daily plain-text briefing: security, markets, business, and pittsburgh
A leak called FortiBleed hands attackers working VPN credentials for tens of thousands of Fortinet firewalls at Oracle, Lenovo, FedEx, and a NATO contractor, even as Microsoft races to patch a Defender zero-day and Britain warns of hostile states burrowing into critical infrastructure.
Latest developments: Ars Technica named victims among the exposed networks—Oracle, Lenovo, FedEx, a NATO contractor, and Fortinet itself—and Dark Reading reported attackers have compiled working credential lists for tens of thousands of devices across nearly 200 countries.
FortiBleed published Fortinet and FortiGate VPN credentials for 73,932 firewall URLs, and SOCRadar counts roughly 30,000 devices already compromised. The exposed networks span nearly 200 countries and include Oracle, Lenovo, FedEx, a NATO contractor, and Fortinet itself. Attackers reached the credentials by working three recently patched FortiSandbox flaws. Organizations should rotate VPN credentials immediately and confirm the FortiSandbox patches.
Sources: Ars Technica Security · BleepingComputer · Dark Reading · SecurityWeek
Latest developments: Microsoft confirmed the RoguePlanet zero-day as CVE-2026-50656 and said a patch is in development, one week after the flaw surfaced with public proof-of-concept code that races the Defender engine to spawn a System-level command prompt.
RoguePlanet, now CVE-2026-50656 at CVSS 7.8, is a privilege-escalation flaw in the Microsoft Malware Protection Engine that powers Defender. Public proof-of-concept code wins a race condition to spawn a command prompt with System privileges. Microsoft acknowledged the zero-day a week after it surfaced and says a fix is on the way. Defender refreshes its engine automatically, so administrators should verify the engine updates once Microsoft ships the patch.
Sources: The Hacker News · SecurityWeek · BleepingComputer
Latest developments: CISA ordered agencies to patch maximum-severity Joomla Content Editor flaw CVE-2026-48907 by Friday as SecurityWeek confirmed attackers chaining it with a LiteSpeed cPanel flaw for PHP execution and root, while Oracle shipped 245 fixes and Chrome and Firefox closed critical memory-safety bugs.
CISA added the maximum-severity Joomla Content Editor flaw CVE-2026-48907 to its exploited-vulnerabilities catalog and set a Friday deadline for federal agencies. SecurityWeek confirmed attackers chaining the Joomla bug and a LiteSpeed cPanel flaw to run arbitrary PHP and seize root on shared hosts. Oracle's June update delivered 245 fixes, and Chrome and Firefox patched critical memory-safety bugs that could enable remote code execution. Anyone running these products should apply the updates now.
Sources: BleepingComputer · SecurityWeek · SecurityWeek · SecurityWeek
Latest developments: NCSC chief executive Richard Horne told a RUSI audience that hostile states drive three-quarters of the attacks on Britain's critical infrastructure and are prepositioning across it for future conflict.
Richard Horne, who runs Britain's National Cyber Security Centre, warned that nation-state adversaries account for most attacks on the country's critical infrastructure and are embedding themselves to map networks. He cautioned that 'kinetic targeting in any conflict tomorrow will be based on intelligence gathered today.' Operators of energy, water, telecoms, and transport face attackers laying groundwork for disruption. The warning pushes infrastructure defenders to hunt for dormant intrusions rather than wait for overt attacks.
Sources: The Record
Latest developments: The Hacker News detailed a junior attacker who installed OpenSSH and Tailscale on a victim before his Havoc command-and-control server went offline to keep a backdoor, and Sophos reported that some underground actors stay skeptical that AI sharpens their craft.
Researchers keep documenting how AI tools and commodity software lower the bar for intrusions. In the latest case a French-speaking attacker broke into a small automotive firm, planted a keylogger, and—before his Havoc command-and-control server went dark—installed OpenSSH and Tailscale to preserve access outside the C2. Sophos found that some underground actors doubt AI improves their operations, even as analysts argue models with strong hacking ability will soon be common. Defenders should flag legitimate remote-access tools appearing where they do not belong.
Sources: The Hacker News · Sophos News · Ars Technica Security
Latest developments: Kodak confirmed a data breach that the ShinyHunters extortion gang claimed, and iRhythm disclosed that intruders stole patient health data from third-party-hosted apps and issued a ransom demand.
Kodak said it is working with outside experts after intruders accessed company data, a breach ShinyHunters claimed. Days earlier medical-device maker iRhythm disclosed that attackers stole patient protected health information and other personal data from third-party-hosted applications, then demanded a ransom. Both join a run of extortion-driven thefts hitting healthcare and consumer brands. Affected customers and patients should expect notification and watch for fraud.
Sources: BleepingComputer · Help Net Security
Latest developments: Check Point Research exposed a crypto-clipper operation that pays for promoted posts on legitimate news sites and seeds fake reviews, AI-voiced videos, and VirusTotal comments to push wallet-swapping malware through a WordPress phishing hub.
Check Point Research traced a crypto-clipper operation that buys promoted posts on real news sites to manufacture buzz, then funnels victims through a WordPress phishing hub backed by fake GitHub and SourceForge projects, a YouTube channel, and AI-narrated videos. The malware swaps cryptocurrency wallet addresses on the clipboard to redirect payments to the attacker. The actor even seeded VirusTotal comments to lend the warez credibility. Users should verify wallet addresses after pasting and download tools only from vetted sources.
Sources: The Hacker News
Latest developments: Senator Mark Warner warned CISA's acting chief and DHS Secretary Markwayne Mullin that staffing gaps and budget cuts threaten the agency and MS-ISAC funding, while the EU granted Ukraine access to its pool of pre-approved incident-response firms.
