The threat actors behind FortiBleed — a massive credential-harvesting campaign targeting Fortinet FortiGate firewalls — are now confirmed working with Inc Ransom and Lynx ransomware gangs. SOCRadar researchers caught a single operator logged into both groups' ransom negotiation panels while using infrastructure tied directly to FortiBleed.
The campaign has compromised roughly 12,000 active FortiGate devices, with credentials stolen from over 30,000. Of 409 targets where attackers gained admin access, 354 saw the full attack chain executed — VPN breach, domain controller access, domain admin. At least 12 ransomware deployments have been confirmed. SOCRadar also flagged an unpatched Nextcloud zero-day being actively exploited by the same group.
Source: Dark Reading