Nirad Bharat Threat Feed

India-first threat intelligence

Global threats, decoded for Indian defenders — weekly briefs, sector editions, and AI Threat Watch. Every claim source-attributed.


Weekly Brief — 26 June 2026

India's manufacturing sector suffered two confirmed incidents in a single week — one ransomware, one extortion — while government-deployed Fortinet gateways appear at the top of the FortiBleed exposure list and three more perimeter products face active exploitation. This issue covers verified developments from 8–26 June 2026.
1. FortiBleed: Up to 86,644 FortiGate Credentials Compromised — India Government Sector Leads All Nations

India exposure: SOCRadar research published 16 June identified up to 86,644 compromised FortiGate administrator and VPN credentials across 194 countries. India and the US together account for roughly one-third of all entries; India specifically represents over 60% of government-sector entries in the dataset. The campaign — active since February 2026 and attributed to Russian-speaking threat actors — is not a new vulnerability. It exploits SHA-256 password hashes that persist on FortiOS devices upgraded from versions earlier than 7.2.11, 7.4.8, or 7.6.1, combined with credential reuse from earlier FortiOS exploitation. CISA issued a hardening advisory on 18 June. There is no firmware patch that cancels credentials already in attacker possession.
Action: Rotate all FortiGate administrator and SSL-VPN credentials immediately. Enable MFA on every remote-access account. Restrict management interfaces to internal networks. Upgrade firmware to FortiOS 7.2.11, 7.4.8, or 7.6.1 or later — the upgrade alone does not convert existing password hashes; every administrator must log in post-upgrade to force PBKDF2 migration.
Source: SOCRadar (16 Jun 2026); Arctic Wolf (16 Jun 2026); CISA Alert (18 Jun 2026)
Treat this as an active credential-compromise incident rather than a patching advisory.
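Added example, not code from SOCRadar, Arctic Wolf, CISA or Fortinet: a reconciliation check that applies the two caveats above to a constructed FortiGate account inventory. Any credential not rotated since the 16 June advisory is treated as compromised, and any administrator who has not logged in since the firmware upgrade is still on the legacy SHA-256 hash. The inventory columns and the upgrade date are assumptions for illustration.

```python
"""Reconcile a FortiGate admin / SSL-VPN account inventory against the FortiBleed
advice: rotate everything, enforce MFA, and force a post-upgrade login so the
stored hash migrates to PBKDF2. Added example; inventory format is assumed."""
from datetime import date

ADVISORY_DATE = date(2026, 6, 16)   # SOCRadar publication; anything older is exposed
UPGRADE_DATE = date(2026, 6, 19)    # constructed: day this estate moved to 7.4.8

# Constructed inventory (not a real export). A real one would come from the
# operator's own IAM or change records.
INVENTORY = """\
account,role,last_rotated,last_login,mfa
admin,admin,2025-11-03,2026-06-20,no
netops,admin,2026-06-18,2026-06-19,yes
vpn-contractor,sslvpn,2026-01-15,2026-03-02,no
vpn-finance,sslvpn,2026-06-17,2026-05-30,yes
"""


def parse_inventory(text):
    """Parse the CSV-style inventory into a list of dicts with real dates."""
    header, *lines = [ln for ln in text.splitlines() if ln.strip()]
    keys = header.split(",")
    rows = []
    for line in lines:
        rec = dict(zip(keys, line.split(",")))
        rec["last_rotated"] = date.fromisoformat(rec["last_rotated"])
        rec["last_login"] = date.fromisoformat(rec["last_login"])
        rec["mfa"] = rec["mfa"].lower() == "yes"
        rows.append(rec)
    return rows


def findings(rows, upgrade_date):
    """Map account name -> list of outstanding actions for that account."""
    out = {}
    for r in rows:
        issues = []
        if r["last_rotated"] < ADVISORY_DATE:
            issues.append("rotate: credential not changed since the 16 Jun advisory")
        if r["last_login"] < upgrade_date:
            # Firmware upgrade alone leaves the old hash in place; a login is
            # what triggers the PBKDF2 migration.
            issues.append("legacy hash: no login since firmware upgrade")
        if not r["mfa"]:
            issues.append("mfa: not enforced on remote-access account")
        if issues:
            out[r["account"]] = issues
    return out


def audit(text=INVENTORY, upgrade_date=UPGRADE_DATE):
    """Run the full check; returns only accounts with outstanding actions."""
    return findings(parse_inventory(text), upgrade_date)


if __name__ == "__main__":
    for account, issues in audit().items():
        print(account)
        for issue in issues:
            print("  -", issue)
```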
2. Tata Electronics Confirms Cyberattack; World Leaks Claims 630 GB of Apple and Tesla Supply-Chain Files

No CVE | Data extortion — no encryption

India exposure: Tata Electronics — a Tata Group subsidiary assembling approximately one-third of Apple's iPhone production in India — confirmed a cyberattack on 22 June. World Leaks, considered a rebrand of the Hunters International ransomware group, claims 204,300 files totalling over 630 GB, including Apple supplier quality-inspection specifications, Tesla manufacturing schematics, employee passport copies, and multi-year SAP event logs. Unlike encryption-based ransomware, World Leaks operates as a pure extortion operation: it exfiltrates data and threatens publication without disrupting systems.
Action: Indian electronics manufacturers and their tier-2 suppliers should segment engineering repositories from corporate IT environments, review third-party data-sharing arrangements, and confirm incident-notification obligations with OEM customers. Any organisation that has shared engineering specifications with Tata Electronics should assess its own supply-chain confidentiality exposure and alert relevant OEM security contacts.
Source: TechCrunch (22 Jun 2026); BleepingComputer (23 Jun 2026)
The breach's blast radius extends to every organisation whose proprietary specifications are stored in Tata Electronics systems.
3. Bajaj Auto Hit by Ransomware; CERT-In and SEBI Notified on 23 June

No CVE | Ransomware — no public attribution

India exposure: Bajaj Auto, India's largest two-wheeler manufacturer, detected a ransomware attack at 8:00 AM IST on 23 June affecting systems at the parent company and its wholly owned technology subsidiary, Bajaj Auto Technology Ltd. The company notified CERT-In under the Information Technology Act 2000 and SEBI under Regulation 30 of LODR. Bajaj Auto stated that containment protocols were initiated and that operations are continuing. No threat-actor group has been publicly attributed, and data impact details have not been disclosed.
Action: Indian automotive and industrial organisations should confirm ransomware playbooks are current, verify that offline backup copies are intact and tested, and review EDR coverage on engineering endpoints and OT-adjacent systems. The mandatory six-hour CERT-In notification requirement under the IT Act applies to any sector facing a comparable intrusion.
Source: Medianama (23 Jun 2026); Economic Times (23 Jun 2026); BusinessToday (24 Jun 2026)
The Bajaj Auto incident and the Tata Electronics extortion case in the same week reflect sustained ransomware pressure on India's manufacturing and technology sectors.
4. Check Point VPN Authentication Bypass Linked to Qilin Ransomware Affiliate — CISA KEV June 8

CVE-2026-50751 | Critical | CVSS 9.3

India exposure: CVE-2026-50751 is an authentication bypass in the IKEv1 key-exchange implementation on Check Point Security Gateways. A remote, unauthenticated attacker can establish a full VPN session by exploiting a logic flaw in certificate validation — no valid password is required. Exploitation was first observed on 7 May; Check Point published its advisory on 8 June; CISA added the CVE to KEV the same day with a federal remediation deadline of 11 June. Post-exploitation activity linked to a Qilin ransomware affiliate has been confirmed in at least one case globally. Check Point gateways are deployed across Indian banking, insurance, and government-sector networks.
Action: Apply the Check Point hotfix for affected releases (R80.40 through R82.10, Spark R80.20.X–R82.00.X). If the patch is not yet deployed, disable IKEv1 remote-access and mobile-access VPN, or enforce mandatory machine-certificate requirements to close the bypass. Review VPN session logs from 7 May onward for anomalous initiations.
Source: Check Point Security Advisory (8 Jun 2026); Rapid7 ETR (8 Jun 2026); Help Net Security (8 Jun 2026)
Qilin ransomware has disrupted healthcare and critical-infrastructure targets internationally; any Check Point gateway still accepting IKEv1 connections warrants immediate remediation.
5. Ubiquiti UniFi OS Three-Vulnerability Chain Enables Unauthenticated Root Access — CISA Deadline Passes Today

CVE-2026-34908, CVE-2026-34909, CVE-2026-34910 | CISA KEV 23 Jun 2026

India exposure: Three vulnerabilities in Ubiquiti UniFi OS — improper access control (CVE-2026-34908), path traversal (CVE-2026-34909), and command injection (CVE-2026-34910) — form a chain that delivers unauthenticated root-level code execution against the management interface of UniFi OS Server 5.0.6 and earlier. CISA added all three to its KEV catalogue on 23 June with a federal remediation deadline of today, 26 June. Bishop Fox validated the full exploit chain; PwnDefend observed live attacks within days of Ubiquiti's advisory, with Mirai-family botnet malware deployed on compromised devices. Ubiquiti UniFi OS devices are widely used in Indian SME, campus, and hospitality network environments.
Action: Update UniFi OS Server to version 5.0.7 or later immediately. Disable remote management access if it is not operationally required. Review connected devices and network traffic for Mirai botnet indicators: unexpected outbound connections, scanning behaviour, or abnormal CPU utilisation on network appliances.
Source: CISA KEV (23 Jun 2026); BleepingComputer; SecurityWeek; Bishop Fox; PwnDefend
This is a publicly confirmed, actively weaponised exploit chain; the CISA federal deadline passes today.

Takeaway

Two direct India incidents — Tata Electronics and Bajaj Auto — alongside India's outsized exposure in the FortiBleed government dataset make this week's brief unusual in its concentration of India-specific risk. The connecting thread across all five items is the same: network perimeters with legacy protocol configurations, delayed firmware updates, or unchanged default credentials are the consistent attacker entry point. Patch management note: Microsoft's June 2026 Patch Tuesday (10 Jun) addressed 200 CVEs including six zero-days; prioritise CVE-2026-45586 (Windows privilege escalation to System) on internet-facing servers and privileged workstations where the June update cycle has not yet been completed.

Nirad Threat Research


BFSI Sector Edition — June 2026

1. Sector snapshot

Black Kite's 2026 State of Financial Services Report (3 June) frames a two-front year: Q1 2026 direct ransomware attacks on financial institutions rose 76% year-on-year (65 incidents), while roughly half of financial-sector vendor ecosystems carry critical vulnerabilities — and 48 distinct threat groups now target finance, led by Qilin, Akira and Kill Security after the LockBit/ALPHV takedowns. For Indian BFSI, the soft entry point is increasingly the edge appliance and the third party, not the core.

2. Threats targeting BFSI

1. Check Point VPN authentication-bypass zero-day, exploited and ransomware-linked — CVE-2026-50751 (Critical, CVSS 9.3)

A certificate-validation flaw in IKEv1 lets unauthenticated attackers open VPN sessions on Check Point Remote Access VPN, Mobile Access and Spark; CISA added it to KEV on 9 June, and at least one intrusion is tied to a Qilin ransomware affiliate.

Exposure: Indian banks, NBFCs and insurers running Check Point gateways with legacy IKEv1 for branch/remote access.
Action: Apply the hotfix, force IKEv2-only with machine-certificate auth, and hunt for unauthenticated VPN sessions since 7 May.
Source: Rapid7 (8 Jun 2026); CISA KEV (9 Jun 2026).
2. FortiBleed — mass Fortinet credential exposure, India among the worst-affected

A dataset of working credentials for tens of thousands of internet-facing FortiGate / SSL-VPN devices across 194 countries circulated, with India ranked among the most-affected countries and financial services named among exposed sectors.

Exposure: Banks, NBFCs and insurers running internet-facing FortiGate / SSL VPN.
Action: Treat Fortinet VPN and admin credentials as compromised — rotate, enforce phishing-resistant MFA, restrict management access, and review for rogue accounts.
Source: CISA (18 Jun 2026); Dark Reading, BleepingComputer (June 2026).
3. Rokarolla Android banking trojan — built for UPI/OTP fraud (217 apps)

Zimperium zLabs detailed (16 June) a device-takeover Android trojan with 137 commands: overlay credential theft, SMS/OTP interception, alert muting and clipboard crypto-address swapping, spread via fake TikTok/Chrome sites and a Play Protect-killing dropper. The capability set maps directly onto India's UPI/OTP-driven payments.

Exposure: Retail mobile-banking and UPI customers; accessibility-permission abuse defeats SMS-OTP.
Action: Deploy in-app overlay/accessibility-abuse and sideload detection; brief fraud teams on OTP-interception and micro-drain patterns; reinforce "never grant accessibility access to unknown apps."
Source: Zimperium zLabs; Infosecurity Magazine, BleepingComputer (16–17 Jun 2026).
4. MOVEit Automation critical authentication bypass — CVE-2026-4670 (Critical, CVSS 9.8)

Progress patched an unauthenticated auth-bypass (with a companion privilege-escalation flaw) that grants full admin control of MOVEit Automation and access to stored transfer credentials. No in-the-wild exploitation reported yet, but 1,400+ instances are internet-exposed and MFT is a repeat BFSI breach vector.

Exposure: Internet-facing MOVEit / MFT nodes moving statements, KYC, reconciliation and settlement files across banks and their vendors.
Action: Upgrade immediately, restrict MFT admin interfaces to allow-listed IPs, and review file-access logs for anomalous bulk retrieval.
Source: Progress; Help Net Security, BleepingComputer (4 May 2026).

3. Sector tech & exposures

- Edge/VPN is the live battleground — beyond Check Point, Palo Alto GlobalProtect (CVE-2026-0257) is under active exploitation (CISA KEV, 29 May); inventory and patch all internet-facing gateways.
- Managed file transfer (MOVEit) remains a recurring breach vector — treat any exposed MFT as priority-patch.
- Core banking / ERP: CERT-In flagged June Oracle (incl. PeopleSoft, E-Business Suite, MySQL) and SAP (NetWeaver, S/4HANA) critical updates — prioritise where reconciliation/settlement middleware depends on these stacks.
- Supply chain: CERT-In's "Mini Shai-Hulud" advisory warns of npm/PyPI compromise and CI/CD secret theft — a fourth-party risk for fintech-dependent BFSI.

4. Regulatory & compliance watch

- RBI — data-protection advisory (April) directing regulated entities to align customer-data protection with the DPDP Act; reporting also indicates RBI is weighing added "frictions" against authorised push-payment fraud.
- SEBI — AI vulnerability-detection advisory (5 May) under the CSCRF; the next half-yearly cyber-audit / action-taken cycle is due 30 June 2026.
- IRDAI — Information & Cybersecurity Guidelines 2026 remain the live insurance-sector baseline.
- CERT-In — AI-assisted-exploitation blueprint (25 May) plus critical Oracle/SAP and supply-chain advisories.
- NPCI — BHIM-UPI guidelines updated 4 June (UPI-ID display, safety warnings, transaction-screen controls).

5. Actor in focus

Qilin (alias Agenda) — financially-motivated ransomware-as-a-service. Confidence: HIGH that Qilin is a leading finance-sector ransomware actor (Black Kite); MEDIUM on the specific affiliate link to CVE-2026-50751 (Rapid7). Qilin runs double extortion and is shifting toward edge-appliance initial access over phishing alone. Public victimology this period skews North America / Europe with no confirmed Indian BFSI victim — but the affiliate model and shared technology stacks make any exposed Check Point or MFT estate a credible target. Akira and Kill Security round out the top finance-focused crews.

6. IOC & detection pack

Only public, attributed indicators; no leaked data reproduced.

- Check Point CVE-2026-50751: Rapid7's advisory publishes attacker IPs and post-exploitation file hashes — pull the exact values from the primary source and defang on import (do not rely on second-hand copies).
- Rokarolla (Android): distribution domain infocontablidades.it[.]com (Zimperium); detect behaviourally — accessibility-service abuse, overlay creation, SMS-read + alert-mute, clipboard crypto-address rewriting.
- MOVEit CVE-2026-4670: alert on unauthenticated admin-API calls and bulk file enumeration on MFT hosts.

7. Recommended actions

Board: treat edge-appliance and vendor-CVE exposure as enterprise risk; confirm DPDP-aligned data protection and that the 30 June SEBI/CSCRF audit cycle is met where applicable.

CISO: emergency-patch CVE-2026-50751, CVE-2026-0257 and CVE-2026-4670; enforce IKEv2-only with machine-certificate auth; rotate all Fortinet and Check Point VPN credentials; run a fourth-party exposure review against the ~50% vendor-CVE baseline.

SOC: hunt unauthenticated VPN sessions and anomalous MFT access since 7 May; deploy behavioural detection for accessibility-abusing mobile trojans with fraud-team coordination on OTP-interception; tabletop a Qilin-style edge-to-ransomware intrusion end to end.

8. Source index

Black Kite, 2026 State of Financial Services (3 Jun) · Rapid7, Check Point CVE-2026-50751 (8 Jun) + CISA KEV (9 Jun) · CISA / Dark Reading, FortiBleed (18 Jun) · Zimperium zLabs / Infosecurity, Rokarolla (16 Jun) · Help Net Security, MOVEit CVE-2026-4670 (4 May) · Unit 42 / CISA, PAN-OS CVE-2026-0257 (KEV 29 May) · CERT-In AI blueprint (25 May) + Oracle/SAP/Mini-Shai-Hulud advisories · SEBI (5 May) · IRDAI Guidelines 2026 · NPCI BHIM-UPI (4 Jun).


AI Threat Watch — 1 July 2026

Two government advisories and a maximum-severity CVE in AI-agent infrastructure set the agenda this issue. Five Eyes intelligence agencies have placed a specific timeline on frontier AI reaching offensive capability. India's I4C has named and dissected a malware-enabled WhatsApp attack chain now targeting Indian executives and finance teams. And a freshly tracked CVSS 10.0 vulnerability exposes Apache Pinot databases to unauthenticated access through any network-visible MCP endpoint — with no credentials required on the attacker's side.
1. Five Eyes intelligence agencies warn that frontier AI capable of autonomous cyberattacks is months away, not years — board-level action required now

The intelligence agencies of the United States (NSA and CISA), United Kingdom, Canada, Australia, and New Zealand issued a joint statement on 22 June 2026 stating that frontier AI models capable of autonomously breaching government and enterprise defences will become broadly available within months, not years. The statement cites four structural vulnerabilities making organisations unprepared: legacy systems, slow patch velocity, unnecessary internet exposure, and weak identity controls. Officials named upcoming frontier model releases as the reference point for when adversary access to such capability becomes routine.

Why it matters for India: Indian critical infrastructure operators, PSUs, large enterprises, and government agencies share the same structural weaknesses the advisory names. This warning, read alongside CERT-In's AI Vulnerability Blueprint (May 2026) — which mandates 12-hour patching for known-exploited internet-facing systems — defines the minimum baseline Indian organisations should measure themselves against. The risk is not hypothetical: adversaries who today use AI to accelerate phishing and reconnaissance will within months potentially have access to fully autonomous exploitation tooling.
Action: Conduct an internet-facing asset review and close or harden all unnecessary exposure; enforce MFA for privileged and administrative accounts; shorten patch SLAs for critical internet-facing systems to meet CERT-In timelines; develop and test an incident response plan for AI-assisted intrusion; escalate AI-enabled cyber risk to board level with specific reference to this advisory.
Source: NSA / CISA / Five Eyes joint statement, via CyberScoop (22 June 2026).
2. I4C / MHA names "Boss Scam" — malware hijacks executive WhatsApp accounts to authorise fraudulent wire transfers at Indian enterprises

India's Cyber Crime Coordination Centre (I4C), operating under the Ministry of Home Affairs, issued an advisory in the week of 22 June 2026 documenting an attack chain it has named the Boss Scam. The sequence: a phishing message delivers a malicious file attachment (ZIP, EXE, or DLL) to a target employee; the malware installs silently and hijacks the victim's active WhatsApp Web session; attackers, now in control of the victim's genuine and authenticated WhatsApp account, message finance or procurement staff impersonating senior executives; because the contact and account are authentic, recipients raise no objections and authorise fraudulent payments. In a more sophisticated variant, the attacker obtains full device control and edits the victim's contact list — saving the attacker's own number under the name of a senior executive — so subsequent messages arrive attributed to that executive even after the original hijack is detected. I4C has issued seven protective measures and directed incidents to cybercrime.gov.in.

Why it matters for India: WhatsApp is the dominant channel for business approvals and informal escalation across Indian enterprises, government offices, and finance functions. The attack succeeds precisely because it works within the established communications pattern — no spoofed number or forged email, just a legitimate account under attacker control. The technique bypasses standard email security controls and spear-phishing training.
Action: Remove WhatsApp as an authorised channel for financial approvals — require a separate voice callback or in-person confirmation for any payment or funds-transfer instruction regardless of how it arrives; train finance and procurement staff on this specific attack pattern; review and audit active WhatsApp Web sessions on executive and finance-team devices; log out any unknown or unauthorised sessions; block unexpected archive and executable attachments at the email gateway; report confirmed incidents at cybercrime.gov.in.
Source: I4C / Ministry of Home Affairs advisory, via Economic Times (22 June 2026); India TV News (24 June 2026).
3. CVE-2026-49257 (Critical, CVSS 10.0): unauthenticated access to all MCP tools and privileged database credentials in mcp-pinot, fixed in v3.1.0

CVE-2026-49257, rated CVSS 10.0 Critical (CWE-306, Missing Authentication for Critical Function), was published on 18 June 2026 for mcp-pinot — a Python-based Model Context Protocol server for Apache Pinot, the distributed columnar analytics database. The default configuration binds the MCP HTTP server to 0.0.0.0:8080 with no authentication requirement, making all 14 MCP tools available to any network-reachable caller without credentials. These tools include SQL query execution, schema creation, and table mutation. A confused-deputy condition means the unauthenticated caller inherits the server's own Apache Pinot credentials — loaded from environment variables — allowing data exfiltration, schema manipulation, and database corruption. Affected versions: mcp-pinot 2.1.0 through 3.0.1. Fixed in v3.1.0, released 25 May 2026 (deployed before CVE publication).

Why it matters for India: Indian GCCs, analytics platforms, and data engineering teams increasingly deploy Apache Pinot as the query layer behind AI dashboards and agent tools. An MCP interface sitting in front of that data store with a CVSS 10.0 exposure is a direct database exfiltration risk — any caller on the same network segment can extract all data the server is authorised to access, without a single credential.
Action: Upgrade mcp-pinot to v3.1.0 or later immediately; audit network exposure of all MCP endpoints — any MCP service bound to 0.0.0.0 or reachable without authentication should be treated as a critical finding; isolate MCP listeners to authenticated, network-segmented environments; inventory every MCP server in production and confirm authentication is enforced before any service is network-reachable.
Source: NVD / CIRCL (CVE-2026-49257, published 18 June 2026); DailyCVE (26 June 2026).
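Added example, not code from the mcp-pinot project or the CVE record: an inventory check that classifies MCP HTTP listeners the way the action above asks (bound to 0.0.0.0 or reachable without authentication is a critical finding), with the vulnerable default beside a hardened configuration and the bearer-token check that CWE-306 means was absent. The listener fields and token-header scheme are assumptions for illustration.

```python
"""Classify MCP listener exposure and enforce a bearer-token check.
Added example; field names and the hardened layout are assumptions, not the
project's configuration schema."""
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass
class McpListener:
    name: str
    bind_host: str        # address the MCP HTTP server binds to
    port: int
    auth_required: bool   # does the server reject callers without credentials?
    segmented: bool = False  # is the listener on an isolated network segment?


# The advisory's point: every caller that reaches an unauthenticated listener
# inherits the server's own Pinot credentials (loaded from environment
# variables), so exposure of the listener is exposure of the database.
VULNERABLE_DEFAULT = McpListener("mcp-pinot <3.1.0 default", "0.0.0.0", 8080, False)
HARDENED = McpListener("mcp-pinot behind local auth proxy", "127.0.0.1", 8080, True)


def _is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:      # hostname rather than IP literal: assume reachable
        return False


def classify(listener):
    """Return (severity, reason) following the action in the item above."""
    wildcard = listener.bind_host in ("0.0.0.0", "::")
    loopback = _is_loopback(listener.bind_host)
    if wildcard:
        return ("CRITICAL", "bound to all interfaces")
    if not listener.auth_required and not loopback:
        return ("CRITICAL", "network-reachable without authentication")
    if not listener.auth_required:
        return ("MEDIUM", "loopback only, but any local process is unauthenticated")
    if not loopback and not listener.segmented:
        return ("HIGH", "authenticated but not on an isolated segment")
    return ("OK", "authenticated and isolated")


def authorize(headers, expected_token):
    """Constant-time bearer-token check on a dict of HTTP request headers.
    This is the kind of gate a CWE-306 finding says was never configured."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


def audit(listeners):
    """Return only the listeners that need action, worst first."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    found = [(l.name, *classify(l)) for l in listeners]
    found = [f for f in found if f[1] != "OK"]
    return sorted(found, key=lambda f: order[f[1]])


if __name__ == "__main__":
    for name, sev, why in audit([VULNERABLE_DEFAULT, HARDENED]):
        print(f"{sev:8} {name}: {why}")
```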
AI defender tip: The common thread across this issue is the assumption that existing controls are adequate — that current defences will hold against more capable adversaries (Five Eyes: they may not), that a familiar WhatsApp contact is trustworthy (Boss Scam: the account may be hijacked), and that an AI-agent endpoint is secured by its deployment context (CVE-2026-49257: it is not, if authentication was never configured). The next quarter's security review should test each of these assumptions explicitly: red-team your patch and response SLAs against CERT-In timelines; audit every messaging channel used for financial approvals; and inventory every AI-agent endpoint for authentication and network exposure before assuming it is not reachable.

Nirad Threat Research
