CISA Warns of Mass Fortinet Credential Leak; Splunk RCE and Microsoft Defender Zero-Day Under Active Exploit

Gentlemen Ransomware Emerges with Aggressive EDR Evasion Tactics

A new Ransomware-as-a-Service (RaaS) operation known as 'The Gentlemen' is targeting organizations with a novel and aggressive approach to defense evasion. The malware deploys a framework of multiple Endpoint Detection and Response (EDR) killer tools concurrently before initiating its encryption routine. This multi-pronged attack on security software is designed to maximize the chances of disabling defenses from a wide array of vendors, including CrowdStrike, SentinelOne, and Sophos. By neutralizing EDR and antivirus products, the ransomware can operate without obstruction, significantly increasing its likelihood of success. This development highlights a growing trend among threat actors to focus on actively dismantling security measures as a primary step in their attack chain.

Gentlemen RansomwareRaaSEDR EvasionDefense EvasionTamper Protection +1 more

6 min read

New 'Gentlemen' Ransomware Uses EDR Killer Framework to Blindside Security Tools

Operation Endgame: Global Law Enforcement Disrupts SocGholish, Cleans 15,000 Infected Websites

MEDIUM

International 'Operation Endgame' Dismantles SocGholish Botnet Infrastructure Linked to Evil Corp

In a major blow to cybercrime, an international law enforcement coalition under 'Operation Endgame' has disrupted the notorious SocGholish malware delivery network. The operation took down 106 command-and-control servers and cleaned nearly 15,000 malware-infected WordPress websites. SocGholish, also known as 'FakeUpdates,' is a prolific initial access broker attributed to the Russian cybercrime group Evil Corp. It operated by compromising websites and using fake browser update lures to infect visitors. This access was then sold or used to deploy secondary payloads like the LockBit and RansomHub ransomware. The coordinated takedown involved authorities from the U.S., Germany, the Netherlands, and Canada, significantly hampering a key entry point for numerous ransomware and espionage campaigns.

SocGholishOperation EndgameBotnet TakedownEvil CorpInitial Access Broker +2 more

4 min read

Operation Endgame: Global Law Enforcement Disrupts SocGholish, Cleans 15,000 Infected Websites

WordPress Supply Chain Hit Again: ShapedPlugin Update Mechanism Compromised

ShapedPlugin Becomes Latest Victim in String of WordPress Supply-Chain Attacks

The WordPress ecosystem is reeling from another supply-chain attack after threat actors compromised the update mechanism for ShapedPlugin products. The breach allowed attackers to push malicious code directly to customer websites that had automatic updates enabled. This incident follows similar recent attacks on UpdraftPlus and OptinMonster, revealing a dangerous and escalating trend of threat actors targeting trusted plugin vendors instead of individual sites. By compromising the distribution channel, attackers can achieve widespread infection with minimal effort. This pattern highlights a systemic risk in the software supply chain, where a single vendor's breach can have a cascading impact on thousands of downstream users.

Supply Chain AttackWordPressShapedPluginMalwareCyberattack +1 more

6 min read

WordPress Supply Chain Hit Again: ShapedPlugin Update Mechanism Compromised

Unpatchable 'usbliter8' BootROM Exploit Released for Apple A12/A13 Chips

'usbliter8' Exploit Creates Permanent, Unpatchable Vulnerability in Millions of iPhones and iPads

Researchers have publicly disclosed 'usbliter8,' a new and unpatchable BootROM exploit affecting Apple's A12 and A13 System-on-Chips (SoCs). The vulnerability, which resides in the physical silicon of the chips, cannot be fixed with a software or firmware update. It impacts a vast range of devices, including the iPhone XS, XR, 11, and SE (2nd gen) series, as well as several iPad and Apple Watch models. The exploit allows an attacker with physical access to a device in DFU mode to bypass Apple's secure boot chain and load arbitrary, unsigned code. While it doesn't directly compromise the Secure Enclave, it opens the door for advanced forensics, security research, and highly targeted physical attacks, creating a permanent security risk for these hardware generations.

usbliter8AppleBootROMExploitUnpatchable +5 more

Unpatchable 'usbliter8' BootROM Exploit Released for Apple A12/A13 Chips

New 'Agentjacking' Attack Turns AI Coding Assistants into Malicious Insiders

'Agentjacking' Attack Abuses Sentry Error Reports to Hijack AI Coding Agents

Researchers have detailed a novel attack vector called 'Agentjacking,' which allows threat actors to hijack AI coding assistants and execute arbitrary code on a developer's machine. The attack exploits the trust AI agents place in diagnostic platforms like Sentry. By finding a public Sentry DSN, an attacker can submit a fake error report containing hidden malicious commands. When a developer instructs their AI agent (e.g., Claude Code, Cursor) to fix the bug, the agent fetches the malicious report and, misinterpreting it as valid guidance, executes the embedded commands with the developer's full privileges. This can lead to the theft of sensitive credentials, API keys, and private source code, highlighting a major architectural risk in the AI-assisted development workflow.

AgentjackingAI SecurityLLMSentrySupply Chain Attack +2 more

New 'Agentjacking' Attack Turns AI Coding Assistants into Malicious Insiders

New 'Icarus' Extortion Group Hits Klue, Steals Customer Salesforce Data via OAuth Attack

Klue Confirms Breach by 'Icarus' Group, Who Abused OAuth Tokens to Access Customer Salesforce Data

The competitive intelligence platform Klue has confirmed a security breach where attackers gained unauthorized access to its customers' connected Salesforce environments. A new extortion group named 'Icarus' has claimed responsibility. The attack vector involved the theft and abuse of OAuth tokens, which allowed the threat actors to bypass traditional authentication and directly query the Salesforce API through the trusted Klue application integration. This method highlights the significant risks in interconnected SaaS ecosystems, where a compromise in one application can cascade into others. Klue has advised customers to rotate credentials and audit OAuth tokens granted to third-party applications.

