Plaintext with Rich

FortiBleed: When Your Firewall Becomes the Front Door

Rich Greene Season 1 Episode 32

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 9:54

Your firewall is supposed to be the thing that keeps attackers out. FortiBleed is the story of what happens when it becomes the way in.


In June 2026, roughly 86,644 sets of working Fortinet credentials turned up circulating among attackers across 194 countries. On June 18th, CISA issued an emergency advisory telling anyone running internet-facing Fortinet gear to terminate active sessions, rotate every credential, and turn on phishing-resistant multi-factor authentication immediately. This episode of Plaintext with Rich explains what FortiBleed actually is, why patching alone does not solve a credential-exposure incident, and what the difference between "patch" and "rotate" means for the people responsible for keeping a network safe. It also covers why a firewall breach lands differently than almost any other kind of breach, and what to check if you are worried someone already walked through the door before you changed the locks.


If you manage a team, own a business, or sit anywhere near a decision about network security gear, this one is directly relevant to your week. If you have no idea what a firewall does, that is fine too; the episode starts from the beginning.


One Topic, Ten minutes, No panic.

Is there a topic/term you want me to discuss next? Text me!!

YouTube more your speed? → https://links.sith2.com/YouTube  
Apple Podcasts your usual stop? → https://links.sith2.com/Apple  
Neither of those? Spotify’s over here → https://links.sith2.com/Spotify  
Prefer reading quietly at your own pace? → https://links.sith2.com/Blog  
Join us in The Cyber Sanctuary (no robes required) → https://links.sith2.com/Discord  
Follow the human behind the microphone → https://links.sith2.com/linkedin  
Need another way to reach me? That’s here → https://linktr.ee/rich.greene

The Front Door Key Disaster

SPEAKER_00

So you bought a front door, a strong front door, heavy deadbolt, the works, all of the locks. You felt really good about it. Then one morning you find out the locksmith who installed it kept a copy of every key, dropped the whole ring in a parking lot, and now those keys are circulating in 194 countries. This is roughly the week a lot of security teams recently had and maybe still going through.

Fortableed And Why Firewalls Matter

SPEAKER_00

Welcome to plain text with Rich. Today we are talking about Fortable, a credential exposure campaign where the box meant to guard the network became the way in. Now, really quick, in plain text, a firewall is the guard at the edge of a company's network. Now, typically they're at the edge, but you can and should use them internal as well because what they do is it helps decide what traffic gets in and what stays out. It's just the ability to kind of control that traffic flow. Now, a lot of companies buy these from a vendor called FortaNet, right? Whose gear shows up under names like FortiGate. Now, Fortableed is the nickname for an incident where attackers ended up holding working login credentials for tens of thousands of those guard posts. The guards' own keys, basically. So if you wouldn't mind, let me set the scene with the part that makes this well relatively urgent.

CISA Sounds The Alarm

SPEAKER_00

On June 18th, 2026, CISA, the U.S. Cybersecurity and Infrastructure Security Agency, the federal agency that warns the country about active threats, put out an advisory. Not a keep an eye on this, but a do these things right now kind of advisory. The guidance was direct. If you run internet-facing Fortinet gear, terminate active sessions, rotate all your passwords, and turn on phishing resistant multi-factor authentication. Now, when CISA tells you to rotate every password today, I feel like that's them pulling a fire alarm as calmly as possible. So what actually happened? Well, security researchers, including the team at Arctic Wolf, a cybersecurity firm that tracks active campaigns, reported a large set of working Fortinet credentials circulating amongst attackers. The figure being cited is around 86,644, and that could plus or minus, right? Sets of credentials spread again across 194 countries. Reporting attributes the activity to Russian-speaking threat actors. I want to be careful with that word reportedly, all right, because attribution is the part of these stories that shifts as more comes out. So treat the who as provisional. The what part is the part that I really want you to focus on. And the what is ugly. These are described as working credentials, usernames and passwords that at the time let someone log in. Here's the analogy I keep coming back to for those that just kind of help resonate a little bit more. Again, think of a firewall like the front desk of an office building or even the reception area for every floor in that building. Everybody who wants in will walk up to that desk. The individual there will check badges, check their roster or schedule for the day, and wave the right people through, turn the wrong people away. It's the one spot the whole building can trust to make those calls. Now imagine someone copied the guard's master key card and the guards log in to the badge system. They no longer have to sneak past the desk. They are the desk. They can wave themselves in and they can wave in their friends. And because everyone inside trusts the front desk, nobody downstairs is really asking any

