EXECUTIVE SUMMARY
This article is to inform our partners and clients on the various happenings within the cybersecurity space. That includes items such as relevant breaches, emerging vulnerabilities, research, threat actor movement, and what you need to do as an organization to mitigate a future threat.
KEY TAKEAWAYS
SUMMARY
Researchers discovered and detailed a critical vulnerability (CVE-2026-20253) in Splunk's PostgreSQL Sidecar Service Endpoint. The vulnerability allows for arbitrary file creation and truncation resulting in remote code execution, due to a lack of authentication controls. It impacts Splunk versions 10 and above, especially those deployed on AWS.
Category
Critical Vulnerabilities
Industry
Multiple (especially cloud deployed versions such as on AWS)
Sources
https://advisory.splunk.com/advisories/SVD-2026-0603
https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus
https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba
Internal OSec Research
ANALYST COMMENTS
Splunk Enterprise is a software platform that collects and analyzes machine-generated data, indexing logs and metrics for real-time querying and analysis. A recent vulnerability, CVE-2026-20253, affects Splunk versions 10 and above and involves the PostgreSQL Sidecar Service Endpoint, which lacks authentication controls. This allows any user to create or truncate files without needing credentials. The vulnerability is particularly exploitable on Splunk Enterprise installed on AWS, where the PostgreSQL Sidecar Service is installed and enabled by default. Through a series of HTTP requests, attackers can leverage the endpoint to create empty files at any location or overwrite existing files, potentially leading to arbitrary code execution if the files contain executable scripts.
The vulnerability is not currently known to be exploited in the wild. This assessment is based on the absence of detected signals from our own and other public honeypots that would indicate active exploitation at this time. We have observed scanning activity that is likely attempting to identify potential Splunk targets. However, exploitation is likely due to the release of the researcher analysis and a viable PoC. We have high confidence that this will likely be exploited in the short-term due to the public release of the PoC code.
The current PoC exploit code abuses Splunk’s backup and restore endpoints to execute arbitrary file overwrites. This can allow malicious code to be introduced through database backups and loaded onto a vulnerable Splunk instance, potentially enabling code execution when the Splunk web root is accessed through a browser.
ACTIONABLE GUIDANCE
A patch is available for the affected versions of Splunk and should be applied as soon as possible, as exploitation is likely in the short-term. If immediate patching is not possible, a workaround is available that involves disabling support for the PostgreSQL sidecar service.
Product Base Version Component Affected Version Fix Version
Splunk Enterprise 10.4 splunkd Not affected 10.4.0
Splunk Enterprise 10.2 splunkd 10.2.0 to 10.2.3 10.2.4
Splunk Enterprise 10.0 splunkd 10.0.0 to 10.0.6 10.0.7
Splunk Enterprise 9.4 splunkd Not affected NA
Splunk Enterprise 9.3 splunkd Not affected NA
SUMMARY
A critical vulnerability (CVE-2026-48558) in SimpleHelp's remote management software allows unauthenticated attackers to create privileged technician accounts via OIDC. The issue affects versions 5.5.15 and older, and 6.0 pre-releases. Exploitation requires specific configurations, but approximately 14,000 exposed servers may be affected.
Category
Critical Vulnerabilities
Industry
Technology, Healthcare, Financial and Fintech
Sources
https://simple-help.com/security/simplehelp-security-update-2026-05
https://x.com/DailyDarkWeb/status/2067154940212949185
ANALYST COMMENTS
A critical vulnerability (CVE-2026-48558) in SimpleHelp versions 5.5.15 and older, as well as 6.0 pre-release versions, allows unauthenticated attackers to create privileged technician accounts through OpenID Connect (OIDC), bypassing multi-factor authentication. This flaw enables attackers to perform privileged management activities like remotely accessing managed endpoints and executing scripts. The vulnerability affects SimpleHelp servers that rely on OIDC and have specific group settings enabled, impacting approximately 1,008 servers worldwide. SimpleHelp has patched this issue in versions 5.5.16 and 6.0RC2. organizations should update to these versions or restrict technician login sources with IP-based allowlists.
