general · BleepingComputer
A credential-theft campaign dubbed "FortiBleed" has been linked to members of the INC and Lynx ransomware-as-a-service groups. Researchers discovered an exposed server containing credentials stolen from more than 73,000 Fortinet devices, along with downloaded FortiGate configuration files and infrastructure for cracking password hashes. Investigation revealed attackers deployed a custom packet-sniffing tool called "FortiGate Sniffer" on compromised FortiGate firewalls to intercept VPN credentials and authentication data from network traffic. SOCRadar's analysis of a Windows server associated with the FortiBleed infrastructure identified browser sessions accessing administration panels for both ransomware groups' negotiation dashboards, providing evidence that individuals with access to FortiBleed infrastructure were also involved with the ransomware operations. The operation is believed to consist of roughly 20 members with defined roles and targeted over 430,000 FortiGate firewalls worldwide, with traffic sniffers deployed on approximately 19,000 devices.
Defense contractors and other organizations managing Fortinet infrastructure and handling CUI or sensitive network access must immediately audit FortiGate firewall configurations, VPN credentials, and authentication logs to detect potential compromise. Organizations subject to NIST 800-171, CMMC, or similar standards should treat stolen VPN credentials as potential indicators of advanced network intrusion and assume defense-in-depth controls (segmentation, monitoring, multi-factor authentication) may be insufficient if perimeter devices were compromised. Healthcare providers and regulated entities should review whether compromised credentials could enable lateral movement to systems handling protected health information or other regulated data. An Omniware engagement can scope threat-hunting activities, credential rotation procedures, and detection strategy in detail.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/fortibleed-credential-theft-campaign-linked-to-lynx-ransomware/
Source: BleepingComputer
All briefings