Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

FortiBleed harvest linked to Lynx crew

2 min read
11:00UTC

SOCRadar has tied the 86,644-credential FortiGate harvest to the Lynx ransomware crew, cracked offline against legacy FortiOS passwords never re-hashed to PBKDF2. A SharePoint code-execution deadline falls today under CISA's new triage regime, Cisco leads a five-vendor KEV batch, and the BlueHammer Defender flaw is now weaponised for SYSTEM access. Spring's disclosures are being cashed in as the federal machine that forced prioritisation is dismantled.

TechnologyNCSCCISA
Key takeaway

Spring's disclosures are turning into live intrusions just as CISA swaps fixed deadlines for untested triage.

This briefing mapped
Loading map…
Infrastructure
Regulatory
Economic

SOCRadar tied the 86,644-credential FortiGate harvest to the Lynx ransomware crew, which cracked legacy passwords offline on a 45-GPU rig rather than exploiting any flaw.

Sources profile:This story draws on neutral-leaning sources

SOCRadar linked the theft of 86,644 FortiGate remote-access passwords to the ransomware group Lynx. British and US agencies had flagged the set privately back in June.

The gang cracked the passwords using 45 chained graphics cards. Fortinet never modernised its old hashing method, leaving logins open to anyone holding the list. 

CISA gave federal agencies three days to remediate an actively exploited SharePoint code-execution flaw, with today's deadline the tightest on the catalogue.

Sources profile:This story draws on neutral-leaning sources

Washington's cyber-defence agency added a SharePoint Server flaw to its must-patch list on 1 July. Federal agencies got just three days to fix it, even though ransomware use is unconfirmed.

The tight deadline comes from a new risk-based patching rule. It moves fastest on internet-facing bugs, echoing 2025's SharePoint ToolShell attacks that spread within weeks. 

Sources:CISA

CISA confirmed ransomware gangs are weaponising BlueHammer, the April Windows Defender flaw, to seize SYSTEM rights before deploying their encryptors.

Sources profile:This story draws on neutral-leaning sources

US officials confirmed ransomware gangs are exploiting a 2026 Windows Defender flaw known as BlueHammer. It was disclosed by a researcher using the handle Chaotic Eclipse.

Gangs use the bug to grab full system-level access before locking victims' files. The flaw sits inside Microsoft's own security software, the very tool meant to stop attacks like this. 

CISA drew two more Cisco flaws into its catalogue this fortnight, alongside a SimpleHelp bypass that reopens the managed-service-provider route used by DragonForce in 2025.

Sources profile:This story draws on neutral-leaning sources

America's cyber-defence agency added five bugs to its must-patch list over two batches this fortnight. One is a login-bypass flaw in SimpleHelp, a remote-support tool used by many IT service companies.

SimpleHelp manages many clients from one server, so a single break-in there could reach every business it supports. That echoes the 2021 Kaseya ransomware attack on managed service providers. 

Sources:CISA

River Financial told the SEC on 25 June that ransomware had hit its Alabama bank subsidiary, with customer-data exposure still undetermined.

Sources profile:This story draws on neutral-leaning sources

River Financial Corporation, parent of a small Alabama bank, disclosed a ransomware attack to US regulators on 25 June. The intrusion reached its systems around 16 June and was caught three days later.

River Financial has not confirmed whether hackers actually stole customer data. That gap matters because banks face extra legal costs once personal information is confirmed exposed. 

Sources:SEC EDGAR

World Leaks dumped 630GB stolen from Tata Electronics, including purported Apple and Tesla design files, while Blackfield demanded $2m from Japan's Nidec.

Sources profile:This story draws on mixed-leaning sources from India
India
LeftRight

A criminal group called World Leaks says it stole more than 200,000 files from Tata Electronics. The haul, around 630 gigabytes, includes drawings it claims belong to Apple and Tesla.

Separately, a gang called Blackfield demanded $2 million from Nidec after breaching one of its suppliers. Criminals increasingly target the weaker links in a brand's supply chain. 

BlackFog's June report kept Qilin at the top of ransomware activity for a second month, despite Europol's Operation Saffron hitting 25 gangs in May.

Sources profile:This story draws on neutral-leaning sources

BlackFog's June ransomware tracker again ranked Qilin the most active gang worldwide. It was behind 16% of unreported attacks and 8% of disclosed ones, a second month on top.

The lead came a month after Europol's Operation Saffron disrupted around 25 rival gangs. Shutting down competitors, it turns out, does not cut overall ransomware activity. 

Sources:BlackFog

CISA added six exploited CVEs in the first fortnight under BOD 26-04's triage model, and let the Splunk and Ubiquiti deadlines pass without naming anyone non-compliant.

Sources profile:This story draws on neutral-leaning sources

The same US agency added six actively exploited software flaws to its list this fortnight. That works out to close to one a day, under a new risk-based patching rule.

Deadlines for separate Splunk and Ubiquiti flaws passed in the same period. Unlike before, the agency did not say publicly whether any federal agency missed them. 

Sources:CISA
Closing comments

Sideways for now. The two dated arcs, FortiBleed to Lynx and BlueHammer to SYSTEM access, are real, but six KEV additions in a fortnight at 0.86 a day sits below the roughly two-a-day pace the catalogue held through mid-June, against a proposed $707m FY27 cut to CISA itself, so there is no volume signal yet of a widening disclosure-to-exploitation gap. It tips up if CISA names an agency non-compliant on the SharePoint or SimpleHelp deadlines, the first live test of BOD 26-04's enforcement teeth. It tips down if the FortiBleed set never surfaces beyond SOCRadar's attribution and stays confined to the seven named blue-chips without a confirmed Lynx deployment.

AI-assisted, human-edited under the editorial responsibility of Bannermedia Ltd. Reviewed by Ed Woodcock on 4 July 2026. Editorial standards.

Different Perspectives
NCSC
NCSC
NCSC co-signed CISA's 18 June advisory that held the 86,644-credential FortiGate set as privately known rather than published. SOCRadar's attribution of that same set to Lynx this week puts the gap between the private warning and the public exploitation claim under fresh scrutiny.
CISA
CISA
CISA is one fortnight into BOD 26-04, giving the SharePoint deserialisation flaw a three-day remediation window while other June flaws got fourteen or sixty days. It has let the Splunk and Ubiquiti deadlines pass without naming any agency non-compliant, leaving the risk-tiered model's enforcement teeth untested.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.