Attackers who harvested credentials from over 430,000 FortiGate firewalls in the "FortiBleed" campaign have been directly linked to feeding that access to at least two ransomware gangs, according to new research. The finding moves the threat from a widespread credential theft issue to a confirmed operational pipeline for deploying ransomware.
Research from SOCRadar's Threat Research Unit, published by Security Affairs, identifies an operator within the harvesting campaign who provided initial network access to the INC Ransom and Lynx ransomware-as-a-service (RaaS) operations. This privileged entry from compromised perimeter devices facilitated at least 12 subsequent ransomware attacks.
The campaign represents a strategic weaponization of defensive infrastructure. Rather than merely bypassing network security, threat actors systematically subverted trusted FortiGate appliances at scale, turning them from protective barriers into primary attack vectors. This grants attackers a privileged foothold that can often bypass traditional defenses entirely.
The concrete link between mass credential harvesting and ransomware affiliates confirms the existence of a specialized criminal supply chain. Initial access brokers now feed a steady stream of compromised firewall credentials directly to ransomware operators, enabling efficient lateral movement and high-impact payload deployment.
In response, experts urge a multi-pronged remediation. Immediate priorities are to patch all FortiGate appliances and forcibly reset all administrative credentials on potentially exposed devices. Organizations must also deploy enhanced monitoring to identify suspicious lateral movement originating from firewall-sourced credentials.
Beyond technical fixes, this campaign underscores a critical paradigm shift. Security teams must manage network appliances like firewalls not as passive perimeter walls, but as critical assets requiring active integrity verification and rigorous, ongoing credential hygiene. The FortiBleed incident demonstrates that the security infrastructure itself has become a primary battlefield in the ransomware economy.
