An update on FortiBleed — what’s happening with victim orgs
ID: 31ace8a5-aa9a-5423-bd30-cc0e526b2a28
STIX ID: report--31ace8a5-aa9a-5423-bd30-cc0e526b2a28
Feed Name: DoublePulsar
This report is an update on the FortiBleed activity. Threat actors scanned and accessed internet-facing FortiGate devices, exported full device configurations, cracked the stored password hashes on rented GPU clusters, and are now selling or using the harvested credentials to reach internal networks, including VPNs and Active Directory. The author provides observed IoCs (the IP addresses performing the exports and victim lists), describes the attacker actions seen (automated configuration exports, creation of admin accounts, firewall rule changes and VPN logins), and gives remediation guidance: rebuild compromised appliances, rotate VPN keys, enforce MFA, and update firmware.
