    FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

By admin | July 2, 2026

    The recently discovered financially-motivated FortiBleed campaign has been attributed to INC and Lynx ransomware operations, indicating that the verified, stolen credentials were intended for follow-on intrusions.

    “An operator tied to FortiBleed’s infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment for the first time,” SOCRadar said in a new report published Wednesday.

    The company said it tracked scanning activity against approximately 11,250 FortiGate portals in more than 150 countries, followed by confirmed admin-level access on 409 targets and successful completion of the full attack chain on 354 of them. In all, at least 12 ransomware deployments have resulted from this access, causing hundreds of endpoints to be encrypted across affected organizations.

    The large-scale credential-harvesting operation, which came to light last month, involved the threat actors systematically scanning the internet for exposed Fortinet devices, attempting to break into them using known credential combinations, and then deploying custom packet sniffers to passively gather credentials and other authentication data from network traffic.

    The campaign is assessed to have targeted 430,000 FortiGate firewalls globally, gathering over 110 million credentials in the process. The activity was exposed after an operational security error on the part of the attackers left a server containing credentials stolen from thousands of Fortinet appliances exposed on the internet.

    The Golang sniffer is estimated to have been installed on about 12,000 Fortinet devices, making it a subset of the total number of networking gear targeted.

    The latest findings from SOCRadar show that an operator with access to FortiBleed infrastructure was found logged in to both INC Ransom and Lynx negotiation panels, with victims listed by INC Ransom overlapping with data from the campaign. The links are based on one of the 200 newly discovered servers associated with the FortiBleed infrastructure that granted visibility into internal files, logs, and operational documentation.

Ensar Seker, chief information security officer at SOCRadar, told The Hacker News via email that the exposed server functioned as a staging and operational coordination server, and was not used for phishing or active credential collection.

    “It contained target inventories, harvested data, automation scripts, configuration files, and operational artifacts that indicate it was used to coordinate large-scale credential harvesting against internet-facing network appliances,” Seker said. “In other words, it served as part of the attackers’ backend infrastructure rather than the infrastructure victims directly interacted with.”

    Tooling, logs, and working hours indicate that the activity is the work of a Russian-speaking threat actor who likely operates as an initial access broker. Much of the targeting has singled out manufacturing, technology, and logistics sectors in Latin America and the Asia Pacific regions.

    SOCRadar also said it discovered an internal document that indicates it’s an organized operation comprising about 20 people with a clear division of labor. “A small core of lead operators drives most high-impact intrusions, backed by specialists and support staff,” it added.

    In addition, the threat actors are believed to be in possession of at least one zero-day vulnerability in Nextcloud. The threat intelligence firm said it’s actively coordinating with the affected vendor.

    The Delaware-based company said it also identified Citrix-related artifacts that indicate the activity is likely targeting beyond Fortinet devices. The identified infrastructure included a dedicated target list containing about 29,000 IP addresses and 37 domains associated with Citrix environments. This suggests the automated workflow may be repurposed for other remote access technologies.

    “At this stage, the presence of these target lists does not conclusively prove that credential harvesting against Citrix devices has already occurred at scale,” Seker explained. “Rather, it demonstrates clear reconnaissance and targeting preparations.”

“However, given the sophistication of the infrastructure and the operators’ proven ability to automate credential collection against Fortinet devices, organizations using internet-facing Citrix infrastructure should treat this as an early warning and verify authentication logs, rotate exposed credentials where appropriate, enforce MFA, and monitor for anomalous login activity.”
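As a starting point for the authentication-log review recommended above, the following is an added example (not code from SOCRadar or from the report) that flags successful admin logins preceded by a burst of failures from the same source, the pattern the credential-stuffing stage of this campaign would leave behind, or coming from a source outside an assumed management allowlist. It assumes key=value event lines in the general shape of FortiGate admin login events; the sample lines, the allowlist and the thresholds are all constructed.

```python
"""Flag credential-stuffing patterns in FortiGate-style admin login events.

Added example, not from SOCRadar or the report. Assumes key=value event
lines carrying date, time, action, status, user and srcip fields; the log
sample, allowlist and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: four failures then a success from one source within
# seconds, and a routine success from an assumed management host.
SAMPLE_LOG = """\
date=2026-07-01 time=02:14:01 action="login" status="failed" user="admin" srcip=198.51.100.7 reason="passwd_invalid"
date=2026-07-01 time=02:14:03 action="login" status="failed" user="admin" srcip=198.51.100.7 reason="passwd_invalid"
date=2026-07-01 time=02:14:05 action="login" status="failed" user="admin" srcip=198.51.100.7 reason="passwd_invalid"
date=2026-07-01 time=02:14:07 action="login" status="failed" user="admin" srcip=198.51.100.7 reason="passwd_invalid"
date=2026-07-01 time=02:14:09 action="login" status="success" user="admin" srcip=198.51.100.7
date=2026-07-01 time=09:00:00 action="login" status="success" user="admin" srcip=10.0.0.5
"""

KNOWN_ADMIN_SOURCES = {"10.0.0.5"}  # assumed allowlist of management hosts
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')  # key=value or key="value"

def parse_line(line):
    """Return the key=value pairs of one event line as a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}

def find_suspicious_logins(text, max_failures=3, window_s=300):
    """Return (srcip, user, reason) for each successful login that follows
    >= max_failures failures from the same source within window_s seconds,
    or that comes from a source outside KNOWN_ADMIN_SOURCES."""
    failures = defaultdict(list)  # srcip -> timestamps of failed logins
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login":
            continue
        ts = datetime.fromisoformat(f'{ev["date"]} {ev["time"]}')
        src = ev["srcip"]
        if ev.get("status") == "failed":
            failures[src].append(ts)
            continue
        recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= max_failures:
            findings.append((src, ev["user"], f"success after {len(recent)} failures"))
        elif src not in KNOWN_ADMIN_SOURCES:
            findings.append((src, ev["user"], "success from unknown source"))
    return findings
```

Feeding real exports into the same function only requires that the field names match; a success with no preceding failures from an unlisted source is reported separately so that single-shot logins with already-harvested credentials are not missed.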

    The disclosure comes as eSentire said it observed threat actors exploiting a flaw in Fortinet FortiClient EMS (CVE-2026-35616, CVSS score: 9.1) to deploy an information stealer called EKZ Stealer against a customer in the energy, utilities, and waste sector with the end goal of harvesting credentials from Chromium-based browsers and Firefox and exfiltrating them via PowerShell. 
