Today’s roundup
CISA Warns of Active Exploitation Following FortiBleed Leak
Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain
The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes
AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution
Klue OAuth breach victim list grows as Icarus hackers claim attack
Texas govt data breach exposes over 3 million driver’s licenses
Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
Operation Endgame Disrupts SocGholish Servers, Cleans 14,971 WordPress Sites
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert on June 18 regarding active exploitation following the "FortiBleed" leak. This incident exposed credentials for approximately 74,000 Fortinet firewalls and VPN gateways, with a Russian-speaking threat group actively leveraging these to target systems globally. Investigations revealed 1.16 billion credential attempts against 320,777 FortiGate targets, and the leaked data appears to stem from exported device configurations. CISA recommends immediate termination of active sessions, resetting all VPN and administrative passwords, enabling phishing-resistant multi-factor authentication, and reviewing logs for unauthorized access.
Security researchers from Paradigm Shift have unveiled "usbliter8," an unpatchable exploit for Apple's A12 and A13 chips. This exploit achieves arbitrary code execution within the SecureROM, a core component burned into the silicon during manufacture, meaning it cannot be fixed via software updates. The attack requires physical access to the device, but its fundamental nature poses a persistent threat to affected hardware.
The ransomware-as-a-service (RaaS) operation known as "The Gentlemen" is employing a sophisticated EDR (Endpoint Detection and Response) killer framework named "GentleKiller." This framework is designed to target and disable approximately 400 security processes, enhancing affiliates' ability to bypass defensive measures before deploying ransomware encryptors.
Microsoft researchers have detailed a new exploit chain, dubbed "AutoJack," which transforms an AI browsing agent into a vector for remote code execution (RCE). The attack allows an attacker's web page, when loaded by the AI agent, to leverage JavaScript to interact with a privileged local service on the same machine, subsequently spawning a process on the host without requiring credentials or further user interaction.
Market intelligence platform Klue has confirmed a security incident where threat actors stole OAuth tokens used to connect to customer Salesforce environments. A new extortion group, "Icarus," has publicly claimed responsibility for the attack, expanding the list of victims impacted by the breach.
The Texas Parks and Wildlife Department (TPWD) has disclosed a significant data breach affecting a vendor's license system, which exposed personal information for over three million individuals. The compromised data includes driver’s licenses, highlighting the risks associated with third-party service providers holding sensitive government data.
Threat actors are actively exploiting an unauthenticated information disclosure vulnerability, tracked as CVE-2026-4020 with a CVSS score of 5.3, in the Gravity SMTP WordPress plugin. This flaw, present in approximately 100,000 active sites, allows attackers to extract sensitive configuration data, API keys, secrets, and OAuth tokens.
In a multi-national effort, law enforcement authorities from the Netherlands, Canada, Germany, and the U.S. conducted "Operation Endgame," disrupting malicious infrastructure associated with the SocGholish threat group. The operation resulted in the cleanup of nearly 15,000 infected WordPress websites, significantly hindering the cybercriminals' access to compromised systems.