Tech Translated

IT Security & Technology Blog

Practical IT insights for Australian businesses. Our team covers cybersecurity advisories, compliance updates, and plain-English explainers on the technology your business relies on, published regularly as the landscape shifts.

Security alert graphic with red warning triangle on dark navy background

The massive FortiBleed credential-theft operation has now been tied directly to the INC and Lynx ransomware groups, as reported by BleepingComputer. Researchers at SOCRadar found the crew behind the campaign had access to the ransomware gangs’ negotiation panels — meaning the VPN logins stolen from Fortinet firewalls aren’t sitting in a database somewhere. They’re being used to break into networks and encrypt them.

The scale is worse than first thought: over 430,000 FortiGate firewalls were targeted worldwide, with traffic sniffers planted on roughly 19,000 devices to capture VPN credentials straight off the wire. That matters here because FortiGates are the default firewall in a huge share of Australian small business and MSP-managed environments — we see them in most client networks we take over. And here’s the nasty bit: because credentials were sniffed from live traffic and config files were stolen outright, patching your firewall does not fix this on its own.

If you run a FortiGate, do three things this week. Update FortiOS to the current release. Reset every VPN and admin password — all of them, not just the ones you think were exposed — and turn on MFA for VPN logins while you’re there. Then check your local accounts for anything you don’t recognise, especially a user called “adminin”, which the attackers used as a backdoor. At least 12 ransomware deployments have already come from this campaign. Don’t be the thirteenth.

Not sure what firmware your firewall is running, or who set it up? We can check it for you.

Related Guide

Cybersecurity for Sydney SMBs

Explore our complete guide to protecting your business from cyber threats.

Read the Full Guide →