A large-scale credential-harvesting operation targeting over 430,000 FortiGate firewalls worldwide has led to ransomware being deployed in at least a dozen confirmed incidents. The campaign, dubbed FortiBleed, has been linked to two prominent ransomware families, INC Ransom and Lynx. Cybersecurity firm SOCRadar reports that the attackers have compromised over 110 million credentials since February, and that a significant portion of those credentials has been used to gain administrative access to targeted organizations.
At the heart of FortiBleed is a network sniffer dubbed FortigateSniffer, which captures traffic passing through compromised firewalls and extracts cleartext credentials and password hashes. Because the sniffer runs on the firewall itself, any credential that crossed the device in a cleartext protocol, or as a hash that can be cracked or replayed, should be treated as exposed even if the endpoint that sent it was never touched. The harvested material is then likely sold or traded on the dark web, giving buyers the means to breach Active Directory domains and steal data. The campaign’s goal appears to be twofold: to retain long-term access to compromised networks for future exploitation, and to sell the stolen credentials or use them directly to deploy ransomware.
The connection between FortiBleed and ransomware deployment was confirmed through operational security mistakes by the attackers. SOCRadar observed an operator logged into both the INC Ransom and Lynx negotiation panels from infrastructure tied to FortiBleed. This suggests that the organizations extorted by both ransomware operations were initially compromised with credentials harvested from FortiGate firewalls.
The impact of FortiBleed has been significant: 12 incidents have resulted in ransomware deployment, with hundreds of endpoints encrypted across the affected organizations. The campaign’s reach is broad, with scanning activity observed against roughly 11,250 FortiGate portals and administrative access gained on over 409 targets. An estimated 20 individuals are involved in the operation, some focused on high-impact intrusions and others providing technical support.
The findings by SOCRadar have significant implications for the cybersecurity landscape. “FortiBleed isn’t an isolated credential-theft operation sitting off to the side of the ransomware economy; it’s feeding directly into it,” the company notes. This connection highlights the interconnected nature of cyber threats and the need for organizations to prioritize proactive security measures.
As a result, FortiGate administrators should act immediately to secure their firewalls and prevent further credential theft. This includes applying Fortinet’s security updates promptly, enforcing multi-factor authentication on administrator accounts, keeping the management interface off the public internet, reviewing the device for unexpected administrator accounts, and monitoring administrator login events and network traffic for suspicious activity. Because the sniffer captures traffic transiting the device, credentials that passed through a compromised firewall should also be rotated. More broadly, organizations should keep defending against ransomware by backing up critical data regularly and maintaining tested incident response plans.
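One concrete form of the login monitoring recommended above is to parse the firewall’s administrator login events and flag successes that come from an untrusted source or follow a run of failures, which is how harvested credentials tend to show up when they are first tried against a management portal. The script below is an added example written for this page, not code from SOCRadar, Fortinet or the article. The log lines are constructed to resemble FortiGate key="value" event records; the field names, log IDs and the trusted-host list are assumptions and must be adapted to the firmware and environment in use.

```python
"""Flag suspicious FortiGate administrator logins from key=value event logs.

Added example, not from the article or from SOCRadar/Fortinet. The log lines
below are constructed to resemble FortiGate 'event/system' admin-login records
(key="value" pairs); field names and logids are assumed, so check them against
the firmware you actually run before deploying this as a detection.
"""
import re
from collections import defaultdict

# Constructed sample records (not real data). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for external attacker infrastructure.
SAMPLE_LOGS = [
    'date=2026-06-30 time=08:01:12 logid="0100032001" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" '
    'ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"',
    'date=2026-06-30 time=09:14:03 logid="0100032002" type="event" subtype="system" '
    'level="alert" logdesc="Admin login failed" user="admin" '
    'ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed"',
    'date=2026-06-30 time=09:14:09 logid="0100032002" type="event" subtype="system" '
    'level="alert" logdesc="Admin login failed" user="admin" '
    'ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed"',
    'date=2026-06-30 time=09:14:15 logid="0100032002" type="event" subtype="system" '
    'level="alert" logdesc="Admin login failed" user="admin" '
    'ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed"',
    'date=2026-06-30 time=09:14:21 logid="0100032001" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" '
    'ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="success"',
    'date=2026-06-30 time=11:40:58 logid="0100032001" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="fortinet-svc" '
    'ui="ssh(198.51.100.22)" srcip=198.51.100.22 action="login" status="success"',
]

# Assumed allow list of management hosts that are expected to log in as admin.
TRUSTED_ADMIN_SOURCES = {"10.0.0.5"}

# key=value pairs: the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiGate-style log line into a dict of field -> value."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def find_suspicious_logins(lines, trusted, fail_threshold=3):
    """Return alerts for successful admin logins that are either from a source
    outside the allow list or preceded by >= fail_threshold failures from the
    same source (a credential-testing pattern)."""
    failures = defaultdict(int)  # srcip -> failed login count so far
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("action") != "login":
            continue
        src = rec.get("srcip")
        status = rec.get("status")
        if status == "failed":
            failures[src] += 1
            continue
        if status != "success":
            continue
        reasons = []
        if src not in trusted:
            reasons.append("untrusted source")
        if failures[src] >= fail_threshold:
            reasons.append(f"{failures[src]} failures before success")
        if reasons:
            alerts.append({
                "time": f"{rec.get('date')} {rec.get('time')}",
                "user": rec.get("user"),
                "srcip": src,
                "reasons": reasons,
            })
    return alerts


def run_demo():
    """Run the detector over the constructed sample and return the alerts."""
    return find_suspicious_logins(SAMPLE_LOGS, TRUSTED_ADMIN_SOURCES)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed sample this yields two alerts: the `admin` login from 203.0.113.7 (untrusted source, three failures first) and the `fortinet-svc` login from 198.51.100.22 (untrusted source). In production, feed it the syslog stream rather than a fixed list, keep the allow list in configuration, and treat any hit on an internet-facing management interface as a reason to check for added administrator accounts and rotate the credentials involved.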
Ultimately, the FortiBleed campaign serves as a stark reminder of the importance of robust cybersecurity defenses and the need for organizations to stay ahead of evolving threats.
Source: SecurityWeek — 2026-07-02