
FortiBleed Actors Collaborate with Inc and Lynx Ransomware Groups

To the point: FortiBleed actors monetize their access to Fortinet firewalls through cooperation with Inc and Lynx ransomware groups while also deploying zero-day exploits against Nextcloud.

Attackers who gained access to thousands of Fortinet firewalls through the FortiBleed vulnerability are now cooperating with known ransomware gangs and exploiting a zero-day vulnerability in Nextcloud.

The actors are now using their positions on these firewalls strategically: they cooperate with the ransomware groups Inc and Lynx to monetize their access, and they exploit a zero-day vulnerability in Nextcloud for further attacks.

For CISOs, this represents an escalation of the threat landscape: access to perimeter security devices not only lets attackers penetrate internal networks, but also lets them pass that access on to specialized ransomware operators. The combination of established network access and zero-day exploits in widely deployed collaboration tools such as Nextcloud significantly increases the risk of compromise.

Organizations should audit their Fortinet firewall inventories for possible FortiBleed compromises, isolate or update Nextcloud instances, and strengthen ransomware prevention and lateral movement detection. Collaboration between initial access brokers and established ransomware groups is a long-standing business model in the cybercrime ecosystem, and countering it requires comprehensive network monitoring and incident response capabilities.


Source: www.darkreading.com · Published July 2, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification through Lumi News Pipeline v1.7.2.
