FortiBleed True Scale: 430,000 Firewalls Targeted, INC and Lynx Linked

SOCRadar confirmed FortiBleed hit 430,000 FortiGate firewalls with sniffers on 19,000 devices, linking the operation to INC Ransom and Lynx ransomware groups.

    SOCRadar’s Threat Research Unit published an infrastructure analysis of FortiBleed revealing that the credential theft campaign targeted 430,000 FortiGate firewalls globally — six times the 74,000 figure reported in the initial June disclosure — with active credential-sniffing tools deployed on approximately 19,000 devices. That sniffer count has since dropped to 11,000 following Fortinet notifications to affected organizations. SOCRadar also confirmed a direct operational link between the FortiBleed infrastructure and two active ransomware operations: INC Ransom and Lynx, whose administration panels were both found in browser sessions on a Windows server identified as part of the FortiBleed infrastructure.

    The Scale Revelation: 430,000 Firewalls and a Criminal Operation Far Larger Than First Reported

    The full FortiBleed operation involves an estimated 500 attacker-controlled servers managed by a team of approximately 20 operators — a significantly larger criminal enterprise than the initial public disclosures suggested. The June 19 coverage reported credentials exposed from roughly 74,000 firewalls; SOCRadar’s infrastructure analysis placed the campaign’s actual targeting scope at 430,000 FortiGate devices globally. The distinction matters operationally: an organization that checked whether its FortiGate appeared in the initial 74,000-device disclosure and found no match should not treat that as a clean bill of health. The true targeting scope is six times larger, and the population of organizations that should be auditing their FortiGate authentication history is correspondingly larger.

    SOCRadar’s Method: Browser Sessions Revealing INC Ransom and Lynx Admin Panels

    The attribution connecting FortiBleed to INC Ransom and Lynx came from direct analysis of a Windows server identified as FortiBleed infrastructure. SOCRadar found browser sessions on that server actively accessing administration panels for both INC Ransom — a ransomware-as-a-service operation active since mid-2023 — and Lynx ransomware, which emerged in mid-2024 and is assessed by researchers to be INC operating under a different brand or as a closely affiliated operation. The presence of both groups’ admin panels in the same browser session on the same FortiBleed server is not coincidental: it confirms that the stolen FortiGate credentials are being fed directly into the ransomware monetization stage, with FortiBleed functioning as an initial access operation that supplies both INC and Lynx with entry points into victim networks.

    The 19,000 Active Sniffers and What FortiGate Credential Siphoning Looks Like in Practice

    Credential-sniffing tools deployed on 19,000 FortiGate devices mean that those devices are actively transmitting management credentials to attacker infrastructure as users and administrators authenticate. Fortinet’s notifications to affected organizations reduced the active sniffer count from 19,000 to approximately 11,000 — a drop that reflects organizations receiving the notification and taking action, but also confirms that roughly 11,000 devices remained actively compromised at the time of SOCRadar’s report. FortiGate credentials obtained through sniffing provide authenticated VPN access directly into corporate networks. Unlike phishing-based initial access, credential-supplied VPN authentication produces session events that are largely indistinguishable from legitimate remote access, making these intrusions harder to detect at the perimeter.

    FortiBleed as a Ransomware Pre-Positioning Infrastructure

    The SOCRadar analysis confirms that FortiBleed was not designed as a standalone credential trading operation. The direct personnel overlap between FortiBleed infrastructure and INC and Lynx ransomware administration — visible in the shared browser sessions on the FortiBleed Windows server — establishes that credential theft and ransomware deployment are integrated stages of a single criminal operation. Stolen FortiGate credentials provide INC and Lynx with authenticated VPN access to corporate networks at scale, which the ransomware groups then use for reconnaissance, lateral movement to high-value systems, and ultimately ransomware deployment.

    What Organizations in the FortiBleed Exposure Window Must Do Now

    The 430,000-device targeting scope means the population of organizations that should be treating themselves as potentially compromised is six times larger than initially understood. Organizations with FortiGate devices should rotate all management credentials immediately regardless of whether they appeared in any public disclosure, audit FortiGate authentication logs for the period spanning the FortiBleed campaign window for sessions from unexpected IP addresses or unusual timing, and review network monitoring logs for lateral movement indicators consistent with post-VPN-access reconnaissance. INC and Lynx operators conducting pre-ransomware reconnaissance typically access internal file shares, backup systems, and domain controller infrastructure — these are the specific network areas where detection indicators should be prioritized. Organizations that detect signs of unauthorized VPN access during the campaign window should initiate incident response procedures rather than credential rotation alone.
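    The authentication-log audit recommended above, as an added example that is not part of the original article and not SOCRadar's or Fortinet's tooling: a small Python script that parses FortiGate-style key=value VPN event lines and flags tunnel-up events whose source address falls outside an assumed set of expected ranges, that occur outside an assumed business-hours window, or that are a user's first login from a previously unseen address. The log lines, the expected source ranges and the business-hours window are all constructed assumptions; substitute exported FortiGate event logs and your own known egress ranges.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed FortiGate-style key=value event lines (not real log data).
# Field names follow the FortiOS syslog convention; every value is made up.
SAMPLE_LOGS = [
    'date=2025-06-20 time=09:12:41 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=198.51.100.10 tunneltype="ssl-web"',
    'date=2025-06-20 time=03:14:07 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=203.0.113.45 tunneltype="ssl-web"',
    'date=2025-06-21 time=14:02:13 type="event" subtype="vpn" action="tunnel-up" user="asmith" remip=198.51.100.22 tunneltype="ssl-web"',
    'date=2025-06-22 time=02:47:59 type="event" subtype="vpn" action="tunnel-up" user="admin" remip=192.0.2.77 tunneltype="ssl-web"',
    'date=2025-06-22 time=10:00:00 type="event" subtype="vpn" action="tunnel-down" user="jdoe" remip=198.51.100.10 tunneltype="ssl-web"',
]

# Assumption: the organization's known remote-access source ranges (corporate egress, partner sites).
EXPECTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
# Assumption: business hours in the log's timezone; logins outside this window count as unusual timing.
BUSINESS_START, BUSINESS_END = time(7, 0), time(20, 0)

# Matches key=value pairs; quoted values may contain spaces, bare values may not.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one FortiGate key=value log line into a dict of string fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        fields[key] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def audit_vpn_logins(lines, expected_sources=EXPECTED_SOURCES,
                     start=BUSINESS_START, end=BUSINESS_END):
    """Return (user, remip, timestamp, reasons) for each suspicious tunnel-up event.

    Three heuristics are applied to every successful VPN tunnel establishment:
    source address outside the expected ranges, login outside business hours,
    and a source address not previously seen for that user within the scanned data.
    """
    findings = []
    seen_ips = {}  # user -> set of source addresses already observed
    for line in lines:
        f = parse_line(line)
        if f.get("subtype") != "vpn" or f.get("action") != "tunnel-up":
            continue
        user, remip = f.get("user", "?"), f.get("remip")
        if remip is None:
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        addr = ipaddress.ip_address(remip)
        reasons = []
        if not any(addr in net for net in expected_sources):
            reasons.append("source outside expected ranges")
        if not (start <= ts.time() <= end):
            reasons.append("login outside business hours")
        prior = seen_ips.setdefault(user, set())
        if prior and remip not in prior:
            reasons.append("new source IP for user")
        prior.add(remip)
        if reasons:
            findings.append((user, remip, ts.isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, remip, ts, reasons in audit_vpn_logins(SAMPLE_LOGS):
        print(f"{ts} user={user} remip={remip}: {', '.join(reasons)}")
```

    The first-seen-address heuristic only knows what is in the lines it scans, so seed `seen_ips` from a baseline export taken before the campaign window, otherwise a compromised account's first login in the file looks clean. On the constructed data the script flags two events: the off-hours `jdoe` login from an address outside the expected range that also differs from that user's earlier source, and the pre-dawn `admin` login from an unexpected address. Either finding is a trigger for incident response, not for credential rotation alone.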
