Security firm SOCRadar has identified a large-scale campaign, dubbed FortiBleed, that specifically targets Fortinet FortiGate devices. Attackers are deploying custom-built sniffers designed to harvest authentication secrets directly from compromised firewalls. This represents a targeted and persistent effort to extract credentials from network perimeter devices.

SOCRadar describes the campaign as large-scale but has not published a count of affected devices. The use of purpose-built sniffers rather than off-the-shelf tooling points to an operator with a specific, sustained interest in FortiGate appliances, so any organization exposing FortiGate management or VPN interfaces should treat itself as in scope.

Technical details remain limited, but the attack involves deploying a custom sniffer onto the FortiGate device itself. The tool is engineered to intercept and capture authentication secrets, likely including credentials used for administrative access or VPN connections; the report does not say which secrets or in what form. Two consequences follow from where the sniffer runs. First, placing code on the firewall requires prior privileged access, so credential harvesting is a symptom of an appliance that is already compromised rather than the initial intrusion. Second, because the sniffer sits on the device that terminates the administrative and VPN sessions, it observes credentials after TLS has been stripped, so transport encryption offers no protection. Harvested credentials could enable further network penetration or lateral movement.

SOCRadar did not specify whether a particular vulnerability is being exploited or whether attackers are leveraging previously compromised credentials. Fortinet has not announced a patch or workaround specific to this campaign. Organizations are advised to review FortiGate event logs for signs of unauthorized access, in particular administrative logins from addresses outside the management network, bursts of failed logins followed by a success, and administrator accounts that are not in the organization's inventory, and to rotate any potentially exposed administrative and VPN credentials. Because the sniffer runs on the firewall itself, rotation should follow confirmation that the device is clean (or a rebuild), otherwise the new credentials are captured as readily as the old ones.
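As an added illustration of what the log review above can look like in practice, the following Python script is not from SOCRadar's report or from Fortinet; it parses FortiOS-style key=value event log lines and flags the three login patterns just described. The management allow-list, the admin inventory, the failed-login threshold and the sample log lines are constructed for this example, and the field names it relies on (logid, action, status, user, srcip) are assumed to match the FortiGate event log layout.

```python
"""Triage FortiGate event logs for signs of unauthorized administrative access.

Added example, not code from SOCRadar or Fortinet. Assumes FortiOS key=value
event-log layout (quoted values may contain spaces) and the fields
action/status/user/srcip on admin login events.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# One key=value pair; quoted values may contain spaces, parentheses and escapes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines approximating FortiGate admin-login and traffic events.
SAMPLE_LOGS = [
    'date=2024-05-01 time=08:02:11 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.10.0.5)" method="https" srcip=10.10.0.5 action="login" status="success" msg="Administrator admin logged in successfully from https(10.10.0.5)"',
    'date=2024-05-01 time=08:03:40 logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" method="https" srcip=203.0.113.7 action="login" status="failed" msg="Administrator admin login failed from https(203.0.113.7)"',
    'date=2024-05-01 time=08:03:52 logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" method="https" srcip=203.0.113.7 action="login" status="failed" msg="Administrator admin login failed from https(203.0.113.7)"',
    'date=2024-05-01 time=08:04:05 logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" method="https" srcip=203.0.113.7 action="login" status="failed" msg="Administrator admin login failed from https(203.0.113.7)"',
    'date=2024-05-01 time=08:04:19 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" method="https" srcip=203.0.113.7 action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.7)"',
    'date=2024-05-01 time=08:05:00 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.0.9 dstip=192.0.2.10 action="accept" msg="traffic, not a login event"',
    'date=2024-05-01 time=08:06:30 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="svc-backup" ui="ssh(198.51.100.20)" method="ssh" srcip=198.51.100.20 action="login" status="success" msg="Administrator svc-backup logged in successfully from ssh(198.51.100.20)"',
]

# Hypothetical management allow-list and admin inventory; replace with your own.
MGMT_NETWORKS = [ip_network("10.10.0.0/24")]
KNOWN_ADMINS = {"admin", "netops"}
FAILED_BURST_THRESHOLD = 3  # failures from one (user, srcip) before a success is suspicious


def parse_fortigate_line(line):
    """Return the key=value fields of one log line as a dict, quotes stripped."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def triage(lines, mgmt_networks=MGMT_NETWORKS, known_admins=KNOWN_ADMINS):
    """Flag suspicious admin logins; returns (kind, user, srcip, line_no) tuples."""
    findings = []
    failed_by_src = defaultdict(int)
    for line_no, line in enumerate(lines, 1):
        ev = parse_fortigate_line(line)
        if ev.get("action") != "login":
            continue  # traffic and other non-login events are out of scope here
        user = ev.get("user", "?")
        src = ev.get("srcip", "")
        try:
            src_ip = ip_address(src)
        except ValueError:
            findings.append(("unparseable-srcip", user, src, line_no))
            continue
        if ev.get("status") == "failed":
            failed_by_src[(user, src)] += 1
            continue
        if ev.get("status") != "success":
            continue
        # Successful login: apply the three checks from the advisory text.
        if not any(src_ip in net for net in mgmt_networks):
            findings.append(("login-outside-mgmt", user, src, line_no))
        if user not in known_admins:
            findings.append(("unknown-admin", user, src, line_no))
        if failed_by_src[(user, src)] >= FAILED_BURST_THRESHOLD:
            findings.append(("success-after-failures", user, src, line_no))
    return findings


if __name__ == "__main__":
    for kind, user, src, line_no in triage(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} user={user} srcip={src}")
```

Run against the constructed sample, the script flags line 5 twice (a login from outside the management network, preceded by three failures from the same source) and line 7 twice (an unknown admin account logging in over SSH from outside the management network). Treating every hit as a finding is deliberate: on a device suspected of running a credential sniffer, a single unexplained administrative login is enough to justify rotation and a rebuild.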

The campaign's attribution remains unknown. The incident underscores the ongoing risk to network edge devices, which are attractive targets precisely because they terminate administrative and VPN sessions for the enterprise and therefore hold the credentials for both.