// NEXUSVOID CYBER NEWS

Critical

Fortinet, FortiGate, ransomware, credentials, INC, Lynx

FortiBleed: Credentials From Hundreds of Thousands of FortiGate Firewalls Now Fueling INC and Lynx Ransomware

Researchers link the FortiBleed credential-theft campaign to active ransomware operations: credentials harvested from hundreds of thousands of FortiGate firewalls are being used by the INC and Lynx ransomware groups for initial access.

BRIEFING · Fast coverage. Original reporting credited below.

What happened: SecurityWeek reports that credentials harvested from hundreds of thousands of FortiGate firewalls in the FortiBleed campaign are now being used to facilitate ransomware attacks by the INC and Lynx operations. The Hacker News has corroborating coverage linking the credential-theft campaign to the same two ransomware groups.

Why it matters: This is the second act of a credential-theft campaign - the part that arrives weeks or months after the headline everyone forgot. Stolen VPN and firewall credentials do not expire on their own; they sit in access-broker inventories until a ransomware affiliate buys them. If your FortiGate was exposed during the FortiBleed window and you only patched - without rotating credentials - the patch did not close your door.

What to do now:

  • Rotate ALL credentials that touched affected FortiGate appliances: admin accounts, VPN users, LDAP bind accounts

  • Revoke and reissue any certificates stored on the device

  • Review VPN authentication logs since the exposure window for logins from unfamiliar networks

  • Enforce MFA on every VPN account - stolen passwords are exactly what it exists for
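The log review in the third item can be scripted. The sketch below is an added example, not code from the cited reporting or from Fortinet: it builds a per-user baseline of source networks from logins before the exposure window, then lists successful VPN logins after it from networks that user never used. The log lines, field names and the window date are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines modelled on key=value firewall event logs. The field
# names (date, time, subtype, action, user, remip) are assumptions; map them to
# what your appliance or SIEM actually emits.
SAMPLE_LOG = """\
date=2025-01-10 time=08:01:12 subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.23
date=2025-01-12 time=08:03:40 subtype="vpn" action="tunnel-up" user="bob" remip=192.0.2.77
date=2025-02-03 time=09:15:02 subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.90
date=2025-02-04 time=03:12:55 subtype="vpn" action="tunnel-up" user="alice" remip=203.0.113.5
date=2025-02-04 time=03:14:10 subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.5
date=2025-02-05 time=03:20:31 subtype="vpn" action="tunnel-up" user="svc-ldap" remip=203.0.113.9
date=2025-02-06 time=10:00:00 subtype="vpn" action="tunnel-up" user="bob" remip=not-an-ip
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def network_of(ip):
    """Coarsen an address to its /24 (IPv4) or /48 (IPv6) so DHCP churn is not flagged."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network(f"{addr}/{24 if addr.version == 4 else 48}", strict=False)

def unfamiliar_logins(log_text, window_start, trusted=()):
    """Successful VPN logins at/after window_start from a network new to that user."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "vpn" or rec.get("action") != "tunnel-up":
            continue  # only successful tunnel establishment counts as a login
        try:
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            events.append((ts, rec["user"], rec["remip"], network_of(rec["remip"])))
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than abort the review
    baseline, findings = {}, []
    for ts, user, ip, net in sorted(events, key=lambda e: e[0]):
        if ts < window_start:
            baseline.setdefault(user, set()).add(net)  # pre-window networks are "familiar"
        elif net not in baseline.get(user, ()) and not any(
                t.version == net.version and net.subnet_of(t) for t in trusted_nets):
            findings.append((ts.isoformat(sep=" "), user, ip))
    return findings
```

An account with no pre-window history, such as the constructed `svc-ldap` entry, is always listed, which is the intended behaviour for service accounts that should never open a VPN tunnel.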

Sources: SecurityWeek · The Hacker News
