FortiBleed: Large-scale credential attacks via password spraying and privilege escalation
Unit 42 tracks an internet-wide password-spraying and credential-theft campaign targeting Fortinet, Sophos, and MSSQL devices; the threat actors use curated password lists and privilege escalation to establish persistent admin access.
Attack Brief
Target: Fortinet FortiGate devices, Sophos devices, MSSQL services
Vector: Password spraying against internet-exposed services; privilege escalation; configuration extraction; offline credential cracking
Attribution: Initial access broker on Russian-language cybercrime forum Exploit[.]in (unvalidated claims)
Technical Details
MITRE ATT&CK: T1110.003, T1110, T1555, T1555.003, T1098, T1098.001
Affected: Fortinet FortiGate devices (unspecified versions); Sophos devices (unspecified versions); MSSQL services (unspecified versions)
Impact
Affected Organisations: Multiple organizations across sectors; initial access broker claimed harvesting of credentials for sale
Confirmed Damage: Credential theft; unauthorized administrative access; configuration file extraction containing stored credentials
Mitigation
Patches: Update to latest software versions and patches to mitigate known vulnerabilities, including local privilege escalation CVEs
Workarounds: Require multi-factor authentication for all remote services; implement Zero Trust Network Access (ZTNA) policies and jump boxes to prevent direct internet exposure of management interfaces; change default credentials to long, complex passwords; disable unused accounts; audit remote access logs for suspicious login activity following large-volume password failure events
Detection: Hunt for successful logins shortly after large-volume password failure events in remote access logs; monitor for configuration file extraction and privilege escalation attempts
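The detection hunt above (a success shortly after a burst of failures from the same source, spread across many accounts, which is the signature of spraying rather than a single mistyped password) can be expressed as a small sliding-window check. The script below is an added example written for this brief; it is not Unit 42 code and not a vendor log parser. The log line layout (`timestamp src= user= action=login status=`) and the sample lines are constructed for illustration and do not reproduce any vendor's real log format; the window size and thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed, simplified line layout; real remote-access logs need their own regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) action=login status=(?P<status>\w+)$"
)

# Constructed sample log lines (not captured from any real device).
# 203.0.113.7 fails against twelve different accounts, then succeeds on one.
# 198.51.100.5 is a normal user who mistypes once and then logs in.
SAMPLE_LOGS = """\
2024-05-01T08:00:00Z src=203.0.113.7 user=admin action=login status=failed
2024-05-01T08:00:15Z src=203.0.113.7 user=administrator action=login status=failed
2024-05-01T08:00:30Z src=203.0.113.7 user=fortigate action=login status=failed
2024-05-01T08:00:45Z src=203.0.113.7 user=vpnuser action=login status=failed
2024-05-01T08:01:00Z src=198.51.100.5 user=jdoe action=login status=failed
2024-05-01T08:01:00Z src=203.0.113.7 user=backup action=login status=failed
2024-05-01T08:01:15Z src=203.0.113.7 user=support action=login status=failed
2024-05-01T08:01:20Z src=198.51.100.5 user=jdoe action=login status=success
2024-05-01T08:01:30Z src=203.0.113.7 user=guest action=login status=failed
2024-05-01T08:01:45Z src=203.0.113.7 user=test action=login status=failed
2024-05-01T08:02:00Z src=203.0.113.7 user=svc_backup action=login status=failed
2024-05-01T08:02:15Z src=203.0.113.7 user=operator action=login status=failed
2024-05-01T08:02:30Z src=203.0.113.7 user=helpdesk action=login status=failed
2024-05-01T08:02:45Z src=203.0.113.7 user=monitor action=login status=failed
2024-05-01T08:04:00Z src=203.0.113.7 user=svc_backup action=login status=success
"""


def parse_line(line):
    """Return a dict for a login event, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "status": m["status"]}


def hunt_spray_then_success(lines, window=timedelta(minutes=10),
                            min_failures=10, min_users=5):
    """Flag a successful login whose source produced, inside `window` before it,
    at least `min_failures` failures spread over at least `min_users` accounts.

    The distinct-user condition separates spraying (few passwords, many users)
    from a single user retrying their own password."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])  # tolerate out-of-order ingestion
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures inside window
    alerts = []
    for ev in events:
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:  # expire old failures
            q.popleft()
        if ev["status"] == "failed":
            q.append((ev["ts"], ev["user"]))
        elif ev["status"] == "success":
            users = {u for _, u in q}
            if len(q) >= min_failures and len(users) >= min_users:
                alerts.append({
                    "src": ev["src"],
                    "user": ev["user"],
                    "success_at": ev["ts"].isoformat(),
                    "failures_in_window": len(q),
                    "distinct_users": len(users),
                })
    return alerts


def run_sample():
    """Run the hunt over the constructed sample; returns the list of alerts."""
    return hunt_spray_then_success(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the spraying source is reported; the single failure from 198.51.100.5 never reaches the failure or distinct-user thresholds. Running the same window over the account rather than the source IP catches actors that rotate addresses, at the cost of more noise from shared accounts; both views are worth keeping in a hunt.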
Context
Similar Attacks: Initial password list likely developed from previous breaches and successful vulnerability exploitation; threat actors add newly compromised credentials to the password list for iterative targeting