The FortiBleed campaign has identified over 80,000 internet‑facing Fortinet FortiGate devices with working usernames and passwords, according to SOCRadar, a scale that prompted CISA to urge Fortinet customers to secure their appliances now.
FortiBleed: credential reuse, brute force, and a sprawling attack surface
SOCRadar says the campaign, dubbed FortiBleed, has been active since at least February 2026 and uses automated tools to test credentials around the clock. The activity has been attributed to suspected Russian‑speaking actors who combined credential reuse from past incidents (including CVE‑2026‑24858, CVE‑2025‑59718, and CVE‑2025‑59719) with brute‑force attempts against devices that lack multi‑factor authentication (MFA) and exhibit weak password hygiene. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers with FortiGate appliances to take steps to secure them against ongoing malicious activity aimed at thousands of internet‑accessible devices.
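The two behaviours SOCRadar describes, repeated failures against one account and many usernames tried from one source, both leave a simple signature in admin-login event logs. The script below is an added defender-side example, not SOCRadar's or Fortinet's code: the log lines are constructed and only loosely modelled on key=value appliance event logs, and the field names (srcip, user, action, status) and thresholds are assumptions rather than FortiGate's real schema.

```python
"""Flag brute-force and password-spray bursts against an admin login interface.

Added example. SAMPLE_LOGS is constructed; field names and thresholds are
assumptions, not the appliance's actual log schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value pairs, values either quoted or bare (assumed log shape)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOGS = [  # constructed sample data
    'date=2026-03-02 time=08:00:01 srcip=192.0.2.5 user="netops" action="login" status="success"',
    'date=2026-03-02 time=08:01:00 srcip=198.51.100.7 user="admin" action="login" status="failed"',
    'date=2026-03-02 time=08:01:05 srcip=198.51.100.7 user="admin" action="login" status="failed"',
    'date=2026-03-02 time=08:01:10 srcip=198.51.100.7 user="admin" action="login" status="failed"',
    'date=2026-03-02 time=08:01:15 srcip=198.51.100.7 user="admin" action="login" status="failed"',
    'date=2026-03-02 time=08:01:20 srcip=198.51.100.7 user="admin" action="login" status="failed"',
    'date=2026-03-02 time=08:01:25 srcip=198.51.100.7 user="admin" action="login" status="failed"',
    'date=2026-03-02 time=08:01:30 srcip=198.51.100.7 user="admin" action="login" status="success"',
    'date=2026-03-02 time=08:02:00 srcip=203.0.113.9 user="admin" action="login" status="failed"',
    'date=2026-03-02 time=08:02:01 srcip=203.0.113.9 user="root" action="login" status="failed"',
    'date=2026-03-02 time=08:02:02 srcip=203.0.113.9 user="fortinet" action="login" status="failed"',
    'date=2026-03-02 time=08:02:03 srcip=203.0.113.9 user="guest" action="login" status="failed"',
    'date=2026-03-02 time=08:10:00 srcip=192.0.2.5 user="netops" action="logout" status="success"',
]


def parse_line(line):
    """Turn one key=value line into a dict with a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def detect_login_abuse(lines, window=timedelta(minutes=5), fail_threshold=5, spray_users=3):
    """Return alerts, in order of detection, for sources that exceed
    fail_threshold failures in `window` (brute force) or try spray_users
    distinct usernames (password spray); a later success from a flagged
    source is raised as the highest-priority alert."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e["ts"])
    failures = defaultdict(list)  # srcip -> [(ts, user)] inside the window
    flagged = set()
    alerts = []
    for e in events:
        if e.get("action") != "login":
            continue
        src = e["srcip"]
        if e.get("status") == "failed":
            failures[src].append((e["ts"], e["user"]))
            # keep only failures still inside the sliding window
            failures[src] = [(t, u) for t, u in failures[src] if e["ts"] - t <= window]
            users = {u for _, u in failures[src]}
            if src not in flagged and (len(failures[src]) >= fail_threshold or len(users) >= spray_users):
                flagged.add(src)
                kind = "password_spray" if len(users) >= spray_users else "brute_force"
                alerts.append({"srcip": src, "kind": kind,
                               "failures": len(failures[src]), "users": sorted(users)})
        elif e.get("status") == "success" and src in flagged:
            alerts.append({"srcip": src, "kind": "success_after_failures", "user": e["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOGS):
        print(alert)
```

The "success after failures" alert is the one to page on: a burst of failures followed by a successful login from the same source is the pattern a reused or guessed credential leaves behind, and it is exactly the case MFA on the management interface is meant to stop.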
GentleKiller: ransomware groups weaponizing EDR evasion
The Gentlemen ransomware‑as‑a‑service operation is actively developing and distributing an EDR‑killing framework called GentleKiller. The group maintains eight variants of the toolset, each impersonating a different legitimate product and abusing distinct kernel drivers. GentleKiller targets more than 400 processes across 48 security products — including CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Kaspersky, and ESET — and is handed to affiliates to disable endpoint detection and response tools prior to encryptor deployment.
Splunk CVE‑2026‑20253: unauthenticated file operations can lead to RCE
Splunk's Product Security Incident Response Team said it observed "limited exploitation" of CVE‑2026‑20253 in Splunk Enterprise. In affected versions (below 10.2.4 and 10.0.7), an unauthenticated, network‑reachable user could invoke a PostgreSQL sidecar service endpoint to create or truncate arbitrary files because that endpoint lacks authentication controls. Resecurity warned the flaw is "particularly dangerous" because chaining weaknesses can allow an attacker to move from unauthenticated file operations to remote code execution, exposing logs, credentials, and operational data and providing a foothold for persistence and lateral movement.
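The weakness class here is a file-management endpoint that performs create-or-truncate on a caller-supplied path with no authentication and no confinement. The following is an added illustration of that pattern next to a hardened handler; it is not Splunk's code, and the request shape, the bearer-token check and the managed base directory are assumptions.

```python
"""An unauthenticated create/truncate endpoint beside a hardened version.

Added example of the weakness class, not Splunk's code. Request shape,
token and base directory are assumptions.
"""
import hmac
import tempfile
from pathlib import Path

API_TOKEN = "constructed-example-token"  # assumption: secret issued to the service's caller


def vulnerable_handle(request):
    """No authentication, no path confinement: any caller truncates any file."""
    path = request["path"]
    with open(path, "w"):  # mode 'w' creates the file or truncates it to zero bytes
        pass
    return 200, f"truncated {path}"


class HardenedFileService:
    """Same operation, gated by authentication, confinement and an explicit overwrite flag."""

    def __init__(self, base_dir, token):
        self.base = Path(base_dir).resolve()
        self.token = token

    def _authorized(self, request):
        supplied = request.get("headers", {}).get("Authorization", "")
        # constant-time comparison so the check does not leak the token byte by byte
        return hmac.compare_digest(supplied, f"Bearer {self.token}")

    def _confine(self, user_path):
        # resolve '..' and symlinks first, then require the result to sit under base
        target = (self.base / user_path).resolve()
        if self.base not in target.parents:
            raise PermissionError(user_path)
        return target

    def handle(self, request):
        if not self._authorized(request):
            return 401, "authentication required"
        try:
            target = self._confine(request["path"])
        except PermissionError:
            return 403, "path outside managed directory"
        if target.exists() and not request.get("allow_overwrite", False):
            return 409, "refusing to truncate an existing file without allow_overwrite"
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
        return 200, f"created {target.name}"


def demo():
    """Run both handlers against a throwaway directory; returns status codes."""
    root = Path(tempfile.mkdtemp())
    victim = root / "victim.log"
    victim.write_text("important data")
    managed = root / "managed"
    managed.mkdir()
    svc = HardenedFileService(managed, API_TOKEN)
    auth = {"headers": {"Authorization": f"Bearer {API_TOKEN}"}}
    return {
        "vuln_status": vulnerable_handle({"path": str(victim)})[0],
        "victim_after_vuln": victim.read_text(),
        "no_token": svc.handle({"path": "a.txt"})[0],
        "traversal": svc.handle({**auth, "path": "../victim.log"})[0],
        "absolute": svc.handle({**auth, "path": str(victim)})[0],
        "create_ok": svc.handle({**auth, "path": "new/a.txt"})[0],
        "repeat_create": svc.handle({**auth, "path": "new/a.txt"})[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The order of the checks matters: authentication is decided before the path is touched, so an unauthenticated caller learns nothing about the filesystem, and confinement is done on the resolved path, so `..` segments and symlinks cannot escape the managed directory.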
Rokarolla and the continuing mobile threat: invasive Android trojans
Zimperium described a new Android trojan called Rokarolla that is distributed via malicious websites while masquerading as popular apps such as TikTok or Google Chrome. Rokarolla targets 217 cryptocurrency and banking applications with fake overlay login screens and implements 137 commands that grant extensive device control: harvesting lock‑screen credentials, exfiltrating contacts and SMS, monitoring screen content (including WhatsApp), taking screenshots via Accessibility services, redirecting crypto transactions, and continuous keylogging. The dropper masquerades as Google Play Protect to facilitate installation and evade Android restrictions; the campaign also deactivates Google Play Protect, hides from the launcher, blocks calls, suppresses audio, and uses overlays to frustrate user intervention.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Prioritize MFA and credential‑hygiene checks on FortiGate and similar appliances, patch Splunk Enterprise to supported fixed releases, and hunt for signs of EDR tampering — GentleKiller targets hundreds of security processes and kernel drivers.
- Affected enterprises and procurement leaders: Review third‑party integrations and legacy credentials after Salesforce disabled the Klue app integration following unusual activity tied to an extortion group (Icarus). Audit supply chains for embedded JavaScript and SDKs after incidents like the Okendo Reviews compromise and Popa SDK findings.
- End users and the general public: Exercise caution with downloads and browser extensions; researchers warned that “Featured” Chrome add‑ons like SiderAI and MaxAI contained unpatched flaws that let malicious sites take screenshots or run code, and mobile users should be wary of apps or prompts that impersonate Google Play Protect.
Conclusion
This week’s reporting repeats a familiar pattern: scale and simplicity are the attackers' force multipliers. From FortiBleed's tens of thousands of internet‑facing FortiGate credentials to GentleKiller's blunt instrument for disabling EDR, the common threads are reused credentials, permissive integrations, unpatched services, and social engineering. As the bulletin put it bluntly: "most attacks do not need a genius move." The concrete steps in the reporting point to where defenders must start: enforce MFA, rotate and vet legacy credentials, patch exposed services (Splunk Enterprise and the other CVEs listed), and treat third‑party apps and browser extensions as high‑risk control points.