Large Scale Credential Theft Campaign Targets Fortinet Devices
Credential theft through large-scale password spraying against Fortinet and other devices has been reported by Unit 42 of Palo Alto Networks. The campaign, known as “FortiBleed,” also appears to involve attempts targeting MSSQL and Sophos devices.
Threat actors are utilizing a curated password list developed from previous data breaches. The password spraying method involves scanning internet-exposed services and attempting credential guesses. Successful access grants the attackers a pathway to escalate privileges and extract device configurations containing sensitive information. This process is iterative; stolen credentials are used to expand the password list, thus perpetuating the cycle of compromise.
The initial access broker allegedly behind this campaign has advertised the stolen credentials for sale on a Russian-language cybercrime forum, referencing an unspecified CVE in the post. This illustrates how credential theft can be a lucrative business for cybercriminals, further complicating defensive strategies.
Defensive Context
Organizations running Fortinet, MSSQL, or Sophos devices should take special note of this activity. Those with exposed services, especially remote access interfaces, are particularly at risk. Entities that do not use these technologies, or that maintain strict access controls, face a lower immediate risk from this campaign.
Why This Matters
This campaign underscores the risks associated with improper security hygiene, particularly for devices exposed to the internet. Enterprises using affected technologies must recognize that attackers are actively searching for weak points in their defenses, emphasizing the need for robust security practices.
Defender Considerations
Administrators are advised to closely monitor remote access logs for unusual login patterns, particularly successful logins that follow many failed password attempts. Credential hardening measures, such as implementing multi-factor authentication and disabling unused accounts, are critical countermeasures. Continuous vigilance around configurations and the use of complex passwords is also crucial for reducing potential attack vectors.
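The login pattern described above, a burst of failed attempts across many accounts from one source followed by a success, is easy to check for in code. The following is an added example, not code from Unit 42 or from the original article; it works over a constructed, simplified log format (timestamp, source IP, username, result) rather than any vendor's native syslog schema, and the thresholds and window are assumptions a defender would tune to their own environment. It flags a success preceded by a run of failures from the same source, and separately reports sources that cycle through many distinct usernames, which is the signature of spraying as opposed to brute-forcing a single account.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified, generic format (assumption:
# not any vendor's native log format). Fields: timestamp, source IP, user, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=admin result=fail
2024-05-01T10:00:03Z src=203.0.113.5 user=svc_backup result=fail
2024-05-01T10:00:05Z src=203.0.113.5 user=jsmith result=fail
2024-05-01T10:00:07Z src=203.0.113.5 user=mlee result=fail
2024-05-01T10:00:09Z src=203.0.113.5 user=vpnuser result=fail
2024-05-01T10:00:11Z src=203.0.113.5 user=admin result=success
2024-05-01T10:05:00Z src=198.51.100.7 user=jsmith result=fail
2024-05-01T10:05:20Z src=198.51.100.7 user=jsmith result=success
2024-05-01T11:00:00Z src=192.0.2.9 user=admin result=fail
2024-05-01T11:00:01Z src=192.0.2.9 user=root result=fail
2024-05-01T11:00:02Z src=192.0.2.9 user=test result=fail
2024-05-01T11:00:03Z src=192.0.2.9 user=guest result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, src, user, result); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("src"), m.group("user"), m.group("result")


def find_spray_then_success(log_text, threshold=5, window_minutes=10):
    """Alert on a successful login preceded by >= threshold failures from the
    same source IP within the sliding window. Returns a list of alert dicts."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the expected format
        ts, src, user, result = parsed
        q = recent[src]
        # Drop failures that have aged out of the window for this source.
        cutoff = ts - timedelta(minutes=window_minutes)
        while q and q[0][0] < cutoff:
            q.popleft()
        if result == "fail":
            q.append((ts, user))
        elif result == "success":
            if len(q) >= threshold:
                alerts.append({
                    "time": ts.isoformat(),
                    "src": src,
                    "user": user,
                    "failures": len(q),
                    "targeted_users": sorted({u for _, u in q}),
                })
            q.clear()  # a success resets the failure baseline for this source
    return alerts


def spray_sources(log_text, min_distinct_users=4):
    """Report sources that attempted >= min_distinct_users different usernames,
    regardless of outcome: many accounts from one source is the spraying shape."""
    users_by_src = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, src, user, _ = parsed
        users_by_src[src].add(user)
    return {
        src: sorted(users)
        for src, users in users_by_src.items()
        if len(users) >= min_distinct_users
    }


if __name__ == "__main__":
    for alert in find_spray_then_success(SAMPLE_LOG):
        print("ALERT success-after-spray:", alert)
    for src, users in spray_sources(SAMPLE_LOG).items():
        print(f"spray-like source {src} tried {len(users)} accounts: {users}")
```

In the sample, 203.0.113.5 trips both checks (five failures across five accounts, then a successful admin login), 192.0.2.9 is reported only as a spray-like source because it never succeeds, and 198.51.100.7 is ignored as an ordinary user mistyping a password once. The success-after-failures alert is the one worth paging on; the distinct-username report is a lower-severity lead that is also useful for blocking at the perimeter before a guess lands.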
Environment Exposure
This threat is particularly relevant when Fortinet, MSSQL, and Sophos devices are improperly secured or exposed to public networks. Environments lacking recent updates or that have known vulnerabilities may especially attract attackers using this methodology. Conversely, organizations with strong access controls and comprehensive monitoring practices may find themselves less at risk from such campaigns.
Indicators of Compromise (IOCs)
No specific IP addresses or hashes were detailed. The campaign's association with Russian-language cybercrime forums and credential sales nonetheless gives threat intelligence teams a basis for monitoring.