AI Security AI安全 8d ago Updated 8d ago 更新于 8天前 49

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations FortiBleed凭证盗窃与INC和Lynx勒索软件行动有关联

The "FortiBleed" campaign, attributed to INC and Lynx ransomware groups, involves large-scale credential theft from FortiGate firewalls to facilitate follow-on ransomware deployments. Threat actors scanned over 430,000 FortiGate devices globally, stealing more than 110 million credentials and successfully compromising 354 targets, resulting in at least 12 ransomware incidents. The operation is run by a Russian-speaking group of approximately 20 people acting as initial access brokers, targeting FortiBleed活动被归因于INC和Lynx勒索软件团伙,首次将大规模FortiGate凭证窃取与勒索软件部署直接关联。 攻击者针对全球约43万台FortiGate防火墙,收集超过1.1亿个凭证,并在至少12起事件中成功部署勒索软件。 攻击基础设施暴露源于攻击者的操作安全失误,导致包含被盗凭证的服务器在互联网上公开。 该组织由约20人组成,分工明确,疑似俄罗斯语威胁行为者,主要目标为拉美和亚太地区的制造、科技及物流行业。 攻击者据信持有Nextcloud零日漏洞,且近期观察到类似手法利用FortiClient EMS漏洞部署EKZ Stealer窃取浏览器凭证。

75
Hot 热度
70
Quality 质量
65
Impact 影响力

Analysis 深度分析

TL;DR

  • The "FortiBleed" campaign, attributed to INC and Lynx ransomware groups, involves large-scale credential theft from FortiGate firewalls to facilitate follow-on ransomware deployments.
  • Threat actors scanned over 430,000 FortiGate devices globally, stealing more than 110 million credentials and successfully compromising 354 targets, resulting in at least 12 ransomware incidents.
  • The operation is run by a Russian-speaking group of approximately 20 people acting as initial access brokers, targeting manufacturing, technology, and logistics sectors in Latin America and Asia Pacific.
  • A critical operational security failure exposed a server containing stolen credentials, while the group is also suspected of possessing a zero-day vulnerability in Nextcloud.
  • Concurrently, threat actors are exploiting CVE-2026-35616 in FortiClient EMS to deploy EKZ Stealer, highlighting a broader trend of credential harvesting via Fortinet ecosystem vulnerabilities.

Why It Matters

This incident underscores the critical risk of exposed administrative interfaces and weak credential hygiene in enterprise network security infrastructure. For security practitioners, it demonstrates how mass credential harvesting can directly translate into ransomware attacks, necessitating immediate audits of exposed Fortinet devices and enforcement of multi-factor authentication. The link between initial access brokering and ransomware deployment highlights the need for integrated threat intelligence sharing to disrupt these supply chains before encryption occurs.

Technical Details

  • Attack Vector: Systematic internet scanning of FortiGate portals followed by brute-force attempts using known credential combinations, then deployment of a custom Golang-based packet sniffer to passively harvest authentication data from network traffic.
  • Scale and Impact: Approximately 12,000 Fortinet devices were infected with the sniffer; 409 targets achieved admin-level access, with 354 completing the full attack chain. At least 12 ransomware deployments occurred, encrypting hundreds of endpoints.
  • Infrastructure Exposure: The campaign was exposed due to an operational security error where a server containing stolen credentials was left accessible on the internet, allowing researchers to analyze logs, internal files, and negotiation panel data.
  • Related Vulnerabilities: Exploitation of CVE-2026-35616 (CVSS 9.1) in FortiClient EMS to deploy EKZ Stealer, aiming to exfiltrate credentials from Chromium and Firefox browsers via PowerShell. Suspected possession of a Nextcloud zero-day vulnerability.
  • Threat Actor Profile: A structured group of ~20 individuals with clear division of labor, identified as Russian-speaking, operating as initial access brokers for INC and Lynx ransomware groups.

Industry Insight

  • Immediate Remediation: Organizations must immediately verify that no FortiGate devices are exposed to the public internet and enforce strict network segmentation and MFA for all administrative access points.
  • Supply Chain Vigilance: Security teams should monitor for indicators of compromise related to EKZ Stealer and other information stealers, particularly in sectors heavily targeted like manufacturing and logistics.
  • Proactive Threat Hunting: Given the link between credential theft and ransomware, incident response plans should include specific playbooks for detecting lateral movement and privilege escalation following potential credential exposure events.

TL;DR

  • FortiBleed活动被归因于INC和Lynx勒索软件团伙,首次将大规模FortiGate凭证窃取与勒索软件部署直接关联。
  • 攻击者针对全球约43万台FortiGate防火墙,收集超过1.1亿个凭证,并在至少12起事件中成功部署勒索软件。
  • 攻击基础设施暴露源于攻击者的操作安全失误,导致包含被盗凭证的服务器在互联网上公开。
  • 该组织由约20人组成,分工明确,疑似俄罗斯语威胁行为者,主要目标为拉美和亚太地区的制造、科技及物流行业。
  • 攻击者据信持有Nextcloud零日漏洞,且近期观察到类似手法利用FortiClient EMS漏洞部署EKZ Stealer窃取浏览器凭证。

为什么值得看

本文揭示了网络犯罪团伙如何将大规模基础设施凭证窃取作为勒索软件攻击的前置步骤,展示了“初始访问经纪商”模式向垂直整合勒索即服务(RaaS)演变的趋势。对于安全从业者而言,这强调了监控网络设备暴露面、强化凭证管理以及关注供应链组件(如Nextcloud、FortiClient)漏洞的重要性。

技术解析

  • 攻击链与规模:攻击者扫描互联网上的FortiGate设备,尝试已知凭证组合,成功后部署自定义Golang数据包嗅探器被动收集流量中的认证数据。追踪显示扫描了11,250个门户,确认409个管理员访问,完成攻击链354个,最终导致12次勒索软件部署。
  • 基础设施与泄露:攻击者针对43万台设备,安装嗅探器于约1.2万台设备上,收集超1.1亿凭证。活动曝光是因为攻击者遗留了一个包含被盗凭证的服务器在互联网上暴露。
  • 组织特征:内部文档显示这是一个约20人的有组织犯罪集团,有明确的劳动分工,包括核心操作员、专家和后勤支持。工具、日志和工作时间表明操作者为俄语使用者。
  • 关联漏洞与工具:攻击者拥有Nextcloud零日漏洞。同时,eSentire观察到类似攻击者利用Fortinet FortiClient EMS漏洞(CVE-2026-35616,CVSS 9.1)部署EKZ Stealer,通过PowerShell从Chromium和Firefox浏览器窃取凭证。

行业启示

  • 强化网络设备暴露面管理:企业应立即审计并限制FortiGate等关键网络设备的公网暴露,强制使用强密码和多因素认证(MFA),防止凭证填充攻击。
  • 重视供应链与第三方组件安全:攻击者利用Nextcloud和FortiClient EMS等广泛使用的软件漏洞,表明供应链安全至关重要。需及时更新补丁,并对第三方组件进行持续监控。
  • 提升威胁情报共享与协同防御:鉴于攻击团伙的跨国性和组织化特征,企业和安全厂商应加强情报共享,特别是关于初始访问凭证窃取和勒索软件部署的关联指标,以提前阻断攻击链。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全