Home / Episodes / Jun 18, 2026
Episode show notesJun 18's Top Cyber News NOW! - Ep 1156
At a glance
Fortinet VPN credentials for 73,000 devices leaked with active exploitation underway; threat actors are using these to pivot into Active Directory. Kodak confirmed a data breach affecting 2.2 million records from Shiny Hunters. Estonia plans to assign digital ID numbers to AI agents for access control. Microsoft confirms Rogue Planet privilege escalation in Windows Defender, patch in development.
Stories covered
How many Fortinet VPN credentials were exposed in the "FortiBleed" leak?
What happened: Security researcher Bob Diachenko discovered an exposed repository containing usernames and plaintext passwords for approximately 73,932 Fortinet VPN and firewall devices. The dataset is authentic and appears to have come from exported Fortinet configurations; affected organizations include Chevron, Samsung, Mercedes-Benz, Comcast, and AT&T.
Why it matters: Credentials are being actively weaponized—Hudson Rock reported 1.16 billion login attempts against 300,000 targets. Attackers are using VPN access as initial entry to move laterally and compromise Active Directory domains. This affects roughly half of all internet-accessible Fortinet firewalls globally.
What to do: If running Fortinet VPN, immediately check exposure at the Hudson Rock lookup tool. Rotate credentials, isolate affected systems, and assume lateral movement. Escalate to leadership and incident response if compromised.
Why is Estonia assigning digital ID numbers to AI agents?
What happened: Estonia announced plans to become the first nation to issue digital ID numbers to AI agents, enabling better control over what systems they can access and what actions they're authorized to perform. The move addresses legal and security challenges posed by increasingly autonomous AI systems.
Why it matters: As AI agents conduct machine-speed transactions with other agents, accountability and access control become critical. Without identity and authorization frameworks, rogue or compromised agents could execute unauthorized actions at scale.
What to do: Monitor for now. Estonia's approach may set precedent for other governments, but enforcement and PKI implementation challenges remain unresolved.
What is the "Rogue Planet" zero day in Windows Defender?
What happened: Security researcher Chaotic Eclipse (also known as Nightmare Eclipse) publicly disclosed a proof-of-concept exploit for Rogue Planet, a privilege escalation vulnerability in Microsoft Defender's malware protection engine. CVSS score 7.8, EPSS score 39. Microsoft confirmed the flaw and says a patch is in development.
Why it matters: This is the fourth Defender vulnerability disclosed by Chaotic Eclipse in recent months. The flaw is in a security tool itself, which is concerning, but requires attackers to already have initial access. Exploitation success varies across systems.
What to do: Monitor for now. Patch when available, but this is not an emergency—focus on preventing initial access instead.
Is Kodak facing a data breach from Shiny Hunters?
What happened: Kodak confirmed a breach after hacking group Shiny Hunters claimed to have stolen 2.2 million records including customer PII and internal company data. Shiny Hunters threatened to leak the data by June 18th. Kodak says the incident was contained and didn't affect operations.
Why it matters: Shiny Hunters typically targets weak access controls on overlooked business systems like Salesforce. Breach may have exploited unpatched or legacy internet-facing systems.
What to do: Enable MFA on all internet-facing systems. Audit and decommission legacy applications still online. Don't let new technology projects ship without sunsetted old systems.
How are malicious Python packages using fake reviews and AI to spread crypto-stealing malware?
What happened: Checkpoint researchers discovered a cryptocurrency clipper malware campaign using AI-generated YouTube tutorials, fake reviews, inflated download counts, and coordinated Virus Total comments to build false legitimacy. The malware swaps legitimate wallet addresses for attacker-controlled ones.
Why it matters: Threat actors are leveraging marketing tactics and AI at scale to social-engineer downloads. The fake reputation infrastructure—bot armies, multiple YouTube channels, poisoned Virus Total classifications—is uncommon operational overhead but highly effective at exploiting user trust.
What to do: Verify software legitimacy independently before download. Don't rely solely on review counts, ratings, or Virus Total verdicts. If you manage developers, educate teams on supply chain risks.
Why did Anthropic CEO push G7 nations to cooperate on AI access?
What happened: Anthropic CEO Dario Amodei used a G7 meeting to urge international cooperation on AI after the US administration blocked exports of Anthropic's latest models. OpenAI CEO Sam Altman and Google DeepMind CEO Demis Hassabis backed the position. France's Macron warned allies they cannot be cut off from AI systems vital to their economies.
Why it matters: From a business perspective, export restrictions directly harm Anthropic's revenue and market reach. From a geopolitical perspective, AI is now a strategic asset with the same leverage as technology export controls.
What to do: Monitor for now. This is a policy story; no immediate operational impact on practitioners.
Is Telegram's block in India going to stick until June 22nd?
What happened: India temporarily blocked Telegram until June 22nd after cheating rings allegedly used the platform to share leaked medical entrance exam answers. The block affects 150+ million users and includes telecom-level restrictions and app store removal. Telegram challenged the block in Delhi High Court, arguing it's disproportionate.
Why it matters: Telegram has precedent fighting blocks (Russia blocked it for two years). This block is temporary and Telegram may be establishing legal grounds to resist future bans. Loss of Indian users would force migration to competing platforms like Signal.
What to do: Monitor for now. Expect the ban to expire or be lifted before any court decision materializes.
Is Google's use of IP addresses for ad targeting a privacy violation under GDPR?
What happened: Starting August 2026, Google will use IP addresses for ad measurement and personalization in the UK, EU, and Switzerland—regions where IP addresses are considered personal data under GDPR. This can enable device fingerprinting and cross-service tracking.
Why it matters: IP addresses, while seemingly anonymous, reveal user identity through device fingerprinting. Google abandoned opposition to fingerprinting less than two years ago. EU regulators may demand explicit user consent.
What to do: Monitor for now. This is a privacy/regulatory story, not a cyber threat. US practitioners have been tracked this way for years.
Key takeaways
- Fortinet VPN credentials are actively exploited for lateral movement into Active Directory—check Hudson Rock's tool immediately if you run Fortinet infrastructure; rotate all VPN credentials and assume lateral compromise.
- Legacy systems left online are your biggest attack surface liability—decommission old tech deliberately; don't let new projects ship without sunset plans for replaced systems.
- Threat actors are investing heavily in fake reputation infrastructure—AI-generated tutorials, bot armies, and review poisoning are becoming standard tactics to trick downloads; verify software independently.
- Estonia's AI agent ID system signals coming regulatory pressure on autonomous systems—expect other nations to follow with access control and accountability frameworks; PKI implementation will be the hard part.
- IP addresses are not anonymous and never have been—device fingerprinting via IP is now mainstream in ad targeting; assume you're tracked if you're in the EU/UK under GDPR; US users have no similar protections.
Topics covered
Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.