Threat Intelligence
The FortiBleed Autopsy – How 86,644 “Patched” Firewalls Became a Russian-Speaking Hacking Franchise
In mid-June 2026, the global security community woke up to a quiet apocalypse. Roughly 50% of the internet’s most trusted perimeter-grade devices, Fortinet FortiGate firewalls, were found to be “bleeding” valid administrative and VPN credentials. This campaign, dubbed “FortiBleed,” represents one of the most industrialized credential-harvesting operations in history, compromising a staggering 86,644 unique devices.
The most disturbing revelation for defenders? Many of these firewalls were fully patched. This wasn’t a failure of code alone; it was a systematic dismantling of network perimeters through a convergence of legacy hashing, unpatched known vulnerabilities, and the weaponization of recycled credentials.
The Funnel of 59 Million Scans
FortiBleed was not an opportunistic smash-and-grab. It was a high-volume funnel operation that transitioned from mass-scanning to precision exfiltration. Threat actors, identified as a multi-operator Russian-speaking syndicate, utilized a massive scanning infrastructure to identify targets before funnelling them through automated brute-force and sniffing engines.
| Metric | Value |
|---|---|
| Unique compromised firewall URLs | 86,644 |
| Number of countries affected | 194 |
| Initial internet-wide scan | 59.3 million hosts |
| Total credential-based login attempts | 1.16 billion |
This scale indicates a professionalized hacking franchise. As Ensar Seker, CISO at SOCRadar, noted, “This is not a routine credential dump. It is an industrialized harvesting operation that ended in real exfiltration, including from a NATO-aligned defense contractor. That is exactly why we are putting the most complete view of this incident into defenders’ hands.”
A Masterclass in Convergence
While the industry scrambled to find a new vulnerability, the truth was far more mundane and more dangerous. The FortiBleed actors relied on “The Convergence,” a strategy that pivoted through known flaws and architectural oversights.
Rather than burning an expensive zero-day, the syndicate followed a rigorous seven-step productization lifecycle:
- Mass Scanning: Scanning 59.3 million hosts to fingerprint 437,000 FortiGate devices.
- Passive Traffic Capture: Using the diagnose sniffer command via SSH to turn compromised firewalls into corporate listening posts, utilizing 21 protocol parsers to sniff internal traffic.
- Configuration Harvesting: Extracting device backups to obtain internal network maps and legacy password hashes.
- Offline Cracking: Moving the data to a massive 10x RTX 4090 GPU cracking rig to recover plaintext passwords.
- Credential Stuffing: Leveraging 1.16 billion attempts using previously leaked data and infostealer malware logs.
- Live Validation: Running automated scripts to verify credentials against active administrative panels.
- Productization: Indexing the final, verified victim list by company revenue and industry vertical.
Organizations were dismantled not by a “magic bullet,” but by a failure to remediate CVE-2026-24858 and the reuse of credentials already circulating in the darknet underground.
Why Firmware Updates Were Not Enough
The technical epicenter of FortiBleed lies in the legacy SHA-256 hashing scheme. While fast for data integrity, SHA-256 is a liability for password storage because it allows modern GPU clusters to test billions of combinations per second.
Fortinet addressed this by transitioning to PBKDF2, a modern slow hash, in FortiOS versions 7.2.11, 7.4.8, and 7.6.1. However, the update contained a critical hashing trap: applying the patch did not automatically re-hash existing passwords.
Administrators were left with a counter-intuitive remediation requirement: even on patched firmware, the old, crackable SHA-256 hashes remained in the configuration until an administrator manually logged in to trigger a migration to PBKDF2. For expert-level remediation, analysts recommend enabling the login-lockout-upon-weaker-encryption setting in the system password policy to force the removal of these residual, vulnerable hashes.
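The following added example (not Fortinet code, and not taken from the article) models the two behaviours this section and the offline-cracking point below describe: a fast unsalted SHA-256 record that survives the upgrade until the account next logs in, lazy migration to PBKDF2 on that login, and a lockout policy that refuses logins on accounts still carrying a legacy hash. The `SH2$`/`PB2$` record formats, the iteration count, and the user names are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os

# Assumption: record formats and work factor are constructed for this demo;
# they are not FortiOS's real storage format or parameters.
PBKDF2_ITERATIONS = 600_000
LEGACY_PREFIX, STRONG_PREFIX = "SH2$", "PB2$"

def legacy_hash(password: str) -> str:
    # Fast, unsalted SHA-256: one cheap hash per guess, ideal for GPU cracking
    return LEGACY_PREFIX + hashlib.sha256(password.encode()).hexdigest()

def pbkdf2_hash(password: str, salt=None) -> str:
    # Salted, iterated: every guess costs PBKDF2_ITERATIONS HMAC operations
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{STRONG_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def is_legacy(stored: str) -> bool:
    return stored.startswith(LEGACY_PREFIX)

def verify(stored: str, password: str) -> bool:
    if is_legacy(stored):
        return hmac.compare_digest(stored, legacy_hash(password))
    iters, salt, dk = stored[len(STRONG_PREFIX):].split("$")
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(cand.hex(), dk)

def login(store: dict, user: str, password: str, lockout_weak: bool = False) -> str:
    """Post-upgrade behaviour as the article describes it: the legacy hash stays
    until a successful login re-hashes it, unless the lockout policy is enabled."""
    stored = store[user]
    if lockout_weak and is_legacy(stored):
        return "locked"  # password must be reset out of band
    if not verify(stored, password):
        return "denied"
    if is_legacy(stored):
        store[user] = pbkdf2_hash(password)  # lazy migration on first login
        return "migrated"
    return "ok"

def residual_legacy_accounts(store: dict) -> list:
    """Audit helper: accounts whose hash is still crackable after the upgrade."""
    return sorted(u for u, h in store.items() if is_legacy(h))

if __name__ == "__main__":
    store = {"admin": legacy_hash("Tr0ub4dor&3-20chars!"), "noc": legacy_hash("password123")}
    print(residual_legacy_accounts(store), login(store, "admin", "Tr0ub4dor&3-20chars!"))
    print(residual_legacy_accounts(store))  # ['noc']: the account that never logged in
```

Note that a 20-character password in the `admin` record is no harder to crack than `password123` until the record is migrated; only the hash function changes the per-guess cost.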
Complexity Is No Shield Against Infostealers
FortiBleed effectively neutralized the traditional IT password complexity rule. Analysts found that 20-character complex strings were compromised as easily as password123.
When management interfaces are left exposed to the public internet, complexity offers zero defense against two primary vectors:
- Offline Brute-Forcing: Where captured hashes are run through GPU rigs like the RTX 4090 clusters mentioned above.
- Infostealer Logs: Where credentials are harvested in plaintext from infected workstations and then stuffed into the firewall’s login portal.
If the perimeter interface is reachable, the most complex password in the world is only as secure as the device’s ability to hide its configuration files.
Data as a Precision Tool
The Russian-speaking actors behind this event did not just dump data; they productized it for follow-on intrusions. The dataset was indexed by organization revenue, industry, and geography, transforming a generic leak into a precision tool for ransomware groups and state-sponsored actors.
This organized approach enabled high-impact pivots, such as the confirmed exfiltration of classified documents from a NATO-aligned defense contractor. By knowing which victims had the highest revenue, the syndicate could prioritize targets for the most profitable initial access sales on the dark web.
Immediate Analyst Guidance
To neutralize the persistence mechanisms established during this campaign, organizations must move beyond simple patching:
- Isolate Management Interfaces: This is non-negotiable. Admin panels must be removed from the public internet and restricted to a management VLAN.
- Enforce Universal MFA: Apply multi-factor authentication to all SSL VPN and administrative accounts to kill the utility of stolen plaintext credentials.
- Trigger PBKDF2 Re-hashing: Post-upgrade, every admin must log in to migrate hashes. Enable login-lockout-upon-weaker-encryption to ensure compliance.
- Credential Monitoring: Proactively monitor employee credentials against infostealer logs to identify exposures before they are weaponized against the perimeter.
- Persistence Audit: Scan logs for unauthorized local admin accounts, a key indicator that CVE-2026-24858 was leveraged for initial access.
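As an added example of the persistence audit in the last item (this is not the article's or Fortinet's code), the script below parses key=value event lines in the style of FortiOS configuration-change logs and flags administrator accounts that were added outside an approved list or from a source address outside the management network. The sample log lines, field names, approved admin list, management CIDR and account names are all constructed assumptions for the demo.

```python
import ipaddress
import re

# Constructed sample lines approximating FortiOS event-log fields (assumption:
# not copied from a real device; the field layout is illustrative).
SAMPLE_LOGS = """\
date=2026-06-12 time=03:14:07 type="event" subtype="system" user="admin" ui="ssh(203.0.113.45)" action="Add" cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"
date=2026-06-12 time=03:14:09 type="event" subtype="system" user="admin" ui="ssh(203.0.113.45)" action="Edit" cfgpath="system.admin" cfgobj="support_tmp" cfgattr="accprofile[super_admin]" msg="Edit system.admin support_tmp"
date=2026-06-12 time=09:02:11 type="event" subtype="system" user="admin" ui="https(10.10.0.5)" action="login" status="success" msg="Administrator admin logged in successfully"
date=2026-06-12 time=09:05:40 type="event" subtype="system" user="jdoe" ui="https(10.10.0.5)" action="Add" cfgpath="system.admin" cfgobj="jdoe_backup" msg="Add system.admin jdoe_backup"
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
UI_RE = re.compile(r'^(\w+)\((\d{1,3}(?:\.\d{1,3}){3})\)$')

def parse_log_line(line: str) -> dict:
    """Split a key=value / key="value" line into a dict (quoted values may contain spaces)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}

def find_unauthorized_admin_adds(log_text: str, approved_admins, mgmt_nets) -> list:
    """Return one finding per new local admin that is unapproved or created
    from outside the management networks; both reasons are reported if both apply."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev.get("cfgpath") != "system.admin" or ev.get("action") != "Add":
            continue
        reasons = []
        if ev.get("cfgobj") not in approved_admins:
            reasons.append("account not in approved admin list")
        ui = UI_RE.match(ev.get("ui", ""))
        if ui and not any(ipaddress.ip_address(ui.group(2)) in n for n in nets):
            reasons.append(f"created from non-management source {ui.group(2)}")
        if reasons:
            findings.append({"account": ev["cfgobj"], "by": ev.get("user"),
                             "time": f"{ev.get('date')} {ev.get('time')}",
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_unauthorized_admin_adds(SAMPLE_LOGS, {"admin", "jdoe"}, ["10.10.0.0/24"]):
        print(f["time"], f["account"], "added by", f["by"], "->", "; ".join(f["reasons"]))
```

Run against real exports, the same two checks (unknown account name, non-management source address) separate routine administration from the post-exploitation account creation the article associates with CVE-2026-24858.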
Beyond the Press Release
FortiBleed is a stark reminder that branded vulnerabilities often distract from the ground truth of security. The 86,644 compromised devices represent the discovery of years of accumulated failures: exposed interfaces, legacy hashing, and poor credential hygiene, rather than a single overnight hack.
As we move forward, we must stop hunting for the next Heartbleed and start addressing the decades-old configuration failures currently sitting in our perimeters. In the age of industrialized hacking, a patch is just the beginning of remediation; the real work lies in the configuration.