FortiBleed linked to ransomware groups INC and Lynx

New research into the large-scale FortiBleed campaign points to a direct link with the ransomware groups INC and Lynx. This suggests that the theft of tens of thousands of Fortinet login credentials was part of a broader operation aimed at future ransomware attacks.

The scale of FortiBleed was already evident last month when researchers discovered an unsecured server containing configuration files and login credentials for over 73,000 Fortinet devices. Security firm SOCRadar has now concluded that the infrastructure behind that campaign is closely intertwined with the ransomware groups INC and Lynx.

The researchers base this conclusion on a Windows server that was part of the infrastructure used. During a forensic investigation, they found evidence indicating that the administrators had access to the negotiation portals of both ransomware groups. Browser sessions found on the system displayed dashboards used to conduct conversations with victims of ransomware attacks. According to SOCRadar, this is a strong indication that the same individuals or closely collaborating groups are behind both the theft of the login credentials and the subsequent extortion campaigns.

Intercepting VPN traffic

Previous research had already shown that the attackers used a custom tool called FortiGate Sniffer. Deployed on compromised FortiGate firewalls, it captured VPN login credentials and other authentication data directly from the network traffic passing through the device. The group also ran infrastructure to crack captured password hashes and to automatically try the stolen credentials against other systems.

According to SOCRadar, the operation extended far beyond what was initially assumed. The researchers estimate that more than 430,000 FortiGate firewalls worldwide were targeted, and that sniffers were actually installed on approximately 19,000 of them to eavesdrop on traffic. After affected organizations were notified, that number is said to have dropped to approximately 11,000.

During the follow-up investigation, SOCRadar identified over 200 additional operational servers that had not previously been linked to FortiBleed, bringing the estimated total to approximately 500 servers used by the campaign. The researchers also found victim data that later resurfaced on the INC ransomware leak site.

In addition, evidence was found suggesting that the organization behind FortiBleed consists of about twenty people, each with a specific role in the operation. On several compromised systems, the researchers also discovered a persistent backdoor administrator account with the username “adminin.”
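A practical check for defenders is to audit the local administrator accounts in a FortiGate configuration backup for names that should not be there. The script below is an added example, not code from the article or from SOCRadar: it parses the `config system admin` section of a FortiOS CLI-style backup, flags the “adminin” username the article mentions, flags any account absent from an allowlist, and also flags super_admin accounts with no trusthost restriction. The sample configuration and the allowlist of expected accounts are constructed for illustration.

```python
"""Audit local admin accounts in a FortiGate configuration backup.

Added example (not from the article or from SOCRadar). The config text is
constructed, and EXPECTED_ADMINS is an assumed allowlist for one site.
"""
import re

# Backdoor username reported in the article.
KNOWN_BACKDOOR_ACCOUNTS = {"adminin"}

# Assumption: the admin accounts this organisation expects to exist.
EXPECTED_ADMINS = {"admin", "noc-backup"}

# Constructed sample in FortiOS CLI backup format (passwords are placeholders).
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC XXXX
    next
    edit "adminin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC XXXX
    next
    edit "noc-backup"
        set accprofile "prof_admin"
        set vdom "root"
        set trusthost1 10.0.5.0 255.255.255.0
        set password ENC XXXX
    next
end
"""


def parse_admins(config_text):
    """Return {username: {setting: value}} for each 'edit' entry under
    'config system admin'. Other sections are ignored."""
    admins = {}
    in_section = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            break
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            admins[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set (\S+) (.+)$", line)
        if m and current is not None:
            admins[current][m.group(1)] = m.group(2).strip('"')
    return admins


def audit_admins(config_text, expected=EXPECTED_ADMINS):
    """Return a sorted list of (username, reason) findings."""
    findings = []
    for name, settings in parse_admins(config_text).items():
        if name in KNOWN_BACKDOOR_ACCOUNTS:
            findings.append((name, "matches known backdoor username"))
        elif name not in expected:
            findings.append((name, "not in expected admin allowlist"))
        # A super_admin with no trusthost means stolen credentials work from anywhere.
        has_trusthost = any(k.startswith("trusthost") for k in settings)
        if settings.get("accprofile") == "super_admin" and not has_trusthost:
            findings.append((name, "super_admin without trusthost restriction"))
    return sorted(findings)


if __name__ == "__main__":
    for name, reason in audit_admins(SAMPLE_CONFIG):
        print(f"{name}: {reason}")
```

Run it against a real backup (`execute backup config` output) by reading the file into `audit_admins`; an empty result means every local admin is on the allowlist, none matches the reported backdoor name, and every super_admin is bound to trusted source addresses.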

Possible zero-day vulnerability in Nextcloud

SOCRadar further suspects that, once inside a network, the attackers exploited a previously unknown vulnerability in Nextcloud to expand their access. Technical details of this suspected zero-day have not yet been made public.

The researchers are still working on their analysis and say they are, among other things, attempting to recover ransomware decryption keys. Once the investigation is complete, a second technical report will be published, containing indicators of compromise (IoCs), additional attribution evidence, and further technical details about the campaign.