Many companies and governments have a problem. Hackers entered thousands of Fortinet security devices around the world.

許多公司與政府正面臨問題。駭客入侵了全球數千台 Fortinet 安全設備。

The hackers used a fast computer program. This program tried many common passwords until it found the right ones. It did not use a secret bug in the software.

駭客使用了一個高速電腦程式。該程式不斷嘗試許多常見密碼，直到找到正確的為止。它並非利用軟體中的秘密漏洞。

Many big companies have this problem. These companies include Samsung and Oracle. Many devices in India, the USA, Taiwan, and Mexico are not safe. Some hackers stole secret military papers from Turkey.

許多大公司都面臨這個問題。這些公司包括三星 (Samsung) 與 Oracle。印度、美國、台灣與墨西哥的許多設備並不安全。部分駭客甚至從土耳其竊取了軍事機密文件。

After the hackers got inside, they moved to other parts of the network. They stole more passwords from main servers. However, the hackers made some mistakes. Experts found their tracks.

駭客進入系統後，便移動至網路的其他部分。他們從主伺服器竊取了更多密碼。然而，駭客犯了一些錯誤，讓專家發現了他們的蹤跡。

The situation is still bad. Many broken devices are still online today.

情況依然糟糕。許多被入侵的設備至今仍處於連網狀態。

A large-scale security breach has affected tens of thousands of Fortinet firewalls worldwide, giving unauthorized access to many international companies and government organizations.

一次大規模的安全漏洞影響了全球數萬個 Fortinet 防火牆，導致許多國際公司與政府機構遭到未經授權的存取。

The breach, known as 'FortiBleed,' started when attackers scanned FortiGate login pages on the internet. Instead of using unknown software bugs, the attackers used a method called 'credential spraying.' This involved using a custom program to test thousands of common passwords against the systems. Once they gained access, the attackers stole authentication data, which they then cracked using a powerful cluster of 45 GPUs to discover more passwords.

這次漏洞被稱為「FortiBleed」，始於攻擊者在網際網路掃描 FortiGate 登入頁面。攻擊者並非使用未知的軟體漏洞，而是採用一種稱為「認證噴灑」（credential spraying）的方法。這涉及使用自訂程式，針對系統測試數千個常用密碼。一旦取得存取權限，攻擊者便竊取驗證數據，隨後利用由 45 個 GPU 組成的強大集群進行破解，以發現更多密碼。

The impact is significant, with estimates suggesting that between 30,000 and 74,000 devices were compromised. This represents nearly half of all Fortinet firewalls connected to the internet. Affected organizations include well-known companies such as Oracle, Samsung, Lenovo, and PwC, as well as government agencies. The highest number of affected devices were found in India, the United States, Taiwan, and Mexico. Furthermore, it was confirmed that classified defense documents were stolen from a Turkish NATO contractor.

影響十分顯著，估計約有 30,000 至 74,000 台設備遭到入侵。這幾乎佔了所有連接網際網路的 Fortinet 防火牆的一半。受影響的組織包括 Oracle、Samsung、Lenovo 和 PwC 等知名公司，以及政府機關。受影響設備數量最多的地區為印度、美國、台灣和墨西哥。此外，已確認一家土耳其 NATO 承包商的機密國防文件被盜。

After entering the networks, the attackers moved sideways to target central authentication systems, such as Microsoft Active Directory. Although the password-cracking tools were advanced, researchers emphasized that the attackers made mistakes in their own security, leaving clues behind on their control servers.

進入網路後，攻擊者採取橫向移動以針對中央驗證系統，例如 Microsoft Active Directory。儘管密碼破解工具相當先進，但研究人員強調，攻擊者在自身的安全性上犯了錯誤，在他們的控制伺服器上留下了線索。

The situation remains critical because a large number of the compromised devices are still online and active.

情況依然危急，因為大量被入侵的設備仍處於在線且運作狀態。

A large-scale security breach has affected tens of thousands of Fortinet firewalls globally, granting unauthorized access to numerous multinational corporations and government entities.

一次大規模的安全漏洞影響了全球數萬個 Fortinet 防火牆，導致眾多跨國公司與政府實體遭到未經授權的訪問。

The breach, identified as 'FortiBleed,' originated from the systematic scanning of internet-facing FortiGate remote login endpoints. Rather than exploiting previously unknown software vulnerabilities, the threat actors utilized a high-volume credential-spraying methodology. This process involved a custom binary employing 25,000 threads to test extensive lists of known passwords against targeted endpoints. Upon successful authentication, the actors established network footholds, which facilitated the interception of SSL VPN authentication hashes. These hashes were subsequently processed via a 45-GPU cluster using a recursive, 12-level feedback system, wherein successful password discoveries served as seeds for further candidate generation.

此次被命名為「FortiBleed」的入侵，源於對面向網際網路的 FortiGate 遠端登入端點進行系統性掃描。威脅參與者並非利用先前未知的軟體漏洞，而是採用了高容量的「憑證噴灑」（credential-spraying）方法。此過程使用了一個自定義二進位檔，透過 25,000 個執行緒將大量已知密碼清單對準目標端點進行測試。在成功通過驗證後，攻擊者建立了網路據點，從而便於攔截 SSL VPN 驗證雜湊值（hashes）。隨後，這些雜湊值透過一個 45 個 GPU 的集群，利用一個 12 層的遞迴反饋系統進行處理，將成功發現的密碼作為種子，用於生成更多候選密碼。

Stakeholder impact is extensive, with estimates of compromised devices ranging from 30,000 to approximately 74,000, representing nearly half of all internet-facing Fortinet firewalls according to Shodan polling. Affected entities include high-profile organizations such as Oracle, Samsung, Lenovo, and PwC, as well as critical infrastructure providers and government agencies. Geographically, the highest concentrations of compromised devices were observed in India, the United States, Taiwan, and Mexico. Of particular institutional concern is the confirmed exfiltration of classified defense documentation from a Turkish NATO contractor.

利害關係人的影響範圍極廣，估計受影響的設備數量在 30,000 至約 74,000 部之間，根據 Shodan 的調查，這幾乎佔了所有面向網際網路的 Fortinet 防火牆的一半。受影響的實體包括 Oracle、三星、聯想和 PwC 等知名組織，以及關鍵基礎設施供應商與政府機構。在地理分布上，印度、美國、台灣與墨西哥的受害設備最為集中。特別令體制擔憂的是，已確認一名土耳其 NATO 承包商的機密國防文件被外洩。

Following the initial perimeter breach, the actors transitioned to lateral movement within the target networks. This progression enabled the compromise of centralized authentication systems, specifically Microsoft Active Directory and Radius servers. Despite the technical sophistication of the password-cracking apparatus, researchers noted a lack of operational security, as the attackers left identifiable artifacts on their command-and-control infrastructure.

在初步突破邊界後，攻擊者轉而於目標網路內進行橫向移動。這一進程使得他們能夠入侵中心化驗證系統，特別是 Microsoft Active Directory 和 Radius 伺服器。儘管密碼破解設備在技術上非常精密，但研究人員指出其缺乏操作安全，因為攻擊者在其指令與控制基礎設施上留下了可識別的痕跡。

The current situation remains critical, as a significant portion of the compromised devices remain online and active.

目前的狀況依然嚴峻，因為仍有很大一部分被入侵的設備處於在線且活躍狀態。