This week’s cybersecurity and dark web news stories discuss the 75,000 Fortinet firewalls that have been exposed, Icarus claiming an attack on Klue, and law enforcement investigating a hack on the Brazilian emergency alert system.
75,000 Fortinet Firewalls Compromised
A newly discovered cyber espionage operation has compromised roughly half of all internet-facing Fortinet firewalls worldwide, according to researchers Volodymyr “Bob” Diachenko, Hudson Rock, and Kevin Beaumont. Dubbed FortiBleed, the campaign targeted 73,932 unique firewall URLs across 194 countries, exposing 21,632 unique domains.
A Russian-speaking criminal group is believed to be behind the operation, which ran an estimated 1.16 billion credential attempts against more than 320,000 FortiGate devices, alongside 2.1 billion brute-force attempts against over 160,000 MSSQL servers. The attackers intercepted SSL VPN authentication hashes and cracked them using a 45-GPU cluster, then pivoted directly into victims’ internal Active Directory environments.
Confirmed full compromises span Japan, Taiwan, Vietnam, Iraq, and Turkey, including a Turkish NATO defense contractor from which classified documents were exfiltrated. Victims with leaked, working credentials include Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, and Oracle. Researchers note that many compromised devices were fully patched; the weakness lay in older SHA-256 password hashing that persisted unless admins logged in again after a 2025 security update. Fortinet customers are urged to remove management interfaces from public exposure, force a credential rehash by upgrading and re-authenticating, and enforce MFA universally on external gateways.
Icarus Extortion Group Goes Public with Klue Breach
The list of companies caught up in the Klue/Salesforce breach keeps growing. Klue, a market intelligence platform, confirmed that attackers compromised a legacy integration credential on June 12, stole OAuth tokens connecting Klue to customers’ Salesforce environments, and used that access to siphon data from multiple organizations’ CRM instances.
Klue says no data stored directly within its own platform was affected, and the company has revoked the compromised credentials, disabled the impacted integrations, and brought in CrowdStrike to assist with the response. Researchers at Huntress and ReliaQuest documented attackers generating OAuth tokens and running Python scripts against Salesforce’s API for extended periods to extract data undetected.
A group called Icarus has now publicly claimed the attack on its leak site, confirming that “a number of other companies’ Salesforce instances, which were partners to Klue, were exfiltrated,” and pressuring victims to make contact via the Session messaging app. Confirmed victims now include Huntress itself, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity – most reporting that only Salesforce-stored business contacts, sales communications, and pricing data were taken, with no impact on core platforms or payment systems. Several have warned customers to watch for follow-on phishing using the stolen contact information.
Hackers Hijack Brazil’s Emergency Alert System
Brazil’s Federal Police and civil defense authorities are investigating after attackers breached the national Civil Defense Alert platform and fired off a string of fake “Extreme Alert” notifications reading “Alerta extremo – Defesa Civil:misantropi4” – Portuguese for misanthropy, styled with hacker-typical letter substitution.
The first rogue alert hit phones in Paraná around 11:40pm on June 19; within hours the same siren-loud notification – the kind designed to override silent mode – had reached São Paulo, Rio de Janeiro, Brasília, Bahia, Pará, and several other states. Some reports put the number of affected phones as high as 30 million. The Ministry of Integration and Regional Development took the platform offline at 1:30am once the intrusion was confirmed, and Brazil’s telecom regulator Anatel said the messages did not come from any authorized source.
Officials say roughly ten unauthorized alerts went out before the shutdown and that the attacker was someone outside the national civil defense network, though no suspect has been confirmed. The system, built under a 2022 Anatel mandate and rolled out nationwide by October 2025, broadcasts directly to any phone in range of a cell tower without requiring registration. Security researchers note that Cell Broadcast systems generally lack cryptographic authentication, meaning a receiving device has no way to verify an alert actually came from civil defense authorities – a structural weakness with no fixed timeline for resolution.