A Russian initial access broker (IAB) is targeting over 430,000 FortiGate firewalls as part of the FortiBleed credential-harvesting campaign, SOCRadar reports.
Discovered last week, the campaign has been ongoing since at least February, and was initially believed to be Fortinet-exclusive. But it is not.
In a fresh report (PDF), SOCRadar explains that FortiBleed is in fact a multi-vendor credential and access operation, likely mounted by a financially motivated threat actor.
“Attackers compromise exposed firewalls, harvest the authentication traffic and credentials passing through them, crack what they capture, and sell that access on,” the company told SecurityWeek.
Over 430,000 FortiGate firewalls worldwide are within the scope of the campaign. Of the 80,000 identified targets, more than 19,000 are still being actively sniffed with a custom Golang tool dubbed FortigateSniffer.













