FortiBleed credential-theft campaign linked to Lynx ransomware

A Massive Credential-Stealing Campaign Exposed: FortiBleed Linked to Lynx Ransomware Group

In a shocking revelation, researchers have uncovered a massive credential-theft campaign known as FortiBleed, which has been linked to two notorious ransomware groups: INC and Lynx. The operation, which exposed over 73,000 Fortinet devices worldwide, was not just a simple case of data breaches – it appears to be a carefully planned and executed scheme to fuel future network intrusions.

The campaign’s scope is staggering. Researchers have identified more than 430,000 compromised FortiGate firewalls globally, with traffic sniffers deployed on approximately 19,000 devices. The number of affected organizations has decreased from over 73,000 to around 11,000 after impacted companies were notified. This massive operation was made possible by a custom packet-sniffing tool called “FortiGate Sniffer,” which allowed attackers to intercept VPN credentials and other authentication data directly from network traffic.

Further investigation revealed that the FortiBleed infrastructure was used by an individual with access to the ransomware negotiation panels of both Lynx and INC groups. This provides direct evidence that a single entity or group is behind both the credential theft operation and the ransomware attacks. The researchers also identified more than 200 operational servers beyond those originally associated with the campaign, as well as victim information harvested during FortiBleed that overlaps with organizations listed on the INC ransomware leak site.

The investigation has shed light on the complexity of the operation: the group behind it is believed to consist of roughly 20 members with defined roles. After initial compromise, the attackers exploited a previously undisclosed Nextcloud zero-day vulnerability to expand their access; technical details of that vulnerability have not yet been released.

The connection between FortiBleed and Lynx ransomware is significant, as it suggests that the stolen credentials were intended to fuel future network intrusions. INC Ransom has operated as a ransomware-as-a-service platform since mid-2023, targeting organizations across various sectors worldwide. Lynx emerged in mid-2024, with many security researchers believing it to be a rebrand of the INC ransomware gang rather than a new extortion group.

As the investigation continues, SOCRadar will release a second technical white paper containing indicators of compromise, attribution evidence, and additional technical analysis once its research is complete. For now, organizations are advised to remain vigilant and take proactive steps to secure their networks and systems.

In the wake of this revelation, it’s essential for security teams to prioritize testing every layer of defense before attackers do. Regular breach and attack simulation tests can help identify vulnerabilities in SIEM and EDR rules, ensuring that threats don’t slip through detection. By staying one step ahead of these sophisticated attacks, organizations can protect themselves from the devastating consequences of a ransomware attack.


Source: Bleeping Computer — 2026-07-01