FortiBleed Campaign Links Credential Theft to Ransomware Operations

First seen 2 Jul 2026, 18:59 UTC. Sources: GBHackers, The Register, Dark Reading, socradar.io

The FortiBleed campaign has been linked to two ransomware groups, INC Ransom and Lynx, through an operational security lapse that exposed one actor's simultaneous access to both groups' negotiation panels. The campaign targeted over 430,000 Fortinet firewalls and harvested credentials from at least 30,000 devices. Researchers confirmed admin-level access on 409 targets, with ransomware deployed on 12 of them. The attackers obtained SSL VPN authentication hashes and cracked them offline on a 45-GPU cluster. The findings indicate that FortiBleed is not merely a credential theft operation but a precursor to ransomware attacks, which raises the stakes for organizations running FortiGate infrastructure: a harvested VPN credential should be treated as a likely path to administrative access, not as an isolated account compromise.

Key Points:
• FortiBleed campaign linked to ransomware groups INC Ransom and Lynx.
• Over 430,000 Fortinet firewalls targeted, with credentials harvested from 30,000 devices.
• At least 12 ransomware deployments confirmed from FortiBleed access.
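The chain described above (harvested SSL VPN credentials, then admin-level access on the firewall) suggests a concrete correlation check for defenders. The script below is an added example, not code from the article or from any of the cited researchers. It parses FortiGate-style key=value event log lines and flags two patterns: an SSL VPN user whose session comes up from the same remote IP right after a burst of login failures (cracked or stuffed credentials being tried), and an administrative UI login from an address outside an admin allowlist, with a stronger tag when that address was also seen on an SSL VPN session. The field names (`subtype`, `action`, `remip`, `ui`, `status`) are modeled on the FortiOS event log schema and are an assumption here; the sample lines are constructed for the demonstration, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in FortiGate-style key=value syslog format.
# Field names are an assumption modeled on the FortiOS event schema; the
# addresses, users and timestamps are invented for this example.
SAMPLE_LOGS = """\
date=2026-06-18 time=02:11:03 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=203.0.113.10 reason="sslvpn_login_permission_denied"
date=2026-06-18 time=02:11:05 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=203.0.113.10 reason="sslvpn_login_permission_denied"
date=2026-06-18 time=02:11:07 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=203.0.113.10 reason="sslvpn_login_permission_denied"
date=2026-06-18 time=02:11:09 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=203.0.113.10
date=2026-06-18 time=02:30:44 type="event" subtype="system" action="login" user="admin" ui="https(203.0.113.10)" status="success"
date=2026-06-18 time=09:00:00 type="event" subtype="system" action="login" user="admin" ui="https(10.0.0.5)" status="success"
"""

# key=value pairs; values may be bare tokens or double-quoted strings.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict and attach a datetime under 'ts'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def source_ip(rec):
    """Remote address of the event: remip for VPN events, the address inside
    ui="https(x.x.x.x)" for administrative UI logins, else None."""
    if "remip" in rec:
        return rec["remip"]
    m = re.search(r"\(([^)]+)\)", rec.get("ui", ""))
    return m.group(1) if m else None


def detect(lines, admin_allowlist, fail_threshold=3, window=timedelta(minutes=10)):
    """Return findings as (tag, user, ip, fail_count) tuples in time order."""
    recs = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    fails = defaultdict(list)   # (user, ip) -> timestamps of ssl-login-fail events
    vpn_ips = set()             # addresses that established an SSL VPN tunnel
    findings = []
    for r in recs:
        ip = source_ip(r)
        if r.get("subtype") == "vpn":
            key = (r.get("user"), ip)
            if r.get("action") == "ssl-login-fail":
                fails[key].append(r["ts"])
            elif r.get("action") == "tunnel-up":
                vpn_ips.add(ip)
                # Success shortly after a burst of failures from the same source
                recent = [t for t in fails[key] if r["ts"] - t <= window]
                if len(recent) >= fail_threshold:
                    findings.append(("vpn_fail_then_success", r.get("user"), ip, len(recent)))
        elif (r.get("subtype") == "system" and r.get("action") == "login"
              and r.get("status") == "success"):
            if ip not in admin_allowlist:
                # Admin login from an address that also ran a VPN session is the
                # credential-theft-to-admin pivot described in the article.
                tag = ("admin_login_from_vpn_source" if ip in vpn_ips
                       else "admin_login_unexpected_source")
                findings.append((tag, r.get("user"), ip, None))
    return findings


def run_sample():
    """Run the detector over the constructed sample with one allowlisted admin host."""
    return detect(SAMPLE_LOGS.splitlines(), admin_allowlist={"10.0.0.5"})


if __name__ == "__main__":
    for tag, user, ip, count in run_sample():
        print(tag, user, ip, count if count is not None else "")
```

The allowlist stands in for whatever management-network restriction the organisation already enforces; the point of the second rule is that an admin login from an address only ever seen on the SSL VPN side is exactly the pivot this campaign relied on, and it is visible in the firewall's own event log before any ransomware is staged.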

ThreatCluster AI

Timeline

2026-06-17
FortiBleed campaign disclosed
The campaign targeted over 430,000 Fortinet firewalls, harvesting credentials and exploiting SSL VPN authentication.
Theregister
2026-07-02
Link between FortiBleed and ransomware confirmed
Research revealed a single operator linked to both INC and Lynx ransomware groups, indicating direct ties to ransomware deployment.
Darkreading
2026-07-02
Admin-level access confirmed on multiple targets
Attackers achieved admin-level access on 409 targets, completing the full attack chain on 354 of them.
Theregister