www.darkreading.com 6/23/2026, 1:32:05 PM · external

FortiBleed hits 430k firewalls, stealing 110m credentials

CyberSIXT Evidence Panel
Primary Source socradar.io

The FortiBleed attack campaign targets over 430,000 FortiGate firewalls globally, compromising them to harvest credentials through a Golang-based tool called FortigateSniffer. This tool captures authentication data across 24 protocols, resulting in the theft of over 110 million credentials, including RADIUS, NTLM, and Kerberos.

Researchers from SOCRadar report that the attackers, likely motivated by financial gain and believed to be Russian, use a five-step attack chain that begins with reconnaissance, followed by credential stuffing and traffic capture via legitimate commands. Key targets include small-to-medium-sized businesses, particularly in the U.S. and India. Organizations are urged to enhance their cybersecurity measures, rotate credentials, and implement multi-factor authentication to mitigate risks.


Article by CyberSIXT
