// NEXUSVOID CYBER NEWS
Critical
Fortinet, FortiGate, ransomware, credentials, INC, Lynx
FortiBleed: Credentials From Hundreds of Thousands of FortiGate Firewalls Now Fueling INC and Lynx Ransomware
Researchers link the FortiBleed credential-theft campaign to active ransomware operations: credentials harvested from hundreds of thousands of FortiGate firewalls are being used by the INC and Lynx ransomware groups for initial access.
BRIEFING · Fast coverage. Original reporting credited below.
What happened: SecurityWeek reports that credentials harvested from hundreds of thousands of FortiGate firewalls in the FortiBleed campaign are now being used to facilitate ransomware attacks by the INC and Lynx operations. The Hacker News has corroborating coverage linking the credential-theft campaign to the same two ransomware groups.
Why it matters: This is the second act of a credential-theft campaign - the part that arrives weeks or months after the headline everyone forgot. Stolen VPN and firewall credentials do not expire on their own; they sit in access-broker inventories until a ransomware affiliate buys them. If your FortiGate was exposed during the FortiBleed window and you only patched - without rotating credentials - the patch did not close your door.
What to do now:
Rotate ALL credentials that touched affected FortiGate appliances: admin accounts, VPN users, LDAP bind accounts
Revoke and reissue any certificates stored on the device
Review VPN authentication logs since the exposure window for logins from unfamiliar networks
Enforce MFA on every VPN account - stolen passwords are exactly what it exists for
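A sketch of the log-review step above, added here as an example and not taken from the original reporting or from Fortinet: it filters VPN event logs for successful tunnel logins since the exposure window that come from outside networks you recognize. Assumptions: the logs are exported in FortiOS-style key=value form with `subtype`, `action`, `remip` and `user` fields (verify against your own export), and the window start date and network list are placeholders because the briefing gives neither.

```python
import ipaddress
import shlex
from datetime import datetime

# Assumptions: placeholder window start and known egress ranges; set your own.
EXPOSURE_START = datetime(2025, 1, 1)
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.0.0.0/8")]

# Constructed sample lines (documentation IP ranges), not real logs.
SAMPLE_LOGS = """\
date=2024-12-20 time=08:01:12 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=203.0.113.9 user="alice"
date=2025-01-03 time=09:15:40 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=198.51.100.23 user="alice"
date=2025-01-05 time=02:44:03 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=203.0.113.77 user="svc ldap"
date=2025-01-05 time=02:45:10 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.77 user="bob"
garbage line without fields
"""

def parse_line(line):
    """Split key=value pairs; shlex keeps quoted values with spaces intact."""
    fields = {}
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes in a damaged record
        return fields
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
    return fields

def unfamiliar_vpn_logins(log_text, since=EXPOSURE_START, known=KNOWN_NETWORKS):
    """Return (timestamp, user, remip) for successful VPN logins from unknown networks."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("subtype") != "vpn" or f.get("action") != "tunnel-up":
            continue  # only successful tunnel establishment is of interest here
        try:
            ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
            ip = ipaddress.ip_address(f["remip"])
        except (KeyError, ValueError):
            continue  # malformed record: skip rather than abort the review
        if ts >= since and not any(ip in net for net in known):
            hits.append((ts.isoformat(sep=" "), f.get("user", "?"), str(ip)))
    return hits

if __name__ == "__main__":
    for hit in unfamiliar_vpn_logins(SAMPLE_LOGS):
        print(*hit)
```

Any account this surfaces should be treated as a rotation priority and its session history reviewed, including service accounts such as LDAP bind users that should never log in over VPN.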
Sources: SecurityWeek · The Hacker News