InfoSec Briefing - June 25, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Thursday the 25th of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 6 articles to cover. All attribution is by the article authors. All article analysis is automated.

SOC Radar have written up the FortiBleed campaign we've been tracking this week, now with attribution to a Russian-speaking syndicate. They compromised over 86,000 Fortinet devices across 194 countries using stolen credentials and a custom Golang harvesting tool, primarily targeting IT service providers in the US and India. Worth reading for the technical detail on the tooling if you're tracking this campaign.

Andrea Termine has released HoneyWire, an open-source deception platform that turns any Linux machine into a distributed canary in about a minute. It's designed for low false positives using a tripwire model, so one for organisations looking to add deception capability without enterprise pricing.

A researcher has published a denial-of-service proof of concept for CVE-2026-41089, a critical stack buffer overflow in Windows Netlogon affecting all domain controllers. The exploit crashes LSASS via crafted UDP packets to port 389, forcing a reboot — theoretical remote code execution remains possible but undemonstrated. Patches went out in May, so flag this if you've got unpatched DCs still kicking about.

InfoGuard have identified a widespread Exchange Online misconfiguration they're calling Ghost-Sender. Organisations using external MX records can end up bypassing SPF, DKIM, and DMARC entirely, allowing attackers to spoof internal users or external domains and land messages straight in the inbox. Particularly relevant if you're running hybrid Exchange with third-party spam filtering.

SentinelOne have analysed a rather clever bit of malware called macOS.Gaslight, attributed to DPRK-aligned actors. It's a Rust-based backdoor that embeds prompt injection payloads in its own code to trick LLM-driven analysis tools into aborting or misclassifying the threat — adversarial machine learning turned back on the analyst rather than the sandbox. Uses Telegram for command and control with AES encryption.

And finally, Trend Micro report active exploitation of CVE-2026-33017, an unauthenticated remote code execution flaw in Langflow. Attackers are deploying a Go-based cryptominer that disables defences, establishes persistence, and attempts SSH lateral movement — so this one extends well beyond resource theft if your Langflow instances are publicly exposed.

That concludes today's briefing.

📰 Articles Covered

Dismantling Fortibleed: Inside a Russian Fortinet compromise operation - socradar.io

The "FortiBleed" campaign refers to a massive, ongoing, and sophisticated credential-harvesting operation that has compromised over 86,000 Fortinet FortiGate firewalls and SSL VPN gateways across 194 countries 【6】【7】.

Contrary to the implications of its name, **FortiBleed is not a software vulnerability or a zero-day exploit** in Fortinet's products 【2】. Instead, it is a professionalized campaign utilizing stolen credentials, mass scanning, and custom tooling to gain unauthorized access to network infrastructure 【1】.

### What Happened
A Russian-speaking cybercriminal syndicate launched a coordinated effort to identify and compromise internet-exposed Fortinet devices. The campaign followed a rigorous "productization" lifecycle that involved scanning over 59 million hosts to fingerprint and target more than 430,000 devices 【1】【4】.

The actors obtained vast lists of credentials—likely from previous, unrelated breaches—and used them to systematically authenticate into firewalls and VPNs that had not implemented updated password policies or Multi-Factor Authentication (MFA) 【2】.

### Who Is Affected
The campaign has a global reach, impacting 194 countries, with a significant concentration of targets in the United States and India 【4】【7】. Small and medium-sized businesses (SMBs) in the IT services sector have been explicitly identified as key targets 【4】.

### Security Implications
* **Initial Access:** Attackers gain authorized-level access to the edge of corporate networks, providing a perfect jumping-off point for ransomware, data exfiltration, or further lateral movement 【1】.
* **Credential Harvesting:** The attackers do not just use existing credentials; they deploy sophisticated tools to turn compromised firewalls into active collection points for new credentials passing through the device 【3】.

### Technical Details
* **Tooling:** SOCRadar identified a Golang-based tool named `FortigateSniffer` used by the attackers. This tool leverages the built-in diagnostic command `diagnose sniffer packet` to passively capture authentication traffic across 24 different protocols from the compromised firewall 【3】.
* **Methodology:** The operation uses a combination of brute-force pipelines and credential stuffing, targeting devices that remain internet-accessible and rely on outdated or reused credentials 【2】【4】.

