Severity: High · Exploited in the wild · Medium confidence · Threat Intel · Breaking

Severity rationale: The campaign is actively successful in the wild, targets critical infrastructure (firewalls), and involves the sale of compromised credentials on criminal forums.

'FortiBleed' Campaign: Large-Scale Credential Attacks Targeting SSL-VPNs and Edge Devices

Fortinet, Sophos, Microsoft · FortiGate, Sophos Firewall, MSSQL

A sophisticated credential-theft campaign is currently targeting edge security devices from Fortinet and Sophos, as well as MSSQL databases. Attackers are using password spraying to gain access and then stealing device configuration files to harvest further credentials. Organizations should immediately move management interfaces off the public internet and enforce phishing-resistant MFA to mitigate this risk.

By CyberBrief AI Desk · Jun 29, 2026 · 5 min read · Last updated Jun 29, 2026 · Reviewed Jun 29, 2026

Key Facts

Vendor: Fortinet, Sophos, Microsoft
Product: FortiGate, Sophos Firewall, MSSQL
Exploitation: Exploited in the wild
Affected versions: Fortinet FortiGate (various versions), Sophos edge devices (various versions), exposed Microsoft SQL Server (MSSQL) instances

Summary

A large-scale credential theft and password-spraying campaign, internally tracked as "FortiBleed," is actively targeting internet-exposed security appliances and database services. The activity focuses on Fortinet and Sophos edge devices, as well as MSSQL instances. Threat actors are utilizing a curated list derived from previous breaches and successful exploits to gain initial access, subsequently extracting device configurations to expand their credential library and pivot deeper into target networks.

What happened

Threat actors are executing a multi-stage attack starting with massive, internet-wide password-spraying attempts. If initial access is achieved, the actors frequently attempt to escalate privileges—sometimes leveraging local vulnerabilities—to extract device configuration files. These files often contain stored credentials or hashes which the attackers then crack offline.

On June 16, 2026, an initial access broker (IAB) on the Russian-language forum Exploit[.]in claimed responsibility for the campaign, offering harvested credentials for sale and referencing an unspecified CVE. This cycle of automated spraying, configuration theft, and offline cracking allows the actors to move from a generic breach list to a highly specific and potent list of administrative credentials for corporate edge infrastructure.

Why it matters

This campaign is significant because it specifically targets the "keys to the kingdom": edge security devices. Compromising a firewall or VPN gateway allows attackers to bypass traditional perimeter security, intercept traffic, and potentially gain cleartext credentials for subsequent lateral movement. The use of a feedback loop—where credentials stolen from one victim are immediately used to spray others—increases the speed and success rate of the campaign.

Affected systems

  • Fortinet Devices: Particularly FortiGate appliances with exposed management or VPN interfaces.
  • Sophos Devices: Network security appliances exposed to the internet.
  • MSSQL Servers: Specifically those with the default port (1433) exposed directly to the public internet.

Recommended actions

  • Audit Authentication Logs: Monitor for high-volume login failures followed by a single successful login from the same or related IP address.
  • Isolate Management Interfaces: Move administrative interfaces behind a "jump box" or Zero Trust Network Access (ZTNA) solution. These interfaces should never be directly accessible from the public internet.
  • Enforce Phishing-Resistant MFA: Implement FIDO2/Passkey-based multi-factor authentication for all remote access points.
  • Rotate Privileged Credentials: Immediately change default or long-standing administrative passwords on all edge devices. Use a Privileged Access Management (PAM) system to automate rotations.
  • Patching: Ensure all edge devices are running the latest firmware to prevent the "Configuration Extraction" stage, which often relies on known local privilege escalation (LPE) vulnerabilities.

Technical details

The attack follows a three-stage lifecycle:

  1. Initial Access: High-volume password spraying against exposed management ports (443, 10443, 1433) using curated breach lists.
  2. Privilege Escalation & Extraction: Upon gaining low-privilege access, actors may leverage vulnerabilities to escalate to admin, then export the device configuration (e.g., config backups).
  3. Offline Cracking: The stolen configurations are processed offline to crack password hashes, which are then used for persistence or sold to other actors.

Detection & hunting

Hunting Queries & Log Locations

1. Log Analysis (FortiGate/Sophos):

  • Location: System/Authentication logs.
  • Logic: Look for an 'Action: Login Failed' event occurring >10 times within 1 minute from a single external IP, followed by 'Action: Login Successful' from that same IP within a 5-minute window.

2. MSSQL Auditing:

  • Query: Examine sys.dm_os_ring_buffers or the SQL Server Error Log for "Login failed for user 'sa'" messages followed by successful logins from unfamiliar source IPs.

3. Indicators of Compromise (IOCs):

  • While specific IPs rotate frequently, monitor for traffic spikes on ports 443 (VPN), 10443, and 1433 (MSSQL) originating from known VPN exit nodes or VPS providers.
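The failed-then-successful login pattern from items 1 and 2 above, as an added example that is not part of the original article or any vendor's tooling: a small Python detector that applies the rule of more than 10 failures within one minute from a single source IP, followed by a success from that IP within five minutes. The log line shapes are constructed assumptions, a simplified FortiGate-style key=value layout (not the exact FortiOS schema) and the SQL Server error-log wording for login audit messages; the sample IPs and timestamps are constructed too.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_BURST, BURST_WINDOW, SUCCESS_WINDOW = 10, timedelta(minutes=1), timedelta(minutes=5)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # FortiGate-style key=value fields (simplified, assumed layout)
MSSQL_RE = re.compile(r"^(\S+ \S+) .*?Login (failed|succeeded) for user .*?\[CLIENT: ([\d.]+)\]")

def parse(line):  # -> (timestamp, source_ip, success) for an auth event, else None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if all(k in kv for k in ("date", "time", "srcip", "status")):
        ts = datetime.strptime(kv["date"] + " " + kv["time"], "%Y-%m-%d %H:%M:%S")
        return ts, kv["srcip"], kv["status"] == "success"
    m = MSSQL_RE.match(line)
    return m and (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(3), m.group(2) == "succeeded")

def find_spray_then_success(lines):
    # >FAIL_BURST failures within BURST_WINDOW from one IP, then that IP succeeds within SUCCESS_WINDOW.
    by_ip = defaultdict(list)
    for ts, ip, ok in filter(None, map(parse, lines)):
        by_ip[ip].append((ts, ok))
    hits = []  # [(ip, time_of_success)]
    for ip, events in by_ip.items():
        fails = sorted(t for t, ok in events if not ok)
        burst_ends, start = [], 0
        for end, t in enumerate(fails):  # sliding window over failure timestamps
            while t - fails[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 > FAIL_BURST:
                burst_ends.append(t)
        for s in sorted(t for t, ok in events if ok):
            if any(timedelta(0) <= s - b <= SUCCESS_WINDOW for b in burst_ends):
                hits.append((ip, s))
                break
    return hits

# Constructed samples (not real telemetry): simplified FortiGate-style events and SQL Server error-log lines.
def _fgt(ts, ip, status):
    return f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} srcip={ip} user="admin" action="login" status="{status}"'

def _mssql(ts, ip, outcome):
    return f"{ts:%Y-%m-%d %H:%M:%S.%f}"[:-4] + f" Logon  Login {outcome} for user 'sa'. [CLIENT: {ip}]"

T0 = datetime(2026, 6, 16, 10, 0, 0)
SAMPLE_LOGS = (
    [_fgt(T0 + timedelta(seconds=4 * i), "203.0.113.7", "failed") for i in range(12)]  # 12 failures in 44 s
    + [_fgt(T0 + timedelta(minutes=3), "203.0.113.7", "success")]                      # then a success
    + [_mssql(T0 + timedelta(minutes=20, seconds=2 * i), "192.0.2.44", "failed") for i in range(15)]
    + [_mssql(T0 + timedelta(minutes=24), "192.0.2.44", "succeeded")]
)
```

Calling `find_spray_then_success(SAMPLE_LOGS)` flags both constructed source IPs. Note that SQL Server writes successful logins to the error log only when login auditing is set to record both failed and successful logins; with the default setting only the failure half of the pattern is present.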

Recommended actions

P0 · Immediate Containment

  • Disable public internet access to management interfaces for firewalls and SQL servers. Use ZTNA or VPN-only access.
  • Identify and lock out any accounts showing patterns of successful login after multiple failures.

P1 · Patch & Verify

  • Verify all edge devices are patched against recent local privilege escalation (LPE) vulnerabilities.
  • Reset passwords for all administrative accounts on internet-facing edge devices.

P2 · Hardening

  • Enforce phishing-resistant MFA (e.g., FIDO2, hardware keys) for all remote access.
  • Onboard edge device administration to a Privileged Access Management (PAM) system with auto-rotation.

P3 · Monitor

  • Monitor logs for suspicious configuration export events or abnormal administrative session durations.

Compliance relevance

Frameworks: NIST SP 800-53, ISO 27001:2022
Controls: AC-2 (Account Management), AC-3 (Access Enforcement), IA-2 (Identification and Authentication)


Disclaimer: CyberBrief HQ articles are for informational purposes only and do not constitute security advice for any specific environment. Always validate guidance against your own controls and vendor advisories before acting.