~/f4n6 $ grep -r "FortiBleed credential-theft campaign linked to Lynx ransomware" ./investigations/ --include="*.md"

FortiBleed credential-theft campaign linked to Lynx ransomware

Jeff Davies 02 Jul 2026 9 min read

1. Executive summary

The FortiBleed campaign — a large-scale credential-harvesting operation active since February 2026 — has been linked by SOCRadar's Threat Research Unit (STRU) to the INC and Lynx ransomware-as-a-service (RaaS) groups. The operation targeted over 430,000 FortiGate firewalls globally, deployed custom Golang-based packet sniffers on approximately 19,000 devices, and harvested an estimated 110 million credentials, with a database of over 86,000 confirmed working credentials compiled from stolen FortiGate configuration files. SOCRadar identified a Windows server within the FortiBleed infrastructure that was used to access ransomware negotiation panels for both the Lynx and INC groups, providing direct evidence of operational overlap between the credential-theft campaign and ransomware actors. EMEA financial services organisations running internet-accessible FortiGate firewalls and VPN concentrators face elevated risk of follow-on network intrusion, domain-level compromise, and ransomware deployment using stolen credentials.

2. Regulatory framing

Article Trigger (the fact in this item) Practical impact
DORA Art. 17: ICT-related incident management process Credential theft from FortiGate firewalls constitutes an ICT-related incident affecting perimeter security devices. Financial institutions must ensure their incident management process encompasses credential-theft from network infrastructure, including detection of unauthorised sniffers and backdoor accounts on firewalls.
DORA Art. 18: classification of ICT-related incidents and cyber threats Over 86,000 confirmed working credentials stolen; 19,000 devices compromised with sniffers deployed; overlap with ransomware negotiation panels. This incident likely meets the threshold for classification as a major ICT-related incident given the scale of credential compromise and direct link to ransomware operations.
DORA Art. 19: reporting of major ICT-related incidents to competent authorities Direct evidence linking stolen Fortinet credentials to INC/Lynx ransomware negotiation panels; victim information overlaps with organisations on INC leak site. Where a financial institution confirms its FortiGate credentials were among those stolen, the incident may require reporting to competent authorities as a major ICT-related incident.
DORA Art. 28: ICT third-party risk — general principles FortiGate firewalls are ICT third-party infrastructure; credential theft creates concentration risk across the Fortinet estate. Institutions should assess whether their Fortinet deployment creates ICT concentration risk in light of this campaign.
NIS2 Art. 21(2)(d): supply chain security measures FortiGate firewalls are supply-chain ICT components; the campaign exploited perimeter devices to harvest credentials. NIS2-covered entities must ensure supply-chain security measures account for credential-theft risk from network appliance vendors.
NIS2 Art. 23: incident reporting obligations Confirmed compromise of FortiGate devices with sniffers and backdoor accounts constitutes a reportable security incident. NIS2-covered organisations with confirmed FortiGate compromise must meet incident reporting obligations to their CSIRT or competent authority.
UK NIS 2018: UK Network and Information Systems Regulations — OES/RDSP duties FortiGate firewalls and VPN concentrators are network and information systems within scope of OES/RDSP. OES and RDSP operators should assess whether FortiGate devices under their responsibility were exposed and whether credentials were harvested.

