Weekly Cyber Briefing 19.06.2026
Weekly Cyber Update: 18 June 2026
Ransomware actors hide in Teams; a massive Fortinet credential leak; Litespeed users are targeted; and warnings of nation state OT activity and AI data leakage.
The DragonForce ransomware group hid command-and-control (C2) traffic inside Microsoft Teams relay infrastructure as part of a devastating breach of a major US services company, according to Symantec. The security vendor said it was the first known in-the-wild abuse of Teams TURN infrastructure for malware C2. The ransomware affiliate used custom malware – ‘Backdoor.Turn’ – to obtain an anonymous Teams visitor token, enabling the group to hide inside trusted traffic flows. The organisation had data stolen and encrypted.
This breach follows a recent trend of threat actors hiding inside trusted services such as cloud storage, collaboration tools and SaaS applications. Detection by traditional network tools is challenging, because aggressive inspection or blocking of Teams traffic could cause business disruption.
Hunt for unusual Teams-related activity including suspicious processes and authentication patterns. Complement network monitoring with comprehensive endpoint detection and response (EDR) telemetry. Strengthen Teams governance and ensure the SOC has visibility of Teams audit logs.
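One concrete form the hunt above can take is a check of EDR network telemetry for processes other than the genuine Teams client talking to TURN/STUN relay ports. The script below is an added illustration written for this briefing, not code from Symantec or from the vendor; it assumes (none of this is from the page) that EDR events arrive as NDJSON with the fields shown, that Teams media relays are reached on ports 3478–3481 (the standard STUN/TURN range) and that the legitimate client runs as ms-teams.exe from the WindowsApps MSTeams package or as Teams.exe from the classic AppData location. The sample events are constructed.

```python
"""Hunt for TURN/STUN-port connections from processes that are not the Teams client.

Added illustration for the DragonForce / Backdoor.Turn item; not code from Symantec
or from this briefing.  Assumptions not taken from the page: EDR network events are
NDJSON with the fields used below, Teams media relays are reached on ports 3478-3481
(the standard STUN/TURN range), and the genuine client is ms-teams.exe (new Teams,
under WindowsApps) or Teams.exe (classic, under AppData).  Tune both lists locally.
"""
import json
from collections import Counter

TURN_PORTS = range(3478, 3482)          # 3478-3481 inclusive

# Assumed names and install locations of the legitimate Teams client (lower-case).
TEAMS_BINARIES = {"ms-teams.exe", "teams.exe"}
TEAMS_PATH_MARKERS = (
    "/program files/windowsapps/msteams_",   # new Teams (MSIX package) - assumed
    "/appdata/local/microsoft/teams/",       # classic Teams - assumed
)

# Constructed sample telemetry: one JSON event per line.
SAMPLE_EVENTS = r"""
{"ts":"2026-06-15T08:02:11Z","host":"WS-0142","user":"alice","image":"C:\\Program Files\\WindowsApps\\MSTeams_x64\\ms-teams.exe","dst_ip":"52.112.10.5","dst_port":3478,"proto":"udp"}
{"ts":"2026-06-15T08:02:13Z","host":"WS-0142","user":"alice","image":"C:\\Program Files\\WindowsApps\\MSTeams_x64\\ms-teams.exe","dst_ip":"52.112.10.5","dst_port":3481,"proto":"udp"}
{"ts":"2026-06-15T08:05:40Z","host":"SRV-FILE01","user":"SYSTEM","image":"C:\\Windows\\Temp\\svchost.exe","dst_ip":"52.112.22.9","dst_port":3478,"proto":"tcp"}
{"ts":"2026-06-15T08:05:41Z","host":"SRV-FILE01","user":"SYSTEM","image":"C:\\Windows\\Temp\\svchost.exe","dst_ip":"52.112.22.9","dst_port":3478,"proto":"tcp"}
{"ts":"2026-06-15T08:06:02Z","host":"WS-0200","user":"bob","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dst_ip":"203.0.113.7","dst_port":443,"proto":"tcp"}
{"ts":"2026-06-15T08:07:19Z","host":"WS-0200","user":"bob","image":"C:\\Users\\Public\\ms-teams.exe","dst_ip":"52.112.22.9","dst_port":3479,"proto":"udp"}
"""


def parse_events(ndjson: str) -> list:
    """Parse NDJSON telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def normalise_path(image: str) -> str:
    """Lower-case and use '/' so Windows and POSIX paths compare the same way."""
    return image.replace("\\", "/").lower()


def is_legit_teams(image: str) -> bool:
    """True only if BOTH the file name and its location match the real Teams client.
    A binary merely named ms-teams.exe but dropped in Temp or Public fails the test."""
    path = normalise_path(image)
    name = path.rsplit("/", 1)[-1]
    return name in TEAMS_BINARIES and any(m in path for m in TEAMS_PATH_MARKERS)


def find_turn_anomalies(events: list) -> list:
    """Events on a TURN/STUN port whose source process is not the Teams client."""
    return [ev for ev in events
            if ev["dst_port"] in TURN_PORTS and not is_legit_teams(ev["image"])]


def summarise(hits: list) -> dict:
    """Collapse hits to one (host, image) -> count entry per offender for triage."""
    return dict(Counter((h["host"], h["image"]) for h in hits))


if __name__ == "__main__":
    hits = find_turn_anomalies(parse_events(SAMPLE_EVENTS))
    for (host, image), n in summarise(hits).items():
        print(f"{host}: {n} TURN-port connection(s) from non-Teams process {image}")
```

Keying on the port rather than on a relay hostname keeps the rule independent of Microsoft's relay IP ranges, and the location check catches a dropper that simply renames itself after the real client; on a real estate both allowlists need tuning against a baseline of known-good Teams installs.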
Researchers have discovered a leaked database containing around 75,000 credentials stolen from Fortinet and FortiGate VPN customers. The “FortiBleed” trove features usernames, email addresses and plaintext passwords for major corporations like Samsung, AT&T and Toyota, alongside tens of thousands of other organisations across 194 countries and over 21,000 unique domains. The Russian-speaking threat actors behind the campaign most likely scanned the internet for exposed FortiGate management interface instances. They then stole configuration data, extracting and brute-forcing the credentials within.
The leak apparently contains credentials on around half of all internet-accessible Fortinet firewalls. Most of the compromised Fortinet devices remain online. Organisations with credentials in the list have either already been breached or were on a hitlist for the threat actors behind the campaign.
With FortiGate admin access, hackers could download configuration backups; extract VPN configurations; obtain LDAP, RADIUS and service account credentials; create new administrator accounts; modify VPN policies and firewall rules; and use the firewall as a staging point for internal compromise.
Use this handy checking tool to see if you’re exposed. Rotate all credentials associated with the device (local admin, SSL VPN, TACACS accounts, LDAP bind accounts, RADIUS shared secrets). Audit all administrator accounts for unknown local admins and recently created accounts. Hunt for newly created administrator accounts, configuration modifications and configuration exports or downloads. Review VPN users. Restrict management access immediately and remove management interfaces exposed to the internet.
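Two of the checks above (unknown or recently created administrators, and management interfaces exposed to the internet) can be run offline against a configuration backup. The script below is an added illustration written for this briefing, not code from Fortinet or the researchers; it assumes (not stated on the page) that the backup is FortiOS CLI text in the usual `config … / edit … / set … / next / end` layout, that a `trusthost` entry is what restricts where an admin may log in from, and that `APPROVED_ADMINS` is the organisation's own baseline of sanctioned administrator names. The sample configuration and baseline are constructed.

```python
"""Audit a FortiGate configuration backup for unknown admins, admins without a
trusted-host restriction, and WAN interfaces that still allow management access.

Added illustration for the FortiBleed remediation steps; not code from Fortinet
or from this briefing.  Assumptions not taken from the page: the backup is FortiOS
CLI text ('config ... / edit ... / set ... / next / end'), and APPROVED_ADMINS is
the organisation's own baseline of sanctioned administrator names (constructed).
"""
import shlex

APPROVED_ADMINS = {"admin", "netops-ro"}                    # constructed baseline
MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}  # 'allowaccess' values that expose management

# Constructed sample backup (passwords redacted).
SAMPLE_CONFIG = """
config system global
    set hostname "FGT-EDGE-01"
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set password ENC REDACTED
    next
    edit "netops-ro"
        set accprofile "prof_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set password ENC REDACTED
    next
    edit "sys_maint"
        set accprofile "super_admin"
        config gui-dashboard
        end
        set password ENC REDACTED
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Return {section: {entry: {key: [values]}}}.  'set' lines outside any 'edit'
    go under entry ''.  Sub-blocks nested inside an entry are skipped by depth."""
    cfg, section, entry, nested = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = shlex.split(line)          # honours quoted names like "super_admin"
        kw = tok[0]
        if nested:                        # inside a skipped nested sub-block
            if kw == "config":
                nested += 1
            elif kw == "end":
                nested -= 1
            continue
        if kw == "config":
            if section is None:
                section = " ".join(tok[1:])
                cfg.setdefault(section, {})
            else:
                nested = 1                # nested block inside an entry
        elif kw == "edit":
            entry = tok[1]
            cfg[section].setdefault(entry, {})
        elif kw == "set":
            cfg[section].setdefault(entry or "", {})[tok[1]] = tok[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            section = None
    return cfg


def audit_admins(cfg: dict) -> list:
    """Flag admins outside the baseline and admins with no trusthost restriction."""
    findings = []
    for name, s in cfg.get("system admin", {}).items():
        if not name:
            continue
        profile = s.get("accprofile", ["?"])[0]
        if name not in APPROVED_ADMINS:
            findings.append(("unknown-admin", name, profile))
        if not any(k.startswith("trusthost") for k in s):
            findings.append(("no-trusthost", name, profile))
    return findings


def audit_mgmt_exposure(cfg: dict) -> list:
    """Flag WAN-role interfaces whose 'allowaccess' still lists a management service."""
    findings = []
    for name, s in cfg.get("system interface", {}).items():
        if s.get("role", [""])[0] == "wan":
            exposed = sorted(set(s.get("allowaccess", [])) & MGMT_SERVICES)
            if exposed:
                findings.append(("wan-mgmt-exposed", name, ",".join(exposed)))
    return findings


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for finding in audit_admins(cfg) + audit_mgmt_exposure(cfg):
        print("%-18s %-10s %s" % finding)
```

Run against each backup in the estate and diff the `unknown-admin` findings over time: an account that appears between two backups is exactly the "recently created" administrator the guidance asks you to hunt for, and a `wan-mgmt-exposed` finding is the interface to lock down first.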
LiteSpeed users with the cPanel plugin have been urged to update the software after exploitation in the wild. CVE-2026-48172 is a high-severity vulnerability which could enable attackers with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS. Security updates were released by LiteSpeed in early June, but US agency CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalogue this week, ordering federal agencies to patch within three days.
LiteSpeed helps to run around 15% of global websites, but third-party plugins can be a blind spot for patching teams. Exploitation of this CVE could lead to full server compromise at root level.
Check LiteSpeed plugins and versions against the vendor advisory and update to the patched version if necessary. Run LiteSpeed’s detection script to check for signs of exploitation. If IoCs are found, isolate the server and carry out additional log analysis.
The NCSC has warned that 75% of the 200 security incidents impacting critical national infrastructure (CNI) that it handled last year were caused by nation states. CEO Richard Horne claimed in a speech to the RUSI think tank that by 2028, it is “highly likely” that AI will be used by attackers to exploit known vulnerabilities in legacy technology across CNI.
Criminal groups want access today to drive ROI, but nation-state threats can be quieter and have longer timescales. They tend to focus on identity infrastructure, operational technology (OT), telecoms, cloud administration platforms and supply chains. OT is often a blind spot. Attacks on CNI can have an outsized societal and economic impact.
Improve identity security by hardening privileged identity platforms, deploying phishing-resistant MFA and following zero trust principles. Enhance OT asset visibility, monitoring, telemetry and behavioural detection. Focus on resilience – operating through a crisis – which may require isolation of OT segments. Mitigate AI threats by identifying and updating legacy systems, prioritising compensating controls where patches aren’t possible, and segmenting. Check with your insurer if you have incident response support as part of your policy.
There’s been a 93% annual increase in sensitive enterprise data uploads to AI services, according to Zscaler. The firm recorded a total of 18,033 TB of data transferred to AI and machine learning applications during the past year. Over half of these transfers were driven by Grammarly (38%) and ChatGPT (21%). Other tools included OpenAI, Codium, GitHub Copilot, Perplexity, Microsoft Copilot, Google Gemini and Claude.
Well-intentioned users are pasting confidential information into systems that were never approved for corporate use, and which will probably use that data to train their underlying models. This creates significant compliance and security risks and is rapidly becoming one of the biggest governance challenges facing security teams.
Use Defender for Cloud Apps Shadow AI discovery or a secure web gateway to find and block unsanctioned apps – backed up by a clear policy. Detect personal logins to AI services. Restrict clipboard and browser data transfers. Use endpoint DLP to detect copy-and-paste activity involving sensitive data.