Overview
- Researchers found an exposed server holding tens of thousands of Fortinet credentials and configuration files that were harvested by a mass scanning operation.
- The attackers used a custom Go‑based 'FortiGate Sniffer' plus distributed GPU cracking to turn intercepted authentication traffic into working VPN and admin logins.
- SOCRadar analysis shows an operator with access to FortiBleed infrastructure logged into INC and Lynx ransomware negotiation panels and links at least a dozen confirmed ransomware deployments to that access.
- Recovered internal documents describe a roughly 20‑person, role‑based criminal operation running hundreds of servers and tracking which stolen credentials led to domain compromise.
- Remediation and agency notices have cut active compromised FortiGate management ports, but thousands of devices remain exposed and investigators say the group may have used a Nextcloud zero‑day while technical details are still developing.