Weekly Threat Awareness ReportFortinet 'Fortibleed' 73K Leak · SharePoint KEV Exploit · PAN-OS Auth Bypass
This week is defined by credential exposure at scale. Researchers exposed the operator behind the Fortinet 'Fortibleed' campaign - a verified database of working logins for roughly 73,000 firewalls and VPNs - while a SharePoint code-injection flaw moved into active exploitation and CISA's Known Exploited Vulnerabilities catalog. Two more items, a Microsoft Teams disclosure flaw and a PAN-OS GlobalProtect authentication bypass, round out the list. This issue is synthesized from 68 intelligence reports.
Vaughn Thomas
Compliance Engineer & Threat Researcher · SOClogix Cyber Group
About the Analyst
Vaughn Thomas is SOClogix's Compliance Engineer and principal threat researcher, operating at the intersection of regulatory compliance and active adversary tradecraft. Each week, Vaughn synthesizes intelligence from dark web forums, vendor security advisories, CISA KEV updates, Shodan/Censys exposure data, and real-time telemetry from SOClogix's managed client network - spanning healthcare, financial services, defense industrial base, manufacturing, and local government - to produce actionable threat awareness briefings written for security teams and executive stakeholders at every level. Vaughn actively tracks over 200 threat actor groups and contributes threat sharing intelligence to multiple ISAC communities. His analysis deliberately bridges raw technical findings and business risk so compliance teams and CISOs can act, not just read.
200+
Threat groups tracked
50+
Intel feeds monitored
3 yrs
Threat research tenure
This Week's Threat Intelligence Mindmap
A single-view synthesis of the week's intelligence: the top five threats, MITRE ATT&CK trends, most-targeted sectors, nation-state activity, key infrastructure clusters, and the recommended actions distilled from 68 reports covering June 15-21, 2026.
68
Reports analyzed
52
CVEs tracked
837
Exploited in wild
28,214
IOCs extracted
11,376
MITRE techniques
5
Shared infra clusters
Top 5 Threats
FortiBleed - 73K Firewalls Compromised
CriticalMassive credential leak exposing admin and VPN creds for 73,932 FortiGate devices across 194 countries. GPU cracking of legacy SHA-256 hashes, with Chisel and Neo-reGeorg post-exploitation. Cited in 10+ reports.
Mastra npm Supply Chain (Sapphire Sleet)
CriticalDPRK actor compromised 140+ npm packages via account takeover. The easy-day-js trojan deploys a cross-platform RAT that steals crypto wallets and credentials and enables RCE on dev and CI systems.
Velvet Ant - Operation Highland
HighChina-nexus APT maintained roughly 10 years of undetected access in air-gapped critical infrastructure. Replaced PAM modules and OpenSSH binaries for persistent authentication bypass and credential harvesting.
Gentlemen RaaS EDR Killer Framework
HighCentralized EDR-killing toolkit (GentleKiller, HexKiller, ThrottleBlood) weaponizes BYOVD exploits within days. 400+ security processes targeted. Victims across SE Asia, S. America, and W. Europe.
UNK_DeadDrop - Developer Crypto Theft
ElevatedDPRK-aligned campaign targeting developers at roughly 100 orgs via malicious GitHub repos. VS Code and Cursor IDE weaponization with a cross-platform Overlord RAT for wallet and credential exfiltration.
Weekly Trends - MITRE ATT&CK
T1195.002Supply Chain Compromise
Dominant theme: Mastra npm (Sapphire Sleet), easy-day-js, GlassWASM on Open VSX, and npm prompt-injection evasion. 12+ reports on software supply chain attacks.
T1078Valid Accounts
FortiBleed credential theft at scale, Kali365 session token hijacking, and Gentlemen RaaS initial access via stolen FortiGate credentials. Credential-first attack chains dominating.
T1566Phishing
Kali365 AiTM and device-code phishing, UNK_DeadDrop job-themed lures, FIFA FanTrap across 4,000 domains, Pink extortion group vishing, and Quarry IRS/SSA PhaaS campaigns.
T1562Impair Defenses
Gentlemen EDR Killer (GentleKiller, HexKiller, ThrottleBlood). BYOVD exploitation within days of PoC release. 400+ security processes targeted, plus Defender exclusion.
T1204User Execution
macOS ClickFix AppleScript stealer, fake FACEIT Steam verification, eBanking IPv6-mapped phishing, and Crypto Clipper USB worm propagation. Social engineering at scale.
Targeted Sectors
Software & DevOps
40%Mastra npm supply chain, GlassWASM, binding.gyp abuse, UNK_DeadDrop developer targeting, and AI agent RCE (AutoJack). Developer environments are the #1 target.
Enterprise Perimeter
25%FortiBleed 73K firewalls, Cisco SD-WAN exploitation, and Splunk RCE. Network infrastructure as a persistent attack surface across 194 countries.
Healthcare & Research
20%UNC6508 targeting medical and academic AI research. INFINITERED on REDCap servers. Defense health organizations and national labs compromised for espionage.
