A new report details the FortiBleed campaign, an active operation using a custom Golang sniffer, FortigateSniffer, to steal credentials from over 430,000 FortiGate firewalls. Threat actors exploit a built-in FortiOS command, `diagnose sniffer packet`, to capture live network traffic and extract sensitive authentication data like Kerberos, LDAP, and VPN credentials. This isn't a zero-day, but a…

https://www.tpp.blog/27v7268

#cybersecurity #fortibleed #fortigate

🤖 This post was AI-generated.

RT: @Huntio We want to give Volodymyr "Bob" Diachenko (@MayhemDayOne) a real shoutout here 👏

A couple of days ago, Bob found and broke the #FortiBleed story, the dataset tied to more than 70,000 exposed #FortiGate devices, linked to a Russian-speaking group running credential harvesting at scale.

The open directory he worked from came up through our Open Directory Intelligence, surfaced by AttackCapture. He spotted it in our data and ran his own investigation from there.

What he found:

→ SSL VPN authentication intercepted at scale
→ Hashes cracked offline on a dedicated GPU cluster
→ Roughly 1.16 billion credential attempts run against 320,000+ FortiGate targets, plus another 2.1 billion against 160,000+ MSSQL servers
→ Plaintext credentials reused for lateral movement into Active Directory once inside
→ At least four organizations fully compromised across Asia and the Middle East, including a NATO defense contractor with documents exfiltrated

This is the best kind of validation. A researcher we respect pulled it from the data, dug in, and published it on his own 🙌

If you want to see what AttackCapture surfaces for open directories tied to your own stack, it's live in the platform. Contact us to get started:

reminder that "fortibleed" is not a vuln. no CVE. no patch. nothing fucking "bled."

it's a russian-speaking crew firing 1.16 billion creds from old breaches and infostealer logs at every fortigate dumb enough to have its mgmt interface sitting on the public internet. ~50% of internet-facing boxes. half of you.

and before anyone cries "but my password was 28 characters with symbols": it didn't get cracked. it was already chilling in an infostealer dump in plaintext. great entropy, shame about the malware on your sales guy's laptop.

the -bleed suffix is marketing. the real CVE is CVE-2026-YOUREANIDIOT: "admin panel pointed at 0.0.0.0/0, password recycled from a 2022 breach, MFA considered but never enabled."

rotate the creds, yank the mgmt interface off the internet, force MFA, and maybe stop letting threat intel firms name your incidents like they're naming a fucking Marvel villain.

#infosec #fortinet #fortigate

📢 FortiBleed: massive leak of Fortinet VPN credentials for 73,932 devices worldwide
📝 📰 **Source**: BleepingComputer — **Publication date**: 17 June 202...
📖 cyberveille: https://cyberveille.ch/posts/2026-06-18-fortibleed-fuite-massive-de-credentials-fortinet-vpn-pour-73-932-equipements-dans-le-monde/
🌐 source: https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/
#FortiGate #Fortinet #Cyberveille
A data leak dubbed "#FortiBleed" exposed 73,932 #Fortinet and #FortiGate #VPN credentials for organisations worldwide. The leak includes usernames, email addresses, and plaintext passwords for organisations like Chevron, Samsung, and AT&T. The exposed data, believed to be from exported Fortinet configurations, includes information typically only accessible through configs and indicates a large-scale credential harvesting campaign. https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/?eicker.news #tech #media #news
FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices.

A newly discovered data leak dubbed "FortiBleed" has exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs at organizations worldwide.

BleepingComputer

Bleeping Computer: FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices. “A newly discovered data leak dubbed ‘FortiBleed’ has exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs at organizations worldwide.”

https://rbfirehose.com/2026/06/17/bleeping-computer-fortibleed-leak-exposes-fortinet-vpn-credentials-for-73000-devices/

📣🚨 #FortiBleed attack exposes Fortinet firewall credentials in 194 countries, with researchers linking the dataset to nearly 74,000 firewall URLs and 21,000+ affected domains.

Read: https://hackread.com/fortibleed-attack-fortinet-firewalls-credentials/

#Fortinet #FortiGate #Cybersecurity #DataBreach #VPN

FortiBleed Attack Exposes Fortinet Firewall Credentials in 194 Countries

Researchers say FortiBleed used stolen and tested credentials to access exposed Fortinet firewalls, putting major organizations and public agencies at risk now.

Hackread - Cybersecurity News, Data Breaches, AI and More
FortiBleed: 73,932 Fortinet firewalls compromised by a Russian-speaking group worldwide

🔍 Context
Published on 17 June 2026 by Hudson Rock (hudsonrock.com), this article draws on the research of security researcher Volodymyr "Bob" Diachenko. It documents a worldwide cyber-espionage campaign targeting Fortinet FortiGate devices (firewalls and VPN gateways).

🎯 Attack methodology
The group, described as multi-operator and Russian-speaking, operated in a highly automated way:

• 1.16 billion credential-stuffing attempts against more than 320,000 FortiGate targets
• 2.1 billion brute-force attempts against more than 160,000 MSSQL servers
• Interception of SSL VPN authentication hashes and cracking on a dedicated 45-GPU cluster managed with Hashtopolis
• Systematic pivoting into internal Active Directory environments to establish deep persistence
• Use of previously stolen credential databases (infostealers) to bypass password complexity policies

📊 Scale and victims

• 73,932 unique firewall URLs compromised in 194 countries
• 21,632 unique affected domains
• Most affected countries: India (9,629), United States (6,352), Taiwan (3,637), Mexico (3,197), Turkey (3,032)
• Most affected sectors: IT services, telecommunications, construction, financial services, government
• Named victims: Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, as well as government entities and critical infrastructure.

CyberVeille
FortiGate SSL VPN: once access is obtained, attackers move laterally with method and patience: credentials, configurations, internal movement. The point is not just the initial vulnerability, but everything that becomes possible afterwards. Post-exploitation often tells more than the compromise itself. 🔍 #infosec #FortiGate #VPN
https://www.ilsoftware.it/fortigate-ssl-vpn-nel-mirino-come-agiscono-gli-hacker-dopo-laccesso/
FortiGate SSL VPN in the crosshairs: how hackers act after gaining access

Nightmare Eclipse hits FortiGate SSL VPN: here is how hackers exploit their access to move through the network.

ilsoftware.it

I started a company!

“What? Huh? Why?”

Those are some of the many questions I was asking myself. Simply… Looking to challenge the brain in different ways than what I’m normally doing.

How it began – In my personal time while trying to secure my own personal hosted infrastructure, I was noticing that there wasn’t an efficient or effective way to block bad threat actors (nasty hackers) on the Internet.

The typical (tedious) approach has always been:

  • I see a bad connection from IP1, therefore I must block IP1.
  • I see a bad connection from IP2, therefore I must block IP2.
  • I see a bad connection from IP3, therefore I must block IP3.
  • ….
  • Repeat until you lose all sense of sanity.
The problem with this approach is that you end up getting stuck in a game of whack-a-mole. Who do you think wins? Trick question – it’s not you!

I put a different idea together – what if bad threat actors run their hacking world like a business and focus on cost optimization and automation? Novel idea, right?

How does this apply to what I do? Well if I were to run a business like theirs, I would figure out how to “copy/paste” my attacks in creative ways. To do this, I would choose a (cheap) hosting provider that has resources that I can use for my desired purposes. Once the hosting provider is identified, I’m going to figure out ways to spin up new resources in a quick manner in a different location (i.e. automation).

New Resource + New Location = New IP Address To Attack From

Now that I know this, let the hacking begin!

Do you see how the game of whack-a-mole starts?

What does my company do?

I have a few products available now, but the one product that solves the above problem is a product called Molasses Masses.

How does it work?

Rather than blocking on a per-IP basis, I get all the subnets for that hosting provider that the hacker is using and then block those. The idea is that remote connections coming to my/your hosted services should not come from other hosting providers. They should be from people like you reading this article!

Now it’s possible that you or your business partners get caught up in the block list – no problem! You can exclude your own and/or business partner subnets from the specifically curated list of subnets that you download.

How effective is this?

I’ve seen a reduction of attacks of up to 90%* from all my honeypots on the Internet.

Why would you use this?

Got remote users that need to VPN into your organization?

Got hosted services that should be accessed from actual users, and not random bots sitting in hosted environments?

Then this is the product for you!

Integrations available?

Very simply, it’s a flat text file of curated subnets that you can use in your own policies.

These are the supported platforms available today to consume my product:

• Linux (shorewall)
• Cisco – Firepower Threat Defense (FTD)
• Fortinet – Fortigate Firewalls
• Palo Alto Networks – PAN-OS and Prisma Access

Curious to test it out? 7-day free trials available.

Use discount code MM2026 to snag a 20% discount on checkout for the first 50 customers 🙂

* As with all things in life – your mileage may vary. You might have a different environment compared to mine which gives different results.

#AntiHacking #BotMitigation #BruteForceProtection #CiscoFTD #CloudSecurity #CyberSecurity #Cybersecurity #DDoSProtection #Fortigate #Honeypot #InfoSec #IPBlocking #MolassesMasses #NetworkSecurity #PaloAltoNetworks #security #Shorewall #SubnetFiltering #SysAdmin #technology #threatIntelligence #VPNTrust #ZeroTrust
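As an added illustration of the subnet-level blocking and exclusion step the post describes (example code written here, not the Molasses Masses product's own code): take a flat text file of provider subnets, carve your own or a partner's subnets out of it, and check a remote address against the list that would actually go into a firewall policy. The provider ranges and exclusions below are constructed from documentation address space, not real provider data.

```python
import ipaddress
# Constructed sample of a curated "hosting-provider subnets" list: one CIDR per
# line, '#' comments allowed, using documentation ranges (not real providers).
SAMPLE_BLOCKLIST = """\
# hypothetical cheap-hosting provider ranges (constructed)
198.51.100.0/24
203.0.113.0/24
2001:db8:cafe::/48
"""
# Constructed exclusions: your own / partner subnets inside a blocked range.
SAMPLE_EXCLUSIONS = ["198.51.100.64/27", "203.0.113.200/32"]


def parse_prefixes(text):
    """Parse a flat CIDR text list, skipping blank lines and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def carve_out(blocked, excluded):
    """Subtract each excluded prefix; firewall lists cannot say 'X except Y',
    so X is split into the CIDR pieces that remain blocked."""
    pieces = list(blocked)
    for ex in excluded:
        kept = []
        for p in pieces:
            if ex.version != p.version:
                kept.append(p)                      # other family, untouched
            elif p.subnet_of(ex):
                continue                            # whole piece excluded
            elif ex.subnet_of(p):
                kept.extend(p.address_exclude(ex))  # keep the remainder
            else:
                kept.append(p)
        pieces = kept
    # collapse_addresses merges adjacent pieces and returns them sorted
    v4 = ipaddress.collapse_addresses(n for n in pieces if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in pieces if n.version == 6)
    return list(v4) + list(v6)


def effective_blocklist(blocklist_text, exclusions):
    excluded = [ipaddress.ip_network(e, strict=False) for e in exclusions]
    return carve_out(parse_prefixes(blocklist_text), excluded)


def is_blocked(ip, effective):
    return any(ipaddress.ip_address(ip) in n for n in effective)
```

Printing `effective_blocklist(SAMPLE_BLOCKLIST, SAMPLE_EXCLUSIONS)` gives the prefixes to load as address objects; the excluded /27 and /32 are absent and the rest of each /24 is still covered.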