A cybersecurity threat known as FortiBleed has been linked to a Russian-speaking initial access broker that has been actively exploiting FortiGate firewalls worldwide. Since February 2026, the attackers have targeted over 430,000 devices and harvested more than 110 million credentials. The operation uses a specialized tool called FortigateSniffer, which leverages the FortiOS diagnostic command to capture authentication traffic on compromised devices. The tool monitors multiple protocols and extracts credentials, which the attackers can then crack and reuse against vulnerable systems.
The attackers have shown a particular interest in small and medium-sized businesses, especially those in the United States and India, with a focus on the IT services sector. They have also expanded their reach to other devices and services, including Synology NAS, Sophos firewalls, and Citrix SSL-VPNs, using brute-force techniques to gain access. The campaign appears well coordinated, following a structured five-stage attack process in which resources are allocated according to the potential economic value of the targets.
The threat actors have implemented a sophisticated sniffing mechanism that includes geofencing and time restrictions and operates in cycles to maximize its success rate. The campaign's scale and methodology indicate a broader multi-vendor initial access operation. Recently, access to compromised Fortinet devices has been advertised at high prices, highlighting the financial motivation behind these attacks. Security teams are urged to take immediate action to mitigate the risks posed by FortiBleed.