
Coverage: Last 24 hours
Today’s Highlights
Today’s update highlights critical credential leaks from Fortinet, ongoing supply chain attacks via WordPress plugins, active ransomware tool evolution to neutralize defender EDRs, and targeted OAuth token abuse exposing CRM data. Defender focus should be on credential hygiene, privileged integrations, and prompt patching of high-impact vulnerabilities across both user-facing and infrastructure assets.
Table of Contents
- CISA warns Fortinet users to secure devices after FortiBleed leak
- Gentlemen ransomware uses multiple EDR killers to disable defenses
- Nintendo confirms data stolen in WebMD subsidiary cyberattack
- USB worm spreads crypto-stealing malware via Windows shortcut files
- Klue OAuth breach linked to ‘Icarus’ Salesforce data theft attacks
- Police cleans nearly 15,000 SocGholish-infected sites tied to Evil Corp
- ShapedPlugin update flow hacked to infect WordPress sites
- ‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm
- Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data
- Apple Patches Beats Studio Buds Flaw Letting Nearby Attackers Spy via Microphone
Top Stories
CISA warns Fortinet users to secure devices after FortiBleed leak
Source: BleepingComputer | Risk: Critical | Impacted: Fortinet firewall administrators, VPN gateway operators, Hybrid cloud environments
Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers to secure their devices after nearly 74,000 firewall and VPN credentials were exposed in a data leak dubbed “FortiBleed.”
Why it matters: Compromised firewall and VPN credentials can enable direct access to internal networks, bypassing most perimeter defenses and exposing sensitive business systems.
Practitioner Perspective
Organizations running Fortinet firewalls or VPNs must treat the FortiBleed leak as active credential exposure with downstream risk of targeted intrusion and lateral movement. Attackers will prioritize direct exploitation of these credentials for initial access, particularly where MFA is not enforced or device inventories are outdated. CISA’s warning suggests the operational window before exploitation is narrow, and defenders should assume credentials are in hostile hands if listed. Security teams cannot rely solely on patching and must coordinate credential resets and session invalidations for all potentially affected devices. The most urgent task is verifying and retiring any credentials exposed in the FortiBleed leak to prevent opportunistic compromise.
Recommended Actions
- Reset all passwords and keys associated with affected Fortinet firewall and VPN devices listed in the FortiBleed leak
- Purge and audit all active VPN sessions on Fortinet equipment for suspicious or unrecognized activity
Gentlemen ransomware uses multiple EDR killers to disable defenses
Source: BleepingComputer | Risk: High | Impacted: Enterprises with standard EDR deployments, Organizations with ransomware landscape exposure, Security operations centers relying on EDR telemetry
Summary: The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks.
Why it matters: Attackers with the ability to systematically terminate EDR solutions remove a critical line of defense, dramatically increasing the likelihood of ransomware execution and data loss before response teams can react.
Practitioner Perspective
Ransomware actors leveraging the Gentlemen RaaS are investing in custom-built EDR termination tools, an indicator that reliance on commodity detection mechanisms is insufficient. The operational threat extends to organizations using major EDR platforms, where a single misconfiguration or unpatched agent could nullify an entire layer of defense. Security leaders should correlate this development with broader trends among affiliate-based ransomware groups, particularly those adapting to bypass layered enterprise controls. Teams cannot assume endpoint security telemetry is authoritative if threat actors actively neutralize agents. The main focus should be on defense-in-depth and layered monitoring outside endpoints to catch ransomware precursor activity.
Recommended Actions
- Review EDR agent deployment coverage and configurations for vulnerabilities exploited by Gentlemen ransomware tools
- Hunt for indicators of EDR service stoppage or agent tampering across Windows event logs and SIEM
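To make the EDR-tampering hunt above concrete, here is an added Python example (not from BleepingComputer or the Gentlemen research) that scans exported Windows System-log lines for watched security services being stopped (event 7036) or crashing (7034) and for kernel drivers installed from user-writable paths (7045), then escalates when several hits cluster in a short window. The service names, path heuristics and sample log lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Service names to watch: a constructed list standing in for whichever EDR agents are deployed.
WATCHED_SERVICES = {"SentinelAgent", "CSFalconService", "WinDefend", "Sense"}
# A driver that a legitimate installer would never place here is a classic tampering sign.
WRITABLE_PATHS = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")

LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+Service Control Manager:\s+(.*)$")
STOPPED_RE = re.compile(r"The (.+?) service entered the stopped state")
CRASHED_RE = re.compile(r"The (.+?) service terminated unexpectedly")
INSTALLED_RE = re.compile(r"Service Name: (\S+) Service File Name: (.+?) Service Type: (.+)$")

# Constructed text export of Windows System-log events (IDs 7034/7036/7045), not real telemetry.
SAMPLE_LOG = r"""
2026-06-12T03:14:02Z 7036 Service Control Manager: The Print Spooler service entered the stopped state.
2026-06-12T03:14:05Z 7045 Service Control Manager: A service was installed in the system. Service Name: kprocdrv Service File Name: C:\Windows\Temp\kprocdrv.sys Service Type: kernel mode driver
2026-06-12T03:14:07Z 7036 Service Control Manager: The CSFalconService service entered the stopped state.
2026-06-12T03:14:09Z 7034 Service Control Manager: The SentinelAgent service terminated unexpectedly. It has done this 1 time(s).
2026-06-12T03:20:00Z 7036 Service Control Manager: The WinDefend service entered the running state.
"""
def classify(event_id, message, watched):
    """Return (severity, detail) for one Service Control Manager message, or None if benign."""
    if event_id == "7036":
        m = STOPPED_RE.search(message)
        if m and m.group(1) in watched:
            return "high", f"{m.group(1)} stopped"
    elif event_id == "7034":
        m = CRASHED_RE.search(message)
        if m and m.group(1) in watched:
            return "high", f"{m.group(1)} crashed"
    elif event_id == "7045":
        m = INSTALLED_RE.search(message)
        if m and "kernel" in m.group(3).lower() and m.group(2).lower().startswith(WRITABLE_PATHS):
            return "medium", f"kernel driver {m.group(1)} installed from {m.group(2)}"
    return None

def hunt(log_text, watched=WATCHED_SERVICES, window=timedelta(minutes=5)):
    """Scan exported log lines; escalate hits that cluster inside one short window."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event_id, message = m.groups()
        hit = classify(event_id, message, watched)
        if hit:
            findings.append({"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                             "severity": hit[0], "detail": hit[1]})
    # Several indicators within minutes of each other look like a killer tool, not an admin restart.
    for f in findings:
        nearby = [g for g in findings if abs((g["time"] - f["time"]).total_seconds()) <= window.total_seconds()]
        if len(nearby) >= 2:
            f["severity"] = "critical"
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["time"].isoformat(), f["severity"].upper(), f["detail"])
```

Feed it a text export of the System log (or the equivalent SIEM search results) and tune the watched service list to the agents actually deployed.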
Nintendo confirms data stolen in WebMD subsidiary cyberattack
Source: BleepingComputer | Risk: Medium | Impacted: Enterprises using TinyPulse or similar survey SaaS, HR and employee engagement teams, Third-party risk programs
Summary: Nintendo of America has confirmed to BleepingComputer that threat actors stole survey data from the third-party TinyPulse service used internally, but its systems were not compromised.
Why it matters: Business-sensitive survey data lost through a third-party SaaS provider can expose customer insights, employee sentiment, or competitive strategy even without direct compromise of core systems.
Practitioner Perspective
Third-party SaaS integrations remain a soft spot for internal data, as recent events show even robust organizations like Nintendo can lose information via providers such as TinyPulse. The threat context is SaaS supply chain risk: even if your security on primary assets is strong, attackers can gain valuable data from poorly segmented or lightly governed SaaS extensions. Defenders need to revisit trust boundaries and contractual controls with data processors and evaluate what is being shared through productivity tools, especially when vendor enforcement may be weak. Teams should scrutinize what survey or feedback platforms are tied to operational or sensitive business functions. The most critical question is whether the ‘harmless’ SaaS in your stack actually holds data worthy of advanced threat actor targeting.
Recommended Actions
- Audit integrations and data sharing with TinyPulse and any survey SaaS platforms holding internal company data
- Enforce strict data minimization for HR tools and require contractual breach notifications for processors
USB worm spreads crypto-stealing malware via Windows shortcut files
Source: BleepingComputer | Risk: High | Impacted: Organizations handling cryptocurrencies, Financial trading environments, Industrial control networks with USB access
Summary: Threat actors targeting cryptocurrency wallets have been distributing clipboard-stealing malware with self-spreading capabilities and using the Tor network to conceal communication.
Why it matters: Self-propagating malware delivered via USB can bypass network controls and compromise air-gapped or isolated environments, endangering users with cryptocurrency assets and sensitive credentials.
Practitioner Perspective
Organizations dealing with sensitive financial data, trading desks, or even retail endpoints are at risk from clipboard-stealing malware that spreads using Windows shortcut files on USB drives. This attack vector circumvents most border security and leverages user behavior or misconfigured autorun policies, with threat actors operating through anonymizing Tor channels for remote command and control. The risk extends beyond cryptocurrency theft and applies to any scenario where USB device policy is lax. Security teams should ensure removable media controls and endpoint protections are enforced, and should not assume segmented networks are immune to physical cross-contamination. The single biggest error would be to ignore USB threats as a legacy problem: they remain effective for motivated attackers.
Recommended Actions
- Enforce group policy restrictions on autorun and execution of Windows shortcut (LNK) files from USB drives
- Deploy EDR signatures and YARA rules for clipboard-stealing and self-propagating malware
Klue OAuth breach linked to ‘Icarus’ Salesforce data theft attacks
Source: BleepingComputer | Risk: High | Impacted: Organizations using Klue-Salesforce integrations, Sales and CRM owners, Third-party SaaS integrated via OAuth
Summary: Market intelligence platform Klue suffered an OAuth breach that enabled the “Icarus” threat actors to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign.
Why it matters: Compromised third-party OAuth tokens that permit access to CRM platforms expose entire customer datasets, undermining trust and risking further account takeovers or targeted phishing.
Practitioner Perspective
The Icarus campaign linked to Klue’s OAuth breach illustrates how attackers can pivot across vendor integrations to extract high-value Salesforce data. This signals an operational imperative: OAuth tokens with sensitive scopes are now prime targets in highly automated extortion operations. Security teams must map and review every third-party integration with privileged data access, particularly as these tokens may evade traditional credential monitoring. Salesforce data accessed by Klue or similar vendors should be treated as potentially breached. Defenders should challenge assumptions about SaaS ecosystem boundaries and the sufficiency of single-vendor controls.
Recommended Actions
- Audit active OAuth tokens granted to Klue and other vendor integrations for Salesforce
- Revoke or rotate credentials and tokens issued prior to the breach window
Police cleans nearly 15,000 SocGholish-infected sites tied to Evil Corp
Source: BleepingComputer | Risk: Medium | Impacted: WordPress site operators, Managed service providers, Incident responders tracking loader malware
Summary: International law enforcement agencies cleaned nearly 15,000 malware-infected WordPress websites and took down more than 100 servers linked to the SocGholish botnet and the Evil Corp Russian cybercrime group.
Why it matters: The mass cleanup of thousands of compromised web properties disrupts a major malware delivery infrastructure, reducing immediate risk but creating uncertainty as threat actors seek alternate distribution methods.
Practitioner Perspective
While law enforcement disabled the SocGholish loader campaign across nearly 15,000 WordPress sites, security teams should anticipate rapid shifts in attack infrastructure by affiliated crime groups like Evil Corp. Previous SocGholish campaigns weaponized trusted sites to deliver malware, and follow-on threats may leverage new or less-monitored platforms. Web admins and incident responders should not become complacent or assume long-term relief: attackers will likely pivot tactics. Continuous vigilance and validation of web assets for unauthorized modifications remain critical. Visibility into plugin updates and hosting server logs is essential to preempt future mass infections.
Recommended Actions
- Verify all WordPress installations for residual SocGholish artifacts or other malware
- Monitor DNS, CDN, and hosting logs for indicators of re-compromise
ShapedPlugin update flow hacked to infect WordPress sites
Source: BleepingComputer | Risk: High | Impacted: WordPress admins using ShapedPlugin products, Web developers managing plugin updates, SMBs running third-party WP plugins
Summary: Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the vendor’s official update system.
Why it matters: Supply chain compromise in a WordPress plugin vendor can push malware to thousands of legitimate sites in a single stroke, bypassing normal user or admin scrutiny and amplifying attack surface.
Practitioner Perspective
The compromise of ShapedPlugin’s update mechanism exposes WordPress operators to risk far beyond typical plugin vulnerabilities. Attacks through vendor update channels succeed even on well-managed sites, eliminating the defender’s ability to catch threats solely through OWASP-style plugin vetting. The incident highlights the fragility of the WordPress plugin ecosystem, where even paid/licensed customers are now prime supply chain targets. Defenders should not trust integrity at the download source alone and need to monitor for malicious plugin behaviors post-installation. The most important strategy is layered detection and rapid rollback capability for any third-party packages deployed from WordPress vendors.
Recommended Actions
- Validate all ShapedPlugin extensions for unauthorized code updates or unexpected behaviors
- Check server and web logs for signs of compromise connected to recent plugin updates
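For the two WordPress items above (verifying sites cleaned of SocGholish for residual artifacts, and validating ShapedPlugin extensions for unauthorized code changes), here is an added Python example, not code from the vendors or the source articles, that hashes a plugin tree against a known-good baseline, reports added, removed and modified files, and screens the changed ones for common obfuscation markers. The plugin tree it builds in a temporary directory is constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Obfuscation constructs legitimate plugin code rarely needs; a hit is a lead for review, not proof.
MARKERS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|create_function)\s*\(")

def manifest(plugin_root):
    """Map each file (relative to the plugin root) to its SHA-256; keep one per known-good release."""
    root = Path(plugin_root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifests(baseline, current):
    """Classify files as added, removed or modified relative to the trusted baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
    }

def suspicious_files(plugin_root, names):
    """Return the subset of names whose content contains an obfuscation marker."""
    root = Path(plugin_root)
    return [n for n in names if MARKERS.search((root / n).read_text(errors="ignore"))]

def demo():
    """Build a constructed plugin tree, baseline it, simulate a tampered update, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "example-plugin"      # constructed name, not any real vendor's plugin
        (plugin / "inc").mkdir(parents=True)
        (plugin / "example-plugin.php").write_text("<?php\n// Plugin Name: Example\nadd_action('init', 'ep_init');\n")
        (plugin / "inc" / "helpers.php").write_text("<?php\nfunction ep_init() { return true; }\n")
        baseline = manifest(plugin)                # what the known-good release hashed to

        # Simulated malicious update: a helper gains an obfuscated loader and a new file appears.
        (plugin / "inc" / "helpers.php").write_text(
            "<?php\nfunction ep_init() { return true; }\neval(base64_decode('...'));\n")
        (plugin / "inc" / "cache.php").write_text("<?php\n$x = gzinflate(base64_decode('...'));\n")
        drift = diff_manifests(baseline, manifest(plugin))
        flagged = suspicious_files(plugin, drift["added"] + drift["modified"])
        return drift, flagged

if __name__ == "__main__":
    drift, flagged = demo()
    print("drift:", drift)
    print("flagged for review:", flagged)
```

In production the baseline comes from a release you verified before deployment and is stored outside the web root, so a compromised update cannot rewrite it along with the plugin.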
‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm
Source: Krebs on Security | Risk: Medium | Impacted: Organizations relying on residential proxy blocklists, Network teams filtering by IP reputation, Ad fraud detection teams
Summary: For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a “residential proxy” provider operated by the publicly-traded Israeli firm Alarum Technologies.
Why it matters: Android-based residential proxy botnets fueled by consumer TV boxes enable large-scale ad fraud and can threaten enterprise security posture by offering stealth traffic relay paths for attackers.
Practitioner Perspective
The exposure of the Popa botnet’s linkage to a commercial residential proxy provider escalates risk for any entity filtering traffic by geolocation or trust-based IP lists. Devices like TV boxes are being conscripted as persistent, unmonitored relays for ad fraud, credential stuffing, and data harvesting, yet most enterprise controls do not treat these as high risk. Network defenders should reevaluate any trust placed in residential proxies or home-like device traffic, especially when threat actors can easily abuse these for obfuscation. Attention should also turn to vendor supply chain risk: if consumer gadgets are pre-infected, corporate and remote users may inadvertently participate in malicious networks. The biggest challenge is building and maintaining blocklists for dynamic residential proxies used by criminal infrastructure.
Recommended Actions
- Update network blocklists to cover identified Popa-linked residential proxy IP ranges
- Monitor for large volumes of traffic originating from or transiting via known TV box manufacturers used in Popa botnet
Emerging Signals
Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data
Source: The Hacker News | Risk: High | Impacted: Salesforce administrators, Organizations using third-party integrations, SaaS security owners
Summary: Salesforce has revealed that it disabled the Klue Battlecards app integration within its platform in response to a security incident impacting the competitive intelligence company on June 11, 2026. To that end, organizations will be unable to connect to Salesforce via the app until further notice, the American cloud-based software company noted in an alert published this week.
Why it matters: Disabling a major third-party integration highlights the systemic risk introduced by OAuth-based access to SaaS platforms, and underscores the urgency of reviewing all privileged third-party connections.
Practitioner Perspective
Salesforce’s rapid response to the Klue OAuth token abuse incident reflects the growing need to actively manage third-party app permissions. Administrators must anticipate impacts on business processes but should not delay action when an incident is identified. Reviewing all active integrations for excessive privilege, stale tokens, or vendor lock-in is crucial, especially as attackers increasingly pivot to exploiting trusted application relationships. This serves as a visible reminder that disabling integrations is preferable to risking customer data exposure.
Recommended Actions
- Review and disable unnecessary Salesforce third-party app integrations
- Audit remaining OAuth tokens and permissions for signs of excessive or anomalous access
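As an added example serving both the Klue/Icarus story above and Salesforce’s disabling of the Klue Battlecards integration (not code from Salesforce, Klue or the source articles), the Python below triages an exported list of OAuth tokens: tokens belonging to the disabled app, tokens issued before the June 11, 2026 incident date, tokens unused for 90 days, and tokens with an outsized use count. The record layout and the sample records are this example’s own assumptions, not a statement of the Salesforce API.

```python
from datetime import datetime, timedelta, timezone

# Integration named in the Salesforce alert; tokens for it are revoked outright.
SUSPECT_APPS = {"Klue Battlecards"}
# Incident date from the alert; anything issued earlier gets rotated.
BREACH_CUTOFF = datetime(2026, 6, 11, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)
DEMO_NOW = datetime(2026, 6, 12, 12, tzinfo=timezone.utc)   # "now" for the constructed sample

# Constructed sample export, not customer data. The field names are this example's assumption
# about what a token export looks like; adapt them to what your own export actually contains.
SAMPLE_TOKENS = [
    {"Id": "t1", "AppName": "Klue Battlecards", "UserName": "crm-svc@example.com",
     "CreatedDate": "2026-03-02T09:00:00Z", "LastUsedDate": "2026-06-12T01:10:00Z", "UseCount": 14000},
    {"Id": "t2", "AppName": "Slack", "UserName": "alice@example.com",
     "CreatedDate": "2026-05-20T09:00:00Z", "LastUsedDate": "2026-06-11T18:00:00Z", "UseCount": 310},
    {"Id": "t3", "AppName": "Old Reporting Tool", "UserName": "bob@example.com",
     "CreatedDate": "2025-01-15T09:00:00Z", "LastUsedDate": "2025-12-01T08:00:00Z", "UseCount": 12},
    {"Id": "t4", "AppName": "Slack", "UserName": "carol@example.com",
     "CreatedDate": "2026-06-12T09:00:00Z", "LastUsedDate": "2026-06-12T09:05:00Z", "UseCount": 2},
]

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_tokens(tokens, now, suspect_apps=SUSPECT_APPS, cutoff=BREACH_CUTOFF):
    """Return {token id: [reasons]} for every token that needs revoking, rotating or review."""
    use_counts = sorted(t["UseCount"] for t in tokens)
    median = use_counts[len(use_counts) // 2] if use_counts else 0
    verdicts = {}
    for t in tokens:
        reasons = []
        if t["AppName"] in suspect_apps:
            reasons.append("revoke: issued to an integration disabled after the incident")
        if _ts(t["CreatedDate"]) < cutoff:
            reasons.append("rotate: issued before the breach window")
        if now - _ts(t["LastUsedDate"]) > STALE_AFTER:
            reasons.append("revoke: unused for more than 90 days")
        # A token pulling far more than its peers has the shape of a bulk CRM export.
        if t["UseCount"] > 10 * max(median, 1):
            reasons.append("review: use count far above the median for this org")
        if reasons:
            verdicts[t["Id"]] = reasons
    return verdicts

if __name__ == "__main__":
    for token_id, reasons in audit_tokens(SAMPLE_TOKENS, DEMO_NOW).items():
        print(token_id, "->", "; ".join(reasons))
```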
Apple Patches Beats Studio Buds Flaw Letting Nearby Attackers Spy via Microphone
Source: The Hacker News | Risk: High | Impacted: Beats Studio Buds users, Bluetooth device administrators, Personal device owners
Summary: Apple has updated its Beats Studio Buds wireless earbuds to patch a high-severity vulnerability that could be exploited by nearby hackers to eavesdrop on users. The vulnerability, tracked as CVE-2025-20701 (CVSS score: 8.8), refers to a case of incorrect authorization impacting the Airoha Bluetooth audio SDK that makes it possible to pair a Bluetooth audio device without user consent.
Why it matters: Vulnerabilities in widely-used Bluetooth audio devices can enable physical eavesdropping, putting user privacy and sensitive conversations at risk.
Practitioner Perspective
Users and organizations should not assume that personal-peripheral vulnerabilities lack enterprise impact, especially with the prevalence of BYOD and remote work. Rapid patching and proactive user notifications for hardware updates are necessary. IT teams supporting endpoints should treat high-severity Bluetooth device flaws with the same rigor as major OS exploits and include them in device security policies.
Recommended Actions
- Promptly deploy the latest Beats Studio Buds firmware update to all managed devices
- Audit inventory for vulnerable Bluetooth hardware and notify impacted users accordingly
Exploits & CVEs
No significant new CVEs or active exploits reported in the last 24 hours beyond those included in the stories above. Continue monitoring vendor advisories for any emerging critical vulnerabilities.
Defensive Actions
- Reset all passwords and keys associated with affected Fortinet firewall and VPN devices listed in the FortiBleed leak
- Purge and audit all active VPN sessions on Fortinet equipment for suspicious or unrecognized activity
- Enforce MFA on all internet-facing Fortinet device logins
- Monitor Fortinet syslogs and authentication logs for indications of credential-based intrusion attempts
- Review and reconcile firmware/software versions to ensure all Fortinet equipment is patched to latest supported release
- Audit integrations and data sharing with TinyPulse and any survey SaaS platforms holding internal company data
- Enforce strict data minimization for HR tools and require contractual breach notifications for processors
- Audit active OAuth tokens granted to Klue and other vendor integrations for Salesforce
- Revoke or rotate credentials and tokens issued prior to the breach window
- Validate all ShapedPlugin extensions for unauthorized code updates or unexpected behaviors
What We’re Watching
Security teams should closely monitor for further fallout from high-profile SaaS and credential compromises, anticipate fast pivots in web malware distribution tactics, and prepare for ransomware actors continuing to innovate around endpoint visibility controls. Regular reviews of plugin and integration supply chains, as well as strong device and credential hygiene, remain urgent priorities for the coming days.