================================================================
INFOSECFOLLOW -- security, markets, business, pittsburgh
Wednesday, June 17, 2026 - 10:53 PM EDT
================================================================

A leaked trove of working Fortinet VPN credentials exposes Oracle, Lenovo, FedEx, and a NATO contractor even as Britain's cyber chief warns that hostile states have prepositioned across the nation's critical infrastructure.

CONTENTS: What's changed | Emerging Trends | Security | Business and Politics | Pittsburgh | Sports | Reading | Markets

WHAT'S CHANGED SINCE THE LAST UPDATE
----------------------------------------------------------------
* FortiBleed dump names Oracle, Lenovo, FedEx, NATO contractor as victims [new]
* RoguePlanet Defender zero-day CVE-2026-50656 has public PoC, no patch yet [new]
* CISA orders Joomla CVE-2026-48907 patch; Oracle ships 245 fixes [new]
* UK NCSC: hostile states behind three-quarters of critical-infrastructure attacks [new]
* Kodak confirms ShinyHunters breach accessing company data [new]
* Warner warns CISA budget, staffing cuts threaten agency mission [new]
* OMB lists 3,611 federal AI use cases, up 70 percent [new]
* Fed held rates unanimously and scrapped explicit forward guidance [updated]
* US-Iran accord now takes immediate effect, officials confirm [updated]
* Thompson adds SpaceX's acquisition of Cursor to analysis [updated]
* Commissioners voted against borough-township merger, halting consolidation talks [updated]

EMERGING TRENDS
----------------------------------------------------------------
* Credential Harvesting: Mass credential theft dominates the day, from FortiBleed's 73,932 exposed firewall URLs to rising account takeovers that slip past legacy multifactor authentication.
* State Prepositioning: Britain reports hostile states behind three-quarters of attacks on its critical infrastructure, embedding access now to enable kinetic targeting in a future conflict.
* AI Offense: Researchers show low-skill attackers driving Claude and Codex to breach companies while Microsoft and well-funded startups field agentic defenders to keep pace.
* Exploited Flaws: Maximum-severity Joomla and Fortinet bugs reach attackers within days, forcing tight CISA deadlines atop a heavy vendor patch cycle led by Oracle's 245 fixes.
* Government AI: The US government now lists 3,611 AI use cases even as senators warn of CISA budget and staffing cuts, widening the gap between AI ambition and cyber capacity.

SECURITY
----------------------------------------------------------------
1. FORTIBLEED LEAK NAMES ORACLE, LENOVO, AND A NATO CONTRACTOR
Vulnerabilities and Exploits · [breach, vpn, patch] · first identified Jun 17, 2026

Latest developments: Ars Technica named the high-profile victims in the FortiBleed credential dump—Oracle, Lenovo, FedEx, a NATO contractor, and Fortinet itself—and Dark Reading reported attackers across nearly 200 countries now hold a compiled list of working credentials for tens of thousands of compromised devices.

The FortiBleed leak publishes working VPN credentials for 73,932 Fortinet and FortiGate firewall URLs, traced to three recently patched FortiSandbox flaws, CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. SOCRadar counts roughly 30,000 compromised firewalls, and the named victims reach into critical supply chains. Any organization running an exposed FortiGate should rotate VPN credentials, apply the FortiSandbox patches, and hunt for intrusions immediately.
- Ars Technica Security: https://arstechnica.com/security/2026/06/massive-breach-spills-credentials-for-thousands-of-sensitive-networks/
- BleepingComputer: https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/
- Dark Reading: https://www.darkreading.com/cyberattacks-data-breaches/sweeping-credential-harvesting-heist-compromises-30k-fortinet-devices
- SecurityWeek: https://www.securityweek.com/3-recently-patched-fortinet-fortisandbox-vulnerabilities-in-hacker-crosshairs/

2. EXPLOITED WEB FLAWS DRIVE A HEAVY PATCH CYCLE
Vulnerabilities and Exploits · [patch, exploited, ics] · first identified Jun 17, 2026

Latest developments: CISA ordered federal agencies to patch the maximum-severity Joomla Content Editor flaw CVE-2026-48907 by Friday after confirming active exploitation, and researchers reported attackers chaining Joomla and LiteSpeed cPanel bugs to run PHP and gain root on shared hosts, as Oracle shipped 245 fixes and Chrome, Firefox, and Rockwell Automation patched critical bugs.

The CVSS 10.0 Joomla JCE flaw lets unauthenticated attackers execute arbitrary PHP, and the LiteSpeed cPanel bug escalates to root on shared hosting. The same day, Oracle's June Critical Patch Update closed 245 vulnerabilities, Chrome and Firefox fixed memory-safety bugs that allow remote code execution, and Rockwell patched Logix, RSLinx, and FactoryTalk. Administrators also face a near deadline to refresh expiring Secure Boot keys on Windows and Linux. Patch internet-facing web software first, then work through the vendor backlog.

- BleepingComputer: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-max-severity-joomla-plugin-flaw-by-friday/
- SecurityWeek: https://www.securityweek.com/joomla-litespeed-vulnerabilities-exploited-in-attacks/
- SecurityWeek: https://www.securityweek.com/oracles-second-monthly-security-updates-deliver-245-patches/
- Ars Technica Security: https://arstechnica.com/security/2026/06/windows-and-linux-users-the-deadline-to-update-secure-boot-keys-is-near/

3. ROGUEPLANET DEFENDER ZERO-DAY AWAITS A PATCH
Vulnerabilities and Exploits · [zero-day, patch] · first identified Jun 17, 2026

Latest developments: Microsoft formally disclosed RoguePlanet as CVE-2026-50656 at CVSS 7.8 and confirmed public proof-of-concept code exploits a race condition in the Malware Protection Engine to spawn a command prompt with System privileges, with a patch still in development.

RoguePlanet is an elevation-of-privilege flaw in the engine that powers Microsoft Defender, one of three zero-days an actor calling itself Nightmare Eclipse dropped to punish the company. Any local attacker who wins the race condition gains System-level control of a Windows machine. Until Microsoft ships the fix, defenders should watch endpoints for local privilege-escalation attempts and unexpected System-level command shells.

- The Hacker News: https://thehackernews.com/2026/06/microsoft-confirms-rogueplanet-defender_02022423645.html
- SecurityWeek: https://www.securityweek.com/microsoft-working-on-patch-for-rogueplanet-zero-day/
- BleepingComputer: https://www.bleepingcomputer.com/news/microsoft/microsoft-working-on-defender-patch-for-rogueplanet-zero-day/
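The RoguePlanet item above tells defenders to watch for unexpected System-level command shells. The script below is an added example of that detection logic, not code from the newsletter or from Microsoft: it scans process-creation events (constructed inline in a Sysmon Event ID 1 style, not real logs) and flags shells running as SYSTEM whose parent is not an expected service host. The allowlist of expected parents and the name of the Defender service process that hosts the engine (MsMpEng.exe) are assumptions; tune both from your own telemetry.

```python
"""Flag unexpected SYSTEM-level command shells in process-creation telemetry.

Added example for the RoguePlanet detection advice above. The sample events are
constructed (Sysmon Event ID 1 field names, invented values); nothing here is
taken from a real incident.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Interactive shells that should rarely run as SYSTEM outside known service parents.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Parents that legitimately launch SYSTEM shells (service control, scheduled
# tasks, remote management). Assumed baseline; extend it from your environment.
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "taskeng.exe", "wsmprovhost.exe"}

# Assumed name of the Defender service process that hosts the Malware Protection
# Engine; a shell spawned by it matches the escalation pattern the item describes.
DEFENDER_ENGINE_HOST = "msmpeng.exe"

SYSTEM_USER = "nt authority\\system"


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    parent_image: str
    severity: str
    reason: str


def is_system(user: str) -> bool:
    """True when the event's User field is the local SYSTEM account."""
    return user.strip().lower() == SYSTEM_USER


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious SYSTEM shell, or None for benign events."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    if image not in SHELL_IMAGES or not is_system(event["User"]):
        return None
    if parent == DEFENDER_ENGINE_HOST:
        return Finding(event["ProcessId"], image, parent, "high",
                       "SYSTEM shell spawned by the Defender engine host")
    if parent not in EXPECTED_SYSTEM_PARENTS:
        return Finding(event["ProcessId"], image, parent, "medium",
                       "SYSTEM shell with unexpected parent")
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run classify() over a stream of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample telemetry (invented PIDs, paths and users).
SAMPLE_EVENTS = [
    {"ProcessId": 4312, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": 1180, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": 7720, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice"},
    {"ProcessId": 9056, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\updater.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] pid={finding.pid} {finding.image} "
              f"<- {finding.parent_image}: {finding.reason}")
```

Only the first and last sample events are flagged: the shell under the assumed engine host is rated high, the SYSTEM shell under an unknown updater medium, while the services.exe-launched PowerShell and the non-SYSTEM user shell pass. In production, feed the function from your SIEM's process-creation stream and treat any high finding as a candidate local privilege-escalation until the Microsoft fix ships.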
4. WESTERN GOVERNMENTS RECALIBRATE CYBER-DEFENSE FUNDING
Policy and Regulation · [policy] · first identified Jun 17, 2026

Latest developments: Senator Mark Warner warned the acting CISA chief that budget cuts and staffing gaps threaten the agency's mission and pressed DHS Secretary Markwayne Mullin to fund the MS-ISAC, while the European Union granted Ukraine access to its reserve of pre-approved incident-response firms.

Warner's letters argue that DHS must prioritize CISA and underwrite the MS-ISAC that defends state and local governments. Across the Atlantic, the EU integrated Ukraine into its pool of vetted responders as Kyiv moves toward formal accession. The two moves show Western governments rethinking who funds and staffs cyber defense as threats intensify.

- The Record: https://therecord.media/warner-warns-of-cisa-cuts-staffing-shortages
- The Record: https://therecord.media/ukraine-access-eu-cybersecurity-reserve

5. BRITAIN WARNS OF HOSTILE-STATE PREPOSITIONING
Nation-State Activity · [apt, critical-infrastructure] · first identified Jun 17, 2026

Latest developments: NCSC Chief Executive Richard Horne told a RUSI audience that hostile states sit behind three-quarters of attacks on Britain's critical infrastructure and are prepositioning access throughout it for future conflict.

Horne warned that adversaries embed in energy, water, telecom, and transport systems today to enable targeting tomorrow, saying kinetic targeting in any conflict will rest on intelligence gathered now. The warning frames espionage and access operations as preparation for physical war. Operators of critical systems should assume persistent adversary presence and harden detection, segmentation, and recovery accordingly.

- The Record: https://therecord.media/britain-nation-state-cyberattacks-richard-horne-rusi

6. KODAK CONFIRMS SHINYHUNTERS BREACH
Data Breaches · [breach, extortion] · first identified Jun 17, 2026

Latest developments: Kodak confirmed intruders accessed company data and engaged external responders, validating an extortion claim by ShinyHunters, the gang tied to the Oracle PeopleSoft zero-day campaign.

Kodak joins a widening run of enterprise breaches and extortion driven by ShinyHunters. The company has not detailed which data the attackers took. Organizations should treat ShinyHunters claims as credible, review exposure to Oracle PeopleSoft and other recently exploited enterprise software, and prepare for follow-on extortion pressure.

- BleepingComputer: https://www.bleepingcomputer.com/news/security/kodak-confirms-data-breach-claimed-by-shinyhunters-extortion-gang/

7. AI USE BALLOONS ACROSS THE US GOVERNMENT
Policy and Regulation · [policy, ai] · first identified Jun 17, 2026

Latest developments: Bruce Schneier flagged an Office of Management and Budget disclosure from April 14, 2026, listing 3,611 active or planned AI use cases across the federal government, a 70 percent jump over the final Biden-era list and including plans to hand sensitive functions to automated systems.

The disclosure marks the broadest accounting yet of federal AI adoption, spanning core operations and some sensitive governmental functions. The scale raises accountability, oversight, and security questions as agencies wire automated decision-making into critical workflows. Each new use case widens the attack surface and the consequences of model failure or manipulation.
- Schneier on Security: https://www.schneier.com/blog/archives/2026/06/ai-use-by-the-us-government.html

BUSINESS AND POLITICS
----------------------------------------------------------------
* Fed Holds Rates, Scraps Forward Guidance

Latest developments: The Warsh-led committee held rates steady in a unanimous vote Wednesday and eliminated explicit forward guidance, hardening the hawkish signal reported earlier into a formal decision.

Kevin Warsh's first meeting as Federal Reserve chair left the benchmark rate unchanged, dropped the bias toward cuts, and projected at least one increase this year to tame inflation that the Iran war pushed toward 4%; stocks fell while Treasury yields and the dollar climbed.

- FT World: https://www.ft.com/content/0fda593c-7de5-44e2-825c-53d7451d5f70
- WSJ Markets: https://www.wsj.com/finance/stocks/global-stocks-markets-dow-update-06-17-2026-05228bac?mod=rss_markets_main

* US-Iran Deal Takes Effect

Latest developments: Senior US officials read the full memorandum to reporters Wednesday and Pakistan's premier said the accord takes immediate effect, moving past the signing reported earlier.

The agreement winding down the war that began February 28 lets Iran resume oil sales at once—potentially more than $60 billion a year—and waives banking and transport sanctions, while Trump pledged to release frozen funds and Tehran keeps its ballistic missiles.

- FT World: https://www.ft.com/content/d4f89b6b-c213-4550-924b-a9ae45e24c37
- WSJ World News: https://www.wsj.com/world/middle-east/deal-gives-iran-chance-to-turbocharge-its-oil-revenue-5b481eb6

PITTSBURGH
----------------------------------------------------------------
Weather:
Tonight: Showers And Thunderstorms, low 68F.
Thursday: Showers And Thunderstorms then Mostly Sunny, high 83F.
Thursday Night: Partly Cloudy, low 59F.
Business:

* Skill Games Face Taxation

Latest developments: Operators and players weighed their tax and regulatory exposure Wednesday, with the practical mechanics of how the state will license and tax the machines still unsettled after this week's ruling.

Pennsylvania's Supreme Court classified the cash-paying skill-game terminals in bars, convenience stores, and clubs as slot machines under state law this week, opening the largely untaxed devices to regulation and taxation and pressing Harrisburg to write rules.

- WPXI: https://www.wpxi.com/news/local/pennsylvanians-weigh-court-ruling-that-could-lead-taxation-skill-games/SH3EGHR7OREYNL5727KLV52Y2Y/

* AHN Pairs Cancer Patients With Ambassadors

Latest developments: Allegheny Health Network spotlighted its cancer ambassador program Wednesday, pairing newly diagnosed patients with survivors who guide them through treatment.

The program at Allegheny Health Network's Cancer Institute connects patients facing a new diagnosis with former patients who volunteer as ambassadors, aiming to ease the isolation that follows a diagnosis.

- KDKA: https://www.cbsnews.com/pittsburgh/news/allegheny-health-network-cancer-ambassadors/

Around town:

* Tornado Threat, Storms Early Thursday

Latest developments: Forecasters now expect the strongest storms overnight into Thursday morning, with a brief tornado possible before dawn, and Duquesne Light urged customers to prepare for outages.

The National Weather Service placed the Pittsburgh region under a severe risk for flash flooding, damaging winds, hail, and an isolated tornado as a line of storms crosses overnight Wednesday into the Thursday commute, with strong winds lingering through the day.
- KDKA: https://www.cbsnews.com/pittsburgh/news/tornado-strong-winds-thursday-morning-pittsburgh/
- WTAE: https://www.wtae.com/article/severe-weather-alert-day-thursday-risk-for-flash-flooding-and-gusty-winds/71610265
- WTAE: https://www.wtae.com/article/duquesne-light-western-pa-storms-june-18-2026/71618783

* Borough-Township Merger Talks End

Latest developments: Commissioners voted Wednesday against advancing a proposed borough-township merger, halting consolidation talks a day after officials had moved toward a November ballot question.

Officials had weighed folding a local borough into the neighboring township and putting the question to voters in November, but commissioners voted to stop the merger discussions.

- WPXI: https://www.wpxi.com/news/local/officials-taking-steps-put-merger-local-borough-township-november-ballot/ZOAR4CVHDZH2JMOB47GTRYBOS4/

* Indiana Township Church to Rebuild After Fire

Latest developments: Trinity United Church of Christ's pastor said Wednesday the May fire damage forces the congregation to demolish and rebuild rather than restore the historic building.

A May fire devastated the historic Trinity United Church of Christ in Indiana Township, Allegheny County, and the pastor said the congregation will tear it down and rebuild, aiming to mirror the original at the community's request.

- KDKA: https://www.cbsnews.com/pittsburgh/news/trinity-united-church-of-christ-rebuilding/

* Mount Pleasant Police Add Trail E-Bikes

Latest developments: Mount Pleasant Township police added two e-bikes to their fleet this month to patrol the Panhandle and Montour trails.

Mount Pleasant Township police began using two electric bicycles to cover the Panhandle and Montour trails, extending visibility and response to paths that patrol cars cannot reach.
- WTAE: https://www.wtae.com/article/mt-pleasant-police-e-bikes-trails-reported-incident-response/71618760

SPORTS
----------------------------------------------------------------
Pirates (37-37)

Tue Jun 16 · Pirates 6 · Athletics 5 · Final
Lowe hits go-ahead homer, Reynolds connects twice as Pirates rally past Athletics for 6-5 victory
https://plaintextsports.com/mlb/2026-06-16/pit-ath

Wed Jun 17 · Pirates 7 · Athletics 0 · Top 4th (in progress at last update)
https://plaintextsports.com/mlb/2026-06-17/pit-ath

Up Next · Pirates @ Rockies · Fri Jun 19, 8:40 PM
https://plaintextsports.com/mlb/2026-06-19/pit-col

Around the Teams:

* Washington Talks $42M Deal on Heyward Podcast

Latest developments: Tight end Darnell Washington joined Not Just Football with Cam Heyward to discuss his new four-year, $42 million extension and Connor Heyward's departure.

Fresh off signing a four-year, $42 million extension with the Steelers, tight end Darnell Washington went on Not Just Football with Cam Heyward to talk through the deal, his back-to-back national titles at Georgia, and life as a 6-foot-7 blocking and receiving threat.

- Not Just Football with Cam Heyward: https://www.youtube.com/watch?v=bI9k0IEdvzA

* Hiles: Pirates Must Improve or Face a Reckoning

Latest developments: In a Wednesday column, the Post-Gazette's Noah Hiles wrote that general manager Ben Cherington should hope the team never learns what happens if the Pirates fail to improve.

Post-Gazette columnist Noah Hiles weighed the Pirates' trade-deadline choices around ace Paul Skenes and prospect Konnor Griffin, warning that continued underperformance would force a reckoning for general manager Ben Cherington.
- Post-Gazette Pirates: https://www.post-gazette.com/sports/pirates/2026/06/17/mlb-rumors-trade-deadline-skenes-konnor-griffin-cherington/stories/202606170046

* Beat Writers Say Steelers Should Pass on Sorsby

Latest developments: Post-Gazette writers laid out the case this week for the Steelers to avoid quarterback Brendan Sorsby in the NFL's supplemental draft.

The Post-Gazette argued the Steelers would be right to skip quarterback Brendan Sorsby, who entered the supplemental draft amid a gambling matter, with prospects Drew Allar and Will Howard also part of the discussion.

- Post-Gazette Steelers: https://www.post-gazette.com/sports/steelers/2026/06/16/sorsby-gambling-supplemental-draft-allar-howard/stories/202606160042
- Post-Gazette Steelers: https://www.post-gazette.com/sports/steelers/2026/06/17/nfl-news-rumors-brendan-sorsby/stories/202606170039

READING
----------------------------------------------------------------
* Stratechery -- The State of Fable, The Jailbreak Problem, SpaceX Acquires Cursor
Ben Thompson argues the administration is very likely wrong about Anthropic's Fable model, though policing that falls ultimately to Anthropic, and works through the jailbreak problem and SpaceX's acquisition of Cursor.
https://stratechery.com/2026/the-state-of-fable-the-jailbreak-problem-spacex-acquires-cursor/

* Ed Zitron -- Exclusive: OpenAI Losses Increased Nearly 8X in 2025, With Spending Hitting $34 Billion
Zitron reports financials showing OpenAI's losses grew almost eightfold in 2025 as spending reached $34 billion, sharpening his case that the company has no path to profitability.
https://www.wheresyoured.at/exclusive-openai-financials/

* Cal Newport -- AI Isn't Breaking Work. It's Already Broken.
Responding to a Financial Times interview with the Work AI Institute's Rebecca Hinds, Newport contends that AI is not damaging knowledge work so much as exposing dysfunction that already plagued it.
https://calnewport.com/ai-isnt-breaking-work-its-already-broken/

MARKETS (weekly average, change vs prior week)
----------------------------------------------------------------
S&P 500       7,462.30   ▲ +0.8%
Dow          51,442.85   ▲ +1.3%
Nasdaq       26,156.09   ▲ +1.1%
WTI crude        83.88   ▼ -8.6%
EUR/USD         1.1584   ▲ +0.2%
GBP/USD         1.3414   ▲ +0.3%
USD/JPY         160.25   ▲ +0.1%

================================================================
Generated 2026-06-17 22:53 EDT.
Sources: 24 security feeds; 9 Pittsburgh feeds; 4 Pittsburgh arts and events feeds; 6 Pittsburgh sports beat and podcast feeds; the Wall Street Journal, the Economist, and the Financial Times; and Ed Zitron, Stratechery, Cal Newport. Markets from Yahoo Finance, weather from the NWS, scores from ESPN.
Summaries are AI-generated from the linked reporting; verify at the sources.
================================================================