The FortiBleed campaign has been tied to ransomware operations conducted by the INC and Lynx groups.

A large-scale credential theft operation known as FortiBleed has been attributed to threat actors associated with the INC Ransom and Lynx ransomware-as-a-service (RaaS) ecosystems, according to research published by cybersecurity firm SOCRadar.

Investigators uncovered evidence showing that an individual with access to the FortiBleed infrastructure was simultaneously connected to the ransom negotiation portals used by both the INC and Lynx ransomware groups. This overlap suggests a direct operational relationship between the credential-harvesting campaign and the two ransomware operations.

During the investigation, researchers also observed indications that some attacks may have leveraged a previously undisclosed vulnerability affecting Nextcloud, a widely used content collaboration and file-sharing platform. The vulnerability remains under active analysis, and details have not yet been publicly released. As a result, it has not been assigned a CVE identifier or been included in any official security advisory.

According to Ensar Seker, Chief Information Security Officer at SOCRadar, the suspected Nextcloud flaw appears to have functioned as a supporting element within the attackers’ broader intrusion strategy. Rather than serving as the primary entry point, the vulnerability was likely exploited to expand access, move laterally within environments, or strengthen attacker-controlled infrastructure after an initial compromise had already been achieved.

Researchers emphasized that exploitation of the Nextcloud issue was not a universal component of the campaign. Many affected organizations showed no evidence of Nextcloud-related activity, indicating that successful compromise did not depend solely on the exploitation of the alleged zero-day vulnerability.

The findings follow a warning issued last month by the Cybersecurity and Infrastructure Security Agency (CISA), which alerted organizations that cybercriminals had gained access to and were actively abusing tens of thousands of compromised credentials associated with Fortinet firewalls and VPN appliances across both government and private-sector environments.

Multi-Stage Attack Operation

SOCRadar’s investigation indicates that the campaign was conducted through a sophisticated, layered operational model. At its core was an actor functioning as an initial access broker (IAB), a cybercriminal specializing in obtaining and selling network access to other threat groups. This operator reportedly employed a custom-built tool written in Go (Golang) that was specifically designed to capture and intercept authentication traffic from targeted systems.

The broader operation is believed to involve approximately 20 individuals, suggesting a coordinated and well-resourced criminal enterprise. Researchers are preparing an additional report expected to reveal further technical and operational details about the group's infrastructure, tactics, and affiliations.

Analysis identified active traffic interception on roughly 19,000 Fortinet devices worldwide. Following notification efforts aimed at affected organizations, the number of exposed or vulnerable devices reportedly declined to approximately 11,000, reflecting ongoing mitigation and remediation activities.

Fortinet stated that it has been collaborating with government agencies and relevant authorities to alert potentially impacted customers and reduce the risks associated with the campaign.

Impact and Ransomware Deployment

The scale of the operation appears significant. According to SOCRadar, threat actors successfully obtained administrator-level privileges in 409 environments and achieved full compromise of 354 organizations or systems.

To date, researchers have verified at least 12 ransomware incidents stemming from the campaign. Those attacks resulted in the encryption of hundreds of endpoints, demonstrating how stolen credentials and unauthorized network access were ultimately converted into financially motivated ransomware operations linked to the INC and Lynx groups.

The findings highlight the growing convergence between credential theft campaigns, initial access brokers, and ransomware operators, illustrating how compromised credentials can rapidly escalate into large-scale network intrusions and data-encrypting attacks.
