
Ethical Hacking News

The FortiBleed Fiasco: Unraveling the Threads of a Ransomware Convergence



The FortiBleed Fiasco: Unraveling the Threads of a Ransomware Convergence

A massive password-stealing attack has taken on a new dimension, weaving itself into the ransomware ecosystem. The attack, dubbed FortiBleed, exposed numerous organizations to vulnerability and has significant implications for those relying on Fortinet infrastructure. Learn more about this developing story and how you can protect your organization from similar attacks.

  • FortiBleed is a massive password-stealing attack that compromised thousands of firewalls and exposed organizations to vulnerability.
  • The attack has woven itself into the ransomware ecosystem, with attackers using FortiBleed credentials to access victims' Active Directory environments.
  • Researchers discovered an opsec failure that provided visibility into the IAB group's internal files and logs, revealing a connection between the IAB group and two other ransomware groups.
  • The attack has been linked to at least 12 ransomware attacks so far, with over 70,000 initial reports but only a fraction of those actually compromised.
  • Organizations running Fortinet infrastructure are urged to take immediate action to secure their systems due to the risk of exposure to FortiBleed being a precursor to ransomware.



FortiBleed, the massive password-stealing attack that beset thousands of firewalls and exposed numerous organizations, has taken on a new dimension. According to researchers at SOCRadar's Threat Research Unit (STRU), the attack is not an isolated credential-theft operation but has woven itself into the very fabric of the ransomware ecosystem.

The FortiBleed campaign, first disclosed in June 2026, exploited a critical vulnerability in the SSL VPN authentication process. Attackers intercepted and cracked the hashes of over 73,000 unique firewall URLs using a 45-GPU cluster hosted by Hashtopolis, thereby gaining access to victims' Active Directory environments.

The team at STRU mapped FortiBleed's infrastructure across hundreds of servers after the attack was disclosed. On one of these servers they discovered an opsec failure that gave them visibility into the initial access broker (IAB) group's internal files and logs. This breakthrough revealed that one of the individuals working for the IAB group was logged into the affiliate panels of both the INC Ransom and Lynx ransomware groups.

The finding is significant because it shows how FortiBleed feeds directly into the ransomware economy: the same access-broker infrastructure was used to quietly intercept authentication traffic across hundreds of thousands of firewalls. A single operator shared between the IAB group and the two ransomware groups is a direct link between FortiBleed victims and the ransomware ecosystem.

The implications of this discovery are far-reaching. Organizations that rely on Fortinet infrastructure must now confront the possibility that exposure to FortiBleed is a precursor to ransomware. Admin-level access was confirmed on 409 targets; on 354 of these the attackers executed the full attack chain, compromising the VPN and moving on to domain controllers and domain admin accounts.

Researchers at STRU have linked at least 12 ransomware attacks to FortiBleed victims so far. While initial reports pegged the number of successful attacks at more than 70,000, the team's data was derived from scanning 11,250 Fortinet portals. The attack targeted over 430,000 firewalls but compromised only a fraction of them.

The revelation has sent shockwaves through the cybersecurity community, with many asking how organizations can prevent such exposures in the future. Fortinet introduced PBKDF2 for stored credentials in early 2025, but many organizations were still running salted SHA-256 because the new scheme was applied to an account only when its admin next logged in.
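The migration gap just described (legacy salted SHA-256 records that move to PBKDF2 only when the account's admin next logs in) is illustrated below with an added example that is not from the article or from Fortinet: an upgrade-on-login verifier, an audit listing accounts still on the legacy scheme, and a rough measurement of how much more work each password guess costs under PBKDF2. The credential store, user names, passwords and iteration count are constructed assumptions, not Fortinet's parameters.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERS = 100_000  # illustrative work factor (assumption, not Fortinet's setting)


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Single salted SHA-256: the pre-2025 scheme the article describes."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a fixed iteration count (the replacement scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def make_store() -> dict:
    """Constructed sample store; each record names the scheme its hash was made with."""
    s1, s2 = os.urandom(16), os.urandom(16)
    return {
        "vpn-admin": {"scheme": "sha256-salt", "salt": s1, "hash": legacy_hash("Winter2024!", s1)},
        "net-ops": {"scheme": "pbkdf2", "salt": s2, "hash": pbkdf2_hash("correct horse", s2)},
    }


def verify_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Check a login; on success, re-hash a legacy record with PBKDF2 (upgrade-on-login)."""
    rec = store.get(user)
    if rec is None:
        return False
    fn = legacy_hash if rec["scheme"] == "sha256-salt" else pbkdf2_hash
    if not hmac.compare_digest(fn(password, rec["salt"]), rec["hash"]):
        return False  # wrong password: never touch the stored record
    if rec["scheme"] == "sha256-salt":
        new_salt = os.urandom(16)  # fresh salt for the upgraded record
        rec.update(scheme="pbkdf2", salt=new_salt, hash=pbkdf2_hash(password, new_salt))
    return True


def accounts_still_legacy(store: dict) -> list:
    """Audit: accounts not yet migrated, i.e. still crackable at salted-SHA-256 speed."""
    return sorted(u for u, r in store.items() if r["scheme"] == "sha256-salt")


def cost_ratio(n: int = 1000) -> float:
    """Approximate per-guess cost of PBKDF2 relative to one salted SHA-256 on this CPU."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(n):
        legacy_hash("guess", salt)
    per_legacy = max((time.perf_counter() - t0) / n, 1e-9)
    t0 = time.perf_counter()
    pbkdf2_hash("guess", salt)
    return (time.perf_counter() - t0) / per_legacy
```

Running `accounts_still_legacy()` against a real store is the check that matters here: every account it lists is one whose hash, if intercepted, can still be attacked at single-SHA-256 speed until that admin logs in again.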

As a result, many major organizations were compromised, including Foxconn, Samsung, Comcast, Siemens, Lenovo, FedEx, PwC, Accenture, and Oracle. An unnamed Turkish NATO defense contractor was also thought to be among those listed after investigators found signs of classified files being copied.

The discovery highlights the urgent need for organizations running Fortinet infrastructure to take immediate action to secure their systems. The stakes have been raised on an already pressing finding: exposure to FortiBleed is not just a credential-exposure risk but a potential precursor to ransomware.

In conclusion, the FortiBleed fiasco has revealed a complex web of vulnerabilities and converging attack vectors that threaten the security of organizations worldwide. As cybersecurity experts urge vigilance and swift action, it becomes increasingly clear that the consequences of inaction will be dire.

Related Information:

  • https://www.ethicalhackingnews.com/articles/The-FortiBleed-Fiasco-Unraveling-the-Threads-of-a-Ransomware-Convergence-ehn.shtml
  • https://www.theregister.com/security/2026/07/02/ctrlaltoops-fortibleed-criminals-logins-stitch-two-gangs-together/5265912


  • Published: Thu Jul 2 11:16:21 2026 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.