FortiBleed — first full tool-chain disclosure (FortigateSniffer, SNIFTRAN, GPU cracking cluster); Fortinet confirms no new CVE
Entities: FortiBleed
Part of run 2026-06-23-165387f6 (intel · Claude Opus 4.8)
UPDATE — originally covered FortiBleed — 73,932 internet-facing FortiGate devices exposed, Russian-speaking group cracking credentials into Active Directory (2026-06-18)
UPDATE (originally covered 2026-06-18, last 2026-06-20): New analysis published 2026-06-22 gives the first complete tool-chain picture of the FortiBleed credential-harvesting campaign. The operators deploy a purpose-built Golang tool, FortigateSniffer, that abuses the native FortiOS diagnose sniffer packet command to capture authentication traffic on a compromised FortiGate; a second tool, SNIFTRAN, converts the captured traffic to PCAP, which a Python toolkit then parses for cleartext credentials, NTLM hashes, Kerberos tickets and LDAP/SQL auth material across ~24 protocols (BleepingComputer, 2026-06-22; SOCRadar, 2026-06-16).
Fortinet's PSIRT response confirms the campaign uses no new vulnerability — it reuses credentials from the previously disclosed CVE-2026-24858, CVE-2025-59718 and CVE-2025-59719, plus brute force against devices lacking strong passwords and MFA (Fortinet PSIRT, 2026-06-19; SecurityWeek, 2026-06-22). Reported tradecraft includes a distributed 36-GPU cluster — rented from a generative-AI provider, per BleepingComputer — for offline cracking of the harvested hashes; SOCRadar characterises the operators as Russian-speaking (SOCRadar, 2026-06-16).
The delta for defenders is a concrete detection surface that earlier coverage lacked: FortiOS records execution of diagnose sniffer packet in its audit log, so hunt for unexpected CLI sniffer invocations and stray PCAP files on the appliance, and — because harvested AD credentials are the downstream prize — treat all domain credentials on any FortiBleed-corpus device as compromised and force a domain-wide rotation, watching for anomalous Kerberos service-ticket requests (event 4769) and Logon Type 3 events (4624) from new sources against privileged accounts. Upgrade to firmware with PBKDF2 password hashing to make offline cracking expensive, terminate active sessions, enable MFA and disable external management access.
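An added example, not taken from the cited reports or from Fortinet, of the two hunts described above run over constructed telemetry: a key=value parser for FortiOS audit lines that flags diagnose sniffer packet executions, and a pass over simplified Windows 4624/4769 events that flags privileged network logons from unseen sources and one account requesting an unusual number of service tickets. The FortiOS field names (user, ui, action, msg), the simplified event records, the privileged-account list and the burst threshold are assumptions, not a documented log schema.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, not captured data. The FortiOS lines use an
# assumed key="value" audit-log layout; the field names are an approximation.
FORTIOS_LOG = [
    'date=2026-06-21 time=03:12:44 type="event" user="admin" ui="ssh(203.0.113.9)" '
    'action="execute" msg="diagnose sniffer packet any \'port 88 or port 389\' 3"',
    'date=2026-06-21 time=03:20:01 type="event" user="admin" ui="ssh(203.0.113.9)" '
    'action="execute" msg="get system status"',
]
# Simplified Windows Security events: 4624 network logons and 4769 TGS requests.
WIN_EVENTS = [
    {"id": 4624, "user": "svc_backup", "logon_type": 3, "src": "10.0.0.5"},
    {"id": 4624, "user": "svc_backup", "logon_type": 3, "src": "198.51.100.7"},
    {"id": 4624, "user": "jdoe", "logon_type": 3, "src": "198.51.100.7"},
] + [{"id": 4769, "user": "svc_backup", "service": s}
     for s in ("MSSQLSvc/db1", "HTTP/web1", "CIFS/fs1", "LDAP/dc1", "HOST/app1")]
PRIVILEGED = {"svc_backup", "Administrator"}   # accounts worth alerting on (assumed)
KNOWN_SOURCES = {"svc_backup": {"10.0.0.5"}}    # baseline of usual logon sources
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare

def parse_fortios(line):
    """Turn one key=value audit line into a dict."""
    return {k: q if q else b for k, q, b in KV.findall(line)}

def hunt_sniffer(lines):
    """Flag CLI executions of the packet sniffer on the appliance."""
    hits = []
    for rec in map(parse_fortios, lines):
        if rec.get("action") == "execute" and "diagnose sniffer packet" in rec.get("msg", ""):
            hits.append((rec.get("user"), rec.get("ui"), rec["msg"]))
    return hits

def hunt_ad(events, privileged=PRIVILEGED, known=KNOWN_SOURCES, burst=5):
    """Flag privileged type-3 logons from unseen sources and 4769 bursts."""
    alerts, tickets = [], defaultdict(set)
    for e in events:
        user = e["user"]
        if user not in privileged:
            continue
        if e["id"] == 4624 and e["logon_type"] == 3 and e["src"] not in known.get(user, set()):
            alerts.append(("new-source network logon", user, e["src"]))
        elif e["id"] == 4769:
            tickets[user].add(e["service"])
    for user, svcs in tickets.items():
        if len(svcs) >= burst:   # one account requesting many distinct SPNs
            alerts.append(("service-ticket burst", user, len(svcs)))
    return alerts
```

In production the baseline in KNOWN_SOURCES would come from historical 4624 data per account, and the sniffer hit list should be reconciled against change tickets before treating it as confirmed compromise.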
“Threat actors deployed a Golang-based tool called 'FortigateSniffer' that abused FortiOS's built-in diagnose sniffer packet functionality to harvest authentication credentials from network traffic” — BleepingComputer
“Fortinet states the attack does not exploit new vulnerabilities, but rather reuses credentials from prior incidents ... combined with brute-force techniques against systems lacking strong passwords and MFA” — SecurityWeek