
FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks

Medium
Vulnerability
Published: 07/02/2026 (07/02/2026, 12:34:29 UTC)
Source: SecurityWeek

Description

The FortiBleed campaign is a large-scale credential-harvesting operation targeting over 430,000 FortiGate firewalls globally. Attackers deploy a network sniffer to capture cleartext credentials and password hashes, enabling further compromise. The harvested credentials have been linked to ransomware attacks by the INC and Lynx ransomware groups. The campaign has been ongoing since at least February 2026, compromising over 110 million credentials and leading to ransomware deployment on multiple targets. The operation involves a coordinated group of about 20 individuals, including those conducting intrusions and providing technical support. This campaign demonstrates a direct link between credential theft from FortiGate devices and ransomware attacks.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 07/02/2026, 12:36:34 UTC

Technical Analysis

FortiBleed is a credential-harvesting campaign targeting FortiGate firewalls, using a network sniffer called FortigateSniffer to extract cleartext credentials and password hashes from network traffic. Since February 2026, it has compromised over 430,000 firewalls and harvested more than 110 million credentials. Attackers gained administrative access on hundreds of FortiGate portals, completing full attack chains including VPN compromise and domain admin privilege escalation. The stolen credentials have been used by ransomware operations INC and Lynx, confirmed by overlapping victim sets and shared operator infrastructure. The campaign is attributed to a Russian initial access broker aiming to establish persistent access and facilitate ransomware deployment. The operation involves roughly 20 individuals with roles ranging from intrusion to technical support.

Potential Impact

The campaign has resulted in the compromise of hundreds of thousands of FortiGate firewalls and the theft of over 110 million credentials. Attackers have gained administrative access on hundreds of targets, enabling them to compromise VPNs, access domain controllers, and escalate privileges to domain admins. This has led to ransomware deployment in at least 12 incidents, with hundreds of endpoints encrypted across affected organizations. The direct use of harvested credentials in ransomware attacks by INC and Lynx ransomware groups demonstrates a significant operational impact on victim organizations.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations using FortiGate firewalls should monitor vendor advisories for patches or official mitigations related to FortiBleed. Until an official fix is available, restrict administrative access to FortiGate portals, enforce strong authentication methods, and consider network segmentation to limit exposure. Review firewall logs for unusual access patterns and consider rotating credentials and VPN keys if compromise is suspected.


Technical Details

Article Source
https://www.securityweek.com/fortibleed-campaign-linked-to-inc-lynx-ransomware-attacks/ (fetched 2026-07-02T12:36:25.343Z, 1085 words)

Threat ID: 6a465b4927e9c797194d95d5

Added to database: 07/02/2026, 12:36:25 UTC

Last enriched: 07/02/2026, 12:36:34 UTC

Last updated: 07/02/2026, 12:54:57 UTC
