Security researchers at SOCRadar have outlined the details of a massive and ongoing campaign targeting Fortinet firewalls and VPN devices, which analysts have already dubbed FortiBleed.
Alarmingly, the operation – which SOCRadar attributes to a Russian-speaking adversary – appears to be fully automated and is based upon a curated list of known passwords.
The attackers scan for Fortinet devices and methodically test each one, recording the passwords that gain access to each device.
“Once a device is compromised, they use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by. Those freshly collected passwords are then fed back into the scanner to compromise even more devices. The system feeds itself,” SOCRadar said in a 16 June blog post.
“The password list is not random. It is a carefully assembled collection of credentials leaked from Fortinet devices in earlier incidents, meaning many targets may have never changed their passwords after a prior breach. The attackers know this, and they are counting on it.”
So far, SOCRadar has found 30,791 compromised devices, running across 8,316 unique domains, and based in 194 countries around the world.
Most of the victims tend to be from NATO countries, and while SOCRadar is still investigating, it said that “the operational fingerprints are clear”.
However, two Australian entities appear in SOCRadar’s list of the top 50 targeted organisations.
Perhaps the most disappointing aspect of this mass compromise is that the passwords most often found on compromised devices are still among the most commonly used passwords anywhere.
“This points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed,” SOCRadar said.
Targets in government and the education sector feature prominently, but telecommunications firms make up the bulk of the compromised credentials.
Benjamin Harris, CEO and founder of cyber security firm watchTowr, observed that “73,000+ Fortinet VPN credentials don’t just appear overnight”.
“Attackers are moving faster than defenders, exploiting internet-facing appliances within hours, extracting credentials and sensitive data, and returning later, even after the device has been patched. A vulnerability may exist only for a short time, but stolen credentials can provide access for months or years,” Harris told Cyber Daily.
“This serves as yet another reminder that ‘patch faster’ is no longer sufficient advice. If this incident resulted from the rapid exploitation of earlier Fortinet CVEs, the real issue isn’t the bug itself; it’s the access attackers gain before organisations can even respond.”
Harris noted that while the source of the data remains unknown, it’s most likely that the credentials were harvested over a long period, exploiting numerous vulnerabilities in internet-facing Fortinet applications.
“The uncomfortable reality is that modern exploitation isn’t always about immediate impact. It’s about harvesting data that retains value long after the underlying vulnerability has been patched,” Harris said.
“And the pattern repeats. A vulnerability is exploited, credentials and configuration data are collected, and the incident fades from view.
“Months later, the vulnerability is patched, and defenders believe the risk has passed. The bug was temporary. The access wasn’t.”
You can read SOCRadar’s full analysis, which includes a tool to check for compromise, on the SOCRadar blog. For now, however, here is SOCRadar’s advice.
“SOCRadar rates this campaign critical. The single most important step: change every password on every Fortinet device your organisation operates, including VPN accounts and admin accounts,” SOCRadar said.
“Do it today.
“Then enable two-factor authentication, review your login history, and restrict admin access so it cannot be reached from the open internet.”
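As an added example of the “review your login history” step (example code written for this article, not from SOCRadar or Cyber Daily): a small Python script that parses FortiOS-style key=value admin login events and flags successful logins that follow a run of failures from the same source for the same user, or that originate outside an assumed trusted management range. The sample log lines, the field names, the log IDs and the trusted range are all constructed here and are not taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample events in FortiOS key=value syslog style. Field names,
# logid values and addresses are assumptions for illustration, not real data.
SAMPLE_LOGS = """\
date=2025-06-16 time=02:11:03 logid="0100032002" type="event" user="admin" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2025-06-16 time=02:11:04 logid="0100032002" type="event" user="admin" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2025-06-16 time=02:11:05 logid="0100032002" type="event" user="admin" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2025-06-16 time=02:11:06 logid="0100032001" type="event" user="admin" srcip=198.51.100.7 action="login" status="success" reason="none"
date=2025-06-16 time=09:30:00 logid="0100032001" type="event" user="netops" srcip=10.0.0.12 action="login" status="success" reason="none"
"""

# Matches key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed management range: admin logins from anywhere else are suspicious.
TRUSTED_ADMIN_PREFIXES = ("10.",)


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_logs(text):
    """Parse every non-empty line of a log blob."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def flag_suspicious_logins(events, fail_threshold=3):
    """Return successful logins worth a second look: those preceded by
    fail_threshold or more failures from the same (srcip, user) pair, which is
    the signature of password guessing, and those from an untrusted source."""
    fails = defaultdict(int)
    findings = []
    for ev in events:
        if ev.get("action") != "login":
            continue
        key = (ev.get("srcip"), ev.get("user"))
        if ev.get("status") == "failed":
            fails[key] += 1
            continue
        if ev.get("status") != "success":
            continue
        reasons = []
        if fails[key] >= fail_threshold:
            reasons.append(f"{fails[key]} failed attempts before success")
        if not ev["srcip"].startswith(TRUSTED_ADMIN_PREFIXES):
            reasons.append("admin login from outside trusted management range")
        if reasons:
            findings.append({"time": f'{ev["date"]} {ev["time"]}',
                             "user": ev["user"], "srcip": ev["srcip"],
                             "reasons": reasons})
        fails[key] = 0  # reset the counter once a success is recorded
    return findings
```

A real review would also correlate these findings against the device's list of expected administrators and cross-check whether the flagged account's password was among those rotated.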
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.