ctipilot.ch

UPDATE: FortiBleed FortiGate credential-harvesting linked to INC Ransom / Lynx deployments; scale revised ~5× up

From CTI Daily Brief — 2026-07-03 · published 2026-07-03

UPDATE (originally covered 2026-06-18; last daily update 2026-06-24): The new delta is a ransomware connection. SOCRadar's Threat Research Unit reports what it calls the first confirmed link between the FortiBleed FortiGate credential-harvesting operation and actual ransomware deployment — an operational-security lapse on attacker infrastructure exposed logs showing a single operator working negotiation panels for both the INC Ransom and Lynx RaaS operations, with victim data overlapping between the FortiBleed dataset and an INC-linked open directory, and at least 12 ransomware deployments stemming from the harvested access (SOCRadar, 2026-07-01). The campaign's scale (430,000+ targeted firewalls) and Russian-speaking initial-access-broker attribution were already reported in the 2026-06-24 brief and are unchanged; the ransomware-deployment link and the two items below are what is new.

Separately, SOCRadar says the group holds at least one undisclosed Nextcloud zero-day (no CVE assigned; technical detail withheld pending a whitepaper), which it states it is disclosing to Nextcloud responsibly. The Hacker News adds that the exposed staging server also held reconnaissance on ~29,000 Citrix IP addresses, suggesting targeting beyond Fortinet (The Hacker News, 2026-07-02). These are SOCRadar's investigative claims from a single exposed server and have not yet been independently corroborated by a second telemetry-holding lab (see § 7).

Defender action for FortiGate operators: the newly confirmed credential-theft-to-ransomware link means any FortiGate management or VPN interface that has ever been internet-exposed should be treated as credential-compromised. Rotate local/VPN credentials and downstream domain credentials, and hunt the VPN → domain-controller → domain-admin path. Nextcloud operators should track the coordinated disclosure.
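One way to run the VPN → domain-controller → domain-admin hunt recommended above, as an added example that is not part of this brief or of any vendor tooling: it correlates constructed FortiGate SSL-VPN tunnel-up lines with constructed domain-controller 4624 logon records and flags DC logons from a VPN tunnel IP that are interactive, use a privileged account, or use an account other than the one that opened the tunnel. The FortiGate field names, the DC inventory and the privileged-account list are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: FortiGate SSL-VPN tunnel-up events in the firewall's key=value log style.
# The field names follow common FortiGate conventions but are an assumption, not a spec.
FORTI_LOGS = [
    'date=2026-07-01 time=02:14:05 type="event" subtype="vpn" action="tunnel-up" user="svc_backup" remip=198.51.100.7 tunnelip=10.212.134.5',
    'date=2026-07-01 time=09:02:11 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=203.0.113.9 tunnelip=10.212.134.8',
    'date=2026-07-01 time=22:40:19 type="event" subtype="vpn" action="tunnel-up" user="bob" remip=192.0.2.44 tunnelip=10.212.134.12',
]
# Constructed sample: Windows Security 4624 logons from the domain controllers, reduced to the
# fields the hunt needs. logon_type 3 = Network (routine LDAP/SMB), 10 = RemoteInteractive (RDP).
DC_LOGONS = [
    {"time": "2026-07-01 02:31:40", "host": "DC01", "user": "svc_backup", "src_ip": "10.212.134.5", "logon_type": 3},
    {"time": "2026-07-01 02:47:12", "host": "DC01", "user": "svc_backup", "src_ip": "10.212.134.5", "logon_type": 10},
    {"time": "2026-07-01 09:30:00", "host": "DC01", "user": "alice", "src_ip": "10.212.134.8", "logon_type": 3},
    {"time": "2026-07-01 23:05:51", "host": "DC02", "user": "administrator", "src_ip": "10.212.134.12", "logon_type": 3},
]
DC_HOSTS = {"DC01", "DC02"}                    # assumption: your domain-controller inventory
PRIVILEGED = {"svc_backup", "administrator"}   # assumption: Domain Admins exported from AD
INTERACTIVE = {2, 10, 11}                      # logon types meaning a human-style session on the DC
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')        # FortiGate key=value (quoted or bare) pairs

def parse_forti(line):
    """Turn one FortiGate key=value line into a dict with a datetime under 'ts'."""
    f = {k: v.strip('"') for k, v in KV.findall(line)}
    f["ts"] = datetime.fromisoformat(f["date"] + " " + f["time"])
    return f

def hunt(forti_logs, dc_logons, window=timedelta(hours=24)):
    """Pair each VPN session with DC logons from its tunnel IP; keep the risky pairs."""
    # Risky = interactive DC session, privileged account, or an account other than the tunnel owner.
    findings = []
    for line in forti_logs:
        ev = parse_forti(line)
        if ev.get("subtype") != "vpn" or ev.get("action") != "tunnel-up":
            continue
        start, hits = ev["ts"], []
        for lg in dc_logons:
            t = datetime.fromisoformat(lg["time"])
            if lg["host"] not in DC_HOSTS or lg["src_ip"] != ev["tunnelip"] or not start <= t <= start + window:
                continue
            reasons = [r for r, ok in (("interactive", lg["logon_type"] in INTERACTIVE),
                                       ("privileged", lg["user"] in PRIVILEGED),
                                       ("account-mismatch", lg["user"] != ev["user"])) if ok]
            if reasons:
                hits.append({**lg, "reasons": reasons})
        if hits:
            findings.append({"vpn_user": ev["user"], "tunnel_start": start.isoformat(), "dc_logons": hits})
    return findings
```

Routine network logons by the same unprivileged user (alice above) produce no finding, so the output is the short list worth a human's time.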