The FortiBleed credential theft campaign has been connected to Lynx ransomware and the INC operation, indicating stolen Fortinet credentials are being weaponized for network intrusions.
Security researchers have established a direct link between the FortiBleed credential theft campaign and Lynx ransomware operations, along with activity tied to the INC group. The connection reveals that threat actors obtained Fortinet credentials through FortiBleed and are leveraging them to compromise networks.
FortiBleed refers to a widespread campaign targeting Fortinet systems to steal authentication credentials. The scale of the operation made it one of the largest credential theft efforts in recent months, affecting numerous organizations across multiple sectors.
The linkage to Lynx ransomware suggests the stolen credentials serve as an entry point for ransomware deployment. Threat actors typically use compromised credentials to establish initial access, move laterally through networks, and eventually deploy ransomware for extortion.
The involvement of the INC operation in this chain indicates coordination or overlap between different threat actors. Such connections are common in the ransomware ecosystem, where initial access brokers sell or share credentials with ransomware operators.
Organizations running Fortinet products are advised to audit their authentication logs and review access patterns for suspicious activity. Standard mitigation measures include implementing multi-factor authentication, resetting credentials for potentially compromised accounts, and monitoring for lateral movement within networks.
The discovery underscores the critical importance of credential security. Stolen authentication details remain among the most valuable assets for attackers, offering a direct pathway to internal networks without triggering initial compromise detection systems.
Fortinet has not yet issued specific guidance regarding this threat linkage. Organizations should monitor vendor advisories and coordinate with their security teams to assess exposure and remediation priorities.
Progress Software is alerting ShareFile customers running Storage Zone Controllers to immediately shut down their servers due to a credible external security threat targeting the on-premises file-sharing platform.
A US court sentenced Angelo Martino, a former ransomware negotiator, to 70 months in prison for colluding with the BlackCat ransomware gang to extort $75.3 million from five of his employer's clients.
A Florida-based ransomware negotiator has been convicted for assisting a notorious ransomware gang in extorting U.S. companies. This marks the third negotiator jailed for facilitating ransom payments to hackers.
Attackers are actively exploiting a critical authentication bypass in Gitea's official Docker image that enables user impersonation, including administrator accounts. The vulnerability affects the self-hosted Git service.