This was one of those weeks where you sit back and think: okay, so the attackers aren't just getting better at breaking in. They're getting better at breaking in through the stuff we all trust.
Let's run through the biggest stories and what they actually mean for a business your size.
30,791 verified working Fortinet credentials. 3 weeks undetected in a WordPress supply chain attack. 1,400 internet-exposed Splunk instances. 478 ransomware victims since mid-2025. That was one week.
The Big One: FortiBleed
Security researcher Bob Diachenko found something unpleasant on the open internet this week: a criminal server holding credentials for 73,932 unique Fortinet firewall and VPN URLs across 194 countries. Usernames, email addresses, and plaintext passwords. A Russian-speaking group used a 45-GPU cluster to crack hashes offline, running 1.16 billion credential attempts. Roughly 30,791 of those credentials were verified still working at the time of discovery.
CISA issued an emergency alert on June 18. The affected organizations include Chevron, Samsung, Foxconn, Comcast, AT&T, and a long list of government agencies. But here's the thing: smaller businesses running FortiGate firewalls are in that dataset too. If you have one, your VPN credentials may already be circulating.
There is no single patch for FortiBleed. It's the result of years of credential theft, weak password hashing, and stale admin accounts.
What to do right now: Rotate every VPN and admin password on your Fortinet devices. Enforce MFA if you haven't already. Check your logs for unusual lateral movement. And make sure you're using PBKDF2 for credential storage, not the older, weaker hashing.
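As an added example (not from this newsletter and not Fortinet's own tooling), here is a small detection pass over constructed FortiGate-style SSL-VPN event lines that flags the pattern stolen-but-valid credentials tend to produce: a burst of failed logins followed by a success, or one account tunnelling in from more than one source IP within a short window. The field names, action values and sample lines are assumptions that approximate FortiGate's key="value" log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines approximating FortiGate SSL-VPN event logs
# (key="value" pairs). Not real logs from the incident described above.
SAMPLE_LOGS = """\
date=2026-06-18 time=08:02:11 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip="203.0.113.10"
date=2026-06-18 time=08:02:14 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip="203.0.113.10"
date=2026-06-18 time=08:02:19 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip="203.0.113.10"
date=2026-06-18 time=08:05:40 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip="198.51.100.7"
date=2026-06-18 time=09:15:02 type="event" subtype="vpn" action="tunnel-up" user="mlee" remip="192.0.2.44"
"""

# key=value where the value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def find_suspicious_logins(log_text, window_minutes=10, fail_threshold=2):
    """Return (kind, user, remip) findings:
    'fail-then-success' when a tunnel-up follows >= fail_threshold failures
    from the same user+IP inside the window; 'multi-ip' when the same user
    already tunnelled up from a different IP inside the window."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
    window = timedelta(minutes=window_minutes)
    findings = []
    successes = defaultdict(list)  # user -> [(ts, remip)]
    failures = defaultdict(list)   # (user, remip) -> [ts]
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ip, ts = e.get("user"), e.get("remip"), e["ts"]
        if e.get("action") == "ssl-login-fail":
            failures[(user, ip)].append(ts)
        elif e.get("action") == "tunnel-up":
            recent_fails = [t for t in failures[(user, ip)] if ts - t <= window]
            if len(recent_fails) >= fail_threshold:
                findings.append(("fail-then-success", user, ip))
            other_ips = {p for t, p in successes[user] if p != ip and ts - t <= window}
            if other_ips:
                findings.append(("multi-ip", user, ip))
            successes[user].append((ts, ip))
    return findings
```

Feed it your exported VPN event log instead of SAMPLE_LOGS; a hit on an account whose password is in the leaked set is your cue to rotate that credential and review what the session touched.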
WordPress Plugin Supply Chain Attack (ShapedPlugin)
If you run a WordPress site and have auto-update ticked for your plugins, this one hits close to home. Attackers broke into ShapedPlugin's build pipeline around May 21 and injected backdoors into three paid Pro plugins: Smart Post Show Pro, Product Slider for WooCommerce Pro, and Real Testimonials Pro.
Attackers distributed the infected updates through ShapedPlugin's own licensing system, hitting paying customers directly. The malware, tracked as CVE-2026-10735 (CVSS 9.8), steals admin credentials, 2FA secrets, database credentials, and WooCommerce customer data. It also installs a hidden backdoor plugin that survives normal deactivation. The attack went undetected for about three weeks before Wordfence spotted it on June 11.
Your 2FA doesn't matter if the attacker steals the seeds before you even log in. This malware does exactly that.
What to do right now: If you use any ShapedPlugin Pro product, reset all admin passwords and regenerate 2FA secrets. Audit your WordPress user list for a suspicious account named wp_support_sys. And maybe rethink that auto-update-everything policy.
Splunk Enterprise CVE-2026-20253: Your SIEM Against You
CISA added this one to its Known Exploited Vulnerabilities catalog on June 18, confirming active exploitation. The flaw lets unauthenticated attackers create or truncate files on vulnerable Splunk Enterprise instances through a PostgreSQL sidecar service endpoint with no authentication controls. WatchTowr published a proof of concept on June 12 showing it chains to full remote code execution. ShadowServer tracks roughly 1,400 internet-exposed Splunk instances.
Think about what that means. An attacker can compromise your security monitoring tool without a single credential. Then they suppress alerts, delete evidence, and pivot to the rest of your network. Your security tool becomes their hiding spot.
What to do right now: If you're on Splunk Enterprise 10.0.0-10.0.6 or 10.2.0-10.2.3, patch to 10.0.7 or 10.2.4 immediately. If you can't patch right away, disable the PostgreSQL sidecar service.
Klue OAuth Breach and the Salesforce Connection
Attackers used a compromised legacy credential to break into Klue's backend on June 11, then deployed malicious code that harvested OAuth tokens for customer Salesforce instances. The group behind it, calling themselves Icarus, used automated Python scripts to query Salesforce REST APIs for nearly 24 hours straight, exfiltrating CRM data including business contacts, pricing, and sales communications. Confirmed victims include Huntress, Recorded Future, Tanium, Jamf, and Gong.
This is the third major Salesforce OAuth abuse campaign in the past year. And it highlights a painful truth: every time you click Allow on a SaaS integration, you're handing over a key that never expires and can be stolen from someone else's breach.
Your CRM data is only as secure as the weakest integration partner you've ever said yes to.
What to do right now: Audit your connected OAuth apps. Revoke tokens for integrations you're not actively using. And ask your vendors: What happens to my data if you get breached? Klue just demonstrated the answer.
The Gentlemen Ransomware and a 90% Affiliate Split
Brian Krebs identified Alexander Yapaev, a 36-year-old marketing professional from Izhevsk, Russia, as the admin of The Gentlemen ransomware group. The gang has claimed 478 victims since mid-2025, making it the second most active ransomware operation.
What makes them especially dangerous for SMBs? Their 90/10 affiliate revenue split. That's way above the industry standard of 80/20, which means more attackers are joining their ranks and hitting more targets.
The group targets internet-facing VPNs and firewalls, then encrypts entire networks within hours. They've also been observed using multiple EDR killers to disable defenses before deploying the ransomware.
What to do right now: The defense hasn't changed, but the urgency has. Patch your perimeter, enforce MFA, maintain offline backups. More affiliates means more attacks. It's a math problem, and you don't want to be part of the equation.
AryStinger Botnet and the Router You Forgot About
Researchers discovered a botnet called AryStinger that's compromised over 4,300 outdated D-Link routers, mostly DIR-850L and DIR-818LW models. The malware exploits vulnerabilities from as far back as 2013. Yes, 2013. It turns these devices into proxies, scanners, and attack launchers, and can tamper with DNS settings to monitor all network traffic.
A lot of small businesses are still running that D-Link router from half a decade ago because it still works. The problem is, it doesn't work securely. It works for the attackers too.
What to do right now: Check your office router's age and manufacturer support status. If it's more than 3-4 years old and no longer getting firmware updates, replace it. Not patch it. Replace it. AryStinger exploits vulnerabilities that are 13 years old. There is no patch coming.
The Rest of the Week in Brief
- Microsoft's record Patch Tuesday: 200+ vulnerabilities fixed, including 6 zero-days and a wormable Windows Kernel flaw (CVSS 9.8). Focus on the actively exploited ones if you're short on time.
- LiteSpeed cPanel plugin flaw: A privilege escalation bug (CVE-2026-54420) added to CISA's KEV catalog. If your web host uses LiteSpeed's cPanel plugin, ask them when they patched it.
- DragonForce abuses Microsoft Teams: A new malware called Backdoor.Turn hides C2 traffic inside Microsoft Teams relays. Network monitoring alone won't catch it. Endpoint detection is key.
- FTC: $3.5 billion lost to imposter scams in 2025: Losses nearly tripled since 2020. AI voice clones and deepfake video calls are driving it. If your accounts payable team doesn't have out-of-band verification for wire transfers, implement it this week.
That was a dense week. And honestly, weeks like this are becoming the norm, not the exception. The attackers are targeting the things you trust: your firewall, your plugins, your SaaS integrations, your SIEM. The playbook for defending against it hasn't changed dramatically, but the margin for error keeps shrinking.
Here's what I'd double-check at your business this week:
- Are your firewalls and VPNs fully patched and MFA-protected?
- Do you know every OAuth integration connected to your critical SaaS tools?
- Do you have offline, immutable backups that ransomware can't touch?
- Does your team have a clear process for verifying payment requests by phone, not just email?
If you answered "I'm not sure" to any of those, you're not alone. Most small businesses don't have the time or headcount to stay on top of all of this. That's exactly what we're here for.
Book a 15-minute security check
We'll review your current setup, identify the gaps that matter most, and give you a clear priority list. No sales pitch, no jargon, just a straight conversation about where you stand.