### What Defenders Should Know
* **Immediate Action:** Organizations should check if their IP addresses or domains appear in the publicly available FortiBleed dataset (many security vendors, including SOCRadar, have released free checkers for this purpose) 【5】【9】.
* **Hardening:** CISA has urged organizations to harden their Fortinet devices immediately 【8】. This includes:
* Forcing a password reset for all administrative and VPN users.
* Implementing Multi-Factor Authentication (MFA) across all remote access points.
* Reviewing device logs for unauthorized administrative access or the use of diagnostic sniffing commands.
* Limiting exposure by restricting management interfaces to trusted IP addresses only.
HoneyWire: HoneyWire: The Open-Source, Unlimited Deception Platform. Turn any Linux machine into an enterprise-grade canary in 60 seconds. - Andrea Termine

HoneyWire is a lightweight, distributed deception-based security system designed to detect intruders by monitoring unauthorized movement within internal networks. It functions as an early-warning mechanism that moves away from traditional, high-noise SIEM approaches in favor of a "High-Fidelity Tripwire" model, where alerts are generated only by deviations from established, authorized behavior.

### What Happened
HoneyWire has been introduced as an open-source, extensible platform that allows organizations to deploy sensors throughout their infrastructure. These sensors are designed to flag unauthorized access to sensitive files or unused network services, as well as to detect interaction with synthetic decoys that serve no legitimate business purpose.

### Who Is Affected (Target Audience)
The system is intended for security teams, network administrators, and defenders managing internal network security. Organizations looking to augment their existing SIEM infrastructure with high-fidelity, low-false-positive alerts are the primary users.

### Technical Details
HoneyWire operates as a platform of four modular, sensor-agnostic microservices:

* **Hub:** The central control plane. It is a Go binary that includes an embedded SQLite database and a Vue 3 web dashboard. It is deployed as a non-root user in a distroless container.
* **Sensors:** Lightweight, statically-linked Go binaries that monitor network segments, trap activity, and report back to the Hub via secure POST requests.
* **SDKs:** Developer tools that allow users to create custom sensors using any language, provided they adhere to the "HoneyWire Event Standard V2.0."
* **Wizard:** A TUI-based CLI tool used to automate deployment, testing, node discovery, and reconciliation of the network state.

The system supports various detection methods, including Deep Packet Inspection (DPI), DNS sinkholes, canary tokens, and TCP port tripwires.

### Security Implications
* **Reduced Noise:** Because decoys have no legitimate purpose, any interaction with them is treated as a high-confidence security event.
* **Blast Radius:** The architecture emphasizes segregation; the Hub and its sensors should be deployed on separate infrastructure to ensure that a compromise of a sensor node does not immediately jeopardize the central Hub.
* **Hardening:** The system employs distroless containers and operates under the principle of least privilege.
* **Communication:** Inter-node communication relies on unique `Node Keys`.
* **Traffic Privacy:** In a production environment, the Hub's UI and API should be shielded by a reverse proxy (e.g., Nginx, Caddy) to enforce HTTPS and prevent the exposure of sensitive dashboard credentials or node keys.

### Guidance for Defenders
* **Maintenance Awareness:** The Hub allows administrators to "arm" or "disarm" sensors. Defenders should utilize this feature to suppress alerts during authorized maintenance windows or scheduled vulnerability scans to prevent false positives.
* **SIEM Integration:** HoneyWire is designed to complement existing tools rather than replace them. It offers native integration with common communication platforms (Slack, Discord, Ntfy, Gotify) and supports RFC5424 Syslog forwarding, enabling seamless integration into established SIEM environments like Splunk, Elastic, or Wazuh.
* **Deployment Strategy:** To maximize effectiveness, defenders should strategically place sensors near high-value assets and on otherwise quiet or unused network segments.
CVE-2026-41089: CVE-2026-41089 PoC — Netlogon CLDAP stack buffer overflow (CVSS 9.8 CRITICAL) - only a Denial of Service PoC not RCE - 0xABCD01

The provided precis accurately summarizes the core aspects of the vulnerability as described in the source. Here is the structured breakdown based on the information provided:

| Category | Details |
| :--- | :--- |
| **What Happened** | A stack-based buffer overflow (CVE-2026-41089) exists in the Windows Netlogon service, allowing an unauthenticated attacker to crash the Local Security Authority Subsystem Service (LSASS) via a single crafted UDP packet to port 389, causing a Domain Controller reboot. |
| **Who is Affected** | All Windows Server versions operating as Domain Controllers (e.g., 2016, 2019, 2022, 2025). |
| **Security Implications** | CVSS 9.8 (Critical). While current exploitation is limited to Denial of Service (DoS), the nature of the vulnerability (CWE-121) makes Remote Code Execution (RCE) a theoretical possibility. |
| **Technical Details** | Caused by `NetpLogonPutUnicodeString` misinterpreting a maximum length parameter (bytes vs. WCHAR count), leading to an overflow of a 528-byte stack buffer in `BuildSamLogonResponse` when a CLDAP "User" field exceeds 130 WCHARs. |
| **Defensive Measures** | Patch systems (May 2026 updates), restrict inbound UDP/389 to trusted subnets, monitor for long "User" filter attributes in CLDAP traffic, and track LSASS crashes (Event ID 1000) related to `netlogon.dll`. |

