top of page
ALL POSTS
FortiBleed: Global Credential-Spraying Operation Uncovered Across Multiple Platforms
Key Findings Multi-operator crew conducted industrial-scale credential-spraying campaign against Fortinet FortiGate SSL VPN devices across 207 countries Campaign generated 1.16 billion login combinations against 320,777 FortiGate endpoints and 2.1 billion attempts against 163,650 MSSQL servers Operators used custom tools running up to 50,000 threads and a 45-way NVIDIA RTX 4090 GPU cluster for password cracking At least four organizations fully compromised, including a Turkis
Jun 212 min read
Critical ArcGIS Account Recovery Vulnerability Exploited in Ongoing Attack Campaign
Key Findings Cybercriminals are actively exploiting ArcGIS Account Recovery configurations to breach customer environments right now Attackers bypass hardened primary login defenses by targeting weaker account recovery mechanisms instead Built-in application accounts with weak security questions or common usernames are primary targets Organizations using centralized identity providers instead of built-in accounts are protected from this specific threat Esri will release a sec
Jun 202 min read
FortiBleed: Global Credential Breach Affects 73,932 Fortinet Firewalls Across 194 Countries
Key Findings FortiBleed campaign exposed valid login credentials for 73,932 Fortinet firewall URLs across 194 countries, affecting 21,632 unique domains Attackers conducted approximately 1.16 billion credential attempts against over 320,000 FortiGate targets using a self-feeding system Compromised organizations include Samsung, Oracle, Foxconn, Comcast, Siemens, Lenovo, Spotify, Sony, and numerous government and critical infrastructure entities The operation leverages previou
Jun 184 min read
Phishing Attacks Surge Across Fortune 100: Employee Data Exposed at 86% of Companies
Key Findings 86% of Fortune 100 companies had employee data exposed through phishing attacks in the past 12 months 78% of large organizations experienced increased phishing volume over the past year 84% report AI-generated phishing attacks are becoming more prevalent or harder to defend against Phishing attacks now target enterprise users five times more frequently than malware infections Only 38% of organizations can confidently detect and respond to credential theft within
Jun 172 min read
Ukrainian Extradited to US Pleads Guilty in Conti Ransomware Operation
Key Findings Ukrainian national Oleksii Lytvynenko pleaded guilty to conspiracy to commit wire fraud for his role in Conti ransomware operations Conti infected over 1,000 computers and networks across 47 U.S. states, 31 countries, and generated at least $150 million in ransom payments by January 2022 Lytvynenko joined the conspiracy in September 2021 and worked on malware development including creating a "loader" for delivering additional malicious tools He possessed stolen d
Jun 142 min read
FBI dismantles massive China-based cybercrime network responsible for $1.9B in losses
Key Findings FBI, Google, and Lumen Technologies dismantled Outsider, a China-based cybercrime network responsible for $1.9 billion in losses across 55 countries Operation Ghost Hook seized multiple domains, admin servers, a Shopify storefront, approximately $100,000 from payment wallets, and thousands of domains Outsider provided phishing kits as a subscription service starting at $88 per week, enabling criminals to target hundreds of thousands of victims The network used AI
Jun 132 min read
Conti Ransomware Member's Guilty Plea Signals Breakthrough in Global Cybercrime Crackdown
Key Findings Ukrainian national Oleksii Oleksiyovych Lytvynenko pleaded guilty to wire fraud conspiracy related to Conti ransomware operations Conti attacked over 1,000 organizations across 47 U.S. states and 31 countries from 2020 to 2022, extorting at least $150 million Lytvynenko joined the conspiracy in September 2021 and developed malware used in the attacks He faces up to 20 years in prison with sentencing scheduled for September 10, 2026 Authorities continue pursuing f
Jun 133 min read
ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach 100+ Universities Worldwide
Key Findings ShinyHunters exploited CVE-2026-35273, a zero-day remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools rated 9.8/10, to breach over 100 organizations between May 27 and June 9 The vulnerability required only network access over HTTP with no authentication or user interaction, affecting any organization with Environment Management Hub endpoints exposed externally Approximately 68 percent of affected organizations were in higher education
Jun 113 min read
University of Nottingham Data Breach: 454,635 Accounts Compromised in ShinyHunters Leak
Key Findings University of Nottingham suffered a significant data breach in June 2026 affecting approximately 454,635 accounts Attack attributed to ShinyHunters group operating a "pay or leak" extortion campaign Over 40GB of sensitive data stolen including student records from UK, China, and Malaysia campuses Exposed data includes email addresses, names, addresses, phone numbers, passport numbers, National Insurance numbers, and financial records Both current students and alu
Jun 112 min read
ServiceNow Security Incident Exposes Customer Data and Unauthorized Access
Key Findings ServiceNow applied a security update on June 5, 2026 to address an unauthenticated access vulnerability affecting hosted customer instances The flaw allowed unauthorized users to gain elevated access to ServiceNow instances and query customer data Evidence shows successful data access occurred for a subset of customers between June 2-4, 2026 The vulnerability stems from an API endpoint configuration that did not require authentication Community reports allege Ser
Jun 103 min read
