Introduction: A Hidden Cyber Operation That Turned Firewalls Into Gateways for Ransomware
Cybersecurity incidents often begin with noisy exploits, malware downloads, or phishing emails. FortiBleed changed that assumption. Instead of launching visible attacks, threat actors quietly transformed enterprise firewalls into surveillance points, silently collecting administrator credentials without deploying a single malicious payload. What initially appeared to be a credential harvesting campaign has now evolved into something far more dangerous.
New findings from SOCRadar’s Threat Research Unit reveal direct operational links between the massive FortiBleed campaign and two of today’s active ransomware organizations, INC Ransom and Lynx. The evidence goes far beyond infrastructure similarities or behavioral patterns. Investigators discovered an operator connected to FortiBleed actively managing ransom negotiations for both ransomware groups in real time, providing one of the clearest attribution cases seen in recent cybercrime investigations.
The discovery significantly changes the threat landscape surrounding FortiGate devices. Organizations are no longer facing only the possibility of stolen credentials being sold on underground markets months later. Instead, compromised credentials are being weaponized almost immediately by the very criminals who collect them. This dramatically shortens the timeline from initial compromise to full-scale ransomware deployment and places hundreds of thousands of organizations worldwide at elevated risk.
SOCRadar Uncovers Direct Link Between FortiBleed and Ransomware Operations
SOCRadar’s latest investigation establishes a direct connection between the FortiBleed credential harvesting infrastructure and the ransomware groups INC Ransom and Lynx. Unlike previous intelligence reports that relied on indirect indicators, researchers uncovered operational evidence showing a shared threat actor actively participating in both environments.
The operator was found logged into ransomware negotiation portals belonging to both groups simultaneously, communicating with victims and managing extortion operations. This level of visibility provides exceptionally strong attribution, eliminating much of the uncertainty that usually surrounds cybercriminal investigations.
The discovery confirms that FortiBleed is not simply a credential theft operation. It is part of an integrated attack chain leading directly to ransomware deployment.
How FortiBleed Quietly Harvested Credentials Across the World
One of the most alarming aspects of FortiBleed is its simplicity.
Rather than exploiting software vulnerabilities through malware or code execution, attackers developed a custom Go-based utility named FortigateSniffer. This tool abuses legitimate FortiOS packet diagnostic capabilities to monitor authentication traffic flowing through the firewall itself.
The firewall essentially becomes an unwilling surveillance device.
Because the technique relies entirely on native diagnostic functionality, no malicious software needs to be installed on the target appliance. It does presuppose administrative access to the firewall's command line in the first place; the article does not detail how that initial foothold was obtained. Endpoint security products have no agent on the firewall, and a built-in diagnostic command looks nothing like malware, so the activity rarely triggers an alert.
The attackers simply observe authentication requests generated by legitimate users across nearly two dozen supported protocols, collecting usernames, passwords, VPN credentials, and administrative logins as they pass through the firewall.
This passive approach dramatically reduces the likelihood of detection while allowing credential collection on an enormous scale.
A Campaign That Reached More Than 150 Countries
Following its initial disclosure, SOCRadar significantly expanded its investigation using Shodan, Censys, Validin, and proprietary internet-wide scanning capabilities.
Researchers identified approximately 200 additional operational servers associated with FortiBleed beyond the infrastructure documented in the original report.
These servers served multiple purposes, including credential interception, network reconnaissance, victim tracking, and internet-wide scanning for exposed FortiGate appliances.
The campaign ultimately targeted more than 430,000 FortiGate firewalls distributed across over 150 countries, making it one of the largest firewall-focused credential harvesting operations documented in recent years.
From Credential Theft to Complete Domain Takeover
The scale of the compromise extends well beyond stolen passwords.
SOCRadar tracked active reconnaissance against approximately 11,250 FortiGate VPN portals around the world.
Among those targets:
Administrative access was successfully confirmed at 409 organizations.
Complete attack chains were executed against 354 victims.
Attackers compromised VPN infrastructure.
Domain controllers were breached.
Full Domain Administrator privileges were obtained.
At least 12 confirmed ransomware attacks followed.
Hundreds of corporate endpoints were encrypted.
This demonstrates a disciplined and repeatable attack methodology rather than opportunistic exploitation.
Once privileged access was achieved, ransomware deployment became only the final stage of a carefully planned intrusion.
Operational Mistakes Revealed the Criminal Infrastructure
Ironically, the attackers themselves made a mistake that exposed their internal operations.
SOCRadar discovered one operational server configured insecurely enough to reveal internal documentation, activity logs, management files, and operational notes.
This accidental exposure gave researchers unprecedented visibility into how the group organized its campaigns.
Instead of relying solely on external indicators, investigators were able to observe the attackers’ own workflow, victim tracking, and internal management systems.
Such intelligence is extremely rare in cybercrime investigations.
Shared Operators Connected INC Ransom and Lynx
The exposed infrastructure revealed that a single operator maintained simultaneous access to both INC Ransom and Lynx negotiation platforms.
INC Ransom has remained one of the more active ransomware-as-a-service operations since 2023, claiming responsibility for attacks against healthcare providers, enterprise organizations, and government institutions.
Lynx emerged later but has increasingly been viewed by researchers as an evolution or continuation of the INC operation.
The discovery of shared operators strongly supports that assessment.
Rather than functioning as completely separate criminal organizations, the evidence suggests both brands may represent different business identities operated by overlapping personnel.
Victim Records Matched Across Independent Infrastructure
Researchers discovered another critical piece of evidence after locating an open directory associated with INC Ransom.
When investigators compared victim information stored within
This independent correlation confirms that organizations targeted during credential harvesting later appeared within ransomware deployment records.
The overlap demonstrates that compromised credentials were not merely collected for resale.
They became operational assets used directly by ransomware affiliates.
Cybercrime Organized Like a Modern Business
Perhaps the most fascinating discovery involved the
Recovered documentation indicates that approximately twenty individuals participate in the operation.
Rather than operating chaotically, responsibilities appear carefully divided among specialized teams.
Senior intrusion operators focus on high-value compromises.
Dedicated technical specialists provide expertise during complex attacks.
Junior personnel perform administrative tasks, infrastructure management, victim tracking, and operational support.
The structure closely resembles that of a legitimate technology company, complete with specialized departments and clearly defined roles.
The only difference is that its product is cyber extortion.
Artificial Intelligence May Become Their Next Weapon
SOCRadar also disclosed that its upcoming technical whitepaper will include findings regarding the group’s experimentation with artificial intelligence.
Researchers indicate the threat actors have been exploring AI-assisted vulnerability discovery and may already be working toward exploiting at least one undisclosed zero-day vulnerability.
Responsible disclosure efforts are reportedly underway with the affected software vendor before public technical details are released.
If confirmed, this represents another evolution in modern cybercrime, where artificial intelligence increasingly supports offensive security research conducted by criminal organizations.
Why FortiGate Organizations Face Elevated Risk
The implications extend far beyond credential theft.
Organizations operating FortiGate infrastructure should assume that exposure to FortiBleed may represent the beginning of an active ransomware intrusion rather than an isolated credential compromise.
Traditional incident response often prioritizes password resets following credential theft.
In this case, attackers may already possess privileged access, maintain persistence inside the network, and prepare ransomware deployment before defenders recognize the initial compromise.
Speed becomes the defining factor.
Immediate credential rotation, VPN review, administrative account auditing, log analysis, privileged access monitoring, and network segmentation become essential defensive actions.
Every day between credential theft and detection provides attackers additional opportunities to expand control throughout enterprise environments.
Deep Analysis
FortiBleed illustrates a growing cybersecurity trend where attackers increasingly abuse legitimate administrative features instead of exploiting software vulnerabilities. Defensive strategies focused solely on malware detection are becoming insufficient.
Linux administrators should immediately inspect authentication logs:
journalctl -u ssh  (Debian/Ubuntu; the unit is sshd on RHEL-family systems)
grep "Accepted password" /var/log/auth.log
last
lastb
ausearch -m USER_LOGIN
Check for unusual outbound connections:
ss -tulpn
netstat -plant
lsof -i
tcpdump -i eth0
Review firewall activity:
iptables -L -v
nft list ruleset
firewall-cmd --list-all
Audit VPN services:
systemctl status openvpn
systemctl status strongswan
Search for privilege escalation:
find / -perm -4000 2>/dev/null
sudo -l
Verify user accounts:
cat /etc/passwd
cat /etc/shadow  (requires root)
Inspect recent login history:
last
who
w
Monitor suspicious processes:
ps aux
top
htop
Windows administrators should review:
Get-EventLog -LogName Security  (Windows PowerShell 5.1; in PowerShell 7 use Get-WinEvent -LogName Security)
Get-LocalUser
Get-NetTCPConnection
macOS administrators can inspect:
log show --last 24h
netstat -an
who
Review FortiGate administrative sessions regularly.
Disable unnecessary diagnostic features where operationally possible.
Enable multi-factor authentication for all VPN administrators.
Rotate privileged credentials immediately after any suspected exposure.
Monitor Domain Controller authentication logs for unusual lateral movement.
Deploy network segmentation to reduce ransomware propagation.
Continuously monitor VPN authentication anomalies.
Maintain offline backups protected from domain compromise.
Practice ransomware recovery exercises before an actual incident occurs.
Threat hunting should now prioritize credential abuse over malware detection.
Security teams must assume silent persistence until proven otherwise.
Passive attacks like FortiBleed represent the future direction of sophisticated intrusion campaigns.
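The following Python script is an added example written for this article; it is not code from SOCRadar, Fortinet or the FortiBleed operators. It ties together two points made above: the campaign's abuse of the firewall's own packet diagnostics (FortiOS exposes its built-in capture as the `diagnose sniffer packet` CLI command; the article does not name the exact facility FortigateSniffer drives, so treating that command as the thing to audit is this example's assumption), and the hunting priorities listed in this section (administrative sessions, VPN authentication anomalies). It parses FortiOS-style key=value event logs and flags three things: CLI audit entries that start the packet sniffer, successful administrator logins from outside a management allowlist, and a single VPN account tunnelling up from several source addresses inside a short window. The log lines are constructed for the example and use documentation IP ranges; the field names (user, srcip, remip, action, status, msg) follow the FortiOS convention, but the exact layout of real logs varies by version, and CLI commands only appear in the event log when the device is configured to audit them, so treat the format and the allowlist as assumptions.

```python
"""Hunt FortiGate event logs for FortiBleed-style indicators.

Added example; not code from the original article, SOCRadar or Fortinet.
Three checks over FortiOS-style key=value syslog lines:
  1. CLI audit entries invoking 'diagnose sniffer packet' (FortiOS's native
     packet capture; that this is what FortigateSniffer drives is an assumption);
  2. successful admin logins from outside a management allowlist;
  3. one VPN user authenticating from many distinct source IPs in a short
     window (a credential-reuse signal).
SAMPLE_LOG is constructed. Field names follow the FortiOS convention but the
exact layout of real logs varies by version; the allowlist is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value or key="quoted value"; group 3 = quoted body, group 4 = bare value
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Assumed: the only hosts from which administrators should ever log in.
MGMT_ALLOWLIST = {"10.10.0.5", "10.10.0.6"}

SAMPLE_LOG = """\
date=2025-03-04 time=09:12:01 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.10.0.5 ui="https(10.10.0.5)" msg="Administrator admin logged in successfully from https(10.10.0.5)"
date=2025-03-04 time=09:40:17 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.77 ui="ssh(203.0.113.77)" msg="Administrator admin logged in successfully from ssh(203.0.113.77)"
date=2025-03-04 time=09:41:03 type="event" subtype="system" action="Edit" user="admin" ui="ssh(203.0.113.77)" msg="Execute command: diagnose sniffer packet any 'port 443 or port 389 or port 1812' 6 0 a"
date=2025-03-04 time=10:02:11 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="jdoe" remip=203.0.113.9 msg="SSL VPN tunnel up"
date=2025-03-04 time=10:05:40 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="jdoe" remip=198.51.100.23 msg="SSL VPN tunnel up"
date=2025-03-04 time=10:19:08 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="jdoe" remip=192.0.2.201 msg="SSL VPN tunnel up"
date=2025-03-04 time=10:22:30 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="asmith" remip=203.0.113.44 msg="SSL VPN tunnel up"
"""


def parse_fortilog(line):
    """Turn one 'k=v k2="v 2"' line into a dict with quotes stripped."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def event_time(ev):
    """Combine the separate date= and time= fields into a datetime."""
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")


def find_sniffer_invocations(events):
    """Check 1: any audited CLI command that starts the built-in packet sniffer."""
    return [ev for ev in events
            if "diagnose sniffer packet" in ev.get("msg", "").lower()]


def find_admin_logins_off_allowlist(events, allowlist=MGMT_ALLOWLIST):
    """Check 2: successful admin logins whose source is not a known jump host."""
    return [ev for ev in events
            if ev.get("action") == "login" and ev.get("status") == "success"
            and ev.get("srcip") not in allowlist]


def find_vpn_ip_fanout(events, window=timedelta(minutes=30), threshold=3):
    """Check 3: one VPN user tunnelling up from >= threshold distinct IPs within window.
    Returns {user: sorted list of IPs} for each user that trips the threshold."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("action") == "tunnel-up" and "remip" in ev:
            by_user[ev["user"]].append((event_time(ev), ev["remip"]))
    hits = {}
    for user, seen in by_user.items():
        seen.sort()  # chronological; slide a window forward from each event
        for i, (t0, _) in enumerate(seen):
            ips = {ip for t, ip in seen[i:] if t - t0 <= window}
            if len(ips) >= threshold:
                hits[user] = sorted(ips)
                break
    return hits


def hunt(log_text):
    """Run all three checks over raw log text and return the findings."""
    events = [parse_fortilog(l) for l in log_text.splitlines() if l.strip()]
    return {
        "sniffer": find_sniffer_invocations(events),
        "admin_offlist": find_admin_logins_off_allowlist(events),
        "vpn_fanout": find_vpn_ip_fanout(events),
    }


if __name__ == "__main__":
    r = hunt(SAMPLE_LOG)
    for ev in r["sniffer"]:
        print(f"[sniffer] {ev['date']} {ev['time']} {ev['user']} via {ev['ui']}: {ev['msg']}")
    for ev in r["admin_offlist"]:
        print(f"[admin  ] {ev['date']} {ev['time']} {ev['user']} from {ev['srcip']} (not on allowlist)")
    for user, ips in r["vpn_fanout"].items():
        print(f"[vpn    ] {user} tunnelled from {len(ips)} IPs within 30 min: {', '.join(ips)}")
```

Run as-is to see the three findings on the sample; in practice, feed hunt() the FortiGate syslog export from your log collector or SIEM. The checks are deliberately independent: a sniffer invocation from an allowlisted jump host is still worth a call to whoever owns that host, and a VPN account fanning out across several addresses is a credential-reuse signal whether or not any admin login looked odd. Lower the fan-out threshold for accounts that should only ever connect from one place, and populate MGMT_ALLOWLIST with your own management hosts before trusting check 2.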
What Undercode Say:
FortiBleed is one of those investigations that reshapes how defenders should think about perimeter security. For years, organizations invested heavily in protecting endpoints while assuming enterprise firewalls remained trusted infrastructure. This campaign demonstrates that trusted infrastructure itself can become the observation platform.
The most remarkable characteristic is not the scale, although targeting more than 430,000 firewalls is extraordinary. It is the patience displayed by the attackers.
No malware.
No destructive exploits.
No immediate ransomware.
Instead, they quietly watched authentication traffic until enough privileged credentials accumulated.
That discipline reflects mature operational planning.
The connection to INC Ransom and Lynx also challenges the traditional distinction between access brokers and ransomware operators.
Historically, many believed stolen credentials were sold through criminal marketplaces before separate ransomware gangs purchased them.
FortiBleed suggests vertical integration.
One organization gathers access.
The same organization exploits access.
The same organization negotiates ransom.
That business model dramatically reduces operational delays.
It also minimizes exposure to other criminal intermediaries.
Another important lesson involves operational security.
Ironically, the criminals were exposed because of their own infrastructure mistakes.
Even sophisticated threat actors remain vulnerable to human error.
The reported internal hierarchy resembles legitimate enterprise management.
Cybercrime increasingly mirrors corporate operations with specialized departments, technical experts, support staff, and workflow management.
Artificial intelligence may further accelerate this evolution.
If AI becomes integrated into vulnerability discovery and exploit development, defenders will face faster attack cycles and increasingly automated reconnaissance.
Organizations should also reconsider how they monitor network appliances.
Firewalls often receive fewer forensic reviews than endpoints.
That assumption is becoming increasingly dangerous.
Credential monitoring, privileged access management, VPN auditing, and continuous threat hunting deserve higher priority than signature-based malware detection alone.
FortiBleed represents a warning that modern cyberattacks increasingly favor stealth over speed.
Organizations that detect compromise early will likely survive.
Organizations relying solely on traditional endpoint protection may discover ransomware only after domain-wide encryption has already begun.
The investigation also highlights the importance of intelligence-driven defense.
Threat intelligence is no longer simply informational.
It directly influences incident response priorities.
Waiting for malware alerts is no longer enough.
Security teams must actively search for abnormal authentication behavior before attackers complete their objectives.
FortiBleed is less about exploiting software and more about exploiting trust.
That makes it significantly harder to detect and substantially more dangerous.
✅ Verified: SOCRadar publicly reported a direct investigative connection between the FortiBleed infrastructure and the ransomware groups INC Ransom and Lynx based on infrastructure analysis and operational evidence. The report documents administrator-level compromises and confirmed ransomware deployments.
✅ Verified: The campaign abused legitimate FortiOS packet diagnostic capabilities instead of deploying traditional malware on target firewalls. This passive credential interception technique significantly reduced the likelihood of detection.
❌ Not Yet Independently Confirmed: The reported AI-assisted zero-day research remains under coordinated disclosure. While SOCRadar states evidence exists, complete technical validation awaits publication of the promised whitepaper and vendor disclosure process.
Prediction
(+1) Fortinet administrators worldwide will accelerate firewall auditing, credential rotation, VPN monitoring, and multi-factor authentication adoption after the publication of SOCRadar’s complete technical whitepaper.
(-1) Ransomware groups are likely to adopt similar passive credential interception techniques against other enterprise security appliances, making stealth-based infrastructure attacks more common than traditional malware campaigns in the coming years.
References:
Reported By: securityaffairs.com