Executive Overview
The week’s channel intelligence points to a concentrated risk pattern: widely deployed enterprise platforms are being actively exploited or exposed through credentials, ransomware operators are refining pre-encryption defense evasion, SaaS integrations are becoming data-theft routes, and state-aligned actors continue to mature kernel-level stealth. The AI thread is also moving from theoretical governance concern to operational exposure, with attackers targeting developer AI API keys through marketplace plugins.
Key Articles & Threat Summaries
1. CISA: Splunk Enterprise flaw actively exploited, patch by Sunday
Source: Bleeping Computer
CISA confirmed active exploitation of CVE-2026-20253, a critical Splunk Enterprise flaw affecting versions 10.2.0 to 10.2.3 and 10.0.0 to 10.0.6 that allows unauthenticated remote attackers to create or truncate files through a PostgreSQL sidecar endpoint.
Why It Matters
Security operations platforms are high-value targets. A compromise affecting SIEM or log infrastructure can erode detection, investigation, and response capacity at the same moment defenders need those systems most.
2. CISA warns Fortinet users to secure devices after FortiBleed leak
Source: Bleeping Computer
CISA warned Fortinet customers after leaked credentials associated with roughly 74,000 Fortinet devices, including firewalls and VPN gateways, were tied to malicious targeting of government and private-sector organizations.
Why It Matters
Perimeter credentials remain a direct route to remote access, lateral movement, and ransomware staging. Organizations should treat exposed VPN and administrative credentials as active incident response triggers, not routine password reset events.
3. Gentlemen ransomware uses multiple EDR killers to disable defenses
Source: Bleeping Computer
The Gentlemen ransomware-as-a-service operation maintains a suite of EDR-killing tools, including GentleKiller variants that abuse vulnerable drivers and target more than 400 security-related processes across roughly 48 vendors.
Why It Matters
Ransomware crews continue to industrialize defense evasion before encryption. Driver governance, attack surface reduction, tamper protection, and early-stage telemetry are now board-relevant ransomware controls.
4. Salesforce Data Thefts Continue via Klue App Compromise
Source: Dark Reading
Attackers abused compromised Klue Battlecards integration credentials and OAuth tokens to access Salesforce instances, automate REST API data theft, and support an extortion campaign attributed in reporting to the emerging Icarus group.
Why It Matters
SaaS integrations are functioning as supply chain pathways into sensitive business data. OAuth grants, dormant credentials, connected app permissions, and abnormal API volume need the same executive attention as endpoint and cloud controls.
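The "abnormal API volume" signal above, as an added illustrative detector that is not part of the original briefing: it runs over constructed Salesforce-style daily export records (app name, OAuth token id, records retrieved, all invented for the example) and flags a connected app whose daily volume jumps far above its own median, or under which a never-before-seen token appears.

```python
"""Flag abnormal REST API export volume per connected app (added example).

Each record is (day, connected_app, oauth_token_id, records_retrieved).
Baseline = per-app median of daily totals on earlier days. A day is flagged
when its total exceeds the baseline by `multiplier`, or when a token that the
app has never used before shows up. All data below is constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: the battlecards integration normally pulls a few hundred
# records a day; on day 5 a new token bulk-exports tens of thousands of records.
SAMPLE_EVENTS = [
    (1, "Klue-Battlecards", "tok-A", 320),
    (2, "Klue-Battlecards", "tok-A", 290),
    (3, "Klue-Battlecards", "tok-A", 310),
    (4, "Klue-Battlecards", "tok-A", 305),
    (5, "Klue-Battlecards", "tok-A", 300),
    (5, "Klue-Battlecards", "tok-B", 48000),  # new token, bulk pull
    (1, "Marketing-Sync", "tok-M", 1200),
    (2, "Marketing-Sync", "tok-M", 1150),
    (3, "Marketing-Sync", "tok-M", 1300),
    (4, "Marketing-Sync", "tok-M", 1250),
    (5, "Marketing-Sync", "tok-M", 1400),
]

def daily_totals(events):
    """Aggregate records_retrieved per (app, day)."""
    totals = defaultdict(int)
    for day, app, _tok, n in events:
        totals[(app, day)] += n
    return totals

def find_anomalies(events, multiplier=5.0):
    """Return (app, day, reason) tuples for days that breach the baseline."""
    totals = daily_totals(events)
    days = sorted({d for d, *_ in events})
    seen_tokens = defaultdict(set)  # tokens each app has used on earlier days
    alerts = []
    for day in days:
        for app in sorted({a for d, a, *_ in events if d == day}):
            history = [totals[(app, d)] for d in days if d < day and (app, d) in totals]
            today = totals[(app, day)]
            if history and today > multiplier * median(history):
                alerts.append((app, day, f"volume {today} > {multiplier}x median {median(history):.0f}"))
            new_tokens = {t for d, a, t, _ in events if d == day and a == app} - seen_tokens[app]
            if seen_tokens[app] and new_tokens:  # skip the app's very first day
                alerts.append((app, day, f"new OAuth token(s) {sorted(new_tokens)}"))
            seen_tokens[app] |= new_tokens
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_EVENTS):
        print(*alert)
```

In production the same logic would be fed from the platform's API usage or event monitoring data rather than a hard-coded list, and the multiplier tuned per integration.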
5. SprySOCKS Windows Variant Abuses Kernel Drivers to Evade Detection
Source: Dark Reading
FishMonger, a China-nexus threat group, expanded SprySOCKS with a Windows variant that uses malicious kernel drivers for stealth, with reporting tying deployments to government targets in Honduras, Taiwan, Thailand, and Pakistan.
Why It Matters
State-aligned operators continue to expand cross-platform and kernel-level evasion capabilities. That shifts driver control, code integrity, and public-facing application hygiene into strategic cyber resilience priorities.
6. Malicious JetBrains Marketplace plugins steal AI API keys from developers
Source: Bleeping Computer
At least 15 malicious JetBrains Marketplace plugins posed as AI coding assistants, code review tools, and Git utilities while exfiltrating AI provider API keys from developer settings, with the campaign reportedly nearing 70,000 installs.
Why It Matters
AI tooling creates new credential exposure and data governance risk inside developer workflows. Security teams should extend marketplace vetting, secrets scanning, and API key governance to AI coding assistants and adjacent plugins.
Bottom Line
Cyber risk this week is less about isolated exploits and more about control-plane trust: identity, credentials, integrations, endpoint protection, and developer tooling are all being targeted as force multipliers. Executives should prioritize exposed access paths, verify SaaS trust relationships, and test whether ransomware-era defense evasion can be detected before business disruption begins.
For immediate assistance with securing AI, network intrusion, ransomware attack, or BEC, please contact: IrongateResponse@irongatesecurity.com
