What to look out for today
Three themes SMEs should treat as “today risks”:
- Stolen Fortinet (FortiGate) credentials being used to fuel ransomware intrusions (reporting links the “FortiBleed” credential theft to ransomware groups).
- SEO-poisoned / spoofed software download sites that look legitimate in search results and deliver malware installers, including remote-access tools used for follow-on fraud and ransomware.
- Social-engineering chains using trusted platforms (e.g., Blogger pages) to host or redirect victims to credential-stealing malware.
Why this matters to smaller businesses
These attacks don’t rely on “high profile” targeting. They scale well and hit organisations that:
- Use perimeter devices (like firewalls/VPNs) managed by an MSP or a small internal IT team.
- Regularly download utilities (screen recording, device tools, drivers) from the web to “get a job done”.
- Depend on browser-based logins for email, accounting, payroll, CRM and remote access—making credential theft especially damaging.
If an attacker gets a valid VPN/firewall login or installs a remote-access trojan, the next step is often ransomware, invoice fraud, payroll diversion, or data theft.
Warning signs
- Unexpected login prompts or repeated MFA pushes (“Approve sign-in?”) when no-one is trying to log in.
- New admin users or configuration changes on firewall/VPN/remote access tooling that your team didn’t request.
- Staff report downloading software from “a site that was top of Google” rather than the vendor’s known download page.
- Security tools flagging ScreenConnect/remote tool activity that wasn’t installed by your IT provider.
- Browsers showing odd redirects to blog-style pages or “instructions” pages before a download starts.
How attackers may exploit the situation
- Credential replay: using already-stolen firewall/VPN credentials to get an initial foothold, then moving quickly to disruption and extortion.
- Search-result traps: registering lookalike domains and pushing them up search rankings so staff download trojanised installers.
- Trust hijacking: hosting lures on well-known platforms (e.g., Blogger) to reduce suspicion and bypass basic link filtering.
What to do today
- Tell staff: “Don’t download ‘free tools’ from search results. Use our approved sources or ask IT.”
- Check remote access hygiene: confirm who is allowed to install remote support tools (including ScreenConnect) and alert on new installs.
- Review firewall/VPN access: remove unused accounts, enforce MFA where possible, and ensure admin access is tightly limited.
- Be ready for containment: make sure you know how to quickly disable VPN access and rotate credentials if suspicious activity appears.
Ask your IT provider
- Have you checked whether our Fortinet/FortiGate credentials could have been exposed in the wider credential-theft activity, and what’s our plan if they were?
- Do we have alerting for unusual VPN/firewall logins (new countries, impossible travel, out-of-hours) and repeated MFA prompts?
- Can you confirm which remote support tools are authorised in our environment and how we detect unauthorised installs?
- Do we block or warn on newly registered/lookalike domains and common malware download patterns?
Patch watch - only one short paragraph, and only if relevant
Today’s reporting is more about stolen credentials and fake downloads than a single new software flaw. Treat this as a reminder to keep edge devices (firewalls/VPNs) on supported versions and ensure your MSP has a routine for urgent vendor advisories—because credential theft and rapid follow-on intrusions often go hand-in-hand.
One action today
Send a same-day staff note: only install software from approved/vendor sources (not search ads/results) and report any unexpected MFA prompts or new remote-support pop-ups immediately.
Related Actions On Cyber resource
Actions On Cyber checklist: “Stop invoice fraud & account takeover” (staff warning signs + MFA push fatigue + urgent reporting steps)
Sources
- FortiBleed credential-theft campaign linked to Lynx ransomware (BleepingComputer)
- FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations (The Hacker News)
- SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT (The Hacker News)
- VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer (The Hacker News)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.