A massive cybersecurity operation, dubbed FortiBleed, has gained unprecedented access to thousands of Fortinet firewalls worldwide. The attackers have been quietly gathering credentials for months, but now it appears they’re starting to monetize that access by collaborating with notorious ransomware gangs, Inc and Lynx Ransom.
Research from SOCRadar reveals that the same individuals behind the FortiBleed campaign are working in tandem with these ransomware-as-a-service (RaaS) groups. The study discovered an operator linked to the campaign’s infrastructure who was actively engaged in ransom negotiations with both Inc and Lynx, using compromised Fortinet credentials to gain access to victim networks.
This development marks a significant escalation of the threat posed by FortiBleed, which initially targeted over 430,000 FortiGate devices globally. While the attackers’ primary goal remains unclear, it’s evident that they’re willing to exploit any vulnerability to maximize their gains. In this case, they’ve turned firewalls into credential stealers using a custom-built sniffer tool.
The connection between FortiBleed and ransomware gangs is not surprising, given the ease with which attackers can pivot from one threat vector to another. With access to sensitive network information and administrative credentials, it’s only a matter of time before they deploy ransomware to encrypt data and extort payments from victims.
SOCRadar’s research indicates that the FortiBleed initial access broker (IAB) group is likely separate from the Inc and Lynx RaaS gangs, which are essentially buying access to compromised Fortinet environments. This “access-supply layer” lets the attackers monetize their efforts by selling or trading credentials and victim data downstream.
But there’s more to this story. SOCRadar researchers also discovered evidence of a possible Nextcloud zero-day bug being exploited by the FortiBleed IAB group. While this vulnerability has not been publicly disclosed, it further underscores the sophistication and persistence of these attackers.
As Ensar Seker, CISO at SOCRadar, warns, “Organizations should treat exposure to perimeter security devices as a serious pre-ransomware intrusion risk.” The fact that Inc and Lynx RaaS gangs are involved in this operation highlights the significant threat posed by these groups, who are willing to pay for access to compromised networks.
In light of these findings, organizations running Fortinet firewalls should review their security posture and take proactive measures against credential theft and ransomware attacks. This includes implementing robust authentication protocols, conducting regular vulnerability assessments, and staying up to date with the latest patches and updates.
Ultimately, the FortiBleed campaign serves as a stark reminder of the importance of prioritizing cybersecurity in today’s threat landscape. By understanding the tactics and techniques used by attackers, organizations can better prepare themselves for the inevitable threats that lie ahead.
Source: Dark Reading — 2026-07-02