A Massive Credential-Harvesting Operation is Feeding Ransomware Attacks on a Global Scale
Cybersecurity researchers have uncovered a large-scale credential-harvesting operation that has compromised over 110 million credentials and fed deployments of the INC Ransom and Lynx ransomware families. The campaign, dubbed FortiBleed, targets organizations in 150 countries by exploiting vulnerabilities in FortiGate firewalls.
Once on a firewall, the attackers run a network sniffer called FortigateSniffer against the traffic passing through it and extract cleartext credentials and password hashes. Because the firewall sits on the path between users and internal services, those credentials give the attackers access to Active Directory domains, let them steal sensitive information, and let them establish persistent access. The campaign is believed to be mounted by a Russian initial access broker who aims to sell the stolen credentials on the dark web.
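The harvesting step described above, a sniffer on the firewall lifting credentials out of the traffic that crosses it, is easy to picture with a small audit script. The Python below is an added example written for this page; it is not code from the article, from SOCRadar, or from the FortigateSniffer tool. It runs over constructed sample payloads (not real captures) and shows what an on-path observer can pull out of HTTP Basic, HTTP Digest and FTP sessions, and why a TLS flow yields nothing. The hosts, usernames and secrets are invented.

```python
"""Audit captured flows for credentials an on-path sniffer could harvest."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    protocol: str   # which cleartext protocol leaked the credential
    username: str
    secret: str     # cleartext password, or hash material for offline cracking
    kind: str       # "password" or "hash"


# Constructed sample payloads keyed by (server, port). These are invented for the
# example; they are not real captures and the hosts/credentials are hypothetical.
SAMPLE_FLOWS = {
    ("10.0.5.23", 80): (
        b"GET /intranet/ HTTP/1.1\r\nHost: portal.corp.example\r\n"
        b"Authorization: Basic YWxpY2U6UzNjcjN0IQ==\r\n\r\n"
    ),
    ("10.0.5.24", 80): (
        b"GET /reports/ HTTP/1.1\r\nHost: reports.corp.example\r\n"
        b'Authorization: Digest username="bob", realm="corp", nonce="dcd98b", '
        b'uri="/reports/", response="6629fae49393a05397450978507c4ef1"\r\n\r\n'
    ),
    ("10.0.5.40", 21): (
        b"220 ftp ready\r\nUSER backup\r\n331 Password required\r\n"
        b"PASS Winter2024!\r\n230 Logged in\r\n"
    ),
    # TLS handshake fragment: opaque to a sniffer, so nothing is recoverable.
    ("10.0.5.60", 443): b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03",
}

_BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
_DIGEST_RE = re.compile(rb"Authorization:\s*Digest\s+([^\r\n]+)", re.I)
_FTP_USER_RE = re.compile(rb"^USER\s+(\S+)", re.M)
_FTP_PASS_RE = re.compile(rb"^PASS\s+(\S+)", re.M)


def audit_http(payload: bytes) -> list[Finding]:
    """Extract Basic (cleartext) and Digest (crackable hash) credentials."""
    findings = []
    for m in _BASIC_RE.finditer(payload):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError; skip malformed headers
            continue
        user, _, password = decoded.partition(":")
        findings.append(Finding("HTTP Basic", user, password, "password"))
    for m in _DIGEST_RE.finditer(payload):
        text = m.group(1).decode("utf-8", "replace")
        params = dict(re.findall(r'(\w+)="?([^",]*)"?', text))
        if "username" in params and "response" in params:
            # The response digest can be attacked offline once captured.
            findings.append(Finding("HTTP Digest", params["username"], params["response"], "hash"))
    return findings


def audit_ftp(payload: bytes) -> list[Finding]:
    """Pair USER and PASS commands from a cleartext FTP control channel."""
    users = _FTP_USER_RE.findall(payload)
    passwords = _FTP_PASS_RE.findall(payload)
    return [Finding("FTP", u.decode(), p.decode(), "password") for u, p in zip(users, passwords)]


def audit_flows(flows: dict[tuple[str, int], bytes]) -> dict[tuple[str, int], list[Finding]]:
    """Map each (server, port) to what a sniffer at the firewall could extract.

    The port only selects a decoder; encrypted flows fall through and yield nothing.
    """
    results: dict[tuple[str, int], list[Finding]] = {}
    for (host, port), payload in flows.items():
        if port == 80:
            results[(host, port)] = audit_http(payload)
        elif port == 21:
            results[(host, port)] = audit_ftp(payload)
        else:
            results[(host, port)] = []
    return results


if __name__ == "__main__":
    for (host, port), found in audit_flows(SAMPLE_FLOWS).items():
        print(f"{host}:{port} {'EXPOSED' if found else 'opaque'}")
        for f in found:
            print(f"  {f.protocol}: {f.username} -> {f.kind} {f.secret!r}")
```

Run against real traffic, the same logic is the defender's audit: any flow the script can decode is a flow an attacker with a foothold on the firewall can decode too, and the affected credentials should be moved behind TLS or an authenticated tunnel.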
Since its discovery in mid-June, researchers at SOCRadar have observed scanning activity against over 11,250 FortiGate portals, and the attackers gained administrative access to 409 of them. In some cases the threat actor completed the full attack chain, compromising VPNs and domain controllers to obtain domain admin privileges, and then deployed ransomware on hundreds of endpoints across the affected organizations.
The most disturbing aspect of the campaign is its connection to ransomware operations. Researchers link the same individuals behind FortiBleed to deployments of the INC Ransom and Lynx ransomware families, and the overlap between FortiBleed victims and the targets of those ransomware attacks points to a direct connection between the two.
An operational security error by the attackers inadvertently provided SOCRadar with visibility into their environment, allowing them to access internal files, logs, and documentation. This exposed the inner workings of the operation, revealing that it involves around 20 individuals, some focused on high-impact intrusions and others providing technical support.
The FortiBleed campaign is a reminder that a compromised perimeter firewall is an on-path vantage point: any credential that crosses it in cleartext, or as a hash that can be cracked offline, should be treated as exposed once administrative access to the device has been lost. Beyond keeping the firewall patched, organizations should enforce multi-factor authentication, segment their networks to limit lateral movement from the firewall or a VPN account to domain controllers, and rotate credentials that transited a compromised device.
In light of this discovery, FortiGate operators should take the following steps now:
* Keep FortiGate firmware current, and keep the administrative portal off the public internet (the campaign begins with scans of exposed portals)
* Enable multi-factor authentication for administrative and VPN access
* Segment the network so that a foothold on the firewall or a VPN account does not reach domain controllers directly
* Monitor for scanning of exposed portals, unexpected administrative logins and configuration changes on the firewall, and cleartext authentication crossing it
By taking these precautions, organizations can mitigate the risk of being targeted by credential-harvesting operations like FortiBleed.
Source: SecurityWeek — 2026-07-02