The FortiBleed campaign has emerged as a significant threat, reportedly affecting more than 430,000 FortiGate firewalls worldwide. It has now been identified as a key supplier of access to two active ransomware-as-a-service (RaaS) operations, INC Ransom and Lynx. The link to these ransomware groups shows that FortiBleed's impact reaches well beyond the credential theft it was first known for.
Link Between FortiBleed and Ransomware
Investigations by SOCRadar's Threat Research Unit (STRU) found an operator with access to FortiBleed's infrastructure working inside the negotiation panels of both ransomware operations. This is the first confirmed association between the large-scale theft of FortiGate credentials and subsequent ransomware activity. FortiBleed was initially identified as a major credential-harvesting campaign targeting FortiGate firewalls across the globe.
The threat actor behind FortiBleed operates as an initial access broker, using a custom tool named FortigateSniffer. The tool, written in Go, targets FortiOS to capture authentication data across multiple protocols; the harvested credentials are then used, or resold, for follow-on access to the victim network.
Widespread Impact of Credential Theft
Further analysis using internet-wide scanning platforms such as Shodan and Censys uncovered approximately 200 operational servers linked to the FortiBleed campaign. These servers scanned more than 11,250 FortiGate portals in over 150 countries. Admin-level access was verified on 409 of those targets, a complete attack chain was executed on 354, and at least 12 confirmed ransomware deployments followed.
A breach of the operators' own server environment exposed logs and documents that confirmed attribution of these attacks to FortiBleed and provided a view into the inner workings and scale of the operation.
Implications for Cybersecurity
Within the compromised environment, there was evidence of operators negotiating ransoms on behalf of both INC and Lynx. INC Ransom, active since mid-2023, is a prominent RaaS group, and Lynx is considered an evolved version of INC. The overlap between FortiBleed's victims and INC-linked databases supports the conclusion that the two share an operational framework.
Analysis of internal tracking documents indicates a structured organization of around 20 individuals, including primary operators and support staff, which underscores how organized these cybercriminal activities are.
Organizations running FortiGate infrastructure face a heightened risk from FortiBleed. Beyond credential theft, there is now a direct path to ransomware deployment, and because the campaign relies on already-harvested credentials, patching alone is not enough: administrator credentials on exposed devices should be rotated, management interfaces should not be reachable from the internet, and admin logins should be reviewed for access from unfamiliar sources.
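One practical check is to review FortiGate administrator login events for credential testing and for successful admin logins from outside the expected management network. The script below is an added example written for this article, not code from SOCRadar or from the FortiBleed report; the log lines are constructed samples in FortiOS-style key=value event-log syntax, the field names (logdesc, user, srcip, action, status) and the trusted management range 10.0.0.0/8 are assumptions for illustration, and the failed-login threshold is arbitrary.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in FortiOS key=value event-log syntax.
# Field names are assumed for illustration; they are not from the article.
SAMPLE_LOGS = [
    'date=2025-03-01 time=08:01:10 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" srcip=10.0.0.5 action="login" status="success" profile="super_admin"',
    'date=2025-03-01 time=09:14:02 logid="0100032002" type="event" subtype="system" '
    'logdesc="Admin login failed" user="admin" srcip=198.51.100.23 action="login" status="failed"',
    'date=2025-03-01 time=09:14:05 logid="0100032002" type="event" subtype="system" '
    'logdesc="Admin login failed" user="fortiadmin" srcip=198.51.100.23 action="login" status="failed"',
    'date=2025-03-01 time=09:14:09 logid="0100032002" type="event" subtype="system" '
    'logdesc="Admin login failed" user="root" srcip=198.51.100.23 action="login" status="failed"',
    'date=2025-03-01 time=09:20:41 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" srcip=203.0.113.77 action="login" status="success" profile="super_admin"',
    'date=2025-03-01 time=09:22:00 logid="0100032003" type="event" subtype="system" '
    'logdesc="Admin logout" user="admin" srcip=203.0.113.77 action="logout"',
]

# Assumed: management network from which admin logins are expected.
TRUSTED_MGMT_NETS = [ip_network("10.0.0.0/8")]
# Assumed: number of failed logins from one source that counts as credential testing.
FAILED_THRESHOLD = 3

# key=value pairs; values are either "quoted strings" or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortios_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
        for m in KV_RE.finditer(line)
    }


def is_trusted(ip, trusted_nets):
    """True when the source address falls inside an expected management range."""
    addr = ip_address(ip)
    return any(addr in net for net in trusted_nets)


def find_suspicious_admin_logins(lines, trusted_nets=TRUSTED_MGMT_NETS,
                                 failed_threshold=FAILED_THRESHOLD):
    """Return a list of alerts as (kind, source_ip, user) tuples.

    Two conditions are flagged: a source that reaches failed_threshold failed
    admin logins (credential testing against harvested or guessed accounts),
    and any successful admin login from outside the trusted management ranges.
    """
    alerts = []
    failures = defaultdict(int)
    for line in lines:
        ev = parse_fortios_line(line)
        if ev.get("action") != "login":
            continue  # logouts and other events are not login attempts
        src = ev.get("srcip", "")
        if ev.get("status") == "failed":
            failures[src] += 1
            if failures[src] == failed_threshold:  # alert once per source
                alerts.append(("repeated_failures", src, None))
        elif ev.get("status") == "success" and not is_trusted(src, trusted_nets):
            alerts.append(("untrusted_admin_login", src, ev.get("user")))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_admin_logins(SAMPLE_LOGS):
        print(alert)
```

Run against the samples, the script reports the three failures from 198.51.100.23 as credential testing and the later successful admin login from 203.0.113.77 as access from an untrusted source; the login from 10.0.0.5 is inside the assumed management range and is not flagged. In a real deployment the same logic would run over logs exported from the device or a SIEM, with the trusted ranges taken from your own management network.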
Enhance your security operations by integrating proactive threat detection tools to mitigate risks from such sophisticated attacks.
