A devastating cyberattack campaign has left tens of thousands of Fortinet firewalls and Virtual Private Networks (VPNs) compromised worldwide, with major companies from various industries falling prey to the assault. The operation, dubbed 'FortiBleed', appears to exploit previously known or leaked passwords rather than targeting novel software vulnerabilities in the affected devices. This modus operandi allows hackers to gain initial access to company networks, setting the stage for further compromise.
Cybersecurity firms Hudson Rock and SOCRadar have been at the forefront of investigating this campaign, revealing that attackers are using automated tools to scan for exposed Fortinet devices and then employing lists of previously known credentials to breach them. Compromised devices are being utilised as 'listening posts' to monitor network traffic and collect further credentials, fuelling a self-perpetuating cycle of compromise. The scope of the attack is staggering, with over 73,000 unique Fortinet URLs affected, according to Hudson Rock, while SOCRadar reports more than 30,000 hacked devices.
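One defender-side way to spot the pattern described above, as an added example that is not from the article or from either firm's tooling: it scans constructed, simplified key=value VPN login lines (the field names time, action, user and remip are assumed, not Fortinet's real log schema) and flags source addresses that try many distinct accounts in a short window with mostly failures, which is what replaying a leaked credential list looks like from the device's side.

```python
"""Flag source addresses whose login pattern looks like credential replay."""
from collections import defaultdict
from datetime import datetime

# Constructed, simplified log lines (hypothetical schema, not a real FortiGate log).
SAMPLE_LOG = """\
time=09:00:01 action=login-fail user=alice remip=203.0.113.7
time=09:00:02 action=login-fail user=bob remip=203.0.113.7
time=09:00:03 action=login-fail user=carol remip=203.0.113.7
time=09:00:04 action=login-fail user=dave remip=203.0.113.7
time=09:00:05 action=login-ok user=erin remip=203.0.113.7
time=09:00:06 action=login-fail user=frank remip=203.0.113.7
time=09:10:00 action=login-fail user=alice remip=198.51.100.2
time=09:10:30 action=login-ok user=alice remip=198.51.100.2
"""


def parse_line(line):
    # Space-separated key=value pairs; values in this constructed format contain no spaces.
    return dict(kv.split("=", 1) for kv in line.split())


def find_stuffing_sources(log_text, window_seconds=300, min_users=4, max_success_ratio=0.5):
    """Return {remip: (distinct_users, successes, failures)} for sources that, within
    one sliding window, hit at least min_users different accounts with a success
    ratio at or below max_success_ratio. A success inside such a burst is the event
    to escalate: a leaked password that still works on an internet-exposed device."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        t = datetime.strptime(rec["time"], "%H:%M:%S")
        by_ip[rec["remip"]].append((t, rec["user"], rec["action"] == "login-ok"))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start so the window never exceeds window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            successes = sum(1 for _, _, ok in window if ok)
            if len(users) >= min_users and successes / len(window) <= max_success_ratio:
                # Keep the widest burst seen for this source.
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), successes, len(window) - successes)
    return flagged
```

A single legitimate user mistyping once and then logging in (the second source above) is not flagged, because the distinct-account count stays at one.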
High-profile organisations allegedly impacted by 'FortiBleed' include Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC. While a spokesperson for Lenovo acknowledged a request for comment, the other companies have remained silent thus far. The cybersecurity firms involved in the reporting of this campaign suspect that the group responsible is Russian-speaking. Geographically, India, the United States, Taiwan, and Mexico have seen the highest number of affected devices, though victims are reported worldwide. Industries most targeted include IT services, construction materials, telecommunications, and government agencies.
The nature of this attack underscores a fundamental security challenge: the attackers' reliance on leaked or weak passwords rather than zero-day vulnerabilities. It highlights the critical importance of robust password hygiene, including regular changes and the use of unique, complex credentials for internet-exposed systems. Fortinet has not yet responded to requests for comment regarding these claims. Independent cybersecurity researcher Kevin Beaumont has analysed the data and confirmed its legitimacy.
This incident follows a pattern of previous campaigns targeting Fortinet devices, though those often exploited specific vulnerabilities. The current approach, leveraging easily obtainable login details, signifies a less sophisticated but equally effective method for gaining unauthorised access to critical organisational infrastructure. The implications for data security and operational integrity are significant for all affected entities.