================================================================
INFOSECFOLLOW -- security, markets, business, pittsburgh
Tuesday, June 16, 2026 - 9:04 PM EDT
================================================================

Attackers turned the defenders' own gear against them, exploiting Fortinet's FortiSandbox and Cisco's SD-WAN Manager as CISA stacked fresh patch deadlines and a ransomware crew hid inside Microsoft Teams.

CONTENTS: Emerging Trends | Security | Business and Politics | Pittsburgh | Sports | Reading | Markets


EMERGING TRENDS
----------------------------------------------------------------

* Tools as Targets: Attackers exploited FortiSandbox and Cisco SD-WAN Manager this week, turning the appliances meant to enforce defense into the way in.

* Trusted-Platform Abuse: Malware rode legitimate services—Microsoft Teams relays, Steam Workshop, the JetBrains Marketplace, and the Arch User Repository—to blend command traffic and delivery into normal noise.

* AI Attack Surface: Flaws in Microsoft Copilot, the JetBrains plugin ecosystem, and Google Vertex AI widened what attackers can steal from the AI tooling developers now lean on daily.

* Identity Mandates: Britain moved to require ID or a face scan for new social-media accounts while India blocked Telegram over exam-cheating fraud, tying online access ever closer to verified identity.


SECURITY
----------------------------------------------------------------

:: VULNERABILITIES AND EXPLOITS

1. ATTACKERS EXPLOIT FORTISANDBOX THREAT PLATFORM [zero-day, patch, exploit]

Latest developments: Defused logged attacks against three FortiSandbox flaws—CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089—inside 24 hours, one of them patched only last week, and judged one of the exploits vibe-coded and likely faulty.

FortiSandbox renders threat verdicts that other Fortinet products trust to block traffic and trigger automated responses, so compromising it blinds an entire defensive stack. CVE-2026-39813, a path-traversal flaw in the JRPC API, rates 9.1. Organizations running FortiSandbox should apply Fortinet's fixes now and hunt for forged verdicts or unexpected API calls.

- Help Net Security: https://www.helpnetsecurity.com/2026/06/16/fortisandbox-vulnerabilities-cve-2026-39813-cve-2026-39808-cve-2026-25089/
- The Hacker News: https://thehackernews.com/2026/06/attackers-exploit-three-fortinet.html
- BleepingComputer: https://www.bleepingcomputer.com/news/security/critical-fortinet-fortisandbox-flaws-now-exploited-in-attacks/

2. CISA SETS NEW DEADLINES FOR EXPLOITED WEB FLAWS [patch, exploit, policy]

Latest developments: CISA added Joomla Content Editor flaw CVE-2026-48907 to its known exploited catalog, gave agencies until June 18 to patch LiteSpeed cPanel plugin flaw CVE-2026-54420, and Cisco shipped fixes for Catalyst SD-WAN Manager flaw CVE-2026-20262, which it found in internal testing yet attackers reached first.

All three flaws give attackers a foothold on internet-facing infrastructure: Joomla content editing, LiteSpeed's cPanel plugin at root, and Cisco's SD-WAN management plane. CVE-2026-54420 rates 8.5 and enables root privilege escalation. Federal civilian agencies face binding deadlines, and private operators of the same software should treat the timelines as their own.

- CISA Advisories: https://www.cisa.gov/news-events/alerts/2026/06/16/cisa-adds-one-known-exploited-vulnerability-catalog
- BleepingComputer: https://www.bleepingcomputer.com/news/security/cisa-warns-of-another-actively-exploited-cpanel-plugin-flaw/
- Help Net Security: https://www.helpnetsecurity.com/2026/06/16/cisco-sd-wan-cve-2026-20262-exploited/

3. ATOMIC ARCH ATTACK SWELLS TO 1,500 PACKAGES [supply-chain, malware]

Latest developments: The Atomic supply-chain campaign against the Arch User Repository grew to roughly 1,500 malicious packages, and Arch Linux suspended new account registrations to stem the upload wave.

