SAMURAI CYBER WATCH

Issue #8 — June 20, 2026

Practical Cyber Intelligence for Business Leaders in Non-Superpower Nations

THIS WEEK'S BRIEFING

FortiBleed and the Week Credential Infrastructure Became a Weapon

Stolen Fortinet credentials compiled into databases, a new China-nexus backdoor, and insider theft at a Japanese city office — this week's incidents converge on a single question: does your organization know who has access to what?

THE KEY DEVELOPMENT

FORTIBLEED — THE SILENT INVASION OF CREDENTIAL HARVESTING AT SCALE

The development I took most seriously this week is the full picture now emerging around what is being called "FortiBleed."

On June 19, 2026, it was confirmed that credentials stolen from Fortinet firewall and SSL VPN appliances have been systematically compiled into databases by threat actors and are being actively used in intrusion operations. The fact that U.S. authorities and multiple security vendors have issued successive warnings indicates that the scale of this problem is not limited to any single organization or region.

Also on that date, Fortinet updated its advisory covering SSL VPN vulnerabilities in FortiOS and FortiSASE. This is where the core danger lies. A situation in which stolen credentials — the stolen key — coexist with an unpatched vulnerability — the broken lock — represents an ideal compound condition for attackers. Insert a stolen key into a broken lock. There is no simpler or more reliable method of entry.

With more than two decades of experience in this field, I can say that when credential theft from edge devices reaches the stage of being systematically organized into databases, it often signals that a broad initial access phase is already complete. Right now, lateral movement may be underway inside the network of an organization somewhere in the world. I ask you to carry that sense of urgency into the next section.

JAPAN LENS: THE END OF THE ILLUSION THAT "TRUSTED VENDORS MEAN SAFETY"

Within Japan, Fortinet products are widely deployed as edge security appliances across enterprise environments and government agencies. Based on experience supporting multiple domestic organizations, I can say it is not uncommon for the very fact of having deployed a trusted vendor's product to become a justification for deprioritizing regular credential rotation and rigorous MFA enforcement. Trust in a product and the discipline to operate it securely are entirely separate matters.

This week's incident in Urasoe City illuminates a different dimension of the same problem. An employee of an outsourced contractor reportedly stole 83 work PCs, some of which contained the personal information of the city's entire resident population. This incident did not arise from a technical vulnerability — it arose from a breakdown in human and operational controls. FortiBleed and the Urasoe incident ultimately lead to the same question: does your organization know, at this very moment, who has access to what?

Looking across the Asia-Pacific region, the updated FortiOS vulnerability advisory carries equal risk not only for Japan, but for government and private-sector organizations in South Korea, Taiwan, and across ASEAN countries that have broadly adopted the same products. Recognizing that the entire region shares a common attack surface is, in my view, the essential posture to adopt this week.

BEYOND THE EPICENTER: THE RISK WAVE REACHING SMALL AND MID-SIZED BUSINESSES

Reviewing this week's incidents together, it might appear that only large enterprises and government systems are being targeted. I would push back on that reading.

CVE-2026-35273 in Oracle PeopleSoft PeopleTools is a vulnerability chain enabling unauthenticated remote code execution. Even a small or mid-sized business that uses HR or financial core systems through an outsourced cloud service inherits this risk indirectly if that service provider runs PeopleSoft. This is the structure of supply chain risk. Auditing only your own systems will not surface this category of exposure.

The phishing campaign targeting Japan's hotel industry via TON blockchain abuse is more direct. Small and mid-sized accommodations that accept reservations through Booking.com are in the crosshairs, and the campaign was deliberately timed to coincide with high inbound tourism demand — making it all the more likely to go unnoticed by smaller operators without dedicated security staff. The assumption that "we are not a big enough target" is precisely what dismantles the first line of defense.

The same logic applies to the EDR-killer framework attributed to the Gentlemen RaaS group. For small businesses that have not deployed EDR at all, news of increasingly sophisticated techniques for disabling EDR may seem irrelevant. In reality, organizations without EDR simply have no first line of defense to begin with. As threats grow more sophisticated, the gap between organizations that are prepared and those that are not continues to widen.

STATE ACTOR WATCH: TWO SIGNALS OF STATE-LEVEL INVOLVEMENT

Two incidents this week stood out as suggesting state-level involvement.

The first is the discovery of the SprySOCKS Windows backdoor attributed to FishMonger APT. According to findings published by ESET on June 16, 2026, this new backdoor features advanced stealth capabilities through weaponized kernel drivers and significantly enhances the group's previous SOCKS proxy functionality. FishMonger is tracked as a China-nexus APT that primarily targets government agencies, technology firms, and research institutions across the Asia-Pacific region. Kernel-level persistence techniques of this kind require substantial resources and technical capability to develop and maintain — the hallmark of a well-resourced threat actor.

The second is the strategic implication of the combination of FortiBleed and the VPN vulnerabilities. An operation that compiles stolen edge device credentials into databases at this scale is difficult to explain through the profit motive of a single criminal group alone. The hypothesis that a national intelligence service is maintaining and sharing this kind of "credential infrastructure" cannot be ruled out given the context of similar historical operations. I will avoid making any political attribution, but these signals collectively suggest that an advanced persistent threat underlies the cluster of incidents this week.

DEFEND WITHOUT CHOOSING SIDES

Practical defensive actions drawn from this week's incidents

① Rotate credentials on all Fortinet appliances today, and enable multi-factor authentication on every management interface and VPN access point. Review the updated advisories for FortiOS and FortiSASE and apply all applicable mitigations. This is the most direct response to FortiBleed and the SSL VPN vulnerabilities, and it is the top-priority action of the week.

② Organizations running Splunk Enterprise should immediately apply the patch for the vulnerability disclosed on June 10, 2026. Attacks against SOC and SIEM platforms neutralize the organization's security monitoring capability itself. Eliminating the risk of losing visibility should take precedence over remediation of any other vulnerability.

③ All organizations that use Oracle PeopleSoft — directly or indirectly — should confirm the status of CVE-2026-35273 remediation with their vendors and system administrators. Even where your organization does not operate the system directly, verify from a supply chain perspective whether your SaaS providers or contractors rely on the affected platform.

④ Accommodations that accept bookings through Booking.com should immediately conduct staff phishing awareness training and share intelligence on the characteristics of C2 communications abusing the TON blockchain. Regarding ClickFix attacks impersonating claude.ai and GitLab Pages, promptly distribute alerts to developer and technical teams. Techniques that exploit trust in AI-related tools will, in my assessment, continue to increase.

⑤ Review your data governance policies for contracted vendors and external business partners this week. Confirm that full-disk encryption is enforced on all contractor-held devices, verify that data access is scoped in accordance with the principle of least privilege, and ensure that a remote wipe capability is in place for lost or stolen devices. As the scale of the Urasoe City incident demonstrates — 83 machines — the damage a single insider can cause is equal to or greater than that of a technical attack.
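The thread running through actions ① and ⑤ is an inventory question: which credentials are stale, which management and VPN interfaces lack MFA, and which contractor-held devices are unencrypted, unwipeable or over-privileged for the holder's role. The following Python script is an added example written for this issue, not code from Fortinet, Urasoe City or any vendor named above. It audits a constructed inventory against those checks; every device name, date, data-set name and the 90-day rotation threshold is hypothetical and should be replaced with your own asset register and policy.

```python
from dataclasses import dataclass
from datetime import date

# Assumed rotation policy (hypothetical threshold; take it from your own standard)
MAX_CREDENTIAL_AGE_DAYS = 90
# Constructed audit date matching this issue
AUDIT_DATE = date(2026, 6, 20)


@dataclass
class Appliance:
    """An edge security appliance and the state of its access controls."""
    name: str
    vendor: str
    interfaces: dict          # interface name -> True if MFA is enforced on it
    last_rotation: date       # when its admin/VPN credentials were last rotated


@dataclass
class ContractorDevice:
    """A work PC held by an outsourced contractor."""
    asset_tag: str
    holder: str
    fde_enabled: bool         # full-disk encryption enforced
    remote_wipe: bool         # enrolled for remote wipe if lost or stolen
    data_scopes: frozenset    # data sets the holder can currently reach
    role_scopes: frozenset    # data sets the holder's role actually requires


def audit_appliance(app: Appliance, today: date) -> list:
    """Return (device, finding) pairs for stale credentials and missing MFA."""
    findings = []
    age = (today - app.last_rotation).days
    if age > MAX_CREDENTIAL_AGE_DAYS:
        findings.append((app.name, f"credentials last rotated {age} days ago; rotate"))
    for iface, mfa in sorted(app.interfaces.items()):
        if not mfa:
            findings.append((app.name, f"MFA not enforced on {iface}"))
    return findings


def audit_contractor_device(dev: ContractorDevice) -> list:
    """Return findings for unencrypted, unwipeable or over-privileged devices."""
    findings = []
    if not dev.fde_enabled:
        findings.append((dev.asset_tag, "full-disk encryption not enforced"))
    if not dev.remote_wipe:
        findings.append((dev.asset_tag, "no remote wipe capability"))
    # Least privilege: anything reachable beyond what the role needs is a finding
    excess = sorted(dev.data_scopes - dev.role_scopes)
    if excess:
        findings.append((dev.asset_tag, f"access beyond role: {', '.join(excess)}"))
    return findings


def run_audit(appliances, devices, today: date) -> list:
    """Combine both audits into one list of (device, finding) pairs."""
    findings = []
    for app in appliances:
        findings.extend(audit_appliance(app, today))
    for dev in devices:
        findings.extend(audit_contractor_device(dev))
    return findings


# Constructed sample inventory (hypothetical names, dates and data sets)
SAMPLE_APPLIANCES = [
    Appliance("fw-hq-01", "Fortinet",
              {"https-admin": True, "ssl-vpn": False},
              date(2026, 1, 15)),
    Appliance("fw-branch-02", "Fortinet",
              {"https-admin": True, "ssl-vpn": True},
              date(2026, 5, 30)),
]
SAMPLE_DEVICES = [
    ContractorDevice("PC-0417", "vendor-staff-a", True, True,
                     frozenset({"resident-registry"}),
                     frozenset({"resident-registry"})),
    ContractorDevice("PC-0418", "vendor-staff-b", False, False,
                     frozenset({"resident-registry", "payroll"}),
                     frozenset({"payroll"})),
]

if __name__ == "__main__":
    for device, finding in run_audit(SAMPLE_APPLIANCES, SAMPLE_DEVICES, AUDIT_DATE):
        print(f"{device}: {finding}")
```

Run against the sample data, the script flags the headquarters firewall twice (credentials 156 days old, no MFA on the SSL VPN interface) and the second contractor PC three times (no encryption, no remote wipe, and reach into a resident registry its role does not require), while the branch firewall and the first PC pass clean. Feeding it your real register turns the "who has access to what" question into a list you can work through today.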

NEXT ISSUE

Next week, we continue tracking the evolving threat landscape — including any further developments on FortiBleed and the FishMonger APT campaign targeting Asia-Pacific. See you Friday.

About us: This newsletter is written from Japan — a country that has been simultaneously targeted by three nation-states (China, Russia, and North Korea) for over a decade. Two of these three (China and Russia) are UN Security Council permanent members with veto power; one is a nuclear-armed state operating outside the international rules-based order. We are not American. We are not Chinese. We have no geopolitical agenda except one: helping ordinary people and small businesses in non-superpower countries protect themselves from digital warfare they never signed up for.

Written by a Japan-based information security professional with over 20 years of experience, in collaboration with AI assistants.

© 2026 Samurai Cyber Watch. Redistribution with attribution permitted for non-commercial use.
