Fortinet VPN Credentials Leaked for 73,000 Devices; Microsoft Races to Patch Defender Zero-Day as DragonForce Ransomware Exploits Teams Infrastructure
Executive Summary
The critical infrastructure threat landscape this week is dominated by several significant developments requiring immediate attention from security teams and infrastructure operators:
- FortiBleed Credential Leak: A massive data leak has exposed Fortinet/FortiGate VPN credentials for approximately 73,932 firewall URLs across organizations worldwide, creating immediate risk for network perimeter security across all critical infrastructure sectors.
- Microsoft Defender Zero-Day: Microsoft has confirmed active development of a patch for the "RoguePlanet" zero-day vulnerability (CVE-2026-50656) in Microsoft Defender, which allows attackers to spawn command prompts with System privileges via a race condition exploit.
- Fortinet FortiSandbox Exploitation: Multiple security firms report active exploitation of three recently patched FortiSandbox vulnerabilities, with SOCRadar detecting 30,000 compromised Fortinet firewalls exposing networks to ongoing attacks from multiple threat actors.
- DragonForce Ransomware Evolution: A new attack vector has emerged with DragonForce ransomware operators abusing Microsoft Teams relay servers for command-and-control operations using a novel Go-based backdoor.
- Industrial Control Systems: Rockwell Automation has released patches for vulnerabilities affecting Logix, CompactLogix, Flex, RSLinx, and FactoryTalk products—systems widely deployed across manufacturing and critical infrastructure environments.
- Supply Chain Compromise: 144 npm packages in the Mastra AI framework namespace have been compromised via a hijacked contributor account, posing risks to organizations developing AI-enabled applications.
Threat Landscape
Nation-State Threat Actor Activities
- North Korean IT Worker Fraud Operations: Security firm Nisos has infiltrated a North Korean IT-worker fraud cell operating with AI-assisted interview capabilities and US-based laptop farms. This operation represents an evolution in DPRK's revenue generation tactics, with potential implications for insider threat programs at critical infrastructure organizations. The use of AI to conduct convincing job interviews significantly lowers the barrier for placing malicious actors within target organizations.
- State Digital Surveillance Landscape: Recorded Future has published new research on the state digital surveillance risk landscape, documenting how governments are increasingly leveraging spyware, AI-enabled monitoring, and network interception capabilities. Critical infrastructure personnel traveling internationally should review organizational policies regarding device security and data protection.
Ransomware and Cybercriminal Developments
- DragonForce Ransomware - New C2 Technique: Security researchers have identified DragonForce ransomware operators abusing Microsoft Teams relay servers for command-and-control communications. The attackers deployed a previously undocumented Go-based backdoor that leverages legitimate Microsoft infrastructure, making detection significantly more challenging. Organizations should review network traffic patterns to Microsoft services for anomalous behavior.
- ShinyHunters Extortion Activity: The ShinyHunters extortion gang has claimed responsibility for a breach at Kodak, with the company confirming it is working with external cybersecurity experts to investigate. Reports suggest approximately 2.2 million records may have been stolen, potentially including internal corporate data and customer personal information.
- Crypto Clipper Campaign: Check Point Research has uncovered a sophisticated crypto clipper campaign that abuses paid promotional posts on legitimate news websites, AI-generated narration, and VirusTotal comments to establish credibility. This social engineering approach demonstrates increasing sophistication in malware distribution tactics.
Emerging Attack Vectors
- AI Development Tool Compromise: A coordinated malware campaign has resulted in 15 malicious plugins on the JetBrains Marketplace capable of exfiltrating AI API keys. Separately, malicious Chrome extensions have been identified capturing chatbot conversations. Organizations using AI development tools should audit installed plugins and extensions immediately.
- Supply Chain Attack - Mastra Framework: 144 npm packages in the @mastra/* namespace have been compromised through a hijacked contributor account. The Mastra framework is widely used for building AI applications in JavaScript and TypeScript environments. Organizations should verify package integrity and review dependency trees.
- Google Vertex AI SDK Vulnerability: Researchers have identified a vulnerability in Google's Vertex AI SDK that could allow remote code execution through bucket squatting techniques. Organizations using Google Cloud AI services should review their configurations and monitor for related patches.
Phishing and Social Engineering
- GitBait Phishing Kit: A new serverless phishing kit dubbed "GitBait" has been discovered abusing GitHub Pages and the SheetBest API to steal Mexican banking credentials. While currently targeting financial institutions in Mexico, the technique could be adapted for other regions and sectors. The abuse of legitimate platforms like GitHub for phishing infrastructure complicates detection efforts.
- MFA Bypass Techniques: Account takeover attacks continue to rise as threat actors increasingly bypass traditional defenses through phishing, session hijacking, and MFA fatigue attacks. Security teams should consider implementing device trust verification and continuous authentication mechanisms.
Sector-Specific Analysis
Energy Sector
Industrial Control System Vulnerabilities: Rockwell Automation has released security patches addressing vulnerabilities in multiple product lines critical to energy sector operations:
- Logix controllers
- CompactLogix controllers
- Flex I/O systems
- RSLinx communication software
- FactoryTalk industrial software suite
Recommended Actions:
- Inventory all Rockwell Automation products in operational environments
- Prioritize patching based on network exposure and criticality
- Implement network segmentation to isolate vulnerable systems pending patching
- Monitor for anomalous communications to/from affected controllers
Fortinet Exposure Risk: Energy sector organizations using Fortinet/FortiGate VPN solutions should immediately assess whether their credentials may have been exposed in the FortiBleed leak. Given the sector's reliance on remote access for operational technology environments, compromised VPN credentials represent a significant risk vector.
Water and Wastewater Systems
Network Security Appliance Risks: Water utilities often rely on Fortinet products for network security. The combination of the FortiBleed credential leak and active exploitation of FortiSandbox vulnerabilities creates elevated risk for the sector:
- SOCRadar reports 30,000 compromised Fortinet firewalls currently exposing networks
- Multiple threat actors are actively exploiting recently patched FortiSandbox vulnerabilities
- Attacks originate from multiple sources, indicating widespread awareness of these vulnerabilities
Recommended Actions:
- Verify all Fortinet devices are patched to current versions
- Rotate VPN credentials as a precautionary measure
- Review access logs for signs of unauthorized access
- Consider implementing additional authentication factors for remote access
Communications and Information Technology
Browser Security Updates: Chrome and Firefox have released updates addressing multiple memory safety vulnerabilities that could lead to remote code execution. IT sector organizations should prioritize browser updates across enterprise environments.
Microsoft Ecosystem Concerns:
- Defender Zero-Day: The RoguePlanet vulnerability (CVE-2026-50656) in Microsoft Defender allows privilege escalation to System level. Microsoft has confirmed a patch is in development but no timeline has been provided.
- Office Application Issues: Microsoft is investigating issues preventing third-party applications from launching Office applications or opening documents following June updates.
- Teams Infrastructure Abuse: The DragonForce ransomware group's abuse of Teams relay servers for C2 communications highlights risks in trusted Microsoft infrastructure.
AI Security Concerns: The sector faces growing challenges related to AI tool security:
- Malicious JetBrains plugins targeting AI API keys
- Compromised Mastra npm packages affecting AI application development
- Google Vertex AI SDK vulnerability enabling potential RCE
- 93% increase in employees attempting to upload sensitive data to AI models
Transportation Systems
Network Infrastructure Security: Transportation sector organizations should assess their exposure to the FortiBleed credential leak and Fortinet vulnerabilities, particularly for:
- Traffic management systems
- Rail signaling and control networks
- Aviation operational technology environments
- Maritime port management systems
Telegram Service Disruption: India has banned Telegram until June 22 following use of the platform to circulate leaked exam papers. The ban has reportedly affected service as far as the UAE due to alleged BGP hijacking. Transportation organizations using Telegram for operational communications in affected regions should implement backup communication channels.
Healthcare and Public Health
Data Breach Implications: The Kodak breach, with potentially 2.2 million records exposed, serves as a reminder of data protection challenges. Healthcare organizations should:
- Review third-party vendor security practices
- Ensure business associate agreements include appropriate security requirements
- Monitor for potential credential exposure from supply chain breaches
Upcoming HIPAA Security Event: HHS Office for Civil Rights and NIST are hosting "Safeguarding Health Information: Building Assurance through HIPAA Security 2026" on September 2, 2026. Healthcare security professionals should plan to attend for updates on compliance requirements and security best practices.
Financial Services
Targeted Phishing Operations: The GitBait phishing kit specifically targets Mexican banking institutions using GitHub Pages and the SheetBest API. Financial services organizations should:
- Monitor for similar techniques targeting their customer base
- Implement domain monitoring for lookalike phishing infrastructure
- Enhance customer awareness communications regarding phishing risks
Identity and Access Management: 1Password has acquired Apono for a reported $250-300 million. Apono specializes in just-in-time access governance for humans, machines, and AI agents—a capability increasingly relevant as financial services organizations expand AI deployments.
Government Facilities
AI Governance Developments:
- The Trump administration has acknowledged widespread use of AI to automate government processes through an Office of Management and Budget disclosure.
- Estonia is planning government IDs for AI agents that would grant rights and responsibilities, representing a novel approach to AI governance that other nations may consider.
EU Cyber Support for Ukraine: Ukraine has been added to the EU Cybersecurity Reserve, which provides incident response services for large-scale cyber incidents. This development may influence threat actor targeting decisions and demonstrates continued international cooperation on cybersecurity.
Education Facilities
Physical Security Technology Deployment: Illinois' Thornton Township High School District 205 has deployed the ZeroEyes AI gun detection solution, representing continued adoption of AI-enabled physical security technologies in educational environments.
Vulnerability and Mitigation Updates
Critical Vulnerabilities Requiring Immediate Attention
| Vulnerability | Severity | Status | Action Required |
|---|---|---|---|
| Joomla JCE Plugin (CVE pending) | Maximum (10.0) | Actively Exploited | Patch by June 20, 2026 (CISA BOD) |
| Microsoft Defender RoguePlanet (CVE-2026-50656) | High | Zero-Day, Patch Pending | Monitor for patch release; implement mitigations |
| Fortinet FortiSandbox (3 CVEs) | High-Critical | Actively Exploited | Patch immediately |
| LiteSpeed Web Server | High | Actively Exploited | Patch immediately |
| Rockwell Automation ICS Products | Varies | Patches Available | Assess and patch based on exposure |
CISA Advisories and Directives
CISA Known Exploited Vulnerabilities (KEV) Addition: CISA has added the Joomla JCE vulnerability to the KEV catalog, ordering federal agencies to patch by Friday, June 20, 2026. The maximum-severity flaw allows attackers to execute arbitrary PHP code on vulnerable systems.
Implications for Critical Infrastructure: While the CISA directive applies to federal agencies, critical infrastructure organizations should treat this as a priority given:
- Active exploitation in the wild
- Maximum severity rating
- Potential for arbitrary code execution
- Widespread use of Joomla in public-facing web applications
Notable Patches and Updates
Oracle Critical Patch Update: Oracle has released its June 2026 Critical Security Patch Update containing 245 security fixes across multiple product families:
- Oracle Communications
- E-Business Suite (EBS)
- Enterprise Manager
- Additional enterprise products
Browser Updates:
- Google Chrome: Patched critical and high-severity memory safety vulnerabilities
- Mozilla Firefox: Addressed multiple memory safety bugs with potential RCE impact
Recommended Defensive Measures
For FortiBleed Exposure:
- Check if organizational URLs appear in the leaked dataset
- Immediately rotate all VPN credentials regardless of confirmed exposure
- Enable multi-factor authentication if not already implemented
- Review VPN access logs for unauthorized access attempts
- Consider implementing certificate-based authentication
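The first item above, checking whether organizational URLs appear in the leaked dataset, is harder than a plain string search because such dumps mix full URLs, bare host:port entries, odd casing and trailing paths. The following script is an added example written for this briefing, not code from the original page or from Fortinet; the leaked entries, the organizational domain `example-utility.net` and the address range `203.0.113.0/24` are all constructed placeholders, and an operator would substitute the real leaked file and their own asset inventory.

```python
"""Check whether an organization's assets appear in a leaked list of VPN portal URLs.

Added example (not from the briefing): the leaked entries below are constructed,
not real FortiBleed data, and the organizational domains/networks are placeholders.
"""
import ipaddress
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample of what a leaked-URL dump typically looks like: mixed schemes,
# bare host:port entries, inconsistent casing, trailing paths and junk lines.
SAMPLE_LEAKED_ENTRIES = [
    "https://vpn.example-utility.net:10443/remote/login",
    "HTTPS://SSLVPN.Example-Utility.NET/remote/login?lang=en",
    "203.0.113.10:443",
    "http://firewall.other-company.example/remote/login",
    "198.51.100.77",
    "not a url at all",
]

# Placeholder inventory of the organization's own domains and public address ranges.
ORG_DOMAINS = {"example-utility.net"}
ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Hostnames and IP literals only: letters, digits, dots, hyphens, IPv6 colons.
HOST_RE = re.compile(r"^[a-z0-9.:-]+$")


def extract_host(entry: str) -> Optional[str]:
    """Return the lowercase hostname (or IP literal) from a leaked entry, or None."""
    entry = entry.strip()
    if not entry:
        return None
    # urlsplit only recognises the authority part when a scheme or '//' is present
    candidate = entry if "://" in entry else "//" + entry
    try:
        host = urlsplit(candidate).hostname  # strips port, path, query; lowercases
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".").lower()
    return host if HOST_RE.match(host) else None


def host_belongs_to_org(host: str) -> bool:
    """True if host is an org domain/subdomain or an IP inside an org network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP: match the apex domain itself or any subdomain of it,
        # without matching unrelated names that merely end in the same text.
        return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)
    return any(addr in net for net in ORG_NETWORKS)


def find_exposed(entries) -> List[str]:
    """Return the de-duplicated, sorted list of org hosts found in the leaked entries."""
    hits = set()
    for entry in entries:
        host = extract_host(entry)
        if host and host_belongs_to_org(host):
            hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    for host in find_exposed(SAMPLE_LEAKED_ENTRIES):
        print("EXPOSED:", host)
```

Any host it reports should drive credential rotation and a log review for that specific portal; a clean result only means the inventory you fed it did not match, so the rotation advice above still applies.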
For Microsoft Defender Zero-Day:
- Monitor Microsoft Security Response Center for patch announcements
- Implement application whitelisting to prevent unauthorized executables
- Restrict local administrator privileges where possible
- Enable enhanced logging for privilege escalation detection
For AI Tool Security:
- Audit all IDE plugins and browser extensions
- Implement allowlisting for approved development tools
- Review npm dependencies for Mastra framework packages
- Establish policies for AI API key management and rotation
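Reviewing npm dependencies for Mastra packages means finding every `@mastra/*` entry in a lockfile, including ones pulled in transitively and nested under other packages. The script below is an added example for this briefing, not code from the page or from the Mastra project. The two lockfiles are constructed, and because the briefing does not identify which versions were compromised, the script reports every package in the scope for manual checking against the maintainers' advisory rather than matching a version list.

```python
"""List every package from a given npm scope found in a package-lock.json.

Added example, not from the briefing or the Mastra project. Both lockfiles below
are constructed. The briefing does not list the compromised @mastra/* versions,
so every package in the scope is reported for manual verification.
"""
import json
from typing import Dict, List, Tuple

# Constructed lockfileVersion 3 layout: "packages" keyed by install path, so a
# transitive copy appears under a nested node_modules/ path.
SAMPLE_LOCK_V3 = json.loads(r'''
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"@mastra/core": "^0.1.0"}},
    "node_modules/@mastra/core": {"version": "0.1.4"},
    "node_modules/@mastra/core/node_modules/@mastra/memory": {"version": "0.0.9"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/@other/thing": {"version": "2.0.0"}
  }
}
''')

# Constructed lockfileVersion 1 layout: a nested "dependencies" tree instead.
SAMPLE_LOCK_V1 = json.loads(r'''
{
  "name": "legacy-app",
  "lockfileVersion": 1,
  "dependencies": {
    "@mastra/core": {
      "version": "0.1.2",
      "dependencies": {"@mastra/rag": {"version": "0.0.3"}}
    },
    "express": {"version": "4.18.2"}
  }
}
''')


def package_name_from_path(install_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (text after the last node_modules/)."""
    return install_path.rsplit("node_modules/", 1)[-1]


def scoped_packages(lock: Dict, scope: str = "@mastra") -> List[Tuple[str, str]]:
    """Return sorted (name, version) pairs for every package in `scope`, any lockfile version."""
    prefix = scope + "/"
    found = set()

    # lockfileVersion 2/3: flat map of install paths; "" is the project root itself.
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        name = package_name_from_path(path)
        if name.startswith(prefix):
            found.add((name, meta.get("version", "unknown")))

    # lockfileVersion 1: recursive "dependencies" tree.
    def walk(deps: Dict) -> None:
        for name, meta in deps.items():
            if name.startswith(prefix):
                found.add((name, meta.get("version", "unknown")))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(found)


if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for name, version in scoped_packages(lock):
            print(f"REVIEW: {name}@{version}")
```

Run it against each project's committed lockfile rather than `package.json`, since the lockfile records the versions actually installed; any hit is then compared with the versions the maintainers list as affected before deciding whether to pin, roll back or rebuild.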
Resilience and Continuity Planning
Lessons Learned from Recent Incidents
Analysis of 22,000 Breaches: CSO Online has published research examining lessons from 22,000 security breaches with key findings for incident preparedness:
- Organizations consistently overestimate their emergency response capabilities
- Gap between confidence levels and actual response effectiveness remains significant
- Regular testing and validation of response procedures is essential
Emergency Response Gap Analysis: Security Magazine reports that organizations' emergency response fails to match confidence levels:
- Nearly 50% of organizations faced lateral movement attacks in the past year
- Self-assessment of response capabilities often exceeds actual performance
- Tabletop exercises and simulations should be conducted regularly to identify gaps
Supply Chain Security Developments
Software Supply Chain Risks: This week's incidents highlight ongoing supply chain security challenges:
- Mastra npm Compromise: 144 packages compromised through single contributor account hijacking
- JetBrains Marketplace: 15 malicious plugins published to trusted marketplace
- Fortinet Credential Leak: Demonstrates risks of centralized security infrastructure
Recommended Supply Chain Controls:
- Implement software composition analysis (SCA) for all development projects
- Establish vendor security assessment programs
- Monitor for compromises in critical dependencies
- Develop incident response procedures for supply chain compromises
Cross-Sector Dependencies
Microsoft Infrastructure Dependencies: The DragonForce ransomware group's abuse of Microsoft Teams relay servers highlights risks associated with dependencies on cloud infrastructure:
- Legitimate service abuse complicates network-based detection
- Organizations should implement behavioral analysis for cloud service usage
- Consider implementing cloud access security broker (CASB) solutions
Fortinet Ecosystem Impact: The combination of FortiBleed credential leak and FortiSandbox exploitation affects organizations across all critical infrastructure sectors:
- Coordinated response may be necessary for sector-wide exposure
- Information sharing through ISACs can help identify affected organizations
- Sector-specific guidance may be warranted for OT environments
Regulatory and Policy Developments
Federal Guidelines and Regulatory Changes
AI in Government Operations: The Office of Management and Budget has disclosed widespread AI use in automating government processes. Critical infrastructure organizations working with federal agencies should:
- Review AI-related contract requirements
- Understand how AI automation may affect compliance obligations
- Prepare for potential AI governance requirements in federal contracts
International Policy Developments
EU Cybersecurity Reserve Expansion: The addition of Ukraine to the EU Cybersecurity Reserve demonstrates continued international cooperation on cyber defense. This may influence:
- Threat actor targeting decisions
- Information sharing arrangements
- International incident response coordination
Estonia AI Agent Identity Framework: Estonia's planned government IDs for AI agents represent a novel regulatory approach that may influence future AI governance frameworks globally. Organizations should monitor this development for potential implications for AI deployment and accountability.
Google Privacy Changes: From August 3, 2026, Google will use IP addresses from UK, EEA, and Switzerland users for ad measurement and personalization. This development comes as the UK Information Commissioner's Office weighs new consent rules and may affect data protection compliance strategies.
Compliance Considerations
CISA BOD Compliance: Federal agencies must patch the Joomla JCE vulnerability by June 20, 2026. While not binding on private sector organizations, this deadline serves as a useful benchmark for patch prioritization.
AI Risk Management: CSO Online has published guidance on 5 AI risk management frameworks for addressing key security gaps. Organizations deploying AI should evaluate these frameworks for applicability to their environments.
Training and Resource Spotlight
Security Operations Challenges
SANS Institute SOC Study: The SANS Institute has released findings indicating that staffing remains the top SOC challenge even as AI adoption increases:
- Few SOCs have built AI into defined workflows despite widespread adoption
- Alert fatigue continues to challenge security teams
- Manual processes remain prevalent despite automation opportunities
AI Threats and Alert Fatigue: A Filigran survey at Infosecurity Europe 2026 reveals AI-powered attacks as the top concern for cybersecurity teams, with false positives and alert fatigue draining resources.
Frameworks and Best Practices
AI Risk Management Frameworks: Organizations should review the 5 AI risk management frameworks identified by CSO Online for addressing security gaps in AI deployments.
Capture the Flag (CTF) for AI Readiness: Security Magazine reports that CTFs are becoming a critical measure of AI readiness as AI becomes more deeply embedded in security workflows. Organizations should consider incorporating AI-focused CTF exercises into training programs.
Tools and Technologies
AI Security Startups:
- Tenet Security: Has emerged from stealth with $6 million in seed funding, focusing on detecting and stopping dangerous AI agentic behavior in real time.
- 1Password/Apono: The acquisition of Apono brings just-in-time access governance capabilities for humans, machines, and AI agents.
Email Security Considerations: Microsoft claims additional email security tools are unnecessary, but security experts advise caution. Organizations should evaluate their email security posture based on specific threat models rather than vendor claims.
Looking Ahead: Upcoming Events
Conferences and Workshops
| Date | Event | Focus Area |
|---|---|---|
| June 22, 2026 | NIST Workshop on Hardware CPE and CVSS Updates | Hardware vulnerability representation and scoring |
| June 25, 2026 | Iris Experts Group Annual Meeting | Biometric recognition for government applications |
| July 21, 2026 | NCCoE Cybersecurity Connections: Mobile Driver's Licenses | Digital identity and mobile credentials |
| July 21, 2026 | 2026 Time and Frequency Seminar | Precision timing for critical infrastructure |
| September 2, 2026 | Safeguarding Health Information: HIPAA Security 2026 | Healthcare security and HIPAA compliance |
Key Dates and Deadlines
- June 20, 2026: CISA deadline for federal agencies to patch Joomla JCE vulnerability
- June 22, 2026: Expected end of India's Telegram ban
- August 3, 2026: Google begins using UK/EEA/Switzerland IP addresses for ad personalization
Threat Periods Requiring Heightened Awareness
- Immediate: Active exploitation of Fortinet FortiSandbox vulnerabilities from multiple threat actors
- Ongoing: FortiBleed credential leak creates extended window for unauthorized access attempts
- Pending: Microsoft Defender zero-day remains unpatched with public PoC available
Seasonal Considerations
As organizations approach the summer months in the Northern Hemisphere:
- Reduced staffing levels may impact incident response capabilities
- Vacation schedules should be coordinated with security coverage requirements
- Automated monitoring and alerting become more critical during reduced staffing periods
- Consider pre-positioning incident response resources before extended holiday periods
This intelligence briefing is compiled from open-source reporting and is intended to support critical infrastructure protection efforts. Recipients are encouraged to share relevant information with sector partners through appropriate information sharing channels.
Report Date: Thursday, June 18, 2026
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.