3. Technical analysis & attack chain

Confirmed attack chain

  1. Reconnaissance and target enumeration. The threat actors compiled credential lists and scanned for exposed FortiGate firewall and VPN services across the internet. The campaign targeted over 430,000 FortiGate firewalls globally, active since February 2026.
  2. Credential harvesting via custom sniffer. A custom Golang-based packet-sniffing tool called "FortiGate Sniffer" was deployed on compromised FortiGate firewalls. The sniffer intercepted VPN credentials and other authentication data directly from network traffic. Sniffers were deployed on approximately 19,000 devices.
  3. Configuration file theft. Attackers downloaded FortiGate configuration files from compromised devices, extracting credentials and authentication secrets stored within.
  4. Credential processing infrastructure. A server containing credentials stolen from more than 73,000 Fortinet devices was discovered exposed on the internet. The server contained: - Downloaded FortiGate configuration files - Credentials harvested from compromised devices - Infrastructure used to crack password hashes - Tooling for credential-stuffing attacks
  5. Backdoor persistence. SOCRadar identified persistent backdoor accounts using the username adminin on compromised systems.
  6. Linkage to ransomware operations. SOCRadar identified a Windows server belonging to the FortiBleed infrastructure. Analysis of collected artifacts revealed the threat actor had accessed ransomware negotiation panels for both the Lynx and INC ransomware groups. Screenshots shared with BleepingComputer show browser sessions accessing administration panels containing negotiation dashboards with victim chats used during ransomware negotiations.
  7. Victom overlap with ransomware leak sites. SOCRadar discovered victim information harvested during FortiBleed that overlaps with organisations later listed on the INC ransomware leak site.
  8. Scale reduction. After SOCRadar notified impacted organisations, the number of compromised devices fell from approximately 19,000 to around 11,000. SOCRadar identified roughly 500 servers used by the operation and more than 200 additional operational servers beyond those originally associated with the campaign.

Technical specifics

  • Targeted devices: FortiGate firewalls and Fortinet VPNs — roughly half of internet-accessible Fortinet firewalls were hit.
  • Sniffer tool: Golang-based, custom-built, named "FortiGate Sniffer." Deployed on ~19,000 devices; intercepts VPN credentials and authentication data from network traffic.
  • Credential volume: Estimated 110 million credentials targeted; database of over 86,000 confirmed working credentials created.
  • Backdoor account: Username adminin on compromised systems.
  • Infrastructure: ~500 servers identified; 200+ additional operational servers beyond the original set; one exposed Windows server containing stolen credentials from 73,000+ devices.
  • Suspected Nextnext zero-day: SOCRadar believes attackers exploited a previously undisclosed Nextcloud zero-day vulnerability to expand access after initial compromise. Technical details have not been released.
  • Threat actor structure: SOCRadar assesses the operation consists of roughly 20 members with defined roles.
  • Ransomware groups: INC Ransom (RaaS since mid-2023, targeting healthcare, education, government, and other sectors). Lynx (emerged mid-2024, believed to be a rebrand of INC rather than a new group).

Attribution confidence caveat

Attribution to the INC and Lynx ransomware groups is single-sourced — it rests solely on SOCRadar's Threat Research Unit (STRU) findings as reported to BleepingComputer. The actors "Lynx" and "INC" have no MITRE ATT&CK profiles in the verified reference data; attribution must be treated as unconfirmed. The link is supported by: (a) a Windows server within FortiBleed infrastructure being used to access both groups' negotiation panels; (b) screenshots showing browser sessions on administration panels; and (c) overlap between FortiBleed victim data and the INC leak site. A second SOCRadar technical white paper with additional attribution evidence and IOCs is pending release.

The assessment that a Russian-speaking initial access broker (IAB) motivated by financial gain is behind the campaign is reported by The Hacker News but is single-sourced and should be verified before enforcement action.

4. Mitigation & containment

P1 — Within 24 hours

  1. Identify exposed FortiGate devices. Inventory all FortiGate firewalls and VPN concentrators in the estate. Identify any devices that were internet-accessible (exposed management interfaces) since February 2026. - Check for devices with management interfaces exposed to the internet on ports 443/8443/80. - Cross-reference against the campaign timeline (active since February 2026).
  2. Hunt for the FortiGate Sniffer. Search all FortiGate devices for unauthorised Golang binaries or suspicious processes: - SSH to each FortiGate device and run: fnsyscli ls /tmp /var/tmp /dev/shm to check for unexpected binaries. - Check running processes: fnsyscli ps aux and look for unexpected processes. - Review configuration for unauthorised scripts or scheduled tasks.
  3. Hunt for backdoor account. Search all FortiGate devices for the adminin user: - Check local user accounts: config system local-user and look for username adminin. - Check admin accounts: config system admin and look for username adminin. - Review authentication logs for logins associated with adminin.
  4. Review VPN credential logs. Examine FortiGate VPN authentication logs for anomalous credential validation patterns or unexpected source IPs since February 2026.
  5. Isolate confirmed compromised devices. Any FortiGate device with confirmed sniffer deployment or the adminin backdoor account should be immediately isolated from production networks.

