FortigateSniffer Tool Turns Firewalls into Password Collectors

FortiGate firewalls abused to harvest 110m credentials in global FortiBleed campaign

Understanding the FortigateSniffer Tool Cyber Threat

The FortigateSniffer tool cyber threat is rapidly gaining attention among security professionals. Within the first half of 2026, attackers have exploited FortiGate firewalls worldwide, deploying a custom Golang-based tool called FortigateSniffer. This tool enables threat actors to silently harvest credentials from network devices, transforming trusted firewalls into password collectors. The scope and sophistication of this campaign demand urgent awareness and action from organisations relying on Fortinet devices.

How FortigateSniffer Compromises Firewalls and Collects Credentials

Unlike traditional malware, FortigateSniffer leverages legitimate features within FortiOS, the operating system running on FortiGate firewalls. The tool, compiled for both Linux and Windows environments, operates entirely in Russian and is designed to exploit the built-in diagnostic command, diagnose sniffer packet. This command allows attackers to passively intercept authentication traffic passing through the firewall.

  • Targets over 24 network protocols, including RADIUS, NTLM, Kerberos, LDAP, RDP, SMB, MSSQL, FTP, Telnet, and WinRM.
  • Converts intercepted data into .pcapng format using the SNIFTRAN engine.
  • Processes data with a PCAP Deep Analysis Toolkit to extract cleartext credentials, NTLMv2 hashes, Kerberos tickets, and session cookies.
  • Employs evasion tactics such as GeoIP filtering and business-hour scheduling to avoid detection.

The campaign, known as FortiBleed, has already impacted hundreds of thousands of devices with over 110 million credentials harvested. Attackers prioritised targets based on corporate revenue, indicating a financially motivated approach. Evidence suggests links to Russian-speaking threat actors, possibly connected to ransomware groups or state-sponsored entities.

Why the FortigateSniffer Threat Matters to Organisations

This cyber threat is significant for several reasons. Firstly, it represents one of the most extensive credential-harvesting operations ever documented against network perimeter devices. Compromised credentials can provide attackers with broad access, enabling further lateral movement, data theft, extortion, and persistent compromise of critical infrastructure.

  • High-impact targets include NATO-aligned defence contractors, indicating a risk to national security and sensitive sectors.
  • The campaign is ongoing, with attacker infrastructure still active.
  • Threat actors are using advanced reconnaissance, pairing, and brute force techniques to gain initial access.
  • Credential exposure affects not only the firewall but also any systems protected by it, including internal networks and cloud services.

Regulatory bodies such as CISA have issued urgent advisories, warning organisations to harden Fortinet devices and review security configurations. The scale and persistence of the campaign highlight the need for robust security controls and proactive monitoring.

Recommended Security Actions for Organisations Using Fortinet Devices

Organisations must act swiftly to mitigate the FortigateSniffer tool cyber threat. Following industry guidance and adopting best practices can reduce risk and enhance resilience.

Immediate Steps for Fortinet Firewall Security

  • Update FortiOS: Apply the latest security patches and firmware updates to address known vulnerabilities.
  • Restrict Administrative Access: Limit access to firewall management interfaces, using strong authentication and network segmentation.
  • Monitor Authentication Traffic: Implement logging and monitoring for unusual authentication patterns or credential abuse.
  • Review Diagnostic Commands: Audit usage of diagnostic features such as diagnose sniffer packet to detect unauthorised activity.

Ongoing Security Best Practices

  • Conduct Regular Security Audits: Review firewall configurations, access controls, and credential policies.
  • Enforce Multi-Factor Authentication (MFA): Require MFA for all administrative and remote access accounts.
  • Limit Protocol Exposure: Disable unused or unnecessary network protocols to reduce attack surface.
  • Educate Employees: Provide training on phishing, credential hygiene, and reporting suspicious behaviour.
  • Implement GeoIP Filtering: Restrict access from regions not relevant to business operations.

Incident Response and Credential Management

  • Immediately rotate credentials for any compromised accounts.
  • Perform forensic analysis of firewall logs to identify affected systems.
  • Engage cybersecurity professionals to assess and remediate exposure.
  • Report incidents to relevant authorities and comply with regulatory requirements.

By combining technical controls with user awareness, organisations can strengthen their defences against credential-harvesting tools like FortigateSniffer. Regularly reviewing vulnerability advisories and maintaining a proactive security posture are essential in today’s threat landscape.

Key Lessons from the FortigateSniffer Campaign

The FortigateSniffer tool cyber threat underscores the importance of securing network perimeter devices. Attackers increasingly target firewalls not just as barriers but as sources of valuable authentication data. The campaign demonstrates that even trusted network appliances can be weaponised if left unprotected.

  • Credential harvesting on this scale enables further attacks, including ransomware and espionage.
  • Attackers are using legitimate diagnostic features to avoid detection, requiring careful monitoring of device activity.
  • Security teams must treat network appliances as high-value assets, applying rigorous controls and rapid patch management.
  • Collaboration between IT and security staff is vital for identifying and responding to evolving threats.

Organisations should remain vigilant, prioritise threat intelligence, and adopt a layered defence strategy. The FortigateSniffer incident serves as a reminder that security is a continuous process, requiring attention to both technology and people.

Originally reported by cybersecuritynews.com.

Share this bulletin

About the Author

Rob McBride Headshot - CyPro Partner and leading cyber security expert

Rob McBride

Partner

  • CISSP
  • ACA Chartered Accountant
  • MPhil
  • BSc
  • SOC 2
  • ISO 27001

Rob McBride

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

View Profile
Back to Bulletins
Author
Rob McBride Headshot - CyPro Partner and leading cyber security expert
Rob McBride
Category
Published
Jun 23 - 2026
Post Tags
  • credential harvesting
  • cyber threats
  • firewall security
  • fortigate
  • network perimeter
Cypro firewall showing robust network security
Secure your business.
Elevate your security, accelerate your growth. We take care of cyber security for high-growth companies, at every stage of their journey.
Get in touch
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call