Attackers rewrote build scripts across AUR packages to ship a Rust infostealer and an eBPF rootkit, expanding from the roughly 400 packages reported earlier in the week. The community repository lets any registered user publish, which made it easy to flood with tainted entries. Arch users should audit recently installed AUR packages, rebuild from clean sources, and assume credentials touched on affected systems are exposed.

- SecurityWeek: https://www.securityweek.com/atomic-arch-supply-chain-attack-hits-1500-aur-packages/

:: RANSOMWARE AND CYBERCRIME

4. DRAGONFORCE HIDES C2 INSIDE MICROSOFT TEAMS [ransomware, malware]

Latest developments: Symantec caught the DragonForce ransomware group routing command-and-control traffic through Microsoft Teams TURN relay infrastructure with custom malware called Backdoor.Turn during an intrusion at a U.S. services company, the first known abuse of Teams relays for this purpose.

DragonForce runs a ransomware-as-a-service operation active since 2023, arming affiliates for a cut of payments. By tunneling traffic through Teams relays, the group disguises its command channel as routine collaboration traffic that defenders rarely block. Security teams should scrutinize Teams TURN connections and treat unexplained relay traffic as a possible hiding place for malware.

- Help Net Security: https://www.helpnetsecurity.com/2026/06/16/dragonforce-microsoft-teams-malware-backdoor-turn/
- BleepingComputer: https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/

:: AI SECURITY

5. SECURITY EXPERTS FIGHT THE ANTHROPIC EXPORT BAN [ai, policy]

Latest developments: Dozens of security professionals signed an open letter pressing Washington to reverse its order blocking export of Anthropic's Claude Fable 5 and Mythos 5, and Wired argued models with advanced hacking ability will soon be common regardless of the restriction.

The Trump administration ordered Anthropic to block all foreign nationals, pulling both models worldwide on June 13 and framing the move as export control over offensive AI capability. Signatories call the cited jailbreak narrow and the underlying ability already widespread, warning the ban hampers defenders more than attackers. The fight sets an early precedent for how governments treat frontier models that can find and exploit software flaws.

- Dark Reading: https://www.darkreading.com/vulnerabilities-threats/security-community-slams-us-ban-on-exporting-mythos-fable
- Wired Security: https://www.wired.com/story/dangerous-ai-models-are-coming-no-matter-what/

6. AI CODING TOOLS BLEED KEYS AND 2FA CODES [ai, vulnerability, supply-chain]

Latest developments: Researchers disclosed SearchLeak, a critical Microsoft Copilot flaw that let attackers steal users' two-factor authentication codes, and BleepingComputer found at least 15 malicious JetBrains Marketplace plugins harvesting developers' AI API keys.

SearchLeak shows how prompt and retrieval features can be turned to exfiltrate sensitive data the assistant can see, including login codes. The rogue JetBrains plugins target the API keys developers store for their AI services, handing attackers paid access and a route into projects. Developers should remove untrusted plugins, rotate exposed keys, and treat AI assistants as systems that handle secrets.

- Ars Technica Security: https://arstechnica.com/security/2026/06/critical-copilot-vulnerability-allowed-hackers-to-seal-2fa-code-from-users/
- BleepingComputer: https://www.bleepingcomputer.com/news/security/malicious-jetbrains-marketplace-plugins-steal-ai-api-keys-from-developers/

:: DATA BREACHES

7. HEALTH AND SPORTS DATA SPILLS IN FRESH HACKS [breach, healthcare, extortion]

Latest developments: iRhythm confirmed hackers stole patient personal and health data from third-party-hosted apps and demanded a ransom, the FulcrumSec group claimed it lifted 1.3TB from Novo Nordisk, and attackers published Madison Square Garden and New York Knicks data, including a risk-rated list of celebrities and players.

iRhythm, a cardiac-monitoring firm, learned of its breach on June 8 and traced the loss to business applications hosted by an outside provider. The Novo Nordisk and MSG dumps show extortion crews chasing both regulated health records and embarrassing internal files. Affected customers and patients should expect targeted phishing and watch for fraud tied to the stolen records.

