
FortiBleed: Am I impacted?

 

FortiBleed Campaign Update: What Fortinet Customers Should Know

SecureCyber is aware of the ongoing campaign against Fortinet firewalls that SOCRadar and HudsonRock have referred to as “FortiBleed.”

It is important to clarify that this campaign is not tied to a current or active vulnerability in Fortinet firewalls. Instead, the activity appears to involve the use of previously stolen credentials or weak, easily guessed passwords associated with FortiGate management accounts.

Why SecureCyber-Managed Firewalls Are Protected

For customers with SecureCyber-managed firewalls, administrative security controls are already in place to reduce this risk. Our standard management practices include:

  • Restricted management interface access
  • Multi-factor authentication for administrative access
  • Strong password requirements
  • Monitoring and verification of configuration changes
  • Ongoing patching and maintenance to keep firewalls current

These controls are designed to help protect managed environments from unauthorized access attempts involving compromised credentials.

If Your Organization Manages Its Own Firewall

If your team manages its own FortiGate firewall, we recommend taking the following steps immediately:

  • Check the HudsonRock and SOCRadar lookup tools listed below to determine whether your organization appears in the published datasets
  • Review administrative account security, including multi-factor authentication
  • Enable MFA for all VPN users, not only administrators
  • Confirm that management access is not exposed on public-facing interfaces
  • Verify that access is appropriately restricted through Trusted Hosts or Local-In Policies
  • Change passwords for local administrative accounts, especially where older password hash formats may still be in use
  • Run your firewall on the latest mature Fortinet firmware, downloaded directly from Fortinet Support

If you are unsure how to implement any of these items, or whether they are already in place on your firewall, SecureCyber can help with a FortiGate Health Check.

Lookup Tools

Ongoing SecureCyber Review

The campaign datasets are now searchable, and SecureCyber analysts and engineers are reviewing the available information to better understand threat actor methods and gather relevant threat intelligence.

Need Help?

If you find your organization’s information in either dataset, or if you have questions about your Fortinet environment, contact SecureCyber for incident response support and guidance.

  • 24/7 Incident Response: 937-388-4405
  • Email: sales@secdef.com
  • Contact SecureCyber Service Desk