FortiBleed Firewall Compromise Feeds Inc and Lynx Ransomware Operations
Researchers at SOCRadar report that the threat actors behind the large-scale FortiBleed campaign are working with two established ransomware gangs, Inc and Lynx. The initial access broker (IAB) operation, which compromised thousands of Fortinet firewalls, is passing the credentials it harvests to ransomware operators, who use them to get into the affected organizations and deploy ransomware.
The link between FortiBleed and the two ransomware-as-a-service (RaaS) gangs surfaced through an operational security lapse in the IAB's infrastructure. Researchers obtained internal files, logs, and documentation showing that a single operator was logged into the ransom negotiation panels of both Inc and Lynx and was actively handling ransom demands. Taken together with the scale of the credential theft, this indicates that the FortiBleed actors are monetizing their access by supplying stolen credentials to these gangs, although the exact commercial arrangement between them is not documented.
The FortiBleed campaign, first identified last month, is estimated to have compromised around 30,000 Fortinet firewalls worldwide. The attackers deployed a Golang-based sniffer on the devices themselves, turning each firewall into a credential-harvesting appliance that captures authentication data for the organizations behind it. According to SOCRadar, roughly 12,000 of the compromised devices have the FortiBleed sniffer installed.
The tie-up between FortiBleed and the Inc and Lynx gangs shows how layered the ransomware economy has become. A firewall sits in front of an organization's remote-access and administrative authentication flows, so credentials captured on it are immediately usable by whoever receives them, and the exploitation of a single perimeter device can end in a full ransomware deployment. SOCRadar's findings suggest this access-supply layer is becoming increasingly lucrative: compromised environments and related victim data are collected, validated, and then monetized or passed downstream.
According to Ensar Seker, CISO at SOCRadar, most of the activity observed so far is consistent with credential theft, victim profiling, access brokering, and data-theft extortion risk. He nonetheless warns that organizations should treat exposure as a serious pre-ransomware intrusion risk, given the clear pathway to ransomware groups.
As Seker puts it, "The evidence points to an access-supply layer where compromised Fortinet environments and related victim data are being collected, validated, and potentially monetized or passed downstream." The practical implication is that an organization whose Fortinet device was exposed should assume credentials passing through that device may already have been harvested and offered downstream, rather than treating the exposure as a near miss.
To keep a compromised firewall from turning into a ransomware incident, organizations should:
* Patch Fortinet firewalls and other perimeter devices promptly, but treat any device that was exposed before patching as potentially compromised: a firmware update does not remove an implant that is already installed, and it does not invalidate credentials that were already captured.
* Rotate every credential that may have transited an affected device, in particular VPN, administrative, and any directory or service accounts the firewall authenticates against, and require multi-factor authentication on remote access so a harvested password alone is not enough.
* Audit the device's administrator accounts, configuration changes, and login sources for anything the team did not create; stolen credentials are typically used from infrastructure the victim has never seen before.
* Feed threat intelligence on FortiBleed indicators into detection so that access attempts made with harvested credentials are caught early, before the access is resold or used.
* Conduct vulnerability assessments and penetration testing against the perimeter to find other entry points before a broker does.
* Educate staff to recognize and report suspicious activity, including unexpected MFA prompts or VPN sessions they did not start.
Acting on exposure quickly, rather than waiting for a ransom note, is what keeps an access-broker intrusion from becoming a ransomware event.
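The third and fourth items above amount to a concrete check: look at the firewall's own authentication and configuration logs for the traces a buyer of harvested credentials leaves behind. The script below is an added example, not code from SOCRadar, Fortinet, or the article; it runs over constructed FortiGate-style key=value log lines and flags successful logins from an IP an account has never used, creation of an extra administrator object, and one previously unseen IP being used across several accounts, which is the signature of someone working through a bundle of stolen credentials. The field names (user, srcip, action, status, cfgpath, cfgobj) follow the key=value convention FortiGate syslog uses but are assumptions here, as is the baseline of known source IPs.

```python
"""Spot stolen-credential use in FortiGate-style key=value logs.

Added example for the mitigation checklist above. The sample lines and the
baseline are constructed; field names (user, srcip, action, status, cfgpath,
cfgobj) follow the key=value convention FortiGate syslog uses, but the exact
names and values are assumptions, not copied from a real device.
"""
import re
from collections import defaultdict

# key=value pairs; values are either bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed baseline: source IPs each account has legitimately used before.
BASELINE = {
    "admin": {"10.0.0.5"},
    "j.doe": {"203.0.113.10"},
}

# Constructed log lines: a normal admin login; an admin login from an unknown
# IP that then adds an extra admin account; a VPN user appearing from that same
# unknown IP; and finally that VPN user's normal login.
SAMPLE_LOGS = [
    'date=2026-07-01 time=08:02:11 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.0.0.5 action="login" status="success"',
    'date=2026-07-01 time=23:41:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.77 action="login" status="success"',
    'date=2026-07-01 time=23:42:30 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=198.51.100.77 action="Add" cfgpath="system.admin" cfgobj="support"',
    'date=2026-07-02 time=00:10:44 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="j.doe" srcip=198.51.100.77 action="tunnel-up"',
    'date=2026-07-02 time=09:15:00 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="j.doe" srcip=203.0.113.10 action="tunnel-up"',
]

# Actions treated as a successful authentication when status is absent or "success".
LOGIN_ACTIONS = {"login", "tunnel-up"}


def parse_line(line):
    """Parse one key=value line into a dict, stripping surrounding quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def find_suspicious(lines, baseline):
    """Return findings as dicts carrying a 'reason' key.

    Checks, in rising order of confidence:
      unseen_ip         - successful login from an IP this account never used
      new_admin_account - an administrator object added through a config change
      shared_unseen_ip  - one IP outside every baseline used by two or more
                          accounts, i.e. a buyer working through a credential set
    """
    seen = {user: set(ips) for user, ips in baseline.items()}
    known_ips = set().union(*baseline.values())
    users_by_ip = defaultdict(set)
    findings = []

    for line in lines:
        ev = parse_line(line)
        user, src = ev.get("user"), ev.get("srcip")
        if not user or not src:
            continue
        when = f"{ev.get('date', '?')} {ev.get('time', '?')}"
        succeeded = ev.get("status", "success") == "success"
        if ev.get("action") in LOGIN_ACTIONS and succeeded:
            users_by_ip[src].add(user)
            if src not in seen.setdefault(user, set()):
                findings.append({"reason": "unseen_ip", "user": user, "srcip": src, "time": when})
                seen[user].add(src)  # report each new IP once per account
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append({"reason": "new_admin_account", "user": user, "srcip": src,
                             "time": when, "created": ev.get("cfgobj")})

    for ip, users in users_by_ip.items():
        if ip not in known_ips and len(users) >= 2:
            findings.append({"reason": "shared_unseen_ip", "srcip": ip, "users": sorted(users)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOGS, BASELINE):
        print(finding)
```

Run against real exports, the baseline should come from a window that predates the device's exposure, otherwise the attacker's own source IPs get learned as normal. The shared-IP check is the one worth paging on: a single new address authenticating as both an administrator and an ordinary VPN user within an hour is hard to explain as anything other than harvested credentials being tried.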
Source: Dark Reading — 2026-07-02