FortigateSniffer Malware Harvests User Credentials From Infected Firewalls

The perimeter firewall has served as a primary line of defense against external intrusion for years, but a newly uncovered campaign illustrates how these same security appliances can be turned against the organizations they are meant to protect.

Researchers have discovered a large-scale attack involving a custom Golang-based tool known as FortigateSniffer, which has been deployed systematically on compromised FortiGate firewalls since February 2026.
The campaign, attributed to an initial access broker (IAB) believed to be financially motivated, has affected more than 430,000 internet-facing devices.
The attackers have covertly collected over 110 million credentials.
By turning trusted network gateways into silent credential-harvesting platforms, the operation illustrates a significant shift in attacker tradecraft: compromised security infrastructure itself becomes a source of intelligence and access.
The scale, persistence, and operational sophistication observed throughout the campaign, tracked as FortiBleed, have raised concerns across the cybersecurity community, particularly as evidence emerges of sensitive data being exfiltrated from a NATO-aligned defense contractor and of stolen credentials potentially being used for ransomware, espionage, and other post-compromise activity.
Further analysis shows that the operation extends well beyond credential theft from FortiGate appliances: it is a highly automated initial-access ecosystem that scales across multiple technology platforms.
CyberStrike, an open-source, AI-native offensive security framework, may have been used by the threat actors to streamline parts of the attack workflow, underscoring how important automation has become in large-scale intrusion campaigns.
The activity placed substantial emphasis on small and medium-sized businesses, especially companies with fewer than 200 employees, with the United States and India the most heavily targeted regions.
IT service providers likely drew particular attention because they can serve as entry points into their customers' broader networks.
Researchers also observed parallel brute-force attacks against NAS systems, Sophos firewalls, RDWeb portals, Citrix SSL VPN gateways, and Microsoft SQL servers, suggesting the campaign was designed to acquire access across diverse enterprise environments.
On May 31 and June 15, 2026 alone, the operators ran at least 659 automated credential-harvesting pipelines, yielding more than 110 million authentication items.
These included 14.8 million RADIUS credentials, roughly 924,000 NTLM password hashes, 130,000 Kerberos hashes, and approximately 89 million MySQL authentication tokens, indicating the scale of the operation and the significant downstream risk from reuse and monetization of stolen enterprise credentials.
FortigateSniffer is a purpose-built credential-interception utility that runs on Linux and Windows and was designed to leverage legitimate FortiOS functionality rather than rely on conventional malware.
It has been demonstrated that using FortiGate appliances’ native packet diagnostic capabilities, researchers are able to passive
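Because the tool rides on the appliance's own packet diagnostic feature rather than dropping conventional malware, the most useful defender signal is the administrative activity that invokes that feature. The following Python script is an added example, not code from the article, from Fortinet, or from the researchers: it scans FortiGate event logs exported in FortiOS key=value syntax for invocations of the built-in packet sniffer and rates each hit by whether its capture filter names a credential-bearing protocol from the article's list (RADIUS, Kerberos, NTLM/SMB, MySQL). It assumes the executed CLI command is present in a `msg` field; the field names, the sample log lines, and the IP addresses are all constructed for this example and are not taken from a real device.

```python
"""Flag FortiGate CLI activity that invokes the native packet sniffer.

Added example for detection purposes; not the article's, Fortinet's, or the
researchers' code. Assumptions (constructed for this example):
- logs are in FortiOS key=value syntax: key=value or key="quoted value";
- the executed CLI command is carried in a "msg" field;
- all sample lines, usernames and IPs below are constructed, not real data.
"""
import re
from collections import Counter

# One key=value pair; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# "diagnose sniffer packet <iface> '<filter>' ..." and its "diag" abbreviation.
SNIFFER_RE = re.compile(r"\bdiag(?:nose)?\s+sniffer\s+packet\b", re.IGNORECASE)

# Ports whose traffic carries reusable credentials (protocols named in the article).
CREDENTIAL_PORTS = {
    "1812": "RADIUS",
    "1813": "RADIUS-acct",
    "88": "Kerberos",
    "445": "SMB/NTLM",
    "3306": "MySQL",
}


def parse_fortios_line(line):
    """Return the key=value fields of one FortiOS-style log line as a dict."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def classify_sniffer_command(msg):
    """Return the credential-bearing protocols referenced by the capture filter."""
    hits = set()
    for port, name in CREDENTIAL_PORTS.items():
        # "port 1812" inside the filter, but not an interface name such as "port1"
        if re.search(r"\bport\s+" + port + r"\b", msg):
            hits.add(name)
    return hits


def find_sniffer_use(lines):
    """Return one finding per log line whose command starts the packet sniffer."""
    findings = []
    for line in lines:
        rec = parse_fortios_line(line)
        msg = rec.get("msg", "")
        if not SNIFFER_RE.search(msg):
            continue
        protocols = classify_sniffer_command(msg)
        findings.append({
            "time": rec.get("time"),
            "user": rec.get("user", "?"),
            "srcip": rec.get("srcip", "?"),
            "protocols": sorted(protocols),
            # A filter aimed at an authentication protocol is the strongest signal.
            "severity": "high" if protocols else "medium",
            "msg": msg,
        })
    return findings


def summarize(findings):
    """Count sniffer invocations per (admin account, source IP) pair."""
    return Counter((f["user"], f["srcip"]) for f in findings)


# Constructed sample export: two suspicious captures, one benign troubleshooting
# capture, and two unrelated admin actions.
SAMPLE_LOGS = [
    'date=2026-06-02 time=03:14:07 devname="fw-edge-01" type="event" subtype="system" '
    'level="notice" user="admin" ui="ssh(203.0.113.5)" srcip=203.0.113.5 '
    'msg="diagnose sniffer packet any \'port 1812 or port 1813\' 6 0 a"',
    'date=2026-06-02 time=03:15:41 devname="fw-edge-01" type="event" subtype="system" '
    'level="notice" user="admin" ui="ssh(203.0.113.5)" srcip=203.0.113.5 '
    'msg="diag sniffer packet port2 \'port 3306\' 6 0 a"',
    'date=2026-06-02 time=09:02:13 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" user="netops" ui="https(10.20.0.9)" srcip=10.20.0.9 '
    'msg="diagnose sniffer packet port1 \'host 10.0.0.5 and icmp\' 4 10"',
    'date=2026-06-02 time=09:05:55 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" user="netops" ui="https(10.20.0.9)" srcip=10.20.0.9 '
    'msg="diagnose sys top"',
    'date=2026-06-02 time=10:11:00 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" user="netops" ui="https(10.20.0.9)" srcip=10.20.0.9 '
    'msg="Edit firewall.policy 12"',
]

if __name__ == "__main__":
    results = find_sniffer_use(SAMPLE_LOGS)
    for f in results:
        print(f"[{f['severity']}] {f['time']} {f['user']}@{f['srcip']} "
              f"{f['protocols'] or 'no credential protocol'}: {f['msg']}")
    print("per-admin counts:", dict(summarize(results)))
```

In practice the same logic is run against the syslog or FortiAnalyzer feed rather than an inline list, and a "high" finding should be reviewed together with the admin session that issued it (source address, login method, and whether the account is expected to run packet captures at all), since the article's point is that the capture itself is a legitimate FortiOS feature and only its context distinguishes troubleshooting from harvesting.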

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents