FortiBleed Links Credential Theft To Ransomware

For years, ransomware dominated headlines because of its disruptive impact on organizations. However, the attackers behind today's most successful campaigns rarely perform every stage of an intrusion themselves. Instead, a sophisticated cybercrime supply chain has emerged in which specialist groups focus on individual phases of an attack before selling access to others.

FortiBleed Links Credential Theft To Ransomware

The FortiBleed campaign demonstrates how mature this criminal ecosystem has become. What initially appeared to be a large-scale credential theft operation has evolved into compelling evidence of collaboration between an Initial Access Broker (IAB) and two established ransomware-as-a-service (RaaS) operations, INC and Lynx. Rather than simply stealing credentials for resale, the campaign illustrates how compromised network access has become a valuable commodity that fuels ransomware deployment on a global scale.

The investigation, conducted by SOCRadar's Threat Research Unit (STRU) and reported by Dark Reading, shows that organizations should no longer view credential theft as an isolated security incident. Instead, it should be treated as an early warning indicator of a potentially devastating ransomware attack.

Initial Access Brokers have become an indispensable part of today's cybercriminal economy. Their business model focuses on obtaining privileged access to corporate environments before selling that access to ransomware operators, espionage groups, or data extortion criminals. FortiBleed represents one of the most sophisticated examples of this model.

Researchers estimate the campaign targeted more than 430,000 internet-facing FortiGate firewalls across almost 200 countries. Using a custom Golang tool known as FortigateSniffer, attackers transformed compromised firewalls into passive credential collectors capable of intercepting authentication traffic across 24 different protocols.

Rather than deploying traditional malware across endpoints, the attackers abused legitimate FortiOS diagnostic functionality to quietly monitor authentication traffic. The technique allowed them to collect credentials, Kerberos tickets, NTLM hashes, session cookies, and identity information while remaining significantly more difficult to detect.

This approach demonstrates an important shift in attacker methodology. Instead of immediately encrypting systems or deploying destructive malware, the attackers invested time in harvesting identities that could provide persistent access into enterprise environments.

The scale of the campaign is remarkable. SOCRadar identified approximately 659 credential harvesting pipelines that collectively captured more than 110 million credentials. These credentials extend well beyond Fortinet administration accounts and include authentication material used throughout enterprise environments.

The attack chain followed a disciplined progression:

  • Reconnaissance and target prioritization
  • Credential stuffing and brute-force attacks against exposed FortiGate interfaces
  • Deployment of FortigateSniffer to capture authentication traffic
  • Credential validation, privilege escalation, and lateral movement
  • Data theft and preparation for ransomware or resale

Unlike opportunistic attacks, FortiBleed reflects careful operational planning designed to maximize the financial value of every compromise.

Small and medium-sized businesses represented a significant proportion of victims, particularly organizations with fewer than 200 employees. However, high-value targets included defense contractors, IT service providers, and organizations operating critical infrastructure, demonstrating that the campaign prioritized organizations capable of providing valuable downstream access.

The latest phase of the investigation provides perhaps the strongest evidence yet that credential harvesting now directly supports ransomware operations.

During continued infrastructure analysis, SOCRadar discovered an operational security mistake made by the FortiBleed operators. That lapse provided researchers with access to internal files, operational documentation, and system logs that revealed how the campaign functioned behind the scenes.

Most significantly, researchers observed an operator connected to FortiBleed infrastructure simultaneously logged into the ransom negotiation portals used by both INC Ransom and Lynx. This finding represents far more than circumstantial evidence.

Researchers also identified overlapping victim datasets between FortiBleed infrastructure and INC Ransom operations, while internal tracking documents recorded compromised credentials, accessed networks, privilege levels, and whether ransomware had ultimately been deployed.

The recovered documentation indicated a highly organized operation consisting of roughly twenty individuals performing specialized roles throughout the intrusion lifecycle. Rather than acting as isolated criminals, the operators appeared to function much like a legitimate enterprise with dedicated technical specialists, operational support staff, and senior operators responsible for the highest-value compromises.

Ransomware Has Become an Industrial Supply Chain

Perhaps the most significant lesson from FortiBleed is that ransomware should no longer be viewed as a standalone threat. Modern ransomware increasingly resembles an industrial supply chain in which specialist organizations perform discrete services before handing work to another criminal group.

The ecosystem now commonly includes:

  • Initial Access Brokers that compromise organizations.
  • Credential harvesting specialists that build large repositories of enterprise identities.
  • Malware developers that maintain ransomware platforms.
  • Negotiation specialists that conduct extortion activities.
  • Money laundering networks that distribute criminal proceeds.

This specialization improves efficiency for every participant while allowing ransomware groups to focus on encryption, extortion, and negotiation instead of investing resources into gaining initial access.

FortiBleed illustrates this model almost perfectly. The credential harvesting campaign appears to supply access that downstream ransomware operators can purchase and weaponize when the timing suits their objectives. For defenders, this means an organization may experience weeks or months between the initial compromise and eventual ransomware deployment.

Traditionally, organizations have viewed firewalls primarily as defensive infrastructure. FortiBleed demonstrates that attackers increasingly view them as offensive platforms capable of providing privileged visibility into enterprise authentication.

By compromising edge security appliances rather than endpoints, attackers gain several advantages.

First, authentication traffic naturally passes through perimeter devices, allowing credentials to be collected without deploying malware across hundreds of endpoints.

Second, trusted security appliances often receive less behavioral monitoring than workstations or servers, making malicious activity harder to identify.

Finally, privileged network positioning allows attackers to observe authentication across multiple systems simultaneously while maintaining persistence.

This evolution challenges traditional assumptions about perimeter security. Organizations that focus endpoint detection exclusively on laptops and servers may overlook the growing importance of continuously monitoring network infrastructure itself. One of the most important observations from security researchers is that credential theft should never be treated as a completed incident.

Security leaders should prioritize several defensive actions immediately following any suspected FortiGate compromise:

  • Rotate all VPN, administrator, and privileged credentials.
  • Enforce phishing-resistant multifactor authentication wherever possible.
  • Remove management interfaces from direct Internet exposure.
  • Review authentication logs for abnormal geographic access, unusual login times, and credential reuse.
  • Continuously monitor privileged accounts for evidence of lateral movement long after the initial compromise appears contained.

Because stolen credentials may circulate through underground markets for months, organizations should assume that attackers will continue attempting to monetize previously harvested identities well after the original intrusion.

FortiBleed demonstrates that cybercrime continues to evolve toward specialization, collaboration, and operational efficiency. The campaign no longer represents simply another credential theft operation targeting exposed firewalls. Instead, it provides compelling evidence that large-scale identity harvesting has become an integral component of the ransomware economy.

The confirmed operational overlap between FortiBleed infrastructure and the INC and Lynx ransomware groups highlights how Initial Access Brokers increasingly function as suppliers within a broader criminal ecosystem. Their role is to obtain trusted access at scale, validate that access, and pass it to downstream operators who monetize it through ransomware or data extortion.

Share:

facebook
X (Twitter)
linkedin
copy link
Karolis Liucveikis

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.

▼ Show Discussion

PCrisk security portal is brought by a company RCS LT.

Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Donate