Lynx and INC Ransomware Groups Linked to Widespread Fortinet Credential Theft

The massive FortiBleed credential theft campaign was far larger than initially reported, targeting over 430,000 FortiGate firewalls and directly linked to INC and Lynx ransomware operations.

CSBadmin

Campaign Scale and Methods

The FortiBleed operation, initially identified when a server exposed credentials from over 73,000 Fortinet devices, has proven far larger than first reported. New research from SOCRadar reveals the campaign targeted more than 430,000 FortiGate firewalls globally, successfully deploying custom traffic sniffers on approximately 19,000 devices. The attackers used a tool called “FortiGate Sniffer” to intercept VPN credentials and other authentication data directly from network traffic on compromised FortiGate firewalls. After notifications to affected organizations, the number of actively compromised devices has fallen to around 11,000, but the investigation uncovered roughly 500 servers used by the operation.

SOCRadar’s Threat Research Unit established concrete connections between the FortiBleed infrastructure and both INC and Lynx ransomware operations. Investigators identified a Windows server within the FortiBleed network and discovered browser sessions accessing the administration panels for both ransomware groups. These sessions showed negotiation dashboards containing victim chats, providing direct evidence that individuals with access to FortiBleed infrastructure were also involved in ransomware negotiations. The researchers found that victim information harvested during the credential theft campaign overlaps with organizations later listed on the INC ransomware leak site. The operation is believed to consist of roughly 20 members with defined roles, and researchers suspect the attackers exploited a previously undisclosed Nextcloud zero-day vulnerability to expand access after initial compromise. Persistent backdoor accounts using the username “adminin” were found on compromised systems, and efforts to recover ransomware decryption keys are ongoing.
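One defender-side check the "adminin" finding above suggests, added here as an example and not part of the original report or of any SOCRadar or Fortinet tooling: audit a FortiGate configuration export for admin accounts that are off your allowlist, that match the reported backdoor username, or that hold super_admin without a trusthost restriction. The FortiOS CLI block layout in the constructed sample is an assumption, as is the `reported_names` parameter.

```python
import re

# Constructed sample in FortiOS CLI-export style (assumed format, not from a real
# device): the expected "admin" account plus the "adminin" account from the report.
SAMPLE_CONFIG = """\
config system global
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "adminin"
        set accprofile "super_admin"
    next
end
"""

def parse_admin_accounts(config_text):
    """Return {username: {setting: value}} for each entry under 'config system admin'."""
    block = re.search(r"^config system admin\n(.*?)^end$", config_text, re.S | re.M)
    accounts, current = {}, None
    for line in (block.group(1) if block else "").splitlines():
        line = line.strip()
        if line.startswith("edit "):          # start of one admin entry
            current = line[5:].strip('"')
            accounts[current] = {}
        elif line == "next":                  # end of that entry
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            accounts[current][key] = value.strip('"')
    return accounts

def find_unexpected_admins(config_text, allowlist, reported_names=("adminin",)):
    """Flag accounts off the allowlist, matching a reported name, or unrestricted super_admin."""
    findings = []
    for name, settings in parse_admin_accounts(config_text).items():
        reasons = []
        if name not in allowlist:
            reasons.append("not in allowlist")
        if name in reported_names:
            reasons.append("matches backdoor username from the FortiBleed report")
        if settings.get("accprofile") == "super_admin" and not any(
                k.startswith("trusthost") for k in settings):
            reasons.append("super_admin without trusthost restriction")
        if reasons:
            findings.append(f"{name}: " + "; ".join(reasons))
    return findings
```

Run it against `show system admin` output (or a full `show full-configuration` export) with your real admin allowlist; an empty result means no account tripped any of the three checks.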

Source: BleepingComputer

CSBadmin

The latest in cybersecurity news and updates.
