Full Report
The recently discovered financially-motivated FortiBleed campaign has been attributed to INC and Lynx ransomware operations, indicating that the verified, stolen credentials were intended for follow-on intrusions. "An operator tied to FortiBleed's infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment
Analysis Summary
# Incident Report: FortiBleed Campaign Linked to INC and Lynx Ransomware
## Executive Summary
The FortiBleed campaign is a large-scale credential theft operation targeting over 430,000 FortiGate firewalls globally, resulting in the theft of over 110 million credentials. Investigation confirms that these stolen credentials fuels follow-on ransomware deployments by the INC Ransom and Lynx groups. The operation is orchestrated by a Russian-speaking initial access broker (IAB) group of approximately 20 individuals.
## Incident Details
- **Discovery Date:** June – July 2026
- **Incident Date:** Ongoing; identified in new report published July 2, 2026
- **Affected Organizations:** Multiple; 354 targets fully compromised; 12 confirmed ransomware deployments
- **Sector:** Manufacturing, Technology, Logistics, Energy, Utilities
- **Geography:** Global (150+ countries), with high concentrations in Latin America and Asia Pacific
## Timeline of Events
### Initial Access
- **Date/Time:** Campaigns tracked through late June/early July 2026.
- **Vector:** Exploitation of exposed FortiGate portals and FortiClient EMS vulnerabilities.
- **Details:** Attackers used known credential combinations and exploited CVE-2026-35616 (CVSS 9.1).
### Lateral Movement
- Attackers utilized a custom Golang-based packet sniffer to gather internal authentication data and credentials from live network traffic to move deeper into target environments.
### Data Exfiltration/Impact
- **Volume:** 110 million credentials harvested.
- **Impact:** Administrative access confirmed on 409 targets; successful full-chain attacks on 354 organizations; encryption of hundreds of endpoints via INC and Lynx ransomware.
### Detection & Response
- **Discovery:** Detected following an operational security (OPSEC) error by the threat actors, leaving a backend server exposed to the public internet.
- **Response:** SOCRadar identified 200 additional servers, visibility into internal logs, and links to ransomware negotiation panels.
## Attack Methodology
- **Initial Access:** Scanning for exposed FortiGate portals; credential stuffing; exploitation of CVE-2026-35616.
- **Persistence:** Implementation of custom Golang sniffers on approximately 12,000 devices.
- **Credential Access:** Passive packet sniffing of network traffic; harvesting from Chromium/Firefox browsers using "EKZ Stealer."
- **Discovery:** Global scanning of 11,250+ portals to identify vulnerable infrastructure.
- **Lateral Movement:** Use of PowerShell and verified administrative credentials.
- **Exfiltration:** Data exfiltrated via PowerShell; use of a potential zero-day in Nextcloud for further data handling.
- **Impact:** Deployment of INC Ransom and Lynx ransomware to encrypt endpoints.
## Impact Assessment
- **Financial:** High; ransom negotiations and remediation costs for hundreds of encrypted endpoints.
- **Data Breach:** Massive; 110 million credentials stolen across manufacturing and tech sectors.
- **Operational:** Significant disruption to logistics and manufacturing operations globally.
- **Reputational:** High for affected vendors (Fortinet) and the compromised organizations.
## Indicators of Compromise
- **Network Indicators:** (Defanged) Activity linked to over 200 backend servers; scanning activity from various infrastructure points.
- **File Indicators:** Golang-based packet sniffer; EKZ Stealer malware.
- **Behavioral Indicators:** Bulk logins to INC/Lynx negotiation panels from shared infrastructure; unauthorized PowerShell exfiltration scripts.
## Response Actions
- **Containment:** Coordination with affected vendors (specifically Nextcloud and Fortinet) to patch vulnerabilities.
- **Eradication:** Identification and shutdown of 200+ command-and-control (C2) servers.
- **Recovery:** Restoration of encrypted endpoints from backups where available; forced password resets for 110 million potentially compromised accounts.
## Lessons Learned
- **OPSEC Failures:** Even organized groups (20-person teams) make mistakes; identifying exposed C2 infrastructure is critical for attribution.
- **Supply Chain/Edge Risks:** Edge devices like firewalls remain the primary target for initial access brokers.
- **Integrated Operations:** The gap between "credential theft" and "ransomware" is narrowing, with IABs and ransomware operators sharing infrastructure and personnel.
## Recommendations
- **Patch Management:** Immediately patch CVE-2026-35616 and ensure all FortiGate appliances are on the latest firmware.
- **Multi-Factor Authentication (MFA):** Enforce hardware-based MFA for all VPN and administrative access to prevent stolen credentials from being useful.
- **Traffic Monitoring:** Monitor for unauthorized PowerShell activity and outbound traffic to unknown C2 IP addresses.
- **Credential Hygiene:** Implement regular password rotation policies, especially for administrative accounts on networking gear.