
Fortinet 2FA Bypass, Cloud Abuse, and Botnet Supply-Chain Hits
Coverage: 02 Jan 2026 – 04 Jan 2026 (UTC)
Active defenses took center stage as incidents continued to surface. More than 10,000 Fortinet firewalls remain exposed to an actively exploited two-factor authentication bypass first fixed in 2020, according to BleepingComputer. Separately, attackers misused Google Cloud Application Integration to send phishing emails from legitimate Google addresses before the abuse was blocked, as reported by The Hacker News. These developments framed a period in which platform hardening and abuse of trusted services ran in parallel with large botnet activity and notable breach fallout.
Platform defenses and abused workflows
Researchers and responders warn that thousands of internet-exposed FortiGate devices remain vulnerable to CVE-2020-12812, a CVSS 9.8 improper-authentication flaw in the FortiOS SSL VPN. In LDAP-backed configurations, a user who submits the username in a different letter case can authenticate successfully without being prompted for the FortiToken second factor, because the directory matches the name case-insensitively while the second-factor lookup does not. Fortinet released fixes in July 2020 and suggested disabling username case sensitivity as a temporary mitigation for those unable to patch immediately. Recent telemetry shows more than 10,000 unpatched systems, including over 1,300 U.S. IPs, underscoring persistent exposure despite past government warnings and the flaw's inclusion in CISA's Known Exploited Vulnerabilities catalog. The lesson is straightforward: long-standing authentication bugs continue to yield high-impact access when patching and configuration hygiene lag.
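The bug class is easy to reproduce in miniature. The following is an added illustrative model, not FortiOS code and not taken from the advisory: a case-insensitive directory bind beside a case-sensitive, fail-open second-factor lookup, with the hardened version keyed on the canonical account name and failing closed. The directory entries, users and OTP values are constructed placeholders.

```python
# Added illustrative model of the username-case mismatch that produces a
# second-factor bypass. This is NOT FortiOS code; directory entries, users
# and OTP values are constructed placeholders.
from typing import Optional

# Constructed directory: canonical account name -> password (hypothetical).
LDAP_DIRECTORY = {"alice": "Correct-Horse-Battery", "bob": "Staple-1234"}
# Constructed two-factor enrolment, keyed on the canonical account name.
MFA_ENROLMENT = {"alice": "123456", "bob": "654321"}


def ldap_bind(username: str, password: str) -> Optional[str]:
    """Simulate an LDAP simple bind against a directory whose account-name
    matching is case-insensitive (as Active Directory's is). Returns the
    directory's canonical spelling of the account on success, else None."""
    for canonical, stored_password in LDAP_DIRECTORY.items():
        if canonical.lower() == username.lower() and stored_password == password:
            return canonical
    return None


def login_vulnerable(username: str, password: str, otp: Optional[str] = None) -> bool:
    """Bypassable: the second-factor lookup uses the exact string the client
    typed, while the bind matched case-insensitively. 'ALICE' binds, finds no
    enrolment record, and is waved through because a missing record is treated
    as 'no second factor required' (fails open)."""
    if ldap_bind(username, password) is None:
        return False
    expected_otp = MFA_ENROLMENT.get(username)   # exact-case lookup
    if expected_otp is None:
        return True                              # fails open
    return otp == expected_otp


def login_hardened(username: str, password: str, otp: Optional[str] = None) -> bool:
    """Two fixes: key the enrolment lookup on the canonical name the bind
    returned (one identity, one spelling), and fail closed when second-factor
    enrolment cannot be found for a user who just authenticated."""
    canonical = ldap_bind(username, password)
    if canonical is None:
        return False
    expected_otp = MFA_ENROLMENT.get(canonical)  # canonical-name lookup
    if expected_otp is None:
        return False                             # fail closed
    return otp == expected_otp


if __name__ == "__main__":
    creds = ("ALICE", "Correct-Horse-Battery")
    print("vulnerable, no OTP :", login_vulnerable(*creds))           # True (bypass)
    print("hardened, no OTP   :", login_hardened(*creds))             # False
    print("hardened, with OTP :", login_hardened(*creds, "123456"))   # True
```

The two lookups must agree on a single identity string; deriving it from what the directory returned, rather than from what the client typed, is what removes the gap, and denying when enrolment state is unknown is what keeps a future lookup bug from becoming a bypass.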
At the same time, a coordinated phishing campaign abused Google Cloud Application Integration to send thousands of messages that passed SPF and DMARC checks, because they originated from Google's own mail infrastructure, while mimicking enterprise notifications. The operation delivered links hosted on trusted cloud domains, funneled recipients through fake CAPTCHA gates to evade scanners, and ended on counterfeit Microsoft login pages to harvest credentials. Targets spanned manufacturing, technology, finance, professional services, retail, and additional sectors across multiple regions. Google has blocked this specific abuse path and is taking further steps to limit misuse. For defenders, the campaign is a reminder that a passing SPF/DMARC result proves only that the sending infrastructure was legitimate, not that the message is; legitimate automation can be turned into credible-looking lures, so layered link inspection and user training still matter.
New observability and data-handling capabilities may help tighten operations. Detailed monitoring in AWS Clean Rooms now publishes SQL query metrics to Amazon CloudWatch, improving visibility into performance and cost. In parallel, Amazon Connect adds support for nested JSON objects and looping over arrays inside contact flows, reducing repeated backend calls and simplifying flow logic. Better monitoring and more expressive automation can reduce failure modes and make security-relevant behavior easier to observe and tune.
Botnet scale and a supply‑chain hit
A rapidly built botnet dubbed Kimwolf has amassed an estimated two million-plus devices, disproportionately inexpensive, unofficial Android TV boxes and some digital photo frames, according to KrebsOnSecurity. Its operators abuse residential proxy services whose exit nodes failed to block hostnames resolving to internal RFC 1918 addresses, so a customer of the proxy could tunnel from a rented exit into the private LAN behind it, or into the exit device itself. Many affected devices also ship with Android Debug Bridge (ADB) enabled by default, listening on TCP port 5555 and granting unauthenticated superuser access to anything that can reach localhost:5555 on the box, which makes lateral compromise trivial. Kimwolf monetizes its footprint through ad fraud, credential abuse, mass scraping, app installs, proxy rentals, and DDoS-for-hire. Some proxy providers reported mitigations after researcher notifications, but the botnet's growth shows how low-cost piracy-focused hardware and lax proxy controls can circumvent the protection a home router is assumed to provide. Practical guidance includes isolating unknown devices on guest networks, avoiding untrusted app stores, and pressing proxy operators to block internal forwarding and risky ports.
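What "block internal forwarding and risky ports" looks like at a proxy exit, as an added example (not code from any proxy provider or from the KrebsOnSecurity report): classify every address a destination name resolves to, refuse the request if any of them is loopback, link-local, RFC 1918, CGNAT or otherwise non-routable, and refuse a short list of ports regardless. The port set, hostnames and resolver answers are constructed for illustration; a real exit would call the resolver itself and re-check the address it actually connects to.

```python
# Added example of the egress policy a residential-proxy exit should enforce
# before forwarding a customer's request. Not code from any proxy provider or
# from the article; the port set and sample requests are constructed.
import ipaddress
from typing import List, Tuple

# Ports a proxy exit should never forward (illustrative set, not the
# article's list). 5555 is ADB over TCP, the service the write-up describes.
DENIED_PORTS = {5555, 22, 23, 135, 139, 445, 3389}
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_destination(ip_text: str) -> str:
    """Label an IP by reachability class. Unwraps IPv4-mapped IPv6 first so
    '::ffff:10.0.0.1' cannot smuggle an RFC 1918 address past an IPv4 check."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if isinstance(ip, ipaddress.IPv4Address) and ip in CGNAT:
        return "cgnat"          # 100.64.0.0/10: still inside a carrier or home network
    if ip.is_private:           # RFC 1918 for IPv4; ULA fc00::/7 and similar for IPv6
        return "private"
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "non-routable"
    return "public"


def policy_decision(resolved_ips: List[str], port: int) -> Tuple[bool, str]:
    """Decide whether to forward. Every A/AAAA record must be public: a name
    that resolves to one public and one private address is how a rebinding
    attacker steers the exit into the LAN, so one bad record fails the request."""
    if port in DENIED_PORTS:
        return False, f"port {port} is denied"
    if not resolved_ips:
        return False, "name did not resolve"
    for ip_text in resolved_ips:
        kind = classify_destination(ip_text)
        if kind != "public":
            return False, f"{ip_text} is {kind}"
    return True, "ok"


# Constructed requests: (hostname as the customer sent it, resolver answers, port).
SAMPLE_REQUESTS = [
    ("example.com", ["93.184.216.34"], 443),
    ("printer.lan", ["192.168.1.10"], 80),
    ("rebind.attacker.test", ["93.184.216.34", "::ffff:10.0.0.1"], 80),
    ("localhost", ["127.0.0.1"], 5555),
    ("cpe.isp.test", ["100.64.5.5"], 443),
]


def evaluate(requests=SAMPLE_REQUESTS) -> List[Tuple[str, bool, str]]:
    return [(host, *policy_decision(ips, port)) for host, ips, port in requests]


if __name__ == "__main__":
    for host, allowed, reason in evaluate():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {host:22} {reason}")
```

Checking only the first resolved address, or checking at resolve time but not at connect time, leaves the rebinding hole open; the decision has to be made on every record and repeated against the socket's actual peer.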
In a separate supply-chain incident, Trust Wallet said a Chrome extension build was trojanized after attackers used GitHub secrets exposed from a developer's environment to obtain a Chrome Web Store API key, then published a malicious update that siphoned wallet data and enabled unauthorized transfers. The company links the compromise to the broader Sha1-Hulud campaign targeting npm to harvest developer secrets at scale. Approximately $8.5 million was stolen from more than 2,500 wallets; the affected API credentials were revoked and reimbursements have begun. The adversary hosted malicious scripts on look-alike domains later suspended by the registrar. Researchers recommend secret scanning, token rotation, and stricter CI/CD controls as attackers refine credential harvesting across developer ecosystems. Trust Wallet also warns of ongoing impersonation and fake compensation scams. See BleepingComputer for details.
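The secret scanning recommended above, as an added example that is not Trust Wallet's, GitHub's or any vendor's tooling: a scanner that runs over file contents before a commit or as a CI gate, matching the documented public token prefixes (ghp_/gho_/ghu_/ghs_/ghr_ and github_pat_ for GitHub, AIza for Google API keys, npm_ for npm, AKIA/ASIA for AWS) and falling back to an entropy check on quoted values assigned to credential-looking names. The GOCSPX- length bound and the entropy threshold are assumptions, and every sample value is a fake placeholder.

```python
# Added secret-scanner example. Not code from the write-up or from any vendor;
# token prefixes are the public documented formats, the GOCSPX- length bound and
# the entropy threshold are assumptions, and every sample value below is fake.
import math
import re
from collections import Counter
from typing import List, NamedTuple

PATTERNS = {
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github-fine-grained-pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,255}\b"),
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "google-oauth-client-secret": re.compile(r"\bGOCSPX-[A-Za-z0-9_-]{20,40}\b"),
    "npm-token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}
# A quoted value of 20+ characters assigned to a credential-looking name.
ASSIGNMENT = re.compile(
    r"""(?i)(?:secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*["']([^"']{20,})["']"""
)
ENTROPY_THRESHOLD = 4.5  # assumption: random secrets sit above it, English prose below


class Finding(NamedTuple):
    line: int
    kind: str
    preview: str  # first six characters only; never log the full secret


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_here = False
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(lineno, kind, m.group(0)[:6] + "..."))
                matched_here = True
        if matched_here:
            continue  # a known-format hit already covers this line
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(lineno, "high-entropy-string", m.group(1)[:6] + "..."))
    return findings


# Constructed CI config; every value is a fake placeholder, not a real credential.
SAMPLE = """# constructed sample, all values fake
DB_HOST=db.internal.test
GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
WEBSTORE_KEY="AIzaSyDfakefakefakefakefakefakefake_-01"
api_secret = "p3Xq9!vR2#tL8mZ4wN6yB1cF5hJ7kD0s"
token_hint = "replace this with the real token value"
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} ({f.preview})")
```

The format patterns catch the tokens that matter most here (publishing and registry credentials); the entropy fallback catches the generic ones but deliberately ignores the English placeholder on the last line, which is why a threshold near 4.5 is the usual compromise between noise and misses.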
Breach fallout and long‑tail credential risk
TRM Labs linked ongoing cryptocurrency thefts to the encrypted vault backups stolen in the 2022 LastPass breach. Because a vault is encrypted with a key derived from its master password, the stolen copies can be attacked offline at the attacker's leisure; the analysis finds actors appear to have cracked weak or reused master passwords this way and drained wallets in waves months or years later. The analysis shows consistent transaction patterns, rapid conversion to Bitcoin, and laundering through Wasabi Wallet CoinJoin, with clustering techniques used to trace flows. Estimated thefts included more than $28 million in late 2024 and early 2025 and a further $7 million tied to a September 2025 wave, while separate enforcement actions seized over $23 million. The findings reinforce vendor guidance to reset master passwords and review vault contents after exposures, and to treat any private keys or seed phrases stored in an exposed vault as compromised. Reporting via BleepingComputer.
Covenant Health revised its breach impact to 478,188 individuals after a May 2025 intrusion later claimed by the Qilin ransomware group, which alleged theft of 852 GB and about 1.35 million files. Exposed data may include names, addresses, dates of birth, medical record numbers, Social Security numbers, insurance details, and treatment information. Notifications began December 31 with 12 months of complimentary identity protection for those affected. Forensic review is ongoing without a firm completion timeline, and the organization did not disclose whether any ransom was paid. The widened scope underscores the privacy and regulatory risks when clinical and administrative records are exfiltrated. Coverage via BleepingComputer.
Espionage and commodity theftware
Transparent Tribe (APT36) resurfaced with spear-phishing against Indian government and academic targets, delivering ZIP archives containing weaponized Windows shortcuts (.LNK) that launch obfuscated HTA scripts via mshta.exe. The HTA decrypts a RAT in memory while showing a decoy PDF, profiles the environment via ActiveX objects, and adapts its persistence if certain antivirus products are present. A related MSI-based chain wrote DLLs and an executable into ProgramData, created Registry autostart persistence, and used hard-coded C2 infrastructure. Capabilities include command execution, file exfiltration, screenshots, clipboard access, and process control: the tooling of long-term intelligence collection. Analysis via The Hacker News. Why it matters: modular implants with AV-aware persistence complicate detection and containment, increasing the risk of prolonged exposure.
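Both chains leave telemetry that is cheap to alert on. The following added example (not code from the Hacker News analysis or from any vendor) runs two rules over constructed endpoint events: a user-launched shortcut whose target is mshta.exe on an HTA under a user-writable path, and a Registry Run value pointing into ProgramData. Sysmon field names (Event ID 1 process creation, Event ID 13 registry value set) are assumed as the telemetry format; the paths, SID and file names in the events are invented.

```python
# Added detection example for the two observables described above. Not code
# from the analysis or any vendor. Events are constructed and use Sysmon field
# names (EventID 1 = process creation, EventID 13 = registry value set).
import re
from typing import Dict, List, Tuple

MSHTA = re.compile(r"\\mshta\.exe$", re.I)
EXPLORER = re.compile(r"\\explorer\.exe$", re.I)
# Locations an unprivileged user can write to, where a dropped HTA or payload lands.
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Temp\\)",
    re.I,
)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
REMOTE_OR_INLINE = re.compile(r"(https?://|vbscript:|javascript:)", re.I)


def detect(event: Dict[str, object]) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: List[str] = []
    if event.get("EventID") == 1:
        image = str(event.get("Image", ""))
        parent = str(event.get("ParentImage", ""))
        cmd = str(event.get("CommandLine", ""))
        if MSHTA.search(image):
            # Double-clicking an .LNK makes explorer.exe the parent of the LNK's target.
            if EXPLORER.search(parent) and USER_WRITABLE.search(cmd):
                hits.append("mshta_from_explorer_with_hta_in_writable_path")
            if REMOTE_OR_INLINE.search(cmd):
                hits.append("mshta_remote_or_inline_script")
    elif event.get("EventID") == 13:
        target = str(event.get("TargetObject", ""))
        details = str(event.get("Details", ""))
        if RUN_KEY.search(target) and USER_WRITABLE.search(details):
            hits.append("run_key_autostart_from_writable_path")
    return hits


def scan_events(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Index every event that triggered at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed events: two that should alert, two benign ones that must stay quiet.
EVENTS: List[Dict[str, object]] = [
    {   # shortcut inside the phishing ZIP launches mshta on the dropped HTA
        "EventID": 1,
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\analyst\AppData\Local\Temp\Notice.hta',
    },
    {   # ordinary service host start
        "EventID": 1,
        "Image": r"C:\Windows\System32\svchost.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    },
    {   # MSI chain registers its ProgramData executable to run at logon
        "EventID": 13,
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
        "Details": r"C:\ProgramData\WinUpdate\update.exe",
    },
    {   # legitimate Run value pointing into the Windows directory
        "EventID": 13,
        "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
        "Details": r"%windir%\system32\SecurityHealthSystray.exe",
    },
]


if __name__ == "__main__":
    for index, hits in scan_events(EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

The explorer.exe parent is the LNK tell: a shortcut's target inherits explorer as its parent, so mshta.exe with that parent and a user-path argument is a double-clicked lure rather than an installer or an admin script.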
Unit 42 detailed VVS Stealer, a Python-based infostealer obfuscated with Pyarmor and shipped as PyInstaller packages to hinder static analysis and signature matching. After deobfuscation, VVS targets Discord: it decrypts tokens from the client's local storage using a DPAPI-protected key, harvests account metadata and payment and MFA details, injects obfuscated JavaScript into the Electron client, and persists via startup folders. It also collects browser credentials and cookies across Chromium-based and Firefox variants, packages the data into a _vault.zip, displays a fake fatal error to mask its activity, and includes a built-in expiration date. Indicators include specific SHA-256 hashes, Pyarmor runtime artifacts, and observed webhook endpoints. Recommendations emphasize monitoring for credential theft, webhook misuse, and anomalous changes to Electron application files. Full write-up from Unit 42.
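One concrete form of the "anomalous Electron file changes" check, as an added example that is not Unit 42's code: audit the Discord desktop client's discord_desktop_core/index.js, whose stock content is a single require of core.asar, for anything beyond that baseline, for embedded Discord webhook URLs, and for APIs a one-line shim has no reason to touch. The file location under %APPDATA% and its baseline content are assumptions about the client's layout, and the injected sample and webhook URL below are constructed stand-ins, not real malware.

```python
# Added Electron integrity-check example. Not Unit 42's code. Assumptions:
# Discord's desktop-core index.js is a one-line require of core.asar and lives
# under %APPDATA%\discord\<version>\modules\discord_desktop_core-*\...; the
# injected sample and webhook URL below are constructed and fake.
import glob
import os
import re
from typing import List

BASELINE = "module.exports = require('./core.asar');"
WEBHOOK = re.compile(
    r"https://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)
# APIs a one-line require() shim has no business touching.
SUSPICIOUS_API = re.compile(
    r"(child_process|process\.env\.(APPDATA|LOCALAPPDATA)|XMLHttpRequest|fetch\s*\()"
)


def normalise(source: str) -> str:
    """Collapse whitespace and quote style so only real code changes stand out."""
    return " ".join(source.replace('"', "'").split())


def audit_core_index(content: str) -> List[str]:
    findings: List[str] = []
    if normalise(content) != BASELINE:
        findings.append("unexpected_code_beyond_baseline")
    if WEBHOOK.search(content):
        findings.append("discord_webhook_url")
    if SUSPICIOUS_API.search(content):
        findings.append("suspicious_api_use")
    return findings


def core_index_paths(appdata: str = os.environ.get("APPDATA", "")) -> List[str]:
    """Glob every installed Discord build's desktop-core index.js (Windows layout assumed)."""
    pattern = os.path.join(
        appdata, "discord", "*", "modules", "discord_desktop_core-*",
        "discord_desktop_core", "index.js",
    )
    return glob.glob(pattern)


# Constructed file contents: the stock shim, and a stand-in for an injected stub.
CLEAN_INDEX = "module.exports = require('./core.asar');\n"
INJECTED_INDEX = CLEAN_INDEX + """
// constructed stand-in for an injected stealer stub (not real malware code)
const { exec } = require('child_process');
const hook = "https://discord.com/api/webhooks/000000000000000000/fake-placeholder_not-a-real-token";
"""


if __name__ == "__main__":
    for path in core_index_paths():
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, audit_core_index(fh.read()) or "clean")
    print("constructed injected sample:", audit_core_index(INJECTED_INDEX))
```

The baseline comparison is the robust part: webhook and API regexes can be evaded by obfuscation, but a shim that is supposed to be one line and is no longer one line is a finding regardless of what was added.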