FortiGate Credential Theft Campaign Directly Fuels Ransomware Operations

Researchers confirmed that the FortiBleed credential harvesting campaign targeting FortiGate firewalls is directly feeding INC Ransom and Lynx ransomware operations through shared infrastructure and operators.

CSBadmin

Scope of the FortiBleed Campaign

A large-scale credential-harvesting operation known as FortiBleed has compromised over 430,000 FortiGate firewalls globally. The threat actor operates as an initial access broker, deploying a custom tool named FortigateSniffer on compromised firewalls; it passively intercepts authentication traffic by abusing a native FortiOS diagnostic command and covers two dozen protocols. Investigators using public scanning tools uncovered approximately 200 additional operational servers tied to the campaign's sniffers and scanners.
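As an added example, not code from the article or from the researchers it cites, the following Python sketch shows the kind of check a defender can run over forwarded FortiGate event logs for this technique. It assumes that the logs arrive in FortiOS key="value" syslog format, that the "native FortiOS diagnostic command" is the built-in packet sniffer `diagnose sniffer packet`, and that CLI audit logging is enabled and places the executed command text in the `msg` field; the log lines in `SAMPLE_LOGS` are constructed for this example.

```python
# Added example (not code from the article or the researchers it cites):
# a small detector for the FortiGate sniffer abuse described above.
# Assumptions, labelled here:
#   - FortiGate event logs arrive as syslog lines in FortiOS key="value" format;
#   - the "native FortiOS diagnostic command" is the built-in packet sniffer,
#     `diagnose sniffer packet`, and CLI audit logging puts the executed
#     command text in the msg field;
#   - the lines in SAMPLE_LOGS are constructed, not real device output.
import ipaddress
import re

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# The FortiOS packet sniffer, including the abbreviated "diag" form the CLI accepts.
SNIFFER_RE = re.compile(r"\bdiag(?:nose)?\s+sniffer\s+packet\b", re.IGNORECASE)


def parse_fortios_log(line: str) -> dict:
    """Parse one FortiOS key=value log line into a dict (surrounding quotes stripped)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def analyse(lines, trusted_admin_nets):
    """Return alerts for (1) successful admin logins from outside the trusted
    management networks and (2) any invocation of the packet sniffer."""
    nets = [ipaddress.ip_network(n) for n in trusted_admin_nets]
    alerts = []
    for line in lines:
        ev = parse_fortios_log(line)
        user = ev.get("user", "?")
        src = ev.get("srcip", "")
        # Rule 1: successful admin login from an address outside the management nets.
        if ev.get("action") == "login" and ev.get("status") == "success" and src:
            try:
                ip = ipaddress.ip_address(src)
            except ValueError:
                ip = None  # unparsable source: treat as untrusted rather than ignore
            if ip is None or not any(ip in n for n in nets):
                alerts.append({"rule": "admin_login_untrusted_source",
                               "user": user, "srcip": src})
        # Rule 2: packet sniffer started (assumes msg carries the audited command).
        cmd = ev.get("msg", "")
        if SNIFFER_RE.search(cmd):
            alerts.append({"rule": "sniffer_invoked",
                           "user": user, "srcip": src, "cmd": cmd})
    return alerts


# Constructed sample lines (not real device output); field names follow FortiOS
# conventions, but the CLI-audit line format is an assumption.
SAMPLE_LOGS = [
    'date=2025-01-10 time=09:12:44 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="ssh(10.10.0.5)" method="ssh" '
    'srcip=10.10.0.5 action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(10.10.0.5)"',
    'date=2025-01-10 time=09:13:02 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.77)" method="ssh" '
    'srcip=203.0.113.77 action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(203.0.113.77)"',
    'date=2025-01-10 time=09:13:40 type="event" subtype="system" level="notice" '
    'logdesc="CLI command executed" user="admin" ui="ssh(203.0.113.77)" '
    'srcip=203.0.113.77 msg="diag sniffer packet any \'port 389\' 6 0 a"',
    'date=2025-01-10 time=09:20:01 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="gui(10.10.0.5)" '
    'srcip=10.10.0.5 msg="Edit firewall.policy 12"',
]

# Hypothetical management network for the sample; adjust to your environment.
TRUSTED_ADMIN_NETS = ["10.10.0.0/24"]


def run_sample():
    """Run both rules over the constructed sample; returns the alert list."""
    return analyse(SAMPLE_LOGS, TRUSTED_ADMIN_NETS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample input the script raises two alerts: the admin login from 203.0.113.77 (outside the assumed management network) and the sniffer invocation from that same session. The second rule only has something to match if the firewall is actually auditing CLI commands, so the first thing to verify on a FortiGate is that command auditing is on and forwarded; without it, the login-from-unexpected-source rule is the only trace this technique leaves in the device's own logs.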

Tracking revealed scanning activity against roughly 11,250 FortiGate portals across more than 150 countries. The attackers confirmed admin-level access on 409 targets and completed the full attack chain (VPN compromise, domain controller access and domain admin privileges) on 354 targets. At least 12 confirmed ransomware deployments have occurred, with hundreds of endpoints encrypted.

Connection to INC and Lynx Ransomware

A breach of a newly identified server exposed the attacker's internal environment, including logs and operational documentation. Inside this environment, researchers found an operator actively engaged in ransom negotiations on both the INC Ransom and Lynx ransomware panels. INC Ransom has operated since mid-2023 as a prolific ransomware-as-a-service group, while Lynx is widely assessed to be an evolved variant of INC.

Corroborating evidence includes victim overlap between FortiBleed's target data and a separately discovered INC-linked open directory, which revealed matching victim organizations across both datasets. An internal tracking document was also recovered, detailing which credentials were used, which networks were accessed, and the outcomes of ransomware deployments. Analysis suggests a structured operation of roughly 20 people: a small core of primary operators, dedicated specialists, and junior back-office support.

Source: Cyber Security News
