indication their firewall was working against them because the sniffer generated no anomalous outbound traffic patterns visible to standard monitoring tools.
  4. 4.Stage 4: Offline Hash Cracking. Captured authentication hashes were cracked using a Hashtopolis managed hashcat cluster backed by 45 dedicated GPUs and dynamically rented GPU capacity from vast.ai. Cracking jobs were orchestrated through a Telegram bot called HASHBOT, which delivered live cracking telemetry directly to a core administrator. The offline cracking model is particularly significant because it produces no authentication attempts against live systems, no lockout events, and no defensive alerts. Reported harvest volumes include approximately 14.8 million RADIUS credentials, 924,000 NTLM hashes, 130,000 Kerberos hashes, and 89 million MySQL authentication tokens, totaling more than 110 million credentials across all collection methods.
  5. 5.Stage 5: Exfiltration and Persistence. Post authentication activity included Active Directory enumeration, DFS and SMB network share access, and persistence via stolen and replayed session cookies. Persistent backdoor accounts using the username adminin were found on compromised systems. The operation used an AI powered penetration testing agent called CyberStrike to accelerate post exploitation steps, reducing the manual effort required to move from initial credential validation to domain level access.

4. Scope and Victim Profile

Geographic and Sector Distribution

The confirmed dataset contains validated working credentials for between 73,932 and 86,644 unique FortiGate device URLs spanning 21,632 distinct domains across 194 countries. India and the United States combined account for roughly a third of affected device entries by count. Telecom was the most heavily represented sector, with government entities across 111 domains close behind. Healthcare, finance, and energy sectors also had confirmed post exploitation activity documented across affected environments. SMBs made up approximately 66 percent of affected organizations by count, consistent with the class of customer that runs lean on security resources and is least likely to have completed post patch hardening steps.

Confirmed Victims

Confirmed or reported victims include Foxconn, Samsung, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, State Grid, Siemens, Lenovo, Oracle, Chevron, PwC, and Accenture, alongside numerous government agencies and critical infrastructure operators. A confirmed breach of a NATO aligned defense contractor with document exfiltration was documented on 15 June 2026. Active Directory compromise and lateral movement across internal network segments were documented in victims spanning telecom, government, healthcare, finance, and energy sectors.

The Dataset as a Commercial Product

What distinguished FortiBleed from a generic credential dump was deliberate commercial packaging. Each credential entry included the target organization's industry vertical, revenue, and employee headcount, structured to help buyers evaluate access before purchase. When media coverage of FortiBleed began, initial access broker operators updated their dark web auction listings to cite news articles as proof of credential validity and raised prices accordingly. Access to compromised FortiGate environments was advertised at $30,000 to $60,000 per listing. Threat researchers identified roughly 148 organizations with confirmed Active Directory compromise from within the dataset, reflecting how buyers prioritized environments offering immediate paths to domain level privilege escalation.

5. Ransomware Escalation

As of early July 2026, threat researchers confirmed that the FortiBleed initial access broker operation is directly connected to Inc Ransom and Lynx, two active ransomware as a service gangs. An operator tied to FortiBleed infrastructure was found actively logged into the ransom negotiation panels for both groups, engaging with victim demands. This represents the first confirmed instance directly connecting mass FortiGate credential theft to actual ransomware deployment.

Researchers traced 354 completed FortiGate intrusion chains and confirmed at least 12 ransomware deployments resulting in the encryption of hundreds of endpoints across affected organizations, including at least one energy sector customer. Lynx emerged in mid-2024 as a rebrand of INC Ransomware, whose source code was sold for $300,000 on the RAMP forum, and operates an 80/20 affiliate profit split. The two groups share operational personnel, infrastructure, and victim lists. Overlap between FortiBleed victim data and organizations already listed on the INC Ransom leak site has been confirmed.

