Back to Blog
Fortinet Ransomware: FortiBleed Credential Theft Enables INC and Lynx Deployments (July 2026)
ransomware

Fortinet Ransomware: FortiBleed Credential Theft Enables INC and Lynx Deployments (July 2026)

breachwire TeamJul 3, 20265 min read

Fortinet: What Happened

The FortiBleed campaign targeted Fortinet FortiGate firewalls globally, resulting in the compromise of at least 354 devices and the theft of over 110 million credentials from approximately 430,000 FortiGate appliances. The stolen credentials were subsequently linked to ransomware deployments by the INC and Lynx ransomware groups, with confirmed encryption events affecting hundreds of endpoints, including those at an energy sector customer. The campaign leveraged a zero-day vulnerability in Nextcloud and exploited CVE-2026-35616 in Fortinet FortiClient EMS, facilitating credential theft via the EKZ Stealer malware. Attack infrastructure included over 200 FortiBleed servers and scanning activity against approximately 11,250 FortiGate portals.

Attack Vector & Technical Detail

Initial access was achieved through exploitation of CVE-2026-35616 in Fortinet FortiClient EMS, allowing attackers to deploy the EKZ Stealer and harvest credentials at scale. Attackers also leveraged a Nextcloud zero-day to expand their reach. MITRE ATT&CK tactics observed include Initial Access (TA0001), Lateral Movement (TA0008), Defense Evasion (TA0005), and Credential Access (TA0006). The threat actors maintained a target list of 29,000 Citrix-related IP addresses and 37 domains, indicating broader reconnaissance and potential for future attacks. Over 200 FortiBleed infrastructure servers were identified as part of the operational ecosystem supporting credential collection and ransomware deployment.

Confirmed Impact

At least 12 ransomware deployments were confirmed, resulting in the encryption of hundreds of endpoints across affected organizations, including those in the energy sector. The campaign compromised a global footprint, with credential theft impacting approximately 430,000 FortiGate devices and scanning activity observed worldwide. Regulatory exposure is heightened for organizations in critical infrastructure sectors, given the scale of credential loss and operational disruption. The targeting of Citrix infrastructure and remote access systems signals ongoing risk beyond the initial wave of attacks.

What This Means for Your Organization

Organizations utilizing Fortinet FortiGate firewalls or FortiClient EMS are at elevated risk from credential theft and subsequent ransomware deployment. The attack demonstrates the effectiveness of exploiting unpatched vulnerabilities and the rapid weaponization of stolen credentials by ransomware groups. Immediate review of remote access infrastructure, credential hygiene, and patch management processes is essential. Proactive monitoring for scanning activity and anomalous authentication attempts should be prioritized to detect early-stage compromise.

Detection & Response

  • Immediate: Audit and reset credentials on all FortiGate and FortiClient EMS devices; monitor for unauthorized access.
  • Hunt: Investigate connections to known FortiBleed infrastructure servers and scanning against FortiGate portals.
  • Patch: Apply updates addressing CVE-2026-35616 in Fortinet FortiClient EMS and monitor for Nextcloud zero-day advisories.

Source: https://thehackernews.com/2026/07/fortibleed-credential-theft-linked-to.html

Start Your 14-Day Free Trial

Get curated cyber intelligence delivered to your inbox every morning at 6 AM. No credit card required.

Get Started Free
Share this article: