Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

New Malicious Campaign Delivers Vidar Stealer and Monero Crypto Miner

July 9, 2026

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

July 9, 2026

China-Linked APT Expands Proxy Network With New Malware

July 8, 2026
Facebook X (Twitter) Instagram
Thursday, July 9
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations
News

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

Team-CWDBy Team-CWDJuly 9, 2026No Comments4 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


The recently discovered financially-motivated FortiBleed campaign has been attributed to INC and Lynx ransomware operations, indicating that the verified, stolen credentials were intended for follow-on intrusions.

“An operator tied to FortiBleed’s infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment for the first time,” SOCRadar said in a new report published Wednesday.

The company said it tracked scanning activity against approximately 11,250 FortiGate portals in more than 150 countries, followed by confirmed admin-level access on 409 targets and successful completion of the full attack chain on 354 of them. In all, at least 12 ransomware deployments have resulted from this access, causing hundreds of endpoints to be encrypted across affected organizations.

The large-scale credential-harvesting operation, which came to light last month, involved the threat actors systematically scanning the internet for exposed Fortinet devices, attempting to break into them using known credential combinations, and then deploying custom packet sniffers to passively gather credentials and other authentication data from network traffic.

The campaign is assessed to have targeted 430,000 FortiGate firewalls globally, gathering over 110 million credentials in the process. The activity was exposed after an operational security error on the part of the attackers left a server containing credentials stolen from thousands of Fortinet appliances exposed on the internet.

The Golang sniffer is estimated to have been installed on about 12,000 Fortinet devices, making it a subset of the total number of networking gear targeted.

The latest findings from SOCRadar show that an operator with access to FortiBleed infrastructure was found logged in to both INC Ransom and Lynx negotiation panels, with victims listed by INC Ransom overlapping with data from the campaign. The links are based on one of the 200 newly discovered servers associated with the FortiBleed infrastructure that granted visibility into internal files, logs, and operational documentation.

Ensar Seker, chief information security officer at SOCRadar, told The Hacker News via email that the exposed server functioned as a staging staging and operational coordination server, and was not used for phishing or active credential collection.

“It contained target inventories, harvested data, automation scripts, configuration files, and operational artifacts that indicate it was used to coordinate large-scale credential harvesting against internet-facing network appliances,” Seker said. “In other words, it served as part of the attackers’ backend infrastructure rather than the infrastructure victims directly interacted with.”

Tooling, logs, and working hours indicate that the activity is the work of a Russian-speaking threat actor who likely operates as an initial access broker. Much of the targeting has singled out manufacturing, technology, and logistics sectors in Latin America and the Asia Pacific regions.

SOCRadar also said it discovered an internal document that indicates it’s an organized operation comprising about 20 people with a clear division of labor. “A small core of lead operators drives most high-impact intrusions, backed by specialists and support staff,” it added.

In addition, the threat actors are believed to be in possession of at least one zero-day vulnerability in Nextcloud. The threat intelligence firm said it’s actively coordinating with the affected vendor.

The Delaware-based company said it also identified Citrix-related artifacts that indicate the activity is likely targeting beyond Fortinet devices. The identified infrastructure included a dedicated target list containing about 29,000 IP addresses and 37 domains associated with Citrix environments. This suggests the automated workflow may be repurposed for other remote access technologies.

“At this stage, the presence of these target lists does not conclusively prove that credential harvesting against Citrix devices has already occurred at scale,” Seker explained. “Rather, it demonstrates clear reconnaissance and targeting preparations.”

“However, given the sophistication of the infrastructure and the operators proven ability to automate credential collection against Fortinet devices, organizations using internet-facing Citrix infrastructure should treat this as an early warning and verify authentication logs, rotate exposed credentials where appropriate, enforce MFA, and monitor for anomalous login activity.”

The disclosure comes as eSentire said it observed threat actors exploiting a flaw in Fortinet FortiClient EMS (CVE-2026-35616, CVSS score: 9.1) to deploy an information stealer called EKZ Stealer against a customer in the energy, utilities, and waste sector with the end goal of harvesting credentials from Chromium-based browsers and Firefox and exfiltrating them via PowerShell. 



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleChina-Linked APT Expands Proxy Network With New Malware
Next Article New Malicious Campaign Delivers Vidar Stealer and Monero Crypto Miner
Team-CWD
  • Website

Related Posts

News

New Malicious Campaign Delivers Vidar Stealer and Monero Crypto Miner

July 9, 2026
News

China-Linked APT Expands Proxy Network With New Malware

July 8, 2026
News

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation

July 8, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

How cybercriminals are targeting content creators

November 26, 2025

Watch out for SVG files booby-trapped with malware

September 22, 2025

How to help older family members avoid scams

October 31, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.