The vulnerability will likely be used to abuse legitimate sources and URLs during later stages of attack chains. Attackers may compromise SimpleHelp instances to gain access to hosted environments for reconnaissance, but the higher value is likely in using vulnerable SimpleHelp instances to execute attacks against external organizations or internal hosts. This is more likely given recent threat actor trends involving abuse of RMM software for initial access and C2 operations. In normal scenarios, a victim would likely need to download and install an RMM binary first. By compromising SimpleHelp infrastructure directly, attackers may bypass that step and increase the likelihood of successful targeting against one or more victims.
ACTIONABLE GUIDANCE
Applying the patch or upgrading to the most recent version of the software is recommended to reduce the risk of compromise. Indicators of potential abuse may include unfamiliar OIDC authentication activity in SimpleHelp logs or unknown technician accounts identified during an audit of currently logged in users. The fixed versions are as follows:
5.5.16
6.0RC2
SUMMARY
DragonForce ransomware employs a custom malware called Backdoor.Turn to conceal its command-and-control communications by leveraging Microsoft Teams' TURN protocol. This marks the first known in-the-wild abuse of this infrastructure for malicious purposes, which uses advanced techniques including Bring Your Own Vulnerable Driver (BYOVD) to gain kernel-level access and evade detection.
Category
Ransomware
Industry
Business Services, Agriculture and Food, Construction, Manufacturing, Hospitality and Tourism
Sources
https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/
https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor
https://www.praetorian.com/blog/ghost-calls-abusing-web-conferencing-for-covert-command-control-part-2-of-2/
https://www.group-ib.com/blog/dragonforce-ransomware/
ANALYST COMMENTS
DragonForce ransomware leverages custom malware called Backdoor.Turn to disguise its command-and-control traffic by exploiting Microsoft Teams' TURN protocol, enabling it to hide communications within trusted network traffic. This technique, observed in attacks against a major U.S. services company, allows attackers to establish stealthy communication channels and avoid detection by security systems. The malware uses legitimate Teams credentials and TURN relays to mask its command-and-control traffic, making it appear as normal Teams traffic to defenders. In addition to its sophisticated communication tactics, DragonForce employs various techniques including exploitation of vulnerabilities and BYOVD tactics with drivers from different vendors.
The technique, known as TURNt, uses relay servers from Microsoft, Zoom (currently patched), and likely other providers such as Cisco or Google to act as C2 infrastructure for attacks. In regards to Microsoft Team relay servers, the TURN servers it relays will usually follow the pattern below:
*.relay.teams.microsoft.comAside from the novel technique, many of the threat actor’s tactics, techniques, and processes remain consistent. This is corroborated by reports of this incident and separate reporting on the threat actor in January. Initial access is typically achieved through exploitation of unpatched services or software, such as MSSQL in this case, or through the use of valid domain credentials against exposed RDP servers.
The threat actor also makes heavy use of PowerShell and known reconnaissance and exploitation tools, such as ADFind, Netscan, and Mimikatz. The threat actor will also use DLL sideloading VirtualBox related DLLs for security evasion (vboxrt.dll), and using BYOVD techniques to disable security monitoring solutions. For persistence, the threat actor is known to rely on scheduled tasks and Windows Run keys within the registry, such as Software\Microsoft\Windows\CurrentVersion\Rune.
