
FortiBleed credential-theft campaign linked to Lynx ransomware

Why This Matters

Tying the FortiBleed credential-theft campaign to the Lynx and INC ransomware groups shows that the harvested Fortinet credentials were a supply line for ransomware intrusions rather than an end in themselves. For defenders the practical consequence is that any credential stored on, or authenticated through, an affected FortiGate should be treated as compromised and rotated, and that subsequent VPN logins with those accounts should be reviewed as possible initial access.

Key Takeaways

The massive FortiBleed credential theft campaign has been linked to the INC and Lynx ransomware operations, suggesting the stolen Fortinet credentials were intended to fuel future network intrusions.

Earlier this month, a server containing credentials stolen from more than 73,000 Fortinet devices was discovered exposed on the internet. Researchers found the server contained downloaded FortiGate configuration files, credentials harvested from compromised devices, and infrastructure used to crack password hashes and perform credential-stuffing attacks.
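A stolen FortiGate configuration backup matters because it carries the device's stored credentials: administrator passwords, local VPN user passwords, LDAP bind passwords and IPsec pre-shared keys, all in Fortinet's "ENC" form, which the attackers in this campaign then set about cracking. The script below is an added example, not code from the article, SOCRadar or Fortinet: it walks a constructed FortiGate-style config fragment (placeholder ENC values, not a real backup), lists every stored secret with the object it belongs to, and orders them into a rotation plan. The priority rules and the treatment of a missing `two-factor` line as "no second factor" are this example's assumptions.

```python
from collections import Counter

# Constructed sample, not a real device backup: a trimmed FortiGate-style
# configuration with placeholder ENC values. It follows the
# "config <path> / edit <name> / set <key> <value> / next / end" layout of
# FortiOS backups.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC AAAAAAAAAAAAAAAAAAAAAAAA
    next
    edit "backup-admin"
        set accprofile "super_admin"
        set two-factor fortitoken
        set password ENC BBBBBBBBBBBBBBBBBBBBBBBB
    next
end
config user local
    edit "alice"
        set type password
        set passwd ENC CCCCCCCC
    next
    edit "svc-ldap"
        set type ldap
        set ldap-server "corp-ad"
    next
end
config user ldap
    edit "corp-ad"
        set server "10.0.0.5"
        set dn "dc=corp,dc=example"
        set username "cn=fortibind,ou=svc,dc=corp,dc=example"
        set password ENC DDDDDDDD
    next
end
config vpn ipsec phase1-interface
    edit "site-b"
        set interface "wan1"
        set psksecret ENC EEEEEEEE
    next
end
"""

# Config keys whose values are stored credentials in a FortiOS backup.
SECRET_KEYS = {"password", "passwd", "psksecret"}
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def extract_secrets(config_text):
    """Return one dict per stored secret: the section and object it belongs
    to, the key holding it, whether the value is ENC-encoded, and whether the
    object has a two-factor setting enabled (assumed off when absent)."""
    findings = []
    sections = []  # stack of open "config ..." paths
    obj = None     # the object currently between edit ... next
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 2)
        kw = parts[0]
        if kw == "config":
            sections.append(line[len("config"):].strip())
        elif kw == "end":
            sections.pop()
        elif kw == "edit":
            obj = {"section": sections[-1], "name": parts[1].strip('"'),
                   "two_factor": False, "secrets": []}
        elif kw == "next" and obj is not None:
            for key, value in obj["secrets"]:
                findings.append({"section": obj["section"], "name": obj["name"],
                                 "key": key, "encoded": value.startswith("ENC "),
                                 "two_factor": obj["two_factor"]})
            obj = None
        elif kw == "set" and obj is not None:
            key = parts[1]
            value = parts[2] if len(parts) > 2 else ""
            if key == "two-factor":
                obj["two_factor"] = value != "disable"
            elif key in SECRET_KEYS:
                obj["secrets"].append((key, value))
    return findings


def priority(finding):
    """Rotation priority once the config is assumed stolen. The ordering is this
    example's assumption, not a Fortinet guideline: every ENC value is treated
    as recoverable by the adversary, since the page reports hash cracking."""
    if finding["section"] == "system admin":
        return "critical" if not finding["two_factor"] else "high"
    if finding["key"] == "psksecret":
        return "high"  # shared with the peer; both ends must change it
    return "high" if not finding["two_factor"] else "medium"


def rotation_plan(config_text):
    """All stored secrets, ordered by priority, then section, then name."""
    plan = extract_secrets(config_text)
    for f in plan:
        f["priority"] = priority(f)
    plan.sort(key=lambda f: (PRIORITY_RANK[f["priority"]], f["section"], f["name"]))
    return plan


def summarize(plan):
    """Count of secrets per priority level, e.g. {'critical': 1, 'high': 4}."""
    return dict(Counter(f["priority"] for f in plan))


if __name__ == "__main__":
    for f in rotation_plan(SAMPLE_CONFIG):
        print(f"{f['priority']:<8} {f['section']:<28} {f['name']:<14} {f['key']}")
```

Run against a real backup, the plan is the rotation checklist; the LDAP bind account and the IPsec PSK are easy to forget because they live on the directory server and the peer gateway, not on the firewall alone.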

The campaign was dubbed "FortiBleed" because of the sheer number of credentials it exposed.

Follow-up investigations by SOCRadar revealed that the operation deployed a custom packet-sniffing tool called "FortiGate Sniffer" on compromised FortiGate firewalls, allowing attackers to intercept VPN credentials and other authentication data directly from traffic passing through the device, rather than relying solely on the stored hashes.

The latest research from SOCRadar's Threat Research Unit (STRU) now ties the credential-theft operation directly to members of the INC and Lynx ransomware-as-a-service (RaaS) groups.

The researchers told BleepingComputer that they discovered this link after identifying a Windows server used as part of the FortiBleed infrastructure.

"Our threat researchers identified a Windows server belonging to the FortiBleed infrastructure, which provided further insight into the threat actors' modus operandi," SOCRadar told BleepingComputer.

"During the investigation of that server, analysis of the collected artifacts revealed that the threat actor had accessed the ransomware negotiation panels of both the Lynx / INC ransomware group."

SOCRadar shared screenshots with BleepingComputer showing browser sessions accessing the administration panels for both ransomware groups. The images show negotiation dashboards containing victim chats used during ransomware negotiations.

According to the researchers, this provides direct evidence that an individual with access to FortiBleed infrastructure was also involved with the ransomware groups' negotiation platforms.
