FortiBleed Vulnerability Exploited by INC and Lynx Ransomware to Steal Passwords
Key Takeaways
- A large-scale credential harvesting operation dubbed FortiBleed, targeting FortiGate firewalls globally, has been directly linked to the INC Ransom and Lynx ransomware-as-a-service (RaaS) operations.
- Researchers identified an operator with access to FortiBleed infrastructure actively engaging with negotiation panels for both INC Ransom and Lynx, confirming a direct pipeline from credential theft to ransomware deployment.
- The FortiBleed campaign has compromised over 430,000 FortiGate firewalls worldwide, with confirmed admin-level access on 409 targets and full attack chains completed on 354, leading to at least 12 confirmed ransomware deployments.
- The threat actor, acting as an Initial Access Broker, utilizes a custom Golang-based tool called FortigateSniffer to exploit FortiOS’s native `diagnose sniffer packet` command.
- Organizations using FortiGate infrastructure face an elevated risk, as exposure to FortiBleed is now a direct precursor to potential ransomware attacks.
A sophisticated credential harvesting campaign, dubbed FortiBleed, has been definitively linked to two active ransomware-as-a-service (RaaS) groups, INC Ransom and Lynx. This campaign has already compromised hundreds of thousands of FortiGate firewalls globally, directly fueling the ransomware ecosystem.
Researchers at SOCRadar’s Threat Research Unit (STRU) established the first confirmed connection between the widespread theft of FortiGate credentials and subsequent ransomware deployment. They identified an individual with direct access to the FortiBleed infrastructure actively participating in negotiation panels for both ransomware brands, as detailed in their latest findings.
STRU initially documented FortiBleed as a vast operation designed to harvest credentials from over 430,000 FortiGate firewalls worldwide. The threat actor functions as an Initial Access Broker (IAB), deploying a bespoke Golang-based utility named FortigateSniffer. This tool surreptitiously intercepts authentication traffic across more than two dozen protocols by exploiting the FortiOS native `diagnose sniffer packet` command.
Ongoing investigations, leveraging platforms such as Shodan, Censys, Validin, and proprietary IP block scanning, revealed approximately 200 additional operational servers associated with the campaign’s sniffers and scanners. STRU tracked scanning activities against an estimated 11,250 FortiGate portals spanning over 150 countries. The campaign’s impact includes:
- Confirmed administrative-level access on 409 targets.
- Completion of the full attack chain (VPN compromise, domain controller access, domain admin privileges) on 354 targets.
- At least 12 confirmed ransomware deployments, resulting in hundreds of encrypted endpoints.
The attribution for these activities was made possible following a security breach on a newly identified server, which exposed the actor’s internal operational environment, including critical logs and documentation.
INC and Lynx Connection
Within the compromised operational environment, STRU found an operator actively engaged in ransom negotiations on panels associated with both INC Ransom and Lynx. INC Ransom has been a prominent RaaS group since mid-2023, while Lynx, which emerged approximately a year later, is largely considered an evolved variant of INC.
This critical discovery is further substantiated by an overlap in victim organizations. A comparison of FortiBleed’s target data with an independently discovered INC-linked open directory revealed identical victim entities across both datasets, providing independent confirmation of a shared operational pipeline between the credential theft and ransomware deployment phases.
STRU also retrieved an internal tracking document that meticulously detailed which credentials were exploited, which networks were accessed, and the outcomes of various ransomware deployments. Analysis of this documentation suggests a highly organized operation, comprising roughly 20 individuals, including a small core of primary operators, specialized experts, and junior back-office support personnel.
The FortiBleed campaign is not merely an isolated credential-theft operation; it serves as a direct pipeline into active ransomware economies. For organizations utilizing FortiGate infrastructure, exposure to FortiBleed now represents more than just a credential risk; it is a significant precursor to a full-scale ransomware deployment.
What You Should Do
- Immediately apply all available patches and security updates for your FortiGate devices, especially those addressing known vulnerabilities.
- Implement strong, unique passwords for all administrative accounts and enforce multi-factor authentication (MFA) across all VPN and administrative access points.
- Regularly monitor FortiGate logs for unusual activity, unauthorized access attempts, and the execution of diagnostic commands like `diagnose sniffer packet`.
- Conduct routine vulnerability assessments and penetration tests on your network perimeter, particularly focusing on FortiGate firewalls.
- Isolate critical systems and segment your network to limit lateral movement in the event of a breach.
- Maintain robust backup and recovery procedures, ensuring backups are immutable and stored offline or in a separate, secure environment.
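As an added illustration of the log-monitoring recommendation above (example code, not from the article or from Fortinet), this Python script parses FortiGate-style key=value syslog lines, flags every executed `diagnose sniffer packet` command, and rates the finding higher when the admin session came from a host outside a trusted management allowlist. The sample log lines, the field names `logdesc`, `ui` and `cli`, and the allowlist are constructed assumptions for the example.

```python
import re
from typing import Dict, Iterable, List

# FortiGate emits syslog in a key=value style; the field names used in these
# constructed sample lines (logdesc, user, ui, cli) are assumptions for the
# example and were not taken from the article or from Fortinet documentation.
SAMPLE_LOGS = """\
date=2024-05-01 time=10:02:11 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="ssh(198.51.100.7)"
date=2024-05-01 time=10:02:40 type="event" subtype="system" logdesc="Command executed" user="admin" ui="ssh(198.51.100.7)" cli="diagnose sniffer packet any 'port 443 or port 389' 4 0 a"
date=2024-05-01 time=10:03:05 type="event" subtype="system" logdesc="Command executed" user="opsuser" ui="ssh(10.10.1.5)" cli="get system status"
date=2024-05-01 time=10:04:17 type="event" subtype="system" logdesc="Command executed" user="admin" ui="ssh(198.51.100.7)" cli="diagnose   sniffer packet port1 'tcp port 22'"
"""

# Management hosts from which packet captures are expected (constructed allowlist).
TRUSTED_ADMIN_SOURCES = {"10.10.1.5"}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Split one key=value / key="quoted value" log line into a dict."""
    return {k: q or u for k, q, u in _KV.findall(line)}


def _source_of(ui: str) -> str:
    """Pull the client address out of a ui field such as ssh(198.51.100.7)."""
    m = re.search(r"\(([^)]+)\)", ui)
    return m.group(1) if m else ui


def detect_sniffer_use(log_text: str, trusted: Iterable[str] = TRUSTED_ADMIN_SOURCES) -> List[Dict[str, str]]:
    """Return one finding per executed 'diagnose sniffer packet' command.

    Whitespace inside the cli field is collapsed so that padded spacing does
    not let the command slip past a naive substring match.
    """
    trusted = set(trusted)
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_fortigate_line(raw)
        cli = " ".join(rec.get("cli", "").split())
        if not cli.startswith("diagnose sniffer packet"):
            continue
        source = _source_of(rec.get("ui", ""))
        findings.append({
            "time": f'{rec.get("date", "")} {rec.get("time", "")}',
            "user": rec.get("user", ""),
            "source": source,
            "cli": cli,
            # A capture started from an untrusted host is the strongest signal.
            "severity": "high" if source not in trusted else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_sniffer_use(SAMPLE_LOGS):
        print(f'{f["severity"].upper()}: {f["time"]} {f["user"]}@{f["source"]} ran "{f["cli"]}"')
```

Feed it a real export only after confirming which field carries the executed command on your firmware version, since that name is an assumption here.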
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.