FortiBleed Campaign: How Hackers Stole Credentials from FortiGate
Michael Miller
Security firm SOCRadar uncovered the FortiBleed campaign, where attackers used custom sniffers on compromised FortiGate firewalls to steal authentication secrets and credentials from US businesses.
### The FortiBleed Campaign: A Closer Look
Security firm SOCRadar recently uncovered a massive hacking campaign called FortiBleed. This operation targeted Fortinet FortiGate firewalls, which are widely used by businesses across the United States. The attackers didn't just break in—they used custom tools to steal login credentials right from the devices.
### What Made This Attack Different?
Most cyberattacks rely on known malware or phishing emails. But the FortiBleed campaign was more sophisticated. The hackers deployed custom sniffers directly on compromised FortiGate firewalls. These sniffers acted like digital wiretaps, capturing authentication secrets as they passed through the system.
Think of it this way: normally, when you log into a firewall, your credentials are encrypted on the way there. But a sniffer running on the firewall itself sees the data at the point where the device handles it in the clear. That gave the attackers a direct line to usernames, passwords, and session tokens.
### How Did the Attack Work?
The campaign followed a clear pattern:
- First, the attackers exploited known vulnerabilities in FortiGate devices.
- Once inside, they installed custom malware designed to capture authentication data.
- The sniffers ran quietly in the background, stealing credentials over time.
- Finally, the stolen data was sent back to the attackers' command servers.
This wasn't a quick smash-and-grab. It was a patient, methodical operation that could have gone unnoticed for weeks or months.
### What's at Stake for US Businesses?
Firewalls are the first line of defense for most companies. If attackers steal credentials from them, they can bypass all other security measures. They might:
- Access internal networks and steal sensitive data.
- Plant ransomware or other malware.
- Use compromised devices as launchpads for further attacks.
For businesses in the United States, this is especially dangerous. Many companies rely on FortiGate firewalls to protect customer data, financial records, and intellectual property. A breach could cost millions of dollars in damages and lost trust.
### How to Protect Your Organization
There's no magic bullet, but some steps can reduce your risk:
- **Update firmware regularly.** Fortinet has released patches for the vulnerabilities used in this campaign. Make sure your devices are up to date.
- **Monitor for unusual activity.** Look for unexpected outbound connections or changes in firewall logs.
- **Use multi-factor authentication.** Even if credentials are stolen, MFA can block unauthorized access.
- **Segment your network.** Don't let a compromised firewall give attackers free rein across your entire infrastructure.
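As an added illustration of the monitoring advice above, and not code from SOCRadar, Fortinet, or the original article, here is a small Python checker that runs over constructed FortiGate-style key=value log lines. It flags two of the things the advice calls out: connections the firewall itself opens to destinations outside an allowlist, and configuration changes made by accounts that are not on the admin roster or that happen outside a maintenance window. The field names, IP addresses, account names and the window are all assumptions chosen for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in FortiGate-style key=value syntax. The field names
# are an assumption for this example and are not a reference for the real schema.
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 devname="fw-edge" type="traffic" subtype="local" srcip=10.0.0.1 dstip=10.0.0.50 dstport=514 proto=17 action="accept"
date=2024-05-01 time=10:00:05 devname="fw-edge" type="traffic" subtype="local" srcip=10.0.0.1 dstip=203.0.113.77 dstport=443 proto=6 action="accept"
date=2024-05-01 time=10:01:10 devname="fw-edge" type="traffic" subtype="forward" srcip=10.0.5.23 dstip=198.51.100.9 dstport=443 proto=6 action="accept"
date=2024-05-01 time=10:02:00 devname="fw-edge" type="event" subtype="system" user="admin" action="Edit" cfgpath="system.admin" msg="Edit system.admin"
date=2024-05-01 time=03:15:42 devname="fw-edge" type="event" subtype="system" user="svc_tmp" action="Add" cfgpath="system.admin" msg="Add system.admin svc_tmp"
"""

# Assumed site policy: the firewall's own addresses, where it is expected to talk
# (syslog collector and an update/NTP range), and who is allowed to change config.
FIREWALL_IPS = {"10.0.0.1"}
ALLOWED_EGRESS = ["10.0.0.50/32", "192.0.2.0/24"]
KNOWN_ADMINS = {"admin"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value line into a dict; quoted values lose their quotes."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def parse_logs(text):
    """Parse every non-empty line of a log dump."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_unexpected_egress(records, firewall_ips, allowed_dsts):
    """Traffic the firewall itself originated toward a destination outside the allowlist."""
    allowed = [ip_network(n) for n in allowed_dsts]
    hits = []
    for r in records:
        if r.get("type") != "traffic" or r.get("srcip") not in firewall_ips:
            continue  # only connections sourced from the firewall are of interest here
        dst = ip_address(r["dstip"])
        if not any(dst in net for net in allowed):
            hits.append(r)
    return hits


def find_suspect_config_changes(records, known_admins, change_window=(8, 18)):
    """Config-change events by an unknown account or outside the maintenance window."""
    start, end = change_window
    hits = []
    for r in records:
        if r.get("type") != "event" or r.get("subtype") != "system" or "cfgpath" not in r:
            continue
        hour = int(r["time"].split(":")[0])
        if r.get("user") not in known_admins or not (start <= hour < end):
            hits.append(r)
    return hits


def report(text):
    """Run both checks and return the findings keyed by check name."""
    records = parse_logs(text)
    return {
        "unexpected_egress": find_unexpected_egress(records, FIREWALL_IPS, ALLOWED_EGRESS),
        "suspect_config_changes": find_suspect_config_changes(records, KNOWN_ADMINS),
    }


if __name__ == "__main__":
    for check, findings in report(SAMPLE_LOGS).items():
        print(f"{check}: {len(findings)} finding(s)")
        for r in findings:
            print("  ", r["date"], r["time"], r.get("srcip", r.get("user")), "->", r.get("dstip", r.get("cfgpath")))
```

Running it on the constructed sample reports one outbound connection from the firewall to an address that is not on the allowlist and one admin-account change made at 03:15 by an account nobody recognises; the forwarded user traffic and the daytime edit by the known admin are left alone. In practice the allowlist and admin roster would come from your change records rather than being hard-coded.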
### The Bigger Picture
The FortiBleed campaign is a reminder that even trusted security tools can be turned against us. The attackers didn't need to invent new technology—they just used existing tools in a clever way. That's why staying vigilant matters more than ever.
If you're responsible for network security, take this seriously. A single compromised firewall can lead to a cascade of problems. And in today's threat landscape, it's not a matter of if you'll be targeted, but when.
Stay safe out there. Your credentials are worth protecting.