A large-scale credential theft campaign targeting Fortinet devices has direct ties to the INC and Lynx ransomware operations. Researchers traced the FortiBleed campaign to threat actors who systematized theft of administrative credentials from Fortinet FortiGate firewalls and other Fortinet products. The stolen credentials provide network access that ransomware operators use to establish persistence and move laterally across victim environments before deploying encryption payloads.
FortiBleed exploits vulnerabilities in Fortinet systems to extract stored credentials from device configurations and memory. The threat actors automated this process at scale, harvesting credentials from thousands of organizations globally. The campaign drew little detection because the activity blended into legitimate administrative use of the Fortinet appliances themselves, which became the attack vector.
The connection to INC and Lynx ransomware operations reveals the infrastructure behind these intrusions. INC, known for targeting enterprise networks across multiple sectors, shares operational overlap with Lynx campaigns. Both groups employ similar reconnaissance and lateral movement tactics following initial access through stolen credentials. This linkage demonstrates how initial access brokers and ransomware operators collaborate through shared tooling and infrastructure.
For organizations running Fortinet products, the risk runs high. A compromised FortiGate firewall grants attackers a strategic vantage point. They operate inside network perimeters with administrative privileges, bypassing external security controls. From this position, adversaries enumerate systems, identify high-value targets, steal data, and deploy ransomware.
Fortinet released patches addressing the vulnerabilities exploited by FortiBleed. However, many organizations lag in applying updates, leaving systems exposed. Patching alone is not remediation: credentials harvested before the fix was applied remain valid until they are rotated, so an adversary who obtained them earlier keeps that access on a fully patched appliance.
Organizations should treat every Fortinet appliance as a critical asset requiring immediate attention. Priority actions include deploying the latest security patches, rotating all administrative credentials, enabling multi-factor authentication on administrative interfaces, and implementing network
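As an added example (not code from the original article or from Fortinet), the following Python script audits a FortiOS configuration backup for the weaknesses the priority actions above and the post-patch caveat target. It parses the plain-text `config / edit / set / next / end` format that FortiGate backup files and `show full-configuration` output use, flags admin accounts without two-factor authentication or a trusted-host restriction, and flags WAN-role interfaces whose `allowaccess` exposes management protocols. The embedded sample configuration is constructed for the demo, and the function names and placeholder values are assumptions of this example. It checks only the settings shown, so a clean result is one input to the credential-rotation work after an exposure, not proof that no stolen credential remains valid.

```python
"""Audit a FortiOS configuration backup for administrative-access weaknesses.

Added example, not code from the original article or from Fortinet. It parses
the text format of FortiGate backups / `show full-configuration` output and
flags: admin accounts without two-factor auth or a trusted host, and WAN-role
interfaces that expose management protocols. SAMPLE_CONFIG is constructed for
this demo; ENC and token values are placeholders.
"""
import shlex

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC PLACEHOLDER
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKPLACEHOLDER00"
        set password ENC PLACEHOLDER
    next
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "port2"
        set role lan
        set allowaccess ping https ssh fgfm
    next
end
"""

MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet", "snmp", "fgfm"}


def parse_fortios(text):
    """Return {section_path: {entry_name: {key: [values]}}}.

    `config a b` opens a section (nested sections get a slash-joined path such
    as "global/system admin" in multi-VDOM configs), `edit "x"` opens an entry,
    `set k v...` stores values, `next` closes the entry, `end` the section.
    Settings placed directly under a section (no `edit`) land under key "".
    """
    sections, section_stack, entry_stack = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            section_stack.append("/".join(section_stack[-1:] + [" ".join(args)]))
            entry_stack.append(None)
            sections.setdefault(section_stack[-1], {})
        elif cmd == "edit":
            entry_stack[-1] = args[0]
            sections[section_stack[-1]].setdefault(args[0], {})
        elif cmd == "set":
            entry = entry_stack[-1] or ""
            sections[section_stack[-1]].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry_stack[-1] = None
        elif cmd == "end":
            section_stack.pop()
            entry_stack.pop()
    return sections


def _entries(sections, suffix):
    """Merge entries of every section whose path ends with `suffix`."""
    merged = {}
    for path, entries in sections.items():
        if path == suffix or path.endswith("/" + suffix):
            merged.update(entries)
    return merged


def audit_admins(sections):
    """Flag admins lacking two-factor auth or a non-default trusted host."""
    findings = []
    for name, s in _entries(sections, "system admin").items():
        if not name:
            continue
        # `set two-factor disable` is the default; short configs omit it entirely
        if s.get("two-factor", ["disable"]) == ["disable"]:
            findings.append((name, "no two-factor authentication"))
        # full-configuration dumps show unset trusthosts as 0.0.0.0 0.0.0.0
        if not any(k.startswith("trusthost") and v[:1] != ["0.0.0.0"]
                   for k, v in s.items()):
            findings.append((name, "no trusted-host restriction"))
    return findings


def audit_interfaces(sections):
    """Flag WAN-role interfaces with management protocols in allowaccess."""
    findings = []
    for name, s in _entries(sections, "system interface").items():
        if s.get("role") != ["wan"]:
            continue
        exposed = sorted(set(s.get("allowaccess", [])) & MGMT_PROTOCOLS)
        if exposed:
            findings.append((name, "management exposed on WAN: " + ",".join(exposed)))
    return findings


def audit(text):
    sections = parse_fortios(text)
    return {"admins": audit_admins(sections), "interfaces": audit_interfaces(sections)}


if __name__ == "__main__":
    for area, items in audit(SAMPLE_CONFIG).items():
        for name, issue in items:
            print(f"[{area}] {name}: {issue}")
```

To run it against a real appliance, read the backup file and pass its contents to `audit()`; every account it lists is one whose password should be rotated and whose two-factor and trusted-host settings should be fixed before the device is considered clean. The parser keeps nested section paths, so it works on multi-VDOM backups where `config system admin` sits under `config global`.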
