top of page

Cybersecurity Weekly Update: 15–22 June 2026

  • Writer: SOC Team
    SOC Team
  • 3 days ago
  • 5 min read

1. NCSC Warns: Hostile States Behind 75% of Attacks on Critical Infrastructure


During his annual lecture at the Royal United Services Institute (RUSI), NCSC Chief Executive Dr. Richard Horne issued a stark warning: the UK and its Western allies are locked in an "ongoing contest with capable adversaries." Horne revealed that the NCSC managed over 200 cyber incidents targeting critical national infrastructure (CNI) and its supporting digital ecosystems over the past year, with a staggering 75% traced directly to hostile nation-states, including Russia, China, and Iran.


The agency highlighted that state actors are actively "prepositioning" themselves inside networks—establishing covert footholds within the foundational technologies that underpin essential services to enable mass disruption in the event of a geopolitical conflict. Furthermore, the NCSC released a technical assessment predicting that by 2028, attackers will routinely leverage advanced AI capabilities to discover and exploit known vulnerabilities in legacy systems at an unprecedented scale across CNI.


  • Why it matters: Security is no longer just an IT operational risk to be quantified and managed; it is a live, dynamic geopolitical battlefield. If your organization operates within the supply chain of European or South African critical services, your network architecture is actively being scanned for state-sponsored prepositioning. Organizations must pivot from passive defense models to proactive threat hunting and rigorous Zero Trust implementation.

  • Read the official briefing: NCSC Infrastructure Threat Assessment


2. FortiBleed Leak Exposes VPN Credentials for 74,000 Devices


A massive global credential-harvesting campaign dubbed "FortiBleed" has culminated in the public leak of valid administrative credentials for more than 74,000 Fortinet FortiGate firewalls and VPN gateways worldwide. A Russian-speaking cybercriminal syndicate systematically targeted internet-facing edge devices using highly sophisticated automated brute-force and credential-stuffing methods.  


Alarmingly, the attackers targeted configuration files from active devices, cracking administrator credential hashes using massive, specialized GPU clusters running 45-GPU configurations that executed 1.16 billion guessing attempts per second. This compromise directly opens the door for attackers to gain full administrative or VPN access to victim networks, allowing them to bypass outer defenses completely.  


  • Why it matters: Edge infrastructure firewalls and VPNs are supposed to be your organization's castle walls. When administrative credentials for these systems are compromised, attackers do not need to exploit software flaws to break in—they can simply log in with full rights. From there, they can move laterally into internal networks, modify security rules, or fully compromise connected internal infrastructure like Active Directory or LDAP systems.

  • Read the technical advisory: FortiBleed Credential Leak Advisory


3. Salesforce Data Thefts Continue via Klue App Compromise


A sophisticated supply chain compromise has hit market intelligence provider Klue, triggering downstream access breaches at several major cybersecurity vendors, including Huntress, ReliaQuest, Recorded Future, Jamf, and Tanium. An unauthorized threat actor exploited an infrastructure intrusion to steal OAuth tokens—the secure digital keys that allow software applications to share data behind the scenes without exposing master passwords.  


The new "Icarus" extortion group has claimed responsibility for the attack. Armed with these tokens, the attackers successfully impersonated Klue to gain unauthorized entry into the connected Salesforce environments of Klue’s high-profile customers, enabling them to exfiltrate highly sensitive enterprise customer data before the integration was disabled by Salesforce.


  • Why it matters: This incident highlights the acute risk of "token abuse" in modern corporate software ecosystems. Even if your organization maintains flawless internal endpoint security, an insecure or forgotten legacy credential at a third-party vendor can compromise your trusted integrations. Security teams must immediately audit all active OAuth permissions and third-party API tokens interacting with core enterprise platforms like Salesforce.

  • Read the breach breakdown: Klue Supply Chain Integration Breach


4. Operation Endgame Hits SocGholish Malware Network, 14,971 Websites Cleaned


An international law enforcement coalition has delivered a massive blow to the infrastructure powering the notorious SocGholish (FakeUpdates) malware framework. Coordinated global operations successfully dismantled backend server networks and sanitized 14,971 compromised WordPress websites that were being used as watering holes to distribute malware.


SocGholish has long been a primary initial access vector for ransomware syndicates, tricking users into installing malicious payloads via fake browser update prompts. By taking out thousands of these distribution nodes simultaneously, law enforcement has significantly disrupted the automated delivery pipelines used to target enterprise networks.


  • Why it matters: While this operation represents a massive victory for global defenders, the threat landscape is already compensating. Ransomware operators are actively seeking alternative initial delivery mechanisms. Educational and healthcare systems remain highly vulnerable to these types of drive-by download attacks due to diverse user bases and varying endpoint patch levels.

  • Read the breakdown: Operation Endgame Disruption


Vulnerabilities & Patches


1. Microsoft Exchange Server Spoofing (CVE-2026-42897)


This zero-day vulnerability is actively being exploited in the wild. It allows an attacker to send a specially crafted email that, when opened via Outlook Web Access (OWA), forces arbitrary malicious JavaScript code to execute inside the victim's web browser to steal credentials or hijack sessions.


  • Action Required: Verify that the Exchange Emergency Mitigation Service (EEMS) is active on your servers and apply the official Microsoft security update immediately.

  • Read more: Microsoft Vulnerability Catalog


2. Windows Kernel Remote Code Execution (CVE-2026-45657)


A devastating flaw in the core Windows Kernel that allows an unauthenticated, remote attacker to execute arbitrary code with full SYSTEM level privileges without requiring any form of user interaction.


  • Action Required: Prioritize this patch on all high-value Windows servers and internet-facing endpoints across enterprise infrastructure.

  • Read more: Microsoft Vulnerability Catalog


Geopolitical Threats


1. Russian "NoName" Cyber Network Shifts Tactics to Local Proxy Operations


A prominent, Kremlin-linked threat group known as NoName057(16) has significantly escalated its activities in Europe. An investigation revealed that the collective is aggressively moving beyond traditional Distributed Denial of Service (DDoS) digital disruptions. The group has been actively recruiting local criminal proxies inside European target nations, using secure Telegram channels and cryptocurrency payments routed through blacklisted, sanctioned exchanges like Garantex.  


The handlers use these proxies to execute hybrid physical sabotage operations—including arson attacks and vandalism targeting critical public sectors and political infrastructure—while leveraging their core digital infrastructure to run hyper-focused, divisive propaganda campaigns designed to stoke regional instability.  


  • Why it matters: This represents a dangerous convergence where state-backed cyber capabilities are directly funding physical threat metrics. For entities in defense, telecom, or public infrastructure within Europe, corporate threat models must now bridge physical security controls with network security, particularly regarding monitoring for localized insider threats or proxy activity.

  • Read more: Russian Cyber Sabotage Operations


Key Recommendations


  • Harden Edge Infrastructure: Terminate all active VPN and administrative sessions on Fortinet devices. Force an immediate password reset, mandate MFA, and update to FortiOS versions supporting stronger PBKDF2 hashing.

  • Audit OAuth & API Tokens: Inventory and review all third-party integrations connected to your core corporate platforms (such as your CRM, HR tools, and financial databases). Revoke permissions for any legacy or inactive accounts.  

  • Structure Your Patching Sprints: Do not let update fatigue delay deployment. Task your technical teams with patching high-severity vulnerabilities (HTTP.sys and Exchange Server) within a 48-hour window.

  • Transition to Active Defense: Align your monitoring frameworks with the NCSC's Cyber Assessment Framework. Don't wait for an alert—actively hunt for unusual baseline anomalies that signal unauthorized network persistence.



 
 
bottom of page