Tens of Thousands of Fortinet Firewalls Compromised in Global Credential Hacking Campaign


Old Passwords, Fresh Victims

Two cybersecurity firms say a single hacking crew has quietly broken into tens of thousands of Fortinet firewalls and VPNs run by major companies worldwide. The campaign, named FortiBleed, skips the usual playbook. There is no secret software flaw and no exotic exploit. The attackers simply logged in with passwords that victims never bothered to change. Hudson Rock and SOCRadar published their findings this week, and the operation is still running.

Cybersecurity, artistic impression. Image credit: TheDigitalArtist via Pixabay, free license

Key Takeaways

  • FortiBleed leans on credential reuse rather than a Fortinet bug — hackers scan for exposed devices, then sign in with passwords leaked in earlier breaches.
  • Hudson Rock found evidence pointing to more than 73,000 affected Fortinet URLs across 194 countries; SOCRadar puts the count of compromised devices above 30,000.
  • Named victims include Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC, with both firms pointing to a Russian-speaking group.

The method is almost boring, which is exactly why it works. Automated tools sweep the internet for exposed Fortinet firewalls and SSL VPN gateways, then try lists of previously leaked username and password pairs against each login page, the technique known as credential stuffing. When a pair still works, the attackers are inside with the same access as the legitimate user, and from the firewall they can pull sensitive data out of the victim company or move on into the network behind it.

How the Campaign Feeds Itself

Each breached device becomes a tool for the next break-in. SOCRadar described the loop in its report: “Once a device is compromised, [the hackers] use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by. Those freshly collected passwords are then fed back into the scanner to compromise even more devices. The system feeds itself.”

That design rewards patience over cleverness. The password list is not random: it draws on credentials pulled from earlier Fortinet incidents and infostealer logs, so any organization that skipped a password reset after a prior breach is already on the menu. The shape is familiar to anyone who tracks self-perpetuating attack loops: compromise feeds collection, collection feeds more compromise.

Who Got Hit, and Where

Hudson Rock says its evidence suggests more than 73,000 unique Fortinet URLs have been hacked, while SOCRadar counts over 30,000 compromised devices. According to Hudson Rock, the affected companies include Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC. A Lenovo spokesperson confirmed receipt of a press request but did not reply further. The other companies stayed silent.

The damage spreads across the map. Both firms name India, the United States, Taiwan, and Mexico as the countries with the most affected devices, with victims on every continent. Hudson Rock flags IT services, construction materials, and telecommunications as the hardest-hit industries. SOCRadar adds government agencies to the list. Both companies believe the operators are Russian-speaking.

No Zero-Day, Just Old Habits

Fortinet pushed back on the framing. A company spokesperson, Tiffany Curci, said in a statement to reporters that Fortinet “is aware of a reported third-party credential-harvesting campaign targeting Fortinet firewalls and VPN gateways.” Based on the company’s own analysis, she added, the data involved is “a resharing of data from previous incidents, as well as bruteforcing of credentials, and is not related to any recent incident or advisory.”

The reports trace back to a list of credentials for Fortinet devices and the companies behind them. Security researcher Bob Diachenko first flagged the campaign over the weekend. Independent researcher Kevin Beaumont then analyzed the data and confirmed it “is legit.” The scale impressed even seasoned analysts: Diachenko described “a Russian-speaking multi-operator group conducting large-scale credential harvesting against Fortinet FortiGate SSL VPN appliances worldwide,” adding that the operation “processed 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 MS-SQL servers.” The group cracked stolen password hashes on a 45-GPU cluster, then pivoted from the firewall into internal corporate networks.

For years, attackers usually got into Fortinet gear by abusing software vulnerabilities. FortiBleed flips that. The crew leans on leaked passwords, a simpler and cruder route, and it keeps working because the underlying problem is human, not technical. Recent industry data backs that up: even as software flaws climb the charts, stolen credentials remain one of the top initial-access vectors. The lesson rhymes with other recent failures, including federal credentials left sitting in plaintext where anyone could grab them.

There is a sharper edge to this one. SOCRadar found the group's exposed operational server and warned affected organizations to treat their network perimeter as already compromised. The firm noted the victim list skews heavily toward NATO member countries, which suggests money is not the only motive. Among the recovered data sat credentials tied to what looked like a defense-industry VPN endpoint. Fortinet firewalls anchor the network edge at banks, hospitals, universities, and telecoms, which is why a pile of working passwords against them carries weight far beyond any single company. The episode also makes the case for monitoring that can spot credential abuse at the edge before it spreads inward. The fix itself is unglamorous: rotate every admin and VPN password, kill reused logins, enforce multi-factor authentication on SSL VPN and administrator logins, lock down internet-facing management ports, and check the logs for access that should not be there. One caveat follows directly from how the campaign works: a compromised device is used as a listening post, so rotating passwords that then flow through a firewall the attackers still control only hands them the new ones. Confirm the device is clean first, including a review of its administrator accounts and configuration for changes you did not make, and rotate after that.
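The "check the logs" step is the one that turns into code. The following is an added example of my own, not code from the article, from Hudson Rock or SOCRadar, or from Fortinet: it parses FortiOS-style key=value event logs and flags the two traces a credential-stuffing run leaves behind, one source address failing SSL VPN logins against many distinct accounts inside a short window, and a tunnel coming up from that same address afterwards. The log lines are constructed to mimic FortiOS syslog output, and the logids and field names used (0101039426 for ssl-login-fail, 0101039947 for tunnel-up, remip, user) are assumptions to confirm against the log reference for your firmware before relying on them.

```python
"""Triage FortiGate SSL VPN event logs for credential-stuffing traces.

Added example, not code from the article, Hudson Rock, SOCRadar or Fortinet.
The sample lines are constructed to mimic FortiOS key=value syslog output;
the logids and field names used (0101039426 ssl-login-fail, 0101039947
tunnel-up, remip, user) are assumptions to confirm against the FortiOS log
reference for your firmware before relying on them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 fails against five accounts in eight
# seconds, then brings up a tunnel as one of them. 198.51.100.20 is a
# normal, unrelated login later in the day.
SAMPLE_LOGS = """\
date=2026-03-02 time=03:10:01 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="jsmith" reason="sslvpn_login_permission_denied"
date=2026-03-02 time=03:10:03 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="mwong" reason="sslvpn_login_permission_denied"
date=2026-03-02 time=03:10:04 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="svc_backup" reason="sslvpn_login_unknown_user"
date=2026-03-02 time=03:10:06 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="rpatel" reason="sslvpn_login_permission_denied"
date=2026-03-02 time=03:10:09 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="admin" reason="sslvpn_login_permission_denied"
date=2026-03-02 time=03:11:40 logid="0101039947" type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="rpatel" tunneltype="ssl-tunnel"
date=2026-03-02 time=08:02:11 logid="0101039947" type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.20 user="jsmith" tunneltype="ssl-tunnel"
"""

# FortiOS writes key=value pairs; values may be bare or double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the line's fields as a dict plus a parsed 'ts' datetime."""
    fields = {k: (q or u) for k, q, u in KV.findall(line)}
    fields["ts"] = datetime.strptime(
        f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S"
    )
    return fields


def parse_logs(text):
    """Parse every non-empty line of a syslog dump."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_spray(events, min_users=4, window=timedelta(minutes=5)):
    """Source IPs that fail SSL VPN logins against >= min_users distinct
    accounts inside `window`. Many users from one IP is the stuffing
    signature; one user failing repeatedly is more likely a typo loop.
    Returns {remip: sorted list of usernames tried}."""
    fails = defaultdict(list)
    for e in events:
        if e.get("action") == "ssl-login-fail":
            fails[e["remip"]].append((e["ts"], e["user"]))
    hits = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def detect_success_after_spray(events, spray_hits):
    """Tunnel-ups from an IP that was spraying in the same log window:
    a stuffed credential that worked. Returns (remip, user, ISO ts)."""
    return [
        (e["remip"], e["user"], e["ts"].isoformat())
        for e in events
        if e.get("action") == "tunnel-up" and e["remip"] in spray_hits
    ]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    spray = detect_spray(evs)
    for ip, users in spray.items():
        print(f"spray from {ip}: {len(users)} accounts tried: {', '.join(users)}")
    for ip, user, when in detect_success_after_spray(evs, spray):
        print(f"SUCCESS after spray: {user} from {ip} at {when}  <- rotate and review")
```

Feed it the output of `execute log filter` / `execute log display` exports or a syslog collector's FortiGate feed. The thresholds are deliberately conservative; a stuffing run against a real estate of thousands of leaked pairs will blow past four users in five minutes, while a single user fat-fingering a password will not trip the first rule at all, which is the point of keying on distinct accounts per source rather than raw failure counts.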

Written by Alius Noreika
