Cyber Web Spider Blog – News
FortiBleed Attack Fuels Major Ransomware Operations

Posted on July 2, 2026 By CWS

The FortiBleed attack has emerged as a significant threat, compromising over 430,000 FortiGate firewalls globally. This operation has been identified as a crucial component in supporting two active ransomware services, INC Ransom and Lynx. The connection to these ransomware groups highlights the widespread impact of the FortiBleed campaign.

Link Between FortiBleed and Ransomware

Investigations by SOCRadar’s Threat Research Unit (STRU) revealed that an operator with access to FortiBleed’s infrastructure was active in the negotiation panels of both ransomware operations. This marks the first confirmed link between the large-scale theft of FortiGate credentials and subsequent ransomware activity. FortiBleed was initially identified as a major credential-harvesting campaign targeting FortiGate firewalls across the globe.

The threat actor behind FortiBleed operates as an Initial Access Broker, utilizing a custom tool named FortigateSniffer. This tool, developed in Golang, exploits FortiOS to intercept authentication data across numerous protocols, facilitating unauthorized access to sensitive information.

Widespread Impact of Credential Theft

Further analysis through platforms like Shodan and Censys uncovered approximately 200 operational servers linked to the FortiBleed campaign. These servers were involved in scanning activities across more than 11,250 FortiGate portals in over 150 countries. Notably, admin-level access was verified on 409 targets, and a complete attack chain was executed on 354 targets, leading to at least 12 confirmed ransomware deployments.

A security breach exposed internal server environments, providing logs and documents that confirmed the attribution of these attacks to FortiBleed. This breach offered insights into the inner workings and scale of the operation.

Implications for Cybersecurity

Within the compromised environment, evidence was found of operators negotiating ransoms on behalf of both INC and Lynx. INC Ransom has been active since mid-2023 and is a prominent RaaS group, while Lynx is considered an evolved version of INC. The overlap between FortiBleed victims and INC-linked victim databases supports the conclusion that the two share an operational framework.

Analysis of internal tracking documents indicates a structured organization of around 20 individuals, including primary operators and support staff. This discovery underscores the organized nature of these cybercriminal activities.

Organizations using FortiGate infrastructure face a heightened risk from FortiBleed. Beyond credential theft, there is now a direct threat of ransomware deployment, emphasizing the need for enhanced security measures.

Enhance your security operations by integrating proactive threat detection tools to mitigate risks from such sophisticated attacks.

Category: Cyber Security News. Tags: credential theft, Cybersecurity, FortiBleed, Fortigate, Golang, INC Ransom, initial access broker, Lynx, Ransomware, sniffer, SOCRadar

Copyright © 2026 Cyber Web Spider Blog – News.