{"id":239653,"date":"2026-07-02T11:49:00","date_gmt":"2026-07-02T15:49:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/02\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/"},"modified":"2026-07-02T12:00:16","modified_gmt":"2026-07-02T16:00:16","slug":"fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/02\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/","title":{"rendered":"FortiBleed campaign traced to INC and Lynx ransomware operations"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/824348\/\">FortiBleed campaign traced to INC and Lynx ransomware operations<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecuritydive.com\/news\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/824348\/\">https:\/\/www.cybersecuritydive.com\/news\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/824348\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-02 11:49:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecuritydive.com\">www.cybersecuritydive.com<\/a><\/p>\n<p>A massive credential-harvesting campaign, dubbed FortiBleed, is linked to two ransomware-as-a-service operations, tracked as INC ransom and Lynx, according to a blog post Wednesday by cybersecurity firm SOCRadar.\u00a0<br \/>\nAn operator with access to FortiBleed infrastructure was found to be logged into negotiation panels for INC as well as Lynx, researchers said.\u00a0<br \/>\nIn certain cases, the attacks may have involved exploitation of a vulnerability in a content collaboration platform called Nextcloud. 
The analysis is still ongoing, so a public advisory or common vulnerabilities and exposures number has not yet been assigned.\u00a0<\/p>\n<p>\u201cThe Nextcloud issue appears to have been used as part of the attackers\u2019 broader operational workflow, likely for expansion or infrastructure access after initial compromise,\u201d Ensar Seker, CISO at SOCRadar, told Cybersecurity Dive.<br \/>\nNot all cases involved Nextcloud, nor was compromise fully dependent on exploitation of the zero day.\u00a0<br \/>\nThe Cybersecurity and Infrastructure Security Agency last month warned that hackers have been targeting both government and private-sector organizations using tens of thousands of compromised Fortinet firewall and virtual private network credentials.\u00a0<br \/>\nLayered operation<br \/>\nAn operator linked to the campaign has been working as an initial access broker, using a custom Golang-based tool to intercept authentication traffic, according to SOCRadar. The hacking operation is believed to involve 20 people. Researchers are still working on a follow-up report, which will contain additional details about the operation.\u00a0<br \/>\nResearchers identified traffic sniffing on 19,000 Fortinet devices. After a round of notifications was made, that figure dropped to 11,000 devices.<br \/>\nFortinet said last month it was working with government authorities to notify customers who may be at risk from the campaign.\u00a0<br \/>\nThe hackers have obtained administrator-level access to 409 targets and fully compromised 354 targets, researchers said. 
Thus far, SOCRadar has confirmed 12 ransomware deployments and hundreds of endpoints have been encrypted.\u00a0<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>FortiBleed campaign traced to INC and Lynx ransomware operations https:\/\/www.cybersecuritydive.com\/news\/fortibleed-campaign-traced-to-inc-and-lynx-ransomware-operations\/824348\/ Publish Date: 2026-07-02 11:49:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":239654,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/imgproxy.divecdn.com\/95OiTyZdLNwMj1EQZxvuZoIJ7JHhLXNAsH9Mqjf_Vbs\/g:ce\/rs:fit:770:435\/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS9GVE5ULTkwOS1raWZlci0wNS5qcGc=.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-239653","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/239653"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=239653"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/239653\/revisions"}],"predecessor-version":[{"id":239655,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/239653\/revisions\/239655"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/239654"}],"wp:attachment":[{"href":"https:\/\/tes
ting.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=239653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=239653"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=239653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}