FortiBleed campaign used custom FortiGate sniffer to steal credentials

The cybersecurity landscape faces a sophisticated new threat in the form of "FortiBleed," a targeted campaign aimed at compromising Fortinet's FortiGate firewall devices. According to recent findings from security firm SOCRadar, threat actors are leveraging custom-built packet-sniffing tools to extract authentication secrets and user credentials directly from the memory of compromised hardware. This development highlights a shift in cyberespionage tactics, where attackers are no longer content with mere entry; they are now deploying bespoke surgical tools designed to reside within the foundational hardware of a corporate network.

The context of this campaign is rooted in the long-standing status of Fortinet as a cornerstone of enterprise security. As one of the most widely deployed firewall solutions globally, FortiGate devices represent a "high-value, high-reward" target for both state-sponsored actors and sophisticated cybercriminal syndicates. This is not the first time Fortinet has been in the crosshairs; the current campaign stems from the exploitation of known vulnerabilities—most notably CVE-2024-23113—which have allowed attackers to bypass traditional defenses. The recurrence of such exploits underscores a persistent struggle within the industry to patch edge devices before they become permanent backdoors into internal infrastructures.

Mechanically, the FortiBleed campaign distinguishes itself through the use of a specialized "sniffer" malware. Unlike generic malware that seeks to encrypt files for ransom, this custom tool is designed for silence and persistence. It operates by monitoring the device’s internal traffic and memory buffers, identifying data packets associated with the login process. By capturing these secrets in real-time, the malware allows attackers to harvest valid credentials without triggering standard endpoint detection systems. This level of technical sophistication suggests that the developers have a deep understanding of FortiOS, the proprietary operating system powering FortiGate devices.

The business and industry implications of FortiBleed are profound. For many organizations, the firewall is the ultimate "source of truth" for security—the gatekeeper of the perimeter. When the gatekeeper itself is compromised and turned into a surveillance tool, the entire secondary layer of identity and access management (IAM) is put at risk. This breach of trust forces a re-evaluation of the "set and forget" mentality regarding network hardware. Furthermore, it places immense pressure on Fortinet and other hardware vendors to implement more robust hardware-root-of-trust mechanisms to prevent unauthorized code execution within their kernels.

From a regulatory perspective, the FortiBleed campaign adds fuel to the fire regarding software liability and the "Secure by Design" initiatives championed by agencies like CISA. As attackers move deeper into the firmware level, the expectation for vendors to provide exploit-resistant architecture grows. Market competitors are likely to use these incidents to emphasize their own security hardening, potentially triggering a shift in market share toward vendors that can prove higher resistance to such hardware-level sniffing.

Looking ahead, organizations must move beyond simple patching and toward comprehensive compromise assessments. The presence of a custom sniffer implies that even a patched system may still harbor dormant threats if not properly remediated. The industry should watch for a rise in similar "living-off-the-hardware" techniques, as attackers increasingly view edge devices not as barriers, but as the ideal vantage points for long-term intelligence gathering. The era of the "dumb" firewall is over; the future belongs to those who can treat their networking hardware with the same level of scrutiny as their most sensitive servers.