Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

One operator worked both ransomware brands

2 min read
08:46UTC

SOCRadar traced the FortiBleed credential haul to 12 confirmed ransomware deployments and found one operator working the negotiation panels for both INC Ransom and Lynx. Microsoft closed the Nightmare Eclipse zero-day series with an out-of-band Defender patch. NCSC and 18 agencies named Russia's FSB Centre 16 over SNMP router attacks, and the UK cyber bill reached the Lords with a £17m fine ceiling.

TechnologyNCSCCISA
Key takeaway

Ransomware brand names and KEV freshness are both losing value as prioritisation signals; access exposure is the more reliable read.

This briefing mapped
Loading map…
Infrastructure
Regulatory

SOCRadar tied the FortiBleed credential haul to 12 confirmed ransomware deployments and found one operator working the extortion desks of both INC Ransom and Lynx.

Sources profile:This story draws on neutral-leaning sources

SOCRadar confirmed that stolen Fortinet login credentials, the FortiBleed haul, led to 12 ransomware deployments and 409 administrator account compromises. One operator worked negotiation panels for two rival ransomware crews at once.

The overlap shows ransomware crews increasingly share one stolen-credential supply chain. That makes tracking gangs by name less useful than tracking the broker who sold the access. 

Microsoft shipped an out-of-band Defender update on 9 July patching RoguePlanet, the seventh and final zero-day from the researcher known as Nightmare Eclipse.

Sources profile:This story draws on neutral-leaning sources from United Kingdom
United Kingdom

Microsoft shipped an emergency Defender engine update, version 1.1.26060.3008, on 9 July to fix a security flaw called RoguePlanet. It was the seventh and final flaw in a series found by researcher Nightmare Eclipse.

Shipping the fix through the engine rather than a monthly patch closed the exposure window faster, but only for machines still receiving live Defender updates. 

Sources:The Register

NCSC and 18 partner agencies named Russia's FSB Centre 16 over an SNMP router-hijacking campaign, a different service from the GRU unit named in April.

Sources profile:This story draws on neutral-leaning sources

The UK's National Cyber Security Centre and 18 partner agencies published a joint advisory on 9 July. They blamed a router-hijacking campaign on Centre 16, a unit of Russia's Federal Security Service (FSB), separate from the group named over an April hijacking campaign.

The technique exploits weak, decades-old default settings on network equipment rather than a new software flaw. That makes it hard to fix with a single patch. 

The Cyber Security and Resilience Bill had its Lords second reading on 14 July, carrying a £17m fine ceiling and pulling MSPs and data centres into critical-infrastructure scope.

Sources profile:This story draws on neutral-leaning sources

The Cyber Security and Resilience Bill had its House of Lords second reading on 14 July. It would bring managed service providers and data centres into critical-infrastructure scope, with fines up to £17m or 4% of global turnover.

The bill also adds a duty to report near-miss incidents, not just successful breaches. That extends UK cyber law beyond the narrower rules set in 2018. 

CISA's Known Exploited Vulnerabilities catalogue added seven low-profile CVEs between 5 and 14 July, capped by an 18-year-old Cisco IOS flaw.

Sources profile:This story draws on neutral-leaning sources

The US Cybersecurity and Infrastructure Security Agency added seven security flaws to its Known Exploited Vulnerabilities list between 5 and 14 July, taking it to 1,638 entries. Six were in web software; the seventh was an 18-year-old flaw in Cisco's router software.

A fix for that bug has existed since 2008. Its addition now means the agency has fresh evidence criminals are exploiting it, almost certainly against routers running software that was never updated. 

Sources:CISA
Closing comments

Sideways on volume, upward on structural exposure. FortiBleed's pool of 86,644 credentials, still valid until individually rotated regardless of Fortinet's device patches, is the mechanism that would tip this: each new confirmed deployment SOCRadar or a peer firm attributes to it, now at 12 as of 8 July, adds to a pool that patching cannot shrink. The Cyber Security and Resilience Bill reaching Lords committee stage without amendment narrowing its MSP definition, carrying fines up to £17m, would mark the regulatory side moving from proposal to near-certain statutory footing within this session.

AI-assisted, human-edited under the editorial responsibility of Bannermedia Ltd. Reviewed by Ed Woodcock on 14 July 2026. Editorial standards.

Different Perspectives
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.