{"id":8806,"date":"2026-07-17T14:59:58","date_gmt":"2026-07-17T14:59:58","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8806"},"modified":"2026-07-17T14:59:58","modified_gmt":"2026-07-17T14:59:58","slug":"2026-cybersecurity-forecast-mid-year-review-and-h2-threat-predictions","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8806","title":{"rendered":"2026 Cybersecurity Forecast: Mid-Year Review and H2 Threat Predictions"},"content":{"rendered":"<div class=\"elementor elementor-41122\">\n<div class=\"elementor-element elementor-element-60d7825e e-ecs-flex e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no e-con e-parent\">\n<div class=\"e-con-inner\">\n<div class=\"elementor-element elementor-element-44657c6a ha-has-bg-overlay elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">Key Takeaways<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-76daa6bd elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\">\n<div class=\"elementor-widget-container\">\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Ransomware concentrated hard: top 10 groups now claim 71% of victims, up from 57%.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Supply chain attacks shifted to stolen OAuth tokens instead of network breaches.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">AI-enabled fraud hit $893M in the US, inside a record $20.877B cybercrime year.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Manufacturing stays the top industrial target; ransomware reach grew 49% year over year.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">New this year: AI infrastructure supply chain attacks and mass edge-device credential theft.<\/span><\/p><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-a2af68c e-ecs-flex e-flex e-con-boxed wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no e-con e-parent\">\n<div class=\"e-con-inner\">\n<div class=\"elementor-element elementor-element-d49adb1 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p><em><strong>Back in January 2026, our Cybersecurity Forecast 2026:<\/strong><\/em> What to Expect report laid out six risk themes for the year ahead: ransomware and data-theft extortion, supply chain and third-party compromise, AI-enabled social engineering, virtualization and hypervisor attacks, cloud and machine identity abuse, and industrial and critical infrastructure targeting.<\/p>\n<p>Six months in, this review checks those forecasts against what actually happened, using publicly reported incidents, government advisories, and threat intelligence published between January and June 2026. Sourcing leans on US and Western European material: CISA, the FBI, the UK\u2019s National Cyber Security Centre, primary vendor disclosures, and independent security journalism. Put together, the picture that emerges says a lot about where 2026 cybersecurity trends are actually headed, and it sets up a fresh set of cyber threat predictions for the back half of the year.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-02f1e70 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">2026 Forecast Scorecard<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-eb01013 elementor-widget elementor-widget-Table\">\n<div class=\"elementor-widget-container\">\n<p>\t\t\t\t\tOriginal ForecastStatusConfidence\t\t\t\t<\/p>\n<p>\t\t\t\t\tRansomware &amp; Data-Theft ExtortionConfirmedHighSupply Chain &amp; Third-Party CompromiseConfirmedHighAI-Enabled Social EngineeringAcceleratingHighIndustrial &amp; Critical Infrastructure TargetingConfirmedHighVirtualization &amp; Hypervisor AttacksEmergingMediumCloud &amp; Machine Identity AbuseEmergingMedium\t\t\t\t<\/p><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-392482f8 e-con-full e-ecs-flex e-flex wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no e-con e-child\">\n<div class=\"elementor-element elementor-element-65e8c52b e-con-full e-ecs-flex e-flex wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no e-con e-child\">\n<div class=\"elementor-element elementor-element-295e6abf elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-heading-title elementor-size-default\">Before These Threats Became Headlines, They Were Predictions.<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-2af6275e elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\">\n<div class=\"elementor-widget-container\">\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">See the six expert predictions that shaped 2026 and the threats still expected to define the rest of the year.