8 Days After FortiBleed: What We Know Now [Flash Report]
This blog is a summary of our latest Flash Report, “FortiBleed Campaign”, written by CybelAngel REACT analysts. Get in touch here to access the full report.
What is FortiBleed?
On June 13, 2026, security researcher Volodymyr “Bob” Diachenko located an internet-exposed server tied to an active credential harvesting operation. The campaign became widely public on June 17, 2026. CISA issued a hardening alert on June 18, 2026.
The operation, now known as FortiBleed, is a mass credential harvesting campaign targeting internet-facing Fortinet FortiGate VPN devices across 194 countries. The exposed server, located at 85[.]11[.]187[.]8 in Poland, ran an open directory exposing 319 operational files without authentication: credential databases, custom scanning and sniffing tooling, deployment scripts, job logs, and victim data sorted by revenue tier.
The campaign was publicly attributed to Initial Access Broker SantaAd. It remains active as of June 25, 2026.
How the attack worked
FortiBleed operated as an automated, multi-stage pipeline.
In the first stage, the operators ran high-concurrency validation of regional FortiGate target lists, capturing session traffic and deleting packet captures after processing to limit forensic traces.
In the second stage, captured traffic was parsed offline across multiple protocols including NTLMv1/v2, Kerberos, HTTP, LDAP, MSSQL, MySQL, FTP, Telnet, RADIUS, SNMP, and SSH. Privileged accounts were flagged separately.
In the third stage, hashes were cracked offline using Vast.ai-rented GPUs via Hashtopolis and Hashcat, controlled through a Telegram bot. The same infrastructure was used to run mass brute-forcing against approximately 163,650 MSSQL hosts in parallel.
In the fourth stage, operators used Impacket over the compromised VPN to pivot into internal networks, conducting Active Directory auditing, AS-REP and Kerberoasting attacks, password spraying, and session cookie reuse for persistent VPN access.
A notable finding from the REACT team’s analysis: the operators established persistence by planting backdoor administrative accounts whose names imitate legitimate Fortinet services. The same username and password pairs were found recurring across thousands of distinct devices, confirming these were planted rather than discovered credentials. Account names identified include forticloud-sync, forticloud-tech, support_fortinet, fgtsecure, fgtsec, Technical_support, fortinetadmin, and tech-fortinet.
Who is behind it: initial access broker SantaAd
SantaAd is a Russian-speaking threat actor active on Exploit[.]in, XSS, and WWH-Club since early 2025, operating under the alternate handles Anon_1315047618 and Lmm on WWH-Club, and BioHack and diamond on XSS. The actor specialises in Initial Access Sales involving Fortinet firewalls and VPN gateways.
At least seven publications related to FortiGate were identified under the SantaAd identity, posted between February 2025 and June 2026. As of April 2025, the actor claimed to have a large amount of FortiVPN access available for sale.
On June 17, 2026, SantaAd indirectly indicated involvement in the FortiBleed campaign by referencing public reporting on it in a relevant auction thread. The actor initially sought up to $50,000 for the credentials and increased the asking price to $120,000 after the campaign gained public attention.
The exposed server at 85[.]11[.]187[.]8 is assessed as operationally tied to SantaAd’s activity based on converging technical indicators identified during the REACT team’s investigation.
What CybelAngel found
CybelAngel’s REACT team obtained the sorted credential output file, fsd_sort.txt, recovered from the attacker’s open directory. The team searched it against all monitored CybelAngel customer assets. Clients for whom one or more matches were identified received a dedicated alert.
The full technical findings, attack chain analysis, indicators of compromise, and network infrastructure details are available in the CybelAngel Flash Report published June 25, 2026.
Frequently asked questions
Yes. As of June 25, 2026, the threat actor behind the FortiBleed campaign remains active and portions of the infrastructure continue to operate.
FortiBleed is a credential harvesting campaign, not a software vulnerability. There is no CVE associated with the campaign. The attack exploited credentials rather than a flaw in FortiOS.
CybelAngel cross-referenced the recovered credential dataset against all monitored customer assets. If your assets were found in the dataset, you will have already received a dedicated alert from our team. For any questions, please contact your Customer Success Manager.
The REACT team identified the following account names planted by the operators on compromised devices: forticloud-sync, forticloud-tech, support_fortinet, fgtsecure, fgtsec, Technical_support, fortinetadmin, adminin, and tech-fortinet. These names are designed to imitate legitimate Fortinet service accounts.
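The backdoor account names above (and in the attack-chain section) are the most directly actionable indicator on a defender's own devices. The following is an added example, not CybelAngel's or Fortinet's code: it parses the `config system admin` block of a FortiGate CLI configuration export and flags any administrator that either matches one of the listed names or is absent from the site's approved admin inventory. The configuration excerpt is constructed for the example.

```python
import re

# Backdoor administrator names listed in the report (copied from the page).
FORTIBLEED_ACCOUNT_NAMES = {
    "forticloud-sync", "forticloud-tech", "support_fortinet", "fgtsecure",
    "fgtsec", "Technical_support", "fortinetadmin", "adminin", "tech-fortinet",
}
_FORTIBLEED_LOWER = {n.lower() for n in FORTIBLEED_ACCOUNT_NAMES}

# Constructed sample of a FortiGate CLI config export (not real victim data).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "forticloud-sync"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set accprofile "prof_admin"
    next
end
"""


def parse_admin_accounts(config_text):
    """Return the admin usernames declared in the 'config system admin' block."""
    block = re.search(r"config system admin\n(.*?)\nend", config_text, re.S)
    if not block:
        return []
    return re.findall(r'^\s*edit "([^"]+)"', block.group(1), re.M)


def find_suspicious_admins(config_text, expected_admins):
    """Flag admins that match a FortiBleed name or are not in the approved inventory."""
    findings = []
    for name in parse_admin_accounts(config_text):
        if name.lower() in _FORTIBLEED_LOWER:
            findings.append((name, "matches FortiBleed backdoor account name"))
        elif name not in expected_admins:
            findings.append((name, "not in approved admin inventory"))
    return findings


if __name__ == "__main__":
    # Only "admin" is approved here; the planted account and the unknown one are reported.
    for name, reason in find_suspicious_admins(SAMPLE_CONFIG, {"admin"}):
        print(f"{name}: {reason}")
```

Run it against a fresh `show system admin` export from each device; an unexpected name, whether or not it is on the published list, warrants a credential reset and a review of VPN session logs.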
This marks the initial phase of CybelAngel’s published findings on the FortiBleed campaign. Our REACT team continues to monitor developments and will publish updates as the situation evolves.
