FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations
The "FortiBleed" campaign, attributed to INC and Lynx ransomware groups, involves large-scale credential theft from FortiGate firewalls to facilitate follow-on ransomware deployments. Threat actors scanned over 430,000 FortiGate devices globally, stealing more than 110 million credentials and successfully compromising 354 targets, resulting in at least 12 ransomware incidents. The operation is run by a Russian-speaking group of approximately 20 people acting as initial access brokers, targeting
Analysis
TL;DR
- The "FortiBleed" campaign, attributed to INC and Lynx ransomware groups, involves large-scale credential theft from FortiGate firewalls to facilitate follow-on ransomware deployments.
- Threat actors scanned over 430,000 FortiGate devices globally, stealing more than 110 million credentials and successfully compromising 354 targets, resulting in at least 12 ransomware incidents.
- The operation is run by a Russian-speaking group of approximately 20 people acting as initial access brokers, targeting manufacturing, technology, and logistics sectors in Latin America and Asia Pacific.
- A critical operational security failure exposed a server containing stolen credentials, while the group is also suspected of possessing a zero-day vulnerability in Nextcloud.
- Concurrently, threat actors are exploiting CVE-2026-35616 in FortiClient EMS to deploy EKZ Stealer, highlighting a broader trend of credential harvesting via Fortinet ecosystem vulnerabilities.
Why It Matters
This incident underscores the critical risk of exposed administrative interfaces and weak credential hygiene in enterprise network security infrastructure. For security practitioners, it demonstrates how mass credential harvesting can directly translate into ransomware attacks, necessitating immediate audits of exposed Fortinet devices and enforcement of multi-factor authentication. The link between initial access brokering and ransomware deployment highlights the need for integrated threat intelligence sharing to disrupt these supply chains before encryption occurs.
Technical Details
- Attack Vector: Systematic internet scanning of FortiGate portals followed by brute-force attempts using known credential combinations, then deployment of a custom Golang-based packet sniffer to passively harvest authentication data from network traffic.
- Scale and Impact: Approximately 12,000 Fortinet devices were infected with the sniffer; 409 targets achieved admin-level access, with 354 completing the full attack chain. At least 12 ransomware deployments occurred, encrypting hundreds of endpoints.
- Infrastructure Exposure: The campaign was exposed due to an operational security error where a server containing stolen credentials was left accessible on the internet, allowing researchers to analyze logs, internal files, and negotiation panel data.
- Related Vulnerabilities: Exploitation of CVE-2026-35616 (CVSS 9.1) in FortiClient EMS to deploy EKZ Stealer, aiming to exfiltrate credentials from Chromium and Firefox browsers via PowerShell. Suspected possession of a Nextcloud zero-day vulnerability.
- Threat Actor Profile: A structured group of ~20 individuals with clear division of labor, identified as Russian-speaking, operating as initial access brokers for INC and Lynx ransomware groups.
Industry Insight
- Immediate Remediation: Organizations must immediately verify that no FortiGate devices are exposed to the public internet and enforce strict network segmentation and MFA for all administrative access points.
- Supply Chain Vigilance: Security teams should monitor for indicators of compromise related to EKZ Stealer and other information stealers, particularly in sectors heavily targeted like manufacturing and logistics.
- Proactive Threat Hunting: Given the link between credential theft and ransomware, incident response plans should include specific playbooks for detecting lateral movement and privilege escalation following potential credential exposure events.
Disclaimer: The above content is generated by AI and is for reference only.