Massive Credential Harvesting Operation Targets Fortinet Devices to Enable Ransomware Attacks
Cybersecurity researchers have uncovered a large-scale campaign dubbed "FortiBleed," in which threat actors allegedly compromised internet-facing Fortinet security appliances to conduct extensive network sniffing and harvest sensitive credentials. Investigators believe the operation is directly supporting ransomware attacks by providing cybercriminals with unauthorized access to enterprise networks.
Unlike conventional ransomware campaigns that rely primarily on phishing emails or software vulnerabilities, the FortiBleed operation focuses on silently capturing network traffic, authentication credentials, and session data before ransomware is deployed.
Security experts warn that organizations using affected network security devices should immediately review their environments, apply available security updates, and investigate for indicators of compromise.
What Is FortiBleed?
FortiBleed is the name researchers have given to a coordinated cyber campaign targeting vulnerable or compromised Fortinet network security appliances.
Rather than immediately encrypting systems, the attackers first establish persistence and monitor network traffic to collect valuable information, including:
- User credentials
- Authentication tokens
- VPN session data
- Administrative logins
- Internal network communications
- Configuration information
The stolen data is then believed to be used to facilitate follow-on ransomware attacks or sold to other cybercriminal groups operating under the Ransomware-as-a-Service (RaaS) model.
How the Attack Works
According to researchers, the campaign follows a multi-stage attack chain designed to maximize long-term access before launching disruptive attacks.
Initial Access
Threat actors obtain access to internet-facing network devices through:
- Exploitation of known vulnerabilities
- Weak or reused credentials
- Misconfigured remote access services
- Previously compromised accounts
Network Sniffing
Once inside, attackers deploy packet-sniffing capabilities that allow them to monitor network communications and capture sensitive authentication information.
This enables the collection of:
- VPN credentials
- Session cookies
- Administrative passwords
- Authentication headers
- Internal traffic metadata
Persistence
The attackers establish persistent access to maintain long-term visibility into the environment while avoiding detection.
Ransomware Deployment
After gathering sufficient intelligence, the compromised environment may be handed over to ransomware operators, who use the stolen credentials to move laterally, disable security controls, exfiltrate data, and encrypt systems.
Why Credential Harvesting Matters
Credential theft has become one of the most effective techniques used by modern ransomware groups.
Instead of relying solely on malware or vulnerability exploitation, attackers increasingly use legitimate credentials to:
- Bypass security controls
- Escalate privileges
- Access sensitive systems
- Move laterally across networks
- Disable endpoint security solutions
Using valid credentials often makes malicious activity more difficult for traditional security tools to detect.
Industries Potentially at Risk
Organizations using internet-facing security appliances may face elevated risk, particularly those operating critical infrastructure or large enterprise networks.
Potentially affected sectors include:
- Financial services
- Government agencies
- Healthcare
- Telecommunications
- Manufacturing
- Education
- Energy and utilities
- Technology companies
Because network security appliances often serve as gateways into corporate environments, compromising them can provide attackers with broad visibility across an organization's infrastructure.
Connection to Ransomware Operations
Researchers believe FortiBleed functions as an initial access operation rather than a standalone ransomware campaign.
This reflects an increasingly common cybercrime business model in which specialized groups perform different stages of an attack.
Typical workflow:
- Initial access brokers compromise networks.
- Credential harvesting operations collect authentication data.
- Access is sold or shared with ransomware affiliates.
- Ransomware groups conduct data theft and encryption.
- Victims face double-extortion demands.
This specialization allows cybercriminal groups to scale attacks more efficiently.
Recommended Mitigation Measures
Organizations should immediately evaluate their exposure and strengthen defensive controls.
Apply Security Updates
Install the latest firmware and security patches for all Fortinet appliances and related infrastructure.
Review Authentication Logs
Investigate unusual VPN logins, administrator activity, and failed authentication attempts.
Rotate Credentials
Reset passwords and revoke authentication tokens that may have been exposed.
Enable Multi-Factor Authentication (MFA)
MFA significantly reduces the effectiveness of stolen credentials.
Monitor Network Traffic
Deploy network detection and response (NDR) tools capable of identifying unusual traffic patterns and packet-sniffing behavior.
Conduct Threat Hunting
Search for indicators of compromise, unauthorized processes, unexpected configuration changes, and suspicious outbound communications.
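The log-review and threat-hunting steps above can be turned into a repeatable check. The following is an added example, not code from the article or from Fortinet: it parses a constructed, simplified key=value log format (not real FortiOS syslog), flags administrator logins from outside an assumed management network, configuration changes that touch a packet-capture object, bursts of failed VPN logins followed by a success, off-hours VPN access, and large outbound transfers to a non-standard port, then lists the accounts whose credentials should be rotated. The network allowlist, thresholds, and log lines are all assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified key=value format (not a real
# appliance log format). Addresses are documentation ranges.
SAMPLE_LOGS = """\
ts=2024-05-01T02:13:05 type=vpn user=jsmith src=203.0.113.7 result=success
ts=2024-05-01T02:14:10 type=admin user=admin src=203.0.113.7 result=success
ts=2024-05-01T02:15:00 type=config user=admin src=203.0.113.7 action=modify object=sniffer
ts=2024-05-01T09:01:22 type=vpn user=jsmith src=198.51.100.20 result=success
ts=2024-05-01T09:02:00 type=vpn user=mlee src=198.51.100.21 result=failed
ts=2024-05-01T09:02:05 type=vpn user=mlee src=198.51.100.21 result=failed
ts=2024-05-01T09:02:09 type=vpn user=mlee src=198.51.100.21 result=failed
ts=2024-05-01T09:02:14 type=vpn user=mlee src=198.51.100.21 result=failed
ts=2024-05-01T09:02:20 type=vpn user=mlee src=198.51.100.21 result=success
ts=2024-05-01T09:30:00 type=conn src=10.0.0.5 dst=192.0.2.44 dport=4444 bytes=52000000
"""

# Assumed management network from which admin logins are expected.
KNOWN_ADMIN_NETWORKS = ["198.51.100.0/24"]


def parse_logs(text):
    """Turn key=value lines into dicts; the ts field becomes a datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = dict(tok.split("=", 1) for tok in line.split())
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def hunt(records, admin_networks=KNOWN_ADMIN_NETWORKS, business_hours=(8, 18),
         fail_threshold=3, fail_window=timedelta(minutes=5), exfil_bytes=10_000_000):
    """Return (rule, subject, detail) findings for the hunting rules described above."""
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    findings = []
    failures = defaultdict(list)  # user -> timestamps of recent failed VPN logins
    for r in records:
        kind = r.get("type")
        if kind == "admin" and r.get("result") == "success":
            # Administrative login from outside the management network.
            src = ipaddress.ip_address(r["src"])
            if not any(src in n for n in nets):
                findings.append(("admin_login_untrusted_source", r["user"], r["src"]))
        elif kind == "config" and r.get("object") in {"sniffer", "packet-capture"}:
            # Configuration change enabling traffic capture on the appliance.
            findings.append(("sniffer_config_change", r["user"], r["src"]))
        elif kind == "vpn":
            if r.get("result") == "failed":
                failures[r["user"]].append(r["ts"])
            elif r.get("result") == "success":
                # Password guessing: several failures then a success within the window.
                recent = [t for t in failures[r["user"]] if r["ts"] - t <= fail_window]
                if len(recent) >= fail_threshold:
                    findings.append(("password_guessing_then_success", r["user"], r["src"]))
                failures[r["user"]].clear()
                # VPN access outside the assumed business-hours window.
                if not (business_hours[0] <= r["ts"].hour < business_hours[1]):
                    findings.append(("off_hours_vpn_login", r["user"], r["src"]))
        elif kind == "conn" and int(r.get("bytes", 0)) >= exfil_bytes:
            # Large outbound transfer, a candidate for data exfiltration.
            findings.append(("large_outbound_transfer", r["src"],
                             f"{r['dst']}:{r['dport']}"))
    return findings


def accounts_to_rotate(findings):
    """Accounts named in any authentication or configuration finding."""
    return sorted({subj for rule, subj, _ in findings if rule != "large_outbound_transfer"})


if __name__ == "__main__":
    found = hunt(parse_logs(SAMPLE_LOGS))
    for rule, subject, detail in found:
        print(f"{rule:32} {subject:12} {detail}")
    print("rotate credentials for:", ", ".join(accounts_to_rotate(found)))
```

Run against real appliance logs, the parser and the field names would need to be adapted to the actual export format, and the allowlist and thresholds tuned to the environment; the value of the structure is that each finding maps to one of the mitigation steps (investigate, rotate, hunt) rather than producing an undifferentiated alert stream.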
The Bigger Picture
The FortiBleed campaign illustrates how ransomware operations are evolving beyond simple malware deployment.
Modern cybercriminal groups increasingly prioritize stealth, persistence, and intelligence gathering before launching disruptive attacks.
Credential theft, network monitoring, and access brokerage have become essential components of the ransomware ecosystem, allowing attackers to maximize operational impact while reducing the likelihood of early detection.
For defenders, this shift underscores the importance of continuous monitoring, Zero Trust architecture, and rapid patch management.
Conclusion
The FortiBleed campaign serves as a stark reminder that network security devices themselves can become high-value targets for cybercriminals.
By harvesting credentials and monitoring enterprise traffic, attackers can silently prepare environments for devastating ransomware attacks without immediately revealing their presence.
Organizations should treat internet-facing security appliances as critical assets, ensure they are fully patched, enable strong authentication, and continuously monitor for suspicious activity.
As ransomware groups continue to evolve, preventing credential theft at the network perimeter will remain one of the most effective strategies for reducing organizational risk.