Cyber Intelligence Weekly

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Echelon Events & Thought Leadership Highlight

One click on a malicious link. Copilot silently exfiltrates your emails, MFA codes, and SharePoint data before a single audit log fires.

CVE-2026-42824 weaponizes Microsoft 365 Copilot through a three-stage chain: prompt injection via a crafted URL, silent data scraping across the M365 tenant, and exfiltration routed through Bing's image search as an SSRF proxy to bypass Content Security Policies. The audit logs miss the exfiltration phase entirely.

Senior Cybersecurity Consultant Alex Watts, Cybersecurity Consultant Mitchel Sykes, and Cybersecurity Associate Drew Foley broke down exactly how the exploit works and built a detection pack to hunt it using CrowdStrike Falcon Next-Gen SIEM. The article covers behavioral detection across all four attack phases, plus pivot queries for scoping blast radius once an alert fires.

Read the full breakdown here: https://lnkd.in/eSxS7dNW

Away we go!

1. CISA Warns Organizations to Immediately Secure Fortinet Devices Following Massive Credential Exposure

Federal cybersecurity officials are urging organizations around the world to take immediate action after reports emerged that credentials tied to tens of thousands of internet-facing Fortinet devices may have been exposed. The campaign, now widely referred to as FortiBleed, is believed to involve compromised credentials associated with approximately 74,000 Fortinet firewalls and SSL VPN gateways deployed across government agencies, private companies, and critical infrastructure organizations in nearly 200 countries. While the exposed credentials do not represent a newly discovered software vulnerability, they create a significant opportunity for attackers to gain unauthorized access to networks that have not properly secured or rotated administrative accounts.

Recognizing the potential impact, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert recommending that organizations treat the situation as an active threat rather than a theoretical risk. Administrators are encouraged to immediately terminate all active VPN and administrative sessions, reset passwords for both user and administrator accounts, and verify that Fortinet appliances are using modern password hashing with PBKDF2 instead of older legacy algorithms. CISA also recommends reviewing firewall, authentication, and domain controller logs for signs of suspicious activity, unauthorized configuration changes, or evidence of lateral movement that may indicate an attacker has already established persistence within the environment.

The incident highlights a growing reality facing security teams. Increasingly, attackers are not relying on sophisticated zero-day exploits to compromise organizations. Instead, they are leveraging previously stolen credentials, automated scanning tools, and artificial intelligence to rapidly identify exposed systems and gain access through valid accounts. Internet-facing VPN appliances, remote access gateways, and firewall management interfaces have become some of the highest value targets because they often provide direct entry into enterprise environments. Once valid credentials are obtained, attackers can frequently bypass traditional perimeter defenses without triggering immediate alarms.

Organizations using Fortinet products should view this alert as an opportunity to validate the security of their remote access infrastructure. In addition to rotating credentials and enforcing phishing-resistant multifactor authentication, organizations should ensure management interfaces are never exposed directly to the public internet, remove unnecessary administrative accounts, and continuously monitor authentication activity for anomalies. As credential-based attacks continue to outpace traditional exploit-driven campaigns, identity security has become one of the most important layers of modern cyber defense. The organizations that regularly validate privileged access, rotate credentials, and limit administrative exposure will be significantly better positioned to defend against the next wave of attacks.

FortiBleed Highlights the Growing Threat of Credential-Based Attacks

One of the biggest cloud and infrastructure security stories this week is FortiBleed, a campaign involving the exposure of credentials tied to approximately 74,000 internet-facing Fortinet devices worldwide. The Cybersecurity and Infrastructure Security Agency (CISA) has warned that attackers are actively leveraging these leaked credentials to target government agencies, enterprises, and critical infrastructure organizations. Unlike many recent attacks, this campaign does not rely on exploiting a new software vulnerability. Instead, attackers are simply logging in using valid credentials, making the activity much harder to detect through traditional security monitoring.

CISA is urging organizations to immediately terminate all active SSL VPN and administrator sessions, rotate all Fortinet administrative and VPN passwords, enable phishing-resistant multifactor authentication, and verify that administrator credentials are stored using Fortinet's newer PBKDF2 hashing algorithm. Organizations should also review firewall, VPN, authentication, and domain controller logs for signs of lateral movement or unauthorized configuration changes.
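The log review that CISA recommends (both in the first Fortinet item above and here) is the kind of check a defender can script. The following is an added example written for this newsletter, not CISA's or Fortinet's tooling: it parses constructed FortiGate-style key=value event lines and flags admin logins from outside an assumed management allowlist and VPN accounts tunnelling from several addresses, the two patterns a leaked credential would most plausibly produce.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed FortiGate-style key=value event lines (sample data, not real logs).
SAMPLE_LOGS = """\
date=2026-06-02 time=08:01:10 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.10.0.5 action="login" status="success"
date=2026-06-02 time=08:03:44 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="jsmith" remip=203.0.113.7 action="tunnel-up"
date=2026-06-02 time=08:05:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.23 action="login" status="success"
date=2026-06-02 time=08:07:30 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="jsmith" remip=192.0.2.99 action="tunnel-up"
date=2026-06-02 time=08:09:12 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.23 action="login" status="failed"
"""

# Assumed management allowlist: administrator logins should only originate here.
MGMT_NETS = [ip_network("10.10.0.0/16")]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_mgmt_source(ip):
    return any(ip_address(ip) in net for net in MGMT_NETS)


def find_suspicious(log_text):
    """Return (rule, user, detail) tuples worth a look after a credential leak."""
    findings = []
    vpn_sources = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("subtype") == "system" and ev.get("action") == "login":
            # Any admin login attempt, successful or not, from outside the
            # management allowlist is exactly what a leaked admin credential produces.
            if not is_mgmt_source(ev["srcip"]):
                findings.append((f"admin-login-{ev['status']}-untrusted-source", ev["user"], ev["srcip"]))
        elif ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up":
            vpn_sources[ev["user"]].add(ev["remip"])
    # One VPN account tunnelling from several addresses in a short window
    # suggests the credential is in use by someone other than its owner.
    for user, ips in vpn_sources.items():
        if len(ips) > 1:
            findings.append(("vpn-user-multiple-sources", user, ",".join(sorted(ips))))
    return findings
```

Every hit should feed the session-termination and password-rotation steps above, since a login with a valid credential will not otherwise stand out as an error.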

This incident reinforces a trend we've been seeing throughout 2026. Identity has become the new perimeter. As cloud adoption continues to grow, attackers increasingly prefer credential theft over vulnerability exploitation because it provides faster, quieter access into enterprise environments. Organizations should treat privileged account management, MFA enforcement, continuous authentication monitoring, and regular credential rotation as foundational cloud security controls rather than optional best practices.

Key Takeaway: Your firewall is only as secure as the credentials protecting it. Strong identity governance, phishing-resistant MFA, and continuous monitoring are now essential components of any mature cloud security program.

2. Microsoft and Global Law Enforcement Strike at the Cybercrime Supply Chain

For years, cybersecurity defenders have spent enormous resources taking down individual malware families, ransomware gangs, and criminal infrastructure. Microsoft is now pursuing a far more ambitious strategy. Rather than chasing one threat actor at a time, the company is targeting the cybercrime supply chain itself, disrupting the interconnected tools, infrastructure, and services that criminals rely on to launch attacks at scale.

In one of its most significant coordinated operations to date, Microsoft partnered with Europol and international law enforcement agencies to dismantle infrastructure supporting the Amadey and StealC malware families. Together, the operation disrupted more than 200 command and control servers, contributed to the seizure of hundreds of criminal servers and domains, helped recover approximately €41 million in cryptocurrency tied to criminal activity, and severed attacker control over more than 18,000 compromised computers. During just the first two weeks of May, Amadey and StealC were linked to more than 140,000 infected systems worldwide, underscoring how deeply embedded these malware platforms have become within today's cybercrime ecosystem.

What makes this operation particularly noteworthy is the role artificial intelligence played behind the scenes. Microsoft's investigators used AI, including Copilot, to rapidly analyze malware samples, identify shared infrastructure, uncover hidden relationships, and connect what initially appeared to be separate criminal operations. Those findings enabled Microsoft's legal team to pursue a broader strategy under the Racketeer Influenced and Corrupt Organizations Act (RICO), treating multiple malware operations and their supporting infrastructure as part of a single criminal enterprise. That represents a significant evolution in how defenders can respond to increasingly modular cybercrime networks that operate more like sophisticated businesses than isolated hacking groups.

The broader lesson for security leaders is that cybercrime has become an industrialized assembly line. One tool gains initial access, another steals credentials, another sells that access, and yet another deploys ransomware or conducts espionage. Defenders must think the same way. Success will increasingly depend on disrupting every stage of the attack lifecycle through collaboration between technology providers, law enforcement, telecommunications companies, and threat intelligence organizations. AI is rapidly changing both sides of cybersecurity, but when combined with legal authorities and global partnerships, it also has the potential to shift the advantage back toward defenders.

AI Is Driving a New Era of Vulnerability Discovery

Microsoft's record-breaking June Patch Tuesday included fixes for more than 200 security vulnerabilities, the largest monthly release in the company's history. What's most notable isn't simply the number of vulnerabilities patched. Microsoft acknowledged that artificial intelligence played a major role in discovering many of these flaws through its internal AI-powered code analysis and vulnerability research initiatives.

AI is rapidly changing both sides of cybersecurity. Defensive teams can now analyze millions of lines of source code in a fraction of the time previously required, uncovering weaknesses before attackers exploit them. At the same time, security researchers expect threat actors to gain access to increasingly capable AI systems that can automate reconnaissance, identify vulnerable software, and accelerate exploit development. The result is a dramatically shorter window between vulnerability discovery and active exploitation.

Organizations should begin preparing for this new reality by investing in AI-assisted secure code reviews, automated vulnerability management, and faster patch deployment processes. Traditional monthly patch cycles may no longer be sufficient as AI continues to compress remediation timelines. Security leaders should also establish governance around internal AI usage, ensuring AI tools are integrated securely into software development and security operations.

Key Takeaway: AI is transforming vulnerability management from a reactive process into a race against time. Organizations that leverage AI to strengthen their defenses today will be better positioned as AI-driven attacks become faster, more sophisticated, and increasingly automated.

3. Cisco SD-WAN Zero Day Attack Shows Why Initial Access Is Only the Beginning

New forensic details released by Mandiant have shed light on one of the more sophisticated Cisco SD-WAN attacks we've seen this year, demonstrating that modern intrusions rarely depend on a single vulnerability. Instead, attackers chained together multiple techniques to quietly gain administrative control, establish persistence, and erase nearly every trace of their activity before defenders had a chance to respond.

According to Mandiant's investigation, the attackers first established unauthorized peering connections with Cisco SD-WAN infrastructure before authenticating to SD-WAN Manager devices. Researchers believe the initial access may have been tied to previously disclosed Cisco authentication bypass vulnerabilities or, in some environments, stolen certificates from earlier compromises. Once inside, the threat actors gathered configuration information across controllers and edge devices before exploiting CVE-2026-20245, a command injection vulnerability that allowed them to execute commands with root privileges. Their payload quietly created a hidden root account named "troot," giving the attackers unrestricted control of the underlying operating system while blending into normal administrative activity.

What makes this intrusion particularly concerning is the operational discipline demonstrated throughout the attack. Before making any modifications, the threat actors created backups of critical system files. After gaining root access, they restored configuration files to their original state, deleted the malicious payload, removed temporary artifacts, erased evidence of the rogue account, and even executed validation scripts to verify that no indicators of compromise remained behind. This level of anti-forensic tradecraft reflects an adversary focused on long-term persistence rather than immediate disruption, making traditional indicator-based detection significantly less effective.

For organizations running Cisco SD-WAN, patching CVE-2026-20245 is only one piece of the response. Security teams should review SD-WAN logs for unauthorized peering relationships, validate administrative account activity, inspect device configurations for unexpected changes, and collect diagnostic information recommended by Cisco and Mandiant. More importantly, this incident reinforces a broader lesson for defenders. Today's attackers rarely rely on a single exploit. They chain vulnerabilities, leverage stolen credentials, establish persistence, and actively cover their tracks. Effective defense requires continuous monitoring, threat hunting, identity protection, and incident response capabilities that assume attackers may already be inside the environment long before traditional security controls generate an alert.
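The account and configuration review described above can be reduced to diffing device snapshots against an off-box baseline. The following is an added example written for this newsletter, not Cisco's or Mandiant's tooling, using constructed /etc/passwd contents: it flags any UID 0 account other than root (the "troot" pattern described above), reports added, removed and altered accounts, and shows why a single check taken after the attackers' cleanup comes back clean, which is the argument for keeping periodic off-box snapshots.

```python
import difflib

# Constructed snapshots (not from a real SD-WAN Manager). The baseline is assumed
# to come from an off-box store the attacker cannot reach and "restore".
PASSWD_BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
"""
# Mid-intrusion: a second UID 0 account, mirroring the rogue "troot" account.
PASSWD_DURING = PASSWD_BASELINE + "troot:x:0:0::/root:/bin/bash\n"
# After the attackers' anti-forensic cleanup the file matches the baseline again.
PASSWD_AFTER_CLEANUP = PASSWD_BASELINE


def parse_passwd(text):
    """Map login name -> (uid, shell) for each well-formed passwd line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            accounts[fields[0]] = (fields[2], fields[6])
    return accounts


def audit_accounts(baseline_text, current_text):
    """Compare a current snapshot with the baseline and report anything rogue."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    return {
        # Extra UID 0 logins are root by another name, whatever they are called.
        "rogue_uid0": sorted(n for n, (uid, _) in cur.items() if uid == "0" and n != "root"),
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        # An existing account whose uid or shell changed (e.g. uid rewritten to 0).
        "changed": sorted(n for n in set(base) & set(cur) if base[n] != cur[n]),
    }


def passwd_diff(baseline_text, current_text):
    """Unified diff of the two snapshots, for the incident record."""
    return list(difflib.unified_diff(baseline_text.splitlines(), current_text.splitlines(),
                                     "baseline", "current", lineterm=""))
```

Because the post-cleanup snapshot audits clean, the finding only survives if an earlier snapshot was captured and stored off the device.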

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?