Miasma Worm Supply Chain Attack Compromises 73 Microsoft GitHub Repositories
Key Findings A self-replicating worm called Miasma compromised 73 Microsoft GitHub repositories across Azure infrastructure and core .NET, Go, Java, JavaScript, and Python frameworks GitHub staff disabled affected repositories after attackers injected malicious workflows that harvested OIDC tokens and developer credentials The attack exploited AI coding tools as an automatic execution mechanism, triggering malware when developers cloned infected repos and opened them in IDEs
Jun 93 min read
Meta's Account Recovery Tool Vulnerability Exposes 20,000+ Instagram Users to Unauthorized Password Resets
Key Findings Meta's AI-powered Instagram account recovery tool, known as High Touch Support (HTS), contained a critical flaw that exposed over 20,000 accounts to unauthorized password resets The vulnerability existed for approximately seven weeks, from April 17 to early June 2026, before Meta discovered it on May 31 The flaw allowed attackers to request password reset links for any Instagram account and have them sent to email addresses they controlled, bypassing identity ver
Jun 84 min read
Critical WordPress Vulnerabilities: Valve Platform and Forms Plugin Exploited for Web Shell Distribution
Key Findings Gaming platform profiles weaponized to distribute WordPress web shells via invisible Unicode steganography Nearly 2,000 websites compromised through Steam profile command injection technique Critical Everest Forms Pro vulnerability (CVE-2026-3300, CVSS 9.8) actively exploited to create rogue admin accounts Attackers using cookie-authenticated backdoors to maintain persistent access and rewrite code remotely Over 17,900 exploit attempts blocked in single day as at
Jun 43 min read
Signal Users Targeted in Coordinated Phishing Campaign to Steal Backup Recovery Keys
Key Findings Attackers are conducting a coordinated phishing campaign targeting Signal users by impersonating Signal Support via text messages The campaign specifically seeks backup recovery keys, which decrypt entire message archives stored on Signal's servers, not just future communications Journalists, activists, and human rights workers are confirmed targets, with reports of campaigns against Chinese activists and German officials A 64-character recovery key grants access
May 303 min read
PAN-OS GlobalProtect Authentication Bypass Vulnerability Under Active Exploitation in the Wild
Key Findings CVE-2026-0257 is an authentication bypass vulnerability actively exploited in the wild against Palo Alto Networks PAN-OS appliances Threat actors can forge valid VPN authentication cookies without credentials if specific certificate configurations exist CISA added this flaw to the Known Exploited Vulnerabilities catalog due to active exploitation campaigns A single threat actor orchestrated at least two waves of attacks starting May 17, 2026, successfully obtaini
May 303 min read
19.6 Billion Open Files Exposed on the Internet Without Password Protection
Key Findings 19.6 billion files exposed across 535,480 publicly accessible cloud storage buckets on AWS S3, Google Cloud, Azure, DigitalOcean, and Alibaba 685,047 credential and key files including .env files, private keys, and password vault databases sitting unprotected 985,645 database exports (.sql files) and 733,040 backup files (.bak) accessible without authentication Over two-thirds of exposed storage located on AWS due to its dominance as the default cloud provider No
May 293 min read
Luxury and Financial Services - 586,705 breached accounts
Key Findings ShinyHunters group conducted two separate "pay or leak" extortion campaigns against major companies in early 2026 Mytheresa luxury fashion platform: 84,108 breached accounts containing emails, names, phone numbers, addresses, purchase history, and partial credit card data Ameriprise Financial: 502,597 breached accounts with emails, names, phone numbers, addresses, and employer information from Salesforce and SharePoint systems Both companies had ransom demands th
May 272 min read
Ghost CMS Vulnerability Exploited in Large-Scale ClickFix Campaign Affecting Hundreds of Sites
Key Findings Attackers are actively exploiting CVE-2026-26980, a patched SQL injection flaw in Ghost CMS, to compromise over 700 unpatched websites The vulnerability allows unauthorized access to admin API keys, enabling attackers to inject malicious JavaScript into published articles Compromised sites are being weaponized to deliver ClickFix attacks, tricking users into running malicious commands via fake CAPTCHA pages Affected organizations include universities, media outle
May 254 min read
Global Law Enforcement Dismantles First VPN Used by 25 Ransomware Groups in Historic Takedown
Key Findings First VPN Service, a criminal VPN operating since 2014, was dismantled in a coordinated international operation led by France and the Netherlands At least 25 ransomware groups used the service to conduct attacks, including network reconnaissance, data theft, fraud, and denial-of-service operations The takedown involved 16 countries and resulted in the seizure of 33 servers across 27 countries and the shutdown of associated domains First VPN marketed itself specif
May 223 min read
Kimwolf Botmaster 'Dort' Arrested and Charged in U.S. and Canada
Key Findings 23-year-old Jacob Butler of Ottawa arrested Wednesday on suspicion of operating Kimwolf, a massive IoT botnet that infected millions of devices Kimwolf launched over 25,000 DDoS attacks measuring up to 30 terabits per second, the highest recorded volume, causing financial losses exceeding $1 million for some victims Butler faces charges in both the United States and Canada, with potential 10-year prison sentence if extradited and convicted in U.S. court March 202
May 223 min read
bottom of page