<\/span><\/p><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-19121298 elementor-widget elementor-widget-button\">\n<div class=\"elementor-widget-container\">\n<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/fidelissecurity.com\/resource\/report\/cybersecurity-forecast-2026-what-to-expect\/\"><br \/>\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\"><br \/>\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Download the 2026 Cybersecurity Forecast Report<\/span><br \/>\n\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-2bac2116 e-con-full elementor-hidden-tablet elementor-hidden-mobile e-ecs-flex e-flex wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no e-con e-child\">\n<div class=\"elementor-element elementor-element-34397f84 elementor-widget elementor-widget-image\">\n<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/fidelissecurity.com\/resource\/report\/cybersecurity-forecast-2026-what-to-expect\/\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-e04d46d elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">What Came True<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-4961b86 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h3 class=\"elementor-heading-title elementor-size-default\">1. Ransomware &amp; Data-Theft Extortion<\/h3>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-e717a8a elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>The original forecast said ransomware crews would keep leaning into pure data-theft extortion instead of encryption, building off the 2,302-victim Q1 2025 leak-site baseline.<\/p>\n<p>That held up, though the more interesting story is concentration. Check Point Research counted 2,122 organizations listed on ransomware leak sites in Q1 2026, the second-highest Q1 on record. But the top 10 groups alone claimed 71% of those victims, up from 57% just two quarters prior, and a handful of independent trackers flagged the exact same pattern<a href=\"https:\/\/fidelissecurity.com\/#citeref1\">[1]<\/a>. Breachsense, using a different counting method entirely, logged 808 victims in March alone, putting 2026 on pace roughly 18.5% above 2025\u2019s full-year total<a href=\"https:\/\/fidelissecurity.com\/#citeref2\">[2]<\/a>.<\/p>\n<p>A few names stood out. Qilin held the top spot for a third straight quarter with 338 victims. The Gentlemen, a newer outfit started by a former Qilin affiliate late in 2025, jumped from just 40 victims in Q4 to 166 in Q1, quite a climb for a group that barely existed six months earlier. LockBit came back too, 163 victims, after law enforcement had supposedly dismantled it back in 2024. And ShinyHunters didn\u2019t even bother with an encryptor: the group hit Salesforce Experience Cloud misconfigurations directly and still generated outsized damage<a href=\"https:\/\/fidelissecurity.com\/#citeref1\">[1]<\/a>.<\/p>\n<p>Track the top 10 operators\u2019 tactics rather than every new leak-site name that pops up. And stretch \u201cassume data will be stolen\u201d planning to cover SaaS platforms too, since there\u2019s no encryption event there to trip an alert.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-5156534 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h3 class=\"elementor-heading-title elementor-size-default\">2. Supply Chain &amp; Third-Party Compromise<\/h3>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-766987a elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p><em><strong>The forecast here was straightforward:<\/strong><\/em> one compromised vendor keeps cascading across many downstream organizations.<\/p>\n<p>What actually happened diverged a bit from that script. Several of this year\u2019s biggest incidents ran through stolen OAuth tokens rather than a direct network breach at the vendor itself, a real change from the pattern that defined 2025.<\/p>\n<p>Take Vercel. Vercel\u2019s own security bulletin describes how an employee\u2019s Google Workspace OAuth token was compromised after a third-party AI tool called Context.ai was infected with Lumma Stealer malware back in February 2026. Attackers used that token to pivot into Vercel\u2019s internal systems and pull environment variables for a subset of customer projects<a href=\"https:\/\/fidelissecurity.com\/#citeref3\">[3]<\/a>.<\/p>\n<p>Then in June, a breach at SaaS provider Klue traced back to something almost embarrassingly mundane: a four-year-old prototype credential nobody had ever revoked. Klue\u2019s own incident disclosure explains how attackers used it to harvest OAuth tokens linking Klue\u2019s customers to Salesforce<a href=\"https:\/\/fidelissecurity.com\/#citeref4\">[4]<\/a>.