Campaign Scale and Methods
The FortiBleed operation, initially identified when a server exposed credentials from over 73,000 Fortinet devices, has proven far larger than first reported. New research from SOCRadar reveals the campaign targeted more than 430,000 FortiGate firewalls globally, successfully deploying custom traffic sniffers on approximately 19,000 devices. The attackers used a tool called “FortiGate Sniffer” to intercept VPN credentials and other authentication data directly from network traffic on compromised FortiGate firewalls. After notifications to affected organizations, the number of actively compromised devices has fallen to around 11,000, but the investigation uncovered roughly 500 servers used by the operation.
Direct Links to Ransomware Operations
SOCRadar’s Threat Research Unit established concrete connections between the FortiBleed infrastructure and both INC and Lynx ransomware operations. Investigators identified a Windows server within the FortiBleed network and discovered browser sessions accessing the administration panels for both ransomware groups. These sessions showed negotiation dashboards containing victim chats, providing direct evidence that individuals with access to FortiBleed infrastructure were also involved in ransomware negotiations. The researchers found that victim information harvested during the credential theft campaign overlaps with organizations later listed on the INC ransomware leak site. The operation is believed to consist of roughly 20 members with defined roles, and researchers suspect the attackers exploited a previously undisclosed Nextcloud zero-day vulnerability to expand access after initial compromise. Persistent backdoor accounts using the username “adminin” were found on compromised systems, and efforts to recover ransomware decryption keys are ongoing.
Source: BleepingComputer
