June 18, 2026 by sig9
Hacker Wars - June 18, 2026
Your daily dose of infosec chaos
Today’s theme is “things that should have been patched yesterday” - we’ve got leaked VPN credentials, a Defender zero-day, and ShinyHunters adding Kodak to their trophy wall. Plus a junior hacker who watched one too many red team tutorials.
FortiBleed Leak Dumps Credentials for 73,000 Fortinet VPNs
A data leak dubbed FortiBleed has exposed what looks like VPN credentials for nearly 74,000 Fortinet and FortiGate firewall URLs worldwide. The exposed data could give attackers direct access to corporate VPN endpoints without needing to exploit a single vulnerability. If you’re running Fortinet gear, this is your five-alarm fire.
What to do: Rotate all Fortinet VPN credentials immediately, audit your firewall configs, and check whether your URLs appeared in the leak.
Microsoft Confirms RoguePlanet Defender Zero-Day (CVE-2026-50656)
Microsoft has formally acknowledged a privilege escalation flaw in Windows Defender, codenamed RoguePlanet, now tracked as CVE-2026-50656 with a CVSS of 7.8. The company says a patch is in development but hasn’t given a timeline, which is corporate speak for “we’re working on it, stop emailing.” In the meantime, attackers with local access can escalate to SYSTEM.
What to do: Monitor for Microsoft’s patch cycle, restrict local access to endpoints, and consider additional EDR layers until a fix ships.
Kodak Admits Data Breach After ShinyHunters Come Calling
ShinyHunters - the same crew that recently hit Oracle PeopleSoft and universities - now claims they’ve breached Kodak. The imaging giant confirmed the incident but insists there’s no threat to its systems or operations, which is the corporate equivalent of “this is fine” while the building burns. Details on what was actually exfiltrated remain thin.
What to do: If you’re a Kodak partner or supplier, review any shared credentials or integration tokens and assume they may be compromised.
Junior Hacker Builds Persistence With Tailscale and OpenSSH
A French-speaking attacker compromised a small automotive business, planted a keylogger, and stole banking credentials. Standard script kiddie stuff - until he installed OpenSSH and Tailscale on the victim’s machine as a backup backdoor before his C2 went dark. Creative? Sure. Smart? Debatable. But it worked, and it shows how legitimate tools are the new go-to for maintaining access.
What to do: Monitor for unauthorized installations of remote access tools like Tailscale, SSH servers, and other “dual-use” software on endpoints. Block them by default via application control.
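One way to turn that monitoring advice into a check, as an added example that is not part of the original bulletin: it scans software-install events and raises severity when a mesh VPN and an SSH server both land on the same host within a day, the pattern in the story above. The event format, host names, allowlist and 24-hour window are assumptions; feed it whatever install or service-creation telemetry your EDR or inventory tool exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Dual-use remote access tools grouped by role; extend for your estate.
WATCHLIST = {
    "tailscale": "mesh-vpn", "tailscaled": "mesh-vpn",
    "sshd": "ssh-server", "openssh": "ssh-server",
}
# Hypothetical allowlist: (host, role) pairs approved by IT.
APPROVED = {("build-01", "ssh-server")}
PAIR_WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample events (not real telemetry): timestamp, host, installed item
SAMPLE_EVENTS = [
    ("2026-06-10T09:02:11", "build-01", "OpenSSH Server (sshd.exe)"),
    ("2026-06-12T22:41:03", "frontdesk-pc", "Tailscale (tailscaled.exe)"),
    ("2026-06-12T22:47:50", "frontdesk-pc", "OpenSSH SSH Server (sshd.exe)"),
    ("2026-06-13T08:15:00", "acct-02", "7-Zip 24.08"),
    ("2026-06-14T10:00:00", "acct-02", "Tailscale (tailscaled.exe)"),
]

def classify(name):
    """Return the watchlist role for an installed item, or None."""
    lowered = name.lower()
    for needle, role in WATCHLIST.items():
        if needle in lowered:
            return role
    return None

def find_alerts(events):
    """Flag unapproved installs; 'high' when both roles hit one host close together."""
    seen = defaultdict(dict)  # host -> role -> first install time
    for ts, host, item in events:
        role = classify(item)
        if role and (host, role) not in APPROVED:
            seen[host].setdefault(role, datetime.fromisoformat(ts))
    alerts = []
    for host, roles in sorted(seen.items()):
        severity = "medium"
        if len(roles) == 2:  # both a mesh VPN and an SSH server were installed
            gap = abs(roles["mesh-vpn"] - roles["ssh-server"])
            if gap <= PAIR_WINDOW:
                severity = "high"
        alerts.append((host, severity, sorted(roles)))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```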
Catch you tomorrow. In the meantime, go check your attack surface.
Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown