Ethical Hacking News
FortiBleed is a financially motivated credential-theft campaign that has been linked to the INC and Lynx ransomware operations. According to recent reports, the actors behind it systematically scanned the internet for exposed Fortinet devices and then tried known username/password combinations against them, collecting working credentials for later intrusions. The scale of the activity has raised concern among security researchers and organizations worldwide.
The threat actors behind FortiBleed were observed working inside the negotiation panels of both the INC and Lynx ransomware operations, which indicates that the stolen credentials were meant for follow-on intrusions rather than resale alone. SOCRadar, a threat intelligence firm, tracked scanning activity against approximately 11,250 FortiGate portals in more than 150 countries, followed by confirmed admin-level access on 409 of those targets.
The credential harvesting itself relied on a custom packet sniffer that passively collected credentials and other authentication data from network traffic. The sniffer campaign is estimated to have targeted 430,000 FortiGate firewalls globally and to have gathered more than 110 million credentials. A sniffer placed on a compromised firewall can see authentication traffic for the networks behind it, so an organization that finds one should assume that credentials beyond the device's own administrator accounts are exposed.
It has also been reported that an operator with access to FortiBleed infrastructure was found logged in to both the INC Ransom and the Lynx negotiation panels, which points to close coordination between the FortiBleed crew and those ransomware operations.
SOCRadar further obtained an internal document showing that FortiBleed is an organized operation of about 20 people with a clear division of labor: a small core of lead operators carries out most of the high-impact intrusions, backed by specialists and support staff. The group is also believed to hold at least one zero-day vulnerability in Nextcloud.
Separately, eSentire observed the threat actors exploiting a flaw in Fortinet FortiClient EMS (CVE-2026-35616) to deploy an information stealer called EKZ Stealer against a customer in the energy, utilities and waste sector. The stealer harvests saved credentials from Chromium-based browsers and Firefox and exfiltrates them via PowerShell.
Organizations running Fortinet equipment should act now. Patch FortiOS and FortiClient EMS (including the fix for CVE-2026-35616), keep the administrative interface off the public internet or restrict it to trusted source addresses, and require multi-factor authentication for administrator and VPN accounts. Because the campaign reused known username/password combinations, a stronger password policy alone does not help against credentials that have already leaked: rotate any administrator or VPN credential that was in use while the device was exposed, and review admin login logs for bursts of failed logins from one source followed by a success.
FortiBleed shows how a large, well-organized credential-theft operation feeds ransomware intrusions. Staying patched, limiting the exposure of management interfaces and watching authentication logs remain the practical defenses against it.
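The pattern described above, a burst of failed administrator logins from one address followed by a confirmed admin-level login, can be picked out of FortiGate event logs with a few lines of code. The detector below is an added example written for this article; it is not code from the page, from SOCRadar, eSentire or Fortinet. The sample log lines are constructed to imitate FortiOS key="value" event logs, and the field names they use (logdesc, user, action, status, srcip, ui) are assumptions that should be checked against the log reference for your FortiOS version. The function and variable names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of FortiOS key="value" event logs.
# They are made up for this example; the field names are assumptions to be
# checked against the log reference for your FortiOS version. First source:
# five failures across three usernames in eleven seconds, then a success.
# Second source: one mistyped password followed by a success, i.e. a normal user.
SAMPLE_LOGS = """\
date=2026-06-30 time=09:00:01 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" action="login" status="failed" srcip=203.0.113.10 ui="https(203.0.113.10)"
date=2026-06-30 time=09:00:03 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="fortinet" action="login" status="failed" srcip=203.0.113.10 ui="https(203.0.113.10)"
date=2026-06-30 time=09:00:05 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" action="login" status="failed" srcip=203.0.113.10 ui="https(203.0.113.10)"
date=2026-06-30 time=09:00:07 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="root" action="login" status="failed" srcip=203.0.113.10 ui="https(203.0.113.10)"
date=2026-06-30 time=09:00:09 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" action="login" status="failed" srcip=203.0.113.10 ui="https(203.0.113.10)"
date=2026-06-30 time=09:00:12 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" action="login" status="success" srcip=203.0.113.10 ui="https(203.0.113.10)"
date=2026-06-30 time=09:15:00 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="jsmith" action="login" status="failed" srcip=198.51.100.7 ui="https(198.51.100.7)"
date=2026-06-30 time=09:15:20 type="event" subtype="system" level="information" logdesc="Admin login successful" user="jsmith" action="login" status="success" srcip=198.51.100.7 ui="https(198.51.100.7)"
"""

# key=value pairs; a value is either "quoted" (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one log line into a dict and add a parsed timestamp under "ts"."""
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}",
                                     "%Y-%m-%d %H:%M:%S")
    return fields


def detect_admin_stuffing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Find source IPs that produced at least `threshold` failed admin logins
    inside a sliding `window`, and record whether a successful login followed
    from the same IP while failures were still inside that window.

    Returns {srcip: {"failures": total failed logins from that IP,
                     "users": sorted usernames that were tried,
                     "success_user": account that later logged in, or None}}.
    """
    events = sorted((parse_event(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda ev: ev["ts"])
    per_ip = defaultdict(list)
    for ev in events:
        if ev.get("action") == "login":
            per_ip[ev["srcip"]].append(ev)

    alerts = {}
    for ip, evs in per_ip.items():
        recent = []           # failed logins still inside the window
        failures = 0
        users = set()
        hit = None
        for ev in evs:
            recent = [r for r in recent if ev["ts"] - r["ts"] <= window]
            if ev["status"] == "failed":
                recent.append(ev)
                failures += 1
                users.add(ev["user"])
                if hit is None and len(recent) >= threshold:
                    hit = {"success_user": None}
            elif ev["status"] == "success" and hit is not None and recent:
                # A success right after a burst of failures is the "confirmed
                # admin-level access" outcome: escalate rather than just warn.
                hit["success_user"] = ev["user"]
        if hit is not None:
            hit["failures"] = failures
            hit["users"] = sorted(users)
            alerts[ip] = hit
    return alerts


if __name__ == "__main__":
    for ip, info in detect_admin_stuffing(SAMPLE_LOGS).items():
        level = "POSSIBLE COMPROMISE" if info["success_user"] else "CREDENTIAL STUFFING"
        print(f"{level} from {ip}: {info['failures']} failures, "
              f"users tried={info['users']}, success_user={info['success_user']}")
```

Run as a script it reports only 203.0.113.10, as a possible compromise of the admin account, and stays silent on the user who mistyped a password once. In practice the lines would come from the firewall's syslog or FortiAnalyzer feed, the threshold and window would be tuned to the environment, and the distinct usernames per source are the tell that separates credential stuffing from a single user who has forgotten a password. Restricting the admin interface to trusted hosts makes the same logic simpler still: any login attempt from an address outside that list is worth an alert on its own.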
Related Information:
https://www.ethicalhackingnews.com/articles/FortiBleed-A-Looming-Cybersecurity-Threat---Credential-Theft-Linked-to-INC-and-Lynx-Ransomware-Operations-ehn.shtml
https://thehackernews.com/2026/07/fortibleed-credential-theft-linked-to.html
https://cybersecuritynews.com/fortibleed-password-stealing-attack/
https://nvd.nist.gov/vuln/detail/CVE-2026-35616
https://www.cvedetails.com/cve/CVE-2026-35616/
Published: Thu Jul 2 04:37:32 2026 by llama3.2 3B Q4_K_M