Key Takeaways

  • SOCRadar uncovered a FortiBleed operator accessing both INC Ransom and Lynx negotiation panels
  • The campaign targeted 430,000 Fortinet FortiGate firewalls and completed the full attack chain on 354 targets
  • Researchers say FortiBleed actors are also exploiting a Nextcloud zero-day bug to expand network access

The discovery that a FortiBleed operator was logged into the ransom negotiation panels for both INC Ransom and Lynx has shifted the narrative around the campaign. What began as a sprawling credential theft wave against Fortinet FortiGate firewalls now operates as a direct ransomware supply line. This escalation highlights the growing threat for organizations compromised in the initial access wave.

Researchers at SOCRadar reported the linkage came from an operational security lapse by the threat group, which allowed investigators to access logs and internal documentation. Inside those files, the team found direct evidence tying the credential harvesting to downstream ransomware actions. The finding fits a wider trend documented by the European Union Agency for Cybersecurity, which noted in its 2024 threat landscape report that ransomware-as-a-service models rely heavily on credential theft and VPN exploitation.

Mass compromises of remote access devices frequently feed ransomware groups, but the scale of the FortiBleed operation is particularly notable. SOCRadar's Threat Research Unit reports that the campaign targeted roughly 430,000 FortiGate devices worldwide and harvested credentials for more than 30,000 devices. The group installed a Golang-based sniffer on approximately 12,000 firewalls, effectively turning them into credential-collection nodes.

Further investigation revealed the extent of the network intrusions. The Threat Research Unit found that attackers reached admin-level access on 409 targets and completed the full attack chain—including VPN compromise and domain controller access—on 354 of them. The campaign's internal tracking document explicitly noted whether ransomware was successfully deployed on these networks. Security teams recognize that a shift from initial access brokering to active encryption represents a severe escalation of operational risk, often leading to data extortion and extended network downtime.

In addition to firewall exploitation, SOCRadar confirmed that FortiBleed actors are also exploiting a Nextcloud zero-day bug. That exploitation is described as part of the intrusion and access expansion phase rather than a ransomware payload stage. Using a previously unknown vulnerability to widen entry points indicates the ecosystem around FortiBleed is highly organized. Nextcloud, contacted prior to publication of the original reporting, had not responded.

Industry researchers map these tactics to known attack patterns within the MITRE ATT&CK framework, which includes credential harvesting, VPN compromise, and lateral movement techniques often seen in ransomware pipelines. Security teams relying on this mapping use it to prioritize compensating controls. Others point to guidance from zero trust models, which emphasize strong identity controls and the assumption that network boundaries cannot be trusted as a primary defense.

Palo Alto Networks and Darktrace have previously analyzed the Lynx ransomware code lineage, noting that Lynx retains 70% to 90% code similarity with INC and uses double extortion across the manufacturing, finance, legal, and energy sectors. Seeing FortiBleed operators supply access to both brands reinforces that RaaS families behave as interconnected ecosystems rather than isolated crews. It also raises questions for organizations depending heavily on firewalls and VPNs as perimeter tools.

Remote access infrastructure remains one of the most sensitive components in the enterprise technology stack. Researchers at the SANS Institute note that misconfigured firewalls and VPN concentrators create foothold opportunities that are difficult to detect. When attackers install sniffers directly on those devices, traditional markers of compromise become even harder to spot.

Not everything in the campaign points to immediate encryption activity. SOCRadar researchers noted that most observed behaviors initially aligned with credential theft and network profiling. However, the presence of an operator actively engaging with INC Ransom and Lynx ransom demands, using infrastructure traceable back to FortiBleed, indicates that the monetization pathways are in active use.

Across the broader landscape, the Cybersecurity and Infrastructure Security Agency frequently highlights the importance of segmenting identity systems and monitoring for anomalous VPN behavior. While enterprises often find that level of tuning difficult to maintain, campaigns targeting thousands of firewalls through automated tooling emphasize the necessity of continuous configuration validation.
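The "anomalous VPN behavior" monitoring mentioned above can be made concrete with a few detection rules run over authentication logs. The script below is an added illustration, not code from SOCRadar, CISA or Fortinet, and it works on constructed sample lines in a simplified key=value format rather than FortiGate's real syslog schema. The three rules (one account tunnelling up from several source IPs in a short window, an administrative login from a host outside an assumed allow-list, and a run of failures followed by a success from the same source) and their thresholds are assumptions chosen for the example.

```python
"""Added example: flag VPN authentication patterns worth a closer look.

Not SOCRadar's, CISA's or Fortinet's code. The log format below is a
constructed, simplified key=value layout, not FortiGate's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOGS = """\
ts=2024-05-01T08:02:11Z user=alice src=203.0.113.10 action=tunnel-up result=success
ts=2024-05-01T08:05:40Z user=bob src=198.51.100.7 action=tunnel-up result=success
ts=2024-05-01T08:06:02Z user=alice src=192.0.2.44 action=tunnel-up result=success
ts=2024-05-01T08:06:30Z user=alice src=192.0.2.45 action=tunnel-up result=success
ts=2024-05-01T03:15:00Z user=admin src=192.0.2.99 action=admin-login result=success
ts=2024-05-01T08:10:00Z user=carol src=203.0.113.20 action=tunnel-up result=failure
ts=2024-05-01T08:10:05Z user=carol src=203.0.113.20 action=tunnel-up result=failure
ts=2024-05-01T08:10:09Z user=carol src=203.0.113.20 action=tunnel-up result=failure
ts=2024-05-01T08:10:14Z user=carol src=203.0.113.20 action=tunnel-up result=failure
ts=2024-05-01T08:10:18Z user=carol src=203.0.113.20 action=tunnel-up result=failure
ts=2024-05-01T08:10:25Z user=carol src=203.0.113.20 action=tunnel-up result=success
"""

# Assumed tuning values; real deployments would derive these from a baseline.
KNOWN_ADMIN_SOURCES = {"203.0.113.5"}   # assumed allow-list of admin hosts
WINDOW = timedelta(minutes=10)           # look-back for the multi-source rule
MAX_DISTINCT_SOURCES = 3                 # alert at this many source IPs per account
FAILURE_STREAK_THRESHOLD = 5             # failures before a success that trigger an alert


def parse_line(line):
    """Parse one 'key=value key=value' line into a dict with a datetime ts."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of alert dicts for the three rules described in the lead-in."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])

    # Rule 1: one account establishes tunnels from MAX_DISTINCT_SOURCES or more
    # source IPs within WINDOW, a pattern consistent with stolen credentials in reuse.
    successes = defaultdict(list)
    for e in events:
        if e["action"] == "tunnel-up" and e["result"] == "success":
            successes[e["user"]].append(e)
    for user, evs in successes.items():
        for i, first in enumerate(evs):
            srcs = {x["src"] for x in evs[i:] if x["ts"] - first["ts"] <= WINDOW}
            if len(srcs) >= MAX_DISTINCT_SOURCES:
                alerts.append({"rule": "multi_source", "user": user, "detail": sorted(srcs)})
                break  # one alert per account is enough

    # Rule 2: successful administrative login from a source outside the allow-list.
    for e in events:
        if (e["action"] == "admin-login" and e["result"] == "success"
                and e["src"] not in KNOWN_ADMIN_SOURCES):
            alerts.append({"rule": "admin_unknown_source", "user": e["user"], "detail": e["src"]})

    # Rule 3: a streak of consecutive failures for (user, src) ending in a success.
    streak = defaultdict(int)
    for e in events:
        if e["action"] != "tunnel-up":
            continue
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            streak[key] += 1
            continue
        if streak[key] >= FAILURE_STREAK_THRESHOLD:
            alerts.append({"rule": "failures_then_success", "user": e["user"],
                           "detail": f"{streak[key]} failures from {e['src']}"})
        streak[key] = 0
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

Each rule is deliberately cheap enough to run continuously against a log stream; the point is that a small baseline (known admin hosts, typical source counts per account) is what turns raw VPN authentication events into the anomaly signal the agency guidance asks for.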

Incidents that combine credential harvesting, access brokering, and exploitation of a zero-day bug act as a forcing function for enterprise security teams. They highlight how interconnected attacker ecosystems have become and how compromised credentials serve as a multi-purpose resource. As researchers continue to analyze the findings, affected organizations are actively reevaluating their firewall posture, remote-access configurations, and long-term identity strategies.