Back to Blog
Weekly CISO Digest — Week of 2026-06-22: Credential Attacks Escalate Globally
security-guides

Weekly CISO Digest — Week of 2026-06-22: Credential Attacks Escalate Globally

breachwire TeamJun 22, 20264 min read

Headline Incident: FortiBleed Exposes Global Credential-Spraying Operation

A coordinated credential-spraying campaign named FortiBleed targeted Fortinet FortiGate VPN devices worldwide, executing over a billion login attempts and compromising multiple organizations, including a Turkish defence contractor with NATO ties. Attackers leveraged exposed FortiGate endpoints to deploy network sniffers and harvest credentials, resulting in persistent access and lateral movement. The operation involved a multi-operator crew and highlights the ongoing risk posed by credential-based attacks against perimeter devices. Fortinet, Sophos, and Microsoft SQL Server products were also targeted in related campaigns, with attackers using curated password lists from previous breaches. Organizations with unpatched or poorly secured VPN devices remain at high risk. Immediate action is required to enforce strong password policies, enable multi-factor authentication (MFA), and monitor for anomalous login activity on all perimeter devices.

This Week's Incidents

Klue OAuth breach leads to Salesforce data theft by Icarus hackers

What: Klue suffered a breach where attackers used a compromised legacy credential to steal OAuth tokens, exfiltrating Salesforce CRM data from multiple organizations including Recorded Future, Tanium, and Huntress.
Who's at risk: SaaS platforms, organizations integrating with Salesforce or other third-party services.
Action: Audit OAuth integrations, revoke unused tokens, and review third-party access logs immediately.

Microsoft links Mastra AI supply chain attack to North Korean hackers

What: North Korean group Sapphire Sleet compromised over 140 npm packages in the Mastra AI supply chain, using a hijacked maintainer account to publish malware targeting developers’ credentials and crypto wallets.
Who's at risk: Software development teams using npm packages, especially those related to Mastra AI.
Action: Review npm dependencies for typosquatting, rotate developer credentials, and scan for malicious post-install hooks.

AryStinger botnet infected thousands of D-Link routers worldwide

What: The AryStinger botnet compromised 4,000+ outdated D-Link DIR-850L and DIR-818LW routers globally, exploiting CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837 to create proxies for malicious activity.
Who's at risk: Organizations with legacy D-Link routers, especially in South Korea, China, Sweden, Malaysia, and Singapore.
Action: Replace or patch vulnerable routers and segment IoT devices from critical networks.

FreeBSD KTLS Vulnerability CVE-2026-45257 Disclosure

What: CVE-2026-45257 disclosed a kernel-level TLS flaw in FreeBSD’s KTLS, potentially allowing attackers to compromise encrypted network communications.
Who's at risk: Organizations running FreeBSD with KTLS enabled, especially in North America.
Action: Apply security patches for FreeBSD KTLS immediately and audit TLS configurations.

iRhythm Hit by Cyberattack, Patient Data Stolen and Ransom Demanded

What: iRhythm experienced a ransomware attack resulting in patient data theft and a ransom demand, impacting healthcare operations.
Who's at risk: Healthcare organizations handling sensitive patient data.
Action: Review ransomware response plans and ensure robust backups and endpoint protection are in place.

LockBit5 ransomware attack on probat.ag

What: German construction firm probat.ag was hit by LockBit5 ransomware, causing data encryption/exfiltration and business disruption.
Who's at risk: Construction and industrial organizations in Europe.
Action: Harden backup strategies and monitor for LockBit TTPs in network traffic.

Qilin Ransomware Attack on Commune d’Eyguires, France

What: The Qilin group encrypted and disrupted local government systems in Commune d’Eyguires, France.
Who's at risk: European public sector and municipal IT systems.
Action: Segment critical infrastructure and validate offline backup integrity.

Ransomware Attack on Preferred Properties

What: Preferred Properties, Inc. in Ohio was targeted by the payload ransomware group, disrupting operations and system access.
Who's at risk: Real estate and property management firms globally.
Action: Patch exposed systems and test incident response playbooks for ransomware.

Super Finishing suffers ransomware attack by worldleaks

What: Brazilian manufacturer Super Finishing was attacked by worldleaks ransomware, causing operational impact.
Who's at risk: Manufacturing and industrial firms in Latin America.
Action: Review endpoint security and restrict lateral movement within OT environments.

Ransomware Attack on Qualiflex Solutions by Payload Group

What: Automation firm Qualiflex Solutions was reportedly encrypted by Payload ransomware, with public claims unconfirmed by the victim.
Who's at risk: Automation and control technology providers.
Action: Monitor for Payload ransomware indicators and validate backup recoverability.

Large-Scale Credential Attacks Targeting Fortinet and MSSQL Devices

What: FortiBleed campaign used password spraying and credential theft to target Fortinet, Sophos, and MSSQL devices, aiming for persistent high-privilege access.
Who's at risk: Organizations with exposed Fortinet, Sophos, or Microsoft SQL Server endpoints.
Action: Enforce MFA and monitor for brute-force attempts on all externally exposed services.

Ransomware Incident at Pinnacle Re-Tec

What: UK-based Pinnacle Re-Tec Ltd was disrupted by a ransomware attack attributed to the cmdorganization group, affecting US operations.
Who's at risk: Industrial service providers in the UK and US.
Action: Isolate affected systems and coordinate with law enforcement on ransomware events.

Qilin Ransomware Attack on Pacific Lamp & Supply

What: Qilin ransomware group claimed an attack on Pacific Lamp & Supply in North America, with details based on public threat actor statements.
Who's at risk: North American SMEs with limited cyber defenses.
Action: Validate endpoint detection coverage and review ransomware containment procedures.

Krybit ransomware infiltrates AASA Group

What: Krybit ransomware group claimed responsibility for a June 19 attack on Dubai-based AASA CP Holding Company, disclosed via onion blog.
Who's at risk: Middle Eastern conglomerates and holding companies.
Action: Enhance monitoring for ransomware activity and review privileged account access.

This Week's Pattern

  • Credential-based attacks surged, with FortiBleed executing over a billion login attempts and multiple incidents leveraging compromised credentials or OAuth tokens.
  • Ransomware remains pervasive, targeting diverse sectors from healthcare (iRhythm) and manufacturing (Super Finishing) to government (Commune d’Eyguires) and real estate (Preferred Properties).
  • Supply chain and IoT vulnerabilities continue to be exploited, as seen in the Mastra AI npm compromise and AryStinger botnet’s abuse of outdated D-Link routers, underscoring the need for patching and dependency hygiene.

Start Your 14-Day Free Trial

Get curated cyber intelligence delivered to your inbox every morning at 6 AM. No credit card required.

Get Started Free
Share this article: