The recent FortiBleed campaign, a financially motivated operation, has been linked to the INC and Lynx ransomware groups. The credentials stolen in this operation were evidently intended for use in follow-on attacks.
Ransomware Operations Unveiled
A report by SOCRadar revealed that an operator linked to FortiBleed’s infrastructure was conducting ransom negotiations for both the INC and Lynx groups. This is the first time that mass credential theft from FortiGate devices has been directly tied to ransomware deployment.
SOCRadar tracked activities targeting around 11,250 FortiGate portals across more than 150 countries. The attackers successfully gained admin-level access on 409 targets and completed the attack chain on 354. Consequently, at least 12 ransomware deployments have been executed, encrypting hundreds of endpoints within affected organizations.
Global Impact and Methodology
The large-scale credential theft campaign was discovered last month. The attackers systematically scanned the internet for vulnerable Fortinet devices, used known credentials to breach them, and deployed custom packet sniffers on the compromised devices to passively collect authentication data.
It’s estimated that 430,000 FortiGate firewalls were targeted globally, resulting in the collection of over 110 million credentials. The operation was exposed due to a security lapse by the attackers, leaving a server with stolen credentials accessible online.
Technical Insights and Threat Actor Profile
The Golang sniffer was installed on approximately 12,000 Fortinet devices, meaning it was deployed to only a subset of the devices targeted. SOCRadar’s findings show that an operator with access to FortiBleed was logged into both the INC and Lynx negotiation panels, and the two groups’ victims overlap.
The operation appears to be orchestrated by a Russian-speaking actor, likely an initial access broker, and focuses on sectors such as manufacturing, technology, and logistics in Latin America and the Asia Pacific region.
Further insights reveal an organized effort involving about 20 individuals, with a clear division of roles. A core team of lead operators executes high-impact intrusions, supported by specialists and auxiliary staff.
Emerging Threats and Future Defense
Beyond the FortiGate activity, the attackers are suspected of possessing a zero-day vulnerability in Nextcloud. SOCRadar is actively coordinating with the affected vendor to address this issue.
This exposure follows eSentire’s observation of threat actors exploiting a vulnerability in Fortinet FortiClient EMS (CVE-2026-35616) to deploy EKZ Stealer, which harvests credentials from various browsers via PowerShell.
The unfolding developments emphasize the need for vigilant cybersecurity measures and proactive threat intelligence collaboration to mitigate such risks in the future.
