Sweeping Credential-Harvesting Heist Compromises +30K Fortinet Devices
ID: eebba176-8a26-5a91-8e02-804be96e9943
STIX ID: report--eebba176-8a26-5a91-8e02-804be96e9943
Feed Name: Dark Reading
SOCRadar identified an active campaign dubbed "FortiBleed" in which attackers used previously leaked Fortinet credentials, credential stuffing, and automated scanners to verify and compromise roughly 30,791 devices across 194 countries (21,108 unique IPs and 8,316 domains) spanning government, telecommunications, healthcare, education, finance, and critical infrastructure. Compromised Fortinet firewalls and VPNs are used as listening posts to harvest additional credentials that are fed back into the attack infrastructure; the operation appears automated and self-sustaining, attributed to suspected Russian-speaking actors with possible espionage and financial motives. Affected organizations are advised to rotate administrative and VPN credentials, enable multi-factor authentication, review authentication logs, remove management interfaces from the public Internet, and update firmware.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