IcarusKlueSalesforceOAuthData Breach +3 more

New 'Icarus' Extortion Group Hits Klue, Steals Customer Salesforce Data via OAuth Attack

Hackers Actively Exploit Gravity SMTP Flaw (CVE-2026-4020) to Steal API Keys from 100K WordPress Sites

Active Exploitation of Gravity SMTP Plugin Flaw (CVE-2026-4020) Exposes Sensitive Data on 100,000 WordPress Sites

A medium-severity information disclosure vulnerability in the Gravity SMTP WordPress plugin, CVE-2026-4020, is being actively and widely exploited by threat actors. The flaw affects up to 100,000 websites and allows an unauthenticated attacker to access a comprehensive system report by making a single request to an insecure REST API endpoint. This report contains sensitive information, including live API keys, OAuth tokens for email services, and detailed server configurations. Security firm Defiant has blocked over 17 million exploitation attempts, indicating automated and large-scale scanning campaigns. Administrators of sites using a vulnerable version (2.1.4 and below) are urged to update to the patched version 2.1.5 immediately and rotate all exposed credentials.

CVE-2026-4020WordPressGravity SMTPVulnerabilityAPI Key +2 more

4 min read

Hackers Actively Exploit Gravity SMTP Flaw (CVE-2026-4020) to Steal API Keys from 100K WordPress Sites

ShinyHunters Leaks Data of 368,000 JCPenney Employees in Extortion Attack

CRITICAL

JCPenney Becomes Victim of ShinyHunters; Data of 368,000 Employees Leaked After Alleged Oracle PeopleSoft Exploit

The notorious hacking group ShinyHunters has leaked the personal data of approximately 368,000 current and former employees of retail giant JCPenney. The data was published online as part of a 'pay or leak' extortion campaign after the company reportedly refused to pay a ransom. The highly sensitive compromised data includes full names, Social Security numbers, addresses, dates of birth, and financial information like W-2s. According to reports, ShinyHunters gained initial access by exploiting a zero-day vulnerability in Oracle PeopleSoft, a widely used HR and financial management platform. The incident, now cataloged by Have I Been Pwned, is part of a larger campaign by ShinyHunters targeting organizations running vulnerable instances of the enterprise software.

ShinyHuntersJCPenneyData BreachExtortionOracle PeopleSoft +3 more

ShinyHunters Leaks Data of 368,000 JCPenney Employees in Extortion Attack

Updated Articles (3)

‘FortiBleed’ Campaign: Over 70,000 Fortinet Firewalls Compromised in Global Credential Heist

CRITICAL

Massive "FortiBleed" Campaign Compromises Credentials for over 70,000 Fortinet Devices

Update:

The 'FortiBleed' campaign has now impacted over 86,000 Fortinet devices, an increase from previous reports. The U.S. CISA has issued an urgent advisory, emphasizing the severity and directing organizations to immediately rotate credentials and enable MFA. New analysis reveals attackers are leveraging infostealer malware logs for credential acquisition and using post-exploitation tools like Chisel and Neo-reGeorg for tunneling and lateral movement within compromised networks. A significant percentage of compromised accounts were default 'admin' or system accounts, highlighting persistent security hygiene issues. New hunting hints include process names for Chisel and Neo-reGeorg, and monitoring unusual outbound connections from firewall management interfaces.

June 19, 2026

Updated: June 20, 2026

FortiBleedFortinetFortiGateCredential StuffingBrute Force +2 more

‘FortiBleed’ Campaign: Over 70,000 Fortinet Firewalls Compromised in Global Credential Heist

CISA Warns of Active Exploitation of Critical Splunk Flaw (CVE-2026-20253)

CRITICAL

Splunk Enterprise Flaw (CVE-2026-20253) Under Active Exploitation, CISA Warns

Update:

Further analysis of the actively exploited Splunk RCE (CVE-2026-20253) reveals over 1,400 internet-exposed instances, according to Shadowserver Foundation scans, significantly expanding the known attack surface. The RCE chain is clarified to involve abusing PostgreSQL's `COPY FROM PROGRAM` feature to write malicious scripts like web shells. New, actionable cyber observables have been identified, including monitoring port 5432, URL pattern `/services/kvstore/postgresql/`, and suspicious child processes from `postgres.exe`. Detailed detection methods, including specific EDR and FIM checks, and a mitigation step to disable the PostgreSQL sidecar service, are also provided.

June 19, 2026

Updated: June 20, 2026

SplunkCVE-2026-20253CISAKEVRCE +2 more

CISA Warns of Active Exploitation of Critical Splunk Flaw (CVE-2026-20253)

Microsoft Scrambles to Patch 'RoguePlanet' Zero-Day in Defender Granting Full System Control

Microsoft Confirms 'RoguePlanet' Zero-Day Flaw (CVE-2026-50656) in Defender, Patch in Development

Update:

The 'RoguePlanet' zero-day (CVE-2026-50656) in Microsoft Defender remains unpatched, leaving systems vulnerable. New technical details clarify the exploitation mechanism as a TOCTOU race condition, utilizing symlinks or hard links to target critical system files like the SAM database for privilege escalation. The absence of official mitigations, coupled with the public PoC, significantly increases the immediate risk of weaponization and in-the-wild attacks, turning low-level intrusions into full system compromises. MITRE ATT&CK techniques for post-exploitation are also highlighted, along with new hunting hints.

June 19, 2026

Updated: June 20, 2026