Secure AF - A Cybersecurity Podcast

FortiBleed Attacks: Turning Fortinet Firewalls into Credential Stealers

Alias Cybersecurity


FortiBleed is turning perimeter defenses into attack infrastructure. 

In this episode, we unpack how adversaries exploit FortiOS vulnerabilities, harvest credentials directly from firewalls, and pivot deeper into networks, plus detection strategies, threat hunting tips, and mitigation guidance for SOC teams.


Watch full episodes at youtube.com/@aliascybersecurity.
Listen on Apple Podcasts, Spotify and anywhere you get your podcasts.

SPEAKER_00

Good morning, good afternoon, or good evening, whenever you may be, and welcome to another episode of The SOC Brief. This is your go-to podcast for staying ahead of the ever-evolving world of cybersecurity threats. I'm your host, Andrew, and today we're going to discuss a concerning new campaign actively targeting Fortinet firewalls. Big surprise on that one. Researchers are calling it FortiBleed, and the attackers are using it to turn these security appliances into credential stealers while the attacks continue to spread. We'll discuss how it works, why it's effective, and some practical steps your SOC can take to detect and defend against it.

So let's start with what we know about the FortiBleed attacks. Fortinet firewalls are widely used across enterprise environments because they're reliable, feature-rich, and user-friendly. Unfortunately, attackers have continued to find ways to abuse vulnerabilities in FortiOS, particularly in the SSO VPN and management interfaces of the devices. Once the attackers gain a foothold, they deploy custom tools that turn the firewall itself into a credential harvesting machine. The attackers are stealing credentials from connected users, VPN sessions, and even administrative accounts. And what makes this campaign particularly interesting is that the firewall is both the entry point and the attacker's tool. They're using it to capture usernames and passwords as they flow through the device, then using those stolen credentials to move deeper into the network or just selling them on the dark web. Reports are showing that the attacks have been ongoing for several weeks, with multiple organizations affected across different industries. And because firewalls are supposed to be the gatekeepers for our internal environments, when one gets turned against you, it undermines the entire perimeter. Many organizations don't monitor their firewalls as closely as they should, and this gives attackers a quiet place to operate. The credential stealing aspect also means one compromised firewall can lead to widespread account takeovers.

For detection on this one, SOCs should focus on visibility into their firewall activity. Look for things like unusual administrative logins, unexpected configuration changes, or anomalous traffic patterns coming from the firewall itself. Monitor for signs of credential harvesting, such as spikes in authentication attempts, or any kind of unusual VPN session behaviors. This is another great place for a SIEM, because by integrating the firewall logs into it, you can correlate events across endpoints and the rest of the network to get a much clearer picture of what's happening.

On the prevention side, the most important step is patching, and we talk about that one a lot. Fortinet has already released updates to address the vulnerabilities being exploited, so make sure you're on the latest version. Also, restrict management access to the firewall, and absolutely never expose the admin interface to the internet. Use strong MFA for all your administrative accounts and consider network segmentation so that even if a firewall is compromised, the reach is limited.

For threat hunting, just being proactive and regularly reviewing firewall logs for any kind of suspicious activity. That's a big one. Scan for known FortiBleed indicators and test your incident response plan with a scenario that starts with a compromised perimeter device. Make sure you're sharing this information internally so your network and security teams are aligned on the risk. And this FortiBleed campaign shows that even security devices can be turned into offensive tools.

So here's closing thoughts and a call to action on this one. The ongoing FortiBleed attacks are a reminder that no device is truly immune, especially when it sits at the edge of your network. SOCs really need to monitor logs, patch regularly, and maintain strong segmentation to keep these threats contained. So this week, if you run FortiGates in your environment, review them for exposure and verify that they're fully patched to the latest versions. Run a quick hunt for anomalous activity on those systems and share the findings with your team.

And that's a wrap for this episode of SOC Brief. Have questions or your own firewall stories? Hit us up on social media or via our website. Keep your eyes open, keep sharpening those skills, and we'll talk soon. As always, stay secure out there. Bye.
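The detection advice in the episode (unexpected administrative logins, configuration changes, spikes in authentication attempts) can be expressed as a few simple SIEM-style rules. The script below is an added example written for this page, not code from the podcast, Alias Cybersecurity, or Fortinet. It runs over constructed FortiGate-style key=value log lines; the field names (`type`, `subtype`, `action`, `status`, `user`, `srcip`, `cfgpath`) approximate Fortinet's log style and are an assumption to be checked against your own FortiOS log reference, and the IP addresses, user names, allowlist and thresholds are all constructed sample values.

```python
"""Three firewall-log detection heuristics over constructed FortiGate-style events.

Added example, not project code. Field names are an approximation of the
FortiGate key=value log layout (assumed); all sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    'date=2025-01-10 time=08:00:01 type=event subtype=system action=login status=success user="admin" srcip=10.0.0.5 ui=https',
    'date=2025-01-10 time=08:00:10 type=event subtype=system action=login status=failed user="admin" srcip=203.0.113.7 ui=https',
    'date=2025-01-10 time=08:00:12 type=event subtype=system action=login status=failed user="admin" srcip=203.0.113.7 ui=https',
    'date=2025-01-10 time=08:00:14 type=event subtype=system action=login status=failed user="admin" srcip=203.0.113.7 ui=https',
    'date=2025-01-10 time=08:00:16 type=event subtype=system action=login status=failed user="admin" srcip=203.0.113.7 ui=https',
    'date=2025-01-10 time=08:00:18 type=event subtype=system action=login status=failed user="admin" srcip=203.0.113.7 ui=https',
    'date=2025-01-10 time=08:00:30 type=event subtype=system action=login status=success user="admin" srcip=203.0.113.7 ui=https',
    'date=2025-01-10 time=08:01:00 type=event subtype=system action=Edit user="admin" srcip=203.0.113.7 cfgpath="system.admin" msg="Edit system.admin"',
    'date=2025-01-10 time=09:00:00 type=event subtype=vpn action=tunnel-up user="jsmith" srcip=198.51.100.20',
]

# Assumed management jump hosts: admin logins from anywhere else are suspicious.
ADMIN_ALLOWLIST = {"10.0.0.5", "10.0.0.6"}
FAILED_LOGIN_THRESHOLD = 5            # failures per source before alerting
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict with a parsed 'ts' timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def detect(lines):
    """Return a list of alert dicts, in log order, for the three rules."""
    alerts = []
    failed = defaultdict(list)   # srcip -> timestamps of recent failed logins
    already_fired = set()        # sources that already raised auth_spike

    for line in lines:
        ev = parse_line(line)
        # Only management-plane (system) events matter for these rules.
        if ev.get("type") != "event" or ev.get("subtype") != "system":
            continue

        if ev.get("action") == "login":
            if ev.get("status") == "failed":
                src = ev["srcip"]
                # Sliding window: keep only failures inside FAILED_LOGIN_WINDOW.
                failed[src] = [t for t in failed[src] + [ev["ts"]]
                               if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
                if len(failed[src]) >= FAILED_LOGIN_THRESHOLD and src not in already_fired:
                    already_fired.add(src)
                    alerts.append({"rule": "auth_spike", "srcip": src, "ts": ev["ts"],
                                   "count": len(failed[src])})
            elif ev.get("status") == "success" and ev["srcip"] not in ADMIN_ALLOWLIST:
                alerts.append({"rule": "admin_login_unexpected_source",
                               "srcip": ev["srcip"], "user": ev.get("user"), "ts": ev["ts"]})

        elif ev.get("action") == "Edit":
            # Any configuration change on the device is worth a review.
            alerts.append({"rule": "config_change", "srcip": ev["srcip"],
                           "user": ev.get("user"), "cfgpath": ev.get("cfgpath"), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

In the constructed sample the same source produces a burst of failed admin logins, then a successful one from outside the allowlist, then a configuration edit; each rule fires once and the VPN event is ignored. Against real exports the allowlist, the window and the threshold are the knobs to tune, and these alerts are most useful when correlated in a SIEM with endpoint and directory logs, as the episode suggests.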
