Security firm SOCRadar says the large-scale FortiBleed campaign targeting Fortinet FortiGate devices used custom sniffers to harvest authentication secrets from compromised firewalls and steal credentials.
The report, published today, expands on the company's previous research into the large-scale "FortiBleed" campaign, which revealed a collection of Fortinet VPN credentials associated with more than 80,000 firewall URLs worldwide.
According to SOCRadar, the operation targeted more than 430,000 FortiGate firewalls worldwide and has been active since at least February 2026.
The researchers say the threat actor behind this campaign serves as an initial access broker (IAB), using credential stuffing, brute-force attacks, credential harvesting, and offline password cracking to obtain access to corporate networks.
One of the researchers' findings is the alleged use of a Golang-based tool dubbed "FortigateSniffer," which abuses FortiOS's built-in diagnose sniffer packet functionality to capture authentication traffic traversing compromised FortiGate devices.
According to SOCRadar, the attackers abused this legitimate feature on compromised devices to steal credentials from network traffic passing through the firewall.
SOCRadar says the tool was designed to monitor traffic for credentials, password hashes, and authentication secrets from various protocols, including RADIUS, NTLM, Kerberos, and LDAP.
"The tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract credentials from network flows," SOCRadar said in the report.
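Because the sniffer is a legitimate built-in FortiOS feature, the defensive angle is to audit who runs it and what traffic it is pointed at. The following is an added example (not code from SOCRadar, Fortinet, or the report) that scans constructed, simplified key="value" event-log lines for executions of `diagnose sniffer packet` and flags capture filters aimed at authentication ports; the log schema and the port-to-protocol mapping are assumptions for illustration, not a verbatim FortiOS format.

```python
import re

# Constructed sample log lines in a simplified FortiGate-style key="value"
# layout (illustrative only; real FortiOS event logs carry more fields).
SAMPLE_LOGS = [
    'date=2026-03-02 time=09:14:11 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.7)" msg="diagnose sniffer packet any \'port 1812 or port 389\' 6 0 a"',
    'date=2026-03-02 time=09:20:45 type="event" subtype="system" user="netops" '
    'ui="https(10.0.0.5)" msg="config system interface"',
    'date=2026-03-02 time=11:02:03 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.7)" msg="diagnose sniffer packet port1 \'tcp port 88\' 3"',
    'date=2026-03-02 time=12:00:00 type="event" subtype="vpn" user="alice" '
    'msg="SSL tunnel established"',
]

# key=value or key="quoted value" pairs; quoted values may contain escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed mapping of well-known ports to the authentication protocols the
# report names (RADIUS, LDAP, Kerberos, NTLM over SMB).
AUTH_PORTS = {"1812": "RADIUS", "1813": "RADIUS", "389": "LDAP",
              "636": "LDAP", "88": "Kerberos", "445": "NTLM/SMB"}

def parse_kv(line):
    """Split one log line into a dict, stripping surrounding double quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}

def find_sniffer_events(lines):
    """Return one alert per sniffer invocation, noting auth protocols in its filter."""
    alerts = []
    for line in lines:
        fields = parse_kv(line)
        msg = fields.get("msg", "")
        if not msg.startswith("diagnose sniffer packet"):
            continue
        ports = re.findall(r"port (\d+)", msg)
        protocols = sorted({AUTH_PORTS[p] for p in ports if p in AUTH_PORTS})
        alerts.append({
            "when": f"{fields.get('date')} {fields.get('time')}",
            "user": fields.get("user"),
            "source": fields.get("ui"),
            "auth_protocols": protocols,   # empty list means no known auth port in filter
            "command": msg,
        })
    return alerts

if __name__ == "__main__":
    for alert in find_sniffer_events(SAMPLE_LOGS):
        print(alert)
```

Every sniffer invocation is reported, not only those with a recognisable authentication port, since an attacker can capture on an interface with no filter at all.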
While Fortinet told BleepingComputer last week that this incident is a collection of previously compromised credentials rather than a new vulnerability or incident, SOCRadar's report describes an ongoing campaign that is actively compromising FortiGate VPN devices.
Sniffing for credentials