30,000 ShareFile servers told to shut down. 430,000 FortiGate firewalls with stolen credentials. 81 million Azure login attempts in 14 days. 7 million driver's license records from one phished employee. 2 million devices in a botnet. A Microsoft-signed driver used to blind EDR. That was two weeks.
Progress tells ShareFile customers to shut down their servers
Let me start with the story that sets the tone for everything else. Progress Software emailed ShareFile customers using on-premises Storage Zone Controllers (SZC) with an instruction I have rarely seen from a vendor: turn off your Windows servers immediately. Not "patch within 48 hours." Not "apply this workaround." Physically power them down.
The company cited a "credible external security threat" against the Storage Zone Controller component. Progress had already disabled cloud-side access but said that was not enough. They told customers to manually shut down the servers. This follows two critical CVEs in SZC from earlier this year, CVE-2026-2699 (CVSS 9.8) and CVE-2026-2701 (CVSS 9.1), which chain together for pre-auth remote code execution.
WatchTowr estimated roughly 30,000 internet-facing SZC instances as of April 2026. Progress has not disclosed whether the current threat is a new zero-day or if any controllers have been compromised.
When a software vendor tells you to pull the plug instead of patch, you do not wait. You shut it down and ask questions later.
What to do right now: If you run ShareFile with an on-premises Storage Zone Controller, shut down the Windows server now. Do not wait for more details. If you use a managed ShareFile instance, ask your provider what they are doing. This is the same kind of supply-chain file-sharing vulnerability pattern that made MOVEit and GoAnywhere headline news.
FortiBleed confirmed: The credential-to-ransomware pipeline is real
The FortiBleed story got worse. SOCRadar's Threat Research Unit confirmed that the campaign which harvested credentials from over 430,000 FortiGate firewalls globally is directly feeding two active ransomware operations: INC Ransom and Lynx. A single operator was found simultaneously logged into ransom negotiation panels for both groups.
Here's the truly frustrating part. The attackers aren't using sophisticated zero-days. They're abusing a diagnostic tool that's built into every FortiGate. A custom Go-based packet sniffer called FortigateSniffer uses FortiOS's native diagnose sniffer packet command to intercept cleartext authentication traffic across 24 protocols. About 19,000 devices had these sniffers actively deployed.
They didn't break into these firewalls. They walked through a door that was left open on the management interface.
The pipeline from credential theft to full ransomware deployment is estimated at 30 to 60 days. At least 12 ransomware deployments have been confirmed so far, with hundreds of endpoints encrypted. Attackers persistently installed a backdoor account named "adminin" on compromised devices.
What to do right now: If you run a FortiGate firewall, rotate ALL local admin, service account, and SSL VPN credentials. Disable the diagnose sniffer packet utility if you don't need it. Patch FortiClient EMS to 7.4.7 or later. And please, take your management interface off the public internet. That alone would have stopped most of this. We covered the initial FortiBleed findings in last week's roundup if you need the full backstory.
AssuranceAmerica: 7 million records from one phished employee
US auto insurer AssuranceAmerica confirmed a data breach affecting 6,998,886 individuals. Attackers compromised a single employee account through a credential-stealing phishing attack on March 17. The stolen data includes names, contact information, driver's license numbers, policy details, vehicle information, claims data, and potentially Social Security numbers and Tax IDs.
The investigation took from March 17 to June 15. Three months to fully scope the damage from one phished credential.
One employee. Seven million records. That is the math of credential theft in 2026.
What to do right now: If your business collects driver's license numbers, SSNs, or financial information, a single phished credential can expose millions of records. Phishing-resistant MFA, conditional access policies, and strict access controls are no longer optional for any business handling PII. Review who has access to your most sensitive data. The answer may surprise you.
81 million login attempts: MFA never stood a chance
Huntress documented a massive password-spray campaign targeting Microsoft 365 through the Azure CLI. Between June 12 and 26, threat actors made 81 million login attempts against Huntress customer accounts, compromising 78 user accounts across 64 organizations.
The key detail: attackers abused the OAuth Resource Owner Password Credentials (ROPC) flow. This is a deprecated authentication method that bypasses MFA because it sends credentials directly to the token endpoint without triggering an MFA prompt. MFA didn't fail. It was never engaged. As we saw with the BlueKit campaign, attackers are actively finding ways around MFA.
Common configuration gaps included MFA applied only to specific apps instead of all cloud apps, MFA enforced only for administrators, and policies left in report-only mode. Huntress observed a 155-fold increase in password-spraying attacks over six months.