<\/p>\n<p>The named victims read like a who\u2019s-who of cybersecurity vendors, Huntress, Recorded Future, Tanium, Jamf, and each confirmed on its own that business contact and sales data had been exposed. Huntress\u2019s own account of its investigation adds specifics Klue\u2019s post doesn\u2019t cover, naming the root cause as a long dormant credential Klue had created to prototype a third-party integration it later abandoned<a href=\"https:\/\/fidelissecurity.com\/#citeref5\">[5]<\/a>.<\/p>\n<p>Neither incident started with a network breach. Both started with a credential nobody remembered to kill. Every third-party app with access to core systems needs an owner, an expiration date, and periodic re-authorization, not indefinite standing access.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-42abdbc elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h3 class=\"elementor-heading-title elementor-size-default\">3. AI-Enabled Social Engineering<\/h3>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-1a5b735 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>The forecast expected AI voice cloning and generative phishing to push <a href=\"https:\/\/fidelissecurity.com\/cybersecurity-101\/cyberattacks\/business-email-compromise-bec\/\">BEC<\/a> losses higher.<\/p>\n<p>It did, and the FBI\u2019s own numbers make the case better than any vendor report could. The 2025 Internet Crime Report put total US cybercrime losses at $20.877 billion, up 26% year over year. Business email compromise losses climbed to $3.046 billion across 24,768 complaints, up from $2.77 billion in 2024, which is a strange combination: fewer people reporting attacks, but far more money lost per incident. This was also the first year in the IC3\u2019s 25-year history that AI-enabled fraud got its own line item: 22,364 complaints, $893 million in losses<a href=\"https:\/\/fidelissecurity.com\/#citeref6\">[6]<\/a><a href=\"https:\/\/fidelissecurity.com\/#citeref7\">[7]<\/a>.<\/p>\n<p>AI-assisted fraud isn\u2019t some future risk anymore. It\u2019s already here, and payment verification, identity validation, and basic user awareness need to function as hard controls, not nice-to-haves.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-4b01b2a elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h3 class=\"elementor-heading-title elementor-size-default\">4. Industrial &amp; Critical Infrastructure Targeting<\/h3>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-7e3631f elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>The forecast held that manufacturing would stay the top industrial target, with ransomware increasingly hitting the enterprise systems that support operational technology (OT).<\/p>\n<p>Dragos put real numbers behind how much worse this got. Ransomware groups with reach into industrial organizations grew to 119 in 2025, up 49% from 80 the year before, hitting more than 3,300 organizations. Manufacturing absorbed more than two-thirds of that, again. But the number worth remembering is the dwell-time gap: organizations with real OT visibility caught and contained incidents in an average of 5 days. The industry-wide average was 42 days<a href=\"https:\/\/fidelissecurity.com\/#citeref8\">[8]<\/a>.<\/p>\n<p><em>(Note: Dragos is itself a competitor in the OT security space, so this is a direct link to a competitor\u2019s own report rather than third-party coverage of it. Flagging that trade-off explicitly since primary sourcing was the priority here.)<\/em><\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-4e8492f elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>Three genuinely new threat groups showed up in 2025: SYLVANITE, PYROXENE, and AZURITE. SYLVANITE hands off established footholds to a separate, older group called VOLTZITE for deeper OT work. PYROXENE goes after aviation, aerospace, defense, and maritime targets. AZURITE focuses on long-term OT data theft. VOLTZITE itself, meanwhile, got promoted to Stage 2 of the ICS <a href=\"https:\/\/fidelissecurity.com\/cybersecurity-101\/threat-detection-response\/what-is-a-cyber-kill-chain\/\">Cyber Kill Chain<\/a> after Dragos caught it manipulating engineering workstation software, pulling configuration files and probing what conditions would actually trigger a shutdown. KAMACITE spent the year mapping control loops across US infrastructure. ELECTRUM targeted distributed energy systems in Poland with what looked like deliberate attempts to affect real operational assets<a href=\"https:\/\/fidelissecurity.com\/#citeref8\">[8]<\/a>.