
74,000 FortiGate devices exposed: CISA orders immediate credential reset

The FortiBleed campaign leaked credentials for 74,000 Fortinet devices; CISA warns of active exploitation in the public and private sectors.

Tags: cisa, fortinet, fortigate, fortibleed, ssl vpn, cybersecurity

CISA just dropped an emergency alert: roughly 74,000 internet-accessible Fortinet devices have had credentials leaked in the wild under a campaign called FortiBleed. Half of the internet-facing FortiGate fleet may already be compromised, and attackers aren't waiting for an invitation.

FortiBleed's Scope: 74,000 Devices and Counting

Multiple threat intelligence firms - Tech Times, SOCRadar, Hudson Rock, Arctic Wolf - all independently tracked this. The numbers converge around 74,000 FortiGate firewalls and SSL VPN gateways, spanning 194 countries. Government and private sector alike. These aren't theoretical vulnerabilities; they're leaked credentials being actively used to log in.

CISA's Playbook: Terminate, Reset, Harden

CISA's guidance is refreshingly blunt. Terminate all active SSL VPN and administrative sessions right now. Reset every Fortinet VPN and admin password, especially on internet-facing systems. Review your firewall, VPN, authentication, and domain controller logs for lateral movement or suspicious accounts. Enable phishing-resistant MFA on all remote access and admin accounts, enforced on every external gateway.

Lock down management access too. If your FortiGate administration interface is reachable from the public internet, that's a priority fix. Restrict it to trusted internal networks. Remove or disable any unauthorized accounts.

The One Setting That Matters: PBKDF2

Here's the technical detail most teams will miss. CISA explicitly calls out confirming your use of the Password-Based Key Derivation Function 2 (PBKDF2) algorithm to store administrator credentials. Fortinet's guidance in FortiOS v7.2.11 and later tells you how to enforce it. Weak legacy hashes need to die. If you're still on an old hash, your admin passwords might as well be plaintext.
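To make the PBKDF2 point concrete, here is an added example (not Fortinet's code, and not FortiOS's actual storage format) showing what "salted, iterated PBKDF2" buys over an unsalted single-pass hash: a hasher, a constant-time verifier, and an audit helper that flags stored credentials that are legacy or under-iterated. The `pbkdf2-sha256$iters$salt$hash` string layout and the iteration threshold are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumed for this example, not Fortinet's values).
PBKDF2_ITERATIONS = 600_000   # work factor per guess; raise as hardware allows
MIN_ACCEPTABLE_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_admin_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                        salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash, encoded as
    pbkdf2-sha256$<iterations>$<salt_b64>$<dk_b64> (constructed format)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "pbkdf2-sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_admin_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt/iterations and compare
    in constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    int(iters), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def legacy_hash(password: str) -> str:
    """Unsalted single-pass hash standing in for a weak legacy scheme:
    one cheap operation per guess and identical output for identical passwords."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def audit_stored_hash(stored: str) -> str:
    """Classify a stored credential as 'ok', 'weak-pbkdf2' (too few
    iterations) or 'legacy' (not PBKDF2 at all)."""
    parts = stored.split("$")
    if parts[0] != "pbkdf2-sha256" or len(parts) != 4:
        return "legacy"
    return "ok" if int(parts[1]) >= MIN_ACCEPTABLE_ITERATIONS else "weak-pbkdf2"
```

Run `audit_stored_hash` over every stored admin credential string in your own format and treat anything that is not `ok` as a reset-now item.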

What Comes Next

This campaign isn't slowing down. Attackers move faster than most patch cycles. The 74,000 figure is a snapshot, and more credentials will surface. The playbook is clear: terminate, reset, harden, and don't skip PBKDF2. Your FortiGate's admin password is the key to your entire network. Treat it like one that's already been copied.


Source: CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure
Domain: cisa.gov
