FortiBleed Credential Campaign Confirmed as Lynx Ransomware Entry Point
The FortiBleed credential-theft campaign has been formally tied to two active ransomware operations — INC and Lynx — confirming that the mass-harvesting of Fortinet VPN credentials was never exfiltration for its own sake. Those stolen credentials are now fueling initial-access operations that end in ransomware deployment.
What Happened
FortiBleed exploited vulnerabilities in FortiGate SSL-VPN appliances to extract plaintext credentials, session cookies, and device configurations from internet-facing devices — in many cases from organizations that had already applied patches, because attackers accessed configuration files written to disk before remediation was complete. The result was a sprawling credential dump affecting thousands of Fortinet customers. Researchers have now confirmed that the INC and Lynx ransomware groups are actively consuming those stolen credentials to conduct network intrusions.
Why This Is Serious
Fortinet appliances are edge devices. They sit between the internet and your internal network, and compromised VPN credentials give an attacker authenticated access that looks identical to a legitimate employee login. The INC and Lynx groups are known for low-and-slow intrusions: they establish persistence, move laterally, exfiltrate data, and only deploy ransomware after weeks or months of dwell time. If your credentials were taken, the breach may not be detectable yet — and the clock is already running.
Both ransomware groups have claimed victims across healthcare, manufacturing, and critical infrastructure. The FortiBleed pipeline is now a documented, confirmed initial-access vector for active operators.
What To Do Right Now
1. Patch all FortiGate devices. Ensure every appliance is running a FortiOS version that addresses CVE-2022-40684, CVE-2023-27997, and CVE-2024-21762. If you are unsure of your exposure, consult Fortinet's PSIRT advisory portal directly.
2. Rotate all credentials on internet-facing Fortinet devices. This includes VPN user accounts, local admin accounts, and any service accounts that authenticate through FortiGate. A patched device does not mean clean credentials — if the appliance was ever vulnerable, credentials present at that time should be treated as compromised.
3. Audit VPN logs for anomalous logins. Look for off-hours access, logins from unfamiliar IPs or geographies, and accounts accessing resources outside their normal scope.
4. Enforce MFA on all SSL-VPN access immediately. Stolen credentials become substantially less useful when a second factor is required. If MFA is not enforced on your VPN today, that is your first action item.
5. Threat-hunt for INC/Lynx TTPs. Both groups rely on common post-exploitation tooling. Search your SIEM for Cobalt Strike beacon behavior, unauthorized AnyDesk or ScreenConnect installations, and unusual SMB lateral movement patterns.
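Steps 3 and 5 come down to going through VPN login events with a few concrete questions in hand. The script below is an added example, not part of the advisory and not Fortinet's tooling: it parses key=value log lines in a FortiGate-like style and flags the anomalies named above (off-hours logins, source addresses outside each account's historical baseline, one account appearing from two different networks within an hour, and failed logins against service accounts). The sample lines, the per-user baseline, the business-hours window and the field names (date, time, action, user, remip) are all constructed assumptions; map them onto the fields your appliance and SIEM actually emit.

```python
"""Added example: audit SSL-VPN login events for the anomalies the advisory
names.  The log lines, baseline and field names below are constructed
assumptions modelled loosely on FortiGate event logs, not captured data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines (documentation address ranges, no real devices).
SAMPLE_LOGS = """\
date=2024-05-02 time=09:12:05 type="event" subtype="vpn" action="tunnel-up" user="jdoe" group="vpn_users" remip=203.0.113.10 msg="SSL VPN tunnel up"
date=2024-05-02 time=17:40:19 type="event" subtype="vpn" action="tunnel-up" user="asmith" group="vpn_users" remip=198.51.100.7 msg="SSL VPN tunnel up"
date=2024-05-03 time=02:47:33 type="event" subtype="vpn" action="tunnel-up" user="jdoe" group="vpn_users" remip=192.0.2.77 msg="SSL VPN tunnel up"
date=2024-05-03 time=03:05:02 type="event" subtype="vpn" action="tunnel-up" user="jdoe" group="vpn_users" remip=198.51.100.200 msg="SSL VPN tunnel up"
date=2024-05-03 time=03:21:48 type="event" subtype="vpn" action="ssl-login-fail" user="svc-backup" group="vpn_users" remip=192.0.2.200 msg="SSL VPN login fail"
date=2024-05-03 time=08:55:10 type="event" subtype="vpn" action="tunnel-up" user="asmith" group="vpn_users" remip=198.51.100.7 msg="SSL VPN tunnel up"
"""

# Per-user baseline of source networks seen before the exposure window.
# Constructed here; in practice derive it from logs that predate the campaign.
BASELINE = {
    "jdoe": [ip_network("203.0.113.0/24")],
    "asmith": [ip_network("198.51.100.0/24")],
}
BUSINESS_HOURS = (7, 19)  # 07:00 to 19:00 local time; anything else is off-hours

# key=value pairs, where the value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict and attach a parsed timestamp."""
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
              for m in KV_RE.finditer(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}',
                                     "%Y-%m-%d %H:%M:%S")
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def ip_in_baseline(user, remip):
    addr = ip_address(remip)
    return any(addr in net for net in BASELINE.get(user, []))


def audit(events):
    """Return (user, timestamp, reason) findings for a list of parsed events."""
    findings = []
    logins = [e for e in events if e.get("action") == "tunnel-up"]
    for e in logins:
        if is_off_hours(e["ts"]):
            findings.append((e["user"], e["ts"], "off-hours login"))
        if not ip_in_baseline(e["user"], e["remip"]):
            findings.append((e["user"], e["ts"], f"source {e['remip']} outside baseline"))
    # One account from two different /24s within an hour: a crude
    # impossible-travel proxy that needs no GeoIP database.
    by_user = defaultdict(list)
    for e in logins:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for a, b in zip(evs, evs[1:]):
            net_a = ip_network(f"{a['remip']}/24", strict=False)
            net_b = ip_network(f"{b['remip']}/24", strict=False)
            if net_a != net_b and b["ts"] - a["ts"] <= timedelta(hours=1):
                findings.append((user, b["ts"],
                                 f"two source networks within 1h ({a['remip']}, {b['remip']})"))
    # Failed logins against service accounts are a credential-stuffing tell.
    for e in events:
        if e.get("action") == "ssl-login-fail" and e["user"].startswith("svc-"):
            findings.append((e["user"], e["ts"], "failed login on service account"))
    return findings


def accounts_to_rotate(findings):
    """Accounts with at least one finding; feed these into step 2 first."""
    return sorted({user for user, _, _ in findings})


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOGS))
    for user, ts, reason in results:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {user:<12} {reason}")
    print("rotate first:", ", ".join(accounts_to_rotate(results)))
```

The baseline check is the one that matters most for this campaign: a harvested password used by a ransomware operator will almost always arrive from a network the account has never used, so seed the baseline from logs older than the exposure window, not from the period under review.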
If your organization uses FortiGate as its VPN perimeter and those devices were internet-exposed at any point in the last 18 months, treat this as an active incident until you have evidence otherwise. The window between credential theft and ransomware detonation is the only window you have.
Synthesized by Claude · sanity-checked before publish.