The attackers behind FortiBleed made one operational security mistake: they left the server holding their loot exposed on the open internet. That's the only reason we know the numbers — roughly 430,000 FortiGate firewalls targeted, more than 110 million credentials stolen, scanning against about 11,250 FortiGate management portals across 150+ countries, admin-level access on 409 targets, and a completed attack chain on 354 of them. And unlike most credential dumps, this one comes with a confirmed customer list: INC Ransom and Lynx.
The technique: your firewall as the attacker's sensor
FortiBleed isn't the usual "one unpatched CVE" Fortinet story. The core tool is a custom packet sniffer researchers call FortiGate Sniffer, deployed directly onto compromised FortiGate appliances. Once installed, it passively intercepts VPN credentials and authentication data flowing through the firewall as employees log in normally.
That design is what makes it nasty. There's no phishing lure to spot and no exploit fired at the moment of theft — the sniffer just sits inside the security appliance and collects fresh, valid credentials continuously. Password rotation doesn't help; the sniffer captures whatever comes through next. The device you bought to keep attackers out becomes their most reliable, self-refreshing data source.
The ransomware supply chain, caught on camera
What elevates this from "big credential leak" to "documented ransomware supply chain" is the forensic detail: researchers found an operator with FortiBleed infrastructure access logged into both INC Ransom's and Lynx's victim negotiation panels simultaneously, and victims on INC Ransom's leak site overlap directly with organizations in the FortiBleed dataset. At least 12 confirmed ransomware deployments trace back to access gained through this campaign, with hundreds of endpoints encrypted.
The two brands are closer than they look. INC Ransom has run financially motivated extortion since 2023, favoring industrial, healthcare, and education targets across the US and Europe. Lynx emerged in 2024 as an offshoot, sharing an estimated 70% functional and 50% code similarity with INC. One credential-harvesting operation feeding both panels suggests a shared affiliate structure, not two independent gangs — the line between "initial access broker" and "ransomware operator" barely exists here.
Why this matters even if you don't run Fortinet
The strategic lesson isn't Fortinet-specific: attackers are systematically targeting the perimeter devices organizations trust implicitly — firewalls, VPN concentrators, edge routers. These boxes run outside your EDR coverage, get less security review than any server or workstation, and sit in the single best position to observe authentication traffic for the entire organization. Every vendor's edge appliance fleet has the same structural blind spot.
It also compounds this week's other story: "authentication required" vulnerabilities like the SharePoint flaw CVE-2026-45659 are far less protective when 110 million fresh credentials are in circulation. Stolen credentials are the raw material; authenticated RCE is the finished product.
What to do this week if you run FortiGate
- Audit firmware and configuration on every appliance. Current firmware, plus a review for unauthorized config changes, unexpected admin accounts, or unfamiliar scheduled tasks — the artifacts a sniffer install leaves behind.
- Rotate every credential that transited a potentially compromised device. That includes service accounts, not just human passwords. Given the interception scale, "assume burned" is the correct posture.
- Require phishing-resistant MFA on all VPN and remote access paths. A sniffed password is nearly worthless against a hardware key or platform authenticator. This is the control that breaks the entire FortiBleed business model.
- Monitor the appliance's own outbound behavior. FortiGate Sniffer operates from within the firewall, so anomaly detection has to watch what the appliance itself sends — not just the traffic passing through it. Most network monitoring setups don't do this today.
- Sweep your logs against published IOCs as researchers continue releasing FortiBleed indicators.
The honest takeaway: if your remote access story is "VPN with passwords, terminated on an edge appliance nobody has audited since deployment," FortiBleed is what that architecture looks like from the attacker's side. Rotate the credentials now because you have to — but the durable fix is phishing-resistant MFA and treating your perimeter devices as monitored, patched infrastructure rather than install-and-forget hardware.