AI Security AI安全 8d ago Updated 8d ago 更新于 8天前 49

FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks FortiBleed活动与INC、Lynx勒索软件攻击有关联

FortiBleed is a large-scale credential-harvesting campaign targeting over 430,000 FortiGate firewalls across 150 countries, resulting in the compromise of approximately 110 million credentials. The operation utilizes a custom network sniffer called FortigateSniffer to capture cleartext credentials and password hashes from firewall traffic. Evidence confirms a direct link between the initial access brokers behind FortiBleed and ransomware operators deploying INC Ransom and Lynx families. Attacker FortiBleed是针对全球150个国家超43万台FortiGate防火墙的大规模凭证窃取行动,已导致超1.1亿个凭证泄露。 攻击者部署名为FortigateSniffer的网络嗅探器,旨在捕获明文凭证和密码哈希以获取Active Directory域控制权。 该行动由俄罗斯初始访问代理发起,通过共享操作人员和基础设施,直接将窃取凭证用于部署INC Ransom和Lynx勒索软件。 SOC雷达观察到攻击者在354个目标上完成完整攻击链,其中12起事件导致数百个终端被加密。

75
Hot 热度
70
Quality 质量
65
Impact 影响力

Analysis 深度分析

TL;DR

  • FortiBleed is a large-scale credential-harvesting campaign targeting over 430,000 FortiGate firewalls across 150 countries, resulting in the compromise of approximately 110 million credentials.
  • The operation utilizes a custom network sniffer called FortigateSniffer to capture cleartext credentials and password hashes from firewall traffic.
  • Evidence confirms a direct link between the initial access brokers behind FortiBleed and ransomware operators deploying INC Ransom and Lynx families.
  • Attackers successfully completed full kill chains on 354 targets, achieving domain admin privileges and encrypting hundreds of endpoints in 12 confirmed incidents.
  • The campaign highlights the convergence of initial access brokering and ransomware-as-a-service, where stolen credentials are actively fed into extortion operations.

Why It Matters

This incident demonstrates the critical risk of supply chain and infrastructure vulnerabilities, specifically how compromised network security devices can serve as gateways for massive credential theft. For AI and cybersecurity practitioners, it underscores the necessity of monitoring for anomalous traffic patterns and implementing strict segmentation to prevent lateral movement from perimeter devices to internal domains. Furthermore, it illustrates the evolving business models of cybercriminal groups, where specialized roles like initial access brokering are tightly integrated with ransomware deployment, requiring holistic defense strategies rather than siloed responses.

Technical Details

  • Attack Vector: The campaign exploits vulnerabilities or misconfigurations in FortiGate firewalls to deploy "FortigateSniffer," a tool designed to intercept and log network traffic.
  • Data Exfiltration: The sniffer captures cleartext credentials and password hashes, which are then used to authenticate into internal Active Directory domains.
  • Scale and Scope: Scanning activity was observed against roughly 11,250 portals, with administrative access gained on 409 targets and full attack chain completion on 354.
  • Ransomware Integration: A single operator was identified managing negotiation panels for both INC Ransom and Lynx, using infrastructure traceable back to the FortiBleed campaign, proving direct handoff of stolen access.
  • Operational Structure: Internal documents suggest an organized group of approximately 20 individuals, with distinct roles for high-impact intrusions and technical support.

Industry Insight

  • Organizations must urgently audit their firewall configurations and implement multi-factor authentication (MFA) everywhere possible, especially for administrative access, to mitigate the impact of harvested credentials.
  • Security teams should enhance detection capabilities for unusual outbound traffic from network appliances, as these devices often possess high-level access and can act as powerful pivots for attackers.
  • The cybersecurity industry needs to improve threat intelligence sharing regarding initial access brokers, as the direct linkage between credential harvesting and ransomware deployment requires a coordinated response across the threat landscape.

TL;DR

  • FortiBleed是针对全球150个国家超43万台FortiGate防火墙的大规模凭证窃取行动,已导致超1.1亿个凭证泄露。
  • 攻击者部署名为FortigateSniffer的网络嗅探器,旨在捕获明文凭证和密码哈希以获取Active Directory域控制权。
  • 该行动由俄罗斯初始访问代理发起,通过共享操作人员和基础设施,直接将窃取凭证用于部署INC Ransom和Lynx勒索软件。
  • SOC雷达观察到攻击者在354个目标上完成完整攻击链,其中12起事件导致数百个终端被加密。

为什么值得看

本文揭示了网络犯罪生态系统中“初始访问代理”与“勒索软件即服务(RaaS)”之间紧密的垂直整合趋势,打破了传统上认为凭证窃取与勒索软件部署相对独立的认知。对于安全从业者而言,这强调了监控防火墙流量异常及强化凭证管理的重要性,因为单一组件的妥协可直接导致整个企业网络的沦陷。

技术解析

  • 攻击载体与机制:攻击者利用针对FortiGate防火墙的漏洞或配置错误,部署自定义网络嗅探工具“FortigateSniffer”,拦截并记录经过防火墙的流量,从而提取明文凭证和密码哈希。
  • 攻击链完整性:攻击者不仅窃取凭证,还进一步利用这些凭证渗透VPN、访问域控制器并最终获取域管理员权限,完成了从外围突破到内网核心控制的完整杀伤链。
  • 勒索软件联动证据:SOCRadar通过追踪发现,同一操作人员同时登录INC Ransom和Lynx勒索软件的谈判面板,且基础设施可追溯至FortiBleed,证实了凭证窃取直接服务于勒索软件投放。
  • 组织规模与分工:内部追踪文档显示该团伙约有20名成员,分为专注于高影响力入侵的核心人员和提供技术支持的辅助人员,显示出高度的组织化和专业化。

行业启示

  • 供应链与第三方风险加剧:企业需重新评估对关键基础设施(如防火墙)的安全配置,因为针对单一网络节点的妥协可能引发连锁反应,导致整个域环境的崩溃。
  • 网络犯罪生态的垂直整合:初始访问经纪商(IAB)与勒索软件团伙之间的界限日益模糊,这种“一站式”犯罪服务降低了攻击门槛,使得更广泛的威胁行为者能够发动大规模攻击。
  • 防御策略转向身份优先:鉴于凭证窃取是此次攻击的核心,企业应加强多因素认证(MFA)、实施最小权限原则,并部署针对异常登录行为和凭证转储的检测机制,而不仅仅依赖边界防御。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全