FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks
FortiBleed is a large-scale credential-harvesting campaign targeting over 430,000 FortiGate firewalls across 150 countries, resulting in the compromise of approximately 110 million credentials. The operation utilizes a custom network sniffer called FortigateSniffer to capture cleartext credentials and password hashes from firewall traffic. Evidence confirms a direct link between the initial access brokers behind FortiBleed and ransomware operators deploying INC Ransom and Lynx families. Attacker
Analysis
TL;DR
- FortiBleed is a large-scale credential-harvesting campaign targeting over 430,000 FortiGate firewalls across 150 countries, resulting in the compromise of approximately 110 million credentials.
- The operation utilizes a custom network sniffer called FortigateSniffer to capture cleartext credentials and password hashes from firewall traffic.
- Evidence confirms a direct link between the initial access brokers behind FortiBleed and ransomware operators deploying INC Ransom and Lynx families.
- Attackers successfully completed full kill chains on 354 targets, achieving domain admin privileges and encrypting hundreds of endpoints in 12 confirmed incidents.
- The campaign highlights the convergence of initial access brokering and ransomware-as-a-service, where stolen credentials are actively fed into extortion operations.
Why It Matters
This incident demonstrates the critical risk of supply chain and infrastructure vulnerabilities, specifically how compromised network security devices can serve as gateways for massive credential theft. For AI and cybersecurity practitioners, it underscores the necessity of monitoring for anomalous traffic patterns and implementing strict segmentation to prevent lateral movement from perimeter devices to internal domains. Furthermore, it illustrates the evolving business models of cybercriminal groups, where specialized roles like initial access brokering are tightly integrated with ransomware deployment, requiring holistic defense strategies rather than siloed responses.
Technical Details
- Attack Vector: The campaign exploits vulnerabilities or misconfigurations in FortiGate firewalls to deploy "FortigateSniffer," a tool designed to intercept and log network traffic.
- Data Exfiltration: The sniffer captures cleartext credentials and password hashes, which are then used to authenticate into internal Active Directory domains.
- Scale and Scope: Scanning activity was observed against roughly 11,250 portals, with administrative access gained on 409 targets and full attack chain completion on 354.
- Ransomware Integration: A single operator was identified managing negotiation panels for both INC Ransom and Lynx, using infrastructure traceable back to the FortiBleed campaign, proving direct handoff of stolen access.
- Operational Structure: Internal documents suggest an organized group of approximately 20 individuals, with distinct roles for high-impact intrusions and technical support.
Industry Insight
- Organizations must urgently audit their firewall configurations and implement multi-factor authentication (MFA) everywhere possible, especially for administrative access, to mitigate the impact of harvested credentials.
- Security teams should enhance detection capabilities for unusual outbound traffic from network appliances, as these devices often possess high-level access and can act as powerful pivots for attackers.
- The cybersecurity industry needs to improve threat intelligence sharing regarding initial access brokers, as the direct linkage between credential harvesting and ransomware deployment requires a coordinated response across the threat landscape.
Disclaimer: The above content is generated by AI and is for reference only.