
FortiBleed and Fortinet exposure: what IAM teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9136
Topic starter  

TL;DR: FortiBleed shows how attackers can exploit internet-facing FortiGate and FortiClient EMS exposure to harvest credentials at scale, gain admin access on 409 targets, and drive ransomware activity, according to Orca Security. The incident shows that patching alone is not enough when credential interception, standing privilege, and unmanaged admin accounts remain in place.

NHIMG editorial — based on content published by Orca Security covering FortiBleed: a credential-harvesting campaign targeting FortiGate and FortiClient EMS exposure

By the numbers:

Questions worth separating out

Q: What breaks when attackers can passively harvest credentials from remote-access infrastructure?

A: The trust model breaks because one management-plane compromise can expose many identities at once.

Q: Why do internet-facing firewalls and access gateways increase identity risk?

A: They sit in the traffic path for authentication and administration, so a privileged compromise can expose secrets even when downstream systems are well protected.

Q: How do security teams know whether credential rotation is enough after exposure?

A: Rotation is only enough if the exposed path is removed or tightly constrained first.

Practitioner guidance

  • Inventory all internet-facing Fortinet management paths: Identify every FortiGate and FortiClient EMS instance that can be reached from untrusted networks, then confirm which ones can influence authentication, remote access, or admin workflows.
  • Rotate every credential that traverses FortiGate-managed infrastructure: Replace VPN, RADIUS, NTLM, Kerberos, and administrative credentials associated with exposed Fortinet infrastructure, including shared service accounts and back-end access used by administrators.
  • Restrict FortiClient EMS and administrative interfaces to trusted sources: Limit port 8013 and all management interfaces to known administrative ranges, then verify that remote access profiles cannot be rewritten from broadly reachable networks.

What's in the full article

Orca Security's full research covers the operational detail this post intentionally leaves for the source:

  • The affected FortiGate and FortiClient EMS versions, plus the remediation sequence for upgrading and applying the hotfix
  • The specific forensic indicators tied to FortigateSniffer, the adminin backdoor account, and the reported C2 infrastructure
  • The attack telemetry behind the 110 million credential haul and the linked ransomware activity
  • The asset exposure context that Orca used to prioritise remediation by internet reachability and criticality

👉 Read Orca Security's analysis of FortiBleed and Fortinet credential harvesting →




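One way to turn the practitioner guidance above into a repeatable check, as an added example written for this thread rather than code from Orca Security or NHIMG: given an inventory of Fortinet management listeners and the source ranges their current policy allows, flag every management port that is reachable from outside the trusted administrative ranges, and derive the credential rotation scope from the devices found exposed, so the second bullet follows from the first and third. Port 8013 (FortiClient EMS) comes from the post; treating 443 and 22 as FortiGate admin HTTPS/SSH is an assumption, and the device names, address ranges and inventory are constructed for the example.

```python
"""Exposure audit for Fortinet management paths.

Added example, not Orca Security's or NHIMG's code. The inventory, trusted
ranges and device names below are constructed; only port 8013 is from the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Source ranges administrators are expected to come from (constructed).
TRUSTED_ADMIN_RANGES = [ip_network("10.50.0.0/24"), ip_network("192.168.100.0/24")]

# Ports treated as management plane. 8013 (FortiClient EMS) is from the post;
# 443 and 22 as FortiGate admin HTTPS/SSH are assumed defaults for this example.
MANAGEMENT_PORTS = {443: "admin-https", 22: "admin-ssh", 8013: "forticlient-ems"}


@dataclass(frozen=True)
class Listener:
    device: str
    port: int
    allowed_sources: tuple      # CIDRs the current policy lets reach this port
    credentials_in_path: tuple  # credential classes that traverse this device


def uncovered(allowed: IPv4Network, trusted: list) -> list:
    """Return the parts of `allowed` not contained in any trusted range."""
    remaining = [allowed]
    for t in trusted:
        nxt = []
        for r in remaining:
            if r.subnet_of(t):        # fully inside a trusted range: drop it
                continue
            if t.subnet_of(r):        # trusted range is carved out of a broader allow
                nxt.extend(r.address_exclude(t))
            else:                     # disjoint CIDRs: keep as is
                nxt.append(r)
        remaining = nxt
    return remaining


def exposed_cidrs(cidrs, trusted=TRUSTED_ADMIN_RANGES) -> list:
    """CIDR strings from `cidrs` (or pieces of them) reachable by non-admin sources."""
    exposed = []
    for cidr in cidrs:
        exposed.extend(uncovered(ip_network(cidr), trusted))
    return [str(n) for n in exposed]


def audit(inventory, trusted=TRUSTED_ADMIN_RANGES) -> list:
    """One finding per management listener reachable from outside trusted ranges."""
    findings = []
    for lst in inventory:
        if lst.port not in MANAGEMENT_PORTS:
            continue
        reachable = exposed_cidrs(lst.allowed_sources, trusted)
        if reachable:
            findings.append({
                "device": lst.device,
                "service": MANAGEMENT_PORTS[lst.port],
                "port": lst.port,
                "reachable_from": reachable,
                "rotate": sorted(lst.credentials_in_path),
            })
    return findings


def rotation_scope(findings) -> list:
    """Union of credential classes behind every exposed path (the rotation list)."""
    scope = set()
    for f in findings:
        scope.update(f["rotate"])
    return sorted(scope)


# Constructed inventory: an edge FortiGate and an EMS server with one policy each.
INVENTORY = [
    Listener("fgw-edge-01", 443, ("0.0.0.0/0",), ("vpn", "radius", "admin")),
    Listener("fgw-edge-01", 22, ("10.50.0.0/24",), ("admin",)),
    Listener("ems-01", 8013, ("10.0.0.0/8",), ("ntlm", "kerberos", "admin")),
    Listener("ems-01", 443, ("192.168.100.0/24",), ("admin",)),
]

if __name__ == "__main__":
    found = audit(INVENTORY)
    for f in found:
        print(f"{f['device']}:{f['port']} ({f['service']}) reachable from "
              f"{len(f['reachable_from'])} non-admin range(s); rotate {f['rotate']}")
    print("rotation scope:", rotation_scope(found))
```

Run it as-is and the FortiGate admin HTTPS (open to 0.0.0.0/0) and the EMS port 8013 (open to all of 10.0.0.0/8, which is wider than the one trusted /24 inside it) are reported, while the two listeners already limited to trusted ranges are not. Feeding it a real export of firewall policies and a real admin range list turns the first and third bullets into a check that can be re-run after every policy change, and the `rotation_scope` output is the list for the second bullet.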
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8575
 

FortiBleed is a standing-access failure disguised as a perimeter breach. The campaign shows that once management-plane access is exposed, the attacker no longer needs to crack individual systems one by one. They inherit the trust relationships of the remote-access fabric itself, which is why FortiGate and EMS exposure has to be analysed as identity risk, not only network risk. Practitioners should treat administrative reach as a governed identity surface.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when compromised remote-access infrastructure leads to ransomware?

A: Accountability usually spans IAM, network security, infrastructure operations, and incident response because the failure sits across access control, exposure management, and credential governance. The practical question is not who owns the box, but who owns the identity boundary it controls. That boundary has to be explicit before the next exposure event.

👉 Read our full editorial: FortiBleed shows why credential harvesting breaks Fortinet trust models


