Cybersecurity · June 20, 2026 · via Security Affairs

Global credential-spraying campaign abuses Fortinet VPNs at scale


A sprawling, industrial-scale campaign has been quietly probing Fortinet VPN devices and other network endpoints worldwide, making billions of login attempts in an automated credential-spraying operation. Security researchers uncovered the activity only because the attackers left their own infrastructure exposed online, revealing a coordinated effort to harvest credentials and move laterally through corporate networks.

The mechanics of mass exploitation

The campaign targeted Fortinet FortiGate SSL VPN devices and Sophos user portals, scanning over 320,000 FortiGate endpoints and more than 247,000 Sophos endpoints. Attackers then sprayed nearly 3,640 username-password pairs across each target, totaling over a billion combinations, using a custom tool called forticheck running 25,000 concurrent threads. A parallel wave hit 163,650 Microsoft SQL Server instances with 2.1 billion login attempts at 50,000 threads. Once inside, the operators deployed network sniffers to extract cleartext credentials from protocols including HTTP, FTP, SMTP, LDAP, and others. Kerberos and NTLM hashes were sent to a 45-GPU cracking cluster for offline brute-forcing.
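The defensive counterpart to the spraying pattern described above, as an added example that is not part of the Security Affairs report or this summary: a small detector that reads VPN authentication events and flags any source address that fails logins against many distinct usernames inside a short window, which is what a fixed password list sprayed across a user base looks like, and then checks whether one of those sprayed accounts later logged in successfully from the same address. The log lines are constructed and only loosely modeled on key="value" event logs; they are not real FortiGate output, and the field names (action, user, remip), the action values (ssl-login-fail, ssl-login), the thresholds and the IP addresses (documentation ranges) are all assumptions.

```python
"""Credential-spray detector over VPN authentication events (added illustration).

Distinguishes spraying (one source, many distinct usernames failing) from a
single user mistyping a password (one source, one username failing repeatedly).
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modeled on key="value" VPN logs.
# Not real Fortinet output; addresses are from documentation ranges.
# 203.0.113.10 sprays six accounts, then gets in as "erin".
# 198.51.100.7 is one user failing three times, then succeeding (benign).
# 192.0.2.44 fails two distinct users, below the threshold.
SAMPLE_LOG = """\
date=2026-06-18 time=09:00:01 action="ssl-login-fail" user="alice" remip="203.0.113.10"
date=2026-06-18 time=09:00:02 action="ssl-login-fail" user="bob" remip="203.0.113.10"
date=2026-06-18 time=09:00:03 action="ssl-login-fail" user="carol" remip="203.0.113.10"
date=2026-06-18 time=09:00:04 action="ssl-login-fail" user="dave" remip="203.0.113.10"
date=2026-06-18 time=09:00:05 action="ssl-login-fail" user="erin" remip="203.0.113.10"
date=2026-06-18 time=09:00:06 action="ssl-login-fail" user="frank" remip="203.0.113.10"
date=2026-06-18 time=09:00:30 action="ssl-login" user="erin" remip="203.0.113.10"
date=2026-06-18 time=09:05:00 action="ssl-login-fail" user="alice" remip="198.51.100.7"
date=2026-06-18 time=09:05:20 action="ssl-login-fail" user="alice" remip="198.51.100.7"
date=2026-06-18 time=09:05:40 action="ssl-login-fail" user="alice" remip="198.51.100.7"
date=2026-06-18 time=09:06:00 action="ssl-login" user="alice" remip="198.51.100.7"
date=2026-06-18 time=09:10:00 action="ssl-login-fail" user="bob" remip="192.0.2.44"
date=2026-06-18 time=09:10:30 action="ssl-login-fail" user="carol" remip="192.0.2.44"
"""

# Assumed field layout; adjust the pattern to the real log schema in use.
LINE_RE = re.compile(
    r'date=(\S+) time=(\S+) action="([^"]+)" user="([^"]+)" remip="([^"]+)"'
)


def parse_events(text: str) -> list[tuple[datetime, str, str, str]]:
    """Return (timestamp, action, user, source_ip) tuples; skips unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        date, time, action, user, ip = m.groups()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, action, user, ip))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5) -> dict:
    """Flag source IPs whose failures cover >= min_users distinct accounts within one window.

    For each flagged IP also list sprayed accounts that later logged in
    successfully from that IP: the strongest sign the spray worked.
    """
    by_ip: dict[str, list] = defaultdict(list)
    for ts, action, user, ip in events:
        by_ip[ip].append((ts, action, user))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, user) for ts, action, user in evs if action == "ssl-login-fail"]
        for i, (t0, _) in enumerate(fails):
            # Sliding window anchored at each failure; stop at the first hit.
            in_window = [u for t, u in fails[i:] if t - t0 <= window]
            distinct = set(in_window)
            if len(distinct) < min_users:
                continue
            later_success = sorted(
                {u for t, a, u in evs if a == "ssl-login" and t >= t0 and u in distinct}
            )
            alerts[ip] = {
                "window_start": t0,
                "distinct_users": len(distinct),
                "failures": len(in_window),
                "success_after_spray": later_success,
            }
            break
    return alerts


def analyze_log(text: str) -> dict:
    """Convenience wrapper: parse then detect, with the default thresholds."""
    return detect_spray(parse_events(text))


if __name__ == "__main__":
    for ip, info in analyze_log(SAMPLE_LOG).items():
        print(ip, info)
```

The benign address fails three times but against one account, so it never reaches the distinct-user threshold; the spraying address is flagged after six failures across six accounts, and the follow-up success for "erin" is reported separately so that a responder can prioritise it over sprays that only generated noise. On a real deployment the thresholds should be tuned to the size of the user base and the usual failure rate, and the per-IP grouping should be complemented by a per-user view, since a distributed spray can keep each source below any single-IP threshold.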

From breach to full domain access

With cracked credentials in hand, the attackers replayed captured session cookies through OpenConnect to hijack live VPN sessions and gain access to Active Directory. From there, they conducted standard post-exploitation activities such as dumping Active Directory data, exfiltrating files, and stealing Kerberos tickets and Group Policy templates. The operators used Kali Linux virtual machines behind NAT to avoid direct contact with victim networks, while selecting targets based on publicly available revenue data. Multiple operators coordinated via shared terminal sessions, and the cracking infrastructure was itself left running on default credentials—a fitting irony given their modus operandi.

A global footprint and lingering risks

At least four organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey were fully compromised, with a Turkish defence contractor linked to NATO reporting the loss of classified documents. The exposed dataset covered 73,932 FortiGate devices across 21,613 organizations in 207 countries, with India leading in raw volume and Latin American telecoms showing the highest device density. IT services, telecoms, financial services, and government sectors were most exposed. In a random sample, 88% of exposed organizations also appeared in stealer-log or breach data, and 38% had staff with active infostealer infections. Nearly 590 were already listed on ransomware leak sites.

The lesson is clear: an exposed FortiGate management interface is rarely an isolated issue. It often signals that attackers have already found—and exploited—other weaknesses in the environment.


Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.