Nation-State APT Activity
China
UNC6508 & Velvet Ant
UNC6508 targeting medical, academic, and defense research with INFINITERED malware on REDCap servers. Velvet Ant ran a decade-long air-gap intrusion. Showbat Linux RAT deployed against Middle East telecom.
North Korea
Sapphire Sleet & DeadDrop
Industrialized supply-chain attacks on npm (Mastra). UNK_DeadDrop targeting developer workflows via IDE task injection. Both campaigns focused on cryptocurrency theft.
Russia
WinRAR Exploitation & FortiBleed
Continued exploitation of the patched WinRAR flaw against Ukraine. A Russian-speaking group is behind FortiBleed credential monetization on underground forums.
Cross-region
SloppyLemming & OceanLotus
SloppyLemming deployed the BurrowShell backdoor via Cloudflare Workers abuse against S. Asian critical sectors. OceanLotus resurfaced with updated TTPs and supply-chain capabilities.
Also Notable
- AutoJack: RCE via AI agent localhost trust-boundary abuse
- FIFA FanTrap: 4,000 FIFA World Cup 2026 scam domains
- PhaaS / Octopus PhaaS bypassing Microsoft 365 at scale
- Operation Endgame takedown of SocGholish infrastructure
- LLMjacking: stolen AI compute building offensive agentic tools
- Vidar Infostealer bypasses Chrome ABE via APC injection
Key Infrastructure Clusters
FortiBleed
73,932 devices · Chisel / Neo-reGeorg tunneling · legacy CVE-2022-40684 and CVE-2023-27997
Sapphire Sleet
C2 at 23.253.164.92/123 · teams.onweblive[.]org · maskasd[.]com
GlassWASM
Solana wallet 6ExrZay... · dodod[.]lat C2
IOC Type Breakdown (7-day)
Urgent - Immediate
- Rotate ALL FortiGate admin and VPN credentials
- Audit npm dependencies for easy-day-js / Mastra
- Patch Cisco SD-WAN CVE-2026-20262 (CISA KEV)
- Patch Splunk CVE-2026-20253 (unauth RCE)
- Block FortiBleed IOCs and scan for Chisel / Neo-reGeorg
Important - This Week
- Verify PAM and OpenSSH binary integrity (Velvet Ant)
- Audit VS Code / Open VSX extensions for GlassWASM
- Monitor Solana RPC calls from dev environments
- Enforce MFA and token hygiene vs Kali365 PhaaS
- Review FIFA 2026-themed domain blocklists
Executive Outlook
The FortiBleed mega-leak will fuel ransomware and espionage campaigns for months: credential rotation is now existential for 73,000+ organizations. North Korean developer-targeting operations (Sapphire Sleet, UNK_DeadDrop) have industrialized supply-chain compromise, signaling that npm, PyPI, and IDE ecosystems remain high-value, low-friction targets. The Gentlemen EDR killer framework's BYOVD agility means security vendors must assume evasion will arrive within days of new proofs of concept. Expect FIFA World Cup 2026 fraud to peak through July with 4,000+ active scam domains. China-nexus actors (UNC6508, Velvet Ant) demonstrate that authentication infrastructure itself - PAM, SSH, and compliance rules - is the new crown jewel for long-dwell espionage. And AI agent frameworks face an emerging localhost trust-boundary collapse (AutoJack) that will reshape how developers isolate agent workloads.
Synthesized from 68 reports · Ti-Mindmap · June 22, 2026
CVEs Affecting Client Assets
Vulnerabilities identified this week with direct relevance to common enterprise environments.
CVE-2025-49704 CISA KEV · ExploitedMicrosoft Office SharePoint - Code Injection (Actively Exploited)
Code Injection (CWE-94) · In CISA KEV · Public exploits available · 10+ IOCs
This is the most urgent item this week. A severe code-injection flaw in Microsoft Office SharePoint lets an authorized attacker execute malicious code remotely over the network, stemming from improper control over how the system generates and processes code. Successful exploitation can hand an attacker complete control of the SharePoint server - a staging point to steal data, deploy ransomware, or pivot deeper into your network. Unlike the other flaws below, this one is not theoretical: it is being actively exploited, has been added to CISA's Known Exploited Vulnerabilities catalog, and public exploit code exists. Multiple APT groups, including APT27, Bitwise Spider, and Silent Crow, are associated with exploiting this class of SharePoint weakness, and over ten Indicators of Compromise confirm ongoing activity.
