

Ethical Hacking News

FortiBleed: The Slick Ransomware Operation Exposed 430,000 FortiGate Firewalls Worldwide



FortiBleed is a large-scale campaign that has compromised over 430,000 FortiGate firewalls worldwide. The operation links directly to two active ransomware operations, INC Ransom and Lynx. With this exposure, organizations using these devices are at risk not only of credential theft but also of targeted ransomware attacks launched through FortiBleed-derived access.

  • Over 430,000 FortiGate firewalls worldwide have been compromised by the FortiBleed ransomware operation.
  • The attack uses a custom tool to intercept authentication traffic and harvest credentials without sending malicious payloads.
  • FortiBleed is linked to two active ransomware operations: INC Ransom and Lynx, with an operator directly involved in handling ransom demands.
  • The operation involves a structured team of around 20 people, including primary operators, specialists, and junior staff.



The recent discovery of a massive ransomware operation known as FortiBleed has exposed over 430,000 FortiGate firewalls worldwide. This cyber threat, first documented by SOCRadar's Threat Research Unit in the past year, has far-reaching implications for organizations using these devices.

FortiBleed is a large-scale campaign that harvested credentials from over 430,000 FortiGate firewalls across more than 150 countries. The operation uses a custom tool written in Go called FortigateSniffer, which passively intercepts authentication traffic by abusing FortiOS's own built-in packet diagnostic command across two dozen protocols.

It is worth noting that the attacker never sends malicious payloads to the firewall; they simply listen to the traffic the device generates itself. This quiet method of collecting credentials at scale has allowed a significant amount of sensitive information to be gathered, which can then be used to launch targeted attacks on organizations with FortiGate firewalls.

SOCRadar's Threat Research Unit connected FortiBleed directly to two active ransomware operations: INC Ransom and Lynx. The link was not circumstantial; an operator with access to FortiBleed's own infrastructure was found actively logged into the negotiation panels of both groups, handling ransom demands in real time.

This is a critical exposure for organizations running FortiGate firewalls. Beyond having their credentials harvested, they risk falling victim to ransomware attacks that have been linked directly to FortiBleed-derived access.

In addition to this threat, SOCRadar discovered that the infrastructure used by FortiBleed contained an internal tracking document that recorded which credentials were used and which networks were accessed. Analysis of this document pointed to a structured operation involving roughly 20 people: a small core of primary operators who handle high-impact intrusions, dedicated specialists who focus on network scanning, and a back-office layer of junior operators and technical support staff.

Taken together, this structure suggests that FortiBleed is not merely an access broker quietly monetizing stolen credentials through underground markets: the same infrastructure used for credential collection is directly connected to the people deploying ransomware. Organizations using FortiGate firewalls are therefore exposed both to credential theft and to the ransomware intrusions for which that theft is a precursor.
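A defender-side check for the passive capture technique described above, added here as an illustration and not taken from the article or from SOCRadar's research: FortiOS's built-in packet capture (`diagnose sniffer packet`, assumed here to be the diagnostic command the article refers to) is run from the administrative CLI, so every invocation lands in the device's command audit log, which is where a quiet harvest that sends no payload still leaves a trace. The parser assumes FortiOS-style `key="value"` event lines; the sample lines, user names, addresses and message text are constructed.

```python
import re
from collections import defaultdict

# Constructed FortiOS-style event log lines (key="value" layout). Field names
# follow the usual FortiOS shape; the messages and addresses are made up.
SAMPLE_LOGS = [
    'date=2026-06-30 time=02:14:07 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.9)" msg="diagnose sniffer packet any \'port 443 or port 389\' 6 0"',
    'date=2026-06-30 time=02:14:09 type="event" subtype="system" user="admin" '
    'ui="ssh(203.0.113.9)" msg="diagnose sniffer packet any \'port 1812 or port 636\' 6 0"',
    'date=2026-06-30 time=09:02:11 type="event" subtype="system" user="netops" '
    'ui="https(10.0.0.5)" msg="diagnose sniffer packet wan1 \'host 10.0.0.7\' 4 100"',
    'date=2026-06-30 time=09:10:00 type="event" subtype="system" user="netops" '
    'ui="https(10.0.0.5)" msg="get system status"',
]

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SNIFFER_RE = re.compile(r'\bdiagnose\s+sniffer\s+packet\b', re.I)
# Capturing on interface "any" with packet count 0 (unlimited) is the shape a
# bulk credential harvest needs; a troubleshooting capture is normally scoped.
UNSCOPED_RE = re.compile(r'sniffer\s+packet\s+any\b.*\s0\s*$', re.I)
SOURCE_RE = re.compile(r'\(([^)]+)\)')  # address inside ui="ssh(1.2.3.4)"

def parse_line(line):
    """Split a key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def analyze(lines, trusted_sources=frozenset()):
    """Return one finding per sniffer invocation. Severity is "high" when the
    admin session comes from an address outside trusted_sources or the capture
    is unscoped, otherwise "review" (a legitimate capture still deserves a look)."""
    findings, per_session = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        msg = rec.get("msg", "")
        if not SNIFFER_RE.search(msg):
            continue
        m = SOURCE_RE.search(rec.get("ui", ""))
        source = m.group(1) if m else "unknown"
        unscoped = bool(UNSCOPED_RE.search(msg))
        severity = "high" if (source not in trusted_sources or unscoped) else "review"
        per_session[(rec.get("user"), source)] += 1
        findings.append({"time": f'{rec.get("date")} {rec.get("time")}', "user": rec.get("user"),
                         "source": source, "unscoped": unscoped, "severity": severity, "msg": msg})
    # Repeated captures from one session, each aimed at authentication ports,
    # are the harvesting pattern rather than a one-off diagnostic.
    for f in findings:
        f["session_count"] = per_session[(f["user"], f["source"])]
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS, trusted_sources={"10.0.0.5"}):
        print(f["severity"], f["time"], f["user"], f["source"], f"x{f['session_count']}", f["msg"])
```

On a real estate the lines would come from the firewall's event log export or a SIEM, with `trusted_sources` set to the management hosts from which administrators are expected to connect.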



    Related Information:
  • https://www.ethicalhackingnews.com/articles/FortiBleed-The-Slick-Ransomware-Operation-Exposed-430000-FortiGate-Firewalls-Worldwide-ehn.shtml

  • https://securityaffairs.com/194645/security/430000-fortigate-devices-exposed-in-fortibleed-ransomware-link.html


  • Published: Thu Jul 2 07:23:54 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.