Operation FortiBleed Exposes Critical Flaw Used By Lynx Ransomware

By 813 Staff

A significant development is emerging: Operation FortiBleed exposes a critical flaw used by Lynx ransomware, according to BleepingComputer (@BleepinComputer) on July 1, 2026.

Source: https://x.com/BleepinComputer/status/2072434490576691629

Organizations still cleaning up after the recent wave of Fortinet vulnerabilities now face an active credential-harvesting campaign that internal documents suggest has been quietly draining network access for weeks. According to cybersecurity researchers cited by @BleepinComputer, a threat cluster linked to the Lynx ransomware operation has been exploiting unpatched FortiGate firewalls to steal VPN credentials and session tokens in what is now being tracked as “FortiBleed.” Engineers close to the project say the attackers are not deploying ransomware in the initial phase — instead, they are systematically exfiltrating authentication data from compromised devices to build a persistent foothold for future extortion.

The operation, first detected by threat hunters monitoring anomalous login patterns across multiple sectors, appears to target FortiGate appliances running firmware versions with known and previously undisclosed flaws. While Fortinet has released patches for several critical vulnerabilities in the past six months, the rollout has been anything but smooth. Many enterprise IT teams have struggled with patch cycles, leaving a significant attack surface exposed. The Lynx-affiliated group, according to telemetry shared with researchers, is leveraging a combination of remote code execution and credential dumping utilities to pull plaintext passwords and session cookies directly from the firewall’s memory.

What makes this campaign particularly dangerous is the dual use of stolen credentials. Once extracted, the data is immediately tested against internal systems — VPN gateways, email servers, and cloud management consoles. If valid, the attackers quietly escalate privileges and deploy backdoors, which can later be used for ransomware deployment or data theft at the group’s discretion. Multiple incident response firms have confirmed active intrusions across healthcare, government, and financial verticals, though the full scope of the compromise remains unconfirmed.

Going forward, organizations that haven’t yet audited their FortiGate configurations are advised to treat any unpatched device as potentially compromised. Security teams should immediately rotate all VPN credentials and enforce multi-factor authentication that requires hardware tokens rather than push notifications. The researchers note that the Lynx group is known for rapid adaptation, and indicators of compromise are evolving daily. Without swift remediation, the FortiBleed campaign could become a persistent vector for ransomware attacks throughout the second half of the year.