One day after a leaked dataset dubbed FortiBleed exposed admin and SSL VPN credentials for 73,932 Fortinet firewalls worldwide, the inevitable next chapter has arrived: a cybercriminal group is now openly selling network access to roughly 74,000 FortiGate devices. The credentials on offer carry working admin logins that researchers describe as recently harvested and, in many cases, still valid — meaning the gap between a credential dump and hands-on-keyboard intrusion has collapsed to under 24 hours.

This is the part of the story that turns a headline into a wave of incidents. A credential leak is dangerous; a packaged, searchable, for-sale access catalog is how that danger gets distributed to every ransomware affiliate with a cryptocurrency wallet.

The monetization phase of FortiBleed

Yesterday we covered FortiBleed — the dataset uncovered by researcher Volodymyr “Bob” Diachenko that exposed credentials and configuration data for nearly 74,000 FortiGate firewalls across 194 countries, roughly half of every internet-facing Fortinet device on the planet. The named victims read like a Fortune Global 500 index: Chevron, Samsung, Foxconn, Siemens, Mercedes-Benz, and a NATO defense contractor among them.

What FortiBleed produced was the raw material. What we are seeing now is the refinery. The selling party has taken cracked SSL VPN and admin credentials and is repackaging them as initial access — the single most valuable commodity in the ransomware economy. Initial access brokers (IABs) exist precisely to bridge the gap between mass credential theft and targeted extortion, and a fresh batch of 74,000 perimeter devices is exactly the inventory they live for.

Why “still valid” is the whole problem

The detail that matters most is not the headcount — it’s that the credentials are live. According to security analysis, the admin credentials appear legitimate and recently harvested as part of an ongoing, still-running campaign. Threat intelligence firm SOCRadar has characterized the underlying operation as active: attacker infrastructure is up, and new victims are still being added. This is not a historical archive being dumped for clout. It is a working pipeline.

A FortiGate firewall is not a low-value foothold. It sits at the network edge, frequently terminates SSL VPN sessions, and — once an attacker holds admin — can be used to mint new VPN accounts, disable logging, pivot into internal Active Directory, and stage ransomware deployment. The original FortiBleed operators reportedly intercepted SSL VPN authentication hashes, cracked them on a 45-GPU cluster, and moved laterally into internal AD environments. The buyers of this access list inherit that same playbook without doing any of the work.

What defenders should do right now

If your organization runs an internet-facing FortiGate, treat it as presumed compromised until proven otherwise:

  • Rotate every credential — local admin accounts, SSL VPN users, and any service or LDAP bind accounts the firewall touches. Cracked passwords do not un-crack themselves.
  • Force-reset SSL VPN users and require re-enrollment of MFA. If MFA was not enforced before, enforce it now.
  • Audit admin accounts for unfamiliar additions and review the config for unexpected VPN tunnels, policy changes, or disabled logging.
  • Hunt, don’t just patch. Pull VPN authentication logs and look for logins from unexpected geographies or impossible-travel patterns. Cross-reference against the FortiBleed exposure window.
  • Cross-check infostealer exposure. FortiBleed was built largely from infostealer-harvested credentials. If corporate endpoints were infected, the leak is a symptom, not the disease.
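One way to run the impossible-travel hunt from the list above over FortiGate-style SSL VPN logs, as an added example that is not from the article, from Fortinet, or from any named researcher: it parses key=value event lines, maps each remote IP to a location through a constructed lookup table that stands in for a real GeoIP database, and flags consecutive logins by the same user whose implied speed is not physically plausible. The field names (date, time, subtype, action, user, remip), the sample log lines and the IP-to-location table are all assumptions constructed for the example.

```python
import math
import re
from datetime import datetime

# Constructed stand-in for a GeoIP database: IP prefix -> (label, lat, lon).
GEO = {
    "203.0.113.": ("office-oslo", 59.91, 10.75),
    "198.51.100.": ("hotel-tokyo", 35.68, 139.69),
    "192.0.2.": ("vpn-exit-sao-paulo", -23.55, -46.63),
}
MAX_SPEED_KMH = 900.0  # roughly airliner speed; anything faster is implausible

def parse_event(line):
    """Split a FortiOS-style key=value line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, a + b)
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(lines):
    """Return (user, from, to, km/h) for consecutive logins of one user that imply an implausible speed."""
    last, alerts = {}, []
    events = sorted((parse_event(l) for l in lines), key=lambda e: (e["date"], e["time"]))
    for ev in events:
        if ev.get("subtype") != "vpn" or ev.get("action") != "tunnel-up":
            continue  # only successful SSL VPN tunnel establishment is compared
        loc = next((g for p, g in GEO.items() if ev["remip"].startswith(p)), None)
        if loc is None:
            continue  # unknown location: cannot judge travel, but worth a separate review
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        if ev["user"] in last:
            prev_ts, prev = last[ev["user"]]
            hours = max((ts - prev_ts).total_seconds() / 3600, 1 / 60)  # floor at one minute
            speed = haversine_km(prev[1:], loc[1:]) / hours
            if speed > MAX_SPEED_KMH:
                alerts.append((ev["user"], prev[0], loc[0], round(speed)))
        last[ev["user"]] = (ts, loc)
    return alerts

# Constructed sample events approximating FortiOS SSL VPN tunnel-up log lines.
SAMPLE_LOGS = [
    'date=2024-05-01 time=08:00:00 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=203.0.113.10',
    'date=2024-05-01 time=09:30:00 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.7',
    'date=2024-05-01 time=10:00:00 type="event" subtype="vpn" action="tunnel-up" user="bob" remip=192.0.2.44',
    'date=2024-05-02 time=10:00:00 type="event" subtype="vpn" action="tunnel-up" user="bob" remip=203.0.113.12',
]
```

On the sample data alice's Oslo-to-Tokyo hop in 90 minutes is flagged while bob's day-long São Paulo-to-Oslo move is not; in production, replace the GEO table with a real GeoIP lookup and feed it the exported VPN event log for the FortiBleed exposure window.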

The pattern is the warning

Edge devices have become the front line precisely because they are exposed by design and patched on no one’s schedule. FortiBleed showed how a single credential corpus can map half the internet’s FortiGate fleet. The 74,000-device access sale shows how quickly that corpus becomes a product. Between the two, the lesson is blunt: a perimeter appliance with a leaked password is not a future risk — it is a transaction already happening.