<\/p>\n<p>Stop treating OT ransomware incidents as \u201cIT-only\u201d just because the compromised box happens to run Windows. Five days versus 42 is about as clean an ROI argument for OT visibility as you\u2019ll ever get.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-1b7ea38 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">Trends Still Developing<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-097ec97 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h3 class=\"elementor-heading-title elementor-size-default\">1. Virtualization &amp; Hypervisor Attacks<\/h3>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-79f7278 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>Exploitation of virtualization platforms kept going through the first half of 2026, though it\u2019s still more of a post-compromise escalation move than a way attackers first break in.<\/p>\n<p>Broadcom\u2019s own VMware security advisory, VMSA-2025-0004, disclosed <a href=\"https:\/\/fidelissecurity.com\/vulnerabilities\/cve-2025-22225\/\">CVE-2025-22225<\/a> in March 2025, an arbitrary-write flaw in ESXi that Broadcom said it had information suggesting was already being exploited as a zero-day.<\/p>\n<p>CISA later confirmed, by updating its Known Exploited Vulnerabilities catalog in February 2026, that ransomware groups were actively chaining this bug with related ESXi vulnerabilities to seize full control of hypervisors and encrypt everything they host in one shot, frequently getting in through a compromised VPN first. A related VMware vCenter vulnerability, CVE-2026-22719, made it onto CISA\u2019s catalog this year too<a href=\"https:\/\/fidelissecurity.com\/#citeref9\">[9]<\/a><a href=\"https:\/\/fidelissecurity.com\/#citeref10\">[10]<\/a>.<\/p>\n<p><em><strong>Worth watching:<\/strong><\/em> whether organizations actually start adopting vSphere\u2019s stricter execution-control and lockdown settings, and whether new VM-escape bugs keep surfacing at this same pace.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-f8e41c4 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h3 class=\"elementor-heading-title elementor-size-default\">2. Cloud &amp; Machine Identity Abuse<\/h3>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-31533eb elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>Machine identity abuse kept building momentum as organizations expanded their cloud footprint, automation, and AI workloads. It\u2019s shaping up to be one of the defining identity security problems of the year.<\/p>\n<p>SpyCloud\u2019s own 2026 Identity Exposure Report, released through the company\u2019s newsroom, recaptured 18.1 million exposed API keys and tokens from 2025 alone, spread across payment platforms, cloud infrastructure, developer ecosystems, and AI services, plus another 6.2 million credentials tied specifically to AI tools. Its recaptured identity dataset grew 23% year over year to 65.7 billion distinct records<a href=\"https:\/\/fidelissecurity.com\/#citeref14\">[14]<\/a>. The same report noted Europol\u2019s March 4, 2026 takedown of the Tycoon 2FA phishing-as-a-service platform, which had been enabling MFA-bypass attacks at scale, an operation SpyCloud says it supported with its own victim identity intelligence <a href=\"https:\/\/fidelissecurity.com\/#citeref14\">[14]<\/a>.<\/p>\n<p><em><strong>Worth watching here too:<\/strong><\/em><\/p>\n<p>whether AI agents start getting the same lifecycle governance as service accounts, and whether the CA\/Browser Forum\u2019s plan to shrink TLS certificate validity from 398 days down to 47 by 2029 actually forces broader automation of credential rotation, rather than just more manual busywork.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-d08cbaa elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">New Threat Trends That Emerged During H1 2026<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-5ebee5f elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>Two developments sit entirely outside the original six-theme forecast.<\/p>\n<p>AI infrastructure became a supply chain target in its own right. LiteLLM\u2019s own security bulletin lays it out: a threat actor group tracked as TeamPCP compromised the CI\/CD pipeline of the Trivy security scanner, which cascaded into maintainer credentials for LiteLLM itself, an AI gateway package used across a lot of agent frameworks and MCP servers. Two malicious package versions hit PyPI on March 24, 2026, and were pulled within roughly three hours. That\u2019s fast, but not fast enough; the payload had already grabbed cloud credentials, SSH keys, and Kubernetes secrets<a href=\"https:\/\/fidelissecurity.com\/#citeref12\">[12]<\/a>.