Hello All. A massive credential exposure campaign dubbed FortiBleed is impacting internet-facing Fortinet FortiGate firewalls and VPN gateways worldwide.

Current reporting suggests 73,000–86,000+ Fortinet devices may be affected across 194 countries, with attackers harvesting verified credentials for administrative and SSL VPN access.

Important clarification:

FortiBleed is not a new CVE or zero-day.

This appears to be a large-scale credential compromise campaign involving:

  • Credential stuffing
  • Password spraying
  • Brute-force attacks
  • Reused / previously leaked passwords
  • Exploitation of older known Fortinet exposures

In other words, this is less about a brand-new vulnerability and more about a dangerous combination of:

  • Weak password hygiene
  • Internet-exposed management interfaces
  • Missing MFA
  • Poor credential rotation

For defenders, this reinforces a hard truth that the firewall is part of your attack surface – It’s not just a defensive tool—it’s also a high-value target.

Immediate actions, I recommend:

  • Rotate all FortiGate admin and VPN credentials
  • Enforce MFA on all remote access
  • Disable internet-facing management where possible
  • Review admin logins for anomalous IPs/geographies
  • Check for unauthorized config changes
  • Patch to latest FortiOS / review Fortinet PSIRT advisories

From an OT perspective, this matters even more.

Many industrial environments still rely on vendor VPN access, jump hosts, and perimeter firewalls to protect critical operations. A compromised edge device could become the initial access point into:

  • Power utilities
  • Manufacturing
  • Water treatment
  • Transportation
  • Critical infrastructure

This is exactly why identity + access security is now just as important as patching.

Read more

Hello All. Most OT deception projects fall into one of two categories: they’re either too simple to fool anyone—or too static to provide meaningful insight.

So, I decided to build something different. Today, I’m announcing AdaptiveGrid — an open-source, adaptive OT honeypot designed to simulate real industrial environments and capture high-fidelity attacker behavior.

Why AdaptiveGrid?

Traditional OT honeypots tend to rely on:

  • Static banners
  • Basic protocol responses
  • Limited interaction depth

The problem? Modern attackers—and even basic tooling—can quickly identify these as fake.

It’s designed not just to look like an OT environment, but to behave like one.

What Makes It “Adaptive”?

At the core of AdaptiveGrid is the idea that deception should evolve during the interaction.

Instead of a fixed response model, the platform:

  • Tracks attacker behavior over time
  • Groups activity into per-attacker cases
  • Scores actions based on intent (e.g., scanning vs. exploitation)
  • Adjusts logging, alerting, and response depth dynamically

This means a simple port scan is treated very differently than:

  • Repeated authentication attempts
  • Protocol-specific manipulation
  • Attempts to access engineering interfaces or project files

Key Features

AdaptiveGrid is designed for both real-world detection and research/demo environments:

High-Interaction OT Emulation

  • EtherNet/IP (CIP), Modbus, OPC UA simulation
  • Emulated controller identities (e.g., PLC-style responses)
  • Realistic engineering workstation behavior

Enterprise + OT Hybrid Lures

  • Fake engineering portals (HTTP/HTTPS)
  • SMB shares for project file access attempts
  • Authentication traps (including credential capture)

Advanced Telemetry & Logging

  • Structured timeline.jsonl per event
  • Full session logging and artifact capture
  • Credential hashing and storage for analysis

ATT&CK-Aligned Detection

  • Automatic mapping to MITRE ATT&CK techniques
  • Clear linkage between behavior and adversary tactics

Burst & Behavior Analytics

  • Detects rapid scanning and brute-force activity
  • Identifies escalation patterns in attacker behavior
  • Use of AI to compile data and provide analysis on behavior

Per-Attacker Case Management

  • One case per attacker (not per event)
  • Full timeline of actions from recon → interaction → exploitation

AdaptiveGrid is designed to complement platforms like Claroty, Nozomi Networks, and Microsoft Defender for IoT—not replace them.

