FortiBleed Unveiled: Decoding the CyberStrike Harvester in a Worldwide FortiGate Credential Scam

Threat Overview

The latest intelligence from Arctic Wolf, released on 2026-06-25, exposes a sophisticated credential‑compromise campaign dubbed FortiBleed. The operation focuses exclusively on internet‑facing Fortinet FortiGate firewalls and SSL VPN gateways. Unlike many modern exploits that rely on zero‑day vulnerabilities or malicious payloads, FortiBleed is primarily a credential pipeline: it harvests configuration data, extracts hashes and session tokens, cracks them, then uses the obtained credentials to pivot inside victim networks.

Weaponization & Technical Architecture

  • CyberStrike Harvester v1.5 (harvest_orig) – a Go‑based Linux binary that parses PCAP/PCAP‑NG and FortiGate text dumps, normalizes credentials, and outputs Hashcat‑ready files.
  • FortiGate Sniffer panel – a browser‑based interface that orchestrates capture, conversion, harvesting, cleanup and pause states via WebSocket and REST calls.
  • Cracking Backbone – Telegram bot, Hashtopolis cluster, HashPanel UI, GPU workers (10x RTX 4090), and custom scripts to manage job queues and result aggregation.
  • Post‑Authentication Tools – openfortivpn tunnels with Impacket utilities for AD enumeration, Kerberos validation, SMB authentication, admin‑share checks, and DFS/SMB collection.

Operational Flow

The workflow can be summarized in seven stages:

  1. Lab Setup: The operator builds a seven‑VM Kali Linux lab with shared storage, VNC, SSH, and CyberStrike installed. This environment supports parallel processing.
  2. Capture & Harvest: Packet captures (PCAP/PCAP‑NG) or FortiGate text dumps are streamed to the sniffer panel, which forwards them to harvest_orig. The binary extracts credentials (NTLM, Kerberos pre‑auth, AS‑REP), session cookies, tokens, and other authentication artifacts. Flow records alone (NetFlow) carry no payload and cannot yield these artifacts; the pipeline needs full packets or configuration text.
  3. Cleaning & Quality Control: Raw output is filtered; duplicates, web‑attack noise (SQL injection and XSS strings captured from internet scanners), overlong tokens, e‑mail addresses, honeypot entries, and brute‑force noise are removed to produce attack‑ready lists.
  4. Cracking Infrastructure: Hashes enter the Telegram bot, which validates hash types, assigns GPU resources, runs multi‑stage Hashcat jobs, and returns cracked passwords. The Hashtopolis cluster distributes work across cloud GPUs.
  5. Kerberos QA & Correlation: Scripts such as check7500.py, deep_analyze.py, and match_7500.py validate Kerberos cracking results, map them back to harvest sessions, and enrich them by domain, country, revenue, and cracked/uncracked status. The 7500 in the script names is the Hashcat mode for Kerberos 5 AS‑REQ pre‑authentication (etype 23); Kerberoasting TGS‑REP hashes are mode 13100 and AS‑REP hashes mode 18200, so the QA scripts cover the pre‑auth material harvested in stage 2 rather than Kerberoasting alone.
  6. VPN‑Bound Validation: Operators bind outbound traffic via openfortivpn to victim VPN pools, then use Impacket scripts (ad_enum.py, smb_test.py) to enumerate AD users, groups, SPNs, and accessible SMB shares.
  7. SMB/DFS Exfiltration: Once access is confirmed, the crawler (spider.py, backup_dfs2.py) recursively reads files from administrative shares, filters by size, skips duplicates, and streams content over SSH to a remote staging host. The entire exfil run logged 121.43 GB.
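Stages 5 to 7 leave a distinctive trail in a victim's domain controller and file server logs: RC4 service‑ticket requests for user‑account SPNs (Kerberoasting), TGT requests without pre‑authentication (AS‑REP roasting), and one VPN client reading many distinct paths on administrative shares (the crawler). The following detection logic is an added example written for this article, not code from the campaign or from Arctic Wolf; the events are constructed samples whose field names follow the Windows Security EventData names for events 4768, 4769 and 5145, and the SSL VPN client pool 10.212.134.0/24 is an assumed value.

```python
"""Defender-side detection for the post-authentication stages described above."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed SSL VPN client address pool (replace with the pool from the FortiGate config).
VPN_POOL = ["10.212.134.0/24"]
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC (etype 23)

# Constructed sample events (not real logs). Windows logs client addresses as ::ffff:<IPv4>.
SAMPLE_EVENTS = [
    # Kerberoasting: RC4 service tickets for several user-account SPNs from one VPN client
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.212.134.200"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.212.134.200"},
    # Benign: AES ticket for a machine account from an internal host
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.5.7"},
    # AS-REP roasting: TGT requested with PreAuthType 0 (no pre-auth) and RC4 etype
    {"EventID": 4768, "TargetUserName": "legacyapp", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.212.134.200"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.5.8"},
] + [
    # Share crawling: twelve distinct files read from C$ by the same VPN client
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": f"Users\\Public\\doc{i}.docx", "AccessMask": "0x1",
     "IpAddress": "::ffff:10.212.134.200"} for i in range(12)
] + [
    # Benign: one file on a departmental share from an internal workstation
    {"EventID": 5145, "SubjectUserName": "bob", "ShareName": "\\\\*\\Finance",
     "RelativeTargetName": "Q1\\budget.xlsx", "AccessMask": "0x1",
     "IpAddress": "::ffff:10.0.5.9"},
]


def src_ip(raw):
    """Normalise an IpAddress field: unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ip_address(raw)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def in_vpn_pool(raw, pools=VPN_POOL):
    addr = src_ip(raw)
    return any(addr in ip_network(p) for p in pools)


def kerberoast_requests(events):
    """4769 with RC4 etype for a non-machine SPN (krbtgt excluded): Kerberoasting signature."""
    hits = []
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue
        hits.append((e["TargetUserName"], svc, str(src_ip(e["IpAddress"]))))
    return hits


def asrep_roast_requests(events):
    """4768 with PreAuthType 0 and RC4 etype: AS-REP roasting signature."""
    return [(e["TargetUserName"], str(src_ip(e["IpAddress"]))) for e in events
            if e.get("EventID") == 4768 and e.get("PreAuthType") == "0"
            and e.get("TicketEncryptionType", "").lower() == RC4_HMAC]


def share_crawlers(events, pools=VPN_POOL, threshold=10):
    """VPN-pool sources reading >= threshold distinct paths on admin shares (C$, ADMIN$, ...)."""
    paths = defaultdict(set)
    for e in events:
        if e.get("EventID") != 5145 or not in_vpn_pool(e["IpAddress"], pools):
            continue
        share = e.get("ShareName", "")
        if not share.endswith("$"):
            continue
        paths[str(src_ip(e["IpAddress"]))].add((share, e.get("RelativeTargetName")))
    return {ip: len(p) for ip, p in paths.items() if len(p) >= threshold}


def correlate(events, pools=VPN_POOL):
    """Group all findings by source IP so the whole chain from one VPN client is visible."""
    by_ip = defaultdict(lambda: {"kerberoast": [], "asrep": [], "share_paths": 0,
                                 "from_vpn_pool": False})
    for _user, svc, ip in kerberoast_requests(events):
        by_ip[ip]["kerberoast"].append(svc)
    for user, ip in asrep_roast_requests(events):
        by_ip[ip]["asrep"].append(user)
    for ip, n in share_crawlers(events, pools).items():
        by_ip[ip]["share_paths"] = n
    for ip in by_ip:
        by_ip[ip]["from_vpn_pool"] = in_vpn_pool(ip, pools)
    return dict(by_ip)


if __name__ == "__main__":
    for ip, finding in correlate(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Run against the sample, every finding lands on the single VPN client 10.212.134.200, which is the point: an alert that fires on "Kerberoast plus AS‑REP roast plus admin‑share crawl from the same SSL VPN address" is far higher fidelity than any of the three alone, and the share threshold can be tuned against the noise of legitimate backup agents.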

Indicators of Compromise (Sanitized)

  • File hash: MD5 7f74bb6ba185978134c318bc5f91d23c; SHA‑256 2758f4d71a2a2dfdefab81737c2d776b2a3dafe5844fdd2157e089a28447ca98 (harvest_orig)
  • Network: 193[.]8[.]187[.]42 – SSH exfiltration staging; 85[.]11[.]187[.]8:8443 – Hashtopolis API endpoint

Recommendations for Security Analysts

  1. Audit all FortiGate devices for exposed management interfaces and SSL VPN ports.
  2. Invalidate active SSL VPN sessions, rotate administrative credentials, and enforce MFA on all privileged accounts.
  3. Disable legacy SHA‑256 password hashing in FortiOS 7.6.x by enabling login-lockout-upon-weaker-encryption; for older OS versions use login-lockout-upon-downgrade.
  4. Implement network segmentation: restrict management traffic to a dedicated jump host and VLAN.
  5. Deploy continuous monitoring on AD for Kerberoasting (RC4 TGS requests), AS‑REP roasting, SPN enumeration, AdminCount=1 accounts, and repeated SMB share reads from VPN source IPs.
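Recommendations 1, 2 and 4 can be checked offline against a FortiGate configuration backup rather than by probing the device, which also keeps the backup itself inside the "treat configuration dumps as sensitive data" boundary. The audit below is an added example written for this article, not a Fortinet tool or code from the report; the configuration text is a constructed sample in FortiOS CLI backup syntax, and the checks assume interfaces carry a role setting (an interface without one is not classified as WAN, so real configs may need the list of external interfaces supplied by hand).

```python
"""Audit a FortiGate configuration backup for exposed management and weak admin accounts."""
import shlex

# Constructed sample in FortiOS backup syntax (not a real device's configuration).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "port2"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "ops"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
config vpn ssl settings
    set port 10443
    set source-interface "wan1"
end
"""

# Protocols in allowaccess that expose an administrative surface.
MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp", "fgfm"}


def parse_fortios(text):
    """Minimal parser for the config/edit/set/next/end structure of a FortiOS backup.
    Returns {section: {entry_name_or_None: {key: [values]}}}."""
    sections, stack = {}, []
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # handles the quoted names FortiOS emits
        kw = tokens[0]
        if kw == "config":
            stack.append((section, entry))  # remember where to return on "end"
            section, entry = " ".join(tokens[1:]), None
            sections.setdefault(section, {})
        elif kw == "edit":
            entry = tokens[1]
            sections[section].setdefault(entry, {})
        elif kw == "set":
            sections[section].setdefault(entry, {})[tokens[1]] = tokens[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            section, entry = stack.pop()
    return sections


def wan_interfaces(cfg):
    return {n for n, a in cfg.get("system interface", {}).items()
            if a.get("role", [""])[0] == "wan"}


def exposed_management(cfg):
    """WAN interfaces whose allowaccess includes management protocols (recommendations 1, 4)."""
    findings = []
    for name in sorted(wan_interfaces(cfg)):
        attrs = cfg["system interface"][name]
        exposed = sorted(MGMT_SERVICES & set(attrs.get("allowaccess", [])))
        if exposed:
            findings.append((name, exposed))
    return findings


def weak_admins(cfg):
    """Admin accounts with no trusted-host restriction or no two-factor (recommendation 2)."""
    findings = []
    for name, attrs in cfg.get("system admin", {}).items():
        if name is None:
            continue
        problems = []
        if not any(k.startswith("trusthost") for k in attrs):
            problems.append("no trusthost")
        if attrs.get("two-factor", ["disable"])[0] == "disable":
            problems.append("no two-factor")
        if problems:
            findings.append((name, problems))
    return findings


def sslvpn_exposure(cfg):
    """WAN interfaces the SSL VPN portal listens on, and its port."""
    settings = cfg.get("vpn ssl settings", {}).get(None, {})
    bound = set(settings.get("source-interface", [])) & wan_interfaces(cfg)
    return sorted(bound), settings.get("port", ["443"])[0]


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("management on WAN:", exposed_management(cfg))
    print("weak admins:", weak_admins(cfg))
    print("SSL VPN on WAN:", sslvpn_exposure(cfg))
```

On the sample this flags wan1 for HTTPS and SSH management, the built‑in admin account for having neither a trusthost nor two‑factor, and the SSL VPN portal on wan1 port 10443; port2 is not reported because management from the LAN is exactly what the jump‑host recommendation allows. Moving a portal off 443 changes none of these findings, which is why the audit keys on the bound interface rather than the port.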

How Arctic Wolf Protects Customers

The vendor has incorporated FortiBleed signatures into its Aurora® Superintelligence Platform, enabling real‑time detection of credential stuffing attempts against FortiGate portals, anomalous SSL VPN logins, and exfiltration over SSH from SMB shares. Analysts can adjust thresholds based on the campaign’s IP activity (e.g., 193[.]8[.]187[.]42) and tokenized patterns found in the harvester logs.

Conclusion

FortiBleed demonstrates that exposure of perimeter credentials is only the first step. A well‑engineered pipeline transforms noisy captures into high‑value internal access, illustrating why defenders must go beyond patching FortiOS and treat configuration dumps as sensitive data. By following the remediation checklist above, organizations can close the credential feedback loop and prevent attackers from turning a breached firewall into an entry point for deeper network compromise.

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading