Hackers stole thousands of Fortinet login credentials, and now they're using them to break into company networks and deploy ransomware.
Today is 2 July 2026, and this matters because Fortinet firewalls are everywhere — they're the gatekeepers between company networks and the internet. If attackers get real login credentials, they can slip through the front door undetected. This is one of the most dangerous kinds of cyberattacks because it looks legitimate.
What Is FortiBleed?
FortiBleed is the name for a massive campaign where attackers stole login credentials for Fortinet firewalls and related services. Fortinet is one of the biggest firewall companies in the world. Their products protect networks at thousands of organizations — banks, hospitals, government agencies, tech companies, schools, and more.
The stolen data included usernames and passwords for administrative accounts. With real credentials, attackers don't need to find vulnerabilities or break anything. They just log in like legitimate administrators.
How the Attack Chain Works
Here's what security researchers discovered: the stolen credentials aren't being used in random attacks. They're being deliberately supplied to ransomware gangs, specifically groups linked to Lynx ransomware and an older operation called INC.
The chain looks like this:
- Attackers steal Fortinet credentials through the FortiBleed campaign
- They sell or share these credentials with ransomware gangs
- Ransomware operators use the credentials to log into company firewalls
- They quietly move through the network, planting malware and surveying what's there
- Weeks or months later, they activate the ransomware and demand payment
This is much quieter than a traditional cyberattack. Normal attacks try to find vulnerabilities and exploit them — that creates alerts and noise. With real credentials, attackers look like they belong there.
Why This Is Different from Other Ransomware
Most ransomware attacks start with phishing — attackers trick an employee into clicking a malicious link or opening a bad file. Those attacks leave traces. Email gateways can filter them. Users can be trained to spot them.
FortiBleed bypasses that entirely. An attacker with a real password can log in during business hours. They can disable alerts. They can delete logs. They can move through the network undetected for weeks or months.
A firewall is supposed to be your first line of defense. When someone with a real password gets past it, the network is wide open.
What Organizations Should Do
If your company uses Fortinet firewalls, here's what your security team should prioritize:
Step 1: Reset All Fortinet Passwords Immediately
Any password used on a Fortinet device before the FortiBleed campaign was discovered should be treated as compromised. Reset them now.
Use long, complex passwords — at least 16 characters with uppercase, lowercase, numbers, and special characters. Avoid patterns or dictionary words. Better yet, use a password manager to generate random passwords.
Step 2: Enable Multi-Factor Authentication
Multi-factor authentication (MFA) requires a second form of proof beyond the password. Usually this is a code from an authenticator app on your phone.
Even if attackers have a real password, they can't get in without that second factor. Fortinet firewalls support MFA. Turn it on for every administrative account. This single step would stop most FortiBleed attacks.
Step 3: Review All Firewall Access Logs
Look at who has logged into your firewalls in the past several months. Check for:
- Logins from IP addresses you don't recognize
- Administrative access at unusual times (3 AM, weekends, holidays)
- New administrator accounts you didn't create
- Changes to firewall rules or settings
On a FortiGate device, the administrator accounts themselves are listed under System > Administrators; compare that list with the login records you pull from the device's event log. Document anything that looks suspicious.
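To make the Step 3 checks concrete, here is an added example (not code from this article or from Fortinet) that parses constructed FortiGate-style key=value event lines and flags logins from untrusted addresses, off-hours logins, logins by unrecognised accounts, newly added administrator objects and firewall configuration changes. The trusted management range, the set of known administrators and the business-hours window are assumptions to replace with your own values.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network
# Constructed sample lines in FortiGate-style key=value event format (not from any real device).
SAMPLE_LOGS = [
    'date=2026-06-02 time=09:14:03 logdesc="Admin login successful" user="admin" '
    'ui="https(10.0.0.15)" action="login" status="success"',
    'date=2026-06-07 time=03:12:41 logdesc="Admin login successful" user="admin" '
    'ui="ssh(198.51.100.77)" action="login" status="success"',
    'date=2026-06-07 time=03:15:09 logdesc="Object attribute configured" user="admin" '
    'ui="ssh(198.51.100.77)" action="Add" cfgpath="system.admin" cfgobj="svc_backup"',
    'date=2026-06-08 time=11:05:12 logdesc="Object attribute configured" user="svc_backup" '
    'ui="https(198.51.100.77)" action="Edit" cfgpath="firewall.policy" cfgobj="3"',
]
TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumed management range admins log in from
KNOWN_ADMINS = {"admin"}                    # assumed set of administrator accounts you created
BUSINESS_HOURS = range(8, 18)               # assumed 08:00-17:59; weekends count as unusual

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict; values may be quoted or bare."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def source_ip(event):
    """Pull the client address out of ui="https(1.2.3.4)"; None if it is absent."""
    m = re.search(r"\(([^)]+)\)", event.get("ui", ""))
    return m.group(1) if m else None

def review_events(lines, trusted=TRUSTED_NETS, known=KNOWN_ADMINS):
    """Return (reason, user, ip, timestamp) for each event that matches a Step 3 check."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        ts = datetime.fromisoformat(f'{ev["date"]} {ev["time"]}')
        ip, user, reasons = source_ip(ev), ev.get("user", "?"), []
        if ev.get("action") == "login" and ev.get("status") == "success":
            if ip and not any(ip_address(ip) in net for net in trusted):
                reasons.append("login from untrusted IP")
            if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
                reasons.append("login at unusual time")
            if user not in known:
                reasons.append("login by unrecognised admin account")
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            reasons.append(f'new administrator account {ev.get("cfgobj")}')
        elif ev.get("cfgpath", "").startswith("firewall."):
            reasons.append(f'firewall config change ({ev["cfgpath"]} {ev.get("cfgobj")})')
        findings += [(r, user, ip, ts.isoformat()) for r in reasons]
    return findings
```

Feed `review_events()` the event-log lines exported from the device; the daytime login from the management range produces no finding, while the 03:12 SSH login from an outside address, the admin account it creates and the later policy edit are all flagged.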
Step 4: Search for Signs of Lateral Movement
If an attacker did gain firewall access, they may have already planted malware or created hidden accounts. Look for:
- Unexpected user accounts created on domain controllers or servers
- Unusual network traffic between departments or to external IPs
- Database backups being copied to strange locations
- Scheduled tasks or cron jobs you didn't create
- Unexpected remote access tools installed
Ransomware gangs spend weeks preparing the network for the final attack. Early detection during this phase can stop everything before it starts.
Step 5: Engage Security Experts
If you find suspicious activity, don't handle it alone. Bring in cybersecurity professionals who can:
- Properly investigate the breach
- Determine what data was accessed
- Find all the malware that was planted
- Coordinate with law enforcement if needed
Amateurish handling can destroy evidence or push attackers to activate their ransomware early.
Step 6: Report to Fortinet
Fortinet has published security advisories about FortiBleed. Report any suspicious activity to them through official channels. They can help coordinate a response and warn other customers about specific attack patterns they see.
Why Credential Theft Is So Common
FortiBleed is just one example of a much bigger problem. Every data breach, every password list sold on the dark web, every phishing attack that steals login credentials feeds attacks like this.
Credentials are valuable. They're reused. They're sold. They're shared among criminal groups. An attacker doesn't need technical skill to use stolen credentials — they just need patience and the ability to blend in.
This is why security experts keep repeating the same advice: use unique passwords everywhere, enable multi-factor authentication everywhere possible, and assume that some of your login credentials have already been compromised somewhere.
Conclusion
FortiBleed demonstrates that stolen credentials remain one of the easiest ways for attackers to break into networks. When someone has real administrative access, they can move quietly and set up ransomware without detection. The good news is this attack is preventable using well-established security practices: strong unique passwords, multi-factor authentication on critical systems, and careful monitoring of who logs in and what they do.
Merits
- Preventable with standard practices — strong passwords and MFA stop this attack
- Detectable through logs — administrators can review access history to find suspicious activity
- Clear attack pattern — defenders know what to look for after FortiBleed
- No social engineering needed — this attack doesn't rely on tricking employees
- Vendor support available — Fortinet is actively helping customers secure against this campaign
Demerits
- Difficult to detect early — attackers with real credentials appear as legitimate administrators
- Widespread exposure — Fortinet firewalls are deployed at thousands of organizations worldwide
- Long attacker dwell time — ransomware gangs can remain hidden for months before activating attacks
- Credentials continue to be available — stolen logins are actively traded on criminal marketplaces
- Requires comprehensive response — organizations need to change policies and practices, not just patches
Caution
The usernames, passwords, IP addresses, and hostnames mentioned in this article are placeholders — use your actual values when implementing these steps. Always test any configuration changes in a non-production environment before applying them to live systems. Your security situation is unique to your organization, so consult Fortinet's official security advisories and work with your security team to understand your specific risk. Follow your organization's change management processes. Proceed at your own risk.
Frequently asked questions
- What is a Fortinet firewall and why do attackers want access to it?
- How do I know if my organization's credentials were stolen in the FortiBleed campaign?
- What is multi-factor authentication and how does it protect against credential theft?
- Can ransomware be removed from a network after it is deployed?
- How often should administrator passwords be changed on critical systems?
- What should I do if I find suspicious logins in my firewall access logs?
- What is the difference between FortiBleed attacks and traditional ransomware attacks?
- How long do ransomware gangs typically stay in a network before deploying the final attack?
Tags
#cybersecurity #ransomware #firewall #FortiBleed #credentialtheft #networksecurity #infosec #malware