The FortiBleed group is also confirmed to be exploiting at least one undisclosed 0-day affecting Nextcloud, expanding post compromise access into collaboration and file storage environments beyond the initial Fortinet footprint. A target list of 29,000 Citrix related IP addresses and 37 domains was discovered, indicating that reconnaissance for a second wave targeting Citrix infrastructure is already underway. Separately, active exploitation of CVE-2026-35616 in Fortinet FortiClient EMS, CVSSv3 9.1, has been observed, deploying a credential stealer called EKZ Stealer to harvest browser stored credentials from Chromium based browsers and Firefox.

6. How FortiBleed Changes the Threat Landscape

FortiBleed directly challenges the assumption that compromising enterprise security infrastructure at scale requires sophisticated exploits or nation state level resources. The operation was built on vendor market dominance, a customer population that deprioritized device hardening, and automation sufficient to work through both systematically. It required no novel 0-day in FortiOS to reach its scale. The initial access vector was largely weak credentials and legacy password hashing that had been sitting in place since before patches existed for it.

The snowball dynamic is the most operationally significant characteristic of this campaign. Each compromised device became a new credential harvesting node feeding live traffic back into the operation. Credential stuffing against one vendor turned into a collection platform running across tens of thousands of networks simultaneously. The dataset does not stop growing at initial breach, and multiple criminal operators can access the same pool of compromised devices concurrently.

The monetization model is what makes FortiBleed a replicable template. Tiered access sales priced by victim sector and revenue, applied to compromised firewall credentials at scale, is a commercially optimized criminal product that other groups will copy. The expansion into Microsoft SQL Server, Sophos SSL-VPN, Citrix systems, and Microsoft RDP confirms the model is already being applied beyond Fortinet. Any vendor with a large install base, a customer population that underinvests in hardening, and exposed internet facing management or remote access interfaces is a viable target for this operational model.

7. 30/60/90-Day Outlook

0 to 30 Days

The immediate threat posture remains elevated. Thousands of FortiGate devices are still running active FortigateSniffer implants. Threat researchers estimate that as of early July 2026, following notification activity, the number of actively sniffed devices has dropped from approximately 19,000 to 11,000, but those remaining devices are still feeding credentials into the operation in real time. Ransomware deployments from already sold access are expected to continue at pace, with Inc Ransom and Lynx both confirmed as active downstream consumers. The Nextcloud 0-day remains undisclosed and unpatched, meaning any organization running Nextcloud in its environment and exposed to FortiBleed related threat activity faces an active exploitation risk with no vendor mitigation available. Organizations should treat the 30 day window as a breach response period, not a watch and wait period.

30 to 60 Days

The broader criminal market will continue absorbing the FortiBleed dataset. Access listings priced at $30,000 to $60,000 per environment represent high margin inventory, and buyers beyond Inc and Lynx are expected to acquire and operationalize access from this period forward. The discovered Citrix target list of 29,000 IP addresses and 37 domains indicates the same operator infrastructure is being repositioned for a follow on campaign against Citrix remote access systems. Organizations running Citrix NetScaler or Citrix Gateway in their environments, particularly those already in the FortiBleed victim set, should treat this as a near term parallel risk. CVE-2026-35616 in FortiClient EMS will likely see increased exploitation during this window as the EKZ Stealer pipeline is already confirmed active.

60 to 90 Days

The ransomware as a service structure around this campaign is maturing. The confirmed linkage between the FortiBleed initial access broker and Inc/Lynx establishes a repeatable supply chain: large scale perimeter credential harvesting feeding packaged access into ransomware as a service operations. Other initial access broker groups will observe this model and apply it to other high install base perimeter vendors. Sophos, Cisco, and Palo Alto Networks all represent viable targets under the same logic that made Fortinet attractive. The 60-90-day window is also when law enforcement and vendor coordination on the Nextcloud 0-day is most likely to produce a public disclosure, which will trigger a new wave of exploitation attempts against unpatched instances before organizations can respond. Identification of over 200 FortiBleed associated servers may support future law enforcement coordination, but the dataset itself has already been distributed to buyers and cannot be recalled.

