ATLAS · LIVE
ATLAS INDEX
Δ 24H
ACTIVE SOURCES20
HOTSPOTS20
TIME21:46:46 UTC
← All briefs
CRITICALCyber IntelligenceFriday, July 3, 2026

FortiBleed Attackers Monetize Firewall Access Through Ransomware Partnerships

Actors who compromised thousands of Fortinet devices are now collaborating with Inc and Lynx ransomware groups, adding Nextcloud exploitation to their toolkit.

Threat actors behind the FortiBleed campaign have begun monetizing their access to compromised Fortinet firewalls by partnering with established ransomware operations. Dark Reading reports the attackers are now working with Inc and Lynx ransomware gangs, converting initial access into extortion opportunities.

The collaboration marks an escalation from reconnaissance to active exploitation. After gaining footholds in thousands of Fortinet devices, the FortiBleed actors are selling or sharing access with ransomware operators who specialize in encryption and data theft. This division of labor is consistent with the access-broker model that has matured across the cybercrime ecosystem.

The attackers have also added a Nextcloud zero-day vulnerability to their exploitation chain, expanding their attack surface beyond Fortinet infrastructure. The Nextcloud bug provides an additional entry vector for organizations running the collaboration platform, compounding exposure for networks already weakened by firewall compromise.

The rest of this brief is inside the platform

Continue reading. Free.

A free Atlas account unlocks the full briefing, the co-analyst, daily delivery to your inbox, and a sector-personalised feed.

Full brief
Implications, sources, methodology
Co-Analyst
Ask follow-ups on every brief
Sector feed
Briefs filtered to what matters to you
Implications
  • 01Organizations with unpatched Fortinet firewalls face imminent ransomware risk from Inc and Lynx operators.
  • 02Nextcloud users must assess exposure to zero-day exploitation pending vendor disclosure and patch availability.
  • 03Security teams should audit firewall logs for indicators of FortiBleed compromise and lateral movement.
  • 04Incident response plans must account for multi-vector attacks combining firewall and collaboration platform exploitation.
Source
Dark Reading
https://www.darkreading.com/threat-intelligence/fortibleed-actors-inc-lynx-ransomware-gangs
Brief is editorial commentary by Atlas Intelligence based on the cited public reporting. Atlas does not reproduce source text. Verify primary source before action.
#fortibleed#ransomware#fortinet#nextcloud#zero-day#inc ransomware
Related Briefs