FortiBleed Credential Theft Tied to Ransomware Operations

Recent investigations have linked the FortiBleed credential theft campaign to the INC and Lynx ransomware groups, suggesting that the stolen credentials were used for subsequent intrusions.

Analysts observed that an individual associated with FortiBleed’s infrastructure was actively managing negotiation panels for both ransomware groups, establishing a direct connection between the mass theft of FortiGate credentials and ransomware deployments. This activity involved scanning approximately 11,250 FortiGate portals across more than 150 countries, gaining administrative access on 409 targets, and completing the full attack sequence on 354 of them. Consequently, at least 12 ransomware attacks were launched, leading to the encryption of hundreds of endpoints within the affected organizations.

The FortiBleed operation, which surfaced last month, entailed systematically scanning the internet for exposed Fortinet devices, attempting access using known credential combinations, and deploying custom packet sniffers to capture credentials and authentication data from network traffic. The campaign reportedly targeted 430,000 FortiGate firewalls globally, amassing over 110 million credentials. The operation was exposed due to an operational security lapse by the attackers, which left a server containing credentials from thousands of Fortinet appliances accessible online.

Further analysis revealed that an operator with access to FortiBleed infrastructure was logged into both INC Ransom and Lynx negotiation panels, with victim data overlapping between the campaign and the ransomware groups. This connection was identified through one of the 200 newly discovered servers linked to FortiBleed, providing insight into internal files, logs, and operational documentation.

The threat actors behind this campaign are believed to be Russian-speaking and likely function as initial access brokers. Their activities have predominantly targeted the manufacturing, technology, and logistics sectors in the Latin America and Asia-Pacific regions. The operation appears to be well organized, comprising approximately 20 individuals with clearly defined roles, including a core group of lead operators supported by specialists and auxiliary staff.

Additionally, the attackers are suspected to possess at least one zero-day vulnerability in Nextcloud, with efforts underway to coordinate with the affected vendor to address the issue.

These developments underscore the importance of robust cybersecurity practices. Organizations should prioritize strong password policies, regular credential rotation, and multi-factor authentication on administrative portals to mitigate the risks posed by credential theft campaigns of this kind. Proactive measures are essential to defend against the escalating threat from well-organized cybercriminal operations.