
Tata Ransomware Leak, Bajaj Cyberattack Disrupts, Fortinet Firewalls Compromised – Cybersecurity News [June 22, 2026]

Brad Slavin, General Manager

Quick Answer

This weekly cybersecurity roundup covers major global threats including ransomware attacks on Tata Electronics and Bajaj Auto, a large Fortinet credential breach, new Linux kernel vulnerabilities, malware network takedowns, supply-chain attacks across npm and Go, phishing campaigns, and espionage.

Cybersecurity news

Here’s your weekly roundup of the most important cybersecurity stories from June 23-29, 2026. It was a particularly intense week, with major ransomware attacks striking Indian manufacturing giants, a global Fortinet credential crisis affecting nearly half of all internet-facing firewalls, new Linux kernel flaws, a law enforcement crackdown on malware networks, and a surge of cyber threats shadowing the ongoing FIFA World Cup. Read on for the full breakdown.

Tata Electronics hit by ransomware: Apple and Tesla secrets allegedly leaked

One of Apple’s biggest iPhone manufacturers in India, Tata Electronics, confirmed a cybersecurity incident this week after the World Leaks ransomware group published what it claims is over 200,000 stolen files on the dark web. The leaked file listing appears to include Apple and Tesla documents, technical drawings, and employee passport scans. The incident highlights growing supply-chain risk as cybercriminals increasingly target major manufacturers and their vendors.

The disclosure came after World Leaks, a ransomware group that previously claimed responsibility for a cyberattack on Nike, published what it described as stolen data from Tata Electronics on its dark web leak site. According to information posted by the group, the dataset comprises more than 200,000 files amounting to over 630 gigabytes of data.

Apple confirmed it was investigating the breach and that a full analysis was underway. Sources also revealed that Tata had received a ransom demand related to the incident, though Tata Electronics declined to comment on that specific detail. This is a serious development: Tata Electronics currently accounts for roughly one-third of Apple’s iPhone production in India, making the potential exposure of manufacturing IP and design blueprints a supply-chain crisis that stretches far beyond Tata itself.


Bajaj Auto ransomware attack rattles Indian manufacturing sector

Hot on the heels of the Tata breach, Indian automotive giant Bajaj Auto disclosed it too had fallen victim to a ransomware attack. In a regulatory filing, Bajaj Auto said the ransomware attack occurred on June 23 at around 8:00 AM IST. The company said its technical teams, management, and external cybersecurity experts responded immediately and initiated precautionary actions and response protocols to mitigate the impact. The incident was also reported to the Indian Computer Emergency Response Team (CERT-In).

Bajaj Auto did not disclose whether any customer or business data was compromised, whether manufacturing operations were affected, or whether a ransom demand had been received. The back-to-back attacks on two of India’s most prominent manufacturers in the same week have raised serious alarm bells about the cybersecurity posture of the country’s industrial sector, which is increasingly interconnected with global supply chains.

FortiBleed: 86,000+ Fortinet firewalls compromised across 194 countries

Arguably the most alarming story of the week, the FortiBleed credential campaign continued to escalate. A Russian-speaking cybercriminal syndicate has quietly harvested verified administrator and VPN credentials from 86,644 Fortinet FortiGate firewalls across 194 countries, exposing roughly half of all internet-facing Fortinet perimeter devices, in what researchers are calling the largest industrialized credential-harvesting campaign in Fortinet’s history.

According to data from SOCRadar, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority of compromised credentials, pointing directly to a widespread failure to rename default accounts or rotate factory credentials.


Critically, this campaign does not exploit a software vulnerability, so there is no patch that closes this exposure. CISA, the UK NCSC, and Fortinet itself all issued urgent advisories during the week, urging all affected organizations to immediately reset all admin and VPN credentials, enable multi-factor authentication, and restrict firewall management interfaces from public internet access. High-profile organizations including Samsung, Siemens, Oracle, and Accenture are reportedly among those with credentials in the exposed dataset.
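As an added defensive illustration (not code from the article or from Fortinet), the audit below checks a configuration export for the three weaknesses the advisories above call out: an admin account still using the default name, admin accounts with no trusted-host restriction or two-factor setting, and management services enabled on a WAN-role interface. The FortiOS CLI backup syntax, the field names, and the sample config are assumptions constructed for this example.

```python
import re

# Constructed sample in FortiOS CLI backup syntax (assumed format, not a real device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "ops-jdoe"
        set trusthost1 10.0.0.0 255.0.0.0
        set two-factor fortitoken
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
"""

# Services that expose the management plane when reachable from the internet.
MGMT_SERVICES = {"http", "https", "ssh", "telnet"}


def parse_section(config, name):
    """Return {entry_name: {key: value}} for one 'config <name> ... end' block."""
    section = re.search(rf"config {name}\n(.*?)\nend", config, re.S)
    entries = {}
    if not section:
        return entries
    for block in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', section.group(1), re.S):
        # 'set key value...' lines; values may contain spaces (e.g. trusthost masks).
        entries[block.group(1)] = dict(re.findall(r"set (\S+) (.+)", block.group(2)))
    return entries


def audit(config):
    """Return human-readable findings for the weaknesses the advisories call out."""
    findings = []
    for name, s in parse_section(config, "system admin").items():
        if name == "admin":
            findings.append(f"account '{name}' still uses the default admin name")
        if s.get("trusthost1", "0.0.0.0 0.0.0.0") == "0.0.0.0 0.0.0.0":
            findings.append(f"account '{name}' has no trusted-host restriction")
        if "two-factor" not in s:
            findings.append(f"account '{name}' has no two-factor authentication")
    for name, s in parse_section(config, "system interface").items():
        exposed = MGMT_SERVICES & set(s.get("allowaccess", "").split())
        if s.get("role") == "wan" and exposed:
            findings.append(f"WAN interface '{name}' exposes {sorted(exposed)}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the constructed config yields three findings for the default `admin` account and one for the WAN interface that still answers HTTPS and SSH.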

Amadey and StealC malware networks disrupted: 27 million stolen credentials recovered

In a significant law enforcement win, a coordinated international operation, run in partnership with private sector companies including Bitdefender, Bitsight, ESET, and Microsoft, took down the criminal infrastructure powering the Amadey and StealC malware families. “The main common goal was to disrupt the ‘assembly lines’ cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure,” Europol stated.

Hundreds of command-and-control servers were disrupted in the operation. The recovery of 27 million stolen credentials represents a massive blow to the underground economy that relies on infostealer malware to fuel follow-on attacks such as ransomware deployments, business email compromise, and account takeovers. The takedown is part of a broader trend of law enforcement agencies collaborating closely with the private sector to go beyond arrests and directly dismantle criminal infrastructure.


CISA flags PTC Windchill critical RCE vulnerability under active exploitation

Industrial and manufacturing organizations were put on high alert as a critical software flaw was added to CISA’s Known Exploited Vulnerabilities catalog. The vulnerability in question is CVE-2026-12569 (CVSS score: 9.3), a case of improper input validation in PTC Windchill PDMlink and PTC FlexPLM software that could allow an attacker to execute arbitrary code by sending a malicious request over the network. PTC confirmed “continued reports of heightened threat activity” even after patches were released.

The flaw is particularly concerning because Windchill and FlexPLM are enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) platforms widely deployed across defense contractors, aerospace companies, and manufacturing firms. Exploitation of these platforms could give threat actors direct access to valuable intellectual property, product designs, and sensitive engineering data.

DirtyClone: New Linux kernel flaw enables root access

Linux system administrators had a rough week with the disclosure of a new high-severity privilege escalation vulnerability. DirtyClone is a new Linux kernel privilege escalation in the DirtyFrag family, tracked as CVE-2026-43503 (CVSS 8.8). It lets a local user corrupt file-backed memory through a cloned network packet and gain root. JFrog Security Research published a working exploit walkthrough on June 25, the first public demonstration for this variant.

The attack works by loading a privileged binary into memory, wiring those memory pages into a network packet, and forcing the kernel to clone it through an IPsec tunnel controlled by the attacker, allowing security checks to be overwritten with attacker-chosen bytes. Any system running a kernel version that predates the May 21 mainline patch is at risk and should be updated immediately.

New Linux “pedit COW” flaw also grants root access

In a double-hit for Linux security, a second kernel privilege escalation flaw was disclosed in the same week. CVE-2026-46331, nicknamed “pedit COW,” is an out-of-bounds write in the packet-editing action subsystem (act_pedit) that corrupts shared page-cache memory. A public, working exploit appeared within a day of the CVE assignment on June 16.

Both DirtyClone and pedit COW fall into a family of flaws that are particularly dangerous in shared or multi-tenant environments such as cloud infrastructure, enterprise servers, and hosting platforms, where multiple local users coexist on the same system. Organizations running Linux systems should audit kernel versions and apply available patches without delay.

FBI and CISA warn of Russian actors hijacking Signal accounts via backup keys

A chilling advisory was updated this week targeting users of the encrypted messaging app Signal. The FBI and CISA updated their March warning about Russian intelligence phishing Signal accounts, noting that operators have added a step: they now coax targets into handing over their Signal Backup Recovery Key. Once obtained, the attacker can restore the account’s backup, read private and group message history, and take over the account. Worse, the key keeps working even if a new account is created on the same phone number.

The updated advisory added two public tracking names: UNC5792 and UNC4221, and tied the activity to multiple Russian Intelligence Services (RIS) groups. The fix is straightforward: generate a new backup key in Settings, which invalidates the old one for future backup downloads. However, anything the attacker already pulled remains compromised.

Turla deploys new STOCKSTAY backdoor in Ukraine espionage campaign

Russian state-sponsored threat actor Turla is back with a previously undocumented malware strain. Google detailed Turla’s new STOCKSTAY backdoor, a .NET-based implant that has been deployed against government and military organizations in Ukraine and entities with an interest in Italian foreign policy.

Turla, one of the most sophisticated and long-running Russian APT groups, is known for its patient, stealthy approach to espionage. The deployment of a previously unknown backdoor specifically in Ukrainian government targets signals continued Russian investment in cyber espionage alongside its kinetic conflict with Ukraine. The use of Italian foreign policy targets as a secondary focus also indicates broader geopolitical intelligence-gathering objectives.

Microsoft warns of hotel phishing campaign delivering Node.js implant

The hospitality sector was put on notice this week after Microsoft disclosed an active phishing campaign that has been targeting hotel and hospitality organizations across Europe and Asia since April 2026, using photo-themed ZIP files to drop a Node.js implant and dig into front-desk machines. Microsoft has not attributed the activity to a known threat actor, and the operators’ end goal remains unclear, but the lure plays to how hotels routinely receive external files.

The campaign is particularly sophisticated in that it exploits the natural workflow of hotel front-desk staff, who regularly receive photo files and attachments from guests and external parties. Once the implant is active on front-desk machines, it has access to guest personal data, credit card information, and reservation systems: a valuable trove for cybercriminals.

FIFA World Cup 2026 hit by surge in cyber threats from criminals and nation-states

The ongoing FIFA World Cup, being held across the United States, Canada, and Mexico through July 19, has become a major magnet for cybercriminal activity. Flashpoint analysts described the threat environment as dynamic, “spanning physical security, civil unrest, cyber threats, and geopolitical developments,” with a wide range of threat actors, both financially motivated and nation-state, targeting those participating in and attending the event.

Researchers at KELA report that over 4,300 fake FIFA domains have been created and more than 1.5 million compromised accounts are already circulating on the dark web, with state-sponsored APTs aligned with Russia, Iran, and China actively engaged in espionage and influence operations targeting event infrastructure.

Fans are being warned to exercise extreme caution around ticket purchase sites, streaming links, and World Cup-themed mobile apps, all of which are being heavily exploited by cybercriminals for credential theft and financial fraud.


Russia used Cellebrite tools to hack jailed activist’s iPhone after sales cutoff

A deeply troubling report emerged this week about the misuse of commercial forensic technology. Russian authorities used Cellebrite’s UFED forensic tools to break into the iPhone of detained opposition activist Andrey Pivovarov in June 2021, three months after Cellebrite had publicly stated it would stop selling its tools and services to Russia and Belarus. The finding was published on June 25 by the Citizen Lab and rests on traces found on the phone itself alongside official Russian documentation.

The revelation raises serious questions about how effectively commercial surveillance technology vendors can enforce end-user agreements and sales restrictions, particularly when governments can stockpile or transfer tools before a cutoff takes effect. It also underscores the ongoing threat to activists and dissidents who rely on mobile devices to communicate securely.

The Gentlemen ransomware group emerges as second most active gang globally

A relatively new ransomware-as-a-service (RaaS) group is rapidly climbing the ranks of the most dangerous threat actors. Check Point found The Gentlemen to be the second most active ransomware group by victim count so far this year, claiming at least 332 published victims since the group’s inception in mid-2025 and more than 240 in 2026 alone. A 90/10 affiliate revenue split, compared to the industry standard 80/20, is accelerating the group’s growth by attracting experienced operators from competing programs.

According to Check Point, the group targets internet-facing devices such as VPNs and firewalls as their entry point, and once inside moves quickly to encrypt entire networks within hours. The group’s EDR-killing framework, dubbed GentleKiller, has been highlighted by security researchers as particularly effective at disabling endpoint security tools before ransomware is deployed.

ShinyHunters expand Salesforce attack campaign; Icarus group also joins the fray

The prolific ShinyHunters cybercrime group, which has dominated breach headlines throughout 2026, continued its aggressive expansion this week. The scope of Salesforce attacks expanded further as threat actor Icarus leaked data, with Dark Reading reporting on June 23 that the ShinyHunters-linked activity now encompasses a growing number of enterprise victims whose Salesforce environments were compromised.

ShinyHunters has remained one of the most disruptive cybercrime brands of the past two years, surviving arrests, the BreachForums takedown in January 2026, and the conviction of its alleged founder. The group has been linked to breaches at AT&T, Banco Santander, Ticketmaster, and the University of Nottingham, with researchers describing it as part of a broader cybercrime supergroup whose members overlap with Scattered Spider and LAPSUS$.


npm supply chain attack spreads to Go ecosystem; developer credentials at risk

A sophisticated supply chain attack that has been targeting software developers expanded its reach this week. Cybersecurity researchers flagged the latest evolution of a supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family, which has compromised a new set of npm packages and propagated to the Go ecosystem. The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project.

The end goal of the campaign, as before, is to harvest developer or maintainer credentials and weaponize the stolen data to spread across package registries, repositories, and trusted developer workflows. This is a particularly insidious form of attack because it can spread invisibly through legitimate-looking software updates, potentially compromising thousands of downstream applications and organizations that depend on the affected packages.

DoJ seizes Huione cloud account linked to multi-billion dollar cyber scam laundering

US law enforcement struck a major blow against a Southeast Asian cybercrime financial network this week. The U.S. Department of Justice announced the seizure of a cloud computing account used by subsidiaries of Cambodia-based corporate conglomerate HuiOne Group, as the Treasury also unveiled fresh sanctions against nine individuals and 26 entities linked to Prince Group.

The HuiOne Group has been identified by researchers as a key financial infrastructure provider for cyber scam operations across Southeast Asia, including pig-butchering fraud schemes that have collectively stolen billions of dollars from victims worldwide. The seizure of cloud infrastructure represents a new front in law enforcement’s efforts to disrupt the financial plumbing that sustains these operations.

Brad Slavin

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