What to do right now: Block legacy authentication in your Microsoft 365 tenant. Review your Conditional Access policies. Is MFA applied to "All Cloud Apps" or just a subset? Enforce phishing-resistant MFA for every user, not just admins. Then check your sign-in logs for ROPC authentication attempts.
JADEPUFFER: The first AI-orchestrated ransomware attack
This one kept me up. Sysdig's Threat Research Team documented JADEPUFFER, the first fully autonomous AI-driven ransomware campaign. An LLM-based agent executed the entire attack chain from initial exploitation to encryption to ransom note generation. No human operator.
The agent exploited CVE-2025-3248, a Langflow RCE vulnerability (CVSS 9.8) that was added to CISA's KEV catalog over a year ago. It executed more than 600 distinct payloads, recovered from its own errors (it fixed a failed login in 31 seconds), and encrypted 1,342 Nacos configuration entries using AES-128.
Here's the part that matters. The encryption key was generated randomly, printed once, and never saved. No recovery is possible even if a ransom were paid. The final stage dropped entire databases.
The skill floor for running a destructive ransomware campaign just dropped to zero. You don't need a hacker anymore. You need access to an AI agent and the willingness to point it at a target.
What to do right now: Patch aggressively. CVE-2025-3248 has been known for over a year. If you run Langflow, Nacos, or any AI or ML tooling exposed to the internet, patch today. Keep immutable offline backups. Assume that AI-powered scanning will find your exposed services faster than any human attacker would.
GodDamn ransomware uses a Microsoft-signed driver to blind your defenses
A new ransomware family named GodDamn (first detected May 21, 2026) uses a kernel driver called PoisonX that carries a valid Microsoft cryptographic signature. The driver loads at kernel level and kills endpoint detection and response tools before encryption begins. Your antivirus, your EDR, your monitoring agents. All gone before you see the ransom note.
The attacks come from a group tracked as Hyadina and have already hit US companies. GodDamn joins Akira, BlackByte, AvosLocker, and RobbinHood in using the Bring Your Own Vulnerable Driver (BYOVD) technique. The PoisonX driver was originally associated with a Chinese-speaking threat group before being repurposed here.
Standard EDR is useless once this driver loads. The attack happens before your defenses know there is an attack happening.
What to do right now: Check that the Microsoft Vulnerable Driver Blocklist is enabled on all Windows systems. Open Windows Security > Device Security > Kernel Isolation and verify the "Microsoft Vulnerable Driver Blocklist" toggle is on. This is not enabled by default on all Windows versions, and it is one of the few things that can stop this attack before it starts. Standard endpoint protection alone will not cut it against GodDamn.
Vidar infostealer campaign directly targets SMBs
A financially motivated malvertising campaign is using cracked and pirated software lures to deliver a dual payload to SMBs: Vidar infostealer and a cryptominer. The attack chain uses compromised WordPress sites, fake CAPTCHA pages, HTA scripts, MSI installers, and a GoLang loader that runs entirely in memory to evade detection. Vidar steals browser credentials, cryptocurrency wallets, banking information, and session cookies including cookies that bypass MFA.
Infostealers collectively stole an estimated 1.8 billion credentials in 2025, according to Flashpoint data.
What to do right now: One employee downloading "free" software can expose every credential your business uses. Block the use of pirated software through acceptable use policies and technical controls where possible. Enable session token protection where available and treat browser-stored passwords as high-risk.
The Gentlemen: 20 victims in 24 hours, now the most active ransomware group
The Gentlemen ransomware group posted 20 new victims in 24 hours across 14 countries, making it the most active ransomware operation globally. They now claim 483 victims across 66 countries since launching in mid-2025.
The group offers affiliates a stunning 90% revenue split, above the 80% industry standard, and has demonstrated worm-like self-propagation capabilities. Their playbook relies on unpatched edge appliances (especially FortiGate devices) and stolen credentials. The median ransom demand across H1 2026 was $150,000, with an average of $1.36 million.
H1 2026 by the numbers: Comparitech recorded 4,217 total ransomware attacks in the first half of 2026, an 11% increase from H2 2025. That's 23 attacks per day. The US was the most targeted country with 1,832 attacks.
What to do right now: Unpatched FortiGate devices and stolen credentials are the two biggest enablers. Prioritize patching, enforce MFA everywhere, and maintain offline backups that are tested regularly.
NetNut botnet disrupted: 2 million infected devices cut off
This one is actually good news. Google's Threat Intelligence Group, the FBI, and IRS Criminal Investigation disrupted the NetNut residential proxy network, also known as Popa. The operation cut off 2 million compromised Android devices, including smart TVs and streaming boxes that were being used as unwitting proxy nodes.
