SOCRadar Links FortiBleed Campaign to INC and Lynx Ransomware Operations
ID: 7bb7482f-ec89-58e5-8f27-e52aaaa484b8
STIX ID: report--7bb7482f-ec89-58e5-8f27-e52aaaa484b8
Feed Name: SOCRadar Blog
SOCRadar’s Threat Research Unit links the FortiBleed credential-harvesting campaign—using a custom Golang sniffer against FortiGate appliances and targeting 430,000+ devices—to active ransomware operations (INC Ransom and Lynx). The investigation uncovered ~200 additional servers, scanning of ~11,250 FortiGate portals, confirmed admin access on 409 targets and full domain compromise on 354, with at least 12 ransomware deployments; an operator tied to FortiBleed was observed logged into both ransomware negotiation panels and victim overlap was confirmed, indicating direct feeding of stolen credentials into ransomware activity.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
