FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

Summary: The recently discovered, financially motivated FortiBleed campaign has been attributed to the INC and Lynx ransomware operations, indicating that the verified stolen credentials were intended for follow-on intrusions. "An operator tied to FortiBleed's infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment."

A massive credential theft campaign targeting Fortinet firewalls is no longer just a data exposure incident. Security researchers have now linked the operation, known as FortiBleed, to the INC and Lynx ransomware groups, providing the first clear evidence that the stolen administrator credentials are being used to conduct real-world ransomware attacks against enterprise networks. The findings demonstrate how compromised network infrastructure can quickly become the starting point for large-scale extortion campaigns.

FortiBleed first came to light after researchers discovered a database containing tens of thousands of valid administrator and VPN credentials for internet-facing Fortinet FortiGate firewalls. Unlike a traditional software vulnerability, the campaign does not rely on a new zero-day exploit. Instead, attackers built a massive repository of working credentials by combining previously stolen configuration files, password cracking, credential stuffing, brute-force attacks, and custom packet-sniffing malware deployed on already compromised FortiGate devices.

Subsequent analysis by SOCRadar’s Threat Research Unit uncovered operational links between the FortiBleed infrastructure and operators affiliated with the INC and Lynx ransomware-as-a-service (RaaS) ecosystems. Investigators identified overlaps in attacker infrastructure, victim targeting, operational documentation, and even direct evidence showing an operator with access to the FortiBleed environment managing ransomware negotiation panels associated with both groups. These findings suggest that the credential harvesting campaign was designed not merely to collect data, but to generate reliable initial access for future ransomware operations.

Researchers tracked scanning activity against more than 11,000 internet-facing FortiGate portals across over 150 countries, confirming administrative access on hundreds of systems. In at least 354 organizations, attackers completed the full intrusion chain, progressing from credential compromise to post-exploitation activities. At least 12 confirmed ransomware deployments have already been attributed to this campaign, resulting in the encryption of hundreds of systems across multiple victim organizations.

The attack illustrates the increasingly important role of initial access brokers (IABs) within the cybercrime ecosystem. Rather than carrying out ransomware attacks themselves, these groups specialize in obtaining and validating access to enterprise environments before selling or sharing that access with ransomware operators. FortiBleed appears to follow this model, industrializing credential theft on a global scale and supplying high-quality access to multiple financially motivated threat groups. This division of labor allows ransomware affiliates to focus on lateral movement, privilege escalation, data theft, and extortion while relying on specialized partners to breach enterprise perimeters.

Compromised FortiGate devices are particularly valuable because they frequently serve as the primary security gateway protecting corporate networks. Administrative access to these appliances can provide attackers with VPN credentials, firewall configurations, routing information, authentication data, and visibility into internal infrastructure. Once inside, attackers can bypass many traditional perimeter defenses and move directly toward critical systems without relying on phishing or endpoint exploitation.

Researchers also found that the attackers deployed custom malware, referred to as FortiGate Sniffer, on compromised firewalls. Rather than simply stealing stored credentials, the malware intercepted authentication traffic passing through the devices, allowing operators to capture VPN usernames, passwords, and additional credentials as users logged into corporate networks. These freshly harvested credentials significantly increased the success rate of subsequent intrusions while enabling attackers to maintain long-term access.

Fortinet has stated that the campaign does not appear to result from a newly discovered vulnerability in FortiOS. Instead, the company believes the attackers are exploiting previously compromised credentials, weak password practices, legacy credential exposure from earlier incidents, and organizations that failed to rotate administrator passwords after upgrading their devices. As a result, simply installing the latest firmware may not eliminate the threat if compromised credentials remain in use.

Security agencies recommend treating all potentially exposed Fortinet administrator and VPN credentials as compromised. Organizations should immediately rotate passwords, enforce multi-factor authentication for administrative and VPN accounts, restrict management interfaces from public internet exposure, review authentication logs for suspicious activity, and investigate any evidence of unauthorized configuration changes. Because many attackers may have maintained persistent access for weeks or months, organizations should also conduct comprehensive threat hunting to identify indicators of compromise that predate the public disclosure of FortiBleed.
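The log review step above is the one most teams find hardest to turn into something concrete. The script below is an added example, not code from SOCRadar, Fortinet or the article, that triages FortiGate-style key=value event logs for the three signals the recommendations call out: successful administrator logins from outside a management allowlist, a burst of failed admin logins followed by a success from the same source (a credential-stuffing or brute-force signature), and configuration changes made from a session that was already flagged. The sample log lines, the field names (`srcip`, `action`, `status`, `cfgpath`), the allowlist and the threshold are all constructed assumptions meant to resemble FortiOS event logs; adjust them to the fields your appliances actually emit.

```python
"""Triage FortiGate-style key=value event logs after a suspected credential exposure.
Flags: admin logins outside the management allowlist, failed-login bursts that end in
a success, and config edits from sessions already flagged. Field names and sample
lines are constructed assumptions, not the vendor's documented log schema."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = """\
date=2025-01-10 time=09:01:02 type="event" subtype="system" user="admin" srcip=10.0.5.20 action="login" status="success"
date=2025-01-10 time=09:05:10 type="event" subtype="system" user="admin" srcip=10.0.5.20 action="edit" status="success" cfgpath="system.admin"
date=2025-01-10 time=22:14:01 type="event" subtype="system" user="admin" srcip=198.51.100.77 action="login" status="failed"
date=2025-01-10 time=22:14:03 type="event" subtype="system" user="admin" srcip=198.51.100.77 action="login" status="failed"
date=2025-01-10 time=22:14:05 type="event" subtype="system" user="admin" srcip=198.51.100.77 action="login" status="failed"
date=2025-01-10 time=22:14:09 type="event" subtype="system" user="admin" srcip=198.51.100.77 action="login" status="success"
date=2025-01-10 time=22:16:30 type="event" subtype="system" user="admin" srcip=198.51.100.77 action="edit" status="success" cfgpath="system.admin"
date=2025-01-10 time=22:17:45 type="event" subtype="vpn" user="jdoe" remip=203.0.113.9 action="tunnel-up" status="success"
"""

# Networks allowed to reach the admin UI (assumption; use your real management ranges).
MGMT_ALLOWLIST = [ip_network("10.0.5.0/24")]
FAILED_BURST_THRESHOLD = 3  # consecutive failures before a success that count as a burst

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def is_management_ip(ip):
    """True when the source address falls inside an allowlisted management network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_ALLOWLIST)


def triage(log_text):
    """Return a list of (rule, srcip, detail) findings, in log order."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    findings = []
    failures = defaultdict(int)   # srcip -> consecutive failed admin logins
    suspicious_sources = set()    # sources whose admin login we already flagged

    for ev in events:
        if ev.get("subtype") != "system":   # only administrative events here
            continue
        src = ev.get("srcip", "")
        action, status = ev.get("action"), ev.get("status")

        if action == "login" and status == "failed":
            failures[src] += 1
        elif action == "login" and status == "success":
            if failures[src] >= FAILED_BURST_THRESHOLD:
                findings.append(("brute_force_then_success", src,
                                 f"{failures[src]} failures before success for {ev.get('user')}"))
                suspicious_sources.add(src)
            failures[src] = 0
            if not is_management_ip(src):
                findings.append(("admin_login_outside_allowlist", src,
                                 f"user {ev.get('user')} at {ev.get('date')} {ev.get('time')}"))
                suspicious_sources.add(src)
        elif action == "edit" and src in suspicious_sources:
            findings.append(("config_change_from_suspicious_session", src,
                             f"cfgpath={ev.get('cfgpath')} by {ev.get('user')}"))
    return findings


if __name__ == "__main__":
    for rule, src, detail in triage(SAMPLE_LOGS):
        print(f"[{rule}] {src}: {detail}")
```

On the constructed sample the benign daytime session from the management network produces nothing, while the evening session from 198.51.100.77 yields three findings in sequence: the failure burst, the login from outside the allowlist, and the follow-on edit to the admin configuration. The config-change rule is deliberately tied to an already-flagged source rather than firing on every edit, which keeps routine administration quiet; widen it if your change process requires every edit to map to a ticket.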

The campaign highlights a significant evolution in ransomware operations. Rather than exploiting newly disclosed software vulnerabilities, attackers are increasingly weaponizing large collections of verified credentials obtained through long-running credential harvesting campaigns. In this model, passwords—not zero-days—become the most valuable commodity in the cybercrime economy. FortiBleed demonstrates that once administrative credentials are exposed, enterprise firewalls can rapidly transition from defensive infrastructure into the initial access point for some of today’s most active ransomware groups.

Key facts

  • The financially motivated FortiBleed campaign has been linked to INC and Lynx ransomware operations
  • Stolen credentials from FortiBleed were intended for follow-on intrusions
  • An operator associated with FortiBleed's infrastructure was observed working with negotiation panels for both ransomware groups
  • This directly connects mass FortiGate credential theft to ransomware deployment

Why it matters

This attribution highlights a concerning trend where initial credential harvesting operations are being directly leveraged by known ransomware gangs. It underscores the critical need for organizations to secure their network perimeters, specifically FortiGate devices, as stolen credentials provide a direct pathway for financially motivated cyberattacks and data encryption.