
The FortiGate Credentials Feeding This Ransomware Wave Were an Audit Result We Published in June. Here's What We Had, and What We Didn't.

  • Writer: Patrick Duggan
  • 40 minutes ago
  • 4 min read

Researchers reported this week that credentials harvested from hundreds of thousands of FortiGate firewalls are now being used as the initial access for ransomware attacks run by the INC and Lynx operations. When a story like that crosses the wire, the honest question for a threat-intelligence shop is not "did we call it." It is "could a customer pulling our feed have stopped this, and if not, exactly where does our early warning end and our blind spot begin." So here is that analysis, in three tiers, and I am going to tell you plainly which tier each claim lives in — because the difference between "we warned about the class" and "we had the kill shot" is the whole difference between honest intelligence and a victory lap.


Tier one: the exposure. On June 20 we published a piece arguing that FortiBleed was not a campaign but an audit result — that someone had run a credential-collection pass against the global population of internet-exposed FortiGate devices and found that roughly half of them were sitting on harvestable material accumulated across eight years of unpatched Fortinet CVEs. That was two weeks before this week's ransomware reporting. The credentials now feeding INC and Lynx are, by every indication, the operational payoff of exactly the exposure we described. This claim is strong and we will stand on it: we named the open door, with a number, before it became someone else's breach headline. What we said then was that a harvested credential is worse than an exploited CVE because there is no patch for a password that already left the building. This week is that sentence coming true.


Tier two: the actor. Lynx is not a stranger to our feed. It is a ransomware-as-a-service operation that emerged in 2024 as a rebrand of INC — the same pairing the new reporting names — and we have carried blockable Lynx infrastructure since February. One Lynx host in our indicators, lynx-new.mightrecoverymarketing.com, has a first-seen timestamp of February 26, 2026. We also published, back in April, the math on ACN Healthcare: Lynx was in our feed 43 days before that organization was hit. So the actor half of this chain is also early and also receipted. A defender who ingested our STIX feed had a Lynx indicator to block months before this week, and had the actor's profile — victim tempo, the hospitals-and-nonprofits policy they claim and violate — long before that.


Tier three is where I stop, on purpose, because this is the tier where most vendors keep going and shouldn't. Could we have handed you the exact indicator that would have stopped this specific FortiGate-credential wave? No. We do not have the harvested credentials themselves, and we do not have the specific source addresses conducting this particular initial-access campaign. Our Fortinet-tagged indicators are impersonation and phishing infrastructure and CVE detection artifacts — not the stolen credential set. And the reason we do not have them is not a gap we can close by working harder. It is structural. A credential harvested from a firewall and replayed against that same firewall's VPN is a Fortinet-side exposure that no external threat feed can see, because nothing about the transaction touches the public infrastructure a feed observes. The credential was valid. The login looked legitimate. There is no indicator to publish because, from the outside, there was nothing anomalous to indicate.


That third tier is the most important paragraph in this post, and it is the one a sales deck would delete. The honest shape of "could we have prevented this" is: we flagged the exposure class two weeks early, we have tracked and published the actor for months, and we could not have seen the specific stolen credentials because they were never externally visible. Two real early warnings bracketing one genuine blind spot. Anyone who tells you their feed would have caught the credential replay is either confused about how credential theft works or selling you something.


What actually follows from this is a defensive instruction, not a bragging point. If you run FortiGate, the June exposure means you have to assume credential compromise regardless of your current patch level, because patching closes the CVE but does nothing about a password that was already harvested. Rotate every credential that ever lived on an internet-exposed Fortinet device. Force re-authentication. Watch for valid-looking logins from infrastructure you do not recognize — because in tier three, the anomaly is not a bad credential, it is a good credential arriving from the wrong place. And subscribe your blocking to a feed that carries the actor, because while we could not see the credential, we can see Lynx, and we have been able to see Lynx since February.
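The tier-three detection described above, as an added example that is not part of the original post or of the DugganUSA feed: successful VPN logins are checked against a per-account baseline of normal source networks and against IPv4 indicators pulled from STIX 2.1 pattern strings, so that a good credential arriving from the wrong place surfaces even though the credential itself is valid. The log lines, field names (`subtype`, `action`, `user`, `remip`), baseline networks and indicator patterns are all constructed for the example (RFC 5737 documentation addresses), not captured device output or real feed entries.

```python
import ipaddress
import re

# Constructed sample events in a simplified key=value syslog style, loosely modelled on
# FortiGate VPN event logs. Field names and values are assumptions for this example.
SAMPLE_LOGS = [
    'date=2026-07-01 time=08:12:03 subtype="vpn" action="tunnel-up" user="alice" remip="198.51.100.23"',
    'date=2026-07-01 time=08:15:41 subtype="vpn" action="tunnel-up" user="bob" remip="192.0.2.77"',
    'date=2026-07-01 time=08:16:02 subtype="vpn" action="ssl-login-fail" user="carol" remip="203.0.113.50"',
    'date=2026-07-01 time=08:17:19 subtype="vpn" action="tunnel-up" user="alice" remip="203.0.113.50"',
    'date=2026-07-01 time=08:19:55 subtype="vpn" action="tunnel-up" user="dave" remip="198.51.100.40"',
    'date=2026-07-01 time=08:21:08 subtype="vpn" action="tunnel-up" user="carol" remip="192.0.2.200"',
]

# Per-account baseline of source networks that have historically been normal for that
# account (constructed; in practice built from weeks of prior successful logins).
TRUSTED_SOURCES = {
    "alice": ["198.51.100.0/24"],
    "bob": ["192.0.2.0/24"],
    "carol": ["198.51.100.0/24"],
}

# Constructed STIX 2.1 indicator patterns standing in for feed entries. The address is
# documentation space, not an indicator from any published feed.
STIX_PATTERNS = [
    "[ipv4-addr:value = '203.0.113.50']",
    "[domain-name:value = 'example-c2.invalid']",
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
IPV4_PATTERN_RE = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")


def parse_event(line):
    """Turn one key=value log line into a dict; values may be quoted or bare."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def feed_ipv4_set(patterns):
    """Collect plain IPv4 equality indicators from STIX 2.1 pattern strings.
    Other pattern types (domains, hashes) are ignored by this simple matcher."""
    ips = set()
    for pattern in patterns:
        m = IPV4_PATTERN_RE.match(pattern)
        if m:
            ips.add(m.group(1))
    return ips


def is_trusted(user, ip, trusted):
    """True when ip falls inside one of the account's baseline networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted.get(user, []))


def detect(lines, trusted=TRUSTED_SOURCES, patterns=STIX_PATTERNS):
    """Return alerts for SUCCESSFUL VPN logins that do not fit the account's baseline
    or that arrive from a feed-listed source. Failed logins are skipped on purpose:
    the case being hunted is a valid credential used from the wrong place."""
    blocklist = feed_ipv4_set(patterns)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("subtype") != "vpn" or ev.get("action") != "tunnel-up":
            continue
        user, ip = ev.get("user"), ev.get("remip")
        if not user or not ip:
            continue
        alert = {"user": user, "remip": ip, "time": ev.get("time")}
        if ip in blocklist:
            alert.update(severity="high", reason="source matches feed indicator")
        elif user not in trusted:
            alert.update(severity="medium", reason="no baseline for account")
        elif not is_trusted(user, ip, trusted):
            alert.update(severity="medium", reason="source outside account baseline")
        else:
            continue
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f'{a["time"]} {a["severity"]:6} user={a["user"]} remip={a["remip"]} ({a["reason"]})')
```

The ordering of the checks is deliberate: a feed hit outranks a baseline miss, and an account with no baseline at all is reported rather than silently trusted, since a freshly harvested credential for a rarely used account is exactly the case a baseline cannot vouch for.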


That is the whole honest ledger. We were early on the exposure. We were early on the actor. We were blind on the credential, and we are telling you so, because the day we start rounding tier three up to tier one is the day our receipts stop meaning anything.


Sources: DugganUSA FortiBleed analysis (June 20, 2026), our Lynx adversary profile and the ACN Healthcare lead-time analysis (April 26, 2026), and this week's INC/Lynx FortiGate-credential reporting. Our Lynx indicator first-seen dates are live in the STIX feed. Check them.





