FortiBleed Campaign Used Custom FortiGate Sniffer to Intercept VPN Credentials

The FortiBleed campaign has taken a dangerous turn. Initially documented as a passive exploitation vector leveraging the CVE-2022-40684 authentication bypass to exfiltrate FortiGate configuration files and VPN credentials from memory dumps, the threat actor has now escalated to active credential interception. New evidence reveals that the attackers deployed a custom-built network sniffer directly on compromised FortiGate appliances, transforming the operation from opportunistic data harvesting into a sustained man-in-the-middle collection capability.

What Happened

After gaining initial access via the unpatched CVE-2022-40684 vulnerability, the attacker deployed a bespoke packet capture utility onto the FortiGate device. This custom sniffer was designed to inspect SSL VPN traffic in real time, extracting usernames and plaintext passwords as users authenticated to the VPN gateway. Unlike the original FortiBleed technique, which relied on scraping credentials that had already been processed and cached in device memory, this sniffer intercepted authentication flows as they occurred, giving the attacker a live feed of every credential transiting the appliance.

The sniffer operated by hooking into the FortiGate VPN termination process, capturing credentials before they were hashed or forwarded for authentication. Forensic analysis identified the binary masquerading within standard FortiOS process trees, making detection via routine process listing difficult. The tool logged intercepted credentials to a hidden file on the device, which the attacker periodically exfiltrated via the same management interface that had been exposed by the original vulnerability.

Impact

The shift from passive memory scraping to active network interception significantly increases the severity of the FortiBleed campaign for several reasons:

  • Real-time credential harvesting: Every successful VPN authentication, not just those coinciding with memory dump windows, was captured. This dramatically expands the attacker’s credential corpus.
  • Plaintext collection: Whereas memory-resident credentials might be partial, hashed, or stale, the sniffer captured credentials in cleartext at the point of entry.
  • Longer dwell time: The sniffer operated continuously, enabling credential harvesting over extended periods without requiring repeated exploitation of the authentication bypass.
  • Harder to detect: Passive interception leaves fewer forensic artifacts than repeated memory scraping, allowing the attacker to maintain persistence with reduced risk of triggering alerts.

Organizations that previously assessed their exposure as limited to configuration file exfiltration should now assume that all VPN credentials used during the period of compromise were intercepted in plaintext.

Fix

Organizations running FortiGate appliances, particularly those that were exposed when CVE-2022-40684 was actively exploited, should take the following steps immediately:

  1. Re-audit all FortiGate devices for indicators of compromise, focusing on unexpected processes, hidden files in writable directories, and anomalous outbound connections from the management interface. Standard IOCs from the original FortiBleed advisory may not detect sniffer deployment.
  2. Force password rotation for every user account that authenticated to any potentially impacted VPN gateway since the window of initial compromise. Treat all credentials as captured in plaintext.
  3. Update firmware to a patched version of FortiOS that addresses CVE-2022-40684 (7.2.4+, 7.0.10+, 6.4.12+, 6.2.14+, or 6.0.17+) and perform a full factory reset on any device where compromise is confirmed before restoring configuration from a known-clean backup.
  4. Enable multi-factor authentication on all VPN connections if not already enforced. While the sniffer can still capture credentials, MFA limits the utility of harvested passwords when used independently.
  5. Restrict management interface access to trusted internal networks only, using local-in policies to block external access entirely.
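The following triage helper is an added example, not code from the advisory or from Fortinet. It covers two passages: the artifacts described under "What Happened" (a rogue process and a hidden collection file exfiltrated over the management interface) and step 1 of the list above (unexpected processes, anomalous outbound connections from the management interface, admin access from untrusted sources). The log lines, interface name `mgmt`, device IP, trusted and expected address ranges and the process baseline are all constructed placeholders; the key=value layout is modelled on FortiGate syslog but the exact field set on a real device varies by firmware and logging settings.

```python
"""
Added triage helper (not part of the advisory): scans FortiGate-style key=value
syslog lines and a process listing for the indicator classes named in step 1.
Every address, interface name and process name below is a constructed placeholder.
"""
import ipaddress
import re
from dataclasses import dataclass

# key=value tokens; values are bare or double-quoted in FortiGate syslog output
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _in_any(ip: str, nets) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


# RFC 1918 space: destinations here are treated as internal, not "outbound"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def triage_logs(lines, trusted_admin_nets, device_ips, expected_dst_nets):
    """
    Rule A: successful admin login from an address outside the trusted admin nets.
    Rule B: connection originated by the appliance itself (srcip is one of the
            device's own IPs, subtype=local) to a non-internal destination that is
            not on the allow-list of hosts the appliance is expected to contact.
    Returns findings in log order so they can be correlated with timestamps.
    """
    findings = []
    for line in lines:
        f = parse_kv(line)
        if (f.get("type") == "event" and f.get("action") == "login"
                and f.get("status") == "success"
                and not _in_any(f.get("srcip", ""), trusted_admin_nets)):
            findings.append(Finding("admin-login-untrusted-src",
                                    f"user={f.get('user')} srcip={f.get('srcip')} ui={f.get('ui')}"))
        if (f.get("type") == "traffic" and f.get("subtype") == "local"
                and f.get("srcip") in device_ips and f.get("action") == "accept"):
            dst = f.get("dstip", "")
            if not _in_any(dst, INTERNAL_NETS) and not _in_any(dst, expected_dst_nets):
                findings.append(Finding("device-outbound-unexpected-dst",
                                        f"dstip={dst} dstport={f.get('dstport')} srcintf={f.get('srcintf')}"))
    return findings


def unexpected_processes(process_names, baseline):
    """Process names seen on the device but absent from a known-clean baseline
    captured from the same firmware build; look-alike names stand out here."""
    return sorted(set(process_names) - set(baseline))


# ---- constructed sample data -------------------------------------------------
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # placeholder
DEVICE_IPS = {"192.0.2.1"}                                          # placeholder
EXPECTED_DST_NETS = [ipaddress.ip_network("192.0.2.128/25")]        # placeholder "update servers"

SAMPLE_LOGS = [
    # admin login from the internal management VLAN (expected)
    'date=2024-03-01 time=08:00:01 devname="FGT-EDGE-01" type="event" subtype="system" action="login" status="success" user="admin" srcip=10.10.5.20 ui="https(10.10.5.20)"',
    # admin login to the exposed HTTPS admin UI from an external address
    'date=2024-03-01 time=02:13:44 devname="FGT-EDGE-01" type="event" subtype="system" action="login" status="success" user="admin" srcip=198.51.100.77 ui="https(198.51.100.77)"',
    # appliance-originated connection to an allow-listed range (expected)
    'date=2024-03-01 time=02:20:00 devname="FGT-EDGE-01" type="traffic" subtype="local" srcip=192.0.2.1 srcintf="mgmt" dstip=192.0.2.200 dstport=443 action="accept"',
    # appliance-originated connection from the management interface to an unexpected host
    'date=2024-03-01 time=02:21:09 devname="FGT-EDGE-01" type="traffic" subtype="local" srcip=192.0.2.1 srcintf="mgmt" dstip=203.0.113.10 dstport=8443 action="accept"',
    # ordinary forwarded user traffic, not appliance-originated, so not in scope
    'date=2024-03-01 time=02:22:00 devname="FGT-EDGE-01" type="traffic" subtype="forward" srcip=10.10.8.9 srcintf="port2" dstip=203.0.113.10 dstport=443 action="accept"',
]

PROCESS_BASELINE = {"init", "cmdbsvr", "miglogd", "httpsd", "sslvpnd", "sshd", "newcli"}   # placeholder
SAMPLE_PROCESSES = ["init", "cmdbsvr", "miglogd", "httpsd", "httpd", "sslvpnd", "sshd", "newcli"]

if __name__ == "__main__":
    for finding in triage_logs(SAMPLE_LOGS, TRUSTED_ADMIN_NETS, DEVICE_IPS, EXPECTED_DST_NETS):
        print(f"[{finding.rule}] {finding.detail}")
    print("unexpected processes:", unexpected_processes(SAMPLE_PROCESSES, PROCESS_BASELINE))
```

The point of the process check is the baseline: a single device's listing tells you little, but a diff against a listing from a known-clean device on the same firmware build surfaces a look-alike name (here the constructed `httpd` beside the real-looking `httpsd`) that a casual read of the process tree would skip over. Both log rules are deliberately allow-list based: management logins and appliance-originated connections have a small, knowable set of legitimate sources and destinations, so anything outside that set is worth a ticket rather than a signature match.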

Fortinet Threat Cluster Context

Fortinet’s threat intelligence team attributes this activity to a cluster it tracks internally as a sophisticated nation-state-aligned group that has historically targeted edge network devices for credential harvesting and lateral movement. The group has been active since at least early 2022 and has demonstrated a consistent focus on Fortinet, Citrix, and Pulse Secure VPN appliances. The custom sniffer represents an evolution in the group’s tradecraft, suggesting dedicated development resources and familiarity with FortiOS internals.

This development underscores the strategic value threat actors place on VPN access as an initial entry vector. Organizations should treat any FortiGate appliance that was internet-accessible and unpatched during the active exploitation window as fully compromised and act accordingly.