- BleepingComputer: https://www.bleepingcomputer.com/news/security/irhythm-discloses-data-breach-says-hackers-stole-patient-info/
- SecurityWeek: https://www.securityweek.com/cybercrime-group-claims-novo-nordisk-hack/
- 404 Media: https://www.404media.co/hackers-publish-knicks-and-madison-square-garden-data-online/

:: NATION-STATE ACTIVITY

8. SCARCRUFT DROPS NARWHALRAT VIA FAKE MICROSOFT ALERTS [apt, phishing, malware]

Latest developments: Genians Security Center reported North Korea's ScarCruft, also tracked as APT37, sending spear-phishing emails that impersonate Microsoft account security notifications to deploy a new remote-access trojan called NarwhalRAT.

ScarCruft is a long-running North Korean espionage group that favors social-engineering lures aimed at researchers, defectors, and officials. The fake security alerts play on recipients' fear that their accounts are at risk, prompting the click that installs NarwhalRAT. Defenders should flag emails impersonating Microsoft account warnings and verify any such notice through the account portal rather than email links.

- The Hacker News: https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html


BUSINESS AND POLITICS
----------------------------------------------------------------

* Bank of Japan Raises Rate to 1%

Latest developments: The Bank of Japan lifted its policy rate to 1% on Tuesday, a step beyond the central-bank moves tracked in prior briefings and a milestone in its long exit from near-zero rates.

Japan's central bank pushed its benchmark to 1%, the highest in roughly two decades, as it normalizes policy after years of ultra-loose settings. The move firms global yields and reshapes the carry trade that funnels Japanese capital abroad.

- Financial Times: https://www.ft.com/content/8c736b73-a281-4414-b53a-bc48859b02b2

* Iran Deal Lets Tehran Sell Oil at Once

Latest developments: Terms emerged Tuesday showing the U.S.-Iran agreement lets Tehran sell oil immediately and waives banking and transport sanctions, an early financial benefit beyond the signing reported earlier.

The accord ending the war restores Iran's access to oil markets and the financial system needed to transact, hastening a supply recovery. Brent crude fell below $80 for a fourth straight session as traders priced the return of Strait of Hormuz flows.

- Wall Street Journal: https://www.wsj.com/world/middle-east/the-trump-iran-deal-allows-tehran-to-immediately-sell-oil-37a1ebe5
- Financial Times: https://www.ft.com/content/45340e55-aa6a-4302-a606-a869f5cb6189


PITTSBURGH
----------------------------------------------------------------

Weather:
Tonight: Mostly Cloudy then Chance Rain Showers, low 59F.
Wednesday: Mostly Sunny, high 81F.
Wednesday Night: Slight Chance Showers And Thunderstorms, low 68F.

Business:

* Skill Games Ruling May Spur Legislation

Latest developments: Officials say Monday's state Supreme Court ruling that skill games must follow gaming law could finally push Harrisburg lawmakers to regulate and tax the machines.

Pennsylvania's high court held that the loosely regulated skill games in bars, convenience stores, and clubs count as slot machines under state law. Lawmakers have stalled for years on rules and taxes for the devices, and officials see the decision as the spark to act.

- TribLive: https://triblive.com/news/pennsylvania/pa-court-ruling-could-spur-legislative-action-on-skill-games-officials-say/

* Steel Industry Marks Its Legacy

Latest developments: WTAE profiled the Mon Valley Works and the workers who keep Pittsburgh's steelmaking tradition alive, framing the industry's role in building modern America.

Pittsburgh's steel mills shaped skyscrapers, bridges, and wartime production for more than a century, and the Mon Valley Works still runs today. The piece centers on the pride of current workers carrying a generations-old trade.

