logo

FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist

ID: 973f8f64-8590-5e71-8ab7-419b0eb73c69

STIX ID: report--973f8f64-8590-5e71-8ab7-419b0eb73c69

Feed Name: Dark Reading

Threat Score
85/100

Date Published: 2026-06-23

Date Updated: 2026-06-23

Author: Elizabeth Montalbano

...
...

Researchers uncovered the FortiBleed campaign in which attackers deploy a Golang sniffer (FortigateSniffer) on Internet-exposed FortiGate firewalls to passively capture credentials across ~24 authentication protocols. The campaign has created hundreds of credential-harvesting pipelines, impacted a global set of devices (reportedly targeting >430,000 FortiGate instances), and resulted in the theft of over 110 million credentials; attackers then crack and reuse those credentials for AD/SMB access, lateral movement, data theft and downstream ransomware or resale.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.