Risky Bulletin Newsletter

June 24, 2026

Risky Bulletin: The FortiBleed incident is so much worse than a simple credentials leak

Written by Catalin Cimpanu, News Editor

This newsletter is brought to you by Trail of Bits. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed. You can also add the Risky Business newsletter as a Preferred Source to your Google search results by going here.

FortiBleed, a massive hacking campaign that targeted Fortinet devices this year, was far more sophisticated than security researchers initially thought.

Initial reports painted the picture of a campaign that gained access to Fortinet devices, collected credentials and authentication hashes, cracked the hashes, and then the data mysteriously leaked online.

The reality is that the campaign was far more complex and targeted a lot more things than just Fortinet devices. Compiling data from reports published by Fortinet itself, SOC Radar, CloudSEK, Palo Alto Networks, and Prodaft, we have a clear picture of a broad hacking campaign that began in February this year and was initially just an internet mass-scan and brute-forcing operation.

Initial attacks targeted technologies such as RDWeb, Sophos and Citrix SSL VPNs, exposed RDP instances, and MSSQL databases.

The operation eventually transitioned into targeting Fortinet FortiGate firewalls, every e-crime group's favorite device, and the brute-force scans also evolved into actual exploits that abused old and unpatched vulnerabilities (CVEs mentioned in the Fortinet report) to bypass authentication and gain control over the devices.
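The early phase described above, a mass-scan and brute-forcing operation against SSL VPNs, RDP, and MSSQL, leaves a recognisable shape in authentication logs: one source address failing against many distinct usernames in a short window, sometimes followed by a success once a credential is validated. The following added example, which is not code from the newsletter or from any of the vendors cited, shows a small detector for that shape over constructed log lines; the log format, the IP addresses, the usernames, and the 5-failures-in-5-minutes threshold are all assumptions made for the illustration, and real FortiGate, RDP, or MSSQL logs would need their own parser.

```python
"""Toy brute-force / password-spray detector over constructed auth log lines.

Added example, not code from the newsletter or any cited vendor report.
The log format, IPs, usernames and thresholds below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a made-up "service" format. Real SSL VPN, RDP and
# MSSQL logs differ, so the regex below is an assumption to be adapted.
SAMPLE_LOG = """\
2026-02-03T10:00:01Z sslvpn auth=fail src=203.0.113.7 user=alice
2026-02-03T10:00:03Z sslvpn auth=fail src=203.0.113.7 user=bob
2026-02-03T10:00:04Z sslvpn auth=fail src=203.0.113.7 user=carol
2026-02-03T10:00:06Z sslvpn auth=fail src=203.0.113.7 user=dave
2026-02-03T10:00:07Z sslvpn auth=fail src=203.0.113.7 user=erin
2026-02-03T10:00:09Z sslvpn auth=ok src=203.0.113.7 user=frank
2026-02-03T10:05:00Z rdp auth=fail src=198.51.100.9 user=alice
2026-02-03T10:30:00Z rdp auth=fail src=198.51.100.9 user=alice
2026-02-03T11:00:00Z mssql auth=ok src=192.0.2.44 user=svc_report
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) auth=(?P<result>ok|fail) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse(log_text):
    """Parse the constructed format into (ts, service, result, src, user) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["svc"], m["result"], m["src"], m["user"]))
    return events


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Flag sources with >= threshold failed logins inside a sliding window.

    Returns {src: {"failures", "distinct_users", "success_after"}}.
    One source failing against many distinct users is the password-spray
    shape; a success from the same source shortly after the burst is the
    "credential validated" signal that is worth escalating.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[2] == "fail"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e[0] - first[0] <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1][0]
                success_after = any(
                    e[2] == "ok" and last_fail <= e[0] <= last_fail + window
                    for e in evs
                )
                alerts[src] = {
                    "failures": len(burst),
                    "distinct_users": len({e[4] for e in burst}),
                    "success_after": success_after,
                }
                break  # one alert per source is enough for this toy
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(src, info)
```

On the constructed input only 203.0.113.7 is flagged: five failures against five different accounts within seconds, then a success, which is the spray-then-validate pattern. The two RDP failures from 198.51.100.9 are 25 minutes apart and fall under the threshold, which is the usual trade-off: a slow, low-volume spray spread across many sources will not trip a per-source counter, so production detections normally add a per-account and a per-service view on top of this.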

The attacker collected plaintext passwords from Fortinet configs, but sometime in May they also started deploying a novel script that intercepted traffic going "through" the firewalls.

The script, which researchers named FortigateSniffer, targeted 24 internet protocols.

The threat actor extracted anything that looked like credentials, tokens, secrets, and authentication hashes on those protocols' ports (see table below).

[Image: via SOC Radar]

The attacker also took these password and other authentication hashes and fed them into a GPU-based cluster to crack them back to their plaintext versions.

The passwords were then validated inside hacked companies' networks, first to confirm them, then later to expand the attacker's access. Then, the network access was sold to other groups.

[Image: via SOC Radar]

While the initial FortiBleed coverage focused on the 74,000 leaked Fortinet device passwords that were found online inside an open directory on a web server, there are actually EVEN MORE passwords collected through this operation by the attacker that we don't know about.

All of this was done with a custom-built attack server infrastructure that, honestly, seems to have impressed most of the people writing reports about it.

[Image: via Prodaft]

The entire operation is believed to be the work of a Russian-speaking threat actor who specializes in breaching networks and then selling access to them to other groups. Security firms call threat actors like these "initial access brokers."

Although several security firms have also reached the same conclusion, it was only PAN's Unit42 who named the attacker as an individual going online as SantaAd.

According to SOC Radar, the "threat actor behind the FortiBleed campaign remains active" and "portions of the infrastructure continue to operate at the time of writing."

[Image: via Palo Alto Networks]

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq discuss the idea that the People's Republic of China has mobilised its influence operations against the construction of US data centres and its build out of AI capacity.


Breaches, hacks, and security incidents

Belgian State Security Service breach: Hackers have stolen the mobile phone details of Belgian intelligence service officials. According to Belgium's public service broadcaster, the data was taken from a company that managed the agency's mobile device management platform. The hack was linked to a series of attacks targeting Ivanti EPMM servers last year. The stolen data includes the names, phone numbers, and email addresses of employees of the Belgian State Security Service. [RTBF]

Tata Electronics breach: Tata Electronics has confirmed a security breach on Monday after a hacking group listed its name as a recent victim. The World Leaks group claims it has stolen more than 200,000 documents from the Indian company. The files allegedly contain sensitive data on Apple and Tesla electronic components. [CNBC]

LastPass impacted by Klue breach: Password management service LastPass has added its name to the list of companies that had data stolen from their Salesforce account after a breach at third-party market analytics service Klue. [LastPass]

Mount Royal University hack: The Mount Royal University in Calgary is rebuilding its entire IT infrastructure after a hack last week. [Mount Royal University]

Taiko crypto-heist: A hacker has stolen $1.7 million worth of tokens from the Taiko blockchain bridge. [Taiko // CoinTelegraph]

NL health agency apologizes for inopportune phishing test: A Canadian healthcare agency has apologized to staff for a phishing test about an extra paid vacation day. Nurses across the Newfoundland and Labrador province were invited to apply for an extra day off on a phishing site. They were lured to the site under the guise of a reward for the successful implementation of the province's new IT system CorCare. The province's registered nurse union said the test was in "very poor taste" and "insensitive" at a time when staff are overworked. [NL Health Service // RNUNL]

Israel behind Iranian bank attack: Intelligence sources believe Israeli hackers were likely behind the cyberattack that crippled Iranian banks earlier this month. [Telegraph]

Meta leaks employee keystrokes: Meta is pausing indefinitely an internal program that collected employee keystrokes following an internal data exposure. The program was rolled out earlier this year to collect mouse movements and keystrokes to train AI models. According to WIRED, data gathered by the program was left on servers accessible by all Meta employees. Collected data exposed personal data, performance info, private conversations, and AI prompt histories. [WIRED]

Let me tell you about the time we ended up doing a lot of additional training for a few hundred call center staff WHO WERE NOT TURNING OFF CALL RECORDING when making personal calls. So colour me surprised on this

— Dermot Casey (@dermotcasey.bsky.social) June 23, 2026 at 1:16 AM

General tech and privacy

New PACT protocol: Cloudflare, Google, Microsoft, and Mozilla have committed to developing a new web protocol to help distinguish between authentic and malicious traffic. The new Private Access Control Tokens (PACT) will allow browsers and online platforms to issue anonymous digital tokens for legitimate traffic. The tokens will be issued to verified human users or authorized bots and then used to filter legitimate from malicious traffic. [Cloudflare]

Steam Machine launches: Steam has entered the gaming console market and launched the Steam Machine on Monday. The new console has a steep price though, available in $1,049 and $1,349 versions. [Steam]

Meta rolls out new safety settings: Meta has rolled out 13 new privacy settings for teen accounts across the Facebook, Instagram, and WhatsApp platforms. The new settings are meant to help verify children's age and inform parents of any irregularities in their behavior. [Meta]

Cookie banners may not go away: After the EU set out a plan to phase out the annoying cookie banners via a GDPR facelift this year, some member states and even Google are now in favor of keeping them, probably because most people get so annoyed with them that they eventually end up approving any tracking script companies like Google roll out. [Noyb]

Oracle cuts 21K: Everyone's favorite big corpo, Oracle, is firing 21,000 employees to focus resources on AI. [BBC]

Government, politics, and policy

Trump signs post-quantum EOs: US President Donald Trump signed two executive orders on Monday on the topic of quantum computing. The first executive order aims to accelerate the government's adoption of post-quantum encryption. It imposes a hard deadline for implementing PQC algorithms across the federal government by the end of 2030. The second executive order boosts government funding to support the US quantum computing industry, its supply chain, and materials. [EO 14409 // EO 14411 // White House fact sheet // CyberScoop // PostQuantum]

Five Eyes warn of shift in cyber operations driven by AI: The Five Eyes intelligence-sharing alliance warns that powerful AI models capable of devastating cyberattacks are mere months away. Intelligence and cyber agencies are urging governments to take action and address the risks right now. Suggested measures include the adoption of AI for cyber defense, monitoring new threats, and implementing secure-by-design and secure-by-default principles. [Australia // Canada // New Zealand // UK // US]

Russia to separate M2M-SIM and eSIM from regular SIM: The Russian government is preparing legislation to separate M2M-SIM and eSIM from regular SIM cards. Machine-to-machine SIMs are used by devices to send data to each other or to backend servers while electronic SIMs are used by software apps to obtain a phone number on devices where a physical card cannot be inserted. The government says these two types of SIM cards have been used to automate scams and frauds. Lawmakers plan to put M2M and eSIM cards on separate parts of mobile networks where they can't contact Russian citizens via voice calls or SMS. M2M-SIM cards are believed to account for a fifth of all SIM cards in Russia. [Kommersant]

Sponsor section

In this Risky Business sponsor interview, James Wilson chats with Trail of Bits founder and CEO Dan Guido about its newly announced partnership with OpenAI. Together, they’ve started a new initiative called "Patch the Planet" to support open source maintainers.

Arrests, cybercrime, and threat intel

Phishing kit operator arrested after six years: US authorities have arrested and extradited an Algerian national on cybercrime-related charges. Abdellah Belmili, 26, has allegedly developed and sold phishing kits targeting banks. Belmili used the hacker name of SPOX and was allegedly behind the Market0Day portal where the phishing kits were sold. He was arrested six years after the FBI seized his site. [DOJ]

TfL hackers plead guilty: Two members of the Scattered Spider hacking group have pleaded guilty to hacking the London public transport authority in August of 2024. Thalha Jubair and Owen Flowers initially pleaded not guilty but changed their pleas on the first day of their trial on Monday. The hack caused months of disruption at Transport for London and £39 million in damages. Jubair is also charged in the US for hacking and extorting 47 US companies, allegedly seeking ransoms of at least $115 million. [BBC]

Huione seizure: The US has seized a cloud account used by the Huione Group, a known cyber scam entity in SE Asia, to launder scam profits. [DOJ]

VB scripts on WhatsApp: Meta's WhatsApp security is so bad that threat actors are spamming straight-up malicious VB Scripts on the platform. YOLO! [Kaspersky]

More supply chain attacks: JFrog, SafeDep.

Storm-2603 attack: Microsoft has published an IR report from a Storm-2603 intrusion that used outdated SharePoint servers as the entry point to deploy ransomware. The investigation found a second threat actor inside the same network. [Microsoft]

A third of Samsung and LG TVs act as proxies: More than a third of all LG and Samsung smart TVs contain code that turns the devices into proxy nodes. The proxy code was found hidden in clocks, screensavers, games, and other low utility apps. Many of the apps use consent prompts hidden in terms of service to justify their behavior. [Spur]

Malware technical reports

New loader: Security researcher Matt Kirkland looks at a new malware loader spotted in the wild that has all the signs it might have been developed by Chinese e-crime group Silver Fox. [Matt Kirkland]

MYRA RAT: SafeDep looks at MYRA, a new RAT being deployed on Linux systems via malicious npm packages. Looks like a red team tool. [SafeDep]

Sponsor section

Giving employees AI tools doesn't make a company AI native. Trail of Bits founder and CEO Dan Guido explains the difference — and the operating system his 150-person security firm built to actually get there. 

APTs, cyber-espionage, and info-ops

GhostShell APT: A newly discovered APT group is targeting Ukraine's UAV manufacturers and their supply chain. The new GhostShell group is behind a spear-phishing campaign impersonating Besomar, a Ukrainian drone maker. The phishing emails attempt to trick users into downloading and running malware. Security firm Synaptic Systems says there are not enough clues to link the campaign to a specific country, although Russia is the main candidate. [Synaptic Systems]

Vulnerabilities, security research, and bug bounty

DifyTap vulnerabilities: The Dify open-source AI platform has patched four vulnerabilities that could have allowed attackers to break tenant isolation. Attackers could have read AI conversations from other customers' apps, see documents uploaded to other tenants, and trigger cross-tenant API calls. The bugs are collectively known as DifyTap, and two of the four can be exploited without authentication. They were reported in December, and patched in May. [Zafran Security]

PixelSmash vulnerability: The FFmpeg project has patched a vulnerability that can be used for remote code execution attacks on multimedia servers. If remote code execution attacks can't be achieved, the bug can crash the server instead. The bug, nicknamed PixelSmash, impacts FFmpeg's MagicYUV decoder. FFmpeg is almost universally used for audio processing on both client-side and server-side software. [JFrog // CVE-2026-8461]

Eight-year-old Samsung flaw: A newly disclosed vulnerability can allow threat actors to run malicious code on Samsung smartphones released over the past eight years. Devices from Galaxy S9 to S25 are vulnerable. The bug can be exploited by malicious apps running on a device to run code in the Samsung secure KNOX kernel. Tracked as CVE-2026-20971, the bug was patched by Samsung in January. [LucidBits Labs]

Chrome sandbox escape: Exodus' Chanh Pham has published a write-up and PoC for CVE-2026-3542, a Chrome sandbox escape targeting the Ubercage sandbox that isolates Wasm code. [Exodus Intelligence]

Security updates: Dell, IBM, JetBrains, Node.js, QNAP, Red Hat, VMware.

Infosec industry

Threat/trend reports: Bitsight, CrowdStrike, JET CSIRT, Microsoft, Omega Systems, Privado, and Radware have recently published reports and summaries covering various threats and infosec industry trends.

New tool—SindriKit: A security researcher going by Sibouzitoun has released SindriKit, a C library for building offensive cyber tools.

WWHF 2026 videos: Talks from the Wild West Hackin' Fest 2026 security conference, which took place in February, are available on YouTube.

SAS 2025 videos: Talks from the Security Analyst Summit 2025 security conference, which took place last October, are available on YouTube.

Risky Business podcasts

In this episode of Risky Business Features, James Wilson and Brad Arkin talk about how to safely use open weight large language models in the enterprise. 
