A massive credential-harvesting campaign, dubbed FortiBleed, is linked to two ransomware-as-a-service operations, tracked as INC Ransom and Lynx, according to a blog post Wednesday by cybersecurity firm SOCRadar.
An operator with access to FortiBleed infrastructure was found to be logged into negotiation panels for INC as well as Lynx, researchers said.
In certain cases, the attacks may have involved exploitation of a vulnerability in the content collaboration platform Nextcloud. The analysis is still ongoing, so no public advisory has been issued and no Common Vulnerabilities and Exposures (CVE) identifier has yet been assigned.
“The Nextcloud issue appears to have been used as part of the attackers’ broader operational workflow, likely for expansion or infrastructure access after initial compromise,” Ensar Seker, CISO at SOCRadar, told Cybersecurity Dive.
Not all cases involved Nextcloud, nor did compromise depend entirely on exploitation of the zero-day.
The Cybersecurity and Infrastructure Security Agency last month warned that hackers have been targeting both government and private-sector organizations using tens of thousands of compromised Fortinet firewall and virtual private network credentials.
Layered operation
An operator linked to the campaign has been working as an initial access broker, using a custom Golang-based tool to intercept authentication traffic, according to SOCRadar. The hacking operation is believed to involve 20 people. Researchers are still working on a follow-up report, which will contain additional details about the operation.
Researchers identified traffic sniffing on 19,000 Fortinet devices. After a round of notifications was sent, that figure dropped to 11,000 devices.
Fortinet said last month it was working with government authorities to notify customers who may be at risk from the campaign.
The hackers have obtained administrator-level access to 409 targets and fully compromised 354 targets, researchers said. Thus far, SOCRadar has confirmed 12 ransomware deployments and hundreds of endpoints have been encrypted.