CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices

The Hacker News business

Key Points:

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Fortinet FortiGate users of an ongoing large-scale attack, dubbed FortiBleed, in which stolen and default credentials are used against over 86,000 internet-accessible devices.
  • The campaign, attributed to Russian-speaking threat actors, exploits weak password practices, including unchanged default accounts and reused credentials from prior breaches, impacting sectors like telecom, government, and education globally.
  • Attackers use automated tools to brute-force Fortinet remote login endpoints, then monitor compromised devices to harvest additional valid credentials for further intrusions, creating a verified database of working logins.
  • The attack leverages legacy credential storage weaknesses in FortiOS versions prior to 7.2.11, with many organizations still using outdated SHA-256 hashing instead of more secure PBKDF2-based storage.
  • CISA recommends immediate password resets, termination of active sessions, enabling multi-factor authentication, reviewing logs for suspicious activity, and reducing attack surfaces to mitigate the threat.
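
The log review recommended above can be sketched as follows. This is an added example, not code from CISA, Fortinet or the original article. It flags a successful login that follows repeated failures from the same source, any login to a default account, and sources that keep failing. The key=value log layout, the field names, the default-account list and the threshold are assumptions to adapt to the logs you actually export.

```python
import re
from collections import defaultdict

# Constructed sample events. The key=value layout, the field names (srcip, user,
# action, status) and every value are assumptions, not output from a real device.
SAMPLE_LOG = """\
time=10:00:01 srcip=203.0.113.7 user="admin" action=login status=failed
time=10:00:02 srcip=203.0.113.7 user="admin" action=login status=failed
time=10:00:02 srcip=192.0.2.55 user="admin" action=login status=failed
time=10:00:03 srcip=203.0.113.7 user="netops" action=login status=failed
time=10:00:04 srcip=203.0.113.7 user="netops" action=login status=success
time=10:05:10 srcip=198.51.100.9 user="jsmith" action=login status=failed
time=10:05:31 srcip=198.51.100.9 user="jsmith" action=login status=success
time=10:06:00 srcip=192.0.2.55 user="root" action=login status=failed
time=10:06:01 srcip=192.0.2.55 user="admin" action=login status=failed
time=10:06:02 srcip=192.0.2.55 user="test" action=login status=failed
time=11:00:00 srcip=198.51.100.20 user="admin" action=login status=success
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
DEFAULT_ACCOUNTS = {"admin"}   # assumed list of factory account names
FAIL_THRESHOLD = 3             # assumed tuning value


def parse(line):
    """Turn one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def review(log_text, threshold=FAIL_THRESHOLD):
    """Return (finding, srcip, user, prior_failures) tuples in log order."""
    fails = defaultdict(int)   # consecutive failed logins per source address
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("action") != "login":
            continue
        src, user = ev.get("srcip"), ev.get("user")
        if ev.get("status") == "failed":
            fails[src] += 1
        elif ev.get("status") == "success":
            if fails[src] >= threshold:      # guessing that ended in a valid login
                findings.append(("success_after_failures", src, user, fails[src]))
            if user in DEFAULT_ACCOUNTS:     # default account still in use
                findings.append(("default_account_login", src, user, fails[src]))
            fails[src] = 0
    # Sources that kept failing and never logged in: blocking candidates.
    findings += [("repeated_failures", s, None, n) for s, n in fails.items() if n >= threshold]
    return findings
```

Any account named in a success_after_failures or default_account_login finding is a candidate for the password reset and session termination steps in the list above.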
