SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief, Saturday, June 20, 2026
INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: FortiBleed Compromises 86,000 Fortinet Devices Globally | CRITICAL

5 C2 IPs | 120 OTX IOCs | 28 ARTICLES

■ ANALYST TLDR
This brief highlights a massive credential theft campaign dubbed "FortiBleed" targeting more than 86,000 Fortinet FortiGate devices, alongside a supply chain compromise of the competitive intelligence platform Klue that exposed Salesforce OAuth tokens belonging to major cybersecurity firms. Additionally, international law enforcement disrupted the SocGholish botnet under Operation Endgame, while researchers disclosed unpatchable SecureROM vulnerabilities in Apple A12/A13 chips and a critical Splunk Enterprise flaw under active exploitation.

■ CRITICAL STORIES
FortiBleed Credential Harvesting Campaign
Threat actors have compromised credentials on more than 86,000 internet-facing Fortinet FortiGate firewalls and VPNs, a massive exposure of enterprise perimeter defenses.
Klue OAuth Supply Chain Breach Exposes Salesforce Environments
The "Icarus" extortion group compromised the competitive intelligence platform Klue and stole OAuth tokens, using them to access the Salesforce environments of high-profile customers, including the cybersecurity firms Huntress and Recorded Future.
Active Exploitation of Splunk Enterprise Vulnerability
CISA has issued an urgent warning for a critical Splunk Enterprise vulnerability that is under active exploitation, directing federal agencies to apply patches immediately.
Unpatchable 'usbliter8' Exploit Targets Apple SecureROM
Researchers have demonstrated a working exploit that achieves arbitrary code execution inside the SecureROM boot chain of Apple A12 and A13 chips. Because the SecureROM is burned into the silicon, the flaw cannot be fixed by a software update.

■ CVEs IDENTIFIED
[CVE-TBD] Splunk Enterprise — Active exploitation of critical vulnerability enabling remote code execution
[CVE-TBD] Fortinet FortiGate — FortiBleed credential harvesting and unauthorized access
[CVE-TBD] Gravity SMTP WordPress Plugin — Unauthenticated information disclosure vulnerability
[CVE-TBD] Apple A12 and A13 Chips — usbliter8 SecureROM boot chain arbitrary code execution

■ THREAT ACTORS
Icarus | Extortion group
Targeted the competitive intelligence platform Klue to steal Salesforce OAuth tokens of cybersecurity firms
Evil Corp | Cybercrime / State-sponsored
Linked to the SocGholish botnet disrupted by international law enforcement in Operation Endgame
The Gentlemen | Ransomware-as-a-Service (RaaS)
Developing and distributing the "GentleKiller" EDR bypass framework targeting 400 security processes

■ ATT&CK TTPs
ID | Technique | Context in this brief
T1110 | Brute Force | Large-scale credential attacks targeting security vendors' devices
T1528 | Steal Application Access Token | Icarus group stole OAuth tokens from Klue to access Salesforce
T1562.001 | Impair Defenses: Disable or Modify Tools | "GentleKiller" EDR killer framework used by The Gentlemen RaaS to target 400 security processes
T1195.002 | Compromise Software Supply Chain | Klue OAuth token compromise affecting downstream customers such as Huntress and Recorded Future
T1588.006 | Obtain Capabilities: Vulnerabilities | Exploitation of unauthenticated information disclosure in Gravity SMTP plugin
T1542.001 | Pre-OS Boot: System Firmware | "usbliter8" exploit achieving arbitrary code execution in Apple SecureROM

■ PATCH PRIORITY
Splunk Enterprise — Actively exploited critical vulnerability under urgent CISA warning — [BC]
Fortinet FortiGate — Over 86,000 devices compromised in FortiBleed credential theft campaign — [THN/SW]
Gravity SMTP WordPress Plugin — Exploitation of unauthenticated info disclosure bug on up to 100,000 sites — [BC]
Apple Beats Studio Buds — Bluetooth eavesdropping vulnerability allows nearby attackers to wiretap — [MWB/SW]

■ RECOMMENDED ACTIONS TODAY
1. [P1] Immediately patch Splunk Enterprise to mitigate the actively exploited critical vulnerability [CVE-TBD], as mandated by CISA.
2. [P1] Audit and revoke compromised Salesforce OAuth tokens associated with the Klue Battlecards app integration to prevent unauthorized CRM data access.
3. [P1] Audit external-facing Fortinet FortiGate appliances for signs of credential harvesting under the "FortiBleed" campaign and enforce immediate password resets.
4. [P2] Update the Gravity SMTP WordPress plugin to the latest secure version to remediate the unauthenticated information disclosure vulnerability [CVE-TBD].
5. [P2] Apply firmware updates to Apple Beats Studio Buds to patch the Bluetooth eavesdropping vulnerability [CVE-TBD].

C2 IP BLOCKLIST · AbuseCH Feodo · 5 entries
IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY
162.243.103.246 | 8080 | OFFLINE | Emotet | US
50.16.16.211 | 443 | ONLINE | QakBot | US
34.204.119.63 | 443 | OFFLINE | QakBot | US
178.62.3.223 | 443 | OFFLINE | QakBot | GB
27.133.154.218 | 443 | OFFLINE | QakBot | JP

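The blocklist above is only useful once it is matched against your own egress telemetry. The following Python script is an added example, not part of the brief or of the AbuseCH feed tooling: it loads the five C2 entries exactly as listed in the table, parses a handful of constructed firewall log lines (the key=value layout is an assumed, vendor-neutral format), and reports every internal host that attempted a connection to a listed C2 address, noting whether the observed port matches the IOC port and what status the feed reported.

```python
"""Match the brief's C2 IP blocklist against sample firewall log lines.

Added example (not the brief's own code). IOC values are copied from the
C2 IP BLOCKLIST table above; the log lines and their key=value layout are
constructed for illustration and do not reflect any vendor's real format.
"""
import ipaddress
import re
from dataclasses import dataclass

# IOCs as listed in the brief: ip -> (malware family, C2 port, feed status).
C2_BLOCKLIST = {
    "162.243.103.246": ("Emotet", 8080, "OFFLINE"),
    "50.16.16.211": ("QakBot", 443, "ONLINE"),
    "34.204.119.63": ("QakBot", 443, "OFFLINE"),
    "178.62.3.223": ("QakBot", 443, "OFFLINE"),
    "27.133.154.218": ("QakBot", 443, "OFFLINE"),
}

# Constructed sample log lines (hypothetical key=value firewall export).
SAMPLE_LOGS = [
    "ts=2026-06-20T08:01:12Z src=10.0.5.23 dst=50.16.16.211 dport=443 action=allow",
    "ts=2026-06-20T08:01:15Z src=10.0.5.23 dst=142.250.74.46 dport=443 action=allow",
    "ts=2026-06-20T08:02:40Z src=10.0.7.9 dst=162.243.103.246 dport=8080 action=allow",
    "ts=2026-06-20T08:03:01Z src=10.0.7.9 dst=162.243.103.246 dport=22 action=deny",
    "malformed line without fields",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    dport: int
    malware: str
    port_matches: bool  # True when the observed port equals the IOC's C2 port
    c2_status: str      # ONLINE/OFFLINE as reported by the feed at publication


def parse_line(line):
    """Return a dict of fields, or None if the line is unusable."""
    fields = dict(FIELD_RE.findall(line))
    if not {"ts", "src", "dst", "dport"}.issubset(fields):
        return None
    try:
        ipaddress.ip_address(fields["dst"])  # reject values that are not an IP
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields


def match_c2(lines, blocklist=C2_BLOCKLIST):
    """Return one Hit per log line whose destination is on the blocklist."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f is None or f["dst"] not in blocklist:
            continue
        malware, ioc_port, status = blocklist[f["dst"]]
        hits.append(Hit(f["ts"], f["src"], f["dst"], f["dport"], malware,
                        f["dport"] == ioc_port, status))
    return hits


def summarize(hits):
    """Group hits per internal source host so each gets a single triage entry."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h.src, set()).add(h.malware)
    return {src: sorted(families) for src, families in by_src.items()}


if __name__ == "__main__":
    found = match_c2(SAMPLE_LOGS)
    for h in found:
        print(h)
    print(summarize(found))
```

Two points worth keeping in mind when using output like this: a feed status of OFFLINE means the C2 was not responding when the feed was published, not that a connection attempt from an inside host is benign, so the host still needs triage; and a port mismatch (here 10.0.7.9 reaching the Emotet address on 22 rather than 8080) is still a hit, because the IP is the IOC and the port only adds confidence.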
FULL IOC EXPORT — GOOGLE SHEET: all live IOCs with full SHA256 hashes (OTX), IPs, and domains. Two tabs: C2 IPs · OTX IOCs. Updated daily; export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB