The FortiBleed operation is a credential-harvesting campaign targeting over 430,000 FortiGate firewalls in 150 countries, leading to the deployment of the INC Ransom and Lynx ransomware families. Discovered in June, it has reportedly compromised over 110 million credentials since February, with attackers gaining administrative access to 409 targets and completing full attack chains on 354. Notably, ransomware deployment has occurred in 12 cases, affecting hundreds of endpoints.
SOCRadar observed an operator linked to both ransomware panels, indicating a connection between stolen FortiGate credentials and ransomware activities. The operation involves about 20 individuals focusing on high-impact intrusions and technical support, showcasing the intertwined nature of credential theft and ransomware operations.