EXECUTIVE SUMMARY
This article is to inform our partners and clients on the various happenings within the cybersecurity space. That includes items such as relevant breaches, emerging vulnerabilities, research, threat actor movement, and what you need to do as an organization to mitigate a future threat.
KEY TAKEAWAYS
SUMMARY
New research on FortiBleed disclosed analysis of the toolset used during intrusions, which recently impacted 75,000 Fortinet FortiGate devices and resulted in the leakage of hashed passwords
Category
Threat Actor Activities
Industry
Technology, Financial and Fintech, Public Sector and Government Administration
Sources
https://socradar.io/wp-content/uploads/2026/06/Dismantling-FortiBleed.pdf
https://www.hudsonrock.com/fortinet
https://www.linkedin.com/feed/update/urn:li:activity:7471222472193830913/
https://github.com/inm7ripe/Fortigate-password-recovery/issues/1
ANALYST COMMENTS
Researchers have detailed a large-scale FortiBleed campaign targeting Fortinet FortiGate devices, where custom sniffers were used to harvest authentication secrets and steal credentials from over 430,000 firewalls globally since at least February 2026. This most recent incident has affected 75,000 FortiGate devices based on disclosed compromise lists. The threat actors, operating as initial access brokers, used custom tooling that included a Golang-based tool called "FortigateSniffer" to exploit FortiOS's diagnose sniffer packet functionality to monitor network traffic. This tool captured authentication traffic from compromised devices, while Python and Hashcat tooling extracted and cracked credentials and password hashes from the collected data. Additional custom tooling was used for post compromise activity to find stored passwords or hashes stored within configuration files and scripts stored on the compromised FortiGate devices.
Initial access was typically gained by identifying exposed FortiGate devices through tools such as Shodan or Masscan, then using credential based attacks such as brute forcing, credential stuffing, and password guessing against weak credentials. The threat actor also appears to conduct longer term post-compromise activities using FortigateSniffer to identify credentials and hashes transmitted over the network, while also searching files on compromised devices for stored credentials. Code comments suggest Russian attribution, although the specific group remains unknown. Public reporting indicates that known victims are primarily located in India and the United States, which largely aligns with the current distribution of exposed FortiGate devices in those regions.
ACTIONABLE GUIDANCE
Credentials should be rotated and MFA should be enforced for all users. FortiGate and other Fortinet devices should be upgraded to the latest versions available, including all current hot fixes as these devices are the primary infiltration point for the threat actor.
Administrators should audit devices for potential compromise, including administrator logins from unknown sources or activity occurring at unusual times without attribution to known employees. If compromise is confirmed, the device should be rebuilt as there is a high likelihood that a backdoor may have been planted.
Management interfaces should not be exposed to the public internet, as this expands the attack surface and creates additional opportunities for attackers.
SUMMARY
A critical SSRF vulnerability in Cisco Unified Communications Manager Server, CVE-2026-20230, allows unauthenticated attackers to gain root access through improper input validation, despite available security updates.
Category
Known Exploited Vulnerabilities
Industry
Technology, Public Sector and Government Administration, Telecommunications
Sources
https://x.com/DefusedCyber/status/2069074520057557244
https://github.com/HORKimhab/CVE-2026-20230/blob/main/cve-2026-20230.py
https://ssd-disclosure.com/cisco-unified-communications-manager-arbitrary-file-write-to-rce/
ANALYST COMMENTS
A high-severity server side request forgery (SSRF) vulnerability, CVE-2026-20230, in Cisco Unified Communications Manager Server allows unauthenticated attackers to gain root privileges through improper validation of HTTP requests. Cisco released updates for this flaw on June 3, emphasizing the critical nature of the exploit. Threat intelligence researchers reported active exploitation, noting that attacks are using specific file:// payloads to write files, such as a test file named '/tmp/cve-2026-20230-test.txt', to identify vulnerable devices. SSD Secure provided a technical write-up and PoC, detailing that exploitation abuses the Webdialer component to write arbitrary files and ultimately achieve remote code execution, though exploitation requires knowledge of the target hostname.
While the vulnerability has been reported as exploited in the wild, the currently available data appears to match IoCs of an initial PoC released about 3 weeks ago. That PoC came from a user known for AI-generated or false PoCs, although they have previously published working PoCs after prior disclosure. The text file naming also appears to align with the released code. The original vulnerability researchers have now published technical details, and some of those details do not fully align with the exploitation activity reported by threat intelligence researchers.
Threat intelligence researchers claim CVE-2026-20230 exploitation based on the following:
# Claimed exploitation - matches https://github.com/HORKimhab/CVE-2026-20230/blob/main/cve-2026-20230.py
POST /webdialer/Webdialer HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0(compatible; CVE-2026-20230-PoC)
Content-Type: application/x-www-form-urlencoded
Content-Length: 136
dest=file%3A%2F%2F%2Ftmp%2Fcve-2026-20230-test-txt&url=file%3A%2F%2F%2Ftmp%2Fcve-2026-20230-test-txt&action=doSomething&phoneNumber=testThe original exploitation reported by the threat intelligence researcher is unlikely to reflect activity from a sophisticated actor or organized threat group. However, the release of the genuine vulnerability details will likely drive broader exploitation in the wild. We are not currently aware of any verified data tied to the recently disclosed exploitation method. Based on the original report, the known network IOC is primarily associated with residential proxy networks and spam activity.