IOCs based on TURN relay exploitation incident from external reporting:
# Malware hashes
82b37a92589dfd4d67ca87eb9e52ac8e682e8e60d2211f59074cd5ccc693013b – Downloader
821da79d727351dd67ce5df7950e9a3de6647a3cf474bb3a093f67507fed92a6 – Backdoor.Turn
b6628d201c2a68d2a3de2a87de7a5acfe21b101a97928e1c8d5c82102d967383 – GameDriverx64 vulnerable driver
ce66b8221446c9b6d83f0ce6382f430e519601641e5daaaf1ca7a8a8806cb0b0 – Shellcode containing Backdoor.Turn
f174c19902523dcf005fa044b6598403a5e5c0a5982398d1bc0dcc5ec1cd351b – Sideloaded DLL mimicking VirtualBox
142bac0e2148e0d47891b6cd7311195c4acbe33b700fad54a201c52a2bc46219 – ADExplore
8395b621bb4415090f232c59fc41d24ea41a519b58eabe512f3ae7d2fdf049a3 – ADExplore
9335f61f8ad276d94455c5b6876fea48152c3cea759f2598c8108ee461fa5759 – Malicious ZIP archive
cd078957167e1af4de39aecdb981cd14156fa81d5a9c6ac51e74ae5b6199a12a – Malicious ZIP archive
b16e217cdca19e00c1b68bdfb28ead53b20adeabd6edcd91542f9fbf48942877 – K7 vulnerable driver
d20a3c928761fe00ac522eeb474612b5804cd9108453ea8591106d5d4428428e - sideloaded DLL mimicking VirtualBox
8284c8676cc22c4b2e66826ac16986da7ddecba1f2776b16771be17bfdc45dc2 – ABYSSWORKER driver
65ab49119c845801f29a57e8aa177146b2ffbd289d4278109b146f933380f951 – ABYSSWORKER driver
6bbf10bcbef7ac5102b54c81137859891a3802dbacd888be90f990d50e18b0b4 – AV killer
252a8bb2eb9c96c5e6cc7cab822e2ed0d508032f9350351221781684e86c03ab – Topaz Antifraud vulnerable driver
8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531 – Havoc Process Terminator
e45b18c93d187aac5c4486f57483bc87580e15def82a312bfb377ff16eb96b22 – DragonForce ransomware
087f002df0a02c8c74f3ba5cd99cf29fb9efff38bf57b3d808e34a5dd4200dd2 – Tower of Fantasy vulnerable driver
048e18416177de2ead251abdf4d89837f6807c6aba4d5b1debe49adfdecbf05c – Backdoor.Turn
6f9fbe29f8cc2788e2bc9d631e0eea2a8e9837076837b55838005a0e654f0a9e – AV killer
d0da2832ae1e13a98f7ce7e33a66c1b0d9797b81f69ece134e4462ea55ac923e – Netscan
aea26980059ef2ad11e99556a4edfa1f8ec769fa9f06aa573b81bedf319954b5 – Netscan
# Network Indicators
projetosmecanicos.com[.]br – C&C for downloading additional tools
socialbizsolutions[.]com - C&C for downloading additional tools
professionalhomebasedbusiness[.]com - C&C for downloading additional tools
safefire[.]jo - C&C for downloading additional tools
glanz-gmbh[.]de - C&C for downloading additional tools
turnkeyaiagents[.]com - C&C for downloading additional tools
comunidadesparentais.com[.]br - C&C for downloading additional tools
mysimerp[.]net - C&C for downloading additional tools
http://192.36.27[.]51/TechSupV18Fix3.zip - Malicious zip archive download URL
62.164.177[.]25 - Backdoor.Turn C&C
ACTIONABLE GUIDANCE
Monitor for excessive traffic to *.relay.teams.microsoft.com. Alerts should also be considered when relay server activity differs from legitimate requests, such as unexpected regional subdomains.
Organizations should restrict the use of PowerShell for non-administrator users, enforce timely patching of internet exposed software and devices, and audit exposed services to reduce the attack service available to threat actors. Disruption to security monitoring controls may also indicate potential compromise if it cannot be attributed to regular maintenance. If VirtualBox is used within the environment, replacement or alteration of files such as VBoxRT.dll is a known signal associated with this threat actor.
SUMMARY
A security incident has been identified that resulted in impact to 75,000 Fortinet FortiGate devices, resulting in the leakage of hashed passwords. This incident has been dubbed FortiBleed by researchers.
Category
Known Exploited Vulnerabilities
Industry
Technology, Public Sector and Government Administration, Financial and Fintech
Sources
https://www.hudsonrock.com/fortinet
https://www.linkedin.com/feed/update/urn:li:activity:7471222472193830913/
https://github.com/inm7ripe/Fortigate-password-recovery/issues/1
https://dashboard.shadowserver.org/
Internal OSec Research
ANALYST COMMENTS
A security incident has been identified that resulted in over 75,000 Fortinet FortiGate devices impacted, resulting in the leakage of hashed credentials. It is currently unknown how the attackers obtained the hashed credentials. However, it is highly likely that the threat actors obtained Fortinet device configurations and cracked the contained hashes offline to recover the plain text passwords. The method used to obtain the configurations remains unknown. The information that has been leaked has been confirmed to be genuine by multiple sources. At least one source with insider knowledge of some affected organizations confirmed that the impacted devices had the latest available Fortinet patches applied.
