Cyber Roundup: Week of June 22
Table of contents
- 1. Fortinet: FortiBleed exposed verified credentials for 75,000 firewalls across 194 countries
- 2. Klue: A compromised legacy credential let Icarus steal Salesforce data from 20 cybersecurity firms
- 3. Cisco: CVE-2026-20245 was used as a zero-day for two months before anyone noticed
- 4. Europol: Amadey and StealC takedown disrupts two of the most widely deployed criminal tools in Europe
- 5. Microsoft: StegoAd hid malware commands inside images to backdoor 2.6 million browsers
- The pattern across all five stories
Here are the main stories you missed last week.
1. Fortinet: FortiBleed exposed verified credentials for 75,000 firewalls across 194 countries
The headline: Security researcher Volodymyr “Bob” Diachenko discovered an exposed threat actor server on June 13 hosting a growing database of verified administrator and SSL VPN credentials for 73,932 Fortinet FortiGate firewalls across 194 countries and more than 21,000 domains. Kevin Beaumont independently verified that sampled credentials were real and active. CISA issued an emergency advisory on June 18 and the UK NCSC published a global warning the same day. Named organizations in the dataset include Samsung, Siemens, Oracle, DHL, Accenture, Foxconn, and a Turkish NATO defense contractor that suffered confirmed exfiltration of classified defense documents. Fortinet itself appears in the list. As Risky Biz reported on June 24, this is significantly worse than a simple credentials leak.
What we’re actually watching: FortiBleed is not a vulnerability. There is no CVE and no patch to apply. The attackers sourced passwords from prior Fortinet breach dumps and infostealer malware logs, tested 1.16 billion authentication attempts against more than 320,000 FortiGate targets, cracked intercepted SSL VPN hashes offline using a 45-GPU cluster, and organized the results by organization name, sector, and estimated revenue. The output is an enriched access inventory built for ransomware targeting and initial access broker sales. You can read CybelAngel’s coverage of this evolving story here.
Diachenko did not find a dark web paste. He found the attackers’ own server, left exposed with directory indexing enabled, containing automated scanning scripts, credential-testing tools, data logs, cron jobs showing the operation’s timing and structure, and bash histories from the operators themselves. This is how researchers reconstructed the campaign methodology with such specificity. The dataset is organized like a product catalogue. Credentials are sorted by country, sector, and revenue. That is not credential stuffing. That is a targeting system.
FortiBleed follows the same playbook as three prior Fortinet incidents going back to 2018. The CVE-2018-13379 incident exposed credentials for roughly 500,000 FortiGate VPNs. The 2021 Belsen dataset added another batch from a zero-day. Each time, unrotated credentials from the previous incident fed the next one. CybelAngel covers the six things you need to know about FortiBleed in detail, including the SSL VPN hash cracking methodology and what to do if your organization appears in the dataset.
The CISO question: If your organization runs Fortinet devices, can you confirm that every admin and SSL VPN credential has been rotated since 2021, that MFA is enforced on all remote and administrative access, and that your management interfaces are not exposed to the public internet?
2. Klue: A compromised legacy credential let Icarus steal Salesforce data from 20 cybersecurity firms
The headline: Hacking group Icarus used a compromised legacy credential associated with an integration service account to access market intelligence platform Klue on June 11-12. From there, they pushed a malicious code update to harvest OAuth tokens that customers had used to connect Klue to Salesforce, Gong, HubSpot, SharePoint, Zoom, Google Drive, and Slack. They then connected to customer Salesforce environments and bulk-exported CRM data using automated scripts. As of June 29, confirmed victims include HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Tanium, LastPass, BeyondTrust, 8×8, Pendo, Sprout Social, Blackbaud, Camunda, Cresta, Deel, Lucanet, Link11, Tines, and Gong, with Risky Biz reporting the list now close to 20. Salesforce disabled the Klue Battlecards integration entirely on June 17. The TechCrunch investigation noted that Klue has no listed cybersecurity leadership on its executive team. CybelAngel covered this breach here.
What we’re actually watching: One compromised service account credential unlocked Salesforce environments at 20 organizations simultaneously. This is the same attack pattern as Snowflake in 2024 and TanStack in 2025. The middleware provider becomes the master key.
Legacy integration credentials do not expire, do not rotate automatically, and do not trigger MFA. They sit in configuration files and service accounts for years, accumulating access across every integration the platform builds. Klue’s credential had access not just to Klue’s own systems but to every OAuth token the platform had issued on behalf of its customers. When the attacker used it, they did not need to compromise any of the individual victim organizations. They inherited the trust that those organizations had already extended to Klue.
The attack targeted cybersecurity firms specifically, and the data stolen from Salesforce tells you why. CRM environments at security companies contain client security posture information, contract details, renewal timelines, pricing structures, and sales-related data about which security products customers are running. For an extortion group, this is leverage. For a nation-state actor looking to prioritize targets, it is a reconnaissance dataset. The Infosecurity Magazine analysis noted that adversaries are increasingly targeting SaaS integrations that hold wide-ranging API permissions and long-lived OAuth tokens as a reliable path into multiple organizations at once.
The CISO question: Can you produce a list of every third-party SaaS platform that holds active OAuth tokens connected to your Salesforce environment, when those tokens were last rotated, and whether any of those platforms hold legacy integration credentials that were created before your current security team took over?
3. Cisco: CVE-2026-20245 was used as a zero-day for two months before anyone noticed
The headline: On June 25, Mandiant published details of active exploitation of CVE-2026-20245, a command injection flaw in Cisco Catalyst SD-WAN Manager, used as a zero-day at least two months before Cisco publicly disclosed it. The attacker uploaded a crafted CSV file through a legitimate management function to write entries to /etc/passwd and /etc/shadow, creating a rogue account with unrestricted shell access. Throughout the intrusion, the attacker backed up configuration files before modifying them, restored them after exploitation, deleted created files, and ran verification scripts to confirm forensic evidence had been eliminated. CISA added CVE-2026-20245 to the Known Exploited Vulnerabilities catalog on June 4 with a June 23 federal remediation deadline. This is the seventh Cisco SD-WAN vulnerability exploited in 2026.
What we’re actually watching: The attacker did not just exploit a flaw. They ran a forensic cleanup operation inside a managed network infrastructure platform, used that platform to push configuration changes to every downstream edge device in the deployment, and left clean logs behind. A clean log review does not confirm you were not affected.
SD-WAN Manager sits at the management plane of an SD-WAN deployment. Successful exploitation does not give you access to one device. It gives you access to the configuration management interface for every edge device in the network. The attacker used legitimate management functions throughout. The exploit payload was a CSV file processed by a real management feature. The rogue account was created through the same file parsing path that administrators use for normal operations. This is the technique that makes post-compromise detection so difficult. Nothing happened that could not have been a normal administrative action.
The two-month dwell time between exploitation and discovery is consistent with a targeted campaign rather than opportunistic scanning. The anti-forensic measures, including configuration backup and restore before and after exploitation, and the use of a cleanup verification script, indicate operational maturity that most enterprise incident response procedures are not designed to catch. If your SD-WAN infrastructure was reachable between March and June 2026, absence of visible evidence is not confirmation of absence of compromise.
The CISO question: For your organization’s SD-WAN infrastructure, have you audited authentication logs for SSH sessions using administrative accounts between November 2025 and June 2026, checked for new accounts with root-level shell access, and confirmed that your incident response procedures can detect compromise through legitimate administrative channels rather than only through anomalous tool usage?
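One way to run the account check the CISO question asks for, as an added example that is not from Mandiant, Cisco, or the original post: a Python audit of passwd- and shadow-format files (the sample files, baseline account set, and baseline change day below are constructed for illustration) that flags UID 0 accounts other than root, accounts missing from an administrator's baseline, and password changes dated after the last sanctioned change, so that an account planted through a legitimate management path still surfaces.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample files (not taken from the incident report): the final entry in
# each models a rogue UID 0 account with an interactive shell added to the appliance.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmanage:x:1001:1001::/home/vmanage:/bin/bash
svc-backup:x:0:0::/var/tmp:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$salt$hash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
vmanage:$6$salt$hash:19700:0:99999:7:::
svc-backup:$6$salt$hash:20520:0:99999:7:::
"""
# Accounts an administrator expects on the appliance, and the most recent day
# (days since 1970-01-01, as /etc/shadow stores it) on which a password change was
# sanctioned. Both values are assumptions for the example.
BASELINE_ACCOUNTS = {"root", "daemon", "vmanage"}
BASELINE_CHANGE_DAY = 20000

@dataclass(frozen=True)
class Finding:
    user: str
    reason: str

def split_records(text, nfields):
    """Split colon-separated records; malformed lines are reported, never skipped silently."""
    records, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        (records if len(fields) == nfields else bad).append(fields if len(fields) == nfields else n)
    return records, bad

def audit_accounts(passwd_text, shadow_text, baseline, baseline_day):
    """Return the set of findings for a passwd/shadow pair against a known-good baseline."""
    findings = set()
    passwd, bad_p = split_records(passwd_text, 7)
    shadow, bad_s = split_records(shadow_text, 9)
    findings |= {Finding(f"passwd line {n}", "malformed entry") for n in bad_p}
    findings |= {Finding(f"shadow line {n}", "malformed entry") for n in bad_s}
    for user, _, uid, _, _, _, shell in passwd:
        if uid == "0" and user != "root":
            findings.add(Finding(user, "UID 0 account other than root"))
        if user not in baseline:
            findings.add(Finding(user, f"account not in baseline (shell {shell})"))
    for user, _, last_change, *_ in shadow:
        if last_change.isdigit() and int(last_change) > baseline_day:
            when = date.fromordinal(date(1970, 1, 1).toordinal() + int(last_change))
            findings.add(Finding(user, f"password set on {when}, after baseline day"))
    return findings
```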
4. Europol: Amadey and StealC takedown disrupts two of the most widely deployed criminal tools in Europe
The headline: Europol and a coalition of security firms took down Amadey, a malware loader used to distribute ransomware, infostealers, and remote access trojans, and StealC, an infostealer used to harvest credentials, browser data, and cryptocurrency wallet information, in a coordinated operation announced June 26. Hundreds of command-and-control servers were disrupted across the operation. Amadey has been active since 2018 and was present in the initial access chains of multiple major ransomware incidents. StealC credentials have appeared in data sales on criminal forums since 2023 and are a known component of the infostealer log ecosystem that feeds campaigns like FortiBleed.
What we’re actually watching: Taking down Amadey and StealC simultaneously removes two components of the same pipeline. Amadey delivers infostealers. StealC harvests credentials. Credentials feed campaigns like FortiBleed. The pipeline is the story, not the individual tools.
Amadey is a loader. Its purpose is to establish a foothold and then deliver secondary payloads. Its presence in a compromised environment means the attacker has not just gained access. They have installed a mechanism for delivering additional tools on demand. Amadey’s eight-year operational lifespan reflects how resilient criminal malware infrastructure becomes once it is embedded across thousands of campaigns. Taking it down removes a distribution layer but does not eliminate the footholds already established on systems where it was previously deployed.
StealC credentials do not disappear when the tool is taken down. Logs harvested over the past three years remain in circulation on criminal marketplaces. The FortiBleed campaign used infostealer logs as one of its two primary credential sources. The datasets those logs produced are still being bought and sold. The Europol operation disrupts new credential harvesting but does not invalidate historical data already integrated into attacker targeting pipelines. Organizations should treat the Amadey and StealC takedown as intelligence about what credential sources attackers have been using, not as confirmation that previously harvested credentials are now safe.
The CISO question: Have you audited whether credentials for your employees or your organization’s infrastructure have appeared in StealC or Amadey-adjacent infostealer logs, and do you have a process for identifying and rotating compromised credentials when they surface in criminal marketplaces rather than waiting for an active attack to confirm exposure?
5. Microsoft: StegoAd hid malware commands inside images to backdoor 2.6 million browsers
The headline: Microsoft’s security team removed 119 malicious Edge extensions from the official Microsoft Edge Add-ons store on June 29 as part of a coordinated disruption of the StegoAd operation. The extensions were published through 90 different developer accounts, shared infrastructure and parts of their codebase, and used steganography to hide malicious commands inside images to evade detection. All 119 extensions delivered genuine functionality but deployed malicious payloads three to five days after installation. The operation also had Chrome and Firefox extensions under its umbrella. More than 2.6 million users downloaded extensions from the group, which has been active since at least 2021. The malicious extensions included ad blockers, color pickers, AI tools, video downloaders, PDF editing tools, and weather apps. The StegoAd operators successfully ported their extensions from the old Manifest V2 standard to the new Manifest V3, which was specifically designed to improve browser extension security.
What we’re actually watching: StegoAd ran for five years across three major browser ecosystems, hid inside 119 extensions that all worked as advertised, and waited three to five days after installation before activating. The Manifest V3 bypass is the part that matters most. Browser makers spent years redesigning the extension permission model specifically to stop this class of attack. StegoAd defeated it.
The steganography technique explains why the operation lasted five years undetected. Steganography hides data inside other data, in this case, malicious C2 commands concealed inside images that the extensions loaded during normal operation. Security tools scanning extension code see images. They do not see commands. The malicious payload was never stored in the extension code itself, which means static analysis, code review, and store security scanning all returned clean results. The extensions only became malicious at runtime, when they fetched and decoded the commands hidden in remote images.
The three-to-five-day delay between installation and payload activation defeats sandbox testing. Browser stores test new extensions in automated environments for a period after submission. StegoAd’s extensions behaved legitimately during that window and only activated after passing review. The 90 separate developer accounts meant that removing one extension or one account did not disrupt the operation. Each account was an independent publishing channel. The operation continued across the rest while any single account was suspended.
The CISO question: Does your organization have visibility into which browser extensions are installed across employee devices, and do you have a process for auditing extensions that use remote image loading, given that steganography-based C2 communication is invisible to code review and static analysis tools?
The pattern across all five stories
Every story this week traced back to a credential that should not have been valid.
FortiBleed cracked firewall passwords from old breach dumps. Klue lost control of a legacy token nobody had rotated. Cisco’s attacker used a real admin account and deleted the evidence. Amadey and StealC monetized stolen credentials for years. StegoAd harvested logins from 2.6 million browsers through extensions users never questioned.
Stolen credentials are not just an authentication problem. They are how attackers get in, stay in, and sell access to others. Every organization in the FortiBleed dataset, every Klue customer, and every company whose employees installed a StegoAd extension shared the same exposure: their credentials were visible outside their control before anyone noticed.
CybelAngel monitors infostealer logs, dark web forums, and criminal marketplaces for your exposed credentials. If a FortiBleed-style operation is targeting your infrastructure right now, the trail is already there. Our analysts find it before it becomes a headline.
