    FortiBleed credential-theft campaign linked to Lynx ransomware

By admin, July 1, 2026

    The massive FortiBleed credential theft campaign has been linked to the INC and Lynx ransomware operations, suggesting the stolen Fortinet credentials were intended to fuel future network intrusions.

    Earlier this month, a server containing credentials stolen from more than 73,000 Fortinet devices was discovered exposed on the internet. Researchers found the server contained downloaded FortiGate configuration files, credentials harvested from compromised devices, and infrastructure used to crack password hashes and perform credential-stuffing attacks.

    The campaign was dubbed “FortiBleed” due to the large number of exposed credentials and the massive credential-theft operation.


    Follow-up investigations by SOCRadar revealed that the operation used a custom packet-sniffing tool called “FortiGate Sniffer” on compromised FortiGate firewalls, allowing attackers to intercept VPN credentials and other authentication data directly from network traffic.

The latest research from SOCRadar’s Threat Research Unit (STRU) now ties the credential-theft operation directly to members of the INC and Lynx ransomware-as-a-service (RaaS) groups.

    The researchers told BleepingComputer that they discovered this link after identifying a Windows server used as part of the FortiBleed infrastructure.

    “Our threat researchers identified a Windows server belonging to the FortiBleed infrastructure, which provided further insight into the threat actors’ modus operandi,” SOCRadar told BleepingComputer.

    “During the investigation of that server, analysis of the collected artifacts revealed that the threat actor had accessed the ransomware negotiation panels of both the Lynx / INC ransomware group.”

    SOCRadar shared screenshots with BleepingComputer showing browser sessions accessing the administration panels for both ransomware groups. The images show negotiation dashboards containing victim chats used during ransomware negotiations.

    According to the researchers, this provides direct evidence that an individual with access to FortiBleed infrastructure was also involved with the ransomware groups’ negotiation platforms.

The company also says it identified more than 200 additional operational servers beyond those originally associated with the campaign. It further reports that victim information harvested during FortiBleed overlaps with organizations later listed on the INC ransomware leak site, and that it uncovered evidence suggesting the operation consists of roughly 20 members with defined roles.

    SOCRadar also says the campaign was considerably larger than originally understood.

    According to the researchers, the operation targeted more than 430,000 FortiGate firewalls worldwide and deployed traffic sniffers on approximately 19,000 devices.

After the researchers notified impacted organizations, the number of compromised devices fell to around 11,000. The researchers also say they identified roughly 500 servers used by the operation.

    The researchers also believe the attackers exploited a previously undisclosed Nextcloud zero-day vulnerability as part of their operations to expand access after initial compromise. However, technical details have not yet been released.

    SOCRadar also told BleepingComputer it found persistent backdoor accounts using the username “adminin” on compromised systems and is continuing efforts to recover ransomware decryption keys.
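One way a defender can sweep exported FortiGate configurations for the rogue account the article mentions, as an added example that is not SOCRadar’s or Fortinet’s code: it parses the `config system admin` block of a FortiOS config export and reports any admin account not on a team-maintained allowlist, treating the reported “adminin” username as an explicit indicator. The sample config, the allowlist and the regex-based parsing are assumptions constructed for this example.

```python
# Added example (not from the article or SOCRadar): parse the
# `config system admin` block of a FortiOS configuration export and flag
# admin accounts that are not on an allowlist, treating the "adminin"
# username SOCRadar reported as an explicit indicator.
import re

KNOWN_BACKDOOR_NAMES = {"adminin"}  # backdoor username reported in the article

# Constructed sample config: one legitimate admin plus an intruder-added account.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "adminin"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
config system interface
    edit "port1"
    next
end
"""

# The admin block runs from "config system admin" to the first column-0 "end".
ADMIN_BLOCK = re.compile(r"^config system admin\n(.*?)^end$", re.S | re.M)
EDIT_LINE = re.compile(r'^\s*edit "([^"]+)"', re.M)


def admin_accounts(config_text):
    """Return admin usernames defined in the config's `config system admin` block."""
    m = ADMIN_BLOCK.search(config_text)
    return EDIT_LINE.findall(m.group(1)) if m else []


def suspicious_accounts(config_text, allowlist):
    """Return (username, reason) pairs for accounts that need review."""
    findings = []
    for name in admin_accounts(config_text):
        if name in KNOWN_BACKDOOR_NAMES:
            findings.append((name, "matches reported FortiBleed backdoor name"))
        elif name not in allowlist:
            findings.append((name, "not on the allowlist"))
    return findings


print(suspicious_accounts(SAMPLE_CONFIG, allowlist={"admin"}))
```

Run it against a real export (`show system admin` or a full config backup) and review every finding; an unexpected super_admin account with a wildcard trusthost deserves the same scrutiny as the known name.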

    INC Ransom has operated as a ransomware-as-a-service platform since mid-2023, targeting organizations across healthcare, education, government, and other sectors worldwide.

    Lynx emerged in mid-2024 and is believed by security researchers to be a rebrand of the INC ransomware gang rather than a new extortion group.

    SOCRadar says a second technical white paper containing indicators of compromise, attribution evidence, and additional technical analysis will be released once its investigation is complete.

