FortiBleed: 75,000 Fortinet Firewalls Compromised: Global Enterprises Exposed – Claim Your Ethical Disclosure

By Hudson Rock | infostealers.com

Fortinet firewalls and VPN gateways serve as the primary defensive perimeter for countless organizations worldwide. However, a massive new cyber espionage campaign has silently compromised these highly trusted devices on an unprecedented global scale.

Originally discovered by security researcher Volodymyr “Bob” Diachenko and subsequently analyzed by Hudson Rock, this dataset exposes a massive, automated operation. Threat actors successfully targeted 73,932 unique firewall URLs across 194 countries, resulting in 21,632 unique affected domains.

Based on our analysis of the dataset, the threat actors likely swept the internet for exposed Fortinet instances, systematically testing them against vast repositories of historical credential leaks. Once a foothold is established, attackers could potentially monitor traversing traffic to harvest additional logins, creating a continuous loop of unauthorized access.

Attacker Methodology & Unprecedented Scale

According to Diachenko’s investigative report, this campaign is orchestrated by a multi-operator, Russian-speaking cybercriminal group. The operation’s footprint is staggering: the attackers executed an estimated 1.16 billion credential attempts against over 320,000 FortiGate targets, alongside an additional 2.1 billion brute-force attempts directed at over 160,000 MSSQL servers.

The group’s methodology goes beyond simple credential reuse. They actively intercept SSL VPN authentication hashes and crack them using a massive, dedicated 45-GPU cluster managed via Hashtopolis. Once the perimeter is breached, the operators systematically pivot directly into internal Active Directory environments to establish deep network persistence.

This aggressive methodology has led to severe, real-world consequences. Diachenko’s research confirmed full network compromises at multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey. Most alarmingly, this includes a Turkish NATO defense contractor from which classified defense documents were successfully exfiltrated by the group.

High-Profile Victims Identified

The scale of this breach touches nearly every sector of the global economy. The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet.

Among the victims discovered in this dataset are massive multinational corporations, including:

  • Foxconn
  • Samsung
  • Comcast
  • Siemens
  • Lenovo
  • PwC
  • Accenture
  • Oracle
  • …and thousands of others, including major government entities and critical infrastructure providers.

Inside the Data: The Attackers’ Logs

When examining the attacker infrastructure, it becomes clear how systematic and devastating this campaign is. The attackers maintained highly organized logs of successful breaches.

Figure 1: A snippet from the leaked database showing successfully compromised Fortinet credentials, revealing the sheer scale of the automated collection.

The Illusion of Password Complexity

A particularly alarming detail from this dataset is the high volume of extremely complex passwords that were successfully compromised. IT departments frequently lean on rigid password complexity rules as their main line of defense.

However, complexity is completely neutralized when passwords are recovered in plaintext. Whether threat actors leverage specific device exploits that expose plaintext credentials, or utilize databases previously harvested by Infostealers, a 20-character complex string is just as vulnerable as a simple one. If the attackers are recycling known plaintext credentials to bypass perimeters, complexity policies offer no protection.
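The point above, that a leaked password is compromised regardless of how complex it is, is easiest to see by running a complexity check and a breach-corpus check side by side. The following is an added example, not Hudson Rock's tooling or Fortinet's: the breach corpus is a small constructed set of SHA-1 hashes standing in for a real leak database, the 5-hex-character prefix lookup mimics the k-anonymity range query that services such as Pwned Passwords expose, and the policy threshold of 16 points, the helper names and the sample passwords are all this example's own assumptions.

```python
"""Screen passwords against a leaked-credential corpus, independent of complexity.

Added example (not Hudson Rock's or Fortinet's code). LEAKED_SHA1 is a
constructed stand-in for a breach database; a real deployment would query a
k-anonymity range API or an internal threat-intelligence feed instead.
"""
import hashlib
import re

# Constructed stand-in for a breach corpus: SHA-1 digests of passwords that
# have already appeared in leaks. Real corpora hold billions of entries.
_LEAKED_PASSWORDS = [
    "Password123!",
    "Summer2024!",
    "Xk9#vQ2$mL7@pR4&wT1!",   # 20 characters, every class present, still leaked
]
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _LEAKED_PASSWORDS}

POLICY_MIN_SCORE = 16  # assumed complexity threshold, not a vendor value


def complexity_score(password: str) -> int:
    """Typical policy scoring: length plus one point per character class used."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) + sum(bool(re.search(c, password)) for c in classes)


def range_query(prefix: str) -> dict[str, int]:
    """Emulate a k-anonymity range lookup: given the first 5 hex characters of a
    SHA-1, return the matching suffixes the corpus knows and their leak counts.
    Offline stand-in; the counts are constructed."""
    return {h[5:]: 1 for h in LEAKED_SHA1 if h.startswith(prefix)}


def is_leaked(password: str) -> bool:
    """Check the password while only ever disclosing a 5-character hash prefix."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix)


def evaluate(password: str) -> dict:
    """Return both verdicts so the contrast is visible: a passing complexity
    score does nothing to prevent a 'leaked' verdict."""
    score = complexity_score(password)
    leaked = is_leaked(password)
    return {
        "complexity": score,
        "meets_policy": score >= POLICY_MIN_SCORE,
        "leaked": leaked,
        "accept": score >= POLICY_MIN_SCORE and not leaked,
    }


if __name__ == "__main__":
    for candidate in ("Xk9#vQ2$mL7@pR4&wT1!", "correct horse battery staple!"):
        print(candidate, evaluate(candidate))
```

The first candidate scores 24 under the policy and is still rejected because it is in the corpus; the second is a long passphrase that passes both checks. Running this at password-set time (and periodically against newly published leaks) is what turns the "monitor for stolen credentials" advice into an enforceable control.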

Figure 2: Attackers successfully matching strong, complex passwords that were previously leaked, bypassing standard IT security policies.

Figure 3: Examples of the highly complex passwords compromised in the breach. When credentials are stolen via infostealers, complexity offers no defense.

Recommended Mitigation Steps

To secure your network against this specific vector, we strongly recommend the following immediate actions:

  • Force Credential Rotation: Immediately reset all passwords associated with Fortinet VPN and admin interfaces. As demonstrated, password complexity is not a substitute for rotation if the credentials have been leaked.
  • Enforce Strict MFA: Ensure Multi-Factor Authentication is universally applied to all external gateways, effectively neutralizing the threat of stolen plaintext passwords.
  • Audit Gateway Logs: Review Fortinet access logs for anomalous login locations, unexpected administrative sessions, or unusual traffic volumes passing through the firewall.
  • Monitor for Stolen Credentials: Proactively monitor employee and third-party vendor credentials against threat intelligence databases to catch compromised passwords before they are weaponized against your perimeter.
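The "Audit Gateway Logs" step above is the one that lends itself to automation. The script below is an added example, not Fortinet's or Hudson Rock's code: it parses FortiGate-style key=value syslog lines and flags two patterns relevant to this campaign, a credential sweep (many distinct usernames failing from one remote IP, especially when followed by a successful tunnel) and an administrator login from an address outside an expected range. The sample log lines are constructed, the field names (subtype, action, status, remip, srcip, user) are assumed to match FortiOS event logs and should be checked against the firmware in use, and the admin allowlist and threshold are placeholders.

```python
"""Flag credential-sweep and anomalous-admin patterns in FortiGate-style logs.

Added example, not vendor code. SAMPLE_LOGS is constructed; the key=value
layout and field names are assumptions about FortiOS event logging.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: one IP tries several usernames over SSL VPN and finally
# gets a tunnel, then an admin GUI login arrives from an unexpected address.
SAMPLE_LOGS = """\
date=2025-01-10 time=08:00:01 type=event subtype=vpn action="ssl-login-fail" remip=203.0.113.9 user="jdoe" msg="SSL user failed to logged in"
date=2025-01-10 time=08:00:02 type=event subtype=vpn action="ssl-login-fail" remip=203.0.113.9 user="asmith" msg="SSL user failed to logged in"
date=2025-01-10 time=08:00:03 type=event subtype=vpn action="ssl-login-fail" remip=203.0.113.9 user="bwong" msg="SSL user failed to logged in"
date=2025-01-10 time=08:00:04 type=event subtype=vpn action="ssl-login-fail" remip=203.0.113.9 user="clee" msg="SSL user failed to logged in"
date=2025-01-10 time=08:00:05 type=event subtype=vpn action="tunnel-up" remip=203.0.113.9 user="clee" msg="SSL tunnel established"
date=2025-01-10 time=08:05:00 type=event subtype=system action="login" status="success" ui="https(198.51.100.7)" srcip=198.51.100.7 user="admin" msg="Administrator admin logged in successfully from https(198.51.100.7)"
date=2025-01-10 time=09:00:00 type=event subtype=system action="login" status="success" ui="https(10.0.0.5)" srcip=10.0.0.5 user="admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"
"""

# Constructed placeholder: where admin GUI/SSH sessions are expected to originate.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

# key=value pairs; quoted values may contain spaces and escaped quotes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line: str) -> dict[str, str]:
    """Parse one FortiGate-style log line into a dict, stripping quotes."""
    out = {}
    for key, val in _KV.findall(line):
        out[key] = val[1:-1] if val.startswith('"') else val
    return out


def audit(log_text: str, spray_threshold: int = 3) -> list[str]:
    """Return human-readable findings for the patterns described above."""
    findings = []
    fails_by_ip = defaultdict(set)  # remote IP -> distinct usernames that failed
    for raw in log_text.splitlines():
        ev = parse_kv(raw)
        if not ev:
            continue
        if ev.get("subtype") == "vpn":
            ip = ev.get("remip", "?")
            if ev.get("action") == "ssl-login-fail":
                fails_by_ip[ip].add(ev.get("user", "?"))
            elif ev.get("action") == "tunnel-up" and len(fails_by_ip[ip]) >= spray_threshold:
                # A success right after a sweep is the signature of a stuffing hit.
                findings.append(
                    f"VPN success from {ip} after {len(fails_by_ip[ip])} distinct "
                    f"usernames failed (user {ev.get('user')})"
                )
        elif (ev.get("subtype") == "system" and ev.get("action") == "login"
              and ev.get("status") == "success"):
            src = ipaddress.ip_address(ev.get("srcip", "0.0.0.0"))
            if not any(src in net for net in ADMIN_ALLOWLIST):
                findings.append(f"admin login by {ev.get('user')} from non-allowlisted {src}")
    for ip, users in fails_by_ip.items():
        if len(users) >= spray_threshold:
            findings.append(f"credential sweep: {len(users)} distinct usernames failed from {ip}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGS):
        print("ALERT:", finding)
```

On the constructed sample this raises three alerts: the tunnel for `clee` following four distinct failed usernames from 203.0.113.9, the admin login from 198.51.100.7, and the sweep itself. The 10.0.0.5 admin session is silent because it falls inside the allowlist. In production the same logic would run over the syslog feed rather than a string, and the distinct-username count is the metric worth trending, since a sweep against historical leaks produces many usernames with few attempts each rather than a brute force against one account.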

🚨 Free Look-Up Tool for Affected Organizations

Because of the critical nature of this massive campaign, Hudson Rock is committed to performing ethical disclosures for affected organizations.

We have launched a dedicated portal where companies can verify if their domains are part of this compromised dataset. Following confirmation of impact, organizations can reach out directly through the tool to receive a full ethical disclosure regarding their exposure.

The free Hudson Rock lookup portal for affected organizations.

Example: Verifying if an organization like Comcast was compromised in the breach.

Global Scope: Top 30 Affected Countries

This campaign has a massive global footprint. Below are the top 30 countries impacted by this compromise, ranked by the number of breached devices:

🇮🇳 India (IN) 9,629
🇺🇸 United States (US) 6,352
🇹🇼 Taiwan (TW) 3,637
🇲🇽 Mexico (MX) 3,197
🇹🇷 Turkey (TR) 3,032
🇹🇭 Thailand (TH) 2,939
🇨🇴 Colombia (CO) 2,436
🇲🇾 Malaysia (MY) 2,066
🇨🇱 Chile (CL) 2,015
🇦🇪 United Arab Emirates (AE) 1,988
🇧🇷 Brazil (BR) 1,737
🇰🇷 South Korea (KR) 1,687
🇭🇰 Hong Kong (HK) 1,462
🇩🇴 Dominican Republic (DO) 1,413
🇮🇹 Italy (IT) 1,259
🇸🇬 Singapore (SG) 1,142
🇫🇷 France (FR) 1,116
🇨🇳 China (CN) 1,066
🇻🇳 Vietnam (VN) 1,038
🇵🇷 Puerto Rico (PR) 917
🇬🇹 Guatemala (GT) 878
🇪🇸 Spain (ES) 865
🇵🇭 Philippines (PH) 857
🇮🇱 Israel (IL) 851
🇨🇦 Canada (CA) 810
🇦🇷 Argentina (AR) 806
🇿🇦 South Africa (ZA) 771
🇵🇦 Panama (PA) 688
🇵🇪 Peru (PE) 627
🇪🇨 Ecuador (EC) 547

Top 30 Affected Industries & Services

Telecommunications and IT Services took the heaviest hits, but the attacker’s net was cast incredibly wide. Here is the breakdown of the top 30 compromised sectors:

IT Services 1,975
Construction Materials 587
Telecommunications 574
Construction & Eng. 528
Industrial Equipment 467
Financial Services 460
Government Services 454
Construction Services 435
Electronics Mfg. 413
IT Consulting 381
Healthcare Services 365
Manufacturing 351
Education 346
Food & Beverage 300
Hospitality 270
Industrial Automation 264
E-commerce Retail 239
Education Services 233
Industrial Mfg. 210
Real Estate Dev. 206
Logistics & Trans. 201
Real Estate 178
Fashion Retail 164
Information Tech. 164
Legal Services 147
Automotive Retail 142
Security Services 137
Higher Education 133
Management Consult. 111
Software Dev. 110

Conclusion

This massive incident serves as a glaring reminder that exposed network gateways combined with reused or stolen credentials are an attacker’s dream. Relying on password complexity policies is not enough to secure environments against data points harvested by Infostealers.

Check if your company has been exposed today by using Hudson Rock’s Free Fortinet Look-Up Tool.
