The FortiBleed campaign used a custom-built credential sniffer to steal login information directly from compromised FortiGate devices, according to new research. Investigators say the malware allowed attackers to capture usernames and passwords as they passed through affected systems, helping the operation gather credentials on a massive scale.

The discovery sheds new light on how the attackers built a database containing access information linked to thousands of Fortinet devices across the globe. Rather than relying on a single attack method, the group appears to have combined multiple techniques to expand its reach and maintain access to compromised environments.

Researchers Identify Custom Sniffer

Security researchers found that the attackers deployed a specialized packet-sniffing tool on compromised FortiGate appliances. Once installed, the malware monitored network traffic and intercepted authentication data moving through the device.

Because FortiGate systems often sit at the edge of corporate networks, they process large amounts of login traffic every day. This position gave the attackers an opportunity to collect credentials from legitimate users without needing to compromise individual workstations.

The custom tool allowed the operation to harvest fresh credentials continuously as users authenticated through affected systems.

Campaign Targeted Internet-Facing Devices

The FortiBleed campaign focused on internet-exposed FortiGate appliances used for firewall protection and remote access services. These devices often serve as critical entry points for employees, administrators, and contractors.

Researchers believe the attackers used compromised systems as collection points for credential theft. Once access was established, the sniffer helped gather additional login data that could be used to expand the operation further.

This approach enabled the campaign to grow over time while reducing the need for noisy attack techniques that might attract attention.

Stolen Credentials Increase Security Risks

Access to Fortinet credentials can provide attackers with significant advantages. Compromised accounts may allow unauthorized access to VPN services, administrative interfaces, and other critical network resources.

Security teams often treat perimeter devices as trusted infrastructure. As a result, attackers who obtain valid credentials can potentially bypass some security controls and move deeper into corporate environments.

Researchers warn that organizations should assume exposed credentials may eventually be used for follow-on attacks, even if there is no immediate sign of malicious activity.
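One way to act on that advice is to treat every account that authenticated through an affected appliance as potentially exposed and watch for its later use from unfamiliar sources. The following is an added illustration, not code from the article or from the researchers it cites; it uses a constructed, simplified authentication-event format (user, source IP, UTC timestamp, result) rather than any real FortiGate log syntax, and the exposure window date and IP addresses are made-up sample values.

```python
"""Flag follow-on use of credentials that may have been captured on a
compromised perimeter device (added example; constructed log format)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AuthEvent:
    user: str
    src_ip: str
    when: datetime
    success: bool


def parse_events(lines):
    """Parse constructed 'user,src_ip,iso_timestamp,result' lines."""
    events = []
    for line in lines:
        user, src, ts, result = line.strip().split(",")
        events.append(AuthEvent(user, src, datetime.fromisoformat(ts), result == "ok"))
    return events


def baseline_sources(events, exposure_start):
    """Per user: /24 networks seen in successful logins before the exposure window."""
    baseline = {}
    for e in events:
        if e.success and e.when < exposure_start:
            baseline.setdefault(e.user, set()).add(ip_network(f"{e.src_ip}/24", strict=False))
    return baseline


def flag_follow_on(events, exposure_start, exposed_users=None):
    """Return successful logins on/after exposure_start whose source network
    was never seen for that user before the window.

    exposed_users: optional set of accounts known to have authenticated through
    the compromised device; None checks every account."""
    baseline = baseline_sources(events, exposure_start)
    flagged = []
    for e in events:
        if not e.success or e.when < exposure_start:
            continue
        if exposed_users is not None and e.user not in exposed_users:
            continue
        known = baseline.get(e.user, set())
        if not any(ip_address(e.src_ip) in net for net in known):
            flagged.append(e)
    return flagged


# Constructed sample events; the suspected compromise window opens 2024-03-05.
SAMPLE_LOG = [
    "alice,203.0.113.10,2024-03-01T08:00:00+00:00,ok",
    "alice,203.0.113.12,2024-03-02T08:05:00+00:00,ok",
    "bob,198.51.100.7,2024-03-02T09:00:00+00:00,ok",
    "carol,192.0.2.40,2024-03-03T10:00:00+00:00,fail",
    "carol,192.0.2.40,2024-03-03T10:01:00+00:00,ok",
    "alice,203.0.113.15,2024-03-06T08:00:00+00:00,ok",   # same /24 as baseline: not flagged
    "bob,203.0.113.99,2024-03-07T02:30:00+00:00,ok",     # new source network: flagged
    "carol,192.0.2.99,2024-03-08T23:50:00+00:00,fail",   # failed attempt: not flagged
    "dave,203.0.113.77,2024-03-09T11:00:00+00:00,ok",    # no pre-window baseline: flagged
]
EXPOSURE_START = datetime(2024, 3, 5, tzinfo=timezone.utc)


def run_sample(exposed_users=None):
    """Convenience wrapper returning (user, src_ip) pairs flagged on the sample."""
    return [(e.user, e.src_ip)
            for e in flag_follow_on(parse_events(SAMPLE_LOG), EXPOSURE_START, exposed_users)]


if __name__ == "__main__":
    for user, src in run_sample():
        print(f"review: {user} logged in from unfamiliar source {src}")
```

The /24 grouping is a deliberately coarse choice so that small address changes inside a user's usual network do not generate noise; a team with reliable geolocation or ASN data would substitute that for the network prefix. Accounts with no pre-window history are flagged on purpose, since there is nothing to compare against.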

Attack Highlights Value of Network Appliances

The FortiBleed campaign demonstrates why network security appliances remain attractive targets for cybercriminals. These systems sit at critical points within enterprise networks and frequently handle authentication traffic for large numbers of users.

Unlike endpoint malware that targets individual computers, a compromised firewall or VPN gateway can provide visibility into a much broader set of credentials and network activity. That makes successful attacks against such devices especially valuable for threat actors.

The findings also show that attackers continue developing custom tools designed specifically for enterprise security infrastructure.

Conclusion

The FortiBleed campaign was far more sophisticated than a simple credential theft operation. By deploying a custom FortiGate sniffer, attackers were able to capture authentication data directly from compromised devices and steadily expand their collection of valid credentials. The discovery highlights the growing focus on network security appliances as high-value targets and reinforces the need for organizations to monitor perimeter devices closely for signs of compromise.