- WTAE: https://www.wtae.com/article/pittsburgh-steel-industry-history-mon-valley-works/71603515

Around town:

* Fern Hollow Bridge Settlement

Latest developments: Pittsburgh City Council is reviewing a proposed $445,000 settlement for nine people hurt when the Fern Hollow Bridge collapsed on January 28, 2022.

The Forbes Avenue bridge over Frick Park fell on a snowy morning, dropping vehicles and a bus into the ravine. The proposed payout would resolve claims from nine victims, with council weighing approval.

- WTAE: https://www.wtae.com/article/council-reviews-settlemen-fern-hollow-bridge-victims/71605905

* Tornado Count Rises to Five

Latest developments: The National Weather Service confirmed two more tornadoes in Butler County, including an EF1 near Moraine State Park, raising Sunday's regional total to five across eastern Ohio and northwestern Pennsylvania.

Sunday's line of severe storms spawned multiple twisters, with surveys still ongoing. Earlier confirmations covered Beaver County and Columbiana County, Ohio; the Butler County additions bring the count to five.

- KDKA: https://www.cbsnews.com/pittsburgh/news/confirmed-tornadoes-pennsylvania-ohio-storm-damage/

* Free Summer Meals for Kids

Latest developments: CitiParks reopened its free summer meal program Tuesday, offering breakfast, lunch, and snacks to any child under 18 through mid-August.

As Pittsburgh schools close, the city, Pittsburgh Public Schools, and the Greater Pittsburgh Community Food Bank serve free meals at eight rec centers and more than 40 partner sites. No registration is required for children under 18.

- KDKA: https://www.cbsnews.com/pittsburgh/news/free-summer-meal-program-pittsburgh/

* State Funds Security for South Side Fest

Latest developments: Pennsylvania granted $125,000 to the South Side Community Action Network to hire private security this summer for the adults-only South Side Street Fest along East Carson Street.

East Carson Street anchors much of Pittsburgh's nightlife, and the network runs a summer festival there. The state money pays private guards to supplement city police at the event.

- TribLive: https://triblive.com/local/private-security-to-supplement-pittsburgh-cops-at-south-side-festival/

* Mt. Oliver Internet Restored

Latest developments: Xfinity restored service Tuesday to Mt. Oliver customers on Margaret Street after a near-48-hour outage that cut residents off from remote work.

The blackout left a borough block disconnected for two days, stranding people who clock in for jobs online. Comcast brought the connection back Tuesday.

- KDKA: https://www.cbsnews.com/pittsburgh/news/internet-restored-mt-oliver/

Events:

* Juneteenth Events Across the Region

Latest developments: The Post-Gazette rounded up Pittsburgh's Juneteenth observances for the June 19 holiday, spanning festivals, film screenings, and more.

Juneteenth, Friday, June 19, 2026, marks the end of slavery in the United States. Pittsburgh hosts a slate of festivals, films, and gatherings around the date; see the guide for locations and times.

- Post-Gazette Arts & Entertainment: https://www.post-gazette.com/life/recreation/2026/06/16/juneteenth-events-pittsburgh-2026/stories/202606170002


SPORTS
----------------------------------------------------------------

Pirates (36-37)

Mon Jun 15 · Pirates 2 · Athletics 11 · Final
Nick Kurtz and Jeff McNeil power the A's to an 11-2 victory over the struggling Pirates
https://plaintextsports.com/mlb/2026-06-15/pit-ath

Up Next · Pirates @ Athletics · Tue Jun 16, 9:40 PM
https://plaintextsports.com/mlb/2026-06-16/pit-ath

Around the Teams:

* Kyler Fedko's MLB Debut

Latest developments: The Post-Gazette featured Pirates prospect Kyler Fedko making his major-league debut, watched from the stands by his father, Pittsburgh broadcaster John Fedko.

Fedko reached the majors with the Pirates, a milestone the paper framed through his proud father's presence. The piece runs as a human-interest look at the call-up.