156.146.38.167 - AS60068 datacamp limited - Dallas,TX USACTIONABLE GUIDANCE
The vendor has released patches and mitigation strategies that address this issue. Organizations should also avoid exposing these devices to the public internet, as doing so increases the likelihood of exploitation by external threat actors. Exploitation will likely follow the chain request below, with the assumption that a webshell or other malware may be uploaded to a vulnerable server instance:
GET /cmplatform/installClusterStatusExecute
GET /webdialer/services/randomR11
GET /platform-services/axis2-web/<unknown jsp file>SUMMARY
An initial access broker known as KongTuke has been using a new RAT called Backdoor.Mistic since April 2026 to target multiple industries through social engineering and compromised sites. The threat actor is linked to various ransomware groups for brokering initial access.
Category
Threat Actor Activities
Industry
Multiple
Sources
https://www.securityweek.com/new-mistic-rat-opens-door-to-several-ransomware-families/
https://www.security.com/threat-intelligence/new-mistic-backdoor-modelorat
https://www.zscaler.com/blogs/security-research/technical-analysis-mltbackdoor
ANALYST COMMENTS
Researchers report that an initial access broker (IAB) known as KongTuke (aka WoodGnat), active since May 2024, has started using a new remote access trojan (RAT) called Backdoor.Mistic (also known as MLTBackdoor). KongTuke, having connections to ransomware groups like Qilin and Black Basta, deploys Mistic as a DLL and uses techniques such as credential stealing and social engineering to compromise networks. The RAT provides capabilities like file manipulation and code execution and is deployed alongside tools like PowerShell and Certutil for extensive network manipulation and data exfiltration.
Mistic RAT/ MLTBackdoor may likely be a variant of a Havoc C2 binary, due in part to at least one sample that contained metadata of the executable with company and product names listed as “Nuance Communications / Dragon Data Protection ” associated with “endpointdlp.dll”. The company and product names point to Havoc C2. Later samples did not have this metadata, which may indicate this was in error by the threat actor and have since corrected newer versions by removing the identifying metadata, however further verification is needed. Based on recent samples uploaded to public malware repositories, The newest samples seen were from the middle of May.
New KongTuke sample submissions tied to this threat actor show heavy use of MINTLOADER across a majority of reported samples. MINTLOADER is a PowerShell loader designed to execute further stages of the threat actors attack chain.
Since April 2026, the threat actor has utilized helpdesk and IT-support lures via Microsoft Teams to trick victims into running malicious code for initial compromise, in addition continued use of ClickFix and related techniques. Recent samples suggest a shift from Teams abuse to Cisco Spark abuse, based on .tar archives observed in early June that contained several executables and .dll files related to the Cisco product.
Persistence commonly includes registry runkeys, scheduled tasks, start-up folder abuse, with files typically dropped within the user’s AppData folder under Local\Temp. As the threat actor abuses Traffic Distribution Systems (TDS), domains and network addresses change often, so detection should focus on the group’s behaviors and tooling rather than static network indicators.
ACTIONABLE GUIDANCE
Since the threat actor uses PowerShell in MINTLOADER related attack chains, organizations should restrict PowerShell for most non-IT users to limit attack progression. Users should also receive guidance on ClickFix and related campaigns, while disabling the Win + R shortcut through default user group policy may reduce the likelihood of initial infection.
Teams should examine the presence of RMM software, unattributed registry changes, and file system activity, especially excessive writes to AppData\Local\Temp. Use of living off the land binaries and scripts, including certutil.exe, should generate alerts for further investigation.
SUMMARY
Several downstream breaches of Salesforce data have affected multiple prominent security vendors including LastPass, Huntress, Jamf, and Recorded Future. The compromised data does not appear to be sensitive and is primarily associated with sales activity.
Category
Confirmed Breach
Industry
Technology
Sources
https://www.huntress.com/blog/klue-breach-investigation
https://blog.lastpass.com/posts/klue-supply-chain-incident-and-lastpass-response
ANALYST COMMENTS
Several prominent security and technology companies have been affected by the Klue compromise of extortion actor Icarus. The threat actor successfully breached the Salesforce data of several of these companies, which contributed to downstream compromises against affected organizations. Recent examples include Salesforce data leaks affecting cybersecurity firms like Huntress and password security organization LastPass. This activity is similar to the attacks perpetrated by ShinyHunters and other COM related hackers.
In regards to LastPass specifically, the company has stated that the data does not include credentials, PII, or other sensitive data. However, the advisory from LastPass also states that support data was also included in the breach. While the majority of the data is not classed as sensitive, user submitted support data might contain sensitive data related to troubleshooting LastPass issues. The threat actor’s dark web presence is no longer online, so further analysis of the breach contents cannot be verified. The current list of compromised organizations affected by the Klue breach include the following:
Icarus is a recent threat actor that uses API automation, OAuth token phishing, and pressure tactics while extorting victims with stolen data. There are no updates to the actors currently known IOCs.
ACTIONABLE GUIDANCE
Organizations that partner with any of the affected companies should audit the level of information that is submitted to the breached companies. In the case of LastPass, support tickets were also affected which may contain sensitive billing or credential information submitted. Other companies may have seen similar impact to their environments, therefore partnerships should audit the level of data being shared and obtain clear guidance on what potential information could have been affected by this event. If a partner is confirmed to have been affected by this breach, it is recommended that partner accounts have their credentials rotated and ensure that MFA is applied for all users, while restricting the Device Code Flow to prevent potential OAuth device phishing attacks that the threat actor has used during this breach.
The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients. REQUEST ACCESS