Over the weekend, a security researcher uncovered a compromise of FortiGate credentials. The information was obtained due to the threat actor leaking parts of their infrastructure that allowed the researcher to uncover the compromise. Information has not yet been released explaining how the threat actors obtained the SSL VPN Authentication hashes. Prior to 2025, FortiGate had used a publicly known, hard-coded key in order to create the hashes. If passwords were hashed before the updated hashing mechanism was implemented, they may still be vulnerable to bruteforcing with the old hard-coded key.
During our research of this incident, we identified suspected signals from underground forum activity at the end of May that may indicate early staging for an attack. However, it is still currently unknown if this activity is related or not.
More recently, we have observed an overall increase in exploitation traffic against Fortinet devices since Saturday, June 13th. CVE-2026-21643, a FortiClient EMS SQL injection vulnerability, has seen increased exploitation activity. This may align with the reported targeting of MSSQL servers by the attacker. However, this connection remains speculative and should not be regarded as confirmed until more evidence is released or uncovered.
ACTIONABLE GUIDANCE
Credentials should be rotated and MFA should be enforced for all users. FortiGate and other Fortinet devices should be upgraded to the latest versions available, including all current hot fixes.
Administrators should audit devices for potential compromise, including administrator logins from unknown sources or activity occurring at unusual times without attribution to known employees. If compromise is confirmed, the device should be rebuilt as there is a high likelihood that a backdoor may have been planted.
Management interfaces should not be exposed to the public internet, as this unnecessarily expands the attack surface and creates additional opportunities for attackers.
*Domain and IP checking is available by request.
SUMMARY
Three critical vulnerabilities in Fortinet’s FortiSandbox, including authentication bypass and remote code execution, are being actively exploited. Patches are available for two of the vulnerabilities, with a fix for the remaining issue expected soon.
Category
Known Exploited Vulnerabilities
Industry
Multiple
Sources
https://xcancel.com/DefusedCyber/status/2066575288503255274#m
https://doublepulsar.com/an-update-on-fortibleed-whats-happening-with-victim-orgs-c0671a50e7f4
https://blog.gayint.org/fortibleed.html
Internal OSec Research
ANALYST COMMENTS
Three critical vulnerabilities in Fortinet’s FortiSandbox have been actively exploited by attackers, allowing for authentication bypass, privilege escalation, and execution of malicious code. The flaws are CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. CVE-2026-39813 is a path traversal bug allowing for authentication bypass, CVE-2026-39808 is an OS command injection flaw enabling code execution, and CVE-2026-25089 is another OS command vulnerability allowing for unauthorized command execution. Despite Fortinet's patches, threat intelligence researchers report that exploitation has begun, particularly for CVE-2026-25089.
All the vulnerabilities, except CVE-2026-25089, have associated PoCs and are simple to exploit. Exploitation is likely being carried out by multiple threat actor groups. Currently available PoCs for CVE-2026-25089 are likely fake until additional verification is conducted. All the unconfirmed PoCs for this vulnerability target the /api/vnc/start endpoint and are included as reference indicators in case suspicious traffic is observed against this endpoint.
While exploitation of these vulnerabilities have been detected, the publicly exposed attack surface appears to be limited. According to Shodan searches for “http.title:FortiSandbox”, only 44 instances of FortiSandbox are publicly available. Similar searching platforms, such as FOFA, identified approximately 200 instances exposed publicly. A majority of publicly exposed FortiSandbox instances appear to be located in the US.
Given the limited number of publicly exposed FortiSandbox instances, exploitation is likely to have a reduced overall impact compared to more widespread Fortinet technologies, such as FortiGate and other Fortinet products.
