Splunk RCE Exploited in Active Attacks as FortiBleed Exposes 75,000 Firewall Credentials; Evil Corp's SocGholish Botnet Dismantled
Critical Infrastructure Intelligence Briefing
Report Date: Friday, June 19, 2026
Reporting Period: June 12-19, 2026
1. Executive Summary
This week's threat landscape presents significant challenges for critical infrastructure operators, with multiple high-impact developments requiring immediate attention:
- Active Exploitation Alert: CISA has added CVE-2026-20253, a critical Splunk Enterprise vulnerability enabling unauthenticated remote code execution, to its Known Exploited Vulnerabilities catalog. Federal agencies have been given only three days to patch, indicating active exploitation in the wild.
- Massive Credential Exposure: The "FortiBleed" leak has exposed VPN credentials for approximately 75,000 Fortinet/FortiGate firewall devices worldwide, creating immediate risk for organizations relying on these perimeter security devices.
- Major Botnet Disruption: International law enforcement successfully dismantled Evil Corp's SocGholish botnet, taking down 106 servers and remediating nearly 15,000 infected WordPress sites—a significant victory against a prolific cybercriminal operation.
- Nation-State Activity: The UK's NCSC reports that 75% of cyber-attacks targeting British critical infrastructure originate from nation-state actors. Separately, Chinese threat actors have been conducting a year-long undetected campaign targeting AI, cybersecurity, and national defense research.
- Industrial Cybersecurity Consolidation: Accenture's $4.18 billion acquisition of majority stakes in Dragos, runZero, and NetRise signals major investment in operational technology (OT) security as AI-driven threats to critical infrastructure intensify.
- ICS Vulnerability Surge: CISA released seven ICS advisories affecting Schneider Electric, Mitsubishi Electric, Rockwell Automation, and other vendors widely deployed in energy and manufacturing sectors.
2. Threat Landscape
Nation-State Threat Actor Activities
- Chinese APT Targeting Research Institutions: A sophisticated campaign attributed to Chinese threat actors has targeted artificial intelligence, cybersecurity, and national defense research organizations. The campaign remained undetected for more than one year, highlighting advanced tradecraft and persistent access objectives. Organizations in these sectors should conduct thorough network reviews for indicators of compromise.
Source: Security Magazine
- Volt Typhoon Infrastructure Reconnaissance: Water ISAC reports (TLP:AMBER) that indicators of compromise associated with the Chinese state-sponsored group Volt Typhoon have been observed performing network enumeration against Utah infrastructure. This aligns with ongoing concerns about pre-positioning for potential disruptive attacks against U.S. critical infrastructure.
Source: Water ISAC
- UK Critical Infrastructure Under Siege: NCSC CEO Richard Horne disclosed that hostile nation-states are responsible for 75% of cyber-attacks targeting UK critical infrastructure, underscoring the persistent threat from state-sponsored actors across multiple sectors.
Source: Infosecurity Magazine
- Iranian Retaliation Concerns: Water ISAC has issued an updated situation report (TLP:AMBER+STRICT) regarding the heightened threat environment and potential retaliation by Iranian threat actors following recent U.S. military strikes. Critical infrastructure operators should maintain elevated vigilance.
Source: Water ISAC
Ransomware and Cybercriminal Developments
- INC Ransomware Emerges as Major Threat: Security researchers have documented INC ransomware's evolution from a nascent ransomware-as-a-service (RaaS) operation to one of 2026's most prolific cybercrime groups, claiming over 830 victims since 2023. Critical infrastructure operators should ensure detection capabilities address INC's known TTPs.
Source: The Hacker News
- Gentlemen RaaS Develops EDR Killer Suite: The Gentlemen ransomware-as-a-service operation is actively developing and maintaining multiple endpoint detection and response (EDR) killers to help affiliates evade security controls. This represents a concerning trend of ransomware operators investing in defensive evasion capabilities.
Source: Bleeping Computer
- DragonForce Abuses Microsoft Teams for C2: DragonForce ransomware operators have been observed using a custom Go-based RAT called "Backdoor.Turn" to conceal command-and-control traffic within Microsoft Teams relay infrastructure, making detection significantly more challenging for defenders.
Source: The Hacker News
- Evil Corp SocGholish Botnet Disrupted: A coordinated international law enforcement operation successfully dismantled Evil Corp's SocGholish botnet infrastructure, taking down 106 servers and cleaning nearly 15,000 infected WordPress sites. While a significant victory, organizations should remain vigilant for reconstitution efforts.
Source: CyberScoop
- "Icarus" Salesforce Data Theft Campaign: Threat actors dubbed "Icarus" exploited an OAuth breach at market intelligence platform Klue to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign. This supply chain compromise highlights third-party risk management challenges.
Source: Bleeping Computer
Emerging Attack Vectors
- China-Linked UNC6508 Targeting REDCap Servers: The majority of internet-accessible REDCap research data collection servers remain outdated and are being actively targeted by China-linked threat group UNC6508 for initial access and backdoor deployment. Healthcare and research organizations using REDCap should prioritize patching.
Source: SecurityWeek
- USB Worm Spreading Crypto-Stealing Malware: Microsoft has disclosed a Windows-based cryptocurrency clipper campaign active since February 2026 that spreads via USB shortcut (LNK) files and uses Tor-based command-and-control infrastructure. The malware relies on Windows Script Host and ActiveX for execution.
Source: The Hacker News
- Rokarolla Banking Trojan Targets 200 Applications: A new Android banking trojan named Rokarolla enables operators to take full control of infected devices and harvest sensitive information from approximately 200 applications, including financial services apps.
Source: SecurityWeek
- AI Platform Abuse for Malware Delivery: Attackers are abusing Google Ads, GitLab, and Anthropic's Claude AI chatbot to deliver malware, demonstrating continued innovation in leveraging legitimate platforms for malicious purposes.
Source: CSO Online
- Popa Botnet Linked to Israeli Firm: Security researcher Brian Krebs has linked the "Popa" Android botnet—which has compromised millions of consumer TV boxes for advertising fraud, account takeovers, and data theft—to a publicly traded Israeli company.
Source: KrebsOnSecurity
Physical Security Threats
- Coordinated Attack Plot Disrupted: Water ISAC reports (TLP:AMBER) that five individuals were arrested in connection with a plot to target government officials and attendees at a UFC event at the White House in what was described as a "complex coordinated attack." This underscores the continued convergence of physical and cyber threats to high-profile events.
Source: Water ISAC
- Ideologically Motivated Threats to Water Sector: Water ISAC has issued an alert (TLP:AMBER) regarding ideologically motivated online threats directed against water and wastewater utilities, highlighting the heightened critical infrastructure threat environment.
Source: Water ISAC
3. Sector-Specific Analysis
Energy Sector
ICS Vulnerabilities Affecting Energy Infrastructure:
- Schneider Electric Products: CISA released multiple advisories affecting Schneider Electric Easergy, EcoStruxure, PowerLogic, Saitel DP, and EasyLogic T150 products widely deployed in energy sector environments. Successful exploitation could allow attackers to impact grid monitoring and control systems.
Source: CISA ICS Advisory
- Mitsubishi Electric MELSEC iQ-F Series: Two advisories address vulnerabilities in Mitsubishi Electric's MELSEC iQ-F Series and FX5-ENET/IP Ethernet Module, commonly used in industrial automation including energy sector applications.
Source: CISA ICS Advisory
- Rockwell Automation FactoryTalk Historian: Vulnerabilities in Rockwell Automation's FactoryTalk Historian Site Edition could impact historical data collection and analysis capabilities critical for energy operations.
Source: CISA ICS Advisory
Analyst Note: Energy sector operators should prioritize review of these advisories and implement vendor-recommended mitigations. The concentration of vulnerabilities in widely-deployed industrial control system components warrants immediate attention.
Water & Wastewater Systems
- FortiBleed Credential Exposure: Water ISAC has issued a TLP:GREEN Security & Resilience Update regarding the "FortiBleed" credential exposure campaign. Water utilities using Fortinet/FortiGate devices should immediately verify whether their credentials have been compromised and rotate all potentially affected credentials.
Source: Water ISAC
- Volt Typhoon Reconnaissance: The reported network enumeration activity by Volt Typhoon-associated infrastructure against Utah systems is particularly concerning given the group's documented interest in water sector targets and pre-positioning for potential disruptive operations.
- Email Impersonation Risks: Water ISAC has issued guidance (TLP:CLEAR) noting that email impersonation remains a persistent risk for water utilities, emphasizing the need for robust email authentication and employee awareness training.
Source: Water ISAC
- Ideologically Motivated Threats: The heightened threat environment includes ideologically motivated actors specifically targeting water and wastewater utilities. Operators should review physical and cyber security postures accordingly.
Communications & Information Technology
- Splunk Enterprise Under Active Attack: CVE-2026-20253 in Splunk Enterprise enables unauthenticated remote code execution and is being actively exploited. CISA's three-day patch deadline for federal agencies underscores the severity. Organizations using Splunk should patch immediately.
Source: SecurityWeek
- Critical NGINX Vulnerabilities: F5 has released out-of-band patches for two critical NGINX Open Source vulnerabilities that could allow remote, unauthenticated attackers to cause service restarts and potentially execute arbitrary code. Given NGINX's widespread deployment, this affects numerous critical infrastructure organizations.
Source: SecurityWeek
- Cisco ISE Command Execution Flaw: A critical vulnerability in Cisco Identity Services Engine (ISE) allows attackers to gain access to the underlying operating system and elevate privileges to root through insufficient input validation.
Source: SecurityWeek
- FortiBleed Credential Leak: The exposure of VPN credentials for approximately 75,000 Fortinet/FortiGate devices creates significant risk for organizations relying on these perimeter security appliances. Affected organizations should assume compromise and take immediate remediation steps.
Source: CSO Online
- WordPress Supply Chain Attack: Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases through the vendor's official update system, highlighting ongoing risks in software supply chains.
Source: Bleeping Computer
Healthcare & Public Health
- REDCap Server Vulnerabilities: The majority of internet-accessible REDCap servers—widely used for clinical research data collection—remain outdated and are being actively targeted by China-linked UNC6508. Healthcare and research organizations should audit and patch REDCap installations immediately.
Source: SecurityWeek
- Insider Threat Case: The UK Information Commissioner's Office (ICO) has cautioned a healthcare worker following an incident involving the attempted sale of the Princess of Wales's medical records, highlighting persistent insider threat risks in healthcare environments.
Source: Infosecurity Magazine
- Upcoming HIPAA Security Conference: HHS Office for Civil Rights and NIST are hosting "Safeguarding Health Information: Building Assurance through HIPAA Security 2026" on September 2, 2026, providing guidance on updated security requirements.
Source: NIST
Financial Services
- Rokarolla Banking Trojan: The new Android banking trojan targets approximately 200 applications including financial services apps, enabling device takeover and sensitive data harvesting. Financial institutions should alert customers and enhance mobile security guidance.
Source: SecurityWeek
- PCI DSS Compliance Concerns: New PCI DSS requirements regarding checkout page scripts are creating compliance challenges for organizations processing payment card data. Independent assessor testing has validated tools like Reflectiz for addressing these requirements.
Source: The Hacker News
- Salesforce Data Theft Campaign: The "Icarus" threat actors' exploitation of the Klue OAuth breach to steal Salesforce CRM data affects multiple organizations and demonstrates supply chain risks to financial services firms using third-party platforms.
Transportation Systems
- AVer PTC Camera Vulnerabilities: CISA has issued an advisory for vulnerabilities in AVer PTC cameras, which may be deployed in transportation monitoring applications. Successful exploitation could compromise surveillance capabilities.
Source: CISA ICS Advisory
Latin American Infrastructure
- Operation Escaneo: CloudSEK has mapped "Operation Escaneo," a campaign actively exploiting Fortinet and Ivanti vulnerabilities to target Latin American critical infrastructure. Organizations in the region should prioritize patching these perimeter devices.
Source: Infosecurity Magazine
Asia-Pacific Region
- Cybercrime Surge: Interpol reports that cybercrime now accounts for one-third of all crime in over half of Asia and South Pacific countries, driven by rapid digitalization. This trend has implications for multinational critical infrastructure operators with APAC presence.
Source: Infosecurity Magazine
4. Vulnerability & Mitigation Updates
Critical Vulnerabilities Requiring Immediate Attention
| Product | CVE/Advisory | Severity | Status | Action Required |
|---|---|---|---|---|
| Splunk Enterprise | CVE-2026-20253 | Critical | ACTIVELY EXPLOITED | Patch within 72 hours |
| NGINX Open Source | Multiple | Critical | Patch Available | Immediate patching |
| Cisco ISE | Command Injection | Critical | Patch Available | Immediate patching |
| Fortinet/FortiGate | FortiBleed Exposure | High | Credentials Leaked | Credential rotation |
| Schneider Electric (Multiple) | ICSA-26-169-04/07 | High | Advisory Released | Review and mitigate |
| Mitsubishi Electric MELSEC | ICSA-26-169-05/06 | High | Advisory Released | Review and mitigate |
| Rockwell FactoryTalk Historian | ICSA-26-169-03 | High | Advisory Released | Review and mitigate |
CISA ICS Advisories (June 18, 2026)
- ICSA-26-169-01: AVer PTC Cameras
- ICSA-26-169-02: AzeoTech DAQFactory
- ICSA-26-169-03: Rockwell Automation FactoryTalk Historian Site Edition
- ICSA-26-169-04: Schneider Electric EasyLogic T150 and Saitel DP
- ICSA-26-169-05: Mitsubishi Electric MELSEC iQ-F Series
- ICSA-26-169-06: Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module
- ICSA-26-169-07: Schneider Electric Easergy, EcoStruxure, PowerLogic, and Saitel Products
Additional Patches and Updates
- Oracle Critical Patch Update: Oracle has released 245 new security patches, all rated as "high-priority security" fixes. Organizations using Oracle products should review and prioritize deployment.
Source: CSO Online
- Atlassian Security Updates: Atlassian has patched dozens of flaws in third-party dependencies across its product portfolio.
Source: SecurityWeek
- Splunk AI Toolkit: In addition to the actively exploited vulnerability, Splunk has patched an OS command injection flaw in its AI Toolkit.
Source: SecurityWeek
- Apple Beats Studio Buds: Apple has patched a high-severity flaw in Beats Studio Buds that could allow attackers in Bluetooth range to eavesdrop on conversations.
Source: Bleeping Computer
- Microsoft Windows Server 2016: Microsoft has fixed a known issue causing June 2026 security updates to fail on Windows Server 2016 systems that weren't up to date.
Source: Bleeping Computer
Recommended Defensive Measures
- FortiBleed Response:
  - Check if your organization's Fortinet devices appear in the leaked dataset
  - Immediately rotate all VPN credentials regardless of confirmed exposure
  - Review VPN access logs for unauthorized access attempts
  - Implement multi-factor authentication if not already in place
  - Consider network segmentation to limit lateral movement potential
- Splunk Enterprise:
  - Apply patches immediately; do not wait for scheduled maintenance windows
  - If patching is not immediately possible, implement network-level access controls
  - Monitor for indicators of compromise associated with exploitation
- ICS/OT Environments:
  - Review all seven CISA ICS advisories for applicability to your environment
  - Implement vendor-recommended mitigations where patches cannot be immediately applied
  - Ensure network segmentation between IT and OT environments
  - Monitor for anomalous traffic patterns to/from industrial control systems
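The "review VPN access logs" step of the FortiBleed response above is the one most teams have to do by hand. The Python script below is an added example, not part of this briefing or of any Fortinet tool: it parses constructed FortiGate-style key=value log lines, builds a per-user baseline of source IPs from successful logins before an assumed exposure date, and then flags post-exposure logins from IPs never seen for that account (with the number of failed attempts that preceded them from the same IP) and any single post-exposure IP used by more than one account. The field names (date, time, action, user, remip), the action values, the sample lines and the exposure date are all assumptions; check them against your own device's log output before running it on real data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in FortiGate-style key=value syslog format.
# The field names and action values below are assumptions modelled on
# FortiGate VPN event logs; confirm them against your own device output.
SAMPLE_LOGS = """\
date=2026-06-10 time=08:02:11 type=event subtype=vpn action=tunnel-up tunneltype=ssl-web user="alice" remip=203.0.113.10
date=2026-06-11 time=08:05:40 type=event subtype=vpn action=tunnel-up tunneltype=ssl-web user="bob" remip=203.0.113.11
date=2026-06-16 time=02:13:05 type=event subtype=vpn action=ssl-login-fail reason="sslvpn_login_permission_denied" user="alice" remip=198.51.100.77
date=2026-06-16 time=02:13:09 type=event subtype=vpn action=tunnel-up tunneltype=ssl-web user="alice" remip=198.51.100.77
date=2026-06-16 time=02:14:30 type=event subtype=vpn action=tunnel-up tunneltype=ssl-web user="bob" remip=198.51.100.77
date=2026-06-17 time=09:00:01 type=event subtype=vpn action=tunnel-up tunneltype=ssl-web user="bob" remip=203.0.113.11
"""

# Assumed cut-over date: logins before it form the per-user baseline,
# logins on or after it are reviewed against that baseline.
EXPOSURE_DATE = datetime(2026, 6, 15)

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict; quoted values keep their spaces."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def parse_logs(text):
    """Parse all non-empty lines and attach a datetime built from date+time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        f["ts"] = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        events.append(f)
    return events


def review_vpn_logins(events, exposure_date):
    """Return findings for the post-exposure window.

    new_source_ip:    a successful login from an IP the account never used before
                      the exposure date, with the count of failed logins from that
                      IP for the same account since the exposure date.
    shared_source_ip: one post-exposure IP that logged in as several accounts.
    """
    baseline = defaultdict(set)      # user -> set of pre-exposure source IPs
    failures = defaultdict(int)      # (user, remip) -> post-exposure failed logins
    users_per_ip = defaultdict(set)  # remip -> accounts seen post-exposure
    findings = []

    for e in events:
        action = e.get("action")
        if e["ts"] < exposure_date:
            if action == "tunnel-up":
                baseline[e["user"]].add(e["remip"])
            continue
        if action == "ssl-login-fail":
            failures[(e["user"], e["remip"])] += 1
        elif action == "tunnel-up":
            users_per_ip[e["remip"]].add(e["user"])
            if e["remip"] not in baseline.get(e["user"], set()):
                findings.append({
                    "kind": "new_source_ip",
                    "user": e["user"],
                    "remip": e["remip"],
                    "ts": e["ts"].isoformat(),
                    "prior_failures": failures[(e["user"], e["remip"])],
                })

    for ip, users in users_per_ip.items():
        if len(users) > 1:
            findings.append({"kind": "shared_source_ip", "remip": ip, "users": sorted(users)})
    return findings


def main():
    for finding in review_vpn_logins(parse_logs(SAMPLE_LOGS), EXPOSURE_DATE):
        print(finding)


if __name__ == "__main__":
    main()
```

Replace SAMPLE_LOGS with an export of your own VPN event logs and set EXPOSURE_DATE to when you first learned of the leak. A single unfamiliar IP logging in as several accounts in quick succession is the finding to triage first, since it is consistent with someone working through a list of leaked credentials; a new IP for one account with no failures beforehand may just be a user on a new connection, and confirming that is part of the credential rotation conversation you should be having with them anyway.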
5. Resilience & Continuity Planning
Lessons Learned from Recent Incidents
- SocGholish Botnet Takedown: The successful disruption of Evil Corp's SocGholish infrastructure demonstrates the value of coordinated public-private action. However, organizations should:
  - Not assume the threat is eliminated—reconstitution is likely
  - Verify WordPress installations are clean and updated
  - Implement web application firewalls and content security policies
  - Maintain detection capabilities for SocGholish indicators
- Klue/Salesforce Supply Chain Incident: The "Icarus" campaign exploiting OAuth vulnerabilities highlights critical supply chain security considerations:
  - Audit third-party application OAuth permissions regularly
  - Implement least-privilege access for integrated applications
  - Monitor for anomalous data access patterns in CRM systems
  - Maintain incident response procedures for third-party breaches
Source: Recorded Future
Supply Chain Security Developments
- WordPress Plugin Supply Chain Attack: The ShapedPlugin compromise demonstrates that even official vendor update channels can be weaponized. Organizations should:
  - Implement integrity verification for software updates where possible
  - Maintain awareness of vendor security incidents
  - Consider staged rollouts for plugin and software updates
  - Monitor for behavioral changes following updates
- Open Source Software Risks: Analysis of the TeamPCP threat group's success targeting open-source software highlights industry-wide challenges in balancing development speed with security. Organizations should evaluate their open-source dependencies and implement software composition analysis.
Source: CyberScoop
Cross-Sector Dependencies
- Fortinet/FortiGate Exposure: The FortiBleed credential leak affects organizations across all critical infrastructure sectors. Given the widespread deployment of Fortinet devices for perimeter security, this represents a cross-sector risk requiring coordinated response.
- Splunk Enterprise: As a widely-deployed SIEM and log management platform across critical infrastructure, the actively exploited Splunk vulnerability creates potential visibility gaps if systems are compromised or taken offline for patching.
- NGINX Dependencies: The critical NGINX vulnerabilities affect web infrastructure across multiple sectors. Organizations should inventory NGINX deployments including those embedded in other products and appliances.
AI and Autonomous Systems Considerations
- Orphaned AI Agents: Security researchers highlight emerging risks from autonomous AI agents with access to enterprise systems where authorization and accountability chains are unclear. Organizations deploying AI agents should:
  - Maintain clear documentation of AI agent authorizations
  - Implement monitoring for AI agent activities
  - Establish procedures for AI agent lifecycle management
  - Consider AI agents in access reviews and privilege audits
Source: The Hacker News
6. Regulatory & Policy Developments
Legislative Activity
- No FAKES
Disclaimer
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.