
The massive FortiBleed credential theft campaign has been linked to the INC and Lynx ransomware operations, suggesting the stolen Fortinet credentials were intended to fuel future network intrusions.
Earlier this month, a server containing credentials stolen from more than 73,000 Fortinet devices was discovered exposed on the internet. Researchers found the server contained downloaded FortiGate configuration files, credentials harvested from compromised devices, and infrastructure used to crack password hashes and perform credential-stuffing attacks.
The campaign was dubbed "FortiBleed" due to the large number of exposed credentials and the massive credential-theft operation.
Follow-up investigations by SOCRadar revealed that the operation used a custom packet-sniffing tool called "FortiGate Sniffer" on compromised FortiGate firewalls, allowing attackers to intercept VPN credentials and other authentication data directly from network traffic.
The latest research from SOCRadar's Threat Research Unit (STRU) now ties the credential theft operation directly to members of the INC and Lynx ransomware-as-a-service (RaaS) groups.
The researchers told BleepingComputer that they discovered this link after identifying a Windows server used as part of the FortiBleed infrastructure.
"Our threat researchers identified a Windows server belonging to the FortiBleed infrastructure, which provided further insight into the threat actors' modus operandi," SOCRadar told BleepingComputer.
"During the investigation of that server, analysis of the collected artifacts revealed that the threat actor had accessed the ransomware negotiation panels of both the Lynx / INC ransomware groups."
SOCRadar shared screenshots with BleepingComputer showing browser sessions accessing the administration panels for both ransomware groups. The images show negotiation dashboards containing victim chats used during ransomware negotiations.
According to the researchers, this provides direct evidence that an individual with access to FortiBleed infrastructure was also involved with the ransomware groups' negotiation platforms.
The company also says it identified more than 200 additional operational servers beyond those originally associated with the campaign, discovered victim information harvested during FortiBleed that overlaps with organizations later listed on the INC ransomware leak site, and uncovered evidence suggesting the operation consists of roughly 20 members with defined roles.
SOCRadar also says the campaign was considerably larger than originally understood.
According to the researchers, the operation targeted more than 430,000 FortiGate firewalls worldwide and deployed traffic sniffers on approximately 19,000 devices.
After notifying impacted organizations, the number has fallen to around 11,000 compromised devices. The researchers also say they identified roughly 500 servers used by the operation.
The researchers also believe the attackers exploited a previously undisclosed Nextcloud zero-day vulnerability as part of their operations to expand access after initial compromise. However, technical details have not yet been released.
SOCRadar also told BleepingComputer it found persistent backdoor accounts using the username "adminin" on compromised systems and is continuing efforts to recover ransomware decryption keys.
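As an added example (not from the article or from SOCRadar), a small Python check a defender could run over exported FortiGate configuration backups: it parses the `config system admin` block and flags administrator accounts outside an assumed allow-list, such as the "adminin" backdoor account mentioned above, plus super_admin accounts with no trusthost restriction. The configuration excerpt and the allow-list are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed FortiGate config excerpt (not from the article); "adminin" mirrors the reported backdoor name.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC REDACTED
    next
    edit "adminin"
        set accprofile "super_admin"
        set password ENC REDACTED
    next
end
"""

# Assumed allow-list of administrator accounts the organisation knows it created.
KNOWN_ADMINS = {"admin"}

def parse_admin_accounts(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {username: {setting: value}} from the 'config system admin' block."""
    block = re.search(r"^config system admin\n(.*?)^end$", config_text, re.S | re.M)
    accounts: Dict[str, Dict[str, str]] = {}
    current = None
    for line in (block.group(1).splitlines() if block else []):
        line = line.strip()
        if line.startswith('edit "'):
            current = line[6:-1]          # username between the quotes
            accounts[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            accounts[current][key] = value
    return accounts

def suspicious_admins(config_text: str, known=KNOWN_ADMINS) -> List[str]:
    # Flag accounts outside the allow-list, and super_admin accounts reachable from any host.
    findings = []
    for name, settings in parse_admin_accounts(config_text).items():
        if name not in known:
            findings.append(f"{name}: not in allow-list")
        elif settings.get("accprofile") == '"super_admin"' and not any(
                k.startswith("trusthost") for k in settings):
            findings.append(f"{name}: super_admin without trusthost restriction")
    return findings
```

Run `suspicious_admins()` over each device's backup; any finding should be reconciled against change records, since the article notes these accounts persisted as backdoors on compromised systems.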
INC Ransom has operated as a ransomware-as-a-service platform since mid-2023, targeting organizations across healthcare, education, government, and other sectors worldwide.
Lynx emerged in mid-2024 and is believed by security researchers to be a rebrand of the INC ransomware gang rather than a new extortion group.
SOCRadar says a second technical white paper containing indicators of compromise, attribution evidence, and additional technical analysis will be released once its investigation is complete.