SOCRadar's Threat Research Unit has linked the FortiBleed campaign, which has compromised credentials from over 430,000 FortiGate firewalls globally, to two active ransomware operations: INC Ransom and Lynx. Using a tool called FortigateSniffer, the attackers intercepted authentication traffic without sending malicious payloads. The campaign has confirmed admin-level access on 409 targets and full domain compromise on 354, leading to at least 12 ransomware deployments.
A significant operational security lapse on the attackers' side exposed internal documents connecting them to both ransomware groups. INC Ransom, active since mid-2023, claims numerous breaches, with Lynx emerging later as an evolution of INC. The report emphasizes that organizations using FortiGate devices face an immediate risk of ransomware and urges them to assess their exposure.