FortiBleed Malware Campaign Linked to INC Ransom
New findings about the FortiBleed campaign show it was more than a credential-harvesting operation: researchers now attribute it to the Lynx/INC ransomware group, which the security community also tracks as INC Ransom.
Uncovering the Attack Infrastructure
According to a SOCRadar report, the campaign operators left an operational server exposed, and the files on it described their infrastructure. Analyzing that data let SOCRadar gauge the operation's scale: 86,644 compromised FortiGate devices, more than 80,000 unique IP addresses, 22,405 domains and 194 countries.
The Link to Ransomware Operators
Until now, the main questions about FortiBleed concerned the breach's scale and the initial access vector into Fortinet devices. The new report identifies the likely perpetrators. Lynx/INC is a ransomware group active since 2023 that targets enterprise networks in healthcare, education, government and industrial sectors, mostly in North America and Europe.
Exploiting Historical Data Over New Flaws
FortiBleed did not exploit a new, undisclosed vulnerability. The operators took passwords from historical breaches and infostealer logs and tried them against internet-facing FortiGate devices, classic credential stuffing. Once a login worked, they turned the gateway into a listening post: with control of the device they could watch SSL VPN traffic and harvest fresh credentials from it continuously, which is why every account that used the VPN during the compromise window must be treated as exposed.
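To make that pattern concrete, here is an added example (not from the SOCRadar report or this article) that scans FortiGate-style login events for the credential-stuffing signature described above: several different usernames tried from one source address, a login that then succeeds from the same source, and any successful login to the built-in admin account. The log lines are constructed; the field and action names follow FortiOS's key=value event-log format, but the exact action and status strings vary between FortiOS versions and are an assumption here, as is the threshold of three usernames.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style key=value event logs (not from the SOCRadar dataset).
# Field names follow FortiOS's event-log layout; the action/status strings differ
# between FortiOS versions and are assumptions, so adjust them to what your own
# devices emit. Each line is one SSL VPN or administrator login event.
SAMPLE_LOGS = """\
date=2025-01-10 time=03:14:01 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="alice" reason="sslvpn_login_permission_denied" msg="SSL user failed to log in"
date=2025-01-10 time=03:14:03 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="bob" reason="sslvpn_login_permission_denied" msg="SSL user failed to log in"
date=2025-01-10 time=03:14:05 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.10 user="carol" reason="sslvpn_login_permission_denied" msg="SSL user failed to log in"
date=2025-01-10 time=03:14:09 type="event" subtype="vpn" level="information" action="ssl-login" tunneltype="ssl-web" remip=203.0.113.10 user="dave" msg="SSL user login success"
date=2025-01-10 time=08:02:33 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" status="success" msg="Administrator admin logged in successfully from https(198.51.100.7)"
date=2025-01-10 time=09:15:12 type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" remip=192.0.2.5 user="alice" reason="sslvpn_login_permission_denied" msg="SSL user failed to log in"
date=2025-01-10 time=09:15:40 type="event" subtype="vpn" level="information" action="ssl-login" tunneltype="ssl-web" remip=192.0.2.5 user="alice" msg="SSL user login success"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# FortiGate ships with the built-in "admin" account; add any other default or
# system accounts your fleet uses to this set.
DEFAULT_ACCOUNTS = {"admin"}

# Distinct usernames tried from one source before it counts as credential stuffing
# rather than one user mistyping a password. Assumed threshold; tune it.
STUFFING_THRESHOLD = 3


def parse_line(line):
    """Turn one FortiGate key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def outcome(event):
    """Classify an event as 'fail', 'success' or None (not a login event)."""
    action = event.get("action", "")
    status = event.get("status", "")
    if action == "ssl-login-fail" or (action == "login" and status == "failed"):
        return "fail"
    if action == "ssl-login" or (action == "login" and status == "success"):
        return "success"
    return None


def analyze(log_text):
    """Return (source_ip, finding, users) tuples: many usernames tried from one
    source, a success following that spray, and logins to default accounts."""
    per_src = defaultdict(lambda: {"fail_users": set(), "success_users": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        result = outcome(event)
        if result is None:
            continue
        # SSL VPN events carry the client address in remip, admin logins in srcip.
        src = event.get("remip") or event.get("srcip") or "unknown"
        user = event.get("user", "unknown")
        per_src[src]["fail_users" if result == "fail" else "success_users"].add(user)

    findings = []
    for src, rec in sorted(per_src.items()):
        tried, succeeded = rec["fail_users"], rec["success_users"]
        if len(tried) >= STUFFING_THRESHOLD:
            if succeeded:
                # A breach-dump password worked: rotate it, and treat every VPN
                # session that went through this gateway since as observed.
                findings.append((src, "stuffing-validated", sorted(succeeded)))
            else:
                findings.append((src, "stuffing", sorted(tried)))
        defaults = succeeded & DEFAULT_ACCOUNTS
        if defaults:
            findings.append((src, "default-account-login", sorted(defaults)))
    return findings


if __name__ == "__main__":
    for src, kind, users in analyze(SAMPLE_LOGS):
        print(f"{src:16} {kind:22} {' '.join(users)}")
```

On the sample, 203.0.113.10 is reported as stuffing that ended in a valid login for dave, 198.51.100.7 as a login to the built-in admin account, and 192.0.2.5 (one user, one typo, then success) is not reported. Point it at a syslog export or the output of the FortiGate log download and raise the threshold if your user base produces legitimate multi-account sources such as a shared NAT gateway.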
The Danger of Poor Password Hygiene
SOCRadar stresses that updating firmware alone did not fix the problem for many organizations: a device whose password the attackers already hold remains open to re-entry whether or not it is patched. That was the case wherever victims had not rotated passwords after earlier incidents. The dataset also contained many default Fortinet administrative and system accounts, which points to poor password hygiene across a large share of the victims.
Impacted Sectors and Remediation Steps
Heavily impacted sectors include telecommunications, government agencies, financial institutions, hospitals, universities, energy providers and large enterprises. The data contained 591 records tied to 111 distinct government domains, and the telecommunications sector alone accounted for 5,616 compromised records.
Immediate Actions for Defense
Organizations running FortiGate with SSL VPN should act now. Change every administrator and VPN user password, and do it after patching rather than instead of it, since a known password survives a firmware update. Enable two-factor authentication for administrators and VPN users. Review login logs for suspicious activity, in particular bursts of failed logins for many different usernames from one source and any login to default accounts. Restrict external access to the management interface, and apply the latest firmware. If your device appears in the FortiBleed dataset, assume the perimeter is compromised, including any credentials that passed through the VPN while the attackers held the device, and start a full incident response investigation.
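The configuration side of those steps, as an added example (not the article's or Fortinet's own code): a small Python audit over a FortiOS-style config export that reports administrator accounts without trusted-host restrictions or two-factor authentication, the built-in admin account, and management protocols enabled on a WAN interface, then shows the same excerpt after hardening. Both config excerpts are constructed; the setting names (system admin, trusthost, two-factor, allowaccess, role) are FortiOS's, but verify them against your own firmware's exported configuration.

```python
import shlex

# Constructed FortiOS-style configuration excerpt in the layout of a CLI `show`
# or backup export. Account names and addresses are made up; the keywords are
# FortiOS settings but should be checked against your firmware's own export.
WEAK_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set accprofile "super_admin"
        set two-factor fortitoken
        set password ENC REDACTED
    next
    edit "backup-admin"
        set accprofile "super_admin"
        set password ENC REDACTED
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "port2"
        set allowaccess ping https ssh
        set role lan
    next
end
"""

# The same excerpt after remediation: the built-in account is gone, every
# administrator has a trusted-host restriction and two-factor enabled, and the
# WAN interface no longer answers HTTPS/SSH. The fortitoken serials a real
# config would also carry are omitted.
HARDENED_CONFIG = """\
config system admin
    edit "ops-admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set accprofile "super_admin"
        set two-factor fortitoken
        set password ENC REDACTED
    next
    edit "backup-admin"
        set trusthost1 10.0.0.5 255.255.255.255
        set accprofile "super_admin"
        set two-factor fortitoken
        set password ENC REDACTED
    next
end
config system interface
    edit "wan1"
        set allowaccess ping
        set role wan
    next
    edit "port2"
        set allowaccess ping https ssh
        set role lan
    next
end
"""

MANAGEMENT_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_fortios_config(text):
    """Parse config/edit/set/next/end lines into {section: {entry: {key: values}}}."""
    sections, section_stack, entry_stack = {}, [], []
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())      # handles the quoted entry names
        if not tokens or tokens[0].startswith("#"):
            continue
        kw = tokens[0]
        if kw == "config":                      # open a (possibly nested) table
            section_stack.append(" ".join(tokens[1:]))
            entry_stack.append(None)
            sections.setdefault(section_stack[-1], {})
        elif kw == "edit":                      # open one entry in the table
            entry_stack[-1] = tokens[1]
            sections[section_stack[-1]].setdefault(tokens[1], {})
        elif kw == "set":
            sections[section_stack[-1]][entry_stack[-1]][tokens[1]] = tokens[2:]
        elif kw == "next":
            entry_stack[-1] = None
        elif kw == "end":
            section_stack.pop()
            entry_stack.pop()
    return sections


def audit(config):
    """Return (object, code, detail) findings for the weaknesses the article
    calls out. Settings absent from an export are at their defaults, so a
    missing two-factor line means it is disabled."""
    findings = []
    for name, s in config.get("system admin", {}).items():
        if name == "admin":
            findings.append((name, "default-account", "built-in admin account still present"))
        if (s.get("two-factor") or ["disable"])[0] == "disable":
            findings.append((name, "no-2fa", "two-factor authentication disabled"))
        if not any(k.startswith("trusthost") for k in s):
            findings.append((name, "no-trusthost", "login accepted from any source address"))
    for name, s in config.get("system interface", {}).items():
        exposed = set(s.get("allowaccess", [])) & MANAGEMENT_PROTOCOLS
        if (s.get("role") or [""])[0] == "wan" and exposed:
            findings.append((name, "wan-management",
                             "management protocols on WAN: " + " ".join(sorted(exposed))))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(parse_fortios_config(cfg))
        print(f"{label}: {len(findings)} finding(s)")
        for obj, code, detail in findings:
            print(f"  {obj:14} {code:16} {detail}")
```

The weak excerpt produces four findings (the built-in admin account, backup-admin without two-factor and without trusted hosts, and HTTPS/SSH on wan1); the hardened one produces none. Feed it a config backup from each device in your fleet; it does not replace the password rotation, which no configuration check can verify.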