FortiBleed Credential Theft Tied to INC Ransom, Lynx RaaS Attacks
A newly disclosed investigation has uncovered the first confirmed operational link between the large-scale FortiBleed credential-harvesting campaign and two active ransomware-as-a-service (RaaS) groups: INC Ransom and Lynx.
The finding provides direct evidence that mass theft of FortiGate credentials is now being integrated into ransomware deployment pipelines, sharply raising the risk profile of exposed firewall infrastructure.
Initially identified as a widespread credential-harvesting operation, FortiBleed targeted over 430,000 FortiGate firewalls worldwide using a custom Golang-based tool dubbed “FortigateSniffer.”
FortiBleed Credential Theft
The malware abuses FortiOS’s diagnostic packet capture functionality to intercept authentication traffic across multiple protocols, allowing attackers to harvest valid credentials without triggering conventional security alerts.
The campaign was originally attributed to an initial access broker (IAB) and appeared financially motivated. However, until now, the downstream use of stolen credentials remained unclear.
Further investigation by STRU (Socradar Threat Research Unit) expanded the known infrastructure footprint of FortiBleed, identifying more than 200 additional servers involved in scanning, credential sniffing, and exploitation.
Using internet-wide scanning platforms including Shodan, Censys, and Validin, researchers observed active targeting of approximately 11,250 FortiGate portals across over 150 countries. Key findings include:
- Administrative access obtained in 409 instances
- 354 organizations experiencing full compromise chains, including VPN access, domain controller infiltration, and domain administrator privilege escalation
- At least 12 confirmed ransomware incidents attributed to this access, resulting in widespread endpoint encryption
A critical breakthrough stemmed from an operational security lapse that exposed internal threat-actor infrastructure.
STRU analysts gained access to logs, internal documentation, and operational systems, revealing that a single operator associated with FortiBleed was simultaneously managing negotiation panels for both INC Ransom and Lynx ransomware groups.
This overlap provides strong attribution evidence directly linking the credential-harvesting operation to ransomware deployment workflows.
An additional correlation emerged through victim overlap analysis: data extracted from the FortiBleed infrastructure was cross-referenced with an open directory associated with INC Ransom operations, revealing shared victim organizations across both datasets.
This reinforces the conclusion that harvested FortiGate credentials are either sold to, or directly used by, ransomware affiliates.
The investigation also exposed the internal organization of the campaign, revealing a coordinated team of approximately 20 individuals operating under a tiered model:
- Core intrusion specialists handling initial exploitation
- Infrastructure operators managing scanning and sniffing servers
- Lower-level support personnel responsible for data handling and campaign management
Internal tracking documents detailed credential usage, network access progression, and ransomware deployment status, indicating a mature, well-organized cybercriminal enterprise rather than an opportunistic operation.
These findings mark a critical shift in the threat landscape: firewall-level credential harvesting is no longer an isolated activity but an integrated component of ransomware supply chains.
Organizations running FortiGate devices now face heightened risk, as credential exposure through campaigns like FortiBleed can rapidly escalate into full-scale ransomware incidents.
Security teams should prioritize patching FortiOS vulnerabilities, rotating FortiGate credentials, enabling multi-factor authentication on VPN access, and monitoring for anomalous diagnostic traffic that could indicate FortigateSniffer activity.
No Comment! Be the first one.