A massive credential-harvesting campaign, dubbed FortiBleed, is linked to two ransomware-as-a-service operations, tracked as INC Ransom and Lynx, according to a blog post Wednesday by cybersecurity firm SOCRadar.
An operator with access to FortiBleed infrastructure was found to be logged into negotiation panels for INC as well as Lynx, researchers said.
In certain cases, the attacks may have involved exploitation of a vulnerability in a content collaboration platform called Nextcloud. The analysis is still ongoing, so no public advisory or Common Vulnerabilities and Exposures (CVE) number has yet been assigned.
“The Nextcloud issue appears to have been used as part of the attackers’ broader operational workflow, likely for expansion or infrastructure access after initial compromise,” Ensar Seker, CISO at SOCRadar, told Cybersecurity Dive.
Not all cases involved Nextcloud, nor was compromise fully dependent on exploitation of the zero-day.
The Cybersecurity and Infrastructure Security Agency last month warned that hackers have been targeting both government and private-sector organizations using tens of thousands of compromised Fortinet firewall and virtual private network credentials.
Source: Cybersecurity Dive