Published on July 2, 2026

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations


Severity

Medium

Detail

Researchers have linked the recently uncovered FortiBleed campaign to the INC and Lynx ransomware operations, confirming that the large-scale theft of FortiGate credentials is being used to facilitate ransomware attacks. According to SOCRadar, the campaign has already resulted in multiple ransomware deployments after attackers gained administrative access to exposed Fortinet devices.

The operation demonstrates how stolen credentials obtained from internet-facing security appliances can be rapidly weaponized for follow-on intrusions and extortion.

How?

The campaign began with attackers scanning the internet for exposed FortiGate firewalls and attempting to authenticate to their administrative interfaces with known or previously compromised credentials, a credential-stuffing approach that needs no software flaw on the target. Once they had administrative access, they deployed a custom Golang-based packet sniffer that silently captured authentication credentials and other sensitive data from the traffic passing through the compromised devices.

Researchers estimate the attackers targeted approximately 430,000 FortiGate devices globally, installed the sniffer on around 12,000 of them, and harvested more than 110 million credentials. Investigation of exposed attacker infrastructure revealed operational files, automation scripts, and harvested data, indicating the campaign was coordinated by an organized, Russian-speaking group operating as an initial access broker.

The stolen credentials were then used to gain access to victim environments, with evidence showing a single operator managing both INC Ransom and Lynx ransomware negotiation panels. SOCRadar identified confirmed administrative access to hundreds of organizations, with at least 12 ransomware incidents leading to the encryption of hundreds of endpoints.

Researchers also discovered infrastructure targeting Citrix environments and evidence suggesting the group may possess a zero-day vulnerability affecting Nextcloud, indicating plans to expand credential harvesting beyond Fortinet devices.

Conclusion

The FortiBleed campaign highlights the growing role of initial access brokers in modern ransomware operations, where stolen credentials from network appliances are directly monetized through ransomware deployments. The campaign also demonstrates the increasing focus on edge devices as high-value entry points into enterprise networks.

Organizations should immediately patch internet-facing Fortinet systems, but note that this campaign relied on valid credentials rather than an exploit, so patching alone does not close the door. Remove administrative interfaces from the internet or restrict them to trusted management addresses, rotate credentials exposed on affected appliances, including any that transited a device while the sniffer was running, enforce multi-factor authentication (MFA) for administrative accounts, and review authentication logs for suspicious administrative access, such as successful logins from unfamiliar sources or logins that follow a burst of failures. Security teams using Citrix or Nextcloud should also monitor for unusual login activity, as the attackers appear to be expanding their targeting beyond Fortinet infrastructure.
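The credential-stuffing entry described under "How?" and the log-review step recommended above translate into a concrete hunt. The Python below is an added example written for this page, not code from SOCRadar, Fortinet or the linked article. The log lines are constructed to approximate FortiOS's key=value event-log format (the logid values, IPs, times and usernames are illustrative), and the 10.20.0.0/16 management network is a placeholder for your own trusted ranges. It flags a successful admin login that follows a burst of failures from the same source, which is the stuffing signature, and any admin success from outside the trusted networks, which is what a replayed, already-valid credential looks like.

```python
"""Hunt FortiGate admin-login events for credential stuffing and untrusted admin sources."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real telemetry). The layout follows
# FortiOS's key=value event-log style; the IPs, times, usernames and IDs are made up.
SAMPLE_LOGS = """\
date=2026-06-30 time=01:12:03 logid="0100032002" logdesc="Admin login failed" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid"
date=2026-06-30 time=01:12:05 logid="0100032002" logdesc="Admin login failed" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid"
date=2026-06-30 time=01:12:08 logid="0100032002" logdesc="Admin login failed" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid"
date=2026-06-30 time=01:12:11 logid="0100032001" logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="success" reason="none" profile="super_admin"
date=2026-06-30 time=02:40:51 logid="0100032002" logdesc="Admin login failed" user="admin" ui="https(192.0.2.77)" srcip=192.0.2.77 action="login" status="failed" reason="passwd_invalid"
date=2026-06-30 time=05:03:19 logid="0100032001" logdesc="Admin login successful" user="admin" ui="https(203.0.113.200)" srcip=203.0.113.200 action="login" status="success" reason="none" profile="super_admin"
date=2026-06-30 time=09:30:00 logid="0100032001" logdesc="Admin login successful" user="netops" ui="https(10.20.0.5)" srcip=10.20.0.5 action="login" status="success" reason="none" profile="super_admin"
"""

# key=value pairs; values may be double-quoted and contain spaces or parentheses.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one FortiOS-style log line into a dict of fields, surrounding quotes removed."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def admin_login_events(text):
    """Return admin login attempts (successes and failures) in timestamp order."""
    events = []
    for line in text.splitlines():
        f = parse_line(line)
        # Key off the human-readable description rather than the numeric logid so the
        # filter does not depend on firmware-specific ID values.
        if not f.get("logdesc", "").startswith("Admin login") or "srcip" not in f:
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "user": f.get("user", "?"), "srcip": f["srcip"],
                       "success": f.get("status") == "success"})
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_admin_access(text, trusted_networks,
                                 window=timedelta(minutes=10), min_failures=3):
    """Flag (a) a successful admin login preceded by at least min_failures failures from
    the same source within `window`, and (b) any successful admin login from outside the
    trusted management networks. Returns a list of finding dicts in event order."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    recent_failures = defaultdict(list)   # srcip -> timestamps of failed logins
    findings = []
    for e in admin_login_events(text):
        ip = e["srcip"]
        if not e["success"]:
            recent_failures[ip].append(e["ts"])
            continue
        fails = [t for t in recent_failures[ip] if e["ts"] - t <= window]
        base = {"srcip": ip, "user": e["user"], "at": e["ts"].isoformat()}
        if len(fails) >= min_failures:
            findings.append({"type": "failures_then_success", "failures": len(fails), **base})
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            findings.append({"type": "untrusted_source", **base})
        recent_failures[ip].clear()   # a success resets the counter for that source
    return findings


if __name__ == "__main__":
    # Hypothetical management network; replace with your own trusthost ranges.
    for finding in find_suspicious_admin_access(SAMPLE_LOGS, ["10.20.0.0/16"]):
        print(finding)
```

Point it at exported event logs or a syslog archive in place of SAMPLE_LOGS. The second rule matters as much as the first: a harvested credential that already works produces a clean success with no failures in front of it, so a source-based check is the only one of the two that catches it.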

Source

https://thehackernews.com/2026/07/fortibleed-credential-theft-linked-to.html