22nd June – Threat Intelligence Report
This threat intelligence report highlights recent data breaches involving third-party vendors, emerging AI threat vectors such as prompt injection and WebSocket abuse, and active exploitation of critical vulnerabilities in Fortinet, Cisco, and Splunk products. Additionally, seasonal phishing campaigns targeting travelers and Amazon Prime members are surging alongside a cross-platform Rust-based crypto clipboard hijacker.
- cve
- cve
- cve
- cve
- cve
- cve
- cve
Detection / HunterGoogle
What Happened
Several major organizations recently suffered data breaches due to compromised third-party vendors and legacy systems. At the same time, attackers are actively exploiting critical flaws in popular enterprise software from Fortinet, Cisco, and Splunk, while also finding new ways to trick AI assistants into leaking data or running malicious code. These incidents highlight the widespread risk to both corporate networks and everyday consumers. Organizations should urgently apply available security patches, review third-party access, and stay alert for seasonal phishing scams related to summer travel and Amazon Prime Day.
Key Takeaways
- Multiple critical vulnerabilities are under active exploitation, including flaws in Fortinet FortiSandbox, Cisco Catalyst SD-WAN, and Splunk Enterprise.
- AI agents and copilots are increasingly targeted via prompt injection and WebSocket abuse, leading to data exfiltration and RCE.
- Supply chain and third-party breaches affected major organizations, including Klue, iRhythm Technologies, and Texas Parks and Wildlife.
- Seasonal phishing campaigns are surging, leveraging travel themes and Amazon Prime Day lures to steal credentials and payment details.
Affected Systems
- Windows 10
- Windows 11
- Fortinet FortiSandbox
- Cisco Catalyst SD-WAN Manager
- Splunk Enterprise
- Microsoft 365 Copilot
- AutoGen Studio
- WordPress
- macOS
Vulnerabilities (CVEs)
- CVE-2026-42824
- CVE-2026-39813
- CVE-2026-39808
- CVE-2026-25089
- CVE-2026-50656
- CVE-2026-20262
- CVE-2026-20253
Attack Chain
Attackers are leveraging a variety of initial access vectors, including social engineering, compromised legacy integration credentials, and unauthenticated API requests. In supply chain attacks, malicious updates were delivered to install hidden plugins for credential theft. For AI threats, crafted links and hidden contacts are used to trigger prompt injections, leading to data exfiltration or remote code execution. Post-compromise activities include privilege escalation to SYSTEM or root, arbitrary file writes, and the deployment of Rust-based malware for cryptocurrency clipboard hijacking.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Check Point IPS, Check Point Threat Emulation, Check Point Harmony Endpoint
Check Point provides IPS protections for the Fortinet and Splunk vulnerabilities, as well as endpoint protections against the Rust-based crypto clipboard hijacker.
Detection Engineering Assessment
EDR Visibility: Medium — EDR can detect privilege escalation (e.g., Defender zero-day) and clipboard hijacking, but may lack visibility into appliance-level exploits (Fortinet, Cisco) or SaaS/OAuth token abuse. Network Visibility: Medium — Network sensors can detect unauthenticated API requests to FortiSandbox and Splunk, as well as connections to known phishing domains, but encrypted OAuth token abuse is harder to spot. Detection Difficulty: Moderate — While appliance exploits and phishing domains have clear signatures, detecting AI prompt injections and OAuth token abuse requires advanced behavioral analytics and SaaS log monitoring.
Required Log Sources
- Web Application Firewall (WAF) logs
- SaaS audit logs (Salesforce, Microsoft 365)
- Endpoint process execution logs
- Appliance system logs (Fortinet, Cisco, Splunk)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for anomalous OAuth token usage or access from unexpected IP addresses targeting Salesforce or other SaaS environments. | SaaS audit logs, IdP logs | Credential Access | Medium |
| Evaluate whether unauthenticated API requests containing directory traversal characters are targeting FortiSandbox appliances. | WAF logs, Network traffic analysis | Initial Access | Low |
Control Gaps
- Lack of AI prompt injection filtering
- Insufficient monitoring of legacy integration credentials
- Blind spots in appliance-level security monitoring
Key Behavioral Indicators
- Unexpected file writes in Splunk or Cisco Catalyst SD-WAN directories
- Race condition exploitation patterns in Windows Defender
- Clipboard modification events by unknown Rust-based binaries
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Apply security patches for Fortinet FortiSandbox, Cisco Catalyst SD-WAN Manager, and Splunk Enterprise immediately.
- Review and revoke unused or legacy OAuth integrations and API credentials, particularly those connected to Salesforce.
Infrastructure Hardening
- Consider implementing strict input validation and authentication checks for internal AI agents and WebSockets.
- Evaluate network segmentation for security appliances like FortiSandbox to limit the blast radius of potential compromises.
User Protection
- If applicable, deploy endpoint protections capable of detecting clipboard hijacking and unauthorized file modifications.
- Ensure Windows systems are updated to mitigate the Defender privilege escalation zero-day once a patch is available.
Security Awareness
- Consider updating security awareness training to include seasonal phishing lures, such as Amazon Prime Day and travel-themed scams.
- Educate developers on the risks of prompt injection and the importance of sanitizing inputs to AI copilots.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1078 - Valid Accounts
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- T1566 - Phishing
- T1068 - Exploitation for Privilege Escalation
- T1115 - Clipboard Data
- T1562.001 - Impair Defenses: Disable or Modify Tools