Particle.news
Download on the App Store

FortiBleed Credential Campaign Linked to INC and Lynx Ransomware

New forensic evidence shows operators converted stolen FortiGate credentials into direct ransomware access and negotiation activity, signaling a higher immediate risk to affected organizations.

Overview

  • Researchers found an exposed server holding tens of thousands of Fortinet credentials and configuration files that were harvested by a mass scanning operation.
  • The attackers used a custom Go‑based 'FortiGate Sniffer' plus distributed GPU cracking to turn intercepted authentication traffic into working VPN and admin logins.
  • SOCRadar analysis shows an operator with access to FortiBleed infrastructure logged into INC and Lynx ransomware negotiation panels and links at least a dozen confirmed ransomware deployments to that access.
  • Recovered internal documents describe a roughly 20‑person, role‑based criminal operation running hundreds of servers and tracking which stolen credentials led to domain compromise.
  • Remediation and agency notices have cut active compromised FortiGate management ports, but thousands of devices remain exposed and investigators say the group may have used a Nextcloud zero‑day while technical details are still developing.