FortiBleed Attackers Monetize Firewall Access Through Ransomware Partnerships
Actors who compromised thousands of Fortinet devices are now collaborating with Inc and Lynx ransomware groups, adding Nextcloud exploitation to their toolkit.
Threat actors behind the FortiBleed campaign have begun monetizing their access to compromised Fortinet firewalls by partnering with established ransomware operations. Dark Reading reports the attackers are now working with Inc and Lynx ransomware gangs, converting initial access into extortion opportunities.
The collaboration marks an escalation from reconnaissance to active exploitation. After gaining footholds in thousands of Fortinet devices, the FortiBleed actors are selling or sharing access with ransomware operators who specialize in encryption and data theft. This division of labor is consistent with the access-broker model that has matured across the cybercrime ecosystem.
The attackers have also added a Nextcloud zero-day vulnerability to their exploitation chain, expanding their attack surface beyond Fortinet infrastructure. The Nextcloud bug provides an additional entry vector for organizations running the collaboration platform, compounding exposure for networks already weakened by firewall compromise.
- Organizations with unpatched Fortinet firewalls face imminent ransomware risk from Inc and Lynx operators.
- Nextcloud users must assess exposure to zero-day exploitation pending vendor disclosure and patch availability.
- Security teams should audit firewall logs for indicators of FortiBleed compromise and lateral movement.
- Incident response plans must account for multi-vector attacks combining firewall and collaboration platform exploitation.