🎓️ Vulnerable U | #174

FortiBleed is a bigger nightmare than we thought, Scattered Spider members go to jail, LastPass has another breach, this time via Salesforce, and much more!

Read Time: 9 minutes

Howdy friends!

Writing from rural Nevada outside Lake Tahoe. Sorry for all of you who hang out in my live streams, it’s been hard to find good internet connection in a quiet spot out here. I did stream a few times from the basement of a museum and a closed book store. You have to get creative to keep making content on the road!

I’ve also apparently fallen into this new hobby of scuba diving since my keynote at Descent Cyber and decided to bring my gear and dive in the very cold Lake Tahoe. I was very jealous of the other guy on the boat who was in a dry suit with a heater in it.

ICYMI

🎧️ Something I heard: I heard I’ll be speaking on a panel with Low Level, Clint Gibler, and Daniel Miessler @ PlanetScale HQ during the AI Engineer World’s Fair on Monday

🎤 Something I said: GitHub is not OK

🔖 Something I read: An Open Letter On Transparent AI Cyber Protections

Vulnerable News

A Russian initial access broker has been running a credential harvesting operation called FortiBleed, targeting over 430,000 FortiGate firewalls since at least February. The attacker uses a custom Golang tool called FortigateSniffer that abuses legitimate FortiOS diagnostic commands to passively sniff authentication traffic across 24 protocols. They're SSH brute-forcing their way into exposed firewalls, capturing cleartext credentials and password hashes, then cracking and selling that access. SOCRadar estimates over 110 million credentials have been compromised through 650+ harvesting pipelines.

They're heavily focused on SMBs under 200 employees, and the operation isn't even Fortinet-exclusive despite the name. The threat actor is also hitting Sophos SSL-VPNs, RDWeb portals, MSSQL, Citrix, and grabbing RADIUS, NTLM, and Kerberos data. They successfully cracked Kerberos hashes and exfiltrated DFS backup data from a NATO-aligned defense contractor in June. SOCRadar suspects this Russian-speaking IAB might be providing access to state-sponsored groups or ransomware gangs, illustrating how initial access brokers fuel the broader cybercrime ecosystem. (read this)

Modern network operations are more complex than ever, but the work behind them is still too manual. Security teams are stuck chasing context across tools. IT teams are slowed down by repetitive operational work. The result is slower response, more friction, and duplicated effort.

Tines’ new guide explores how IT and security teams can move faster with fewer manual steps, clearer audit trails, and better operational visibility. Inside, you’ll learn practical ways to streamline incident response, change management, network troubleshooting, and more.

*Sponsored

LastPass with another breach, though this time it's not directly their fault. A market research firm called Klue got hit by an extortion group named Icarus, and since LastPass uses them via their Salesforce integration, customer names, phone numbers, email addresses, physical addresses, and support ticket data all got swept up in the theft. No password vaults were touched this time, which is an important bit.

That said, support ticket data is nothing to brush off - those records tend to contain sensitive fragments like account recovery info and billing details. And given LastPass's 2022 breach, where entire encrypted vaults were stolen and later cracked, their customers are understandably a little jumpy. Klue seems to have a big blast radius: HackerOne, Recorded Future, and Tanium are also on the affected list. Icarus is threatening to release the data if the ransom isn't paid, so this one's still developing. (Read more)

Trend Micro dropped a pretty detailed writeup on a cryptomining campaign targeting Langflow, the AI workflow builder. CVE-2026-33017 is an unauthenticated RCE in Langflow's API that lets attackers just POST a Python payload to a public endpoint - no auth required. From there, a shell script drops a Go-based miner called lambsys that goes full scorched earth: kills rival miners, disables AppArmor, SELinux, and UFW. It then spreads laterally via SSH key reuse to every host the victim can reach. If you're running Langflow exposed to the internet, especially as root on infra with broad SSH access, you've had a bad time.

The malware traces back to a 2019 KORKERDS dropper called is[.]sh, and this one's named isp[.]sh - same SSH worm pattern, same userdel commands for rival miner accounts. The operator has been quietly iterating this toolchain since at least May 2024 with near-zero public visibility. The fix is straightforward - update Langflow to 1.9.0 and stop exposing it to the public internet. (read more)

Two Scattered Spider members, Thalha Jubair (20) and Owen Flowers (18), saved everyone a six-week trial by pleading guilty on day one in the UK. These two were behind the 2024 Transport for London attack, but that's almost the least interesting thing about them. Jubair co-ran a SIM-swapping Telegram channel called Star Chat, was allegedly behind the massive 2022 SMS phishing campaign that hit 130+ organizations including LastPass and Signal, and was selling fake emergency data requests to extract user data from tech companies - all starting at age 15. Flowers, meanwhile, is reportedly the guy who gave those anonymous media interviews bragging about the MGM and Caesars casino hits back in 2023.

The Scattered Spider takedown is slowly but surely wrapping up. Noah Urban already got 10 years last August, Tyler Buchanan pleaded guilty in April and is awaiting sentencing, and three more members still have charges pending. Jubair is also staring down a separate New Jersey federal indictment covering 120 network intrusions across 47 US companies with $115 million in ransom payments. Sentencing for Jubair and Flowers is set for July 15th in London, but something tells me the US will want their turn after that. (read more)

AI-generated exploits don't need sophistication, just a gap you don't know exists.

runZero knows every asset, finds every exposure, and maps every attack path across IT, OT, IoT, cloud, and mobile, then prioritizes the vulnerabilities most likely to be exploited and verifies they're remediated. No agents. No credentials.

Defenders win by default. Even against AI. They also offer a 21-day free trial, so go test it out. (read more)

Nasty one dropped for FFmpeg - CVE-2026-8461, dubbed "PixelSmash," is a heap out-of-bounds write in the MagicYUV decoder that allows RCE via crafted media files. Given that FFmpeg's libavcodec is basically everywhere - video players, media servers, NAS devices, cloud transcoding pipelines - the attack surface here is massive. JFrog confirmed successful exploitation against a pretty impressive list of targets including Jellyfin, Emby, Nextcloud, Immich, Kodi, OBS Studio and more.

The delivery mechanism is a 50KB AVI, MKV, or MOV file that requires zero authentication to trigger. On the server side it fires when a file gets uploaded and auto-processed, and on desktop it can even trigger just by browsing to a folder containing the file if your file manager uses ffmpegthumbnailer for thumbnails. There's even a zero-click torrent attack path if the victim auto-downloads into a monitored media library. Patch to FFmpeg 8.1.2 now, but in reality you're not the one that needs to upgrade it, as it's embedded in so much. Watch for patch notes everywhere this week. (read more)

Kaspersky's flagging an active campaign spreading malicious VBScript files through WhatsApp, hitting users across Malaysia, Brazil, India, and several other countries. The attack is pretty straightforward social engineering - compromised WhatsApp accounts are being used to send contacts what look like business and financial documents ("Financial Reports.vbs"). Once opened, it kicks off a multi-stage infection chain that ends with ManageEngine RMM Central getting installed on the victim's machine, handing the attacker remote access. The campaign's got some interesting obfuscation techniques, with the VBScript files stuffed with fake Windows Update metadata and comments written in Chinese.

Attribution is still up in the air, but Kaspersky found infrastructure overlaps with Gh0st RAT and ValleyRAT activity. The infection chain also behaves slightly differently depending on whether you're using WhatsApp Web vs the Desktop app - in the Desktop version, WhatsApp itself spawns the malicious WScript process, which is a neat trick. Standard advice applies here: if you weren't expecting a file attachment, even from a known contact, don't open it - especially anything ending in .vbs, .js, .ps1, or .bat. (read more)

Microsoft dropped a detailed threat intel report on an active campaign specifically targeting hotel and hospitality staff. Staff are getting phishing emails through Calendly's notification infrastructure (which neatly passes SPF/DKIM/DMARC checks) with lures like bedbug complaints and guest reviews, leading them to download what looks like a photo ZIP. Inside is a fake .png shortcut that kicks off an obfuscated PowerShell chain, ultimately dropping a Node.js implant for C2 persistence. The attacker has been actively evolving their PowerShell obfuscation through seven distinct phases since April 2026, which is a good sign they're watching for detections and adjusting.

What makes this one worth paying attention to is the dual persistence mechanism - they're using both HKCU\Run for the Node.js implant and a RunOnce loop for the PE payload that keeps repopulating itself. Microsoft confirmed that even after Defender blocked the PE payload on a compromised device, the Node.js persistence survived and resumed beaconing two days later. If you're in the Defender/Sentinel world, Microsoft dropped a full set of KQL hunting queries in the article worth grabbing. The campaign is dubbed TonRAT internally, and attribution is currently unknown. (read more)

XM Cyber just showed how a regular macOS user — no admin rights needed — can silently kill enterprise security tools like EDR and MDM agents. The attack chains together some older known primitives (abusing XPC connections and NIB file injection) with a clever new trick: exploiting how the kernel's code-signing trust cache sticks around after a legit signed app runs. Basically, you can inject malicious code that the system still trusts as if it's the real deal, then use it to call privileged functions that shut down security tools.

They demo'd this against CrowdStrike Falcon (completely unloaded it) and Kandji MDM (permanently killed it in two stages). CrowdStrike paid out a bounty and added detection, Kandji patched and got CVE-2026-39118, and a third unnamed EDR vendor is working on fixes. XM Cyber is dropping an open source tool called XPC Hunter at Black Hat 2026 that'll help find these exploitable XPC surfaces across all your installed apps, which should be fun for both sides of the aisle. (read more)

Mandiant caught a threat actor exploiting a zero-day (CVE-2026-20245) in Cisco's SD-WAN Manager to escalate from admin to root access at a service provider. The attack chain started with rogue peering connections—possibly leveraging two other critical auth bypass vulns (CVE-2026-20127 and CVE-2026-20182) that weren't patched yet, or stolen certificates from an earlier compromise. Once in via SSH, the attacker toggled the default admin password back and forth to stay under the radar, then dropped a malicious CSV file called "evil_tenant.csv" through a file upload feature that didn't properly sanitize input. The CSV created a root-privileged account called "troot" by injecting entries into /etc/passwd and /etc/shadow.

The attacker deleted artifacts, restored original configs, and ran a validation script to confirm all traces were scrubbed. They backed up files before modification so the device wouldn't throw alerts from broken configs. This is "living off the edge" tradecraft where network appliances become prime targets because they lack the logging depth for forensics while sitting at the perfect chokepoint for long-term intelligence collection. Cisco's pushed patches (20.9.9.2, 20.12.7.2, and newer versions), and if you're running SD-WAN infrastructure, now's the time to pull admin-tech logs and hunt for suspicious peering connections, rapid-fire password changes, or unexpected su commands to non-standard accounts. (read more)
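The host-side hunt the paragraph above describes (rapid-fire password changes on the admin account, and su to an account that isn't part of the box's baseline, like "troot") can be scripted over the auth logs pulled from an admin-tech bundle. The snippet below is an added example, not Cisco's or Mandiant's tooling; it assumes a generic syslog-style line format and a hypothetical account allowlist, both constructed here, and the real SD-WAN Manager log format must be checked before reusing the regexes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic auth.log style. This is an ASSUMED
# format for illustration, not the real SD-WAN Manager log layout.
SAMPLE_LOG = """\
2026-06-03T10:00:01 vmanage sshd[1201]: Accepted publickey for admin from 198.51.100.7 port 51022
2026-06-03T10:00:05 vmanage passwd[1210]: password for 'admin' changed by 'admin'
2026-06-03T10:00:09 vmanage su[1215]: (to troot) admin on pts/0
2026-06-03T10:00:40 vmanage passwd[1220]: password for 'admin' changed by 'admin'
2026-06-03T11:30:00 vmanage su[1300]: (to root) admin on pts/1
2026-06-03T11:31:00 vmanage passwd[1310]: password for 'admin' changed by 'admin'
"""

# Hypothetical baseline of accounts expected to exist on the appliance.
KNOWN_ACCOUNTS = {"root", "admin", "vmanage"}

PASSWD_RE = re.compile(r"^(?P<ts>\S+) \S+ passwd\[\d+\]: password for '(?P<user>[^']+)' changed")
SU_RE = re.compile(r"^(?P<ts>\S+) \S+ su\[\d+\]: \(to (?P<target>\S+)\) (?P<actor>\S+) on")


def hunt(log_text, known_accounts=KNOWN_ACCOUNTS,
         window=timedelta(minutes=5), min_changes=2):
    """Return (kind, subject, timestamp) findings for the two host-side signals."""
    findings = []
    changes = defaultdict(list)  # user -> list of password-change timestamps
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if m:
            # Any su into an account outside the baseline is worth a look.
            if m.group("target") not in known_accounts:
                findings.append(("su_to_unknown_account", m.group("target"), m.group("ts")))
            continue
        m = PASSWD_RE.match(line)
        if m:
            changes[m.group("user")].append(datetime.fromisoformat(m.group("ts")))
    # Flag any user with >= min_changes password changes inside one window.
    for user, times in changes.items():
        times.sort()
        for i, start in enumerate(times):
            j = i
            while j + 1 < len(times) and times[j + 1] - start <= window:
                j += 1
            if j - i + 1 >= min_changes:
                findings.append(("rapid_password_changes", user, start.isoformat()))
                break
    return findings
```

On the constructed sample this reports the su to "troot" and the two admin password changes 35 seconds apart; the 11:31 change falls outside the window and is not counted.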

The third and final defendant in the 2022 DraftKings credential-stuffing attack just got sentenced. Nathan Austad, aka "Snoopy," is heading to prison for 18 months and has to fork over $1.8 million in restitution and forfeiture. The crew used credentials from other breaches to access 60,000+ accounts, then drained funds or sold the accounts off.

They were apparently joking about the FBI investigation in their own messages while still committing the crimes. All three are now convicted: Garrison got 18 months back in 2024, Stokes got 30 months in April, and now Austad wraps it up. Turns out the FBI could, in fact, do something about it. (read more)

Miscellaneous mattjay

I love this Twitter account, but this might be its magnum opus

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay