defense · TheHackerNews
Security researchers at SOCRadar have attributed the FortiBleed credential-theft campaign to operators working with INC Ransom and Lynx ransomware groups. The campaign scanned approximately 11,250 FortiGate portals across 150+ countries, achieving admin-level access on 409 targets and completing the full attack chain on 354 of them, resulting in at least 12 confirmed ransomware deployments. An exposed operational server revealed that a single operator maintained access to negotiation panels for both ransomware groups, directly linking credential theft to subsequent intrusions. The broader campaign targeted an estimated 430,000 FortiGate firewalls globally and harvested over 110 million credentials using custom packet sniffers deployed on approximately 12,000 devices. SOCRadar assessed the operation as Russian-speaking, organized, and comprising roughly 20 people. Reconnaissance artifacts also suggest preparation for targeting Citrix environments, though large-scale credential harvesting against Citrix has not yet been confirmed.
Organizations managing internet-facing Fortinet and Citrix infrastructure should treat this as a direct threat vector for initial compromise leading to ransomware deployment. Defense contractors handling CUI on FortiGate devices, SaaS platforms with remote access technologies, and healthcare providers relying on Fortinet appliances should immediately verify authentication logs, rotate credentials, and enforce multi-factor authentication. The campaign's success in obtaining admin-level access underscores the criticality of CMMC Level 3 compliance requirements around access controls and credential management for defense vendors. An Omniware engagement can scope asset inventory, access-control hygiene, and detection-response readiness across your Fortinet and Citrix deployments.
Source: The Hacker News - https://thehackernews.com/2026/07/fortibleed-credential-theft-linked-to.html
Source: TheHackerNews
All briefings