Senator Mark Warner pressed CISA's acting chief and DHS Secretary Markwayne Mullin over staffing shortages and budget cuts, urging DHS to prioritize the agency and fund the MS-ISAC that defends state and local governments. Across the Atlantic, the EU granted Ukraine access to its reserve of pre-approved incident-response companies as Kyiv moves toward formal accession. Both moves show how defensive cyber capacity tracks political will and funding. Defenders relying on shared federal resources should plan for possible gaps.
Sources: The Record · The Record
Latest developments: The Federal Reserve held its benchmark rate steady today as expected, and in Kevin Warsh's debut as chairman it scrapped explicit forward guidance and dropped its bias toward cuts, with projections showing nearly half of policymakers favor at least one hike this year.
Warsh chaired his first Federal Open Market Committee meeting, which left rates unchanged in a unanimous vote against a backdrop of inflation running near double the 2% target after the war in Iran. Treasury yields and the dollar rose and gold slipped after the announcement.
This Afternoon: Mostly Cloudy, high 81F.
Tonight: Showers And Thunderstorms, low 68F.
Thursday: Showers And Thunderstorms then Mostly Sunny, high 83F.
Latest developments: Carnegie Mellon University committed $3 million to Pittsburgh to support education and infrastructure work alongside Mayor Corey O'Connor's administration.
The gift extends a long partnership between the university and the city, funding shared priorities for schools and public infrastructure.
Sources: Pittsburgh Magazine
Latest developments: Though no World Cup matches play near Pittsburgh, some local bars report soccer crowds rivaling a home Steelers game.
Bar owners say the tournament has drawn heavy weekday turnout, a notable lift for hospitality businesses in a city with no host venue.
Sources: Pittsburgh Post-Gazette
Latest developments: The first major closure for the Commercial Street Bridge project will begin June 29 in Frick Park, setting a firm date after earlier detour planning.
Replacing the Commercial Street Bridge requires a lengthy full closure along the Parkway East corridor near Frick Park, rerouting one of the region's busiest commutes.
Sources: Pittsburgh Post-Gazette
Latest developments: Forecasters declared Thursday a severe weather alert day, warning of flash flooding, damaging winds, and an early-morning tornado risk for parts of the Pittsburgh area.
Storms move back into Western Pennsylvania overnight into Thursday, threatening the morning commute with heavy rain, gusts of 30 to 40 mph, and isolated tornadoes.
Latest developments: Ross Township voted to switch trash contractors, a change that will lower residents' garbage bills and alter their service.
The North Hills township's new hauler contract reduces what households pay for trash pickup.
Sources: KDKA
Latest developments: Duquesne residents got their first look at a proposal to reshape the city's government.
Officials presented a plan to restructure how the small Mon Valley city governs itself.
Sources: WPXI
Latest developments: The Pittsburgh Zoo & Aquarium opened public voting to name its two-month-old female lion cub, born in April.
The cub stays behind the scenes until later this summer, and the zoo invites the public to choose her name.
Sources: Pittsburgh Magazine
Latest developments: Crews are laying thousands of yards of dirt at Acrisure Stadium ahead of a Monster Jam weekend.
Monster Jam runs this weekend at Acrisure Stadium on the North Shore, turning the Steelers' field into a dirt track for the truck show.
Sources: WTAE
Latest developments: Alternative rock band Young the Giant brings its Victory Garden tour to Pittsburgh.
Young the Giant, the alternative rock group whose bassist favors Pittsburgh-made jewelry, plays the city on the tour.
Sources: TribLive
Latest developments: WPXI published a town-by-town list of Fourth of July fireworks displays across the Pittsburgh area.
The guide maps parades, music, food, and fireworks in communities throughout Western Pennsylvania for the July 4 holiday.
Sources: WPXI
Pirates (37-37)
Tue Jun 16 · Pirates 6 · Athletics 5 · Final
Lowe hits go-ahead homer, Reynolds connects twice as Pirates rally past Athletics for 6-5 victory
Up Next · Pirates @ Athletics · Wed Jun 17, 9:40 PM
Latest developments: Tight end Darnell Washington joined Not Just Football with Cam Heyward fresh off signing a four-year, $42 million extension with the Steelers.
On the podcast Washington discussed the new deal, Connor Heyward's departure, his back-to-back Georgia championships, and life as a 6-foot-7 tight end.
Sources: Not Just Football with Cam Heyward
Latest developments: Post-Gazette reporting says the Steelers should, and likely will, avoid quarterback Brendan Sorsby in the NFL's supplemental draft.
Sorsby enters the supplemental draft amid a gambling matter, but the beat writers expect no bid from Pittsburgh given its quarterback room behind Will Howard and Drew Allar.
Sources: Pittsburgh Post-Gazette · Pittsburgh Post-Gazette
Latest developments: Noah Hiles argued the Pirates must improve before the trade deadline, warning Ben Cherington against standing pat with Paul Skenes and prospect Konnor Griffin in the picture.
The Post-Gazette columnist weighed deadline scenarios and the cost of another lost season around ace Paul Skenes.
Sources: Post-Gazette Pirates
S&P 500 7,431.68 ▼ -0.4% Dow 51,128.10 ▲ +0.3% Nasdaq 25,985.66 ▼ -0.8% WTI crude 83.88 ▼ -8.6% EUR/USD 1.1569 ▼ -0.1% GBP/USD 1.3403 ▲ +0.1% USD/JPY 160.25 ▲ +0.1%