FortiBleed: CISA Warns of Widespread Fortinet Credential Compromise
The Cybersecurity and Infrastructure Security Agency (**CISA**) has issued an urgent alert regarding a global campaign dubbed 'FortiBleed,' targeting internet-accessible **Fortinet** devices. Malicious actors are exploiting compromised credentials associated with an estimated 74,000 **Fortinet** firewalls and VPN gateways, impacting both government and private sector organizations worldwide. **CISA** urges immediate action to mitigate the significant security risks.
The **FortiBleed** campaign leverages a massive leak of credentials for **Fortinet FortiGate** appliances and their associated **SSL VPN** gateways, exposing a critical weakness in the security posture of the many organizations that rely on them. Because what has been exposed is valid credentials rather than a software flaw, the risk persists until those credentials are reset, which is why this widespread compromise necessitates immediate and decisive action from IT security professionals.
### Critical Steps for Fortinet Customers
**CISA** has outlined a series of essential steps for affected **Fortinet** customers to defend against this malicious activity and secure their infrastructure:
1. **Terminate Sessions and Reset Credentials:** All active **SSL VPN** and administrative sessions must be immediately terminated. Organizations are advised to reset all **Fortinet** VPN and administrative passwords, especially for internet-facing systems, and to enforce robust password policies across the board.
2. **Ensure Secure Credential Storage:** Verify that administrator credentials are being stored using the **Password-Based Key Derivation Function 2 (PBKDF2)** algorithm. Weaker, legacy hash functions should be removed in accordance with **Fortinet**'s guidance.
3. **Review Logs Diligently:** A thorough review of firewall, VPN, authentication, and domain controller logs is crucial. Security teams should look for any indicators of lateral movement, unusual access patterns, suspicious accounts, or unauthorized configuration changes.
4. **Enable Phishing-Resistant Multi-Factor Authentication (MFA):** Implementing phishing-resistant **MFA** is paramount for all remote access and administrative accounts. This security measure must be enforced on all external gateways and administrative interfaces to prevent unauthorized access.
5. **Reduce Attack Surface and Lock Down Management Access:** Organizations should ensure that firewall administration is inaccessible from the public internet. **Fortinet** management interfaces should be restricted to trusted internal networks, and any unauthorized or unnecessary accounts must be removed or disabled.
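As an added illustration of the log review in step 3 (this is example code, not CISA's or Fortinet's), the script below parses FortiGate-style key=value event lines and flags the patterns the guidance names: one remote address failing against many distinct VPN usernames, a tunnel coming up from that same address, an administrator login from outside the trusted management networks, and the addition of a new administrator object. The sample lines, field names, thresholds and trusted networks are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample lines in FortiGate-style key=value syslog format (not real logs).
SAMPLE_LOGS = [
    'date=2026-01-10 time=02:11:03 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip="203.0.113.7"',
    'date=2026-01-10 time=02:11:09 type="event" subtype="vpn" action="ssl-login-fail" user="mgarcia" remip="203.0.113.7"',
    'date=2026-01-10 time=02:11:15 type="event" subtype="vpn" action="ssl-login-fail" user="akhan" remip="203.0.113.7"',
    'date=2026-01-10 time=02:11:21 type="event" subtype="vpn" action="ssl-login-fail" user="bwong" remip="203.0.113.7"',
    'date=2026-01-10 time=02:12:40 type="event" subtype="vpn" action="tunnel-up" user="bwong" remip="203.0.113.7"',
    'date=2026-01-10 time=02:15:02 type="event" subtype="system" action="login" status="success" user="admin" srcip="198.51.100.23"',
    'date=2026-01-10 time=02:16:30 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="svc_backup" user="admin" srcip="198.51.100.23"',
    'date=2026-01-10 time=09:00:00 type="event" subtype="system" action="login" status="success" user="admin" srcip="10.20.30.40"',
]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def analyze(lines, trusted_nets, spray_threshold=3):
    """Return a list of (rule, detail) findings from FortiGate-style event logs."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]  # assumed management ranges
    events = [parse_line(l) for l in lines]
    findings = []
    # Rule 1: one remote IP failing against many distinct usernames (password spraying).
    failed_users = defaultdict(set)
    for e in events:
        if e.get("subtype") == "vpn" and e.get("action") == "ssl-login-fail":
            failed_users[e["remip"]].add(e["user"])
    spray_ips = {ip for ip, users in failed_users.items() if len(users) >= spray_threshold}
    for ip in sorted(spray_ips):
        findings.append(("vpn_password_spray", f"{ip} failed for {len(failed_users[ip])} users"))
    for e in events:
        # Rule 2: a VPN tunnel coming up from a spraying IP suggests a credential worked.
        if e.get("action") == "tunnel-up" and e.get("remip") in spray_ips:
            findings.append(("vpn_success_after_spray", f"{e['user']} from {e['remip']}"))
        # Rule 3: successful admin login from outside the trusted management networks.
        if e.get("subtype") == "system" and e.get("action") == "login" and e.get("status") == "success":
            src = ipaddress.ip_address(e["srcip"])
            if not any(src in n for n in trusted):
                findings.append(("admin_login_untrusted_source", f"{e['user']} from {src}"))
        # Rule 4: a new administrator object being added is a configuration change to review.
        if e.get("cfgpath") == "system.admin" and e.get("action") == "Add":
            findings.append(("admin_account_added", f"{e['cfgobj']} by {e['user']}"))
    return findings

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOGS, ["10.0.0.0/8", "192.168.0.0/16"]):
        print(f"[{rule}] {detail}")
```

Each finding is a starting point for the log review, not a verdict; correlate hits with the authentication and domain controller logs the guidance also names before acting.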
### Further Resources and Analysis
For additional guidance and to assess potential impact, **CISA** recommends reviewing information from various cybersecurity researchers and **Fortinet** itself:
* Tech Times: "Fortinet FortiGate Credential Leak Hits 73,932 Firewalls: Half the Internet-Facing Fleet"
* **SOCRadar**: "FortiBleed: The Compromise of 80,000+ Fortinet Firewalls"
* **Hudson Rock**: "FortiBleed: 75,000 Fortinet Firewalls Compromised: Global Enterprises Exposed - Claim Your Ethical Disclosure"
* **Arctic Wolf**: "Active FortiBleed Campaign Impacting Fortinet Devices Across 194 Countries"
* **Fortinet**: "Attacks at the Speed of AI"