The FortiBleed credential theft campaign appears to have a direct connection to the Lynx and INC ransomware operations, according to new research from SOCRadar. Investigators believe the attackers collected thousands of Fortinet credentials to support future ransomware attacks and network intrusions.
Investigation Reveals Links to Ransomware Operations
Security researchers previously uncovered an internet-exposed server containing credentials stolen from more than 73,000 Fortinet devices.
The server stored downloaded FortiGate configuration files, credentials harvested from compromised firewalls, and infrastructure used to crack password hashes and launch credential-stuffing attacks.
Researchers named the operation FortiBleed because of the massive scale of the credential theft campaign.
During a follow-up investigation, SOCRadar identified a Windows server that formed part of the FortiBleed infrastructure.
While examining the server, researchers found evidence showing that someone operating the infrastructure had accessed the ransomware negotiation portals used by both the INC and Lynx ransomware groups.
Browser Sessions Connect FortiBleed to Lynx and INC
SOCRadar shared screenshots showing active browser sessions connected to the administration panels used by both ransomware operations.
The dashboards contained victim negotiation chats that ransomware operators use during extortion attempts.
According to the researchers, the discovery provides direct evidence that at least one individual involved in the FortiBleed infrastructure also had access to the ransomware groups’ internal negotiation systems.
Campaign Is Much Larger Than First Reported
The latest investigation suggests the operation extends far beyond the infrastructure originally identified.
SOCRadar discovered more than 200 additional operational servers connected to the campaign. Researchers also found victim information collected during FortiBleed that matched organizations later published on the INC ransomware leak site.
The company believes the operation consists of roughly 20 members, with participants carrying out specialized roles.
Hundreds of Thousands of FortiGate Devices Targeted
Researchers now estimate that the attackers targeted more than 430,000 FortiGate firewalls worldwide.
The campaign reportedly deployed packet-sniffing tools on approximately 19,000 devices to capture VPN credentials and other authentication data directly from network traffic.
After SOCRadar notified affected organizations, the number of compromised devices reportedly dropped to around 11,000.
Investigators also identified approximately 500 servers supporting the operation.
Researchers Investigate Additional Attack Methods
SOCRadar believes the attackers also exploited a previously undisclosed Nextcloud zero-day vulnerability to expand access after compromising their initial targets.
The researchers have not yet released technical details about the suspected vulnerability.
The investigation also uncovered persistent backdoor accounts using the username “adminin” on compromised systems. Researchers continue working to recover ransomware decryption keys that could help future victims.
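One practical check a defender can run on the basis of this finding is to compare the administrator accounts defined on each firewall against an expected baseline and flag anything unexpected, including the “adminin” username named above. The script below is an added example written for this article, not SOCRadar's tooling or code from the investigation; it assumes the account was created as a local administrator in a FortiGate configuration export (the article says only “compromised systems”), and the configuration text it parses is a constructed sample with placeholder password values.

```python
"""Audit administrator accounts in a FortiGate configuration export.

Added example, not from SOCRadar or the article. It reads the
'config system admin' section of a FortiGate config export, lists every
local administrator, and reports accounts that are either a known
backdoor username from the FortiBleed reporting or absent from the
operator's allowlist. The SAMPLE_CONFIG below is constructed for the
example; run the audit on the real export from each device.
"""
import re

# Constructed sample resembling a FortiGate config export.
# Password values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER
    next
    edit "adminin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER
    next
    edit "netops"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC PLACEHOLDER
    next
end
config system interface
    edit "port1"
    next
end
"""

# Username reported in the FortiBleed investigation as a persistent backdoor account.
KNOWN_BAD_USERNAMES = {"adminin"}


def parse_admins(config_text):
    """Return {username: accprofile} for every entry under 'config system admin'."""
    admins = {}
    in_section = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":          # end of the admin section
            break
        m = re.match(r'edit "(.*)"', line)
        if m:                      # start of one administrator entry
            current = m.group(1)
            admins[current] = None
            continue
        m = re.match(r'set accprofile "(.*)"', line)
        if m and current is not None:
            admins[current] = m.group(1)
        if line == "next":         # end of the current entry
            current = None
    return admins


def audit_admins(config_text, allowlist):
    """Return (username, reason) pairs for accounts that need review.

    A known backdoor username is reported first; any other account that
    is not on the allowlist is reported with its access profile so an
    unexpected super_admin stands out.
    """
    findings = []
    for user, profile in parse_admins(config_text).items():
        if user.lower() in KNOWN_BAD_USERNAMES:
            findings.append((user, "matches known backdoor username"))
        elif user not in allowlist:
            findings.append((user, f"not in allowlist (profile={profile})"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_admins(SAMPLE_CONFIG, {"admin"}):
        print(f"REVIEW {user}: {reason}")
```

The allowlist should be the set of administrator names your change records say exist on that device; the audit treats any account outside it as a finding rather than trying to guess which extra names are malicious, since an attacker who has already pushed configuration changes can pick any username.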
Background on the Ransomware Groups
The INC ransomware operation has offered ransomware-as-a-service (RaaS) since mid-2023. Its affiliates have targeted organizations across healthcare, education, government, and several other industries.
The Lynx ransomware group appeared in mid-2024. Many security researchers believe it represents a rebranding of the INC operation rather than an entirely new ransomware group.
SOCRadar says it plans to release a second technical white paper after completing its investigation. The report will include additional indicators of compromise, attribution evidence, and deeper technical analysis.
Conclusion
The latest findings on the FortiBleed credential theft campaign suggest the operation served as more than a large-scale credential harvesting effort. By linking the campaign to the Lynx and INC ransomware groups, researchers believe the stolen Fortinet credentials formed part of a broader strategy to support future ransomware attacks against organizations worldwide.