The FortiBleed campaign, a vast credential-stealing operation impacting organizations across 150 nations, has been linked to the deployment of INC Ransom and Lynx ransomware, according to a report from SOCRadar.
FortiBleed’s Global Impact
Initially discovered in June, FortiBleed has targeted more than 430,000 FortiGate firewalls. The attackers deploy a sniffer known as FortigateSniffer on compromised devices to intercept authentication traffic passing through the firewall and harvest plaintext credentials and password hashes, which then serve as the foothold for further compromise.
The campaign is believed to be run by a Russian access broker whose objective is to break into Active Directory domains, exfiltrate confidential data, and maintain persistent access to the compromised networks.
Scale and Scope of the Attack
Active since February, FortiBleed is estimated to have compromised over 110 million credentials. Recent observations by SOCRadar indicate scanning activities against around 11,250 FortiGate portals, with attackers securing administrative privileges on 409 instances.
The full attack sequence, consisting of a VPN compromise, access to a domain controller, and the acquisition of domain-admin rights, was completed against 354 targets. Of these, 12 intrusions culminated in ransomware deployment, encrypting large numbers of endpoints within the affected organizations.
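The counts above come from attackers gaining administrative access to FortiGate portals and reusing stolen VPN credentials. As an added example, not code from the SOCRadar report or from the campaign's tooling, the Python script below shows two hunting checks a defender can run over FortiGate event logs: successful admin-UI logins from outside the management networks, and an admin-UI login from an address that had just brought up a VPN tunnel. The sample lines are constructed to approximate FortiGate's key=value event-log style; the field names, the trusted networks and the 30-minute window are assumptions to adapt to your own devices.

```python
"""Hunt for suspicious FortiGate admin logins in key=value event logs.

Added example: generic hunting checks run over constructed sample lines,
not SOCRadar's indicators and not FortigateSniffer artifacts.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Networks from which admin-UI logins are expected (hypothetical values).
TRUSTED_ADMIN_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]

# Constructed sample lines approximating FortiGate's key=value event-log
# style; the addresses are documentation ranges, not real observations.
SAMPLE_LOGS = """\
date=2024-06-01 time=08:00:05 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=203.0.113.7 tunneltype="ssl-web"
date=2024-06-01 time=08:04:12 type="event" subtype="system" action="login" status="success" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7
date=2024-06-01 time=09:15:00 type="event" subtype="system" action="login" status="success" user="admin" ui="https(192.168.10.5)" srcip=192.168.10.5
date=2024-06-01 time=10:20:33 type="event" subtype="system" action="login" status="failed" user="admin" ui="https(198.51.100.9)" srcip=198.51.100.9
date=2024-06-01 time=10:20:40 type="event" subtype="system" action="login" status="success" user="admin" ui="https(198.51.100.9)" srcip=198.51.100.9
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_logs(text):
    """Turn each non-empty line into a dict of string fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return records


def _ts(rec):
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def _is_admin_login(rec):
    return (rec.get("subtype") == "system" and rec.get("action") == "login"
            and rec.get("status") == "success")


def untrusted_admin_logins(records):
    """Successful admin-UI logins from outside the trusted management networks."""
    hits = []
    for rec in records:
        if not _is_admin_login(rec):
            continue
        src = ip_address(rec["srcip"])
        if not any(src in net for net in TRUSTED_ADMIN_NETS):
            hits.append((rec["user"], str(src)))
    return hits


def vpn_then_admin(records, window_minutes=30):
    """Admin-UI logins from an address that brought up a VPN tunnel shortly before.

    A remote-user address reappearing as an admin-UI source is an odd pairing
    worth a look when VPN credentials are suspected stolen (heuristic,
    not a confirmed FortiBleed indicator).
    """
    tunnels = defaultdict(list)
    for rec in records:
        if rec.get("subtype") == "vpn" and rec.get("action") == "tunnel-up":
            tunnels[rec["remip"]].append(_ts(rec))
    chains = []
    for rec in records:
        if not _is_admin_login(rec):
            continue
        when = _ts(rec)
        for start in tunnels.get(rec["srcip"], []):
            if 0 <= (when - start).total_seconds() <= window_minutes * 60:
                chains.append((rec["srcip"], rec["user"]))
                break
    return chains


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for user, src in untrusted_admin_logins(recs):
        print(f"admin login by {user} from untrusted {src}")
    for src, user in vpn_then_admin(recs):
        print(f"{src} opened a VPN tunnel and then logged in to the admin UI as {user}")
```

Run against real exports, the allow-list check is the higher-signal one; the VPN-then-admin pairing produces noise on sites where administrators legitimately work over the VPN, so tune the window or restrict it to non-admin VPN accounts before alerting on it.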
Operational Insights and Future Threats
An operational security lapse by the attackers exposed their infrastructure to SOCRadar, which was able to read internal files and logs. The firm identified a single operator managing both the INC Ransom and Lynx ransomware negotiation platforms, tying FortiBleed victims to those ransomware attacks.
Because that operator uses infrastructure traceable to FortiBleed, SOCRadar concludes that the harvested credentials feed directly into ransomware operations. Its analysis points to roughly 20 individuals, with roles ranging from high-impact intrusions to technical support.
SOCRadar highlights that FortiBleed is not a standalone credential-theft campaign, but rather a critical component feeding into the broader ransomware ecosystem. The infrastructure that intercepted authentication data across numerous firewalls is connected to two prominent ransomware brands through shared operatives.
INC Ransom appeared in mid-2023 and quickly became a leading ransomware-as-a-service platform, with Lynx emerging later as an enhanced version. The practical consequence of a sniffer sitting on the firewall is that every credential that crossed an affected device in the clear should be treated as exposed, so the response is credential rotation and a review of VPN and admin logins during the campaign window rather than generic vigilance.
