In June, FortiBleed hit ~74,000 internet-facing FortiGate firewalls across 194 countries. It’s not a new vulnerability: Fortinet says it involves reused credentials and brute-forcing weak, MFA-less devices (meaning there’s no CVE or patch, just working admin/VPN passwords). Huntress cross-referenced the listed IP addresses against their own data corpus and identified 845 partner organizations specifically impacted by this credential dump.
What’s notable is the methodology, which Huntress has unique telemetry into. Attackers:
Brute-forced credentials and cracked hashes with Hashcat on GPU infrastructure via vast[.]ai
Used access to harvest NTLM and Kerberos hashes from internal network traffic (via packet sniffing on the Fortigate device itself)
Persisted via a Telegram-based C2 bot
Created backdoor accounts: admin
fgt_adminand SSLVPN usersslvpn