FortiBleed campaign linked to INC and Lynx ransomware

FortiBleed has been tied to INC Ransom and Lynx after attackers gained admin access on 409 FortiGate devices and deployed ransomware in 12 incidents.

Security firm SOCRadar uncovered a credential-harvesting operation called FortiBleed in mid-June and linked it to deployments of INC Ransom and Lynx ransomware. The firm says the activity has been running since at least February and has targeted FortiGate firewalls worldwide.

SOCRadar reports the attackers targeted more than 430,000 FortiGate devices and used a network sniffer named FortigateSniffer to capture traffic. The tool was used to extract cleartext credentials and password hashes. The firm estimates roughly 110 million credentials were compromised across as many as 150 countries.

Investigators observed scanning against about 11,250 FortiGate portals and confirmed administrative access on 409 devices. On 354 of those targets, the attackers completed a full attack chain: they compromised VPNs, accessed domain controllers and escalated to domain administrator privileges, allowing access to internal networks, endpoints and servers.

SOCRadar reports 12 incidents resulted in ransomware deployment, with “hundreds of endpoints encrypted across affected organizations.” Analysts observed a single operator logged into both INC and Lynx negotiation panels and found overlaps between FortiBleed victims and known INC targets.

An operational security error by the attackers gave SOCRadar deeper visibility into their environment. The firm gained access to internal files, logs and documentation. A tracking document associated with FortiBleed suggests the operation involves about 20 individuals, with some focused on high-impact intrusions and others providing technical support.

“Finding a single operator working both panels, using infrastructure traceable back to FortiBleed, is the clearest evidence yet that FortiGate credentials harvested through this campaign are being handed off, or used directly, for ransomware deployment,” SOCRadar wrote.

SOCRadar characterizes the campaign as likely run by a Russian initial access broker whose objectives include gaining access to Active Directory domains, stealing sensitive information and establishing persistent access for resale or direct exploitation. INC Ransom emerged in mid-2023 as a ransomware-as-a-service operation; Lynx appears to be an updated variant that surfaced about a year later.

The report links large-scale interception of authentication traffic at the firewall level to hands-on ransomware activity and documents how harvested credentials were used to facilitate later intrusions and encryption.
