Recent reporting has detailed an active credential exposure campaign dubbed “FortiBleed” that targets internet-facing FortiGate firewall devices. The activity involves a custom tool, often referred to as FortiGateSniffer, that enables attackers to harvest sensitive information. This includes VPN credentials and session data from affected devices. Read the Cybersecurity Threat Advisory now to protect your environments.
What is the threat?
FortiBleed is an active credential-harvesting campaign targeting internet-facing FortiGate firewall and VPN appliances. Attackers focus on extracting sensitive authentication material directly from the device rather than compromising individual endpoints.
At the center of the campaign is a custom tool commonly referred to as FortiGateSniffer. The tool is designed to collect VPN credentials, session cookies, and authentication tokens as they are processed by the FortiGate operating system. Rather than exploiting a single new zero-day flaw, attackers combine previously disclosed vulnerabilities, exposed management services, and weak or reused credentials. This approach helps them gain an initial foothold on the appliance.
Once on the appliance, attackers run FortiGateSniffer or a similar technique to intercept authentication data in memory or during VPN login workflows. As remote users authenticate to the SSL VPN or other access services, the tool captures their credentials while the appliance is still handling them in the clear, before they are discarded.
In some cases attackers also extract cached session information, which lets them reuse active VPN sessions without re-authenticating. The technique is stealthy because it requires no persistent malware on user endpoints, and because collection happens inside the appliance's ordinary authentication flow, its activity blends into routine logging.
After credentials are harvested, attackers pivot to credential replay and persistence. Stolen VPN usernames and passwords are used to establish legitimate VPN connections. These connections often originate from infrastructure that resembles an organization’s normal remote workforce.
Because attackers use valid credentials, security controls may not flag the activity as suspicious. From there, they can enumerate internal networks, access file shares and internal applications, and deploy additional tools. This approach allows threat actors to maintain long-term, low-noise access to the environment. It also helps them bypass traditional detection mechanisms that focus on exploit-based intrusions rather than credential abuse.
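The advisory notes that replayed credentials look like normal remote-access traffic, which is exactly why the replay phase is where detection has to happen. The following is an added example, not code from the original advisory and not Barracuda's or Fortinet's tooling, of two heuristics run over SSL VPN login events: the same account completing logins from two different source IPs within a short window, and a single source IP authenticating as several accounts in succession. The log lines are constructed for the example in FortiGate's key=value event style using RFC 5737 documentation addresses; the field names and logid are assumptions, not data captured from the campaign.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in FortiGate's key=value event style, using
# RFC 5737 documentation addresses. They are made up for this example and
# are not logs captured from the campaign; the field names are assumptions.
SAMPLE_LOGS = [
    'date=2024-05-01 time=08:02:11 logid="0101039424" type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip="203.0.113.10" reason="login successfully"',
    'date=2024-05-01 time=08:14:37 logid="0101039424" type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip="198.51.100.77" reason="login successfully"',
    'date=2024-05-01 time=08:15:02 logid="0101039424" type="event" subtype="vpn" action="tunnel-up" user="asmith" remip="198.51.100.77" reason="login successfully"',
    'date=2024-05-01 time=08:15:40 logid="0101039424" type="event" subtype="vpn" action="tunnel-up" user="bkumar" remip="198.51.100.77" reason="login successfully"',
    'date=2024-05-01 time=09:30:00 logid="0101039424" type="event" subtype="vpn" action="tunnel-up" user="clee" remip="192.0.2.5" reason="login successfully"',
    'date=2024-05-01 time=10:45:00 logid="0101039424" type="event" subtype="vpn" action="tunnel-up" user="clee" remip="192.0.2.5" reason="login successfully"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping the quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def successful_vpn_logins(lines):
    """Yield (timestamp, user, remote_ip) for SSL VPN tunnel-up events only."""
    for line in lines:
        ev = parse_line(line)
        if ev.get("subtype") != "vpn" or ev.get("action") != "tunnel-up":
            continue
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, ev.get("user", ""), ev.get("remip", "")


def find_anomalies(lines, window=timedelta(minutes=30), max_users_per_ip=2):
    """Return alert tuples for replayed-credential patterns.

    Rule 1: the same account completes logins from two different source IPs
            within `window` (a replayed password racing the real user).
    Rule 2: one source IP logs in as more than `max_users_per_ip` accounts
            (one attacker host working through a harvested credential list).
    """
    alerts = []
    by_user = defaultdict(list)   # user -> [(timestamp, ip), ...]
    by_ip = defaultdict(set)      # ip   -> {users}
    for ts, user, ip in sorted(successful_vpn_logins(lines)):
        for prev_ts, prev_ip in by_user[user]:
            if prev_ip != ip and ts - prev_ts <= window:
                alerts.append(("user_multi_source", user, prev_ip, ip))
                break
        by_user[user].append((ts, ip))
        by_ip[ip].add(user)
        if len(by_ip[ip]) == max_users_per_ip + 1:   # fire once, when crossed
            alerts.append(("ip_multi_user", ip, len(by_ip[ip])))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOGS):
        print(alert)
```

Feed it one event per line from your syslog or SIEM export and tune the window and threshold to your user base. Both rules are triage signals rather than verdicts: Rule 1 also fires when a legitimate user roams from mobile data to Wi-Fi, and Rule 2 fires on carrier-grade NAT where many real users share one public address, so enrich hits with geolocation or device identity before acting on them.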
Why is it noteworthy?
This campaign is noteworthy because it targets perimeter security infrastructure. These systems are often implicitly trusted and granted broad access to internal networks, so compromising a firewall or VPN appliance undermines one of the most critical layers of defence and reduces the effectiveness of everything behind it.
Additionally, FortiBleed highlights the ongoing risk posed by credential harvesting at the network edge. This remains true even in the absence of a new zero-day vulnerability. By abusing exposed services and previously known weaknesses, attackers can quietly collect valid credentials. They can then reuse them for long-term access. This makes detection more difficult than with traditional brute-force or exploit-based attacks.
What is the exposure or risk?
Organizations with internet-facing FortiGate devices are at risk of credential compromise and unauthorized network access. Stolen VPN or administrative passwords give an attacker a valid login, and stolen session cookies or tokens can be replayed to bypass multifactor authentication in some configurations, because the second factor was already satisfied when the session was established. Either enables lateral movement, data exfiltration, or ransomware deployment.
Because attackers often authenticate using valid credentials, malicious activity may appear legitimate. This can increase dwell time and amplify the impact of a breach.
What are the recommendations?
Barracuda strongly recommends organizations take the following steps to reduce their risk:
- Patch and Update: Ensure FortiGate devices are running a current, supported FortiOS release with fixes for previously disclosed vulnerabilities applied, since the campaign chains known flaws rather than a new zero-day.
- Restrict Management Access: Disable internet exposure of administrative interfaces and limit access to trusted IP ranges.
- Rotate Credentials: Reset VPN, administrative, and service account credentials, especially if exposure is suspected, and terminate existing VPN and administrative sessions at the same time, since harvested session data remains usable until the session ends.
- Enforce MFA: Require multifactor authentication for VPN and administrative access.
- Network Segmentation: Limit VPN user access to only required internal resources.
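To make the "restrict management access" recommendation checkable, here is an added example (not part of the original advisory and not Fortinet's tooling) that parses the relevant sections of a FortiOS configuration backup, reports WAN-role interfaces that still list management services under allowaccess and admin accounts with no trusthost restriction, and emits corrective CLI. The configuration text is constructed for the example and is not a real device backup; the `<trusted-net> <netmask>` placeholder is for the reader to fill in with their own management network.

```python
import shlex

# Constructed FortiOS-style configuration excerpt for this example; it is not
# a real device backup. "wan1" still allows HTTPS and SSH administration and the
# built-in "admin" account has no trusthost restriction (meaning any source).
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh http
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
"""

# allowaccess values that expose administration, as opposed to e.g. ping.
MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp", "fgfm"}


def parse_fortios_config(text):
    """Return {section: {entry: {setting: [values]}}} for top-level
    'config <section>' blocks. Nested 'config' blocks inside an entry are
    tracked only so their 'end' is matched; their settings are ignored."""
    sections, stack, entry = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
            if len(stack) == 1:
                sections.setdefault(stack[0], {})
        elif line == "end":
            if stack:
                stack.pop()
            if not stack:
                entry = None
        elif len(stack) != 1:
            continue                       # inside a nested block, or outside any block
        elif line.startswith("edit "):
            entry = shlex.split(line[len("edit "):])[0]
            sections[stack[0]][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, *values = shlex.split(line[len("set "):])
            sections[stack[0]][entry][key] = values
        elif line == "next":
            entry = None
    return sections


def audit(config_text):
    """Findings for the 'restrict management access' recommendation."""
    cfg = parse_fortios_config(config_text)
    findings = []
    for name, s in cfg.get("system interface", {}).items():
        if s.get("role", [None])[0] != "wan":
            continue
        allow = s.get("allowaccess", [])
        exposed = sorted(v for v in allow if v in MGMT_SERVICES)
        keep = [v for v in allow if v not in MGMT_SERVICES]
        if exposed:
            findings.append(("mgmt_on_wan", name, exposed, keep))
    for name, s in cfg.get("system admin", {}).items():
        # With no trusthostN set, FortiOS accepts logins for the account from any address.
        if not any(k.startswith("trusthost") for k in s):
            findings.append(("admin_no_trusthost", name))
    return findings


def remediation_cli(findings):
    """Corrective CLI; <trusted-net> <netmask> is a placeholder to fill in."""
    out = []
    for f in findings:
        if f[0] == "mgmt_on_wan":
            _, name, _, keep = f
            fix = f"set allowaccess {' '.join(keep)}" if keep else "unset allowaccess"
            out += ["config system interface", f'    edit "{name}"', f"        {fix}", "    next", "end"]
        elif f[0] == "admin_no_trusthost":
            out += ["config system admin", f'    edit "{f[1]}"',
                    "        set trusthost1 <trusted-net> <netmask>", "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    print(remediation_cli(audit(SAMPLE_CONFIG)))
```

Run it against a configuration backup exported from the device. Two caveats: the interface role is only a label, so an interface marked `undefined` but carrying a public address is missed and should be cross-checked against actual addressing, and the check deliberately says nothing about the SSL VPN listener, which has to face the internet; it is the administrative GUI and SSH that should not.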
References
For more in-depth information about the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

