Inside FortiBleed: a FortiGate SSL VPN credential-harvesting operation — 1.16B brute-force attempts vs 320,777 endpoints, NTLM/Kerberos cracked on a 45× RTX 4090 Hashtopolis cluster, SSL VPN cookie-replay into AD

Disclosure: we are the Ransomnews Research Team and this is our write-up, built on infrastructure surfaced by Bob Diachenko. We mapped the full chain to MITRE: mass-scan FortiGate /remote/login + Sophos /userportalforticheck brute force (25k threads) → network sniffers for cleartext creds → hash cracking on a 45-GPU Hashtopolis cluster → OpenConnect cookie replay to hijack live SSL VPN sessions → AD dump/TGT extraction/GPO harvesting. Targets ranked by revenue via OSINT. We anonymised the operator infra rather than publish raw IOCs. We also cross-referenced the resulting FortiGate working set (73,932 devices / 21,613 orgs) against stealer-log and ransomware-leak data: 88% overlap with stealer/breach data, ~590 already on leak sites. Happy to answer questions on method.

submitted by /u/lexcor
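Editor's addition, not part of /u/lexcor's post or the Ransomnews report: a small detection script for the first stage of the chain described above, the mass brute force against the SSL VPN login. It parses FortiGate-style key=value event logs and flags a source that either fails repeatedly or fails against many distinct accounts inside a sliding window, then flags any later successful login from that same source (the point at which the session-hijack stage becomes possible). The log lines are constructed for this example; the field names (action, remip, user, reason) and the action values "ssl-login-fail" and "ssl-login" are assumptions about FortiOS SSL VPN event logs and should be checked against your own firewall's samples before use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FortiGate-style SSL VPN event log lines (not real traffic).
# Assumed fields: action="ssl-login-fail" for a failed login, action="ssl-login"
# for a success, remip= the client source address, user= the attempted account.
# One source sprays five accounts and then logs in as one of them; a second
# source makes a single typo and then logs in normally.
SAMPLE_LOGS = """\
date=2025-01-10 time=03:00:01 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="admin" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2025-01-10 time=03:00:02 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="jsmith" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2025-01-10 time=03:00:02 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="svc_backup" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2025-01-10 time=03:00:03 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="mwilson" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2025-01-10 time=03:00:04 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="finance" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2025-01-10 time=03:01:30 type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN login success" action="ssl-login" tunneltype="ssl-web" remip=198.51.100.7 user="mwilson" reason="N/A" msg="SSL user login"
date=2025-01-10 time=03:02:00 type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.5 user="jsmith" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2025-01-10 time=03:02:10 type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN login success" action="ssl-login" tunneltype="ssl-web" remip=203.0.113.5 user="jsmith" reason="N/A" msg="SSL user login"
"""

# key=value pairs; values are either a double-quoted string (may contain spaces)
# or a bare token such as an IP address or a date.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one FortiGate key=value log line into a dict; quoted values lose their quotes."""
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def analyse(log_text, fail_threshold=5, spray_users=3, window=timedelta(minutes=5)):
    """Return a list of findings.

    A source address is flagged once, the first time it reaches either
    fail_threshold failed logins or spray_users distinct accounts inside the
    sliding window. Every successful login from a flagged source after that is
    reported as "success-after-burst": that is the account whose live SSL VPN
    session an operator would next try to reuse.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(list)   # remip -> [(ts, user), ...] still inside the window
    flagged, findings = set(), []
    for e in events:
        ip, user, action = e.get("remip"), e.get("user"), e.get("action")
        if action == "ssl-login-fail":
            bucket = recent[ip]
            bucket.append((e["ts"], user))
            bucket[:] = [(t, u) for t, u in bucket if e["ts"] - t <= window]
            users = sorted({u for _, u in bucket})
            if ip in flagged:
                continue
            if len(users) >= spray_users:
                kind = "password-spray"
            elif len(bucket) >= fail_threshold:
                kind = "brute-force"
            else:
                continue
            flagged.add(ip)
            findings.append({"kind": kind, "remip": ip, "ts": e["ts"],
                             "failures": len(bucket), "users": users})
        elif action == "ssl-login" and ip in flagged:
            findings.append({"kind": "success-after-burst", "remip": ip,
                             "ts": e["ts"], "user": user})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOGS):
        print(finding)
```

Per-source thresholds catch a single noisy scanner but not the distributed version of this campaign, where 25k threads behind many addresses each touch an endpoint a few times; for that, also count failures per target account across all sources, and treat a "success-after-burst" as a trigger to review the resulting session (tunnel-up events for that user from any other remip) rather than only the login.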


from hacking: security in practice https://ift.tt/pEc8I6V
