
Global Cyberattack Exploits Weak Passwords on Tens of Thousands of Fortinet Devices

A significant cyberattack, dubbed FortiBleed, has reportedly compromised tens of thousands of Fortinet firewalls and VPNs utilized by major corporations worldwide. Cybersecurity firms Hudson Rock and SOCRadar have detailed the ongoing campaign, which appears to exploit a fundamental security lapse rather than a novel software vulnerability. The attackers are leveraging lists of previously compromised passwords, suggesting that many organizations have failed to update default credentials or secure sensitive internet-facing systems.

The modus operandi involves automated tools scanning the internet for exposed Fortinet devices. Once identified, attackers attempt to gain access using known password lists. Upon successful infiltration, these compromised devices are then used as ‘listening posts’ to monitor network traffic and harvest additional credentials. These newly acquired passwords are then fed back into the scanning process, creating a self-perpetuating cycle of compromise that expands the attack’s reach.
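The scan-then-stuff pattern described above leaves a recognisable trace in VPN authentication logs: one source address failing against many distinct accounts before a login succeeds. As an added example that is not part of the original report, the Python below runs that check over constructed FortiGate-style key=value lines; the field names (action, remip, user) and the action values are assumptions made for the sample, not a statement of Fortinet's actual log schema.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate-style key=value syntax (assumed field names,
# not real device output). 203.0.113.7 sprays five accounts, then lands one login;
# 198.51.100.9 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
date=2025-01-10 time=10:00:01 action="ssl-login-fail" remip=203.0.113.7 user="admin"
date=2025-01-10 time=10:00:02 action="ssl-login-fail" remip=203.0.113.7 user="jsmith"
date=2025-01-10 time=10:00:03 action="ssl-login-fail" remip=203.0.113.7 user="mlee"
date=2025-01-10 time=10:00:04 action="ssl-login-fail" remip=203.0.113.7 user="vpnuser"
date=2025-01-10 time=10:00:05 action="ssl-login-fail" remip=203.0.113.7 user="backup"
date=2025-01-10 time=10:00:06 action="tunnel-up" remip=203.0.113.7 user="vpnuser"
date=2025-01-10 time=10:05:00 action="ssl-login-fail" remip=198.51.100.9 user="jsmith"
date=2025-01-10 time=10:05:30 action="tunnel-up" remip=198.51.100.9 user="jsmith"
"""

# key=value pairs; values may be bare tokens or double-quoted strings.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def detect_stuffing(lines, min_users=5):
    """Flag source IPs whose failed logins span at least `min_users` distinct
    accounts, and list any account that later logged in from that same source.
    Returns {ip: {"tried": n_distinct_failed_users, "compromised": [users]}}."""
    failed = defaultdict(set)   # ip -> accounts it failed against
    success = defaultdict(set)  # ip -> accounts it logged in as
    for line in lines:
        ev = parse(line)
        if ev.get("action") == "ssl-login-fail":
            failed[ev["remip"]].add(ev["user"])
        elif ev.get("action") == "tunnel-up":
            success[ev["remip"]].add(ev["user"])
    alerts = {}
    for ip, users in failed.items():
        if len(users) >= min_users:
            alerts[ip] = {"tried": len(users),
                          "compromised": sorted(success.get(ip, ()))}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['tried']} accounts tried, logged in as {info['compromised']}")
```

Accounts listed under "compromised" are the ones to reset and review first, since a success following a spray from the same source is the signature of a stuffed credential rather than a forgotten one.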

Fortinet has acknowledged awareness of the campaign, stating that the compromised data appears to be a combination of previously leaked credentials and brute-force attempts, not indicative of a new exploit. However, reports from Hudson Rock suggest over 73,000 Fortinet URLs have been affected, while SOCRadar estimates more than 30,000 devices are compromised. The affected entities span various sectors, including IT services, construction materials, and telecommunications, with government agencies also listed among the victims. Prominent companies such as Accenture, Comcast, Lenovo, Oracle, Samsung, Siemens, and PwC have been identified as potentially impacted.

The geographical distribution of the attacks is widespread, with India, the United States, Taiwan, and Mexico showing the highest numbers of affected devices. The cybersecurity firms involved indicate that the group behind this operation is likely Russian-speaking. This campaign stands out from previous attacks on Fortinet devices, which often exploited specific software flaws, by relying on a more basic, yet effective, method of credential stuffing.

Key Takeaways

  • Tens of thousands of Fortinet firewalls and VPNs globally have been compromised in a cyberattack named FortiBleed.
  • The attack primarily exploits weak or reused passwords rather than unknown software vulnerabilities.
  • Compromised devices are used to harvest more credentials, creating a self-sustaining attack cycle affecting major corporations and government agencies.

Editor’s Analysis & Impact

The FortiBleed campaign highlights a critical and persistent vulnerability in corporate cybersecurity: the failure to implement basic security hygiene, such as regular password changes and multi-factor authentication. The reliance on credential stuffing, a relatively unsophisticated attack vector, underscores the significant risk posed by exposed and poorly secured devices. This incident serves as a stark reminder for organizations across all sectors to rigorously audit their network perimeters, enforce strong password policies, and invest in robust security monitoring. The potential for widespread data breaches and operational disruption necessitates a proactive approach to cybersecurity, moving beyond reactive measures to preventative strategies.

Frequently Asked Questions

Q: What is the FortiBleed campaign?
A: FortiBleed is an ongoing cyberattack campaign that has compromised tens of thousands of Fortinet firewalls and VPNs worldwide. It exploits weak or reused passwords to gain unauthorized access to corporate networks.

Q: How are cybercriminals gaining access to Fortinet devices?
A: Attackers are using automated tools to scan for exposed Fortinet devices and then attempting to log in using lists of previously leaked or commonly used passwords. They are not exploiting unknown software vulnerabilities in the devices themselves.

Q: Which companies and industries are most affected?
A: Major companies like Accenture, Comcast, Lenovo, Oracle, Samsung, Siemens, and PwC are reported to be among the victims. The most affected industries include IT services, construction materials, telecommunications, and government agencies.

AI Disclosure: This article is based on verified data and official reports. Our Team and AI have cross-referenced every financial detail with primary sources to ensure total accuracy.