Hackers News

FortiBleed Vulnerability Exploited by INC and Lynx Ransomware to Steal Passwords

Sarah simpson
July 2, 2026

Key Takeaways

  • A large-scale credential harvesting operation dubbed FortiBleed, targeting FortiGate firewalls globally, has been directly linked to the INC Ransom and Lynx ransomware-as-a-service (RaaS) operations.
  • Researchers identified an operator with access to FortiBleed infrastructure actively engaging with negotiation panels for both INC Ransom and Lynx, confirming a direct pipeline from credential theft to ransomware deployment.
  • The FortiBleed campaign has compromised over 430,000 FortiGate firewalls worldwide, with confirmed admin-level access on 409 targets and full attack chains completed on 354, leading to at least 12 confirmed ransomware deployments.
  • The threat actor, acting as an Initial Access Broker, utilizes a custom Golang-based tool called FortigateSniffer to exploit FortiOS’s native `diagnose sniffer packet` command.
  • Organizations using FortiGate infrastructure face an elevated risk, as exposure to FortiBleed is now a direct precursor to potential ransomware attacks.

A sophisticated credential harvesting campaign, dubbed FortiBleed, has been definitively linked to two active ransomware-as-a-service (RaaS) groups, INC Ransom and Lynx. This campaign has already compromised hundreds of thousands of FortiGate firewalls globally, directly fueling the ransomware ecosystem.

Researchers at SOCRadar’s Threat Research Unit (STRU) established the first confirmed connection between the widespread theft of FortiGate credentials and subsequent ransomware deployment. They identified an individual with direct access to the FortiBleed infrastructure actively participating in negotiation panels for both ransomware brands, as detailed in their latest findings.

STRU initially documented FortiBleed as a vast operation designed to harvest credentials from over 430,000 FortiGate firewalls worldwide. The threat actor functions as an Initial Access Broker (IAB), deploying a bespoke Golang-based utility named FortigateSniffer. This tool surreptitiously intercepts authentication traffic across more than two dozen protocols by exploiting the FortiOS native `diagnose sniffer packet` command.

Ongoing investigations, leveraging platforms such as Shodan, Censys, Validin, and proprietary IP block scanning, revealed approximately 200 additional operational servers associated with the campaign’s sniffers and scanners. STRU tracked scanning activities against an estimated 11,250 FortiGate portals spanning over 150 countries. The campaign’s impact includes:

  • Confirmed administrative-level access on 409 targets.
  • Completion of the full attack chain (VPN compromise, domain controller access, domain admin privileges) on 354 targets.
  • At least 12 confirmed ransomware deployments, resulting in hundreds of encrypted endpoints.

The attribution for these activities was made possible following a security breach on a newly identified server, which exposed the actor’s internal operational environment, including critical logs and documentation.

INC and Lynx Connection

Within the compromised operational environment, STRU found an operator actively engaged in ransom negotiations on panels associated with both INC Ransom and Lynx. INC Ransom has been a prominent RaaS group since mid-2023, while Lynx, which emerged approximately a year later, is largely considered an evolved variant of INC.

This critical discovery is further substantiated by an overlap in victim organizations. A comparison of FortiBleed’s target data with an independently discovered INC-linked open directory revealed identical victim entities across both datasets, providing independent confirmation of a shared operational pipeline between the credential theft and ransomware deployment phases.

STRU also retrieved an internal tracking document that meticulously detailed which credentials were exploited, which networks were accessed, and the outcomes of various ransomware deployments. Analysis of this documentation suggests a highly organized operation, comprising roughly 20 individuals, including a small core of primary operators, specialized experts, and junior back-office support personnel.

The FortiBleed campaign is not merely an isolated credential-theft operation; it serves as a direct pipeline into active ransomware economies. For organizations utilizing FortiGate infrastructure, exposure to FortiBleed now represents more than just a credential risk; it is a significant precursor to a full-scale ransomware deployment.

What You Should Do

  • Immediately apply all available patches and security updates for your FortiGate devices, especially those addressing known vulnerabilities.
  • Implement strong, unique passwords for all administrative accounts and enforce multi-factor authentication (MFA) across all VPN and administrative access points.
  • Regularly monitor FortiGate logs for unusual activity, unauthorized access attempts, and the execution of diagnostic commands like `diagnose sniffer packet`.
  • Conduct routine vulnerability assessments and penetration tests on your network perimeter, particularly focusing on FortiGate firewalls.
  • Isolate critical systems and segment your network to limit lateral movement in the event of a breach.
  • Maintain robust backup and recovery procedures, ensuring backups are immutable and stored offline or in a separate, secure environment.
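The log-monitoring recommendation above can be turned into a small detection job. The following is an added example, not code from the article or from SOCRadar: it parses FortiOS-style `key="value"` event log lines, flags any CLI command event whose message contains `diagnose sniffer packet`, and flags admin logins (successful or failed) that originate outside a constructed list of trusted management networks. The sample log lines, the `msg` wording for a CLI command event, and the `TRUSTED_ADMIN_NETS` list are all constructed for illustration; verify the exact field names and message text against the event logs your own FortiGate emits before relying on the rules.

```python
"""Flag packet-sniffer execution and untrusted admin logins in
FortiOS-style event logs (added example, constructed sample data)."""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed sample lines in FortiOS key="value" syslog format. The msg text
# for CLI command events is ASSUMED for illustration; check the real format.
SAMPLE_LOGS: List[str] = [
    'date=2026-07-01 time=10:12:03 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" srcip=198.51.100.23 '
    'msg="Administrator admin logged in successfully from ssh(198.51.100.23)"',
    'date=2026-07-01 time=10:12:41 devname="fw-edge-01" type="event" subtype="system" '
    'level="notice" user="admin" srcip=198.51.100.23 '
    'msg="User admin executed CLI command: diagnose sniffer packet any none 3"',
    'date=2026-07-01 time=10:15:00 devname="fw-edge-01" type="event" subtype="system" '
    'level="information" user="netops" srcip=10.0.5.4 '
    'msg="User netops executed CLI command: get system status"',
    'date=2026-07-01 time=10:20:17 devname="fw-edge-01" type="event" subtype="system" '
    'level="warning" logdesc="Admin login failed" user="admin" srcip=203.0.113.77 '
    'msg="Administrator admin login failed from https(203.0.113.77)"',
]

# Management networks from which admin logins are expected (constructed values).
TRUSTED_ADMIN_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.100.0/24")]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The command the article says FortigateSniffer abuses; match it anywhere in msg.
SNIFFER_RE = re.compile(r"\bdiagnose\s+sniffer\s+packet\b", re.IGNORECASE)


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_trusted_admin_source(src: str) -> bool:
    """True if src is an IP inside one of the trusted management networks."""
    try:
        addr = ip_address(src)
    except ValueError:  # missing or malformed srcip counts as untrusted
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def analyze(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious event log line, in input order."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        f = parse_fortios_line(line)
        if f.get("type") != "event":
            continue  # only event logs carry admin/CLI activity
        msg = f.get("msg", "")
        when = f"{f.get('date', '?')} {f.get('time', '?')}"
        who = f.get("user", "?")
        src = f.get("srcip", "?")
        if SNIFFER_RE.search(msg):
            findings.append({"severity": "high", "rule": "packet-sniffer-executed",
                             "time": when, "user": who, "srcip": src, "detail": msg})
        elif f.get("logdesc", "").startswith("Admin login") and not is_trusted_admin_source(src):
            outcome = "failed" if "failed" in f["logdesc"].lower() else "succeeded"
            findings.append({"severity": "medium",
                             "rule": f"admin-login-{outcome}-untrusted-source",
                             "time": when, "user": who, "srcip": src, "detail": msg})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(f"[{finding['severity']}] {finding['rule']} {finding['time']} "
              f"user={finding['user']} srcip={finding['srcip']}")
```

Feed the function real syslog output (one line per call) instead of `SAMPLE_LOGS`; any hit on `packet-sniffer-executed` deserves immediate review, since a legitimate sniffer run by your own staff should be rare and attributable to a change ticket, and a successful admin login from an untrusted source is exactly the precursor the campaign relies on.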

All Rights Reserved by HackersRadar ©2026