Bharat Threat Feed
Global threats, decoded for Indian defenders
BFSI Sector Edition · June 2026

1. Sector snapshot

Black Kite's 2026 State of Financial Services Report (3 June) frames a two-front year: Q1 2026 direct ransomware attacks on financial institutions rose 76% year-on-year (65 incidents), while roughly half of financial-sector vendor ecosystems carry critical vulnerabilities — and 48 distinct threat groups now target finance, led by Qilin, Akira and Kill Security after the LockBit/ALPHV takedowns. For Indian BFSI, the soft entry point is increasingly the edge appliance and the third party, not the core.

2. Threats targeting BFSI

1 · Critical · CVSS 9.3

Check Point VPN authentication-bypass zero-day, exploited and ransomware-linked — CVE-2026-50751 (CVSS 9.3)

A certificate-validation flaw in IKEv1 lets unauthenticated attackers open VPN sessions on Check Point Remote Access VPN, Mobile Access and Spark; CISA added it to KEV on 9 June, and at least one intrusion is tied to a Qilin ransomware affiliate.

Exposure: Indian banks, NBFCs and insurers running Check Point gateways with legacy IKEv1 for branch/remote access.
Action: apply the hotfix, force IKEv2-only with machine-certificate auth, and hunt for unauthenticated VPN sessions since 7 May.
Source: Rapid7 (8 Jun 2026); CISA KEV (9 Jun 2026).
2

FortiBleed — mass Fortinet credential exposure, India among the worst-affected

A dataset of working credentials for tens of thousands of internet-facing FortiGate / SSL-VPN devices across 194 countries circulated, with India ranked among the most-affected countries and financial services named among exposed sectors.

Exposure: banks, NBFCs and insurers running internet-facing FortiGate / SSL VPN.
Action: treat Fortinet VPN and admin credentials as compromised — rotate, enforce phishing-resistant MFA, restrict management access, and review for rogue accounts.
Source: CISA (18 Jun 2026); Dark Reading, BleepingComputer (June 2026).
3

Rokarolla Android banking trojan — built for UPI/OTP fraud (217 apps)

Zimperium zLabs detailed (16 June) a device-takeover Android trojan with 137 commands: overlay credential theft, SMS/OTP interception, alert muting and clipboard crypto-address swapping, spread via fake TikTok/Chrome sites and a Play Protect-killing dropper. The capability set maps directly onto India's UPI/OTP-driven payments.

Exposure: retail mobile-banking and UPI customers; accessibility-permission abuse defeats SMS-OTP.
Action: deploy in-app overlay/accessibility-abuse and sideload detection; brief fraud teams on OTP-interception and micro-drain patterns; reinforce "never grant accessibility access to unknown apps."
Source: Zimperium zLabs; Infosecurity Magazine, BleepingComputer (16–17 Jun 2026).
4 · Critical · CVSS 9.8

MOVEit Automation critical authentication bypass — CVE-2026-4670 (CVSS 9.8)

Progress patched an unauthenticated auth-bypass (with a companion privilege-escalation flaw) that grants full admin control of MOVEit Automation and access to stored transfer credentials. No in-the-wild exploitation reported yet, but 1,400+ instances are internet-exposed and MFT is a repeat BFSI breach vector.

Exposure: internet-facing MOVEit / MFT nodes moving statements, KYC, reconciliation and settlement files across banks and their vendors.
Action: upgrade immediately, restrict MFT admin interfaces to allow-listed IPs, and review file-access logs for anomalous bulk retrieval.
Source: Progress; Help Net Security, BleepingComputer (4 May 2026).

3. Sector tech & exposures

- Edge/VPN is the live battleground — beyond Check Point, Palo Alto GlobalProtect (CVE-2026-0257) is under active exploitation (CISA KEV, 29 May); inventory and patch all internet-facing gateways.
- Managed file transfer (MOVEit) remains a recurring breach vector — treat any exposed MFT as priority-patch.
- Core banking / ERP: CERT-In flagged June Oracle (incl. PeopleSoft, E-Business Suite, MySQL) and SAP (NetWeaver, S/4HANA) critical updates — prioritise where reconciliation/settlement middleware depends on these stacks.
- Supply chain: CERT-In's "Mini Shai-Hulud" advisory warns of npm/PyPI compromise and CI/CD secret theft — a fourth-party risk for fintech-dependent BFSI.

4. Regulatory & compliance watch

- RBI — data-protection advisory (April) directing regulated entities to align customer-data protection with the DPDP Act; reporting also indicates RBI is weighing added "frictions" against authorised push-payment fraud.
- SEBI — AI vulnerability-detection advisory (5 May) under the CSCRF; the next half-yearly cyber-audit / action-taken cycle is due 30 June 2026.
- IRDAI — Information & Cybersecurity Guidelines 2026 remain the live insurance-sector baseline.
- CERT-In — AI-assisted-exploitation blueprint (25 May) plus critical Oracle/SAP and supply-chain advisories.
- NPCI — BHIM-UPI guidelines updated 4 June (UPI-ID display, safety warnings, transaction-screen controls).

5. Actor in focus

Qilin (alias Agenda) — financially-motivated ransomware-as-a-service. Confidence: HIGH that Qilin is a leading finance-sector ransomware actor (Black Kite); MEDIUM on the specific affiliate link to CVE-2026-50751 (Rapid7). Qilin runs double extortion and is shifting toward edge-appliance initial access over phishing alone. Public victimology this period skews North America / Europe with no confirmed Indian BFSI victim — but the affiliate model and shared technology stacks make any exposed Check Point or MFT estate a credible target. Akira and Kill Security round out the top finance-focused crews.

6. IOC & detection pack

Only public, attributed indicators; no leaked data reproduced.

- Check Point CVE-2026-50751: Rapid7's advisory publishes attacker IPs and post-exploitation file hashes — pull the exact values from the primary source and defang on import (do not rely on second-hand copies).
- Rokarolla (Android): distribution domain infocontablidades.it[.]com (Zimperium); detect behaviourally — accessibility-service abuse, overlay creation, SMS-read + alert-mute, clipboard crypto-address rewriting.
- MOVEit CVE-2026-4670: alert on unauthenticated admin-API calls and bulk file enumeration on MFT hosts.
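The two MOVEit rules above (unauthenticated admin-API calls, bulk file enumeration) and the "defang on import" advice, turned into runnable detection logic over sample log lines. This is an added example written for this edition, not code from the feed, from Progress or from any of the cited vendors. The log layout it parses is an assumed generic MFT access-log format, not the real MOVEit Automation schema; the endpoint paths `/api/v1/admin/` and `/api/v1/files` are hypothetical, and the sample lines are constructed. Only the Rokarolla domain used in the defang check comes from the page.

```python
"""Detection sketch for the MFT alerts named in the IOC pack (added example).

Assumed log layout, one record per line:
    <ISO-8601 ts> <src_ip> <user or '-' if unauthenticated> <METHOD> <path> <status>
This is NOT the real MOVEit Automation log schema; endpoint paths are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

ADMIN_PREFIX = "/api/v1/admin/"   # hypothetical admin-API prefix
FILE_LIST_PATH = "/api/v1/files"  # hypothetical folder-listing endpoint

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one anonymous source hits the admin API and then walks
# five folders in seconds; a service account does routine work; one probe is denied.
SAMPLE_LOG = """\
2026-06-10T09:00:01Z 10.0.5.12 svc_recon GET /api/v1/files?folder=/settlements 200
2026-06-10T09:00:04Z 203.0.113.7 - GET /api/v1/admin/users 200
2026-06-10T09:00:05Z 203.0.113.7 - POST /api/v1/admin/credentials/export 200
2026-06-10T09:00:06Z 203.0.113.7 - GET /api/v1/files?folder=/kyc 200
2026-06-10T09:00:07Z 203.0.113.7 - GET /api/v1/files?folder=/statements 200
2026-06-10T09:00:08Z 203.0.113.7 - GET /api/v1/files?folder=/reconciliation 200
2026-06-10T09:00:09Z 203.0.113.7 - GET /api/v1/files?folder=/settlements 200
2026-06-10T09:00:10Z 203.0.113.7 - GET /api/v1/files?folder=/vendor-sftp 200
2026-06-10T09:03:00Z 198.51.100.9 - GET /api/v1/admin/users 401
2026-06-10T09:15:00Z 10.0.5.12 svc_recon GET /api/v1/files?folder=/kyc 200
"""


def parse_line(line):
    """Parse one record; return None for lines that do not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["status"] = int(rec["status"])
    return rec


def listed_folder(path):
    """Return the folder named in a folder-listing request, else None."""
    parts = urlsplit(path)
    if parts.path != FILE_LIST_PATH:
        return None
    folders = parse_qs(parts.query).get("folder")
    return folders[0] if folders else None


def detect(lines, enum_threshold=5, window=timedelta(minutes=2)):
    """Apply both IOC-pack rules; return a list of alert dicts in emission order.

    Rule 1: a successful (2xx) admin-API call with no authenticated user.
    Rule 2: one source listing >= enum_threshold distinct folders within `window`.
    """
    alerts = []
    listings = defaultdict(list)  # src_ip -> [(ts, folder), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ok = 200 <= rec["status"] < 300
        if ok and rec["user"] == "-" and rec["path"].startswith(ADMIN_PREFIX):
            alerts.append({"rule": "unauth_admin_call", "src": rec["src"],
                           "path": rec["path"], "ts": rec["ts"]})
        folder = listed_folder(rec["path"])
        if ok and folder is not None:
            listings[rec["src"]].append((rec["ts"], folder))
    for src, events in listings.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {f for ts, f in events[i:] if ts - start <= window}
            if len(distinct) >= enum_threshold:
                alerts.append({"rule": "bulk_enumeration", "src": src,
                               "folders": sorted(distinct), "ts": start})
                break  # one alert per source is enough
    return alerts


def defang(indicator):
    """Normalise an indicator to fully defanged form, tolerating partial defanging."""
    clean = indicator.replace("[.]", ".").replace("hxxp", "http")
    return clean.replace("http", "hxxp").replace(".", "[.]")


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
    print(defang("infocontablidades.it[.]com"))
```

Tune `enum_threshold` and `window` to the host's normal reconciliation traffic before enabling; the denied 401 probe is deliberately not raised as a success alert, but counting repeated 401s per source is an easy third rule on the same parsed records.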

7. Recommended actions

Board: treat edge-appliance and vendor-CVE exposure as enterprise risk; confirm DPDP-aligned data protection and that the 30 June SEBI/CSCRF audit cycle is met where applicable.

CISO: emergency-patch CVE-2026-50751, CVE-2026-0257 and CVE-2026-4670; enforce IKEv2-only with machine-certificate auth; rotate all Fortinet and Check Point VPN credentials; run a fourth-party exposure review against the ~50% vendor-CVE baseline.

SOC: hunt unauthenticated VPN sessions and anomalous MFT access since 7 May; deploy behavioural detection for accessibility-abusing mobile trojans with fraud-team coordination on OTP-interception; tabletop a Qilin-style edge-to-ransomware intrusion end to end.

8. Source index

Black Kite, 2026 State of Financial Services (3 Jun) · Rapid7, Check Point CVE-2026-50751 (8 Jun) + CISA KEV (9 Jun) · CISA / Dark Reading, FortiBleed (18 Jun) · Zimperium zLabs / Infosecurity, Rokarolla (16 Jun) · Help Net Security, MOVEit CVE-2026-4670 (4 May) · Unit 42 / CISA, PAN-OS CVE-2026-0257 (KEV 29 May) · CERT-In AI blueprint (25 May) + Oracle/SAP/Mini-Shai-Hulud advisories · SEBI (5 May) · IRDAI Guidelines 2026 · NPCI BHIM-UPI (4 Jun).

Nirad Bharat Threat Feed — BFSI Edition | Bharat-first threat intelligence