P2 — Within 72 hours

  1. Rotate all FortiGate credentials. Rotate admin passwords, VPN pre-shared keys, RADIUS/shared secrets, and API tokens on all FortiGate devices — not only confirmed compromised ones. The 86,000-credential database means any exposed device should be presumed compromised.
  2. Review and restore configuration. For any device with confirmed compromise: - Export the current configuration and diff against a known-good backup. - Remove unauthorised admin accounts, VPN users, firewall rules, and any sniffer-related artefacts. - Rebuild the device from a known-good configuration if integrity cannot be verified.
  3. Block known malicious infrastructure. Implement egress filtering to block connections to any identified FortiBleed operational servers. SOCRadar identified ~500 servers; request the IOC list from SOCRadar or await the pending white paper.
  4. Audit Nextcloud deployments. Given the suspected Nextcloud zero-day exploitation, audit all Nextcloud instances for unauthorised access, unexpected admin accounts, and anomalous file access. Patch to the latest available version.
  5. Review Windows server infrastructure. Search for Windows servers exhibiting anomalous outbound connections or running credential-cracking tools. The FortiBleed infrastructure included Windows servers used for hash cracking and credential-stuffing.

P3 — Within 7 days

  1. Restrict FortiGate management access. Ensure all FortiGate management interfaces are accessible only from dedicated management networks or via VPN — never directly internet-exposed. Implement IP allow-lists on admin interfaces.
  2. Implement FortiGate configuration integrity monitoring. Establish a process for regular configuration export and diff against baseline to detect unauthorised changes (new admin accounts, VPN users, firewall rules).
  3. Engage Fortinet support. Open a case with Fortinet for assistance with forensic analysis of potentially compromised devices. Fortinet has acknowledged the campaign and is responding.
  4. Monitor for ransomware precursor activity. Given the link to INC/Lynx ransomware, monitor for reconnaissance activity consistent with ransomware pre-deployment: unexpected credential validation across multiple systems, lateral movement from VPN entry points, and mass file enumeration.
  5. Prepare for the second SOCRadar white paper. SOCRadar has stated a second technical white paper containing IOCs, attribution evidence, and additional technical analysis will be released. Designate a team member to monitor for publication and integrate new IOCs into detection systems.

5. Indicators of compromise

Type Value Confidence Source
username adminin High — directly observed by SOCRadar BleepingComputer (external-1)
tool_name FortiGate Sniffer High — identified by SOCRadar STRU BleepingComputer (external-1, corpus-2)
tool_language Golang High — confirmed by Dark Reading Dark Reading (corpus-6)
campaign_name FortiBleed High — multi-source Multiple sources
target_count 430,000+ FortiGate firewalls High — SOCRadar assessment BleepingComputer (external-1), The Hacker News (corpus-5)
compromised_devices ~19,000 (reduced to ~11,000 after notification) High — SOCRadar assessment BleepingComputer (external-1)
credential_count 110 million credentials; 86,000 confirmed working High — multi-source Dark Reading (corpus-6), SecurityWeek (corpus-1, corpus-3)
operational_servers ~500 identified; 200+ additional Medium — SOCRadar assessment, single-sourced BleepingComputer (external-1)
actor_size ~20 members with defined roles Medium — SOCRadar assessment, single-sourced BleepingComputer (external-1)
username  adminin
tool_name  FortiGate Sniffer
tool_language  Golang
campaign_name  FortiBleed

6. Detection

YARA rule

rule FortiBleed_Sniffer_Golang_Tool {
    meta {
        author = "Adverse Trace"
        date = "2026-07-02"
        reference = "https://www.bleepingcomputer.com/news/security/fortibleed-credential-theft-campaign-linked-to-lynx-ransomware/"
        description = "Detects the custom Golang-based FortiGate Sniffer tool used in the FortiBleed campaign"
    }
    strings:
        $sniffer_name = "FortiGate Sniffer" ascii nocase
        $golang_runtime = "Go runtime" ascii
        $fortigate_ref = "FortiGate" ascii nocase
        $vpn_cred = "VPN credential" ascii nocase
        $auth_data = "authentication data" ascii nocase
    condition:
        $sniffer_name and ($golang_runtime or $fortigate_ref) and ($vpn_cred or $auth_data)
}

