The massive FortiBleed credential theft campaign has been linked to the INC and Lynx ransomware operations, suggesting the stolen Fortinet credentials were intended to fuel future network intrusions.
Earlier this month, a server containing credentials stolen from more than 73,000 Fortinet devices was discovered exposed on the internet. Researchers found the server contained downloaded FortiGate configuration files, credentials harvested from compromised devices, and infrastructure used to crack password hashes and perform credential-stuffing attacks.
The campaign was dubbed "FortiBleed" because of the sheer volume of credentials exposed and the scale of the credential-theft operation behind it.
Follow-up investigations by SOCRadar revealed that the operation used a custom packet-sniffing tool called "FortiGate Sniffer" on compromised FortiGate firewalls, allowing attackers to intercept VPN credentials and other authentication data directly from network traffic.
The latest research from SOCRadar's Threat Research Unit (STRU) now ties the credential-theft operation directly to members of the INC and Lynx ransomware-as-a-service (RaaS) groups.