Recommended Actions
- Apply the Microsoft SharePoint security update immediately - this is a CISA KEV item with a compliance-driven deadline
- Treat any unpatched on-prem SharePoint farm as presumed-targeted: hunt for web shells and anomalous w3wp.exe child processes
- Ingest the published IOCs into SIEM and EDR and alert on matches
- Restrict server-side code execution and enforce least-privilege content authoring
CVE-2026-45659 Tracked since Jun 4Microsoft Office SharePoint - Authenticated Remote Code Execution
Deserialization of Untrusted Data · Requires authorized user · Gaining researcher attention
An authorized attacker can exploit this deserialization flaw to execute arbitrary code on the affected SharePoint server, potentially taking full control, accessing sensitive data, installing malware, or disrupting operations. SharePoint improperly processes specially crafted information, which tricks it into performing unintended actions. No sophisticated APT activity or exploit code has been publicly linked yet, and no IOCs are available, which makes detection harder - but the flaw is being actively discussed across security communities, with several dozen social media mentions signaling rising interest from researchers and potential attackers alike.
Recommended Actions
- Apply the latest SharePoint security updates and confirm they reached every farm
- Audit SharePoint logs for anomalous deserialization or unexpected server-side process execution
- Restrict content authoring and elevated permissions to least-required users
- Enable SharePoint audit logging and alert on unusual activity if not already active
CVE-2026-21535 New this weekMicrosoft Teams - Information Disclosure via Improper Access Control
Improper Access Control (CWE-284) · Network-based · No IOCs reported yet
A flaw in Microsoft Teams lets an unauthorized attacker access and disclose sensitive information across a network. The root cause is improper access control - the system does not properly check who is allowed to reach certain information, like a door that should be locked but is left open. If exploited, it could expose confidential communications, documents, and other sensitive data shared inside Teams, leading to privacy breaches, reputational damage, and potential financial consequences. No IOCs have been reported, which suggests it is not yet actively exploited, but the high severity means it could become a target quickly.
Recommended Actions
- Ensure Microsoft Teams clients are updated and set to auto-update
- Review Teams external access, guest access, and sharing policies for least privilege
- Audit Teams data access and file-sharing logs for unusual cross-tenant or external access
- Remind users to limit sensitive data shared in Teams chats and channels
Active Threats & Campaigns
Threat actor campaigns with available detection rules or indicators of compromise.
Fortinet "Fortibleed" Campaign - Mass Firewall & VPN Credential Compromise
Security researchers discovered the operational server of a threat group that has been systematically breaking into internet-facing Fortinet firewalls and VPN gateways worldwide. The server held the group's tooling, automation, and a database of verified, working login credentials. Victims span banks, telecoms, hospitals, universities, energy, government, and large multinationals. Telecom was the most-hit sector, and 591 entries belong to government domains.
The attackers run fully automated tooling that scans the internet for Fortinet devices and tests a curated list of previously leaked Fortinet passwords against them. Once inside a device, they monitor passing traffic to harvest additional credentials, which are fed back into the scanner. Many victims were exposed simply because passwords were never rotated after earlier breaches, or because default and built-in accounts (generic admin and Fortinet system accounts) were never renamed.
Immediate Actions
- Rotate ALL FortiGate admin and VPN credentials - do not assume earlier rotation is sufficient
- Rename or disable default and built-in accounts (generic admin, Fortinet system accounts)
- Enforce MFA on all VPN and administrative access
- Restrict management interface exposure to the public internet
- Review FortiGate logs for unauthorized logins and traffic-harvesting indicators
Campaign Profile
Scale: ~73,000 firewalls / VPNs
Top sector: Telecommunications
Gov domains: 591 verified entries
Method: Automated scanning + credential replay
Persistence: Passive traffic credential harvesting
PAN-OS GlobalProtect Authentication Bypass Under Active Exploitation
This vulnerability affects the GlobalProtect portal and gateway authentication override cookie feature in PAN-OS. The feature lets authenticated users receive a cookie for subsequent connections without re-authenticating. The flaw becomes exploitable when the certificate used to encrypt and decrypt these cookies is the same as the portal or gateway's HTTPS service certificate - not the default, but a common shortcut in enterprise deployments that reuse certificates across features.
When the authentication override cookie shares the HTTPS service certificate, a remote unauthenticated attacker can retrieve the public key via TLS, forge a valid authentication cookie, and establish an unauthorized VPN connection. The flaw is rated CVSS 9.1 (Critical) and classified as CWE-565 (reliance on cookies without validation and integrity checking). It affects PAN-OS 10.2 through 12.1 and Prisma Access when the authentication override feature is enabled.
Recommended Actions
- Update PAN-OS to a fixed release across 10.2 through 12.1, and confirm Prisma Access is patched
- If authentication override is enabled, use a dedicated certificate distinct from the HTTPS service certificate
- Disable the authentication override feature where it is not operationally required
- Review GlobalProtect logs for forged-cookie sessions and unexpected VPN connections
Protect your environment
Vaughn Thomas
Compliance Engineer
SOClogix Cyber Group
200+
Threat groups tracked
50+
Intel feeds monitored
52×
Reports per year
Get Weekly Briefings Free
This Week at a Glance
Get Vaughn's Briefing Every Week
Free weekly threat awareness reports delivered to your inbox. CVEs, active campaigns, and actionable guidance - written for security teams, compliance managers, and executive stakeholders.
Prefer a conversation? Talk to our team about managed security monitoring.