FortiBleed Meets Ransomware
The FortiBleed credential-theft campaign — one of the largest Fortinet exploitation operations ever documented — has now been explicitly linked to the INC Ransom and Lynx ransomware groups, according to new findings published by BleepingComputer. The connection confirms long-standing suspicions that the stolen Fortinet VPN credentials were being stockpiled as initial access inventory for future ransomware intrusions.
The FortiBleed campaign targeted Fortinet FortiGate firewalls at massive scale, compromising credentials from an estimated 73,000 to 86,644 devices and intercepting over 110 million credentials through custom packet-sniffing malware deployed directly on victim firewalls.
How the Connection Was Made
Investigators identified a Windows server used by the FortiBleed operators that contained active browser sessions logged into both the INC Ransom and Lynx ransomware negotiation panels simultaneously. The shared infrastructure provides direct forensic evidence that the same threat actors are managing both the credential-harvesting operation and downstream ransomware negotiations.
Lynx ransomware, which emerged in mid-2024, is widely believed to be a rebrand or fork of INC Ransom, which has been operating since mid-2023. The overlap in infrastructure reinforces this relationship and suggests a small core group drives activity across both brands.
Campaign Scale and Infrastructure
The FortiBleed operation revealed a sophisticated, multi-tiered threat actor:
- ~500 operational servers supporting credential harvesting and exfiltration
- A custom "FortiGate Sniffer" tool deployed on compromised firewalls to intercept live VPN authentication traffic
- Persistent backdoor accounts using the username "adminin" on compromised systems
- Infrastructure for password hash cracking and credential-stuffing attacks
- Evidence of exploiting a previously undisclosed Nextcloud zero-day to expand access
The operation employed a roughly 20-member team with defined roles including senior operators, specialists, and junior support staff — a structure more reminiscent of a criminal enterprise than opportunistic hacking.
Why This Matters
Fortinet firewalls sit at the outermost perimeter of enterprise networks, making compromised credentials exceptionally dangerous. An attacker holding valid VPN credentials can bypass perimeter controls entirely, land inside a trusted network segment, and proceed with lateral movement and ransomware deployment with minimal friction.
The link to Lynx and INC Ransom suggests the stolen credentials are not being sold on forums but rather retained for direct exploitation — a more patient, high-value approach that tends to produce larger ransom demands against well-resourced targets.
Remediation Steps
Organizations running Fortinet FortiGate devices should take the following actions immediately:
- Rotate all VPN credentials and SSL-VPN service account passwords
- Review FortiGate configurations for unauthorized admin accounts, particularly any account named "adminin"
- Apply all available FortiOS patches, especially those addressing the FortiBleed-related vulnerabilities
- Enable logging on all authentication events and forward to SIEM for anomaly detection
- Audit active sessions and terminate any unrecognized SSL-VPN connections
- Check for unauthorized packet capture processes running on firewall management interfaces
Fortinet previously notified affected customers when the FortiBleed campaign was initially disclosed, and active notification efforts reduced the number of devices with live sniffers from ~19,000 to approximately 11,000. However, credentials harvested before notification remain at risk.