Sigma rule

title: FortiBleed Backdoor Account adminin Created on FortiGate
id: AT-2026-07-02-221-sigma-01
status: experimental
description: Detects creation of the adminin backdoor account on FortiGate devices as observed in the FortiBleed campaign
references:

    - https://www.bleepingcomputer.com/news/security/fortibleed-credential-theft-campaign-linked-to-lynx-ransomware/
author: Adverse Trace
date: 2026/07/02
logsource:
    product: fortiGate
    feature: system
detection:
    selection:
        eventtype: "config-system-admin"
        action: "set"
        username: "adminin"
    condition: selection
falsepositives:

    - Legitimate admin account with similar naming (unlikely)
level: high
title: FortiBleed Sniffer Process on FortiGate Device
id: AT-2026-07-02-221-sigma-02
status: experimental
description: Detects execution of the custom Golang-based FortiGate Sniffer tool on FortiGate devices
references:

    - https://www.bleepingcomputer.com/news/security/fortibleed-credential-theft-campaign-linked-to-lynx-ransomware/
    - https://www.darkreading.com/cyberattacks-data-breaches/fortibleed-attackers-firewalls-credentials-stealers
author: Adverse Trace
date: 2026/07/02
logsource:
    product: fortiGate
    feature: process
detection:
    selection:
        cmdline|contains:

            - "FortiGate Sniffer"
            - "fortigate sniffer"
    condition: selection
falsepositives:

    - Legitimate FortiGate diagnostic tools (unlikely to match exact string)
level: high

7. Sources

  • BleepingComputer — FortiBleed credential-theft campaign linked to Lynx ransomware — https://www.bleepingcomputer.com/news/security/fortibleed-credential-theft-campaign-linked-to-lynx-ransomware/ — 2026-07-01
  • BleepingComputer — FortiBleed campaign used custom FortiGate sniffer to steal credentials — https://www.bleepingcomputer.com/news/security/fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials/ — 2026-06
  • SecurityWeek — Fortinet Responds to FortiBleed Campaign — https://www.securityweek.com/fortinet-responds-to-fortibleed-campaign/ — 2026-06
  • SecurityWeek — FortiBleed: 86,000 Fortinet Device Credentials Compromised — https://www.securityweek.com/fortibleed-86000-fortinet-device-credentials-compromised/ — 2026-06
  • Help Net Security — What the FortiBleed campaign means for organizations running FortiGate firewalls — https://www.helpnetsecurity.com/2026/06/23/fortibleed-investigation-remediation/ — 2026-06-23
  • The Hacker News — FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation — https://thehackernews.com/2026/06/fortibleed-targeted-fortigate-firewalls.html — 2026-06
  • Dark Reading — FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist — https://www.darkreading.com/cyberattacks-data-breaches/fortibleed-attackers-firewalls-credentials-stealers — 2026-06

8. Adverse Trace position

This is a high-severity advisory for any EMEA financial services organisation running internet-accessible FortiGate firewalls or VPN concentrators. The campaign's scale — 430,000 devices targeted, 19,000 sniffers deployed, 86,000 confirmed working credentials — combined with the direct evidence linking the operation to INC and Lynx ransomware negotiation panels, creates a credible and immediate pathway from perimeter credential theft to ransomware deployment. The presence of the adminin backdoor account provides a concrete detection vector that defenders can act on immediately. Attribution to INC/Lynx is single-sourced (SOCRadar STRU only) and the named actors have no MITRE ATT&CK profiles — treat the ransomware linkage as strongly indicated but unconfirmed pending SOCRadar's second white paper. The suspected Nextcloud zero-day is noted but technical details are unavailable; we are not assessing its severity. Adverse Trace will monitor for the pending SOCRadar white paper and issue a follow-up advisory with additional IOCs and attribution evidence upon publication. Clients with confirmed FortiGate compromise should treat this as a potential DORA major ICT-related incident and prepare for reporting to competent authorities under DORA Art. 19.


Read the original source →

Published via PulseTrace — Adverse Trace threat intelligence.

Post this to LinkedIn
Formatting is converted automatically — headings, bullets, a link back & hashtags. Paste straight in.
J
Jeff Davies