19 June 2026


Thousands of Fortinet VPN credentials exposed in FortiBleed data leak | Cyber Intelligence Briefing – 19 June 2026


Top news stories this week

  1. Stop the bleed. Thousands of Fortinet VPN credentials exposed in FortiBleed data leak
  2. Heavy cyber risk. Cyber extortion group claims breach of Ozempic maker
  3. Breaking the backend. Global law enforcement actions dismantle platforms powering cybercrime
  4. PeopleSoft pillage. ShinyHunters claims Council of Europe breach in Oracle PeopleSoft zero-day campaign
  5. A sticky situation. Ransomware attack shuts down Australia’s second-largest sugar producer
  6. It’s a patch affair. SimpleHelp, Fortinet and Cisco release security advisories

1. Thousands of Fortinet VPN credentials exposed in FortiBleed data leak

A large-scale credential compromise dubbed “FortiBleed” has exposed verified VPN and administrator credentials for over 70,000 Fortinet FortiGate devices. The campaign suggests sustained, large-scale, automated credential harvesting designed to enable unauthorised initial access to targeted environments.

So what?

The exposure of thousands of VPN credentials enables threat actors to bypass perimeter defences and gain direct access to enterprise networks at scale. Immediate patching and credential rotation are critical for remediation.

[Researcher: Tlhalefo Dikolomela]  


2. Cyber extortion group claims breach of Ozempic maker, Novo Nordisk

Cyber extortion group FulcrumSec claims to have stolen more than 1.3 terabytes of data, including clinical trial data, from Novo Nordisk, the maker of Ozempic. Following a failed USD 25 million ransom demand, the company disclosed unauthorised access but has not verified the extent of the claims. 

So what?

Threat actors are increasingly prioritising data theft and extortion over disruption. Organisations should focus on protecting “crown jewel” assets through strong controls and defence-in-depth. 

[Researcher: Steve Ross]  


3. Global law enforcement actions dismantle platforms powering cybercrime

Coordinated action led by Europol and INTERPOL has dismantled two major pieces of cybercrime infrastructure. Authorities shut down crypto laundering service “AudiA6”, which processed over EUR 336 million in illicit funds. In parallel, Operation Ramz disrupted long-running phishing platform “Sniper Dz,” resulting in over 200 arrests and the seizure of supporting infrastructure.

So what?

Law enforcement is targeting the cybercrime supply chain, disrupting monetisation and access. But these platforms are easily replaced - organisations must prioritise credential theft defences and monitor exposure to illicit crypto flows.

[Researcher: Jenny Eysert]



4. ShinyHunters claims Council of Europe breach in Oracle PeopleSoft zero-day campaign

The Council of Europe is investigating claims by extortion group ShinyHunters that it stole over 429,000 HR and payroll documents. The group said the breach was part of a wider campaign exploiting a zero-day vulnerability in Oracle's PeopleSoft enterprise software suite, a campaign that has reportedly impacted more than 100 organisations, including Kodak, Ralph Lauren, and Madison Square Garden Sports.

So what?

Organisations should evaluate supplier security risks and apply several layers of security controls to protect third-party infrastructure hosting sensitive data, including early breach detection and response.

[Researcher: Milda Petraityte]


5. Ransomware attack shuts down Australia’s second-largest sugar producer

Mackay Sugar, a major Australian sugar producer, disclosed a ransomware attack that forced the shutdown of some mills, leaving crops in the ground. While a few mills have resumed limited manual operations, many growers have been issued with “cease harvesting” advisories until the incident is resolved.

So what?

Threat actors continue to target critical infrastructure and operational technology, seeking maximum leverage through disruption. Companies in such sectors should review operational continuity measures and security controls, particularly those known to be targeted by threat actors.

[Researcher: Lester Lim]


6. SimpleHelp, Fortinet and Cisco address vulnerabilities

SimpleHelp has patched a vulnerability in its remote management software that allows unauthenticated attackers to create privileged accounts. Separately, Fortinet has warned of a critical Sandbox vulnerability being actively exploited and advised customers to update. Cisco has also updated a February advisory, confirming an additional SD‑WAN device is affected by a critical vulnerability (CVE‑2026‑20127), with customers urged to upgrade.

So what?

It is important for organisations to keep up to date with vulnerability alerts and implement vendor advice accordingly to reduce the likelihood of successful exploitation.

[Researcher: Adelaide Parker]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
