FortiBleed Campaign Linked to INC and Lynx Ransomware Attacks

The large-scale FortiBleed credential theft campaign has now been directly linked to the INC and Lynx ransomware operations, providing strong evidence that the stolen FortiGate administrator credentials were intended to enable ransomware attacks.

According to a new report from SOCRadar, investigators identified an operator associated with the FortiBleed infrastructure actively managing ransom negotiation panels for both ransomware groups. This marks the first confirmed connection between the massive FortiGate credential-harvesting campaign and subsequent ransomware deployment.

Thousands of FortiGate Devices Targeted Worldwide

Researchers tracked attackers scanning approximately 11,250 FortiGate portals across more than 150 countries.

The investigation revealed:

  • Administrative access was successfully obtained on 409 FortiGate devices.
  • The complete attack chain was executed against 354 organizations.
  • At least 12 ransomware incidents have already been linked to the campaign.
  • Hundreds of systems across affected organizations were encrypted.

The findings demonstrate that the stolen credentials were actively used rather than simply collected for future resale.

How the FortiBleed Campaign Worked

The FortiBleed operation relied on large-scale internet scanning to locate publicly exposed Fortinet appliances.

Attackers attempted to log in using known or previously stolen administrator credentials. After gaining access, they deployed a custom Golang-based packet sniffer capable of silently collecting usernames, passwords, session information, and other authentication data directly from network traffic.

Security researchers estimate that the campaign targeted nearly 430,000 FortiGate firewalls worldwide and harvested more than 110 million credentials.

The operation came to light after attackers accidentally exposed an internal server containing credentials stolen from thousands of compromised Fortinet devices.

Custom Packet Sniffer Installed on Thousands of Devices

The malicious packet sniffer was reportedly deployed on roughly 12,000 Fortinet appliances, allowing attackers to continuously capture authentication data without raising immediate suspicion.

This represents only a portion of the total devices targeted during the campaign, suggesting the attackers prioritized systems that offered the highest value or easiest access.

Evidence Links FortiBleed to Ransomware Deployment

SOCRadar uncovered approximately 200 additional servers associated with the FortiBleed infrastructure.

One exposed server contained internal files, operational logs, automation scripts, configuration files, and target inventories that provided investigators with unprecedented insight into the operation.

Among the most significant discoveries was evidence showing an operator simultaneously accessing the negotiation portals of both INC Ransom and Lynx ransomware groups.

Researchers also identified overlap between organizations compromised during the FortiBleed campaign and victims later listed on INC Ransom’s leak site, strengthening the connection between credential theft and ransomware deployment.

Organized Operation With Defined Roles

Analysis of internal documentation suggests FortiBleed is not the work of a single threat actor.

Instead, researchers believe the campaign is run by an organized team of approximately 20 members, each assigned specialized responsibilities.

The operation appears to include:

  • Lead intrusion operators
  • Credential harvesting specialists
  • Infrastructure administrators
  • Automation developers
  • Operational support personnel

Based on tooling, language artifacts, and working patterns, investigators believe the attackers are Russian-speaking and likely operate as an Initial Access Broker (IAB), supplying compromised networks to ransomware affiliates.

Manufacturing and Technology Firms Among Primary Targets

The campaign primarily targeted organizations in:

  • Manufacturing
  • Technology
  • Logistics

Victims were concentrated across Latin America and the Asia-Pacific region, although compromised FortiGate devices were identified worldwide.

Signs of Expanding Beyond Fortinet Devices

Researchers also uncovered evidence suggesting the attackers are expanding their operations beyond Fortinet appliances.

The investigation revealed infrastructure containing a dedicated target list with approximately:

  • 29,000 IP addresses
  • 37 domains associated with Citrix environments

While researchers have not confirmed large-scale credential theft against Citrix systems, the presence of these target lists indicates active reconnaissance and preparation for future attacks.

Organizations using internet-facing Citrix infrastructure are encouraged to review authentication logs, rotate potentially exposed credentials, enforce multi-factor authentication (MFA), and monitor for suspicious login activity.

Possible Nextcloud Zero-Day Under Investigation

Another concerning discovery is evidence suggesting the attackers may possess an undisclosed zero-day vulnerability affecting Nextcloud.

SOCRadar stated that it is actively coordinating with the software vendor regarding the potential vulnerability, although no technical details have been publicly released.

Fortinet EMS Vulnerability Exploited to Deliver EKZ Stealer

Separately, security researchers at eSentire reported active exploitation of a critical vulnerability affecting Fortinet FortiClient EMS.

The flaw, tracked as CVE-2026-35616 with a CVSS score of 9.1, was used to deploy the EKZ Stealer information-stealing malware against an organization operating in the energy, utilities, and waste management sector.

Once installed, the malware harvested credentials stored in Chromium-based browsers and Mozilla Firefox before exfiltrating the stolen data using PowerShell.

Final Thoughts

The FortiBleed investigation highlights how large-scale credential theft campaigns increasingly serve as the first stage of ransomware attacks rather than isolated cybercrime operations.

The confirmed links between FortiBleed, INC Ransom, and Lynx demonstrate the growing collaboration between Initial Access Brokers and ransomware groups, enabling attackers to rapidly transition from credential compromise to enterprise-wide encryption.

Organizations using Fortinet appliances should immediately review administrative accounts, rotate credentials, enable multi-factor authentication, monitor network appliances for unauthorized changes, and apply the latest security updates to reduce the risk of compromise.
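As an added illustration of the log review recommended here and in the Citrix section above (example code written for this page, not from the article or from SOCRadar's report), the script below parses FortiGate-style key=value admin-login events and flags two things a defender would want surfaced: a successful administrator login from outside a trusted management network, and a success that immediately follows repeated failures from the same source. The field names, the trusted prefix and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate-style key="value" event-log syntax
# (assumed layout for this example; not taken from the article).
SAMPLE_LOGS = """\
date=2026-04-01 time=08:00:01 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7 ui="https(203.0.113.7)"
date=2026-04-01 time=08:00:02 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.7 ui="https(203.0.113.7)"
date=2026-04-01 time=08:00:03 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.7 ui="https(203.0.113.7)"
date=2026-04-01 time=09:15:00 type="event" subtype="system" action="login" status="success" user="netops" srcip=10.0.5.20 ui="ssh(10.0.5.20)"
date=2026-04-01 time=11:42:10 type="event" subtype="system" action="login" status="success" user="admin" srcip=198.51.100.9 ui="https(198.51.100.9)"
"""

# Management networks from which admin logins are expected (assumed for the example).
TRUSTED_MGMT_PREFIXES = ("10.0.5.",)

# key=value pairs; values are either double-quoted or bare (no spaces).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict, handling quoted and bare values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def review_admin_logins(log_text, trusted_prefixes=TRUSTED_MGMT_PREFIXES):
    """Return (reason, user, srcip) findings for logins worth a closer look:
    'untrusted_source'        - success from outside the trusted management ranges
    'success_after_failures'  - success preceded by >=2 failures from the same source
    """
    findings = []
    failures = defaultdict(int)  # consecutive failed logins per source IP
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") != "login":
            continue
        src, user, status = ev.get("srcip", ""), ev.get("user", ""), ev.get("status")
        if status == "failed":
            failures[src] += 1
            continue
        if status != "success":
            continue
        if not src.startswith(trusted_prefixes):
            findings.append(("untrusted_source", user, src))
        if failures[src] >= 2:
            findings.append(("success_after_failures", user, src))
        failures[src] = 0  # a success ends the failure streak for that source
    return findings


if __name__ == "__main__":
    for reason, user, src in review_admin_logins(SAMPLE_LOGS):
        print(f"{reason}: user={user} srcip={src}")
```

In practice the allowlist would be the organization's real management subnets and the input the appliance's exported event log; the point is that a successful admin login from an unexpected source, especially after a burst of failures, is exactly the signal this campaign's credential reuse leaves behind.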
