Weaponizing FortiOS: How Attackers Turned a Diagnostic Command into a Credential-Theft Tool

A sophisticated, large-scale credential harvesting operation, dubbed FortiBleed, has surfaced, demonstrating a highly efficient method for compromising Fortinet FortiGate firewalls. By weaponizing built-in diagnostic capabilities, threat actors have successfully transformed trusted network security appliances into silent, internal surveillance hubs.

Detailed technical analysis from the SOCRadar Threat Research Unit (STRU) reveals the staggering scale of this campaign: over 110 million credentials have been harvested to date. The attackers specifically target misconfigured or insufficiently hardened edge devices, turning them into passive interception points within the target’s internal architecture.

Technical Breakdown: The FortigateSniffer Engine

The campaign is linked to a financially motivated Initial Access Broker (IAB), with forensic artifacts—including Cyrillic comments within the code—suggesting Russian origins. What began as a single exposed directory discovered by researcher Volodymyr Diachenko has metastasized into a massive infrastructure of over 260 operational servers.

The attackers systematically scanned over 430,000 internet-facing FortiGate firewalls, prioritizing those with weak administrative credentials. The centerpiece of this operation is a custom-built Golang binary known as FortigateSniffer. Rather than dropping malware onto the appliance, the tool performs a “living-off-the-land” maneuver: it authenticates over the administrative interface and abuses the legitimate FortiOS CLI packet-capture command, diagnose sniffer packet.

While this command is a standard utility for network troubleshooting, the attackers repurposed it to capture authentication traffic across 24 different protocols as it transits the firewall. By capturing handshake material from protocols such as NTLM, Kerberos, and RADIUS, they obtain challenge-response data that can be cracked offline, gathered passively without ever interacting with the authentication servers. Because the capture runs on the firewall itself using a built-in command, nothing malicious crosses the wire: signature-based Intrusion Detection Systems (IDS) look for exploit payloads in traffic, not for a legitimate diagnostic command typed into an appliance’s CLI, so the only artifact is the command itself in the firewall’s own logs.

The Five-Stage Attack Lifecycle

The FortiBleed operation follows a highly disciplined, automated kill chain:

  1. Reconnaissance: Identifying internet-facing FortiGate assets through Shodan search results and mass-scanning tools such as Masscan, then fingerprinting the exposed management services.
  2. Initial Access: Executing targeted SSH brute-force attacks against administrative interfaces to gain entry.
  3. Data Interception: Deploying the FortigateSniffer tool to capture authentication hashes directly from the network stream.
  4. Cryptographic Cracking: Offloading captured hashes to a distributed GPU-accelerated cracking farm. The attackers utilize Hashtopolis and Hashcat, leveraging rented high-performance compute resources from cloud providers like vast.ai to accelerate the cracking process.
  5. Persistence & Exfiltration: Using the successfully cracked credentials and session cookies to facilitate lateral movement and long-term access, including the exfiltration of sensitive organizational data.

The operational maturity of the group is evidenced by their use of an isolated offensive lab featuring Kali Linux and the CyberStrike automated framework. This structured approach allowed for over 659 documented harvesting cycles.
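The defender’s opportunities in this chain sit at steps 2 and 3: a burst of failed administrator logins from one source, a successful login that follows them, and the sniffer command itself in the firewall’s CLI audit log. The script below is an added example, not SOCRadar’s code and not anything recovered from the campaign; it runs those three rules over constructed FortiOS-style event lines. The field names it keys on (action, status, srcip, ui, msg), the logdesc strings, the backslash-escaping of quotes inside msg, and the 10.20.0.0/24 management network are assumptions to verify against logs from your own FortiOS version.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in FortiOS key=value event-log syntax. They are NOT lines
# from a real device: the logdesc strings and the backslash-escaping of quotes inside
# msg= are assumptions, so the rules key on action=/status=/msg= and you should verify
# the field names against logs from your own FortiOS version before deploying this.
_FAILED = ('date=2025-01-10 time=03:12:{:02d} devname="FGT-EDGE" type="event" subtype="system" '
           'logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.50)" srcip=203.0.113.50 '
           'action="login" status="failed" msg="Administrator admin login failed from '
           'ssh(203.0.113.50) because of invalid password"')
SAMPLE_LOGS = [_FAILED.format(sec) for sec in range(1, 7)] + [
    'date=2025-01-10 time=03:12:09 devname="FGT-EDGE" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.50)" srcip=203.0.113.50 '
    'action="login" status="success" msg="Administrator admin logged in successfully from ssh(203.0.113.50)"',
    r'date=2025-01-10 time=03:12:31 devname="FGT-EDGE" type="event" subtype="system" '
    r'logdesc="CLI command" user="admin" ui="ssh(203.0.113.50)" '
    r'msg="diagnose sniffer packet any \"port 88 or port 389 or port 1812\" 6 0 a"',
    'date=2025-01-10 time=09:00:00 devname="FGT-EDGE" type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="ssh(10.20.0.15)" srcip=10.20.0.15 '
    'action="login" status="success" msg="Administrator netops logged in successfully from ssh(10.20.0.15)"',
    r'date=2025-01-10 time=09:01:10 devname="FGT-EDGE" type="event" subtype="system" '
    r'logdesc="CLI command" user="netops" ui="ssh(10.20.0.15)" '
    r'msg="diagnose sniffer packet internal \"host 10.20.0.5\" 4 10"',
]

# key=value pairs; quoted values may contain backslash-escaped quotes (assumption).
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
UI_IP_RE = re.compile(r"\(([0-9a-fA-F.:]+)\)")   # the address inside ui="ssh(1.2.3.4)"

FAIL_THRESHOLD = 5                               # failed admin logins from one source ...
FAIL_WINDOW = timedelta(seconds=60)              # ... within this window => brute force
TRUSTED_MGMT_PREFIXES = ("10.20.0.",)            # hypothetical management subnet; use your trusthosts


def parse_fortios_event(line):
    """Return the key/value fields of one FortiOS event line, plus a parsed timestamp in _ts."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted.replace('\\"', '"') if quoted else bare
    if "date" in fields and "time" in fields:
        fields["_ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def source_ip(ev):
    """Prefer srcip=; CLI-command events may only carry the address inside ui=."""
    if ev.get("srcip"):
        return ev["srcip"]
    m = UI_IP_RE.search(ev.get("ui", ""))
    return m.group(1) if m else None


def is_trusted(ip):
    return ip is not None and ip.startswith(TRUSTED_MGMT_PREFIXES)


def detect(lines):
    """Apply three rules to a sequence of event lines and return the alerts raised, in order."""
    alerts = []
    failures = defaultdict(deque)   # source ip -> timestamps of recent failed admin logins
    flagged = set()                 # sources already reported as brute-forcing (no duplicate alerts)
    for line in lines:
        ev = parse_fortios_event(line)
        if not ev:
            continue
        ts, src, user, msg = ev.get("_ts"), source_ip(ev), ev.get("user"), ev.get("msg", "")
        alert = lambda rule, **extra: alerts.append(
            dict(rule=rule, user=user, src=src, ts=ts, trusted=is_trusted(src), **extra))
        is_login = ev.get("action") == "login"
        if is_login and ev.get("status") == "failed" and ts is not None:
            dq = failures[src]
            dq.append(ts)
            while dq and ts - dq[0] > FAIL_WINDOW:
                dq.popleft()
            if len(dq) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alert("ssh_bruteforce", attempts=len(dq))
        elif is_login and ev.get("status") == "success":
            recent = [t for t in failures.get(src, ()) if ts is None or ts - t <= FAIL_WINDOW]
            if recent:
                alert("bruteforce_success", prior_failures=len(recent))
            elif not is_trusted(src):
                alert("admin_login_untrusted_source")
        # The sniffer is a legitimate tool, so report every use; the trusted flag tells the
        # analyst whether it came from the management network or from an arbitrary source.
        if "diagnose sniffer packet" in msg:
            alert("sniffer_invoked", cmd=msg)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a["ts"], a["rule"], a["user"], a["src"],
              "trusted" if a["trusted"] else "UNTRUSTED", a.get("cmd", ""))
```

On the constructed sample this raises four alerts: the brute force on the fifth failure, the success that follows it, the untrusted sniffer invocation, and a second sniffer invocation from the management network that is reported with trusted=True for triage rather than suppressed.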

Impact and Risk Assessment

The real-world consequences of FortiBleed are severe. Beyond general credential theft, researchers have confirmed breaches of high-value targets, including a NATO-aligned defense contractor. While the attackers appear to favor Small and Medium-sized Businesses (SMBs)—specifically in the IT services sector—due to their generally weaker security postures, the ability to compromise enterprise-grade firewalls makes them a threat to any organization.

Mitigation Strategies for Security Teams:

  • Configuration Audit: Review FortiGate administrative settings now: remove HTTPS and SSH from allowaccess on WAN-facing interfaces (or bind management to a dedicated interface), give every administrator account trusthost entries limited to the management network, enable administrator lockout, and replace any default or weak passwords.
  • Enforce MFA: Require Multi-Factor Authentication for all administrative access. MFA does not stop the brute-force attempts themselves, but it prevents a guessed password from yielding a session; combine it with trusted-host restrictions so most attempts never reach the login prompt.
  • Limit Access to Diagnostic Capabilities: FortiOS does not offer a per-command switch that removes diagnose sniffer packet from the CLI, so the practical control is restricting who can reach the CLI at all (no administrative access on WAN interfaces, trusted hosts, least-privilege admin profiles) and treating any use of the command as an event to review.
  • Monitor Command Logs: Enable CLI audit logging (set cli-audit-log enable under config system global) so executed commands are written to the event log, forward those logs to your SIEM, and alert on diagnose sniffer packet and other sensitive diagnostic commands, as well as on bursts of failed administrator logins from a single source.
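As an added example (not Fortinet tooling and not from the SOCRadar report), the script below parses a constructed FortiOS configuration excerpt and flags the weaknesses the first three mitigations describe: management protocols on a WAN-role interface, cleartext management protocols anywhere, administrator accounts without trusthost entries or two-factor, and CLI audit logging left off, which the fourth mitigation depends on. The config/edit/set/next/end keywords and attribute names are standard FortiOS CLI; the interface names, addresses and account names in the sample are invented.

```python
import shlex
import sys

# Constructed FortiOS configuration excerpt (not a backup from a real device); the values
# are chosen so that each check below has something to find. "#" lines are treated as
# comments, as they are in FortiOS backup files.
SAMPLE_CONFIG = """\
config system global
    set admin-lockout-threshold 3
    set cli-audit-log disable
end
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.20.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
"""

ADMIN_PROTOCOLS = {"https", "ssh", "http", "telnet"}   # allowaccess values that give CLI/GUI login
CLEARTEXT_PROTOCOLS = {"http", "telnet"}


def parse_fortios_config(text):
    """Parse config/edit/set/next/end blocks into nested dicts.

    A section is keyed by its name ("system interface"), a table entry by its edit name,
    and each `set` attribute maps to the list of its values. Nested config blocks inside
    an edit entry become sub-dicts of that entry.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        kw = parts[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(parts[1], {}))
        elif kw in ("next", "end"):
            stack.pop()
        elif kw == "set":
            stack[-1][parts[1]] = parts[2:]
        elif kw == "unset":
            stack[-1].pop(parts[1], None)
    return root


def audit_fortios_config(cfg):
    """Return (severity, message) findings for the exposure patterns FortiBleed relies on."""
    findings = []
    glob = cfg.get("system global", {})
    # Assumption: cli-audit-log defaults to disable when the attribute is absent.
    if glob.get("cli-audit-log", ["disable"]) != ["enable"]:
        findings.append(("high", "system global: cli-audit-log is not enabled, so CLI commands "
                                 "such as 'diagnose sniffer packet' will not appear in event logs"))
    for name, iface in cfg.get("system interface", {}).items():
        access = set(iface.get("allowaccess", []))
        exposed = sorted(access & ADMIN_PROTOCOLS)
        if iface.get("role") == ["wan"] and exposed:
            findings.append(("critical", f"interface {name}: administrative access "
                                         f"({', '.join(exposed)}) enabled on a WAN-role interface"))
        cleartext = sorted(access & CLEARTEXT_PROTOCOLS)
        if cleartext:
            findings.append(("high", f"interface {name}: cleartext management protocol(s) "
                                     f"{', '.join(cleartext)} enabled"))
    for name, acct in cfg.get("system admin", {}).items():
        if not any(attr.startswith("trusthost") for attr in acct):
            findings.append(("high", f"admin {name}: no trusthost restriction, logins accepted from any source"))
        # Assumption: two-factor defaults to disable when the attribute is absent.
        if acct.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(("medium", f"admin {name}: two-factor authentication disabled"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    results = audit_fortios_config(parse_fortios_config(text))
    for severity, message in results:
        print(f"[{severity.upper()}] {message}")
    sys.exit(1 if results else 0)
```

Run it with no arguments to audit the embedded sample, or pass the path of a configuration backup to audit that instead; the exit status is 1 when anything is found so it can gate a change pipeline. On the sample it reports four findings (audit logging off, wan1 exposing HTTPS and SSH, and the admin account lacking both trusthosts and two-factor) and nothing for the internal interface or the netops account.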

Indicators of Compromise (IoCs)

Category                               Indicator
Aggregator / C2                        85.11.187[.]8
Pentest Lab Host                       193.8.187[.]2
Credential Validation                  193.8.187[.]42
Sniffer Node                           193.8.187[.]26
Sniffer Node                           194.113.39[.]71
Sniffer Node                           77.91.122[.]13
SHA256 (fg_sniffer_linux_amd64)        4d0b62d3162d4be391e3ba1e191dad28e5e5d5b161cfdef60eeb4361a92d8413
SHA256 (fg_sniffer_windows_amd64.exe)  80d83eb01f28c87a61b51f1f83805e63a791905f019bd3b87f10a10f66efab1e
SHA256 (mpbrute2.bin)                  2c98c86e6bd6f46cbd6c89d855541b9da91515b1bb986641a77e31c5c6aa2abb
SHA256 (forticheck)                    a8b09fd4f7ff2f298b45ca602992f44b3c2ac3746bcdb182c59ab2a20c690954

Note: IP addresses are intentionally defanged (e.g., [.]). Re-fang only within controlled threat intelligence environments.
