Introduction: A Credential Theft Operation That Became a Global Ransomware Pipeline
A large-scale cybersecurity investigation has revealed a deeply structured intrusion ecosystem where stolen access to enterprise firewalls is no longer just an intelligence-gathering exercise but a direct pipeline into ransomware deployment. The campaign, known as FortiBleed, has been linked to ransomware operations such as INC Ransom and Lynx, showing how compromised credentials from network perimeter devices are being systematically converted into real-world encryption attacks. What began as opportunistic scanning of exposed systems has evolved into a coordinated monetization engine targeting enterprises across manufacturing, logistics, energy, and technology sectors worldwide.
Overview of the FortiBleed Campaign and Its Industrial-Scale Reach
Massive Global Targeting Across Fortinet Infrastructure
The investigation shows that attackers systematically scanned approximately 11,250 exposed Fortinet FortiGate portals across more than 150 countries. From this vast pool, they achieved confirmed administrative access on at least 409 systems and fully executed intrusion chains on 354 targets. These intrusions were not isolated events but part of a repeatable model that transformed access into ransomware deployment.
Credential Harvesting at Industrial Scale
At the core of the operation was a credential theft mechanism targeting misconfigured and exposed firewall devices. The attackers deployed custom packet sniffers capable of passively extracting authentication data from live network traffic. Over time, they are believed to have targeted up to 430,000 FortiGate appliances globally, collecting more than 110 million credentials in the process, an unprecedented scale for firewall-based compromise operations.
From Access Broker to Ransomware Enabler
Infrastructure Linking to INC and Lynx Negotiation Panels
Threat intelligence researchers at SOCRadar identified a critical operational overlap: an operator associated with FortiBleed infrastructure was actively participating in negotiation panels for both INC Ransom and Lynx Ransomware. This discovery confirmed that stolen Fortinet credentials were not merely stored or sold but directly used in live ransomware extortion operations.
Operational Infrastructure Exposure and Internal Leaks
A significant breakthrough came when analysts discovered over 200 servers tied to the FortiBleed ecosystem, including one exposed system containing internal logs, operational documentation, and stolen credential datasets. This leak provided rare visibility into how initial access brokers coordinate with downstream ransomware groups, bridging the gap between reconnaissance and monetized attacks.
Attack Execution and Infection Chains
Deployment of Packet Sniffers and Persistent Access Tools
The attackers installed Golang-based sniffers on approximately 12,000 Fortinet devices. These tools silently monitored traffic and extracted authentication data, allowing attackers to maintain persistent access even after initial compromises were detected. The modular nature of the tooling suggests a well-resourced operation with development specialization.
Ransomware Deployment and Impact
At least 12 confirmed ransomware deployments have been directly linked to FortiBleed-derived access. These incidents resulted in widespread encryption of enterprise endpoints, disrupting operations across multiple regions. The affected organizations span high-value sectors including manufacturing supply chains, logistics networks, and technology providers.
Organizational Structure and Threat Actor Profile
A Coordinated Multi-Layered Criminal Enterprise
Internal documents indicate the operation is structured with around 20 individuals, divided into specialized roles. A small leadership group orchestrates high-impact intrusions, while supporting teams manage scanning, exploitation, credential validation, and ransomware deployment coordination.
Russian-Speaking Operator and Initial Access Brokerage Model
Tooling patterns, working hours, and infrastructure usage suggest the involvement of a Russian-speaking threat actor likely operating as an initial access broker. This role focuses on obtaining and selling or leasing authenticated access rather than directly executing ransomware in all cases, creating a layered cybercrime economy.
Expanding Attack Surface Beyond Fortinet
Nextcloud Zero-Day Possession Claims
Researchers also identified indications that the attackers may possess at least one zero-day vulnerability in Nextcloud. While not yet publicly confirmed, this suggests the group is expanding beyond perimeter firewalls into collaboration and file-sharing platforms commonly used in enterprise environments.
Exploitation of FortiClient EMS Vulnerability
Separate reporting from eSentire revealed active exploitation of FortiClient EMS vulnerability CVE-2026-35616 (CVSS 9.1). Attackers used this flaw to deploy EKZ Stealer, targeting browser-stored credentials from Chromium-based browsers and Firefox, and exfiltrating them through PowerShell-based channels.
What Undercode Says:
This campaign represents a shift from conventional ransomware intrusions to infrastructure-level exploitation.
Firewalls are no longer passive defenders but active targets for credential extraction.
The scale of 110 million credentials indicates long-term undetected access operations.
Initial access brokers are now central nodes in ransomware economics.
The FortiBleed operation demonstrates industrialization of cybercrime.
Multi-country targeting suggests automated scanning pipelines.
The administrative compromise rate shows a high post-exploitation success rate.
Credential reuse remains a primary failure point in enterprise security.
Packet sniffers indicate passive long-duration surveillance strategy.
Malware deployment is secondary to credential harvesting in this campaign.
Operational security failure by attackers ironically exposed the entire network.
Exposure of 200 internal servers is a major intelligence leak.
Ransomware groups now rely heavily on external access brokers.
INC Ransom and Lynx sharing infrastructure signals ecosystem convergence.
The cybercrime market is increasingly modular and service-based.
Manufacturing and logistics sectors remain high-value targets.
Asia-Pacific and Latin America show weaker perimeter defense trends.
Fortinet devices are widely deployed, increasing attacker ROI.
Persistent sniffers suggest long dwell time in compromised environments.
Credential harvesting is more profitable than direct encryption attacks in early stages.
Multi-layer operator structure resembles corporate hierarchy.
Zero-day claims indicate escalation beyond opportunistic attacks.
Cross-platform targeting increases attack resilience.
Browser credential theft remains a dominant secondary vector.
PowerShell-based exfiltration shows Windows-centric targeting.
Threat intelligence sharing is critical for containment.
Exposure of firewall credentials undermines network segmentation.
Attackers exploit trust boundaries between security layers.
Internal logs exposure is a rare intelligence advantage for defenders.
Cybercrime operations now resemble SaaS business models.
Ransomware negotiation panels act as service marketplaces.
Initial access brokerage reduces technical barrier for ransomware groups.
FortiGate compromise scale suggests automation-first approach.
Human oversight remains minimal in scanning operations.
Credential dumps enable rapid lateral movement in enterprises.
Attack lifecycle is increasingly decoupled into stages.
Defensive response time is critical in firewall compromise scenarios.
Supply chain exposure extends beyond software into network hardware.
Attribution remains difficult due to layered infrastructure.
The ecosystem shows continuous professionalization of cybercrime.
❌ Exact attribution of “110 million credentials” cannot be independently verified without full dataset disclosure.
✅ Fortinet devices and firewalls are known high-value targets in real-world intrusion campaigns.
✅ CVE-2026-35616 is referenced as a high-severity vulnerability affecting FortiClient EMS in security reporting.
❌ Claims of zero-day possession in Nextcloud remain unconfirmed and intelligence-based rather than publicly validated.
✅ Ransomware-as-a-service ecosystems commonly use initial access brokers as intermediaries.
Prediction:
(+1) Expansion of Firewall-Focused Attacks
Attackers will increasingly target perimeter security appliances like VPNs and firewalls as primary entry points rather than endpoints.
(+1) Growth of Access Broker Economy
Initial access brokerage will become a dominant layer in ransomware supply chains, increasing specialization.
(-1) Increased Defensive Pressure on Fortinet Ecosystem
Greater scrutiny and patching cycles may reduce success rates of FortiGate-based intrusion campaigns over time.
(-1) Exposure Risks for Criminal Infrastructure
Operational mistakes similar to FortiBleed leaks will continue to disrupt and expose threat actor networks.
Deep Analysis:
Detect exposed Fortinet portals
nmap -p 443 --script ssl-cert <target-range>
Scan for vulnerable EMS instances
nuclei -t cves/fortinet/ -u https://target
Analyze firewall logs for credential leaks
grep -i "login" /var/log/fortigate.log | awk '{print $1,$2,$NF}'
Detect suspicious packet sniffer processes (the trailing grep -v drops the grep process itself from the output)
ps aux | grep -E "tcpdump|goblin|sniffer" | grep -v grep
Monitor outbound PowerShell exfiltration (filter on the event message; Select-String on raw event objects would not search the message text)
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | Where-Object { $_.Message -match "Invoke-WebRequest" }
Identify lateral movement patterns
grep "admin login success" /var/log/auth.log | sort | uniq -c
Check for unusual DNS beaconing
tcpdump -i eth0 udp port 53
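The log-review steps above (credential leaks in firewall logs, admin login patterns) can be turned into a small detector. This is an added example, not code from the original article or from Fortinet; the log lines are constructed to approximate FortiGate key=value event-log syntax, and the trusted management range is an assumed value.

```python
"""Flag suspicious admin logins in FortiGate-style key=value event logs (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines approximating FortiGate event-log syntax; not real logs.
SAMPLE_LOG = """\
date=2026-03-01 time=08:00:01 logdesc="Admin login successful" user="admin" action="login" status="success" srcip=10.0.0.5 ui="https(10.0.0.5)"
date=2026-03-01 time=08:05:10 logdesc="Admin login failed" user="admin" action="login" status="failed" srcip=198.51.100.23 ui="https(198.51.100.23)"
date=2026-03-01 time=08:05:12 logdesc="Admin login failed" user="admin" action="login" status="failed" srcip=198.51.100.23 ui="https(198.51.100.23)"
date=2026-03-01 time=08:05:15 logdesc="Admin login failed" user="admin" action="login" status="failed" srcip=198.51.100.23 ui="https(198.51.100.23)"
date=2026-03-01 time=08:05:20 logdesc="Admin login successful" user="admin" action="login" status="success" srcip=198.51.100.23 ui="https(198.51.100.23)"
date=2026-03-01 time=09:00:00 logdesc="Admin login successful" user="fwops" action="login" status="success" srcip=10.0.0.7 ui="ssh(10.0.0.7)"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def find_suspicious_logins(log_text, trusted_nets, fail_threshold=3):
    """Return alerts for admin logins from outside the trusted management
    networks, and for successes preceded by >= fail_threshold failures
    from the same source IP (password guessing or replay of harvested creds)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    failures = defaultdict(int)  # consecutive failed logins per source IP
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") != "login" or "srcip" not in ev:
            continue
        ip = ev["srcip"]
        if ev.get("status") == "failed":
            failures[ip] += 1
            continue
        if ev.get("status") != "success":
            continue
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            alerts.append(("untrusted_source", ev.get("user"), ip, ev.get("time")))
        if failures[ip] >= fail_threshold:
            alerts.append(("success_after_failures", ev.get("user"), ip, ev.get("time")))
        failures[ip] = 0  # reset the counter once a success is seen
    return alerts
```

Feed it exported FortiGate event logs and your real management ranges; each alert names the account, source IP and time to chase in the admin-login grep above.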
References:
Reported By: thehackernews.com