Tens of thousands of devices hacked in 'FortiBleed' attack
What's the story
A massive hacking campaign, dubbed "FortiBleed," has compromised tens of thousands of Fortinet firewalls and VPNs used by major global companies. The attack was first reported by security researcher Bob Diachenko over the weekend. Hudson Rock and SOCRadar later published reports about it this week. They revealed that the hackers are exploiting a basic issue: companies may not be changing passwords to the firewall or using credentials already known to hackers for sensitive systems exposed on the internet.
Attack method
Automated tools to scan internet for exposed Fortinet devices
The hackers behind the FortiBleed campaign are using automated tools to scan the internet for exposed Fortinet firewalls and VPNs. They then break into these devices using lists of previously known passwords. Once inside, they can steal more sensitive data from the victim companies, Hudson Rock and SOCRadar reported. The stolen credentials are then fed back into their scanners to compromise even more devices, creating a self-sustaining system.
Scale of breach
Attackers have compromised over 30,000 devices
The scale of the FortiBleed attack is staggering. Hudson Rock found evidence that more than 73,000 unique Fortinet URLs have been hacked. SOCRadar reported that over 30,000 devices have been compromised in total. The countries most affected by this attack are India, the US, Taiwan, and Mexico, with IT services, construction materials, and telecommunications industries being the hardest hit.
Attack evolution
FortiBleed different from previous attacks on Fortinet devices
Notably, the FortiBleed attack is different from previous campaigns that targeted and compromised Fortinet devices by exploiting vulnerabilities in those systems. This time, the hackers are using leaked passwords, making it a simpler and less sophisticated attack. Independent cybersecurity researcher Kevin Beaumont confirmed the legitimacy of Diachenko's findings in a blog post on Wednesday.