FortiBleed Campaign Linked to Lynx and INC Ransomware Groups

SOC Radar ties the FortiBleed attack campaign, which scanned 11,250 Fortinet devices and gained domain admin access at 354 organizations, to the Lynx and INC ransomware groups.


Security research firm SOC Radar has attributed the FortiBleed attack campaign to the Lynx and INC ransomware groups. According to the report, the attackers scanned 11,250 Fortinet devices, achieved administrative access on 405 of them, and escalated to domain admin access at 354 organizations. Ransomware has already been deployed at roughly 12 of the affected companies, with more likely still in earlier stages of the attack lifecycle.

The scale here is the notable part: scanning over eleven thousand devices to land admin access on several hundred, and domain admin at over 300 organizations, describes a mass-exploitation operation rather than a series of targeted intrusions. This is the now-familiar pattern with edge device vulnerabilities — a single flaw in widely deployed perimeter hardware gives attackers a repeatable path from internet-facing scan to full domain compromise, at scale, across unrelated victims.

The gap between “354 organizations with domain admin access” and “12 with deployed ransomware” is the part that should concern defenders most. It implies a large number of organizations have already been fully compromised and are sitting in the attacker’s queue, waiting for ransomware deployment, data exfiltration, or both — with no visible impact yet to tip them off.

If you operate Fortinet appliances, confirm patch levels immediately, review authentication logs for anomalous admin logins on those devices, and check domain controller logs for unexpected privilege escalation or new admin accounts tracing back to the affected timeframe. Given the domain admin foothold described here, treat any confirmed device compromise as a full domain compromise until proven otherwise.

Why it matters: If you run Fortinet devices, don't wait for a ransomware deployment to find out you were part of the 354 domain-admin-compromised organizations — audit device patch status and admin account activity against this campaign's timeline now.
