FortiBleed exposed how a Russian-speaking threat group quietly compromised around 75,000 Fortinet firewalls worldwide by abusing old credential leaks, infostealer logs, automated login testing, offline cracking, and compromised FortiGate devices. The campaign turned exposed firewalls into credential-harvesting nodes, creating a self-feeding access pipeline for future attacks and possible ransomware operations.
The shift from initial access via credential reuse to repurposing firewalls as persistent credential-harvesting nodes creates a compounding risk where compromised perimeter devices actively expand the attack surface. This self-feeding pipeline suggests defenders must treat any anomalous authentication success on a firewall not just as a breach, but as a potential indicator of an automated botnet expanding its foothold.