- Post-Gazette Pirates: https://www.post-gazette.com/sports/pirates/2026/06/16/mlb-news-rumors-minnesota-twins-kyler-john-fedko/stories/202606160027

* SNR Drive on QB Tiers, Offseason Moves

Latest developments: On Tuesday's SNR Drive, Matt Williamson and Wes Uhler ran through league news, broke down Evan Silva's 2026 fantasy quarterback tiers, and weighed the best offseason moves and longest playoff droughts.

The Steelers' SNR Drive is a daily team-channel show with analysts Matt Williamson and Wes Uhler. The June 16 episode mixed minicamp storylines with a fantasy-football quarterback ranking.

- Pittsburgh Steelers (YouTube): https://www.youtube.com/watch?v=rJFWmDKDNDc

* Which Steelers Rookies Contribute Early

Latest developments: A Post-Gazette video assessed which Steelers rookies looked ready to contribute after OTAs and minicamp, singling out receiver Germie Bernard and offensive lineman Max Iheanachor.

Pittsburgh wrapped its spring program, giving beat writers a first read on the draft class. The video weighs which newcomers could earn early roles.

- Post-Gazette Steelers: https://www.post-gazette.com/sports/steelers/2026/06/15/nfl-news-rumors-germie-bernard-max-iheanachor/stories/202606150028

* Termarr Johnson Trending Up

Latest developments: MiLB Monday in the Post-Gazette asked whether former top Pirates pick Termarr Johnson is turning his minor-league season around.

Johnson, a high first-round selection, has struggled to develop in the Pirates system. The column tracks recent signs of improvement among him and other prospects.

- Post-Gazette Pirates: https://www.post-gazette.com/sports/pirates/2026/06/15/mlb-prospects-termarr-johnson-edward-florentino-tony-blanco/stories/202606150020


READING
----------------------------------------------------------------

* Ed Zitron -- Exclusive: OpenAI Losses Increased Nearly 8X in 2025, With Spending Hitting $34 Billion
  Zitron reports figures showing OpenAI's losses ballooned almost eightfold in 2025 on $34 billion of spending, arguing the company has no path to profitability.
  https://www.wheresyoured.at/exclusive-openai-financials/

* Stratechery -- Fox Buys Roku, The Problem With Fox's Smart Strategy, Streaming That Works
  Thompson argues Fox's purchase of Roku trades extraction from rights holders for the weaker leverage of a distribution renter, explaining why the market dislikes the deal.
  https://stratechery.com/2026/fox-buys-roku-the-problem-with-foxs-smart-strategy-streaming-that-works/

* Stratechery -- Anthropic's Safety Superpower
  Thompson contends Anthropic's faith in its own safety commitment licenses it to push its business aggressively and even challenge the U.S. government.
  https://stratechery.com/2026/anthropics-safety-superpower/

* Cal Newport -- AI Isn't Breaking Work. It's Already Broken.
  Newport uses a survey of 6,000 digital workers to argue that AI exposes dysfunction already baked into knowledge work rather than creating it.
  https://calnewport.com/ai-isnt-breaking-work-its-already-broken/


MARKETS (weekly average, change vs prior week)
----------------------------------------------------------------

S&P 500     7,431.68   ▼ -0.4%
Dow        51,128.10   ▲ +0.3%
Nasdaq     25,985.66   ▼ -0.8%
WTI crude      86.31   ▼ -7.1%
EUR/USD       1.1569   ▼ -0.1%
GBP/USD       1.3403   ▲ +0.1%
USD/JPY       160.25   ▲ +0.1%

================================================================
Generated 2026-06-16 21:04 EDT.
Sources: 24 security feeds; 9 Pittsburgh feeds; 4 Pittsburgh arts and events feeds; 6 Pittsburgh sports beat and podcast feeds; the Wall Street Journal, the Economist, and the Financial Times; and Ed Zitron, Stratechery, Cal Newport. Markets from Yahoo Finance, weather from the NWS, scores from ESPN.
Summaries are AI-generated from the linked reporting; verify at the sources.
================================================================