Ongoing Campaign May Be Grabbing Legacy Passwords From Fortinet FortiGate Devices
Recent reports indicate a significant cyber threat involving the sale of access to approximately 75,000 Fortinet firewall devices by cybercriminals. Security experts are raising alarms as the admin credentials associated with these devices appear to be legitimate and freshly compromised.
The alarming situation came to light through the work of seasoned cybersecurity researcher Volodymyr Diachenko, who shared insights on LinkedIn after analyzing global network scanning and cyberattack data collected by Hunt Intelligence. According to Diachenko’s findings, attackers conducted a staggering 1.16 billion credential attempts against a total of 320,777 FortiGate devices, while additionally targeting 163,650 MSSQL servers with 2.1 billion attempts.
Notable victims of this campaign reportedly include a Turkish NATO defense contractor, with sensitive classified defense documents allegedly exfiltrated from their systems. Other organizations named in the wave of attacks encompass major corporations like AT&T, Chevron, Mercedes-Benz, and even Fortinet itself. This incident underscores a worrying trend in which large enterprises are becoming increasingly vulnerable to coordinated cyber attacks.
The attackers involved are described as a Russian-speaking group that runs several credential-harvesting strategies against Fortinet FortiGate SSL VPN appliances worldwide. Their methodology reportedly includes intercepting SSL VPN authentication and cracking captured password hashes on a 45-GPU cluster managed with Hashtopolis, an open-source tool that distributes password-cracking tasks across multiple systems.
Hudson Rock, a threat-intelligence firm that observes various information-stealing malware campaigns, confirmed that they have reviewed and obtained a dataset linked to 74,000 compromised firewall URLs from 194 countries, affecting as many as 21,453 different domains. The credentials in this dataset are tied to Fortinet devices used by several high-profile companies, including Accenture, Comcast, Foxconn, Lenovo, Oracle, PwC, Samsung, and Siemens, among others. This further emphasizes that these cybersecurity issues expand beyond mere technical metrics; rather, they have real-world implications and potentially jeopardize critical infrastructure and governmental operations.
According to another cybersecurity entity, SOCRadar, the ongoing credential theft targeting FortiGate devices is far from being a historical breach. They assert that the attackers’ infrastructure is still operational, with new victims being continually added to the compromised list. More alarmingly, the majority of the government victims in the dataset are located in India, with Ukraine, Poland, and Taiwan also being major targets.
Despite these significant revelations, there has been no immediate response from Fortinet regarding this emergent issue. British cybersecurity expert Kevin Beaumont shared on social media that he had examined the dataset in collaboration with Hudson Rock, confirming its authenticity. Beaumont highlighted concerns that attackers appear to be dumping configuration data from Fortinet devices before proceeding to crack associated passwords, indicating a systematic approach to compromise these devices.
The dataset comprises recently harvested credentials and accounts for nearly half of all Fortinet firewall devices identified by the Internet-of-Things search engine Shodan, and many of the affected devices are still reachable from the internet. This raises serious questions about the security controls in place at organizations that run Fortinet equipment.
Historically, this is not the first mass attack of its kind involving Fortinet configuration files. A previous breach attributed to a cybercrime group known as Belsen Group resulted in the leak of configuration data and passwords for over 15,000 Fortinet devices.
An important note from Fortinet is that older firmware versions of its operating system still store administrator passwords as SHA-256 hashes. Following recent updates, as of December 2025, Fortinet advised that on devices upgraded from earlier versions a password is only stored in the more secure form after that account next logs in successfully. In other words, an organization that has updated its firmware but not logged into the device since may still be holding passwords in the outdated, weaker hash format.
In light of these developments, Arctic Wolf, yet another security firm, suggests that numerous organizations might still retain configuration files with older SHA-256 hashes, which could allow attackers to easily brute-force passwords. Consequently, it is paramount for organizations to prioritize cybersecurity measures, including verifying if they have been compromised by this ongoing attack dubbed "FortiBleed."
Hunt Intelligence has created a user-friendly portal that allows organizations to check if their domain appears in the compromised dataset. This portal also provides a pathway for ethical disclosures concerning specific exposure, further emphasizing the importance of staying informed in this evolving threat landscape.
To mitigate potential risks, Hudson Rock recommends that organizations never expose their FortiOS Management Interface to the public internet and mandate multifactor authentication for admin accounts. Organizations listed in the compromised dataset are at a heightened risk and should rotate their credentials immediately while monitoring for any signs of unauthorized admin activity.
Experts further advise that if evidence of compromise is found, organizations must isolate the affected devices from both the internet and their internal networks. In Britain, notifying the authorities through an established reporting procedure and working with an incident response team is also advisable.
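One way to act on the advice above to watch for unauthorized admin activity, as an added example that is not from the article or from any of the vendors it cites: a small parser for FortiOS-style key=value event log lines that flags successful admin logins from outside an assumed management subnet and source addresses with repeated failed logins. The log lines, field names and the 10.0.5.0/24 subnet are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed FortiOS-style event log lines (key=value pairs) written for this
# example; they are not records captured from a real device.
SAMPLE_LOGS = [
    'date=2025-12-01 time=09:12:03 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.0.5.20',
    'date=2025-12-01 time=09:14:11 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.45',
    'date=2025-12-01 time=09:14:12 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.45',
    'date=2025-12-01 time=09:14:14 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.45',
    'date=2025-12-01 time=09:14:20 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.45',
    'date=2025-12-01 time=09:30:00 type="event" subtype="system" action="logout" user="admin" srcip=10.0.5.20',
]

# Assumption: admin access to the device should only come from this management subnet.
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Matches key=value where the value is either quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: q or b for k, q, b in KV_RE.findall(line)}


def _allowed(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_suspicious_admin_logins(lines, allowed_nets=ALLOWED_ADMIN_NETS, fail_threshold=3):
    """Return successful logins from outside allowed_nets and sources that
    failed at least fail_threshold times (a sign of password guessing)."""
    external_success = []
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("action") != "login" or "srcip" not in rec:
            continue
        src = rec["srcip"]
        if rec.get("status") == "failed":
            failures[src] += 1
        elif rec.get("status") == "success" and not _allowed(src, allowed_nets):
            external_success.append((rec.get("date"), rec.get("time"), rec.get("user"), src))
    guessing_sources = sorted(s for s, n in failures.items() if n >= fail_threshold)
    return {"external_success": external_success, "guessing_sources": guessing_sources}


if __name__ == "__main__":
    for key, hits in find_suspicious_admin_logins(SAMPLE_LOGS).items():
        print(key, hits)
```

Point the function at exported FortiGate event logs and adjust the allowed networks to your own management range; a hit in either list is a reason to rotate the admin credentials and review recent configuration changes.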
As organizations face increasing threats from sophisticated cybercriminals, it’s becoming crucial to adopt robust security practices and remain vigilant against potential breaches. They should operate under the assumption that any credentials in the dataset have been compromised, necessitating proactive actions to protect their assets.