Author: Staff Writer
John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
GentleKiller Ransomware Bypasses Security by Targeting Vulnerable Drivers and Disabling Over 400 EDR Processes
Essential Insights
- The Gentlemen ransomware gang used a sophisticated framework called GentleKiller, capable of disabling over 400 security processes by impersonating legitimate security drivers at the kernel level through BYOVD techniques.
- GentleKiller contains at least eight variants, each targeting specific security products, and swiftly integrates newly published exploits—demonstrating rapid, agile development.
- The operation also incorporates three externally sourced EDR killers—HexKiller, ThrottleBlood, and HavocKiller—standardized to evade detection, complicating attribution efforts.
- To defend against this threat, security measures should include driver allowlisting, monitoring for suspicious driver loads and process terminations, and enforcing Microsoft’s Driver Blocklist.
Problem Explained
In June 2026, ESET revealed…
The theme ‘Secure our World’ emphasizes collective responsibility in cybersecurity, highlighting that protecting information is a shared effort crucial in a global, interconnected society. Eduardo Takamura’s career transitioned from computer science to cybersecurity, inspired by a passion for security, mentorship, and obtaining CISSP certification, with a focus on safeguarding federal information systems. At NIST, he contributes to developing standards that enable organizations to manage security and privacy risks proactively, with projects supporting continuous monitoring and international security standards. Takamura values the opportunity to empower practitioners, learn from top experts—including Nobel laureates—and collaborate with a dedicated team that feels like a…
Essential Insights
- Attackers can extract sensitive configuration data, API keys, and system details without authentication via a REST API endpoint in the Gravity SMTP plugin, enabling further exploitation.
- Exploitation of the vulnerability has generated over 17 million HTTP GET requests, with threat actors potentially using exposed credentials to send unauthorized emails and compromise site security.
- Immediately updating to version 2.1.5 of Gravity SMTP and rotating credentials are critical to prevent ongoing data leaks and unauthorized access, especially for sites with third-party email integrations.
Threat, Attack Techniques, and Targets
Threat actors are exploiting a security flaw in the Gravity SMTP plugin for WordPress.…
Top Highlights
- The ransomware group "The Gentlemen" has developed and is sharing advanced EDR-killing tools, notably "GentleKiller," to weaken enterprise defenses and facilitate successful attacks.
- These tools include the use of BYOVD (Bring Your Own Vulnerable Driver) techniques, enabling attackers to load old, exploitable drivers that grant kernel-level privilege and disable security software.
- The proliferation of EDR killers democratizes access, lowering skill barriers for affiliates and increasing the frequency of ransomware campaigns.
- To defend against these tactics, enterprises should implement protections like HVCI, enforce strict driver policies, and continuously audit drivers to prevent the loading of vulnerable or malicious drivers.…
Essential Insights
- Compromised VPNs grant attackers internal network access, enabling lateral movement, credential attacks, and expanding the attack surface significantly.
- Attackers can pivot from VPN access into internal systems like Active Directory, enabling privilege escalation, persistence, and identity compromise.
- Patching edge devices alone is insufficient; organizations must also invalidate credentials, monitor activity, and implement stronger controls to prevent post-compromise harm.
Threat, Attack Techniques, and Targets
The main threat is VPN and Secure Remote Access Gateway compromise. Attackers aim to gain unauthorized access by stealing credentials, using brute force, credential stuffing, exploiting vulnerabilities, or bypassing authentication. Once they succeed, they move…
Top Highlights
- CISA has added a critical LiteSpeed cPanel Plugin vulnerability (CVE-2026-54420) to its KEV list due to active exploitation, mainly affecting shared hosting and CloudLinux environments.
- The vulnerability stems from improper handling of UNIX symbolic links, allowing attackers with limited access (e.g., FTP or web shell) to access sensitive files outside restricted directories.
- Exploitation could lead to privilege escalation or data exposure, especially in multi-tenant hosting setups like CageFS, with potential for significant security breaches.
- CISA recommends immediate application of vendor patches, enhanced monitoring, strict permission policies, and, if necessary, discontinuation of affected products to mitigate risks.
The Issue…
Essential Insights
- Threat actors are exploiting default and organization-specific credentials on Fortinet FortiGate devices through large-scale brute-force and credential stuffing attacks, compromising over 86,000 devices globally.
- The attack employs automated tools that scan for vulnerable internet-facing Fortinet endpoints, confirm which credentials are valid, and then passively monitor network traffic to harvest additional credentials for further infiltration.
- Many organizations remain vulnerable due to outdated credential storage methods (SHA-256 hashes) and poor password hygiene, enabling persistent and widespread exploitation across sectors and regions.
Threat, Attack Techniques, and Targets
The threat, called FortiBleed, is a large-scale cyber campaign involving Russian-speaking threat actors. It targets…
Quick Takeaways
- Salesforce disabled the Klue Battlecards app integration after detecting unauthorized activity linked to a security breach, but this incident does not stem from a platform vulnerability.
- The breach involved data exfiltration from Klue’s infrastructure through compromised legacy credentials, allowing attackers to access OAuth tokens and connected customer systems.
- The threat actor, identified as Icarus, exploited long-dormant credentials to steal OAuth tokens, enabling mass data queries and exfiltration from Salesforce-connected environments.
- Security experts highlight that the attack reflects a broader issue with third-party OAuth integration abuse, emphasizing the need for tighter monitoring of trusted third-party access points.
Salesforce Suspends Klue…
Summary Points
- INC ransomware has evolved from a newcomer to a major global threat in 2023, with over 800 victims across various industries, including healthcare, education, and manufacturing, by employing a Ransomware-as-a-Service model.
- The group’s technical upgrades include fully rewriting Windows and Linux/ESXi encryptors in Rust, enhancing cross-platform functionality and making detection more difficult.
- INC relies on double extortion, combining data encryption with threats to leak stolen information, increasing pressure on victims to pay ransoms quickly.
- Recent advancements involve sophisticated lateral movement tactics using legitimate remote tools, updated credential theft methods, and the spreading of related ransomware families like Lynx…
Summary Points
- Threat actors exploited compromised Fortinet credentials, impacting around 74,000 devices globally, enabling unauthorized access and lateral movement within networks.
- The attack campaign, "FortiBleed," primarily used leaked credentials to bypass security controls, risking malware deployment and data exfiltration.
- Organizations face increased risks from exposed devices accessible via the internet, with threat actors leveraging stolen credentials to escalate privileges and compromise network security.
Threat, Attack Techniques, and Targets
CISA issued an urgent warning about a large-scale campaign called “FortiBleed.” The threat involves hackers exploiting compromised credentials for tens of thousands of Fortinet devices worldwide. These devices include FortiGate firewalls and…