🔴 Critical  |  Source: The Hacker News


A large-scale credential theft campaign targeting Fortinet FortiGate devices, dubbed ‘FortiBleed’, has been directly linked to the INC and Lynx ransomware groups. Stolen credentials are being harvested and fed into ransomware deployment pipelines, with one operator confirmed to be managing negotiation panels for both groups simultaneously. This confirms FortiBleed is not opportunistic scanning but a structured, financially motivated operation with ransomware as the end goal.

Security Architect’s Take: Audit all FortiGate device credentials immediately and rotate any that may have been exposed; prioritise checking for unauthorised VPN or management-plane access using those credentials. Review FortiGate firmware versions across your estate, ensure every device is patched, and make sure none is reachable from the internet without strong authentication controls such as MFA.
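As an added example (not from the original advisory or from Fortinet), the following Python shows one way to run the access check above over exported FortiGate event logs: it flags successful admin logins and SSL VPN tunnel-ups by possibly exposed accounts when they come from outside expected networks. The field names (`user`, `srcip`, `remip`, `action`, `status`, `subtype`) assume the FortiOS key=value log layout, and the account list, networks and log lines are constructed.

```python
import ipaddress
import shlex

# Assumptions: accounts whose credentials may have been exposed, and the
# networks legitimate logins are expected from. Replace with your own.
EXPOSED_USERS = {"admin", "jsmith"}
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Constructed sample lines (not real logs) in key=value form.
SAMPLE_LOGS = [
    'date=2025-01-10 time=02:14:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=203.0.113.45 action="login" status="success"',
    'date=2025-01-10 time=08:30:11 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.1.2.3 action="login" status="success"',
    'date=2025-01-10 time=09:02:50 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed"',
    'date=2025-01-10 time=03:41:19 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="jsmith" remip=198.51.100.20 action="tunnel-up"',
    'date=2025-01-10 time=10:05:00 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="mlee" remip=198.51.100.99 action="tunnel-up"',
]

def parse_line(line):
    """Split a key=value log line into a dict, honouring quoted values."""
    pairs = (tok.partition("=") for tok in shlex.split(line))
    return {key: value for key, sep, value in pairs if sep}

def is_expected(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # missing or malformed address is treated as unexpected
    return any(ip in net for net in EXPECTED_NETS)

def suspicious_logins(lines):
    """Return (timestamp, kind, user, source) for exposed accounts that
    logged in successfully from outside the expected networks."""
    findings = []
    for line in lines:
        f = parse_line(line)
        # Field names and values below are assumed from the key=value layout.
        admin_ok = (f.get("subtype") == "system" and f.get("action") == "login"
                    and f.get("status") == "success")
        vpn_up = f.get("subtype") == "vpn" and f.get("action") == "tunnel-up"
        if not (admin_ok or vpn_up) or f.get("user") not in EXPOSED_USERS:
            continue
        src = f.get("srcip") or f.get("remip", "")
        if not is_expected(src):
            when = f"{f.get('date', '')} {f.get('time', '')}"
            findings.append((when, "admin" if admin_ok else "vpn", f["user"], src))
    return findings

if __name__ == "__main__":
    for finding in suspicious_logins(SAMPLE_LOGS):
        print(finding)
```

Any hit is a lead to correlate with the credential rotation time and the owner of the account, not proof of compromise on its own.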

Original advisory: FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations