The FortiBleed credential-harvesting campaign, which has compromised more than 430,000 FortiGate firewalls worldwide, is directly feeding two active ransomware-as-a-service (RaaS) operations, INC Ransom and Lynx.
SOCRadar’s Threat Research Unit (STRU) identified an operator with access to FortiBleed infrastructure actively logged into the negotiation panels of both ransomware brands, marking the first confirmed connection between mass FortiGate credential theft and ransomware deployment.
STRU first documented FortiBleed as a large-scale credential-harvesting operation targeting more than 430,000 FortiGate firewalls globally.
The threat actor operates as an Initial Access Broker, deploying a custom Golang-based tool called FortigateSniffer that abuses FortiOS’s built-in diagnose sniffer packet command to passively capture authentication traffic for roughly two dozen protocols.
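One detection-side check this technique suggests, written here as an added example (it is not code from the SOCRadar report or from Fortinet): because FortigateSniffer drives the firewall’s own diagnose sniffer packet command, each capture should appear as an admin CLI event once FortiOS command auditing is enabled. The snippet parses FortiOS-style key=value event-log lines, flags any administrator session that invokes the sniffer (including the abbreviated spellings FortiOS accepts), records the admin source, and notes which authentication ports the capture filter names. The log lines are constructed; the field names (cli, ui, user), the logid values and the port-to-protocol table are assumptions to be checked against the FortiOS version and environment in use.

```python
"""Flag FortiOS admin CLI audit events that invoke the built-in packet sniffer.

Added example, not from SOCRadar or Fortinet. Sample log lines are constructed;
field names follow the FortiOS key=value event-log style, but the logid values
and exact field set are assumptions to verify against the deployed FortiOS.
"""
from __future__ import annotations

import re
from typing import Iterable

# key=value or key="quoted value" (FortiOS event-log style)
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# FortiOS accepts unambiguous keyword prefixes, so the command may be logged as
# "diagnose sniffer packet", "diag sniffer packet" or "di sn pa". Assumption:
# any word starting with di / sn / pa in that order is the sniffer command.
_SNIFFER_RE = re.compile(r"\bdi\w*\s+sn\w*\s+pa\w*\b", re.IGNORECASE)

# ui field looks like "ssh(198.51.100.23)", "https(10.0.0.5)" or "console"
_UI_RE = re.compile(r"^(\w+)(?:\(([^)]*)\))?$")

# "port N" tokens in the BPF-style capture filter
_PORT_RE = re.compile(r"\bport\s+(\d+)")

# Illustrative subset of authentication-carrying ports (assumption, not the
# report's list of two dozen protocols).
AUTH_PORTS = {49: "tacacs+", 88: "kerberos", 389: "ldap", 636: "ldaps",
              1645: "radius", 1812: "radius"}

# Constructed sample events: a login, two sniffer runs, one harmless command.
SAMPLE_LOGS = [
    'date=2025-01-15 time=03:11:02 logid="0100032001" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" '
    'ui="ssh(198.51.100.23)" action="login" status="success"',
    'date=2025-01-15 time=03:12:44 logid="0100044547" type="event" subtype="system" '
    'level="notice" logdesc="Execute CLI command" user="admin" ui="ssh(198.51.100.23)" '
    'action="Execute" cli="diagnose sniffer packet any \'port 389 or port 1812\' 6 0 a"',
    'date=2025-01-15 time=09:30:10 logid="0100044547" type="event" subtype="system" '
    'level="notice" logdesc="Execute CLI command" user="netops" ui="https(10.0.0.5)" '
    'action="Execute" cli="diag sniffer packet port1 \'host 10.0.0.5 and port 22\' 4 10 l"',
    'date=2025-01-15 time=09:31:00 logid="0100044547" type="event" subtype="system" '
    'level="notice" logdesc="Execute CLI command" user="netops" ui="https(10.0.0.5)" '
    'action="Execute" cli="get system status"',
]


def parse_fortios_log(line: str) -> dict[str, str]:
    """Parse one key=value log line into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in _KV_RE.findall(line)}


def is_sniffer_command(cli: str) -> bool:
    """True if the logged CLI text invokes diagnose sniffer packet (any prefix form)."""
    return bool(_SNIFFER_RE.search(cli))


def admin_source(ui: str) -> tuple[str, str]:
    """Split a ui field into (channel, source address); source is '' for console."""
    match = _UI_RE.match(ui.strip())
    if not match:
        return ui, ""
    return match.group(1), match.group(2) or ""


def auth_ports_in_filter(cli: str) -> dict[int, str]:
    """Return the authentication ports named in the sniffer filter, by protocol."""
    ports = {int(p) for p in _PORT_RE.findall(cli)}
    return {p: AUTH_PORTS[p] for p in sorted(ports) if p in AUTH_PORTS}


def flag_sniffer_use(lines: Iterable[str],
                     trusted_sources: frozenset[str] = frozenset()) -> list[dict]:
    """Return one finding per admin CLI event that runs the packet sniffer."""
    findings = []
    for line in lines:
        rec = parse_fortios_log(line)
        cli = rec.get("cli", "")
        if rec.get("type") != "event" or not is_sniffer_command(cli):
            continue
        channel, source = admin_source(rec.get("ui", ""))
        findings.append({
            "time": f'{rec.get("date", "")} {rec.get("time", "")}'.strip(),
            "user": rec.get("user", ""),
            "channel": channel,
            "source": source,
            "cli": cli,
            "auth_ports": auth_ports_in_filter(cli),
            "trusted_source": source in trusted_sources,
        })
    return findings


if __name__ == "__main__":
    for f in flag_sniffer_use(SAMPLE_LOGS, trusted_sources=frozenset({"10.0.0.5"})):
        print(f"{f['time']} {f['user']}@{f['channel']}({f['source']}) "
              f"trusted={f['trusted_source']} auth_ports={f['auth_ports']}: {f['cli']}")
```

Any sniffer invocation from an unknown source, or with a filter that names LDAP, RADIUS, Kerberos or TACACS+ ports, deserves a look; the trusted-source flag is there so that an engineer troubleshooting from a known jump host is not treated the same as an unfamiliar SSH session.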
Continued investigation using Shodan, Censys, Validin, and internal IP block scanning uncovered roughly 200 additional operational servers tied to the campaign’s sniffers and scanners. STRU tracked scanning activity against approximately 11,250 FortiGate portals across more than 150 countries:
Admin-level access confirmed on 409 targets
Full attack chain completed (VPN compromise, domain controller access, domain admin) on 354 targets
At least 12 confirmed ransomware deployments, with hundreds of endpoints encrypted
A security breach in a newly identified server exposed the actor’s internal environment, including logs and operational documentation, forming the basis for this attribution.
INC and Lynx Connection
Inside the exposed environment, STRU found an operator actively engaging in ransom negotiations on both the INC Ransom and Lynx panels. INC Ransom has operated since mid-2023 as one of the more prolific RaaS groups, while Lynx, active since roughly mid-2024, is widely assessed as an evolved INC variant.
This finding is corroborated by victim overlap: comparing FortiBleed’s own target data against a separately discovered INC-linked open directory revealed matching victim organizations across both datasets, providing independent confirmation of a shared operational pipeline.
STRU also recovered an internal tracking document detailing which credentials were used, which networks were accessed, and the outcomes of ransomware deployments. Analysis suggests a structured operation of roughly 20 people, including a small core of primary operators, dedicated specialists, and junior back-office support.
FortiBleed is not an isolated credential-theft operation; it’s a direct feeder into active ransomware economies. For organizations running FortiGate infrastructure, exposure to FortiBleed is now more than a credential risk; it’s a potential precursor to a full ransomware deployment.
The post FortiBleed Password Stealing Attack Linked to INC and Lynx Ransomware Operations appeared first on Cyber Security News.