ctipilot.ch


FortiBleed

high · synthesis · discovered 2026-06-29 00:21 UTC

Entities: FortiBleed

Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))

The W25 top story continued without a scale revision — the device count holds at the 86,644 figure the dailies reported — but the in-window development is the clearest state-interest signal yet: CISA updated its hardening alert on 06-22 to link Fortinet's revised guidance, and reporting now confirms that in mid-June the Russian-speaking operator completed offline Kerberos-hash cracking from captured FortiGate configs and immediately exfiltrated DFS backup data from a NATO-aligned defence contractor — a full AD domain takeover (Security Affairs). Outstanding for defenders: treat any FortiGate admin/VPN credential active May–June 2026 as compromised, rotate it, then hunt AD for pass-the-hash, DCSync and DFS-backup exfiltration (Kerberos ticket anomalies, LSASS access, ntdsutil/impacket artefacts). Patch level is irrelevant — this is credential reuse, not a new CVE.
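The hunt steps named above (DCSync, ntdsutil/impacket artefacts, Kerberos ticket anomalies) as one small detection pass over exported Security events. This is an added example, not code from the ctipilot.ch brief or from any of the reports it cites; it assumes a simplified key="value" event export, constructed sample lines, a constructed list of domain-controller accounts, and the standard DS-Replication-Get-Changes / -All rights GUIDs that a DCSync read requests.

```python
"""Hunt exported Windows Security events for AD-takeover artefacts: DCSync
replication reads, NTDS/backup dumping tools, and RC4 Kerberos service
tickets (a common pass-the-hash / overpass-the-hash tell on AES domains).

Added example, not code from the brief. Event lines are constructed samples
in a simplified key="value" export; field names follow the Windows Security
log, but a real SIEM export needs its own parser.
"""
import re
from dataclasses import dataclass

# Extended rights a caller needs to pull password data via replication (DCSync).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Built-in tools commonly used to stage an offline copy of NTDS.dit.
DUMP_TOOLS = {"ntdsutil.exe", "vssadmin.exe", "diskshadow.exe"}

# Kerberos etype 0x17 = RC4-HMAC. A TGS request using RC4 from a user account
# on an AES-enabled domain is worth a look (hash-based auth or roasting).
RC4_ETYPE = "0x17"

# Constructed: machine accounts of the domain controllers (legitimate replicators).
DC_ACCOUNTS = {"DC01$", "DC02$"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    detail: str


def parse_event(line: str) -> dict:
    """Turn one key="value" export line into a dict of fields."""
    return dict(FIELD_RE.findall(line))


def hunt(lines, dc_accounts=DC_ACCOUNTS):
    """Return one Finding per suspicious event; benign events yield nothing."""
    dcs = {a.upper() for a in dc_accounts}
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        # 4662 carries SubjectUserName; 4769 carries TargetUserName@REALM.
        acct = (ev.get("SubjectUserName") or ev.get("TargetUserName") or "?").split("@")[0]
        if eid == "4662":
            # Directory object access: replication rights from a non-DC account.
            props = ev.get("Properties", "").lower()
            if any(g in props for g in REPL_RIGHTS) and acct.upper() not in dcs:
                findings.append(Finding("dcsync", acct, "replication rights requested by non-DC"))
        elif eid == "4688":
            # Process creation: NTDS dump tooling with a telltale command line.
            proc = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            cmd = ev.get("CommandLine", "")
            if proc in DUMP_TOOLS and any(k in cmd.lower() for k in ("ntds", "ifm", "shadow")):
                findings.append(Finding("ntds-dump", acct, f"{proc}: {cmd}"))
        elif eid == "4769":
            # Kerberos TGS request with RC4 from a user (non-machine) account.
            if ev.get("TicketEncryptionType") == RC4_ETYPE and not acct.endswith("$"):
                findings.append(Finding("rc4-ticket", acct, f"RC4 TGS for {ev.get('ServiceName', '?')}"))
    return findings


# Constructed sample export; a mix of benign and suspicious events.
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: excluded by the DC allow-list.
    r'EventID="4662" SubjectUserName="DC02$" ObjectType="domainDNS" Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"',
    # DCSync from a service account that has no business replicating.
    r'EventID="4662" SubjectUserName="svc_backup" ObjectType="domainDNS" Properties="{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    # ntdsutil IFM export: an offline NTDS.dit copy being staged.
    r'EventID="4688" SubjectUserName="svc_backup" NewProcessName="C:\Windows\System32\ntdsutil.exe" CommandLine="ntdsutil.exe ac i ntds ifm create full C:\temp\ifm q q"',
    # Benign process creation: not a dump tool.
    r'EventID="4688" SubjectUserName="jdoe" NewProcessName="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe C:\notes.txt"',
    # RC4 service ticket for a user account on an AES domain.
    r'EventID="4769" TargetUserName="svc_backup@CORP.LOCAL" ServiceName="cifs/fs01" TicketEncryptionType="0x17"',
    # AES service ticket: normal.
    r'EventID="4769" TargetUserName="jdoe@CORP.LOCAL" ServiceName="cifs/fs01" TicketEncryptionType="0x12"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.account}: {f.detail}")
```

The DC allow-list is what keeps the DCSync rule from firing on every inter-DC replication cycle, so it has to be complete and maintained; the RC4 rule only makes sense where AES is the domain default, otherwise tune it to accounts whose supported encryption types exclude RC4.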

Tags: actively-exploited · data-breach · identity · russia-nexus · global · europe · switzerland