8. Implications and Recommendations

Strategic Implications

FortiBleed is not a contained incident. It is a proof of concept for a new class of initial access broker operation that industrializes perimeter credential harvesting and connects it directly to ransomware deployment through a structured supply chain. The implications extend well beyond Fortinet customers. Every organization running internet facing perimeter devices from any major vendor, without MFA, with default credentials in place, and without enforced patch cadence, is operating under equivalent exposure conditions. The question is not whether the model will be replicated. It will be. The question is which vendor's install base becomes the next target.

The commercial packaging of the FortiBleed dataset, with credentials organized by victim revenue, sector, and headcount, represents a qualitative shift in how stolen access is sold. It lowers the barrier for less technically sophisticated buyers to identify and acquire high value targets. This increases the total addressable buyer population for harvested credentials and drives up attack volume against affected organizations after initial disclosure.

Operational Recommendations

  • MFA is the single highest impact control. It is not enabled by default on FortiGate devices and its absence is the primary reason credential stuffing at this scale succeeded. Enabling MFA on all administrator and VPN user accounts should be treated as a non-negotiable baseline, not an optional hardening measure.
  • Credential rotation must follow every CVE disclosure, regardless of whether exploitation in a given environment has been confirmed. The credential debt FortiBleed exploits came from organizations that patched vulnerabilities and never rotated the credentials those vulnerabilities exposed.
  • Management interface isolation is the second highest structural control. The SSL VPN must remain internet accessible by design. The admin console does not. Restricting management access to trusted IP ranges via trusted-host configuration, local-in policies, or full out-of-band management removes the reconnaissance and brute force surface entirely.
  • Post-upgrade re-authentication is the step that most organizations skipped. Upgrading to FortiOS 7.2.11, 7.4.8, 7.6.1, or later is necessary but not sufficient. Every administrator must log back in after the upgrade to trigger PBKDF2 re-hashing and overwrite the legacy SHA-256 hash stored in the hidden old-password field. Use the set login-lockout-upon-weaker-encryption setting to explicitly clear legacy password fields after the upgrade.
  • Default and built-in account removal addresses a structural weakness in how Fortinet devices are deployed. Audit and remove any account not tied to a named individual with a documented role and an active business need.

Detection Priorities

  • Monitor authentication logs for successful logins from unexpected source IPs, off-hours sessions inconsistent with workforce time zones, and new administrator accounts appearing without change management authorization.
  • Baseline and alert on use of the diagnose sniffer packet command in FortiGate audit logs. Any unexpected execution is a high confidence indicator of FortigateSniffer deployment.
  • Correlate FortiGate VPN authentication events against Active Directory logs. A VPN login followed immediately by AD enumeration, new account creation, or privilege escalation is a high fidelity post exploitation indicator.
  • Hunt for the persistence account adminin on all FortiGate and FortiClient EMS devices in the environment.
  • Monitor for anomalous PowerShell activity tied to credential exfiltration, consistent with EKZ Stealer behavior observed in FortiClient EMS exploitation.

Patch and Exposure Priorities

PriorityActionTimeframe
CriticalEnable MFA on all FortiGate admin and VPN accountsImmediate
CriticalRotate all credentials on internet-facing FortiGate devicesImmediate
CriticalAudit for unauthorized accounts (adminin, forticloud, fgtsecure, etc.)Immediate
CriticalUpgrade to FortiOS 7.2.11 / 7.4.8 / 7.6.1 and force admin re-authenticationWithin 24 hours
HighPull management interface off the public internetWithin 24 hours
HighPatch CVE-2026-35616 in FortiClient EMSWithin 72 hours
HighCheck device exposure via the Hudson Rock FortiBleed lookup toolWithin 24 hours
HighPatch FortiSandbox CVE-2026-39808, CVE-2026-39813, CVE-2026-25089Within 72 hours
MediumSegment SSL VPN access from internal production resourcesWithin 2 weeks
MediumImplement geo-restriction on authentication where operationally feasibleWithin 2 weeks
MediumApply 72-hour KEV patching SLA to all future Fortinet advisoriesOngoing