
FortiBleed Linked to INC Ransom and Lynx Operation


Threat Actor Accessed INC and Lynx Ransom Negotiation Panels

SOCRadar linked the FortiBleed credential-harvesting operation to ransomware groups INC Ransom and Lynx, finding evidence that a sophisticated initial access broker compromised more than 430,000 FortiGate firewalls.

Recent investigations have uncovered ties between two prominent ransomware gangs, INC Ransom and Lynx, and a credential-harvesting operation dubbed FortiBleed. The operation has compromised more than 430,000 FortiGate firewalls and stolen the credentials held on them. Security firm SOCRadar reported that the actor behind FortiBleed had gained unauthorized access to the negotiation panels of both ransomware-as-a-service operations and was actively taking part in ransom discussions.

Notably, the internal tracking documents associated with the FortiBleed operation overlap with the victims cataloged in a separate INC Ransom open directory, suggesting that the same targets are being tracked by both groups and that the efforts are coordinated. SOCRadar's analysis points to a well-structured operation of roughly 20 individuals: a core team responsible for high-impact intrusions, supported by specialized roles and junior operators handling the technical work.

The FortiBleed campaign exploits vulnerabilities in devices that have not been patched, even though fixes have been available for more than five months. The attackers use these flaws to harvest configuration files and decode the legacy admin passwords stored in them, and they brute-force devices that are protected only by weak passwords.

SOCRadar noted that the individual behind these attacks operates as an initial access broker and uses a bespoke tool named FortigateSniffer. The tool passively intercepts authentication traffic across multiple protocols by driving FortiOS's native diagnostic packet capture commands, so no additional malware has to be placed on the device. The operation's sophistication is further illustrated by the possible use of CyberStrike, an autonomous penetration testing AI agent that can be connected to existing large language models.
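Because the sniffer rides on a legitimate FortiOS command, the defender-side check is to watch the firewall's own CLI audit events for packet captures that target authentication ports, and for configuration exports, rather than to hunt for an implant. The script below is an added illustration of that check and is not code from SOCRadar, Fortinet, or the threat actor. It assumes FortiOS emits "Command executed" audit events as key="value" syslog with `user`, `ui` and `cli` fields (the field names are an assumption), that the syntax is `diagnose sniffer packet <iface> '<filter>' <verbose> <count> [a]`, where a count of 0 means unlimited and verbose levels 2, 3, 5 and 6 include packet payload, and that 10.0.0.0/8 is the trusted management range. The sample log lines are constructed for the example.

```python
"""Flag FortiOS CLI audit events matching FortiBleed-style tradecraft.

Added example (hypothetical detection logic); not SOCRadar's or Fortinet's code.
"""
import ipaddress
import re
from dataclasses import dataclass

# key="quoted value" or key=bare pairs, as FortiOS syslog emits them (field names assumed)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample audit lines; not captured from any real device.
SAMPLE_LOGS = [
    'date=2026-06-20 time=09:12:01 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.10)" action="execute" msg="Command executed" '
    'cli="diagnose sniffer packet any \'port 443 or port 10443\' 6 0 a"',
    'date=2026-06-20 time=09:13:44 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.10)" action="execute" msg="Command executed" '
    'cli="execute backup config tftp fw.conf 203.0.113.10"',
    'date=2026-06-20 time=10:01:05 type="event" subtype="system" user="netops" '
    'ui="ssh(10.0.0.5)" action="execute" msg="Command executed" '
    'cli="diagnose sniffer packet port1 \'icmp\' 4 10"',
    'date=2026-06-20 time=10:02:00 type="event" subtype="system" user="netops" '
    'ui="ssh(10.0.0.5)" action="execute" msg="Command executed" '
    'cli="get system status"',
]

MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # assumed trusted admin range
AUTH_PORTS = {"443", "10443", "22", "389", "636", "1812"}  # HTTPS, SSL-VPN, SSH, LDAP(S), RADIUS
PAYLOAD_VERBOSE = {"2", "3", "5", "6"}                     # levels that dump packet data (assumed)


@dataclass
class Finding:
    severity: str
    rule: str
    user: str
    src: str
    reasons: list


def parse_event(line):
    """Turn one FortiOS key=value line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def source_ip(ui):
    """Extract the client IP from a ui field such as ssh(203.0.113.10)."""
    m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", ui or "")
    return m.group(1) if m else ""


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def classify(ev):
    """Return a Finding for sniffer or config-export commands, else None."""
    cli = ev.get("cli", "")
    src = source_ip(ev.get("ui"))
    reasons = [] if is_trusted(src) else ["source outside management range"]

    if cli.startswith("diagnose sniffer packet"):
        filt = re.search(r"'([^']*)'", cli)
        ports = set(re.findall(r"port\s+(\d+)", filt.group(1))) if filt else set()
        if ports & AUTH_PORTS:
            reasons.append("filter targets authentication ports")
        tail = cli.split("'")[-1].split() if filt else cli.split()[4:]
        if len(tail) >= 1 and tail[0] in PAYLOAD_VERBOSE:
            reasons.append("verbose level dumps packet payload")
        if len(tail) >= 2 and tail[1] == "0":
            reasons.append("unbounded packet count")
        sev = "high" if reasons else "low"
        return Finding(sev, "sniffer", ev.get("user", ""), src, reasons)

    if cli.startswith("execute backup config") or cli.startswith("show full-configuration"):
        sev = "high" if reasons else "medium"
        return Finding(sev, "config-export", ev.get("user", ""), src, reasons)

    return None


def scan(lines):
    """Classify every line; drop events that match no rule."""
    return [f for f in (classify(parse_event(l)) for l in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.rule} by {f.user} from {f.src}: {'; '.join(f.reasons) or 'routine'}")
```

Run as-is it prints three findings from the constructed lines: the admin session from 203.0.113.10 running an unlimited, payload-dumping capture on ports 443 and 10443 is scored high, as is the subsequent config backup to the same external host, while the bounded ICMP capture from the management network scores low. In practice the same rules run over syslog forwarded to a SIEM, and the allowlisted management range and port set should be adapted to the environment.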

INC Ransom, which has been active since 2023, focuses on financial gain through ransomware and data extortion, meticulously choosing high-profile targets that are likely to yield substantial ransom payments. The gang primarily gains initial access through tactics such as phishing, the use of stolen credentials, and the exploitation of vulnerabilities in internet-facing systems within sectors such as industrial, healthcare, and education, particularly across the United States and Europe.

Lynx emerged in 2024 as a derivative of INC Ransom, exhibiting approximately 70% functional similarity and 50% code similarity with its predecessor. Lynx predominantly targets industries such as manufacturing, business services, technology, and transportation within Western nations.

Attribution efforts have unveiled some concerning insights; tooling with comments in the Cyrillic alphabet hints at a potential Russian origin for the threat actor. Additionally, the identification of high-profile victims, including entities aligned with NATO, raises the possibility of collaboration with Russian state-sponsored groups—an alarming trend previously noted within the Russian cybercrime ecosystem.

SOCRadar’s investigation also turned up around 200 attacker-controlled servers, sniffers and scanners after scrutinizing approximately 11,250 FortiGate devices across more than 150 countries. The data indicates that nearly 50% of all internet-exposed Fortinet firewalls may have been breached, underscoring the scale of the risk posed by these vulnerabilities.

The depth of access was equally troubling: nearly 90% of the breached devices saw a full attack chain, moving from the VPN compromise to domain controller access and finally to domain administrator privileges. This access facilitated at least 12 ransomware attacks, which encrypted hundreds of endpoints across the impacted organizations. Prominent entities such as Samsung, Accenture and Oracle are among the thousands of victims, which also include numerous government institutions and critical infrastructure providers.

Moreover, the threat actor’s methodology for maximizing exploitation power is notable. They rank potential targets according to their economic value, thereby optimizing the allocation of resources dedicated to exploitation. SOCRadar identified various Python scripts utilized by the group to align FortiGate IP addresses with the target organizations’ revenue, organizing a database of corporate details, and identifying high-revenue domains that have not yet been compromised.

After brute-forced credentials are collected, a cleaning pass produces a refined dataset that is then exported into separate username and password files. This methodical workflow reflects the level of operational maturity observed throughout the campaign and reinforces the urgent need for robust defenses against such attacks.