Why Patching Does Not Fix It

SPEAKER_00

questions. This is why a firewall breach lands differently than a breach of some random laptop. The firewall is a thing, again, the rest of the network is built to trust. Get the keys to it, and again, you are not at the edge anymore. You are inside wearing the building's own uniform. Now, this is also why patching alone does not close this particular door. Now, typically, when a vendor finds a flaw, they tend to ship a patch once it's been developed. And that's a software fix that seals the hole, right? Or the vulnerability. Patching is good. Patch everything, right? But a patch fixes the hole. It does not unsteal the keys that already walked out through it, right? Credentials do not expire when you install an update. And I would ask you, say that again out loud, because it is the whole episode. Credentials do not expire when you install an update. If your username and password were captured last week and you patched today, congratulations. The original hole is sealed and your old password still works perfectly for whoever has it. Because a password is just a string of characters and it does not know it was stolen. That is why the headline instruction here is not only patch, it is also to rotate. Change the credentials so the stolen copies become useless. Patch closes the window, rotation changes the locks. You kind of need both. Now, who is on the list? Reporting names some pretty heavy hitters that have been affected, including Oracle, Chevron, FedEx, NATO defense contractor. I'm not going to pretend to know the inside details of any of those. And again, you should be skeptical of anyone who claims they do at this point, unless you are physically inside or work with one of those organizations. The point of naming them here is not gossip, right? I'm not spilling the tea. It's really to show scale. When the exposed set reaches across 194 countries and touches names like that, this again is not a niche problem for one unlucky shop. This is a category problem for everyone running a certain very common piece of gear. And that is quietly uncomfortable, or is the quiet, uncomfortable lesson of Fortableed. The same appliance you buy to reduce your risk becomes a single juicy high-value target precisely because it sits at the front and everything trusted. Security tools are software. Software has flaws. The thing guarding the door has a door of its own. Now, this is not a reason to rip out your firewall. A building with a front desk is safer than a building with no front desk. It is a reason to stop treating any single security application or appliance as a thing you install and forget.

The Practical Starter Kit

SPEAKER_00

So let's make this doable. As always, here's your starter kit. Number one, if you run Fortinet gear or you are not sure, ask today. Walk over to whoever manages your network or send an email and ask a simple question. Have we rotated credentials and terminated sessions since the June 18th CISA advisory on Fortinet? You do not need to understand the answer. You need the question asked out loud because asked questions get acted on and unasked ones tended to sit there. Number two, rotate. Do not just patch. If you are the one with the keyboard, the order from current guidance is to terminate active sessions first, then change every credential on the device. Then patch to the fixed version. Sessions, credentials, patch. A patch on top of a stolen password, again, is a new lock, still on an open door. Number three, turn on phishing resistant multi-factor authentication. Right? Multi-factor authentication or MFA, for those that don't know, simply means a password alone is not enough to get in. You need a second proof, like a hardware key or an apt prompt. Phishing resistant is the strong kind that a fake login page cannot typically trick out of you. With it on, a stolen password is a dead key. That is the goal here. Make the leaked stuff worthless. Four, get your management interface off the open internet. A firewall has to face the world to do its job. Its admin login maybe doesn't have to. Again, current guidance is to restrict that admin access to a trusted internal network or a VPN so a random stranger cannot even reach the login screen to try a stolen password. And number five, check the logs for who already walked in. Rotating keys today does nothing about someone who got in last week and made themselves a quiet copy of a key. Have someone review access logs for unexpected logins, new admin accounts, config changes. Locking the door is step one. Step two is checking whether anyone is already inside.

Recap And Listener Stories

SPEAKER_00

So our quick recap: a firewall is the front desk your whole network trust. Fortable bleed put working credentials for tens of thousands of those desks into the wrong hands. Patching seals the hole. It does not unsteal the keys. So you rotate, you turn on phishing resistant MFA, you pull the admin login off the open internet, and you check already who got in. Remember, patch closes the window, rotation changes the locks. Now the fun part. I want to hear your worst. The security tool was the problem story, the scanner that crashed production, the VPN that locked out the whole company, the box that was supposed to keep people out, and instead kept everyone in. Email me, DM me, drop it in the comments, whatever is easiest. As always, every single message gets read and answered by me, no bot at the front desk. Enjoying yourself? Go ahead and hit subscribe or follow or whatever your listening platform utilizes. It's the single best way to make sure you don't miss the next one. If this episode helps, share it with someone who'd actually benefit. This has been Plain Text with Rich, one topic, 10 minutes, no panic.