You guys, I need everyone to stop what they're doing and read about this FortiGate situation because it's on an entirely different level of scary than your average breach. So imagine every major company trusts their firewall software to keep attackers out, right? That's the point of a firewall β€” it sits at the edge and drops malicious traffic before it can reach anything valuable inside. Then you have FortiGate firewalls, which are used by literally hundreds of thousands of organizations globally. And then these threat actors engineered a Golang-based sniffer that targets those firewalls specifically to scrape credentials in real time across them all! They didn't break into one company; they built a tool that lets them hit the same type of vulnerability on hundreds, maybe even thousands, of networks simultaneously with a single operation. Can you believe the scale? We're talking about 430,000 firewalls targeted in this campaign alone β€” and each one is someone's firewall at some company somewhere.

And here's where it gets truly insane: they pulled out an estimated 110 million credentials from these stolen Firewalls! That number keeps growing because the campaign is still active right now, and more devices are getting added as new firewalls are deployed without patches. This isn't just a "leak" of old data; this is live credential harvesting happening at scale across hundreds of different organizations every single day. Every one of those 110 million credentials could belong to anyone β€” an IT administrator with root access, a server login, a database password β€” any of which can be used as a pivot point into other systems. So it's not just one breach; it's the compounding risk where each stolen credential gives them another foothold elsewhere. And because these are firewalls, they already sit at high privilege levels by design, so the damage radius from even one compromised device is massive.

This has me thinking about something bigger that we don't talk enough as a community β€” how much of our security depends on single points of failure in critical infrastructure software. We trust FortiGate to protect us and then their vulnerability exposes nearly half a million devices at once because everyone relied on the same vendor for the same purpose. The fix is patching, obviously, but that's a reactive solution after millions of credentials have already been harvested. What this really says is we need better segmentation, rotation policies that don't rely on single shared secrets across multiple systems, and more transparency from vendors about what their products actually do with data in transit. I'm not saying ditch firewalls; I'm saying maybe stop trusting a single company to be the only gatekeeper for everything your organization has online. This isn't just another breach β€” it's a failure of system architecture, and we need to talk about how to build more resilient systems before the next one compounds even worse than this one did.

Source: https://www.darkreading.com/cyberattacks-data-breaches/fortibleed-attackers-firewalls-credentials-stealers