<\/p>\n<p>Edge network appliances took a mass credential-harvesting hit. CISA\u2019s June 2026 advisory on the campaign now called FortiBleed describes large-scale credential theft against internet-facing Fortinet firewalls, putting the confirmed number at roughly 74,000 devices<a href=\"https:\/\/fidelissecurity.com\/#citeref13\">[13]<\/a>.<\/p>\n<p>Fortinet\u2019s own PSIRT team, in its June 19 blog post responding to the campaign, did not publish its own device count, but was explicit about the mechanism: the activity involved threat actors reusing credentials from earlier incidents and brute-forcing devices with weak password hygiene and no MFA enabled, not a new vulnerability<a href=\"https:\/\/fidelissecurity.com\/#citeref15\">[15]<\/a>.<\/p>\n<p>Independent researcher tracking, cited in third-party coverage of the campaign, put the device count higher than CISA\u2019s figure, though that number does not come from Fortinet itself. CISA and the UK\u2019s National Cyber Security Centre both issued guidance within days of disclosure.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-64e63b5 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">H2 2026 Predictions<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-a8d23ed elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\">\n<div class=\"elementor-widget-container\">\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Edge and perimeter appliances stay a leading ransomware entry point. FortiBleed made the case on its own: credential reuse and exposed management interfaces on perimeter devices remain exploitable at enormous scale without a single <a href=\"https:\/\/fidelissecurity.com\/vulnerabilities\/\">new vulnerability<\/a> entering the picture <a href=\"https:\/\/fidelissecurity.com\/#citeref13\">[13]<\/a><a href=\"https:\/\/fidelissecurity.com\/#citeref15\">[15]<\/a>. Patching doesn&#8217;t actually solve this, since credentials stolen before a patch stay valid after it. Rotate credentials after every patch as a mandatory step, enforce MFA on every VPN and admin account, and pull management interfaces off the public internet entirely. <\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Encryption-less SaaS extortion keeps growing as its own category, separate from traditional ransomware. Klue and the ShinyHunters Salesforce campaign both proved enterprise-scale damage doesn&#8217;t need an encryptor <a href=\"https:\/\/fidelissecurity.com\/#citeref1\">[1]<\/a><a href=\"https:\/\/fidelissecurity.com\/#citeref4\">[4]<\/a>. Backup-and-restore playbooks won&#8217;t help here; the exposure is stolen data moving through a trusted OAuth integration, not a locked-down system. Build a SaaS-specific incident response plan, and specifically go hunting for dormant, never-revoked integration credentials, the exact thing that sank Klue. <\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">More AI infrastructure compromises will follow the LiteLLM pattern. <br \/> Why: The same threat actor group had already hit other widely used developer tools in the days before the LiteLLM compromise. That&#8217;s a repeatable playbook, not a one-off.<a href=\"https:\/\/fidelissecurity.com\/#citeref12\">[12]<\/a> <br \/>Impact: AI gateway and agent-framework libraries concentrate API keys and cloud credentials, making them high-value targets even in attacks that have nothing to do with AI specifically. <br \/>Do this: Pin dependencies to exact, hash-verified versions, and start treating AI gateway libraries as high-privilege infrastructure that needs the same change controls as production secrets.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Ransomware keeps consolidating into fewer, more capable brands. The top 10 groups&#8217; share of victims climbed from 57% to 71% in two quarters, with newcomers like The Gentlemen scaling fast by absorbing affiliates displaced from disrupted operations<a href=\"https:\/\/fidelissecurity.com\/#citeref1\">[1]<\/a>. <br \/>Fewer distinct attackers doesn&#8217;t mean less risk. Each one left standing tends to be more operationally mature and more likely to deliver working decryption, which can perversely push ransom payment rates up instead of down. Shift threat-intel spending away from chasing group names and toward the shared initial-access techniques, stolen VPN credentials and vishing chief among them, that feed the entire top-10 cohort.