The Hacker News

FortiBleed Campaign Linked to INC and Lynx Ransomware

The financially motivated FortiBleed campaign has been definitively linked to the INC and Lynx ransomware operations, with evidence suggesting that the stolen credentials were intended for subsequent network intrusions. Analysis of the campaign's infrastructure revealed an operator actively participating in negotiation panels for both INC and Lynx, directly connecting the mass theft of FortiGate credentials to ransomware deployment.

This attribution was detailed in a recent security advisory, which highlighted the sophisticated nature of the attack. The FortiBleed campaign specifically targeted FortiGate devices, a popular firewall solution, to exfiltrate valid user credentials. The subsequent use of these credentials by INC and Lynx indicates a coordinated effort to leverage initial access gained through credential theft for more damaging ransomware attacks.

The advisory further elaborated on the operational tactics, techniques, and procedures (TTPs) employed by the threat actors. The direct link between the credential harvesting and the ransomware groups suggests a high degree of collaboration or shared infrastructure. This connection underscores the evolving threat landscape where initial access brokers and ransomware gangs are increasingly intertwined, facilitating more efficient and impactful cyberattacks.

Security researchers emphasized that the stolen credentials could grant attackers privileged access to victim networks, bypassing traditional perimeter defenses. The implication is that organizations relying on FortiGate devices must remain vigilant: they should ensure their authentication mechanisms are robust and immediately investigate and remediate any signs of credential compromise to prevent further exploitation by ransomware groups like INC and Lynx.
