FortiBleed Vulnerability Linked to INC Threat Group and Lynx Ransomware Attacks
FortiBleed, a large-scale credential-harvesting operation against organizations in 150 countries, has been linked to deployments of the INC Ransom and Lynx ransomware families, according to SOCRadar.
Overview of FortiBleed
Discovered in mid-June, the campaign has targeted over 430,000 FortiGate firewalls to deploy a network sniffer known as FortigateSniffer. The tool intercepts traffic passing through the compromised device and captures plaintext credentials and password hashes for later use. The operation is believed to be run by a Russian initial access broker seeking to break into Active Directory domains, exfiltrate sensitive data, and establish long-term access. It has been active since at least February, and an estimated 110 million credentials have been compromised.
Targeted Systems and Tools
SOCRadar identified scanning activity against approximately 11,250 FortiGate portals, with administrative access achieved on 409 of them. On 354 of those, the attackers completed the full attack chain: breaching the victims' VPNs, reaching domain controllers, and obtaining domain administrator privileges. Twelve of these intrusions ended in ransomware deployment, with “hundreds of endpoints encrypted across affected organizations.”
Operational Mistake and Discovery
An operational security mistake by the attackers gave SOCRadar visibility into their environment, including internal files, logs, and documentation. The firm observed a single operator logged into both the INC Ransom and Lynx ransomware negotiation platforms, and found overlaps between FortiBleed victims and INC targets, confirming that the same organizations were hit in both campaigns.
“Identifying a single operator managing both platforms, using infrastructure traceable to FortiBleed, provides the strongest evidence yet that credentials obtained through this campaign are being directly utilized or transferred for ransomware operations,” SOCRadar stated.
Attack Details and Impact
Analysis of an internal tracking document linked to FortiBleed indicates the involvement of approximately 20 individuals, some specializing in high-impact intrusions and others providing technical support. “FortiBleed is not an isolated credential theft effort but a direct contributor to the ransomware ecosystem. The same infrastructure that intercepted authentication traffic across hundreds of thousands of firewalls is connected, via a shared operator, to two of the most active ransomware groups today,” the report noted.
Ransomware Connection and Analysis
INC Ransom emerged in mid-2023 and quickly became one of the most active ransomware-as-a-service (RaaS) operations; Lynx followed about a year later as an updated variant. Separately reported incidents in the same ransomware ecosystem include the exploitation of the BlueHammer vulnerability, the use of the Mistic RAT, and the abuse of Microsoft Teams relay servers in DragonForce attacks.
Additional Cybersecurity Threats
Recent data highlights escalating cybercrime losses, with the FBI reporting nearly $21 billion in damages in 2025. Additional reports detail vulnerabilities in Apple’s iOS, macOS, and Safari, as well as a large password spray campaign targeting the Azure CLI. Aflac Japan’s data breach affected 4.38 million individuals, and exploitation of an Oracle E-Business Suite vulnerability has begun. A critical SimpleHelp vulnerability has been leveraged for malware distribution, and Quantifind secured $200 million for AI-driven risk intelligence.
Industry Updates and Insights
Researchers demonstrated a new Claude Code attack that uses seemingly benign repositories to compromise developer machines. Industry updates include promotions at AT&T, Binary Defense, and Everfox, alongside expert insights on AI-driven cybersecurity audits, frontier AI questions for enterprises, and the financial implications of AI token usage. Recent security alerts cover active exploitation of Microsoft SharePoint vulnerabilities, Citrix NetScaler patches, and the emergence of the HTTP/2 Bomb attack.
Conclusion
FortiBleed underscores how closely credential theft and ransomware operations are now connected. The practical implication of a sniffer that captures credentials in transit is that any credential that passed through a compromised FortiGate should be treated as exposed and rotated, and administrative access to the firewalls themselves should be audited for unauthorized accounts. As threat actors continue to evolve their tactics, organizations must remain vigilant against emerging vulnerabilities and adopt proactive strategies to mitigate risk.
FAQs
What is FortiBleed?
FortiBleed is a large-scale operation targeting FortiGate firewalls to extract credentials, which are then used for ransomware attacks and data exfiltration.
Which ransomware families are linked to FortiBleed?
INC Ransom and Lynx have been associated with FortiBleed; SOCRadar observed a single operator managing both ransomware negotiation platforms from infrastructure traceable to FortiBleed.
How was FortiBleed discovered?
SOCRadar identified scanning activity against FortiGate portals, and an operational security mistake by the attackers gave the firm visibility into their environment and methods.
What are the broader implications of this campaign?
FortiBleed shows credential theft feeding directly into the ransomware ecosystem, underscoring the need for credential rotation after gateway compromise and for effective threat detection and response.
