Firewalls and VPN gateways are a lucrative target for attackers: after all, they guard the entrance to corporate networks. A security researcher now says he has uncovered a large-scale attack campaign against devices from the manufacturer Fortinet, with around 74,000 of them reportedly compromised.
It is unclear who is behind the attack, but the discoverer, Volodymyr Diachenko, mentions a “Russian-speaking cybercrime group with several members.” The group first tried login credentials en masse against Fortinet devices, for example credentials taken from earlier data leaks: 1.16 billion username and password combinations in total.
The number of devices attacked via “FortiBleed” is also astronomical: 320,000, half of all Fortinet devices reachable from the internet. Of these, the criminals successfully obtained login credentials for 73,932 Fortinet appliances worldwide, Diachenko explains. The figures cannot be independently verified. In the majority of cases, the management interfaces were likely exposed to the internet.
However, how the attackers gained access to the devices remains unclear. Security expert Kevin Beaumont suspects they may have used a previously unknown security vulnerability. They then extracted the device configuration and cracked the password hashes it contained by brute force on a specialized cluster with 48 GPUs. In older versions of the Fortinet firmware, passwords are hashed with salted SHA-256, which tools like hashcat can attack far more efficiently than the PBKDF2 variant with a random hash that has been standard since FortiOS 7.2.11.
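The difference between the two hashing schemes named above is the work factor per guess. The following added example (not code from the article, Fortinet, or the researcher) implements both a salted single SHA-256 and PBKDF2-HMAC-SHA256, verifies a password against each, and measures how much slower each guess becomes under PBKDF2. The salt, password and iteration count are constructed for illustration and are not FortiOS's actual parameters.

```python
import hashlib
import hmac
import time

# Constructed sample values; nothing here comes from a real device configuration.
PASSWORD = b"correct-horse-battery"
SALT = b"constructed-salt"          # 16 bytes, fixed so the example is reproducible
PBKDF2_ITERATIONS = 100_000         # assumption: illustrative work factor only


def hash_sha256_salted(password: bytes, salt: bytes) -> bytes:
    """Single salted SHA-256: the salt defeats precomputed tables but adds no work factor."""
    return hashlib.sha256(salt + password).digest()


def hash_pbkdf2(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify(stored: bytes, candidate: bytes, salt: bytes, scheme) -> bool:
    """Compare a candidate's hash against the stored one in constant time."""
    return hmac.compare_digest(stored, scheme(candidate, salt))


def guesses_per_second(scheme, salt: bytes, n: int) -> float:
    """Measure how many candidate passwords this process can hash per second."""
    start = time.perf_counter()
    for i in range(n):
        scheme(b"guess-%d" % i, salt)
    return n / (time.perf_counter() - start)


def slowdown_factor(iterations: int = PBKDF2_ITERATIONS) -> float:
    """Ratio of salted-SHA-256 throughput to PBKDF2 throughput on one core."""
    sha_rate = guesses_per_second(hash_sha256_salted, SALT, 20_000)
    pbkdf2_rate = guesses_per_second(lambda p, s: hash_pbkdf2(p, s, iterations), SALT, 5)
    return sha_rate / pbkdf2_rate


if __name__ == "__main__":
    stored = hash_pbkdf2(PASSWORD, SALT)
    print("verify ok:", verify(stored, PASSWORD, SALT, hash_pbkdf2))
    print(f"PBKDF2 is ~{slowdown_factor():,.0f}x slower per guess than salted SHA-256")
```

A GPU cluster like the one described multiplies both rates by the same hardware advantage, so the ratio printed here is roughly the factor by which the upgraded firmware's hashing lengthens a cracking run.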