Overview
- Researchers published detailed technical reports on June 22 and June 23 that trace the operation from mass scanning to credential harvesting and offline cracking.
- The operator used SSH brute-force attacks and credential stuffing to gain admin access, then deployed a Golang tool called FortigateSniffer that abused the FortiOS "diagnose sniffer packet" CLI command to capture authentication traffic across many protocols.
- Captured hashes and cleartext credentials were sent into a distributed cracking pipeline using Hashcat and Hashtopolis with rented GPUs, producing what investigators estimate as roughly 110 million harvested credentials and hundreds of harvesting pipelines.
- Fortinet and national cyber agencies have warned that this is not a single new product flaw but a credential-reuse and brute-force campaign, and they urge isolating or rebuilding compromised devices, rotating credentials, enabling phishing-resistant MFA, and upgrading firmware to a version that supports PBKDF2 password hashing.
- The campaign disproportionately hit small and mid-sized firms and managed service providers, creating downstream supply-chain risk because validated logins were sold or brokered for rapid lateral movement and data exfiltration.
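A detection pass over FortiOS-style event logs for the two behaviours summarised above (an SSH failure burst followed by an admin login, and execution of the sniffer command), added here as an example and not taken from the published reports. The log lines are constructed, and the key=value layout (fields such as action, status, srcip, ui, msg) and the "executed command" message wording are assumptions, not a FortiOS log specification.

```python
"""Hunt FortiOS-style event logs for the two behaviours described above:
SSH brute force against admin accounts and use of 'diagnose sniffer packet'.
Added example: the log lines are constructed and only approximate FortiOS's
key=value event-log layout (field names and wording are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: five SSH failures, a success, then the sniffer command.
SAMPLE_LOGS = """\
date=2025-06-20 time=03:00:01 type=event subtype=system action=login status=failed user="admin" srcip=203.0.113.5 ui="ssh(203.0.113.5)"
date=2025-06-20 time=03:00:02 type=event subtype=system action=login status=failed user="admin" srcip=203.0.113.5 ui="ssh(203.0.113.5)"
date=2025-06-20 time=03:00:03 type=event subtype=system action=login status=failed user="admin" srcip=203.0.113.5 ui="ssh(203.0.113.5)"
date=2025-06-20 time=03:00:04 type=event subtype=system action=login status=failed user="admin" srcip=203.0.113.5 ui="ssh(203.0.113.5)"
date=2025-06-20 time=03:00:05 type=event subtype=system action=login status=failed user="admin" srcip=203.0.113.5 ui="ssh(203.0.113.5)"
date=2025-06-20 time=03:00:09 type=event subtype=system action=login status=success user="admin" srcip=203.0.113.5 ui="ssh(203.0.113.5)"
date=2025-06-20 time=03:01:30 type=event subtype=system user="admin" srcip=203.0.113.5 ui="ssh(203.0.113.5)" msg="User admin executed command: diagnose sniffer packet any"
date=2025-06-20 time=09:15:00 type=event subtype=system action=login status=success user="ops" srcip=198.51.100.7 ui="ssh(198.51.100.7)"
"""

def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def detect(log_text, fail_threshold=5, window=timedelta(minutes=5)):
    """Return (rule, srcip, user, timestamp) findings in log order."""
    findings = []
    failures = defaultdict(list)  # (srcip, user) -> recent failed-login times
    for line in log_text.splitlines():
        ev = parse_line(line)
        if "date" not in ev or "time" not in ev:
            continue
        ts = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
        key = (ev.get("srcip"), ev.get("user"))
        if ev.get("action") == "login":
            if ev.get("status") == "failed" and ev.get("ui", "").startswith("ssh"):
                # sliding window: keep only failures within `window` of this one
                failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
                if len(failures[key]) == fail_threshold:
                    findings.append(("ssh_brute_force", *key, ts))
            elif ev.get("status") == "success" and failures.get(key):
                # success right after a failure burst: the campaign's entry point
                findings.append(("login_after_failures", *key, ts))
        if "diagnose sniffer packet" in ev.get("msg", "").lower():
            findings.append(("packet_sniffer_command", *key, ts))
    return findings
```

Feed real syslog exports through `detect()` and tune `fail_threshold` and `window` to the device's normal admin activity; the sniffer rule needs no tuning, since that command has no routine place in an admin session.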