The FortiBleed credential theft campaign has been linked to the INC and Lynx ransomware operations, according to researchers. The stolen credentials are believed to be intended for future network intrusions.

This massive campaign targets Fortinet appliances, siphoning credentials that can provide initial access to corporate networks. The connection to established ransomware groups suggests a coordinated effort to stockpile access for extortion.

Technical details remain sparse, but the campaign appears to harvest credentials from exposed Fortinet devices. The stolen data could enable lateral movement and facilitate ransomware deployment.

Fortinet has released advisories urging customers to apply security updates and rotate credentials. No specific CVE was named in the report, but patching known Fortinet vulnerabilities is recommended.

The connection to INC and Lynx—both active ransomware variants—raises concern. While attribution is preliminary, the campaign fits a pattern of ransomware groups relying on stolen credentials for initial access.