ThreatsDay Bulletin Highlights: FortiGate RaaS, Citrix Exploits, and Emerging Threats

21 March 2026 by TechStora

ThreatsDay Bulletin Summary

The latest ThreatsDay Bulletin on The Hacker News presents a series of modest yet concerning developments. While no single incident dominates the headlines, a collection of smaller, ongoing threats continues to operate beneath the surface.

Gentlemen Ransomware-as-a-Service

Group-IB reports that The Gentlemen, a nascent Ransomware-as-a-Service (RaaS) operation of roughly 20 members, emerged after a payment dispute on the RAMP cybercrime forum. The dispute involved a claim of $48,000 in unpaid affiliate commissions from the Qilin ransomware group.

The Gentlemen rely heavily on CVE-2024-55591, a critical authentication bypass in FortiOS/FortiProxy, to gain initial access. Their internal database lists about 14,700 compromised FortiGate devices worldwide, plus 969 verified brute-forced VPN credentials ready for exploitation. Once inside, the group uses a bring-your-own-vulnerable-driver (BYOVD) technique, loading a legitimately signed but vulnerable driver, to terminate security processes at the kernel level.

Since its first activity in July-August 2025, the operation has impacted roughly 94 organizations.

BMC FootPrints Vulnerabilities

Four new flaws (CVE-2025-71257, CVE-2025-71258, CVE-2025-71259, and CVE-2025-71260) have been disclosed in BMC FootPrints, a widely deployed IT service-management platform. The vulnerabilities can be chained to achieve pre-authentication remote code execution.

Other Notable Findings

  • Continued exploitation of Citrix products despite vendor patches.
  • Increased abuse of Microsoft Cloud Partner (MCP) credentials for lateral movement.
  • Live-chat phishing campaigns that mimic legitimate support channels.

The bulletin underscores a shift toward low-profile, practical attacks that blend into everyday network traffic, making them harder to detect.