    FortiBleed campaign used custom FortiGate sniffer to steal credentials

By admin, June 23, 2026
    Security firm SOCRadar says the large-scale FortiBleed campaign targeting Fortinet FortiGate devices used custom sniffers to harvest authentication secrets from compromised firewalls and steal credentials.

    The report, published today, expands on the company’s previous research into the large-scale “FortiBleed” campaign, which revealed a collection of Fortinet VPN credentials associated with more than 80,000 firewall URLs worldwide.

    According to SOCRadar, the operation targeted more than 430,000 FortiGate firewalls worldwide and has been active since at least February 2026.


    The researchers say the threat actor behind this campaign serves as an initial access broker (IAB), using credential stuffing, brute-force attacks, credential harvesting, and offline password cracking to obtain access to corporate networks.

    One of the researchers’ findings is the alleged use of a Golang-based tool dubbed “FortigateSniffer,” which abuses FortiOS’s built-in diagnose sniffer packet functionality to capture authentication traffic traversing compromised FortiGate devices.

    According to SOCRadar, the attackers abused this legitimate feature on compromised devices to steal credentials from network traffic passing through the firewall.

    SOCRadar says the tool was designed to monitor traffic for credentials, password hashes, and authentication secrets from various protocols, including RADIUS, NTLM, Kerberos, and LDAP.

    “The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract credentials from network flows,” SOCRadar said in the report.

While Fortinet told BleepingComputer last week that this incident is a collection of previously compromised credentials rather than a new vulnerability or incident, SOCRadar's report shows an ongoing campaign that is actively compromising FortiGate VPN devices.

    Sniffing for credentials

    The company says the threat actor deployed a credential-harvesting sniffer framework called “FortigateSniffer” on compromised FortiGate devices after first gaining administrative access via credential stuffing and brute-force attacks.

    This tool reportedly connects to FortiGate devices over SSH and launches the FortiOS diagnose sniffer packet command.

    The “diagnose sniffer packet” command is a built-in FortiOS diagnostic tool that administrators use to troubleshoot connectivity, authentication, and network performance issues.

    The command allows admins to inspect network traffic passing through a FortiGate firewall in real time, making it useful for identifying connection failures, routing problems, and authentication errors.

    The command was configured to monitor traffic for authentication protocols and remote access services, including Kerberos, LDAP, SMB, RADIUS, RDP, WinRM, Microsoft SQL Server, MySQL, PostgreSQL, SMTP, IMAP, POP3, FTP, and Telnet.

    The report says the packet data collected from FortiGate devices was processed through a component named “SNIFTRAN,” which reconstructed the captured traffic into PCAP files.

[Figure: FortiGate Sniffer parsing data through Sniftran. Source: SOCRadar]

    The captured data was then parsed through a Python-based “PCAP Deep Analysis Toolkit” that extracted cleartext credentials, password hashes, Kerberos tickets, NTLM authentication material, email credentials, database credentials, and other authentication artifacts from the network traffic.

    Next, the toolkit generated Hashcat-ready files containing NTLM and Kerberos hashes, and extracted cleartext credentials from protocols such as SMTP, IMAP, POP3, MySQL, and RADIUS when available.

    The threat actors allegedly used the GPU-based Hashcat password cracking utility running on a distributed GPU cluster to crack the hashed credentials.
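The chain described above (SSH login, then `diagnose sniffer packet` filtered for authentication ports) leaves a footprint in a FortiGate's own event logs, which is where a defender would look for it. The following detection script is an added example and is not code from SOCRadar, Fortinet, or this article; it assumes administrator login and CLI audit events are forwarded off the device in FortiOS-style key=value lines. The sample log lines are constructed, the exact field names (`action`, `ui`, `msg`) are an assumption to be checked against your own exported logs, and the port-to-protocol map is taken from the protocol list in the report, keyed by each service's well-known port.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample lines, modeled loosely on FortiOS key=value event logs.
# Field names are assumptions; compare against real exported admin/CLI audit events.
SAMPLE_LOGS = [
    'date=2026-06-20 time=08:01:12 type=event subtype=system action=login status=success user="admin" ui="ssh(203.0.113.45)" msg="Administrator admin logged in successfully from ssh(203.0.113.45)"',
    'date=2026-06-20 time=08:01:30 type=event subtype=system action=command user="admin" ui="ssh(203.0.113.45)" msg="Execute command: diagnose sniffer packet any \'port 88 or port 389 or port 445 or port 1812\' 6 0 a"',
    'date=2026-06-20 time=09:15:02 type=event subtype=system action=login status=success user="netops" ui="ssh(10.10.0.5)" msg="Administrator netops logged in successfully from ssh(10.10.0.5)"',
    'date=2026-06-20 time=09:16:40 type=event subtype=system action=command user="netops" ui="ssh(10.10.0.5)" msg="Execute command: diagnose sniffer packet port1 \'host 10.10.0.20 and icmp\' 4 20"',
    'date=2026-06-20 time=10:02:11 type=event subtype=system action=login status=failed user="admin" ui="ssh(198.51.100.7)" msg="Administrator admin login failed from ssh(198.51.100.7)"',
]

# Assumed management networks from which admin SSH sessions are expected.
ALLOWED_ADMIN_SOURCES = ["10.10.0.0/24"]

# Well-known ports for the authentication and remote-access protocols the report
# says the sniffer was pointed at.
AUTH_PORTS = {
    88: "Kerberos", 389: "LDAP", 445: "SMB", 1812: "RADIUS", 3389: "RDP",
    5985: "WinRM", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL",
    25: "SMTP", 143: "IMAP", 110: "POP3", 21: "FTP", 23: "Telnet",
}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
UI_SRC_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # source IP inside ui="ssh(1.2.3.4)"
PORT_RE = re.compile(r"\bport\s+(\d+)")                    # BPF-style port filters in the sniffer command


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping quotes from values."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def source_ip(fields: Dict[str, str]) -> Optional[str]:
    """Pull the remote address out of the ui field, if present."""
    m = UI_SRC_RE.search(fields.get("ui", ""))
    return m.group(1) if m else None


def analyze(lines: List[str], allowed_sources: List[str]) -> List[dict]:
    """Return findings for untrusted admin logins and sniffer runs aimed at auth traffic."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    findings: List[dict] = []
    for line in lines:
        f = parse_line(line)
        src = source_ip(f)
        user = f.get("user", "?")

        # Any admin login (successful or not) from outside the management networks.
        if f.get("action") == "login" and src:
            trusted = any(ipaddress.ip_address(src) in n for n in nets)
            if not trusted:
                findings.append({"rule": "admin_login_from_untrusted_source", "severity": "high",
                                 "user": user, "src": src, "status": f.get("status")})

        # Sniffer use is legitimate for troubleshooting; a filter naming auth ports is the
        # pattern the report describes and deserves a higher severity.
        if f.get("action") == "command" and "diagnose sniffer packet" in f.get("msg", ""):
            ports = {int(p) for p in PORT_RE.findall(f["msg"])}
            protos = sorted(AUTH_PORTS[p] for p in ports if p in AUTH_PORTS)
            findings.append({"rule": "sniffer_on_auth_protocols" if protos else "sniffer_use",
                             "severity": "high" if protos else "info",
                             "user": user, "src": src, "protocols": protos})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS, ALLOWED_ADMIN_SOURCES):
        print(finding)
```

Run against the constructed sample, the script flags the two admin SSH attempts from non-management addresses and the sniffer run filtered on Kerberos, LDAP, SMB and RADIUS ports, while the netops engineer's ICMP capture from the management network is recorded at info level only. Pairing the two rules (a sniffer invocation shortly after an untrusted login by the same account) is the correlation worth building in a SIEM.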

    In an update published on Friday, cybersecurity expert Kevin Beaumont suggested that the attackers also obtained hashed credentials by downloading FortiGate configuration files from compromised devices.

    The threat actors then extracted the hashed credentials and cracked them using Hashcat and 36 enterprise-class GPUs. 

    “The password cracking was hosted at a GenAI company which rents GPU compute,” explains Beaumont.

    “The attacker rented 36 enterprise class GPUs — more than most large orgs have for internal AI efforts — and instead of using it for AI tasks, they used them for password cracking. Enterprise GPUs can crack passwords at scale very quickly.”

    Both explanations could account for the dedicated GPU-based cracking platforms observed on the attacker’s servers.

    For those managing Fortinet devices, Beaumont has published the list of IP addresses targeted in this campaign. 

    Organizations utilizing FortiGate devices should review this list and investigate whether any of their systems were targeted or compromised.
