CYBER DESK · HONG KONG · WEEKLY

CISA Said Hygiene. The Cluster Had 45 GPUs.

CISA's hygiene frame for FortiBleed explains how 86,644 FortiGate devices were compromised; the 45-GPU cracking cluster behind the campaign explains why credential resets alone will not close the exposure.
KT

What the Cluster Shows

S. Cybersecurity and Infrastructure Security Agency's binding guidance to the private sector on active threats -- named FortiBleed a credential-hygiene failure. 16 billion automated attempts against 320,000 FortiGate firewall targets, shows a password-reset mandate does not close that exposure. On the artifact record, the hygiene framing holds in part. The 45-GPU cluster argues otherwise.

3% were using built-in Fortinet system accounts, defaults a privileged-access audit under MAS TRM (Singapore's Technology Risk Management framework, mandatory for licensed financial institutions) would have caught. For those devices, a credential reset is the correct response. 3 million hosts enumerated and 437,000 devices fingerprinted before target selection -- meaning affected organisations' devices were catalogued as potential targets before any breach occurred. Across 194 countries, 105 million credentials were harvested in total, with financial institutions confirmed among affected sectors alongside telecoms, energy, and government agencies. A financial institution rotating every privileged credential this week remains exposed if its device IP appeared in that enumeration sweep before rotation. Huntress, a managed security provider, confirmed as of June 19 that 845 managed partner organisations appear in the compromised set.

CISA said hygiene. The artifacts say scale. Researcher Volodymyr Diachenko identified Russian-speaking operators. No government agency has named a state sponsor. MAS and HKMA had not issued FortiBleed-specific guidance as of June 21.

GentleKiller and the EDR Assumption

ESET, a Slovak cybersecurity research firm, published research on June 18 documenting Gentlemen, a ransomware-as-a-service operation that licenses malware to independent affiliates for a revenue split, ranked among the five most active ransomware groups by incident count in Q1 2026. The group's affiliate toolkit centers on GentleKiller, a framework disabling 400 or more security processes across 48 endpoint-detection and response (EDR) vendors, including CrowdStrike Falcon, SentinelOne, and Palo Alto Networks Cortex XDR, before payload delivery, allowing ransomware to encrypt systems without triggering a security alert on the target network. Gentlemen explicitly targets Southeast Asia. The affiliate revenue split is 90%, the highest documented among active ransomware-as-a-service operations, a margin that out-bids every competing operation for affiliate recruitment in the region.

MAS TRM and HKMA's cybersecurity governance framework both assume EDR tools remain operational through an incident; a licensed bank's threat-detection layer depends on that assumption. GentleKiller is built against it. A bank in Singapore or Hong Kong running products from any of the 48 named vendors faces an affiliate who has pre-solved for that tool's presence, meaning the institution's first signal of compromise may be encrypted files rather than a security alert. No patch addresses it. Operation Endgame Phase 3 closed 106 servers and 101 domains on June 18. Gentlemen affiliates were not in scope.

The FortiBleed credential database was active as of June 21, per Arctic Wolf. SOCRadar's check tool queries a licensed institution's FortiGate device exposure against the leaked set in minutes. That check does not surface GentleKiller deployment on the same network, a distinct question no current tool answers. HKMA and MAS had not issued FortiBleed-specific guidance as of June 21. Neither named a credential-check deadline.

PREVIOUS COLUMNS, CYBER INTEL DESK
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.