NetNut distributed hidden SDKs through IPTV apps and streaming utilities that silently enrolled devices into the botnet. Cybercriminals and espionage groups routed malicious traffic through these home IP addresses to hide their origin. In a single week in June, Google observed 316 distinct threat actor clusters using NetNut exit nodes.
What to do right now: Review what's connected to your business network. Those smart TVs and streaming sticks in your conference rooms? If they're Android-based and connected to the same network as your workstations, they could be compromised without any visible signs. Segment IoT devices from your production network.
CISA adds SharePoint RCE to KEV: the deadline already passed
CISA added CVE-2026-45659 (CVSS 8.8) to its Known Exploited Vulnerabilities catalog on July 1 with a remediation deadline of July 4. This is a deserialization flaw in on-premises Microsoft SharePoint Server that allows authenticated attackers to achieve remote code execution.
Microsoft shipped fixes in May 2026 Patch Tuesday. Affected versions include SharePoint Server 2016, 2019, and Subscription Edition. Post-exploitation activities observed include Velociraptor deployment, Cloudflare Tunnels, Zoho Assist, and SSH via VS Code. CISA's July 4 deadline has passed.
What to do right now: If you run on-premises SharePoint Server, check your build versions today. The attacker must be authenticated, but credential compromise combined with this RCE is a potent combination. If you can move to SharePoint Online, that eliminates this entire class of risk.
Vect + TeamPCP: Supply chain attacks now fuel ransomware directly
Sophos CTU researchers documented a formal operational partnership between Vect ransomware and TeamPCP, a credential-theft gang. TeamPCP compromised 10,000 CI/CD workflows and stole over 500,000 login credentials through supply chain attacks on Aqua Security's Trivy scanner, LiteLLM, Checkmarx KICS, and the Telnyx Python SDK.
Vect also partnered with BreachForums to distribute affiliate keys to all roughly 300,000 members, meaning anyone on the forum can become a Vect affiliate with no skill check.
What to do right now: Rotate your CI/CD secrets. If you use Trivy, LiteLLM, or KICS, review your credential exposure. Supply chain attacks aren't just about data theft anymore. They've become a direct ransomware enabler, as we saw in our supply chain roundup. Consider a managed security partner who can monitor your pipelines for unauthorized access.
Quick hits: ColdFusion, BeyondTrust, job interview phishing, and more
Adobe ColdFusion CVE-2026-48282 (CVSS 10.0): CISA added this maximum-severity path traversal vulnerability to its KEV catalog on July 7. Exploitation began within two hours of technical details going public. If you run ColdFusion 2025 or 2023, apply Update 10 or Update 21 immediately. Shadowserver tracks approximately 800 exposed instances online.
BeyondTrust patched two critical pre-authentication vulnerabilities (CVSS 9.2 each) in Remote Support and Privileged Remote Access. Remote support tools are high-value targets because compromising one grants access to every system it can reach.
Job interview phishing: A sophisticated campaign is impersonating 34 well-known brands using fake job interview invitations to steal Google accounts. Attackers use real recruiter names and photos from LinkedIn and a browser-in-the-browser fake sign-in page. Active for at least five months. Train your team to verify recruiter outreach independently.
Russian router attacks: Security agencies from nine countries warned that Russian state-sponsored hackers are targeting vulnerable and poorly configured routers. SMBs with default router passwords are exactly the kind of soft targets they look for. Change default passwords and disable remote management if you don't need it.
RoguePlanet (CVE-2026-50656): Microsoft issued an out-of-band patch for an elevation-of-privilege flaw in Windows Defender's Malware Protection Engine. Ensure Windows Defender version 1.1.26060.3008 or later is installed.
GhostLock (CVE-2026-43499): A 15-year-old Linux kernel privilege escalation vulnerability. If you run Linux servers, watch for patches from your distribution vendor.
Two weeks. That is what these stories span. And in that time, we saw a vendor tell customers to unplug their servers, an AI agent run ransomware without human help, a Microsoft-signed driver used to disable endpoint defenses, and 7 million records stolen through one phished password.
The barriers to running a devastating cyberattack are lower than they have ever been. AI agents that don't need human operators. Ransomware affiliates that don't need skill checks. Credential pipelines that bypass MFA entirely.
The question isn't whether your business will be targeted. It's whether your credentials are already out there and whether your recovery plan will work when the call comes.
If you are reading this and realizing you are not sure about either of those answers, that is exactly the right reason to get a clear picture now.
Book a 30-minute credential and recovery check
We'll review your MFA config, check for exposed credentials, and validate your backup strategy. No sales pitch, just a fix list.