Threat Intel
When you compromise a firewall you have lots of options in terms of next steps: using the VPN, changing configurations, creating backdoors, or perhaps using the firewall itself to take packet captures (PCAP). In this post I’m going to explore the ‘Fortibleed’ campaign. I have to note that we can see in honeypot logs this TA did not seem to limit themselves to Fortinet exploitation; however, the area of analysis has a heavy Fortinet element. You will see they deployed a capture and analysis platform. Treat everything with a pinch of salt because I’m using a mad probability-based machine (LLM) to support me for this!
A picture paints a thousand words

By analyzing data, metadata and honeypot logs we can see all kinds of things. A key element here is the probable use of PCAP analysis to feed a hash cracking platform. That sits alongside the targeting and attacking of downstream elements, e.g. Active Directory Domain Services (ADDS).
There’s also likely some deception involved here but… it’s a bit early to be sure and the view one gets is only partial and never complete.
Here’s a view from GreyNoise honeypots. Given the toolsets the TA appears to have been using and the length of time/volume involved, I think it would be unwise to assume they are a one-trick pony.

I’ll try to update this if I find any key elements I think awareness should be raised on, but the key thing here: I strongly suspect lots of PCAP occurred, which might make doing IR a little bit more complex.
LLM Summary
EXECUTIVE SUMMARY — THREAT ACTOR ACTIVITY ASSESSMENT
TLP:AMBER+STRICT | DRAFT | E&OE

Overview

A well-resourced threat actor has been operating a scaled, semi-automated credential harvesting programme targeting enterprise organisations globally, with confirmed successful access to over 149 Active Directory domains across multiple sectors including defence, energy, finance, healthcare, and government. The actor demonstrates capability maturity beyond a typical opportunistic attacker: they operate purpose-built tooling under a branded platform, maintain parallel cracking infrastructure across cloud-rented and consumer GPU resources, and employ active counter-attribution techniques. Exfiltration of classified defence documentation introduces an intelligence collection dimension that may indicate state tasking or a secondary consumer of the access being generated.

Objectives

The actor’s primary observable activity is consistent with large-scale access brokerage or intelligence collection: systematically acquiring, validating, and retaining enterprise credentials at volume. Targeting is revenue-sorted — Fortune 500 organisations, large government entities, and defence-sector firms appear prioritised over smaller targets. The retrieval of Turkish Armed Forces technical documentation from a major defence electronics manufacturer is inconsistent with purely financially-motivated crime and elevates the assessment beyond ransomware precursor or IAB activity. The actor should be treated as having both financial and potential intelligence collection motivations until further evidence narrows the assessment.

Methodology

Initial access is credential-based across two primary vectors: mass brute-force of firewall SSH management interfaces using vendor-pattern and default credentials, and large-scale spray of SSL-VPN portal authentication endpoints. Three iterative spray campaign series were identified; each campaign feeds recovered credentials back as wordlist input to the next. This self-reinforcing loop, supported by a 46-GPU cracking capability across three parallel platforms, produces a continuously improving attack posture with each operational cycle.

Post-access collection is technically distinctive. Rather than deploying implants or lateral-movement tooling in the conventional sense, the actor pivots through the compromised SSL-VPN and uses the victim firewall’s own management API to trigger and download packet captures of internal network traffic. A custom-built credential harvester then processes these captures offline, extracting authentication material from over 15 network protocols including Kerberos pre-authentication exchanges. This technique is passive, leaves no artefacts on internal endpoints, and is difficult to detect without specific monitoring of firewall management-plane API activity. Over 148,000 Kerberos AES-256 hashes and 33,000 NTLM hashes were collected in this manner across the observed campaign period. Active Directory exploitation follows using cracked credentials: enumeration, Kerberoasting, AS-REP roasting, delegation abuse, and file share staging, with sensitive documents retrieved to dedicated exfiltration infrastructure.

Broader Activity

Honeypot telemetry indicates the actor was actively probing attack surfaces beyond FortiGate appliances during the same period. Evidence of targeting against MSSQL authentication, IPMI remote management interfaces, and internet-exposed RDP suggests the FortiGate-centric capability described above represents one tool strand within a broader programme, not the complete picture. The actor should be assumed capable of and actively pursuing initial access via any commonly exposed internet-facing service. It would be a mistake to scope detection or hunting exclusively around FortiGate indicators.

Infrastructure and OPSEC

The actor operates seven automated Kali Linux virtual machines that reinstall from a remote platform (cyberstrike.io) on reboot — indicating a deliberate design for operational persistence through disruption. VPN configuration is written to temporary storage and wiped on restart.

Attribution Indicators

Code comments are written in Russian. The actor demonstrates detailed knowledge of Iranian phone number formats and Islamic calendar year conventions, reflected in purpose-built password wordlists targeting Iranian-configured devices — suggesting prior operational experience against Iranian infrastructure or familiarity with Iranian target environments. No attribution to a specific known threat group is made at this time. The combination of Russian-language artefacts, Iranian targeting knowledge, and confirmed interest in Turkish military material merits further analytical attention.

Priority Actions

Organisations should proceed on the assumption that any internet-facing firewall or VPN appliance running default, vendor-pattern, or unchanged credentials has been targeted by this programme, and may have been successfully accessed. Recommended immediate priorities: audit management-plane API access logs on all perimeter devices for anomalous PCAP trigger calls; rotate all VPN and firewall management credentials against the known vendor-pattern wordlists in circulation; review Active Directory logs for mass LDAP enumeration patterns; and cross-check internal Kerberos logs for AS-REQ traffic volumes inconsistent with normal authentication patterns.
The above was generated, so take everything with a pinch of salt. I am not god, I can’t see everything… and this game is difficult.
It’s nice outside, I’m going to go and touch grass!
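Two of the priority actions in the generated summary (auditing management-plane API logs for capture/PCAP trigger calls, and checking Kerberos AS-REQ volumes against normal patterns) can be turned into concrete checks. The script below is an added example written for this post, not tooling from the original author or from Fortinet. The firewall access-log format and the capture API path pattern it matches are assumptions for illustration (substitute the real management API paths of your appliance); Windows event ID 4768 is the real Kerberos TGT-request event. All log lines are constructed.

```python
"""Added example: detection logic for two of the summary's priority actions.

1. Firewall management-plane access log: flag API calls whose path looks like a
   packet-capture/sniffer operation, and note when the caller is not in the
   expected admin network (the summary describes captures being triggered via
   the SSL-VPN rather than from an admin host).
2. Domain controller security log: count Kerberos AS-REQs (Windows event 4768)
   per client in a sliding window and flag sources far above a threshold.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# ASSUMPTION: path fragments that denote a capture operation. Replace with the
# exact capture/sniffer endpoints documented for your firewall.
PCAP_API_RE = re.compile(r"/(sniffer|packet[-_]?capture|pcap)\b", re.I)
# Constructed: the network where admin API calls are expected to come from.
ADMIN_NETS = ("10.0.5.",)

# Constructed firewall management API access log (format is made up).
FW_API_LOG = """\
2024-05-01T10:02:11Z src=10.0.5.20 user=admin method=GET path=/api/v2/monitor/system/status status=200
2024-05-01T10:02:40Z src=10.0.5.20 user=admin method=GET path=/api/v2/cmdb/firewall/policy status=200
2024-05-01T10:05:03Z src=198.51.100.7 user=sslvpn_user method=POST path=/api/v2/monitor/system/sniffer/start status=200
2024-05-01T10:35:09Z src=198.51.100.7 user=sslvpn_user method=GET path=/api/v2/monitor/system/sniffer/download?mkey=1 status=200
"""

# Constructed Kerberos log: a little normal traffic, then one host requesting
# TGTs for 30 different accounts in under a minute, the shape you would expect
# when a batch of cracked credentials is being validated.
_base = datetime(2024, 5, 1, 11, 2, 0, tzinfo=timezone.utc)
KRB_LINES = [
    "2024-05-01T10:40:00Z EventID=4768 Client=192.168.20.55 Account=alice Result=0x0",
    "2024-05-01T10:40:05Z EventID=4768 Client=192.168.20.56 Account=bob Result=0x0",
    "2024-05-01T10:41:00Z EventID=4769 Client=192.168.20.55 Account=alice Result=0x0",
] + [
    f"{(_base + timedelta(seconds=i * 1.5)).strftime('%Y-%m-%dT%H:%M:%SZ')} "
    f"EventID=4768 Client=192.168.90.9 Account=user{i:02d} Result=0x0"
    for i in range(30)
]
KRB_LOG = "\n".join(KRB_LINES)


def parse_kv(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict with a 'ts' datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def find_pcap_api_calls(log_text):
    """Return (src, user, path, reason) for every capture-related API call."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_kv(line)
        if PCAP_API_RE.search(f["path"]):
            reason = "capture API call"
            if not f["src"].startswith(ADMIN_NETS):
                reason += " from non-admin source"
            findings.append((f["src"], f["user"], f["path"].split("?")[0], reason))
    return findings


def as_req_bursts(log_text, window=timedelta(seconds=60), threshold=20):
    """Map client -> peak number of 4768 events inside any `window`, for clients
    whose peak reaches `threshold`. Sliding window over sorted timestamps."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_kv(line)
        if f.get("EventID") == "4768":
            per_client[f["Client"]].append(f["ts"])
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    for finding in find_pcap_api_calls(FW_API_LOG):
        print("firewall:", finding)
    for client, peak in as_req_bursts(KRB_LOG).items():
        print(f"kerberos: {client} issued {peak} AS-REQs within 60s")
```

The threshold and window are deliberately simple; in practice you would baseline per-client 4768 rates from a quiet period and alert on deviations, and pair the firewall check with an allowlist of the hosts and accounts that are ever permitted to start a capture.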