Carnival 6M Breach Lands as FortiClient Exploit Returns
Summary
Today's picture was split between bulk data hoards moving across the forum boards and a sharper reminder that the developer and IT toolchain remains the attacker's preferred neighbourhood. The week's pattern reads less as novel offensive engineering than as the systematic abuse of trusted credentials and trusted infrastructure -- a public-facing enterprise account on one end, a managed-endpoint server and a software-forge container store on the other. Defenders are pushed back into a patch-and-rotate posture across the developer supply chain even as their corporate-strategy budgets pivot toward AI-vs-AI defence.
Today's developments
The criminal forum side ran broad. "The BlackH4t MD-Ghost" advertised alleged breaches of HSBC in the UK and U.S. Bank, and posted what it described as a leak from a Ukrainian government ministry. The actor "deb163" posted an "850M India Nationwide Identity Dataset" weighing 109 GB; "0xLei" advertised Philippine citizen identification data and a separate Philippine government-ID dump; "S82 ETHX" claimed biometric data from Mexico; "RanzXZ" claimed the Bekasi City population data service in Indonesia; and "noszicasrebenica" posted alleged "Government Mails" attributed to France. On the corporate side, "qVyntra" claimed an oil-and-gas industry database of 29,000-plus records, "SALDIRGAN" advertised 681,000 records from ibm.com and "'AGGRESSIVE" posted a separate alleged IBM data set, "KrolikHacking" posted two batches against US software firm IdeaBrowser, "bacen" claimed iFood Brazil twice, "AplaGroup" posted Apogas Immobilier real-estate data from France, "distrub" claimed the Kleinanzeigen classifieds platform in Germany, and "mosad" posted what it described as classified FSB intelligence reports from Russia. "betway" advertised a 372,000-record Canadian corporate dataset and an India-manufacturing leak; "EagleGodSEC" posted Paññāsāstra University of Cambodia; "JAX7" posted alleged KomInfo Indonesia data; and "Akasha" posted twice against the Indonesian Persaudaraan Setia Hati Terate organisation. All of these remain unverified actor claims drawn from forum posts.
External reporting ran in two directions: one confirmed breach, and a cluster of platform flaws that sit on trust boundaries. Cruise operator Carnival confirmed that nearly six million people were affected by a data breach traced to an April compromise of an employee account, The Record and SecurityWeek reported; the attacker copied personal information before being detected. Fortinet rolled out hotfixes for a FortiClient Endpoint Management Server (EMS) flaw that had been exploited in the wild as a zero-day in April; SecurityWeek and The Hacker News reported the campaign was now using the trusted endpoint-management infrastructure itself to deliver credential-stealing malware to managed endpoints. SecurityWeek separately reported a Gitea vulnerability that exposed roughly 30,000 deployments to unauthenticated pulls of private container images -- and a private image routinely carries source code, baked-in credentials and infrastructure detail, so all three are at risk. CyberScoop reported Zapier had patched a five-step flaw chain that researchers said could have let a single attacker act as any signed-in user across thousands of connected apps.
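The Gitea item is the one a self-hosting team can verify for itself today: an anonymous client should never receive a private image's manifest. The script below is an added example written for this digest, not code from the page, from Gitea or from SecurityWeek. It assumes only that the registry speaks the OCI Distribution API (GET /v2/<repo>/manifests/<ref>), which Gitea's package registry does; the host git.example.test and the repository names are placeholders, and the verdict logic is separated from the network call so it can be exercised offline.

```python
"""Anonymous-pull audit for a private container registry.

Added example, not code from the page, from Gitea or from SecurityWeek.
Assumes only that the registry implements the OCI Distribution API
(GET /v2/<repo>/manifests/<ref>); host and repository names are
placeholders.
"""
import re
import sys
import urllib.error
import urllib.request

# Media types a normal `docker pull` client advertises in Accept.
ACCEPT = ", ".join([
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
])


def parse_www_authenticate(header):
    """Split a `Bearer realm="...",service="...",scope="..."` challenge
    into a dict; returns {} for a missing or non-Bearer header."""
    if not header or not header.lower().startswith("bearer "):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', header[len("bearer "):]))


def classify(status, www_authenticate=None):
    """Turn the outcome of an unauthenticated manifest GET into a verdict.
    A 200 means the anonymous client got the manifest: the image is exposed."""
    if status == 200:
        return "EXPOSED"
    if status == 401:
        challenge = parse_www_authenticate(www_authenticate)
        # A well-formed token challenge is the expected healthy answer.
        return "PROTECTED" if challenge.get("realm") else "PROTECTED-NO-CHALLENGE"
    if status in (403, 404):
        # Denied, or existence hidden from anonymous users; both are fine.
        return "PROTECTED"
    return "INCONCLUSIVE-%d" % status


def anonymous_manifest_get(registry, repo, reference="latest"):
    """Issue the first request `docker pull` makes, with no credentials.
    Returns (HTTP status, WWW-Authenticate header or None)."""
    url = "https://%s/v2/%s/manifests/%s" % (registry, repo, reference)
    req = urllib.request.Request(url, headers={"Accept": ACCEPT})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")


def audit(registry, repos, fetch=anonymous_manifest_get):
    """Check each private repo and return {repo: verdict}. `fetch` is
    injectable so the verdict logic can be tested without a network."""
    return {repo: classify(*fetch(registry, repo)) for repo in repos}


if __name__ == "__main__":
    # Usage: python anon_pull_check.py git.example.test acme/private-app acme/infra-tools
    if len(sys.argv) < 3:
        sys.exit("usage: anon_pull_check.py <registry-host> <owner/image> [...]")
    host, repos = sys.argv[1], sys.argv[2:]
    results = audit(host, repos)
    for repo, verdict in results.items():
        print("%-40s %s" % (repo, verdict))
    sys.exit(1 if any(v == "EXPOSED" for v in results.values()) else 0)
```

Run it from a host that has no cached registry credentials, against the repositories you consider private, before and after applying the vendor fix; a non-zero exit means at least one private image was served to an anonymous client and the secrets baked into it should be treated as rotated-on-suspicion.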
Microsoft Threat Intelligence published a dissection of "The Gentlemen," a Go-based ransomware deployed by Storm-2697 affiliates that combines per-file ephemeral key encryption with an aggressive self-propagation module designed to deploy itself simultaneously across a network. SecurityWeek reported a new Android malware family, BTMOB, delivered via phishing lures and combining financial theft, data exfiltration and remote-access takeover. The Hacker News described JINX-0164, a previously undocumented actor targeting cryptocurrency firms with recruitment-themed social engineering and bespoke macOS malware. Securelist tracked a cybercrime gang that has spent years infecting consumers of pirated books, movies and TV shows; its miner has now added a RAT module.
On the defender and policy side, IBM and Red Hat committed $5 billion to securing open-source supply chains under "Project Lightwell," and Google unveiled an AI Threat Defense platform combining capabilities from Mandiant, Wiz and Gemini to fight AI-driven attacks. France-based startup Edamame launched a runtime verification platform aimed at detecting AI coding agents that drift off intent, steal secrets or kick off supply-chain attacks in real time. Microsoft pressed publicly for Coordinated Vulnerability Disclosure after a researcher's account was removed from GitHub over a public zero-day. GCHQ director Anne Keast-Butler warned that Russia was running daily attacks on the UK "from seabed to cyberspace," prompting the agency to defend subsea cables and energy pipelines and to disrupt Russian sanctioned-technology smuggling. Two pieces of fraud reporting underscored the consumer cost: Unit 42 mapped the 2026 World Cup's broad attack surface, and The Record reported an organised fraud network had registered more than 4,300 domains impersonating FIFA's official web presence since August 2025. In a separate criminal matter, a Canadian man received a 33-year US sentence for using fake online identities to coerce children into sending sexually explicit content.
Threat landscape signals
Concentration at the top was modest. NoName057(16) (13 events), Keymous Plus (11) and Everest (7) together accounted for 31 of the day's 159 events, roughly a fifth, with the first two driving most of the day's DDoS volume. Data breaches and leaks made up 53 of those events, ahead of 36 distributed-denial-of-service claims and 32 ransomware posts. Victims clustered in the United States (24 incidents), Indonesia (12), Morocco (11) and Italy (10), and the most exposed sectors were government administration (20) and education (14) -- the recurring soft underbelly of the data-theft economy.
The defender signal is sharper. The in-the-wild exploitation of a managed-endpoint product (FortiClient EMS), a software-forge container-leak flaw (Gitea), an automation-platform takeover chain (Zapier) and a credential-stealing Android trojan (BTMOB) all hit the same beat: trust boundaries inside developer and IT infrastructure. The practical priority for the coming week is patching and credential rotation across FortiClient EMS, Gitea and Zapier, along with treating recruitment-themed macOS attachments and unreviewed AI coding-agent output with the same suspicion as an unsigned installer.