Information Security News – 6/22/26

FortiBleed Leak Exposes Fortinet VPN Credentials for 73,000 Devices

Article Link: https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/

  • A data leak, dubbed FortiBleed, contains what appear to be valid Fortinet and FortiGate VPN and administrative credentials for over 70,000 firewall URLs across 194 countries. It impacts over 21,000 organizations in sectors including telecommunications, finance, government, healthcare, education, and manufacturing.
  • Security researcher Bob Diachenko discovered an exposed server containing usernames, email addresses, and plain text passwords. Evidence suggests a threat group carried out large-scale credential attacks against FortiGate VPNs and Microsoft SQL servers, allegedly executing billions of login attempts, collecting authentication data, cracking hashes with GPU clusters, and compiling a database of verified credentials.
  • Independent researchers verified portions of the dataset as authentic, and many affected Fortinet devices are still online, making the credentials potentially usable. The leak could enable unauthorized VPN access, administrative compromise, lateral movement into internal networks, Active Directory attacks, data theft, and persistence within enterprise environments.
  • The original source of the configuration data remains unknown. Researchers have not determined whether it resulted from old Fortinet vulnerabilities, a new flaw, stolen backups, or other methods. Fortinet states the dataset appears to be a repackaging of credentials obtained from prior incidents and brute-force activity, not evidence of a newly disclosed Fortinet vulnerability. Organizations should immediately rotate credentials, enforce MFA, review logs, and investigate potential exposure.
  • Additional information: https://www.infostealers.com/article/fortibleed-75000-fortinet-firewalls-compromised-global-enterprises-exposed-claim-your-ethical-disclosure/

SQL Server 2025 AI Features Can Be Abused to Exfiltrate Sensitive Data

Article Link: https://cyberpress.org/sql-server-2025-ai-features/

  • Researchers demonstrated that new AI-focused features in Microsoft SQL Server 2025 can be abused for data exfiltration, credential theft, and covert command-and-control (C2) communications.
  • Features such as sp_invoke_external_rest_endpoint, CREATE EXTERNAL MODEL, and AI_GENERATE_EMBEDDINGS allow SQL Server to send data to external endpoints, define attacker-controlled AI models, and disguise malicious traffic as legitimate AI embedding requests. The techniques make post-compromise activity significantly stealthier and more difficult to detect, undermining traditional assumptions that outbound database traffic is inherently suspicious.
  • Attackers with elevated database privileges can exfiltrate database contents, steal files, capture NTLM hashes, establish persistence through database triggers, and communicate with implants while blending into normal AI-related traffic.
  • Microsoft determined the behavior does not warrant a security update, making defensive controls critical. Organizations should restrict SQL Server internet access, remove unnecessary sysadmin privileges, and monitor for use of AI-related SQL Server features.
  • Additional information: https://specterops.io/blog/2026/06/10/oops-i-weaponized-the-database-abusing-ai-features-in-mssql-2025/#h-foreword
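One way to act on the "monitor for use of AI-related SQL Server features" recommendation above is to inventory where those features are enabled, referenced in stored code, or recently executed. The T-SQL below is an added example written for this digest; it is not code from the article or from the SpecterOps write-up. It assumes a login holding VIEW SERVER STATE and VIEW DATABASE STATE, that the sp_configure option governing sp_invoke_external_rest_endpoint is named 'external rest endpoint enabled' as in Microsoft's documentation, and that the sys.external_models catalog view exists as documented for SQL Server 2025 (both names are assumptions, not taken from the page).

```sql
-- Added example (not from the article): defender-side inventory of AI/outbound
-- feature use on a SQL Server 2025 instance. Run in SSMS/sqlcmd; sections 2 and 5
-- are per-database, so repeat them in each database of interest.

-- 1. Is the REST endpoint feature switched on at all? (option name assumed from
--    vendor docs; if it is 0 the stored procedure cannot reach out to the internet)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'external rest endpoint enabled';

-- 2. Stored procedures, functions and DML triggers whose definition references
--    the features named in the article. Triggers matter because the article
--    describes them as a persistence mechanism.
SELECT DB_NAME()                           AS database_name,
       o.type_desc,
       OBJECT_SCHEMA_NAME(m.object_id)     AS schema_name,
       o.name                              AS object_name,
       o.modify_date
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
WHERE m.definition LIKE '%sp_invoke_external_rest_endpoint%'
   OR m.definition LIKE '%AI_GENERATE_EMBEDDINGS%'
   OR m.definition LIKE '%EXTERNAL MODEL%'
ORDER BY o.modify_date DESC;

-- 3. Statements still in the plan cache that used these features, with the time
--    they last ran. Ad hoc batches run by an intruder show up here even when
--    nothing was persisted as an object.
SELECT TOP (50)
       qs.last_execution_time,
       qs.execution_count,
       st.text AS statement_text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE st.text LIKE '%sp_invoke_external_rest_endpoint%'
   OR st.text LIKE '%AI_GENERATE_EMBEDDINGS%'
   OR st.text LIKE '%EXTERNAL MODEL%'
ORDER BY qs.last_execution_time DESC;

-- 4. Who holds sysadmin. The article's abuse cases require elevated database
--    privileges, so every member of this role is in scope for review.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
ORDER BY sp.name;

-- 5. External models defined in this database (catalog view name assumed from
--    SQL Server 2025 documentation). The location column is where embedding
--    requests will be sent, so any host outside the approved AI provider list
--    should be treated as a finding.
SELECT name, create_date, modify_date, location
FROM sys.external_models;
```

Sections 2 and 3 only answer "has it been used or defined here"; the plan cache is volatile, so for durable evidence pair this with a SQL Server Audit specification on EXECUTE of the procedure and on schema object changes, and egress filtering at the network edge as the article recommends. Any hit in section 5 pointing at a host you did not provision is worth investigating on its own.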

Sysco Hit by Second Extortion Claim Over 61M Records, Weeks After Qilin Ransomware Threat

Article Link: https://cybernews.com/news/sysco-shinyhunters-61-million-salesforce-records/

  • ShinyHunters claims to have stolen more than 61 million Salesforce records from food distribution giant Sysco, including alleged customer, employee, and internal corporate data.
  • Details of the intrusion remain unclear, and ShinyHunters has not publicly provided proof of the alleged theft. The group claims the data was extracted from Sysco’s Salesforce environment and has threatened to publish it if the company does not engage.
  • Sysco is one of the world’s largest food distributors, serving customers across healthcare, government, education, hospitality, transportation, and other critical sectors, making any potential data compromise significant.
  • If confirmed, the breach could expose sensitive customer and employee information, create privacy and fraud risks, and disrupt a key supplier within multiple critical infrastructure and supply chain sectors.
  • The claim comes just weeks after Sysco was named by the Qilin ransomware gang, highlighting the growing trend of data-extortion campaigns targeting large enterprises.

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

Article Link: https://thehackernews.com/2026/06/cisa-warns-of-actively-exploited-joomla.html

  • CISA added a maximum-severity vulnerability in Widget Factory Joomla Content Editor, tracked as CVE-2026-48907 (CVSS 10.0), to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation.
  • The flaw is caused by improper access controls that allow unauthenticated attackers to create editor profiles, upload malicious PHP code, and execute it on vulnerable Joomla websites. Public exploit code and automated attacks are reportedly targeting vulnerable sites, allowing attackers to deploy web shells and establish persistent access without needing valid credentials.
  • Successful exploitation could lead to full website compromise, data theft, unauthorized file access, malware deployment, SEO manipulation, and use of compromised servers for additional attacks. The incident highlights the ongoing threat from internet-facing applications and third-party software, where unpatched vulnerabilities can provide attackers with low-effort paths into enterprise environments.
  • Organizations using affected Joomla JCE versions should upgrade immediately, review logs for suspicious profile import activity, and investigate systems for signs of existing compromise since patching does not remove attacker backdoors.
  • Additional information: https://nvd.nist.gov/vuln/detail/CVE-2026-48907

INC Ransomware Thrives by Mastering the Basics

Article Link: https://www.darkreading.com/cyberattacks-data-breaches/inc-ransomware-thrives-by-mastering-the-basics

  • INC ransomware, a ransomware-as-a-service (RaaS) group active since 2023, has become one of the more active ransomware operations, claiming more than 800 victims across sectors including healthcare, manufacturing, technology, legal, and education.
  • The group uses a proven ransomware playbook rather than novel techniques, relying on phishing, stolen credentials, initial access brokers, and exploitation of known vulnerabilities in internet-facing systems.
  • The group uses double extortion tactics, encrypting systems and threatening to leak stolen data to pressure victims into paying. Its attacks can cause operational disruption, data exposure, and significant recovery costs.
  • INC demonstrates that ransomware actors do not always need advanced techniques to be effective. Many attacks rely on common security weaknesses that organizations can address through foundational controls such as MFA, timely patching, security awareness training, and access management.
  • Additional information: https://www.acronis.com/en/tru/posts/from-emerging-threat-to-top-tier-ransomware-as-a-service-the-evolution-of-inc-ransomware/

CISA Orders Feds to Patch Actively Exploited Ivanti Flaw by Sunday

Article Link: https://www.bleepingcomputer.com/news/security/cisa-gives-feds-3-days-to-patch-ivanti-flaw-exploited-in-attacks/

  • The United States Cybersecurity and Infrastructure Security Agency has issued an urgent mandate ordering federal offices to immediately isolate or remediate internet-exposed Ivanti Sentry administration portals.
  • Threat actors are actively leveraging an operating system command injection vulnerability, tracked as CVE-2026-10520, which carries a maximum severity rating and allows remote code execution. Successful exploitation could allow attackers to gain unauthorized control of affected edge devices and use them as a foothold inside targeted environments.
  • Unpatched edge devices give attackers direct network entry, allowing them to establish backdoors, monitor internal communications, and use that access to compromise broader infrastructure components.
  • Organizations operating affected systems should take immediate action by removing management interfaces from public internet exposure, restricting access to administrative port 8443 through firewall rules and access control lists, and applying the latest vendor-provided security updates.
  • Additional information: https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US

Chinese Hackers Breached North American Research Institutions via REDCap Servers

Article Link: https://www.helpnetsecurity.com/2026/06/15/chinese-hackers-redcap-medical-research-institutions-breach/

  • A China-linked cyber espionage group compromised North American medical research institutions by targeting vulnerable REDCap servers, gaining access to environments containing sensitive research and strategic data.
  • After establishing a foothold, attackers deployed custom INFINITERED malware that modified legitimate REDCap files, survived software upgrades, harvested credentials, and enabled persistent remote access.
  • The threat actor leveraged stolen administrator credentials to create covert email monitoring rules, allowing the collection of communications related to medical research, advanced technologies, and geopolitical interests.
  • Organizations using REDCap should immediately upgrade to supported versions, remove legacy deployments, and routinely audit email compliance rules for unauthorized forwarding destinations.
  • Additional information: https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research

Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw

Article Link: https://thehackernews.com/2026/06/cisco-releases-security-updates-for.html

  • Cisco has released security updates for an actively exploited vulnerability in Catalyst SD-WAN Manager, warning that attackers are targeting the platform despite the flaw carrying a medium-severity CVSS score.
  • Tracked as CVE-2026-20262, the vulnerability arises from improper validation of file uploads and allows authenticated attackers to create or overwrite arbitrary files on affected systems, potentially leading to root-level compromise.
  • Although exploitation requires valid credentials with write privileges, attackers can leverage the flaw to deploy malicious code, establish persistence, and gain deeper access to critical network management infrastructure.
  • Cisco and CISA are urging organizations to immediately apply available patches and investigate systems for indicators of compromise. Administrators should review logs for suspicious file uploads, unauthorized deployments, and other signs of malicious activity.
  • Additional information: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ
