threat-wire

Mass FortiGate Credential Theft Now Linked to Ransomware

A threat intelligence firm has tied the FortiBleed credential-harvesting campaign directly to two active ransomware operations, after finding a shared operator working negotiation panels for both groups. The campaign scanned more than 430,000 FortiGate firewalls worldwide and has already produced at least 12 ransomware deployments. If your business runs a FortiGate device, this is the moment to check whether your credentials were part of the haul.

By SecureBusinessHub Editorial, International cybersecurity desk · 6 min read

Scanning began quietly. Twelve ransomware deployments later, it isn't quiet anymore.

FortiBleed is a financially motivated campaign against FortiGate firewalls that came to light last month. SOCRadar has now tied it directly to the INC Ransom and Lynx ransomware operations, the first confirmed link between a mass credential-harvesting campaign of this scale and specific ransomware deployments.

How the Campaign Unfolded

It started with scanning. The threat actors systematically probed the internet for exposed Fortinet devices, targeting roughly 430,000 FortiGate firewalls globally, and attempted logins with known credential combinations (classic credential stuffing against the admin and VPN interfaces).

Once inside a device, they deployed a custom Golang packet sniffer to passively capture credentials and other authentication data straight off network traffic. The sniffer was installed on an estimated 12,000 Fortinet devices, under 3% of the total scanned. Over 110 million credentials were gathered in the process, and because the sniffer sat on the firewall itself, those credentials belonged to the users and systems behind it as well as to the device's own administrators.

The campaign was exposed by its own mistake. The attackers left a server holding credentials stolen from thousands of Fortinet appliances sitting open on the internet, which is how researchers found it in the first place.

The Ransomware Connection

SOCRadar has now identified more than 200 additional servers tied to FortiBleed's infrastructure. One of them showed an operator logged into both INC Ransom's and Lynx's negotiation panels, with victims listed by INC Ransom overlapping with data from the credential-harvesting campaign.

The scale of the confirmed activity: scanning hit roughly 11,250 FortiGate admin portals across more than 150 countries. Of those, 409 targets saw confirmed admin-level access, and on 354 the attackers completed the full attack chain. At least 12 ransomware deployments have resulted so far, encrypting hundreds of endpoints across the affected organisations.

SOCRadar's chief information security officer, Ensar Seker, said the exposed staging server held target inventories, harvested data, automation scripts, and operational documentation, rather than being infrastructure victims interacted with directly. Working hours and tooling point to a Russian-speaking threat actor operating as an initial access broker, backed by a roughly 20-person team: a small core of lead operators driving the highest-impact intrusions, supported by specialists and support staff.

It Isn't Just Fortinet Anymore

The same infrastructure includes a target list of about 29,000 IP addresses and 37 domains tied to Citrix environments. SOCRadar says this signals reconnaissance and targeting preparation rather than confirmed compromise, but it suggests the same automated workflow could be repurposed against other remote-access technologies. The group is also believed to hold at least one unpatched Nextcloud vulnerability, and SOCRadar says it's coordinating with the vendor on disclosure.

What to Do Now

  • If you run a FortiGate firewall, rotate every admin and VPN credential that was valid at any point since the campaign came to light in June 2026, not just the ones in use today
  • Because the sniffer ran on the firewall itself, rotation alone is not enough on a device that may have hosted it: treat any FortiGate with unexplained admin logins in that window as compromised, restore it from a known-good image before putting new credentials on it, and then rotate
  • Check FortiOS authentication logs for login attempts using retired or default credential combinations, and for successful admin logins that follow a burst of failures from the same source address
  • Confirm your management interface is not exposed to the public internet, and if it must be, restrict access with an IP allow-list (trusted hosts on the admin accounts)
  • If you also run Citrix remote-access infrastructure, treat this as an early warning: verify authentication logs, rotate exposed credentials, and enforce MFA now
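The log checks above, as an added example that is not from the article, SOCRadar, or Fortinet: a small Python audit that parses FortiOS-style key=value event lines and flags three things at once, login attempts against retired accounts, successful admin logins from outside your allow-list, and a successful login that arrives right after repeated failures from the same source. The sample log lines are constructed in the FortiOS event-log format (`logdesc="Admin login failed"`, `srcip=...`, `status="failed"`), and the `RETIRED_USERS` set and `TRUSTED_HOSTS` networks are assumptions you would replace with your own.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: accounts retired before the campaign window; any attempt to use them is a signal.
RETIRED_USERS = {"fortinet", "maint", "svc-backup"}
# Assumption: the only networks that should ever reach the management interface.
TRUSTED_HOSTS = [ipaddress.ip_network("10.20.0.0/24")]
# A success preceded by this many failures from the same source is worth a look.
FAILED_THRESHOLD = 2

# Constructed sample lines in FortiOS key=value event-log style (not real logs).
SAMPLE_LOGS = """\
date=2026-07-02 time=03:14:07 devname="fw-edge" logid="0100032001" type="event" subtype="system" level="warning" vd="root" logdesc="Admin login failed" user="fortinet" ui="https(203.0.113.45)" method="https" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid"
date=2026-07-02 time=03:14:09 devname="fw-edge" logid="0100032001" type="event" subtype="system" level="warning" vd="root" logdesc="Admin login failed" user="admin" ui="https(203.0.113.45)" method="https" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid"
date=2026-07-02 time=03:14:12 devname="fw-edge" logid="0100032002" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" method="https" srcip=203.0.113.45 action="login" status="success" reason="none"
date=2026-07-02 time=08:01:33 devname="fw-edge" logid="0100032002" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="netops" ui="https(10.20.0.15)" method="https" srcip=10.20.0.15 action="login" status="success" reason="none"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiOS-style event line into a dict of its fields."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def in_allowlist(srcip, trusted_hosts):
    """True if srcip parses as an address inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(srcip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_hosts)


def audit(log_text, retired_users=RETIRED_USERS, trusted_hosts=TRUSTED_HOSTS,
          failed_threshold=FAILED_THRESHOLD):
    """Return a list of findings, in log order, for the login events in log_text."""
    findings = []
    failures_by_src = defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") != "login":
            continue
        src, user, status = ev.get("srcip", ""), ev.get("user", ""), ev.get("status")
        when = f"{ev.get('date')} {ev.get('time')}"
        base = {"user": user, "srcip": src, "time": when, "status": status}

        # 1. Any use of a retired account, successful or not.
        if user in retired_users:
            findings.append({"kind": "retired_account_attempt", **base})

        if status == "failed":
            failures_by_src[src] += 1
        elif status == "success":
            # 2. Admin session from a source that should never reach the management UI.
            if not in_allowlist(src, trusted_hosts):
                findings.append({"kind": "admin_login_outside_allowlist", **base})
            # 3. Success right after a run of failures from the same source: stuffing that worked.
            if failures_by_src[src] >= failed_threshold:
                findings.append({"kind": "success_after_failures",
                                 "failures": failures_by_src[src], **base})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS):
        print(f)
```

Point it at an export of the device's event log (or the syslog feed your collector already receives) instead of `SAMPLE_LOGS`; the parser does not depend on field order, so additional FortiOS fields are ignored rather than breaking it. A finding of the third kind from an address outside the allow-list is the pattern this campaign would leave behind, and is the device you rebuild first.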