Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

SMB Cyber Brief (Thu 02 July 2026): Ransomware groups using stolen Fortinet logins + fake software download sites spreading remote access malware

What small and medium-sized businesses should look out for today.

High Thursday 02 July 2026, 11:15 UK time
Today’s look-out: Credential theft feeding ransomware + poisoned download sites and “trusted platform” lures

What to look out for today

Three themes SMEs should treat as “today risks”:

  • Stolen Fortinet (FortiGate) credentials being used to fuel ransomware intrusions (reporting links the “FortiBleed” credential theft to ransomware groups).
  • SEO-poisoned / spoofed software download sites that look legitimate in search results and deliver malware installers, including remote-access tools used for follow-on fraud and ransomware.
  • Social-engineering chains using trusted platforms (e.g., Blogger pages) to host or redirect victims to credential-stealing malware.

Why this matters to smaller businesses

These attacks don’t rely on “high profile” targeting. They scale well and hit organisations that:

  • Use perimeter devices (like firewalls/VPNs) managed by an MSP or a small internal IT team.
  • Regularly download utilities (screen recording, device tools, drivers) from the web to “get a job done”.
  • Depend on browser-based logins for email, accounting, payroll, CRM and remote access—making credential theft especially damaging.

If an attacker gets a valid VPN/firewall login or installs a remote-access trojan, the next step is often ransomware, invoice fraud, payroll diversion, or data theft.

Warning signs

  • Unexpected login prompts or repeated MFA pushes (“Approve sign-in?”) when no-one is trying to log in.
  • New admin users or configuration changes on firewall/VPN/remote access tooling that your team didn’t request.
  • Staff report downloading software from “a site that was top of Google” rather than the vendor’s known download page.
  • Security tools flagging ScreenConnect/remote tool activity that wasn’t installed by your IT provider.
  • Browsers showing odd redirects to blog-style pages or “instructions” pages before a download starts.

How attackers may exploit the situation

  • Credential replay: using already-stolen firewall/VPN credentials to get an initial foothold, then moving quickly to disruption and extortion.
  • Search-result traps: registering lookalike domains and pushing them up search rankings so staff download trojanised installers.
  • Trust hijacking: hosting lures on well-known platforms (e.g., Blogger) to reduce suspicion and bypass basic link filtering.

What to do today

  • Tell staff: “Don’t download ‘free tools’ from search results. Use our approved sources or ask IT.”
  • Check remote access hygiene: confirm who is allowed to install remote support tools (including ScreenConnect) and alert on new installs.
  • Review firewall/VPN access: remove unused accounts, enforce MFA where possible, and ensure admin access is tightly limited.
  • Be ready for containment: make sure you know how to quickly disable VPN access and rotate credentials if suspicious activity appears.

Ask your IT provider

  • Have you checked whether our Fortinet/FortiGate credentials could have been exposed in the wider credential-theft activity, and what’s our plan if they were?
  • Do we have alerting for unusual VPN/firewall logins (new countries, impossible travel, out-of-hours) and repeated MFA prompts?
  • Can you confirm which remote support tools are authorised in our environment and how we detect unauthorised installs?
  • Do we block or warn on newly registered/lookalike domains and common malware download patterns?

Patch watch - only one short paragraph, and only if relevant

Today’s reporting is more about stolen credentials and fake downloads than a single new software flaw. Treat this as a reminder to keep edge devices (firewalls/VPNs) on supported versions and ensure your MSP has a routine for urgent vendor advisories—because credential theft and rapid follow-on intrusions often go hand-in-hand.

One action today

Send a same-day staff note: only install software from approved/vendor sources (not search ads/results) and report any unexpected MFA prompts or new remote-support pop-ups immediately.

Related Actions On Cyber resource

Actions On Cyber checklist: “Stop invoice fraud & account takeover” (staff warning signs + MFA push fatigue + urgent reporting steps)

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.