Cyber Security News

Hacking Editorial Brief — June 18, 2026

Fortinet Credential Stuffing Campaign Compromises Over 30,000 Devices

Cybercriminals have compromised more than 30,000 Fortinet firewalls and VPN devices worldwide through credential-based attacks exploiting reused and previously leaked passwords, according to reports from researchers. The campaign represents systematic exploitation of weak authentication practices rather than technical vulnerabilities, affecting enterprise perimeter security infrastructure globally. Separately, researchers at Malwarebytes discovered an exposed collection containing 24 billion credential records aggregated from 36 sources, including infostealer logs and Telegram channels. The dataset includes usernames, passwords, and account data that directly enables credential stuffing and account takeover operations at scale. The simultaneous disclosure highlights the operational cycle between credential theft, aggregation, and systematic reuse against enterprise infrastructure.

Threat Actors Abuse AI Infrastructure and Cloud Logging for Offensive Operations

Threat actors are weaponizing misconfigured Ollama AI model servers as reasoning engines to power autonomous penetration testing frameworks, according to researchers. Attackers are using exposed inference servers to generate exploit code, analyze target systems, and synthesize attack chains without requiring local computational resources. In parallel operations, sophisticated threat actors are manipulating AWS CloudTrail and Google Cloud Logging configurations to redirect security telemetry to attacker-controlled destinations, effectively blinding enterprise security teams while maintaining persistent access. Both techniques demonstrate adversary adaptation to cloud-native and AI-enabled infrastructure, exploiting operational blind spots in emerging technology deployments.

Ransomware and Extortion Activity Targets Critical Infrastructure and Healthcare

The Gentlemen, a Russian-speaking ransomware group, has reportedly claimed responsibility for a cyberattack that disrupted operations at Mackay Sugar, Australia's second-largest raw sugar producer. The claim has not been independently verified. Iranian-linked group Handala claims to have breached water infrastructure systems in Bakersfield, Visalia, and Chico, California, and posted alleged proof of compromise. The claims have not been confirmed by affected municipalities. Separately, threat group FulcrumSec claims it exfiltrated over one terabyte of data from Novo Nordisk in an ongoing $25 million extortion attempt, while cardiac monitoring firm iRhythm Technologies disclosed to the SEC that attackers recently stole proprietary and patient data. Comcast investigators linked recent compromise activity to Midnight Blizzard, a group associated with Russia's Foreign Intelligence Service, though specific operational details remain under investigation. Meanwhile, researchers report that China-nexus actor UNC6508 maintained undetected access to U.S. academic, medical, and military research institutions for over a year using custom malware designed for credential theft and research data exfiltration.

Sources: Pluang · Malwarebytes · CyberPress · CyberPress · ABC News · KGET · Yahoo Finance · BankInfoSecurity · WSJ · [Dark Reading](https://www