Nearly 74,000 Fortinet Devices Exposed Credentials in 194 Countries

Fortinet firewalls exposed plaintext credentials for nearly 74,000 devices across 194 countries, according to researchers who traced the breach through the attackers' own infrastructure. The exposed logins gave Russian-speaking attackers near-unrestricted access inside organizations including Oracle, Chevron, Lenovo, Federal Express, a NATO defense contractor, and Fortinet itself.


Bob Diachenko and the stolen logins

Bob Diachenko, a security researcher and head of SecurityDiscovery.com, said he found the data after gaining access to the attackers' command-and-control server and other infrastructure. The exposed records included, for each compromised organization, its industry, revenue, and employee count, which turns the leak into an operational map of who was hit rather than a raw credential dump.

Fortinet firewalls and central access

Security researcher Kevin Beaumont said almost all of the compromised devices were still online as of Wednesday morning, and that he had confirmed with multiple organizations listed in the attackers' logs that the credentials were real and current.

In many cases the attackers moved from the firewalls into centralized authentication systems such as RADIUS servers and Microsoft Active Directory. A firewall that authenticates VPN users against those backends holds a bind account or shared secret for them and relays the credentials users submit at its login page, so compromising it yields domain credentials rather than only appliance logins. That put the breach beyond the edge device itself and into the systems that control who can log in across a network.

25,000 threads and 45 GPUs

Hudson Rock said the attackers mass-scanned the Internet for FortiGate remote-login endpoints and then password-sprayed hundreds of thousands of them with thousands of username and password combinations, using a custom binary that ran 25,000 threads.
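The spray described above has a distinctive footprint in the firewall's own logs: one source address failing logins for many different accounts in a short window, sometimes followed by a success from the same address. The following detector is an added example, not code from the article or from Hudson Rock's research. It runs over constructed log lines that follow the key=value layout of FortiOS event logs (fields such as date, time, action, remip, user), but every address, username and timestamp is invented, and treating action="tunnel-up" as the "login succeeded" signal is an assumption made for the example.

```python
"""Password-spray detection over FortiGate-style SSL VPN event logs.

Added example; not from the article or from Hudson Rock's research.
The sample lines below are constructed. They follow the key=value layout
of FortiOS event logs (date, time, action, remip, user), but every
address, username and timestamp is invented, and using action="tunnel-up"
as the "login succeeded" signal is an assumption for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
date=2024-05-01 time=03:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="admin" reason="sslvpn_login_unknown_user"
date=2024-05-01 time=03:00:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="jsmith" reason="sslvpn_login_permission_denied"
date=2024-05-01 time=03:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="svc_backup" reason="sslvpn_login_permission_denied"
date=2024-05-01 time=03:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="mgarcia" reason="sslvpn_login_permission_denied"
date=2024-05-01 time=03:00:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="rwhite" reason="sslvpn_login_permission_denied"
date=2024-05-01 time=03:00:06 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="tlee" reason="sslvpn_login_permission_denied"
date=2024-05-01 time=03:01:30 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="mgarcia" tunneltype="ssl-tunnel"
date=2024-05-01 time=03:05:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.20 user="jsmith" reason="sslvpn_login_permission_denied"
date=2024-05-01 time=03:05:10 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.20 user="jsmith" reason="sslvpn_login_permission_denied"
date=2024-05-01 time=03:05:20 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.20 user="jsmith" reason="sslvpn_login_permission_denied"
date=2024-05-01 time=03:05:30 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.20 user="jsmith" reason="sslvpn_login_permission_denied"
date=2024-05-01 time=03:09:00 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.55 user="bob" reason="sslvpn_login_permission_denied"
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failed logins cover >= min_users distinct accounts
    inside any sliding window, and list logins from that IP after the spray began."""
    failures = defaultdict(list)   # remip -> [(timestamp, user)]
    successes = defaultdict(list)  # remip -> [(timestamp, user)]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if any(k not in ev for k in ("date", "time", "remip", "user")):
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        if ev.get("action") == "ssl-login-fail":
            failures[ev["remip"]].append((ts, ev["user"]))
        elif ev.get("action") == "tunnel-up":  # assumed success indicator
            successes[ev["remip"]].append((ts, ev["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window's left edge until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {user for _, user in events[start:end + 1]}
            if len(users) < min_users:
                continue
            alert = alerts.setdefault(ip, {
                "first_fail": events[start][0], "last_fail": events[end][0],
                "sprayed_users": set()})
            alert["sprayed_users"] |= users
            alert["last_fail"] = events[end][0]

    for ip, alert in alerts.items():
        alert["sprayed_users"] = sorted(alert["sprayed_users"])
        # a successful login from the spraying IP after the spray began means
        # a credential landed: that account needs a reset, not just a block
        alert["later_logins"] = [
            (ts.isoformat(), user) for ts, user in sorted(successes.get(ip, []))
            if ts >= alert["first_fail"]]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_spray(SAMPLE_LOGS).items():
        print(ip, alert["first_fail"], "->", alert["last_fail"],
              "accounts:", ", ".join(alert["sprayed_users"]),
              "later logins:", alert["later_logins"] or "none")
```

The distinct-account threshold is what separates a spray from a single-account brute force: the second source in the sample hammers one user four times and is not flagged, while the first source touches six accounts in five seconds and then logs in as one of them. On a real deployment the window and threshold should be tuned against the device's normal failure rate, and the logs should be read from the syslog collector rather than the device, since an attacker with admin access to the firewall can clear its local log.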


The same group also intercepted SSL VPN authentication hashes and cracked them on a dedicated 45-GPU cluster managed through Hashtopolis, a distributed front end for hashcat. Hudson Rock said that method led to full network compromises at multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey, and that classified defense documents were exfiltrated from a Turkish NATO defense contractor.

The uncomfortable detail for network defenders is scale. The compromised devices represented roughly half of all Internet-facing Fortinet firewalls visible through Shodan polling, and the exposed data covered nearly 74,000 devices behind more than 21,000 IP addresses.

The open question is whether the affected organizations have fully reset the credentials tied to those exposed firewalls, RADIUS servers, and Microsoft Active Directory systems before the attackers reuse them. Resetting the firewall's local admin account is not enough on its own: any domain password sprayed or cracked through the VPN, and any bind account or shared secret the firewall used to reach the backend, is compromised as well.