AdaptiveGrid is being released as an open-source project, with a focus on:

  • Transparency
  • Community-driven improvements
  • Realistic OT simulation for defenders, researchers, and educators

Future enhancements will include:

  • Expanded protocol support
  • Deeper controller emulation
  • Integration with SIEM/SOAR platforms
  • Optional AI-assisted alert summarization
Read more

Hello All. As a follow-up to my recent Mythos post, I have been thinking about cyber-hygiene improvements organizations can make in their OT environments. In environments where patching may no longer be an option, tools like Sysmon shift the strategy from prevention to visibility and early detection. You’re essentially compensating for unpatchable risk by increasing your ability to observe attacker behavior in real time. In many cases, these Windows machines cannot run modern EDR tools due to their vintage and/or cannot support them in their current OT environment. On legacy Windows systems (including XP/7-era HMIs), Sysmon can be one of the few viable ways to regain some defensive ground.

Monitoring process creation is one of the highest-value use cases. Most successful attacks on legacy systems still require some form of execution—whether that’s cmd.exe, PowerShell (where present), dropped binaries, or living-off-the-land techniques. By baselining what “normal” looks like on an HMI and alerting on deviations (new parent-child relationships, unusual command-line arguments, unsigned binaries), you can catch activity that would otherwise go completely unnoticed.

DNS and outbound connectivity is even more critical in OT. Many of these systems are not supposed to communicate externally at all. So when you see DNS queries to Internet domains, failed or successful connections to external IPs, or even unusual internal name resolution patterns, that’s often a high-fidelity signal. In a world where AI-driven attacks may rapidly establish command-and-control, those early outbound indicators can be the only warning you get.

Feeding this telemetry into a SIEM is where the real value compounds. SIEMs will allow you to correlate across layers—endpoint behavior, network activity, and even OT protocol anomalies if you’re integrating tools like Nozomi or Claroty. This is where you move beyond simple alerting into detection engineering, building use cases such as:

  • Process execution + outbound connection within a short window
  • New binary execution on a system with no change tickets
  • DNS queries to rare or previously unseen domains
  • Lateral movement patterns combined with OT protocol access

That said, there are a few realities to be aware of.

First, Sysmon on legacy systems requires careful tuning. These environments are typically very static, which is actually an advantage—you can get to a high-confidence baseline quickly—but noisy configs will overwhelm both the system and your analysts. Minimal, targeted logging (process create, network connections, DNS if available, and maybe file creation in sensitive directories) tends to work best.

Second, performance and stability matter more than anything in OT. Even tools that access Windows natively such as Sysmon need to be validated in a lab or staging environment before deployment. The last thing you want is a monitoring control impacting an HMI tied to production or safety systems.

Third, this approach doesn’t reduce vulnerability exposure—it simply makes exploitation more visible. So it needs to sit alongside:

  • Strong network segmentation
  • Strict allow-listing where possible
  • Passive OT monitoring for protocol-level anomalies

The bigger picture is that this aligns perfectly with the shift we’re seeing in the wake of AI-driven vulnerability discovery. If we assume that new flaws will continue to be found in unpatchable systems, then behavioral monitoring becomes the control of last resort.

In that sense, deploying Sysmon isn’t just a technical improvement—it’s a strategic acknowledgment that: You may not be able to stop the exploit, but you can still catch the attacker.

Deploying Sysmon is straightforward. It is part of the Microsoft SysInternals toolkit and can be downloaded directly from Microsoft’s official site:

https://learn.microsoft.com/sysinternals/downloads/sysmon

Once downloaded, it can be installed with a configuration file that defines what events to capture. In OT environments, it’s important to keep this configuration lightweight and targeted—focusing on process creation, network connections, and DNS activity to avoid performance impacts on sensitive systems.

There are, however, important considerations. Legacy OT systems are often fragile, so any agent deployment must be tested carefully to ensure it does not impact stability. Additionally, Sysmon does not reduce the underlying risk—it simply makes attacker activity more visible. This means it should be combined with strong segmentation, strict access controls, and passive network monitoring.

Ultimately, this approach reflects a broader shift in cybersecurity. As AI-driven tools begin to uncover new vulnerabilities in long-abandoned platforms, organizations can no longer rely on patching as their primary defense. Instead, they must assume these systems are permanently exposed and focus on detecting what happens next.

In that reality, Sysmon is not just a tool—it’s a way to regain visibility in environments where control is otherwise limited.

Read more