
FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations


The financially-motivated FortiBleed credential-harvesting campaign has been linked to INC and Lynx ransomware operations, exposing a massive infrastructure that targeted over 430,000 FortiGate firewalls globally.

The recently discovered financially-motivated FortiBleed campaign has been attributed to INC and Lynx ransomware operations, indicating that the verified, stolen credentials were intended for follow-on intrusions.

"An operator tied to FortiBleed's infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment for the first time," SOCRadar said in a new report published Wednesday.

The company said it tracked scanning activity against approximately 11,250 FortiGate portals in more than 150 countries, followed by confirmed admin-level access on 409 targets and successful completion of the full attack chain on 354 of them. In all, at least 12 ransomware deployments have resulted from this access, causing hundreds of endpoints to be encrypted across affected organizations.

The large-scale credential-harvesting operation, which came to light last month, involved the threat actors systematically scanning the internet for exposed Fortinet devices, attempting to break into them using known credential combinations, and then deploying custom packet sniffers to passively gather credentials and other authentication data from network traffic.

The campaign is assessed to have targeted 430,000 FortiGate firewalls globally, gathering over 110 million credentials in the process. The activity was exposed after an operational security error on the part of the attackers left a server containing credentials stolen from thousands of Fortinet appliances exposed on the internet.

The Golang sniffer is estimated to have been installed on about 12,000 Fortinet devices, a subset of the total number of devices targeted.

The latest findings from SOCRadar show that an operator with access to FortiBleed infrastructure was found logged in to both INC Ransom and Lynx negotiation panels, with victims listed by INC Ransom overlapping with data from the campaign. The links are based on one of the 200 newly discovered servers associated with the FortiBleed infrastructure that granted visibility into internal files, logs, and operational documentation.

Ensar Seker, chief information security officer at SOCRadar, told The Hacker News via email that the exposed server functioned as a staging and operational coordination server, and was not used for phishing or active credential collection.

"It contained target inventories, harvested data, automation scripts, configuration files, and operational artifacts that indicate it was used to coordinate large-scale credential harvesting against internet-facing network appliances," Seker said. "In other words, it served as part of the attackers’ backend infrastructure rather than the infrastructure victims directly interacted with."

Tooling, logs, and working hours indicate that the activity is the work of a Russian-speaking threat actor who likely operates as an initial access broker. Much of the targeting has singled out manufacturing, technology, and logistics sectors in Latin America and the Asia Pacific regions.

SOCRadar also said it discovered an internal document that indicates it's an organized operation comprising about 20 people with a clear division of labor. "A small core of lead operators drives most high-impact intrusions, backed by specialists and support staff," it added.

In addition, the threat actors are believed to be in possession of at least one zero-day vulnerability in Nextcloud. The threat intelligence firm said it's actively coordinating with the affected vendor.

The Delaware-based company said it also identified Citrix-related artifacts that indicate the activity is likely targeting beyond Fortinet devices. The identified infrastructure included a dedicated target list containing about 29,000 IP addresses and 37 domains associated with Citrix environments. This suggests the automated workflow may be repurposed for other remote access technologies.

"At this stage, the presence of these target lists does not conclusively prove that credential harvesting against Citrix devices has already occurred at scale," Seker explained. "Rather, it demonstrates clear reconnaissance and targeting preparations."

"However, given the sophistication of the infrastructure and the operators' proven ability to automate credential collection against Fortinet devices, organizations using internet-facing Citrix infrastructure should treat this as an early warning and verify authentication logs, rotate exposed credentials where appropriate, enforce MFA, and monitor for anomalous login activity."
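The advice above to verify authentication logs and watch for anomalous logins is easier to act on with a concrete check. The following script is an added example written for this article, not code from SOCRadar, Fortinet or The Hacker News. It parses admin login events in the key=value style FortiGate uses for its event log and flags two patterns a credential-stuffing campaign leaves behind: a successful admin login from a source that had just produced a burst of failures, and a successful admin login from an address outside the organisation's known management sources. The sample log lines, the log IDs 0100032001/0100032002, and the allowlist of management addresses are all constructed for illustration.

```python
"""Spot credential-stuffing patterns in FortiGate admin login events.

Added illustration (not SOCRadar's or Fortinet's code). Parses lines in the
key=value format FortiGate uses for event logs and flags two things a defender
reviewing authentication logs after a campaign like this would want to see:

  1. a successful admin login from a source that had just produced a burst
     of failed logins (stuffing that eventually hit a valid pair), and
  2. a successful admin login from a source not on an allowlist of known
     management addresses.
"""
import re
from collections import defaultdict

# Constructed sample events, not telemetry from the campaign. The logids
# 0100032001/0100032002 for admin login success/failure are assumed here.
SAMPLE_LOGS = """\
date=2026-05-01 time=03:12:01 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-05-01 time=03:12:02 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-05-01 time=03:12:03 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="fortinet" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" status="failed" reason="name_invalid"
date=2026-05-01 time=03:12:04 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-05-01 time=03:12:05 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-05-01 time=03:12:09 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" status="success" reason="none" profile="super_admin"
date=2026-05-01 time=09:00:00 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" reason="none" profile="super_admin"
date=2026-05-01 time=11:30:00 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="ssh(203.0.113.40)" method="ssh" srcip=203.0.113.40 action="login" status="success" reason="none" profile="super_admin"
"""

# Management sources the organisation expects admin logins from (assumed).
KNOWN_ADMIN_SOURCES = frozenset({"10.0.0.5"})

# One key=value pair; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze(log_text, fail_threshold=3, known_sources=KNOWN_ADMIN_SOURCES):
    """Return findings for successful admin logins that look suspicious.

    Events are processed in log order; failures are counted per source IP and
    the counter is reset once that source records a success, so each finding
    reflects the burst immediately preceding the login.
    """
    failures = defaultdict(int)
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") != "login":
            continue
        src = ev.get("srcip", "?")
        if ev.get("status") == "failed":
            failures[src] += 1
            continue
        if ev.get("status") != "success":
            continue
        reasons = []
        if failures[src] >= fail_threshold:
            reasons.append(f"success after {failures[src]} failed logins from this source")
        if src not in known_sources:
            reasons.append("source not in known management addresses")
        if reasons:
            findings.append({
                "time": f"{ev.get('date')} {ev.get('time')}",
                "user": ev.get("user"),
                "srcip": src,
                "method": ev.get("method"),
                "reasons": reasons,
            })
        failures[src] = 0  # reset the burst counter once a success is recorded
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f['time']} user={f['user']} src={f['srcip']} via {f['method']}: "
              + "; ".join(f["reasons"]))
```

Run against the constructed sample, the script reports the 03:12:09 login (five failures from the same address, then success, from an address not on the allowlist) and the 11:30 SSH login from an unlisted address, while the routine 09:00 login from the known management host passes silently. In practice the allowlist would come from the firewall's trusted-host configuration and the threshold would be tuned to the device's normal failure rate; the same parser works on logs forwarded to a syslog collector, which is where this review should happen so that an attacker with admin access cannot clear the evidence on the appliance itself.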

The disclosure comes as eSentire said it observed threat actors exploiting a flaw in Fortinet FortiClient EMS (CVE-2026-35616, CVSS score: 9.1) to deploy an information stealer called EKZ Stealer against a customer in the energy, utilities, and waste sector with the end goal of harvesting credentials from Chromium-based browsers and Firefox and exfiltrating them via PowerShell.


Source: The Hacker News
