2026年6月20日の
セキュリティ情報

Subject: [Alert] Massive Credential-Spraying Campaign (FortiBleed) targeting FortiGate/Sophos

Dear IT/Security Team,

We are sharing information regarding a large-scale credential-spraying operation known as 'FortiBleed'.

■ Overview
Attackers are using a custom tool called 'forticheck' to perform billions of automated login attempts against FortiGate SSL VPNs and Sophos user portals. Once access is gained, network sniffers are deployed to capture sensitive traffic.

■ Scope
- Fortinet FortiGate SSL VPN
- Sophos User Portal

■ Recommended Actions
1. Ensure Multi-Factor Authentication (MFA) is strictly enforced for all VPN access.
2. Review authentication logs for patterns of high-volume login failures from single or distributed sources.
3. Update and strengthen passwords for administrative and privileged accounts.

■ Reference
- SecurityDiscovery.com / Ransomnews reports

Priority: High
Deadline: Immediate

Subject: [Security Advisory] Gravity SMTP Vulnerability (CVE-2026-4020)

Dear IT/Security Team,

We are sharing information regarding a critical information disclosure vulnerability in the Gravity SMTP WordPress plugin.

■ Overview
An unauthenticated information disclosure vulnerability (CVE-2026-4020) has been identified in Gravity SMTP. Attackers can exploit an exposed REST API endpoint to retrieve a comprehensive 'System Report' containing sensitive API keys, OAuth tokens, and credentials for third-party email services. Over 17 million attack attempts have already been blocked by Wordfence.

■ Scope
- Product: Gravity SMTP (WordPress Plugin)
- Affected Versions: All versions 2.1.4 and older

■ Remediation Steps
1. Immediately update the Gravity SMTP plugin to version 2.1.5 or later.
2. If the plugin was running a vulnerable version, it is highly recommended to rotate all API keys and secrets for configured email integrations (e.g., Amazon SES, Google, Mailjet, Resend, Zoho) as they may have been compromised.

■ Reference
- CVE-2026-4020

Priority: High
Deadline: Immediate

Subject: [Threat Intel] EDR-Killer Tool 'GentleKiller' used by The Gentlemen

Dear Team,

We are sharing information regarding 'GentleKiller', an EDR-disabling suite used by the ransomware group 'The Gentlemen'.

■ Overview
GentleKiller employs BYOVD (Bring Your Own Vulnerable Driver) exploits to load vulnerable drivers into the kernel, allowing the attackers to disable security tools and EDRs before deploying ransomware payloads.

■ Scope
- Windows environments utilizing EDR/Endpoint Security products.

■ Recommended Actions
1. Ensure Windows Driver Signature Enforcement is active to prevent the loading of unsigned/malicious drivers.
2. Enable 'Tamper Protection' features within your EDR/AV solutions to prevent unauthorized service termination.
3. Enhance monitoring for the loading of known vulnerable drivers via system logs (e.g., Sysmon).

■ Reference
- ESET Technical Report (Published June 18, 2026)

Priority: High
Deadline: Immediate review

Subject: [Technical Alert] Apple A12/A13 SecureROM Vulnerability (usbliter8)

Dear Team,

We are sharing information regarding a critical hardware vulnerability in Apple's SecureROM.

■ Overview
An exploit named 'usbliter8' has been released that achieves arbitrary code execution in the SecureROM of Apple A12 and A13 chips. Since SecureROM is burned into the silicon, this vulnerability cannot be patched via software updates.

■ Affected Scope
- iPhone, iPad, and Apple Watch devices equipped with A12 and A13 chips.

■ Recommended Actions
1. Note that no software patch is available for this hardware-level flaw.
2. Enforce strict physical security for devices, as the exploit typically requires physical access to put the device into DFU mode.
3. Consider accelerating the lifecycle replacement of affected legacy hardware.

■ Reference
- PoC published by Paradigm Shift

Priority: Medium (Requires physical access)
Deadline: Ongoing monitoring