FortiBleed Credential Theft Campaign Linked to INC Ransomware and Lynx, Exploiting Fortinet Devices and a Potential Nextcloud Zero‑Day
What Happened — The FortiBleed operation, which harvests administrative credentials from Fortinet firewalls, has been tied to the INC ransomware group and the Lynx ransomware gang. Researchers also note a concurrent investigation of a zero‑day flaw in Nextcloud that may have been leveraged to broaden access.
Why It Matters for Compliance & Audit Readiness
- Credential theft directly tests the effectiveness of SOC 2 Access Control (CC6.1) and Identity Management policies.
- Continuous evidence of privileged‑account monitoring is required to demonstrate due diligence in an audit.
- The incident underscores the need for Security Awareness Training that covers credential‑theft tactics and rapid revocation processes.
Who Is Affected — Enterprises that rely on Fortinet network security appliances, cloud‑based collaboration platforms (e.g., Nextcloud), and any organization whose privileged credentials could be harvested for ransomware deployment.
Recommended Actions — Review and tighten privileged‑access controls, enforce MFA on all admin accounts, implement real‑time credential‑theft detection, and update security awareness curricula to include FortiBleed tactics. Source: HackRead
Technical Notes — The campaign exploits a FortiOS parsing flaw (details undisclosed) to exfiltrate admin passwords; a separate Nextcloud zero‑day (CVE‑2025‑XXXX) is under active investigation. Source: HackRead