FortiBleed Credential Theft Campaign Linked to Lynx and INC Ransomware Groups

361/69 Friday, July 3, 2026

Cybersecurity researchers have identified a direct link between the large-scale FortiBleed attack campaign, which focuses on stealing authentication data from Fortinet devices, and ransomware groups such as INC and Lynx. The campaign has affected a large number of FortiGate firewall devices worldwide. This connection suggests that the stolen usernames and passwords were intended to be used as an entry point into target organizations’ networks for future ransomware attacks and data extortion.

An investigation by SOCRadar’s threat research team found that the FortiBleed campaign targeted more than 430,000 FortiGate firewall devices worldwide. Attackers reportedly installed a tool called FortiGate Sniffer on compromised devices to capture login credentials, including VPN passwords, directly from network traffic. Researchers also found evidence of a backdoor account named adminin, which was used to maintain persistent access to affected systems. In addition, researchers identified attacker-controlled servers that had a history of accessing ransom negotiation panels associated with the Lynx and INC ransomware groups. Data belonging to organizations affected by FortiBleed was also found on INC’s data leak site. The operation is believed to involve approximately 20 members with clearly divided roles. Preliminary reports also indicate that the attackers may have exploited an undisclosed zero-day vulnerability in Nextcloud to expand their access after initially compromising the network.

To reduce the risk posed by this threat, organizations using Fortinet devices and Nextcloud systems should urgently inspect their environments. This includes reviewing system user accounts for suspicious entries, such as adminin, or any unauthorized accounts, as well as carefully examining configuration files and network access history. Network administrators should enforce password resets for all user and administrator accounts associated with VPN systems and enable Multi-Factor Authentication (MFA) to add another layer of security. Organizations should also regularly monitor security updates from vendors and apply patches promptly to close vulnerabilities that could be exploited in future intrusions.
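As an added illustration of the account review described above (not code from the article or from Fortinet), the following script parses the `config system admin` section of a FortiGate configuration backup and flags administrator accounts that are not on an approved list, noting their privilege profile and whether any `trusthost` source restriction is set. The configuration excerpt is constructed and the allowlist is hypothetical.

```python
# Added example (not from the article or Fortinet): audit the 'config system admin'
# section of a FortiGate configuration backup for administrator accounts that are not
# on an approved list. The config excerpt is constructed; the allowlist is hypothetical.
import re

# Constructed FortiOS config excerpt. "adminin" mimics the backdoor account named in
# the article; "svc-backup" stands for an account nobody on the team can vouch for.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "adminin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "svc-backup"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""
APPROVED_ADMINS = {"admin"}  # hypothetical allowlist kept by the firewall owner


def parse_admin_accounts(config_text):
    """Return {name: {setting: value}} for each entry under 'config system admin'."""
    block = re.search(r"^config system admin\n(.*?)^end$", config_text, re.S | re.M)
    accounts = {}
    entry_re = r'^\s*edit "([^"]+)"\n(.*?)^\s*next$'
    for entry in re.finditer(entry_re, block.group(1) if block else "", re.S | re.M):
        settings = {}
        for line in entry.group(2).splitlines():
            parts = line.strip().split(None, 2)  # 'set', key, rest of line
            if len(parts) >= 2 and parts[0] == "set":
                settings[parts[1]] = parts[2].strip('"') if len(parts) == 3 else ""
        accounts[entry.group(1)] = settings
    return accounts


def find_unapproved_admins(config_text, approved=APPROVED_ADMINS):
    """Return (name, accprofile, lacks_trusthost) for each account not on the allowlist."""
    findings = []
    for name, s in parse_admin_accounts(config_text).items():
        if name not in approved:  # unknown admin: report privilege level and source restriction
            findings.append((name, s.get("accprofile", "?"), not any(k.startswith("trusthost") for k in s)))
    return findings
```

Run it against a real backup by reading the file into `find_unapproved_admins`; every account it returns should be traceable to a change ticket, and a super_admin entry with no trusthost restriction deserves immediate attention.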

Source: https://www.bleepingcomputer.com/news/security/fortibleed-credential-theft-campaign-linked-to-lynx-ransomware/