Ctrl+Alt+Oops: FortiBleed criminal’s logins stitch two gangs together
Publish Date: 2026-07-02 11:32:00
Source Domain: www.theregister.com
Researchers scoured logs, finding opsec fail for at least one person who was working with INC and Lynx simultaneously
Security sleuths say last month’s FortiBleed campaign is tied to two separate ransomware groups, after they found evidence of one initial access broker group member logged in to two affiliate panels.
SOC Radar’s Threat Research Unit (STRU) said at least one of the group’s 20 members was actively negotiating with victims, which it believes signals a direct link between the thousands of FortiBleed victims and the ransomware ecosystem.
STRU spent weeks mapping FortiBleed’s infrastructure across hundreds of servers after the attack was disclosed. Due to an opsec failure in one of these servers, the team gained visibility into the IAB group’s internal files and logs, revealing that one of the individuals was logged into the affiliate panels of both the INC Ransom and Lynx ransomware groups.
“Finding a single operator working both panels, using infrastructure traceable back to FortiBleed, is the clearest evidence yet that FortiGate credentials harvested through this campaign are being handed off, or used directly, for ransomware deployment,” SOC Radar said.
Following examination of the IAB group’s internal logs, compromised endpoints, and claims made via the leak sites of INC and Lynx, STRU has so far linked at least 12 ransomware attacks to FortiBleed victims.
While initial reports pegged the number of successful attacks at more than 70,000, STRU said its data was derived from scanning 11,250 Fortinet portals, although more than 430,000 firewalls were targeted.
Admin-level access was confirmed on 409 targets, and on 354 of these the attackers executed the full attack chain, compromising VPNs and gaining access to domain controllers and domain admin.
STRU said the finding is significant because it shows how the exploit was not just an exercise in harvesting…