An investigation into the financially motivated FortiBleed campaign has revealed ties to the INC and Lynx ransomware operations, suggesting that the stolen credentials were used for subsequent attacks.
According to a recent report by SOCRadar, an operator connected to the FortiBleed infrastructure was actively involved in negotiation panels for both ransomware groups, linking the mass theft of FortiGate credentials to ransomware deployments for the first time.
Over 11,000 FortiGate portals across 150 countries were scanned, with 409 targets successfully accessed at an admin level. Of these, 354 were subject to a full attack chain, resulting in at least 12 ransomware incidents and encryption of numerous endpoints within affected organizations.
The operation involved scanning the internet for vulnerable Fortinet devices, using known credentials to gain access, and deploying custom packet sniffers on the compromised appliances to collect authentication data from network traffic.
Reports indicate that the campaign targeted 430,000 FortiGate firewalls globally, amassing over 110 million credentials. The exposure occurred due to an operational security lapse by the attackers, leading to the discovery of a server containing stolen credentials from thousands of Fortinet appliances.
About 12,000 Fortinet devices were found to have the Golang sniffer installed, representing a subset of the total devices targeted in the campaign.
Further investigation revealed that an operator with access to the FortiBleed infrastructure was logged into negotiation panels for INC Ransom and Lynx, with victims overlapping between the two groups. The discovery of new servers associated with FortiBleed provided insights into the attackers’ internal files and operational procedures.
SOCRadar’s Chief Information Security Officer, Ensar Seker, confirmed that the exposed server served as a staging and coordination platform, rather than directly collecting credentials. The activity was attributed to a Russian-speaking threat actor specializing in initial access brokering, with a focus on industries in Latin America and the Asia Pacific regions.
The operation is run by approximately 20 individuals with distinct roles, including lead operators, specialists, and support staff. Additionally, the threat actors are believed to possess a zero-day vulnerability in Nextcloud and to have targeted Citrix environments in addition to Fortinet devices.
While there is no conclusive evidence of credential harvesting against Citrix devices, the presence of target lists suggests reconnaissance and preparation for potential attacks. Organizations using Citrix infrastructure are advised to enhance security measures and monitor for suspicious activities.
Recent observations by eSentire revealed threat actors exploiting a vulnerability in Fortinet FortiClient EMS to deploy an information stealer against a customer in the energy sector. The ultimate goal was to harvest credentials from web browsers and exfiltrate them using PowerShell.