This information was synthesized from the documentation provided at [https://github.com/0xABCD01/CVE-2026-41089](https://github.com/0xABCD01/CVE-2026-41089) 【1】.
Ghost-Sender - Universal Email Spoofing against Exchange Online - InfoGuard AG

The article outlines a significant, widespread misconfiguration known as "Ghost-Sender" that affects organizations using Exchange Online in conjunction with external MX records (such as third-party spam filters). This vulnerability allows attackers to bypass standard email authentication protocols and deliver spoofed messages directly to users' inboxes.

### What Happened
The "Ghost-Sender" vulnerability arises because Exchange Online is often configured to accept email directly—bypassing the intended security gateway—without performing proper SPF, DKIM, or DMARC checks. Attackers exploit this behavior to inject arbitrary emails into a target's environment, successfully impersonating any sender, including internal users and high-profile external domains.

### Who Is Affected
Organizations utilizing **Exchange Online** (or hybrid environments) that route email through external MX records are at risk. Research indicates that this is a systemic issue, with approximately **20% of scanned bug-bounty domains** using Exchange Online identified as vulnerable at the time of the report.

### Security Implications
The vulnerability poses a severe threat, as it enables highly credible social engineering attacks:
* **Arbitrary Spoofing:** Attackers can send emails from any external address or any internal address within the target organization.
* **Increased Credibility:** For internal spoofing, Outlook may display the legitimate sender’s profile picture and details, significantly increasing the likelihood that a target will fall for phishing or CEO fraud attempts.
* **Bypassing Protections:** Because the email bypasses the MX-level filtering, security policies that might otherwise catch malicious content are ineffective.

### Technical Details
* **Bypass Mechanism:** Exchange Online accepts incoming emails at its direct endpoint without requiring the authentication checks (SPF/DKIM/DMARC) that would normally occur at an email gateway.
* **Configuration Gaps:** Standard "secure" configurations provided by Microsoft, including typical connector settings and security presets, often fail to address this flow.
* **Lack of Visibility:** Microsoft’s own security dashboards and configuration analyzers typically do not flag this configuration as insecure, leading many administrators to believe they are protected when they are not.

### What Defenders Should Know
Defenders cannot rely on default configurations to prevent this attack. The following actions are recommended:
* **Implement Specific Mitigations:**
* Configure a **"Partner Organization" connector** that uses a wildcard (`*`) for sender domains and strictly enforces IP or certificate-based validation.
* Establish a **high-priority transport rule** to quarantine inbound mail that lacks the `X-MS-Exchange-Organization-AuthAs: Internal` header or that arrives from unauthorized IP ranges.
* **Disable "Direct Send":** This is critical to prevent the spoofing of internal email addresses.
* **Use Validation Tools:** Organizations can test their exposure using the tool provided by the researchers at [ghost-sender.com](https://ghost-sender.com/).
* **Detection Challenges:** There are no universal Indicators of Compromise (IoCs). Defenders must manually analyze email headers to identify discrepancies in the intended mail gateway flow.

**Status of Disclosure:** The researchers reported this to Microsoft in April 2026. Initially dismissed as an "architectural limitation," the case was reopened by MSRC after the publication of this research.
macOS.Gaslight | Rust Backdoor Turns Prompt Injection on the Analyst, Not the Sandbox - SentinelOne

The report from SentinelLabs detailing the "macOS.Gaslight" threat highlights a sophisticated evolution in malware development, where the focus shifts from evading traditional sandboxes to actively deceiving the LLM-driven tools used by cybersecurity analysts. Below is a detailed precis of the findings.

### What Happened
SentinelLabs identified "macOS.Gaslight," a Rust-based macOS implant and infostealer attributed to threat actors aligned with the DPRK (North Korea). First appearing in June 2026, the malware utilizes an innovative "adversarial machine learning" technique: it embeds malicious instructions within its own code to manipulate the Large Language Models (LLMs) used by security researchers during the automated triage and analysis process.

### Who Is Affected
The primary targets are macOS environments. Because the malware is designed to sabotage the analysis pipeline, security analysts and researchers utilizing AI-assisted tools are the immediate targets of the "prompt injection" component of the backdoor.

### Security Implications
This incident marks a critical shift in malware development. Adversaries are no longer just concerned with bypassing endpoint detection; they are actively weaponizing the AI-based security stack. By attempting to trick automated triage systems into aborting analysis, truncating logs, or misclassifying malicious files, attackers can effectively blind defenders and increase the dwell time of their implants.

