FortiBleed activity linked to both INC Ransom and Lynx, researchers say

Researchers say last month’s FortiBleed campaign is more closely connected to the ransomware ecosystem than first thought, after finding evidence that one operator appears to have used affiliate acces...

Researchers say last month’s FortiBleed campaign is more closely connected to the ransomware ecosystem than first thought, after finding evidence that one operator appears to have used affiliate access for both INC Ransom and Lynx.

SOC Radar’s Threat Research Unit said it spent weeks mapping infrastructure associated with the campaign and uncovered logs from one server that had been exposed because of an operational security mistake. Those records allegedly showed a member of the initial access broker group logged into both ransomware affiliate panels, suggesting a direct bridge between stolen FortiGate access and downstream extortion activity.

Evidence points to ransomware handoff

According to the researchers, the shared login activity is the strongest sign yet that FortiBleed was not simply a credential-theft operation, but part of the pipeline that feeds ransomware groups with access to victim networks. The team said it has so far connected at least 12 ransomware incidents to organizations affected by FortiBleed.

SOC Radar also said the broader campaign was larger than early attack counts implied. Its analysis covered 11,250 Fortinet portals, although more than 430,000 firewalls were reportedly targeted. From that pool, the researchers confirmed admin-level access on 409 systems. On 354 of those, attackers allegedly completed the full intrusion chain, including VPN compromise, internal network access and reach into domain controllers and domain admin accounts.

How the campaign worked

FortiBleed was disclosed on June 17 and was not described as a novel software flaw. Instead, investigators said attackers intercepted SSL VPN authentication material and then cracked the captured hashes using a large GPU cluster managed through Hashtopolis. Once credentials were recovered, the operators could move into victims’ Active Directory environments and maintain persistence.

Fortinet had previously introduced PBKDF2 for credential storage, but the change only took effect after administrators logged in again. As a result, some organizations may still have been relying on older SHA-256-based storage with salt, which is more exposed to brute-force attacks.

Early reporting on the campaign suggested more than 73,000 unique firewall URLs may have been successfully hit, with a long list of major companies later appearing in public discussions of the incident.

For defenders, the latest findings reinforce that FortiGate exposure can quickly turn into broader ransomware risk, especially when stolen access is resold or reused by multiple criminal groups.