The first two vulnerabilities abuse the following endpoints:
# Affected endpoints for CVE-2026-39808 and CVE-2026-39813
/jsonrpc/
/fortisandbox/job-detail/tracer-behaviorACTIONABLE GUIDANCE
Patches are now available from the vendor for all identified vulnerabilities.
Suspected malicious behavior is expected to abuse the following endpoints, with crafted HTTP requests containing path traversal strings or encoded OS commands. Confirmed affected endpoints include /jsonrpc/ and /fortisandbox/job-detail/tracer-behavior. The /api/vnc/start endpoint remains unconfirmed for CVE-2026-25089 but is known to be a valid endpoint for the vulnerable component and is included in case suspicious traffic is seen to this location. The following versions are affected per CVE entry:
# CVE-2026-25089
Version Affected Solution
FortiSandbox 5.2 Not affected Not Applicable
FortiSandbox 5.0 5.0.0 through 5.0.5 Upgrade to 5.0.6 or above
FortiSandbox 4.4 4.4.0 through 4.4.8 Upgrade to 4.4.9 or above
FortiSandbox Cloud 5.2 Not affected Not Applicable
FortiSandbox Cloud 5.0 5.0.4 through 5.0.5 Upgrade to 5.0.6 or above
FortiSandbox Cloud 4.4 Not affected Not Applicable
FortiSandbox PaaS 23.4 Not affected Not Applicable
FortiSandbox PaaS 5.2 Not affected Not Applicable
FortiSandbox PaaS 5.0 5.0.4 through 5.0.5 Upgrade to 5.0.6 or above
FortiSandbox PaaS 4.4 Not affected Not Applicable
# CVE-2026-39808
Version Affected Solution
FortiSandbox 5.0 Not affected Not Applicable
FortiSandbox 4.4 4.4.0 through 4.4.8 Upgrade to 4.4.9 or above
# CVE-2026-39813
Version Affected Solution
FortiSandbox 5.2 Not affected Not Applicable
FortiSandbox 5.0 5.0.0 through 5.0.5 Upgrade to 5.0.6 or above
FortiSandbox 4.4 4.4.0 through 4.4.8 Upgrade to 4.4.9 or aboveSUMMARY
The Icarus extortion group exploited OAuth at the market intelligence platform Klue to steal Salesforce CRM data from multiple organizations as part of an ongoing extortion campaign. In response, Salesforce and Klue have disabled affected integrations while security researchers warn victims to revoke tokens and review logs for malicious activity.
Category
Confirmed Breach
Industry
Business Services
Sources
https://reliaquest.com/blog/threat-spotlight-integration-abused-in-crm-data-theft
https://www.huntress.com/blog/klue-breach-investigation
Internal OSec Research
ANALYST COMMENTS
The Icarus extortion group exploited OAuth controls to gain access to Klue to steal Salesforce CRM data from multiple organizations as part of an ongoing extortion campaign. In response, Salesforce and Klue have disabled affected integrations while security researchers warn victims to revoke tokens and review logs for malicious activity. The attackers utilized automated scripts to exfiltrate sensitive business data, including sales communications and competitive intelligence, over an extended period before the incident was identified.
Ultimately, the threat actor was able to infiltrate the environment through re-use of an old credential. Once access to the Klue environment was achieved, the threat actor stole the tokens of several customers and used them to exfiltrate customer data. The impacted data appears to primarily consist of non-sensitive CRM data. Review of the threat actor’s dark web site indicates that the data has not yet been made available, and the threat actor claims the data set is less than 1 GB in size. Klue also integrates with a number services that have been disabled until the investigation concludes:
The threat actor appears to be very recent, with only three victims, including Klue. Two of these victims have been listed on the group's dark web site. They use notable tactics similar to COM-attributed threat actors such as ShinyHunters, however they are likely a separate group.
ACTIONABLE GUIDANCE
Organizations using Klue integrations, such as Saleforce, Zoom, and other connected services, should revoke and rotate associated credentials.
Threat hunting teams should look for indicators tied to known user-agent strings or suspicious locations being used with accessing REST API endpoints, especially of those related to Salesforce. Blocking and detecting currently known IOCs can also help reduce the risk of compromise in the short-term.
The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients. REQUEST ACCESS