### Technical Details
* **Implant Design:** Built in Rust, the implant maintains communication with its command-and-control (C2) server via a Telegram Bot API polling loop, utilizing AES-GCM encryption and certificate pinning to bypass network traffic inspection.
* **Persistence:** The malware masquerades as a legitimate system service by establishing a `LaunchAgent` under the label `com.apple.system.services.activity`.
* **Stealer Architecture:** To remain lightweight until active, it uses a modular approach, fetching a full CPython 3.10.18 environment from `astral-sh/python-build-standalone` only at the moment of execution.
* **Prompt Injection:** The malware contains a 3.5 KB payload consisting of 38 fabricated "system" messages delimited by `{{DATA}}` tokens. This structured data is designed to mimic the internal instructions of an LLM triage agent, forcing the model to ignore, misinterpret, or refuse to process the sample.
* **OpSec:** The malware includes self-redaction capabilities, automatically scrubbing sensitive credentials (like the Telegram bot token) from its own diagnostic outputs.

### What Defenders Should Know
The discovery of Gaslight necessitates an update to defensive workflows regarding AI and automation:
* **Zero-Trust Analysis:** Defenders must stop treating the contents of analyzed malware samples as passive data. Assume that any text, configuration file, or string within a sample is potentially an adversarial prompt designed to compromise the analysis environment.
* **Input Sanitization:** Security teams using LLM-assisted pipelines must implement strict input sanitization. Ensure that files being analyzed are treated as untrusted input and are properly isolated from the LLM’s instruction set.
* **Pipeline Hardening:** Expect to see more malware designed to exploit the LLM-assisted analysis lifecycle. Organizations should audit their AI triage pipelines to ensure they can handle adversarial prompts without failing or being misled.
From Langflow to Monero: Inside CVE-2026-33017 Cryptominer - Trend Micro

The information provided covers the critical aspects of the exploitation of CVE-2026-33017, as detailed by Trend Micro. Below is the summarized precis.

### What Happened
Threat actors are actively exploiting **CVE-2026-33017**, an unauthenticated remote code execution (RCE) vulnerability in Langflow. By targeting exposed instances, attackers execute arbitrary code to download and deploy a sophisticated cryptomining malware suite. The campaign functions as a "front door" for broader system compromise, extending beyond simple resource theft to include lateral movement and the systematic dismantling of host security.

### Who is Affected
* Organizations running Langflow instances that are exposed to the public internet.
* Instances running with elevated or privileged accounts (e.g., as root on CI/CD runners) are at the highest risk, as these environments facilitate easier lateral movement and persistent control.

### Security Implications
* **Resource Hijacking:** Unauthorized deployment of Monero miners (`procq`) leads to significant system performance degradation.
* **Security Neutralization:** The malware actively disables host-level security mechanisms, including AppArmor, SELinux, firewalls, and cloud-native security agents, leaving the system highly exposed.
* **Lateral Movement:** The threat actor attempts to spread to any SSH-reachable host by enumerating and abusing SSH keys and agent sockets.
* **Evasion:** The malware deletes system logs to hinder forensic analysis and incident response.

### Technical Details
* **Initial Access:** Exploitation occurs via an unauthenticated POST request to Langflow’s `/api/v1/build_public_tmp/{flow_id}/flow` endpoint.
* **Payload Chain:**
* A dropper script (`isp.sh`) is executed, which fetches a Go-based binary (`lambsys.elf`).
* **`lambsys.elf` functionality:** This binary eliminates rival cryptominers, strips file protections (`chattr`), establishes persistence via cron jobs and bash loops, and beacons to command-and-control (C&C) infrastructure at `83.142.209.214`.
* **Mining:** A custom version of XMRig is deployed to execute the mining operation.

### What Defenders Should Know
* **Detection:**
* Monitor for unauthenticated POST requests to Langflow public build endpoints.
* Identify suspicious process spawns (e.g., Langflow process executing shell download patterns like `curl ... | sh`).
* Watch for specific file artifacts such as `/var/tmp/.xlamb/` and `init_rmount`.
* Look for the removal of specific accounts (e.g., `akay`, `vfinder`) and DNS queries to `ipinfo.io` from application-server subnets.
* **Mitigation:**
* **Update:** Immediately patch Langflow to version 1.9.0 or later.
* **Exposure Control:** Restrict or remove public internet access to Langflow instances.
* **Principle of Least Privilege:** Run applications with the absolute minimum permissions required.
* **Incident Response:** If a compromise is detected, treat it as an SSH-key-exposure event. Rotate all associated SSH keys and perform a comprehensive inspection of all connected or reachable systems.