Lynx ransomware linked to FortiBleed credential-theft campaign

Summary
– The FortiBleed campaign stole credentials from over 73,000 Fortinet devices using a custom packet-sniffing tool on compromised FortiGate firewalls.
– The operation is now linked to the INC and Lynx ransomware groups, with evidence showing access to their negotiation panels from the campaign’s infrastructure.
– The campaign targeted more than 430,000 FortiGate firewalls globally, deploying sniffers on about 19,000 devices, with roughly 11,000 still compromised.
– About 500 servers were used in the operation, which is believed to have around 20 members with defined roles.
– Attackers may have exploited an undisclosed Nextcloud zero-day vulnerability and created persistent backdoor accounts with the username “adminin” on compromised systems.
The sprawling FortiBleed credential-theft campaign has now been directly tied to the INC and Lynx ransomware operations, revealing that the stolen Fortinet credentials were likely stockpiled to enable future network breaches. Earlier this month, researchers uncovered an exposed internet server containing credentials harvested from over 73,000 Fortinet devices. That server held downloaded FortiGate configuration files, stolen authentication data, and infrastructure specifically designed to crack password hashes and execute credential-stuffing attacks. Security analysts dubbed the massive operation “FortiBleed” because of the sheer volume of compromised credentials.
Subsequent investigations by SOCRadar found that attackers deployed a custom packet-sniffing tool called “FortiGate Sniffer” on compromised FortiGate firewalls. This tool allowed them to intercept VPN credentials and other authentication data directly from network traffic. Now, SOCRadar’s Threat Research Unit (STRU) has established a direct link between the credential theft operation and members of the INC and Lynx ransomware-as-a-service (RaaS) groups.
The breakthrough came when researchers identified a Windows server that was part of the FortiBleed infrastructure. “Our threat researchers identified a Windows server belonging to the FortiBleed infrastructure, which provided further insight into the threat actors’ modus operandi,” SOCRadar told BleepingComputer. “During the investigation of that server, analysis of the collected artifacts revealed that the threat actor had accessed the ransomware negotiation panels of both the Lynx / INC ransomware group.”
SOCRadar shared screenshots with BleepingComputer showing browser sessions that accessed the administration panels for both ransomware groups. The images display negotiation dashboards containing victim chats used during ransomware discussions. According to researchers, this provides direct evidence that an individual with access to FortiBleed infrastructure was also involved with the ransomware groups’ negotiation platforms.
The company also identified more than 200 additional operational servers beyond those originally associated with the campaign. It discovered victim information harvested during FortiBleed that overlaps with organizations later listed on the INC ransomware leak site. Evidence suggests the operation consists of roughly 20 members with defined roles, and SOCRadar says the campaign was considerably larger than originally understood.
According to the researchers, the operation targeted more than 430,000 FortiGate firewalls worldwide and deployed traffic sniffers on approximately 19,000 devices. After notifying impacted organizations, the number has fallen to around 11,000 compromised devices. The researchers also identified roughly 500 servers used by the operation.
The attackers may have exploited a previously undisclosed Nextcloud zero-day vulnerability as part of their operations to expand access after initial compromise, though technical details have not yet been released. SOCRadar also told BleepingComputer it found persistent backdoor accounts using the username “adminin” on compromised systems and is continuing efforts to recover ransomware decryption keys.
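One defender-side check that the "adminin" finding invites is auditing FortiGate configuration backups for administrator accounts nobody provisioned. The following is an added example, not code from the article or from SOCRadar; the configuration snippet is constructed, and the FortiOS CLI layout and the allowlist of known accounts are assumptions.

```python
import re

# Constructed sample of a FortiGate config backup (FortiOS CLI syntax as assumed here); "adminin" mirrors the reported backdoor name.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "adminin"
        set accprofile "super_admin"
    next
    edit "audit-ro"
        set accprofile "prof_admin"
    next
end
"""

# Accounts the organisation knows it created (assumed allowlist).
EXPECTED_ADMINS = {"admin", "audit-ro"}

def parse_admin_accounts(config_text):
    # Pull only the 'config system admin' block, then walk its edit/next entries.
    m = re.search(r"^config system admin\n(.*?)^end\b", config_text, re.S | re.M)
    accounts, current = {}, None
    for line in (m.group(1).splitlines() if m else []):
        line = line.strip()
        if line.startswith('edit "'):
            current = line[6:-1]
            accounts[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            accounts[current][key] = value.strip('"')
    return accounts

def find_unexpected_admins(config_text, expected=EXPECTED_ADMINS):
    # Flag admin accounts outside the allowlist and note settings that raise risk.
    findings = []
    for name, s in parse_admin_accounts(config_text).items():
        if name in expected:
            continue
        reasons = ["not in allowlist"]
        if s.get("accprofile") == "super_admin":
            reasons.append("super_admin profile")
        if not any(k.startswith("trusthost") for k in s):
            reasons.append("no trusthost restriction")
        findings.append((name, ", ".join(reasons)))
    return findings
```

Running `find_unexpected_admins` over a fleet of exported backups turns the single reported username into a general check for any unprovisioned administrator, which is the durable control here since a backdoor account name can change between victims.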
INC Ransom has operated as a ransomware-as-a-service platform since mid-2023, targeting organizations across healthcare, education, government, and other sectors worldwide. Lynx emerged in mid-2024 and is believed by security researchers to be a rebrand of the INC ransomware gang rather than a new extortion group. SOCRadar says a second technical white paper containing indicators of compromise, attribution evidence, and additional technical analysis will be released once its investigation is complete.
(Source: BleepingComputer)