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">OAuth token governance becomes a named factor in a major breach disclosure. <br \/> Why: Two of this year&#8217;s largest incidents, Vercel\/Context.ai and Klue, both traced back to OAuth token compromise, not network intrusion<a href=\"https:\/\/fidelissecurity.com\/#citeref3\">[3]<\/a><a href=\"https:\/\/fidelissecurity.com\/#citeref4\">[4]<\/a>. <br \/>Impact: Expect future disclosures to name specific dormant or over-permissioned OAuth grants as root cause, which will pull more scrutiny toward SaaS app marketplaces and integration review generally. <br \/> Do this: Build a full inventory of every OAuth grant across the SaaS estate, revoke anything with no API traffic in the past 90 days, and require periodic re-authorization for high-scope grants instead of letting them sit indefinitely. <\/span><\/p><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-726178a elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">Enterprise Priorities for H2 2026<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-a988945 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>If there\u2019s one thread running through enterprise cybersecurity trends this year, it\u2019s that identity, not the perimeter, is now the control point that matters.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-6dcd89d elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\">\n<div class=\"elementor-widget-container\">\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Inventory every third-party OAuth app authorized against SaaS platforms. A forgotten credential caused two of this year&#8217;s largest breaches.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Put internet-facing appliances on a fixed credential-rotation schedule instead of waiting for a CVE to force the issue. FortiBleed ran entirely on reused, never-rotated logins.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Pin AI infrastructure dependencies to hashed, exact versions. The CI\/CD-to-package-registry attack pattern has already shown up more than once this year.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Fix IT\/OT segmentation now. The five-day-versus-42-day detection gap says everything about whether visibility investment actually pays off.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Make out-of-band verification mandatory for payment changes and credential resets. The FBI&#8217;s own data shows AI-enabled fraud losses are real and climbing.<\/span><\/p>\n<p>\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-icon\"><br \/>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span><br \/>\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text\">Build a SaaS-specific breach response plan that doesn&#8217;t assume every extortion event has to involve encryption, because plenty in 2026 didn&#8217;t.<\/span><\/p><\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-60614e1a content-align-cta-default elementor-widget elementor-widget-eael-cta-box\">\n<div class=\"elementor-widget-container\">\n<div class=\"eael-call-to-action cta-basic bg-img cta-preset-1\">\n<p class=\"title eael-cta-heading\"><span class=\"eael-cta-title-text elementor-repeater-item-4182408\">Our customers detect<\/span> <span class=\"eael-cta-title-text elementor-repeater-item-49f9954\">post-breach attacks over<\/span> <span class=\"eael-cta-title-text elementor-repeater-item-bb4e738\">9x Faster<\/span> <\/p>\n<p>Detect Advanced Threats Before Damage Escalates TrustedCybersecurity Leader for 20+ YearsSee why security teams choose us over other solutions<a href=\"https:\/\/fidelissecurity.com\/get-a-demo\/\" class=\"cta-button cta-preset-1  \">Request a Demo<\/a><a href=\"https:\/\/fidelissecurity.com\/resource\/demo\/fidelis-elevate-in-action\/\" class=\"cta-button cta-secondary-button \">See Fidelis in Action<\/a>\t<\/p><\/div>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-e30f71c elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<h2 class=\"elementor-heading-title elementor-size-default\">Conclusion<\/h2>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-3cfe7fd elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n<p>Line up the most reliable data points from the first half of 2026, the FBI\u2019s own report, CISA\u2019s advisories, the primary disclosures from Vercel and LiteLLM, and one pattern keeps repeating: some credential, token, or account carried more standing trust than anyone had actually accounted for. Ransomware groups didn\u2019t multiply so much as consolidate into fewer, sharper operations. Supply chain risk stopped being mainly about vendor networks and became mainly about OAuth tokens instead. AI didn\u2019t even need a new technique to make social engineering more expensive per incident; it just made the old ones work better.<\/p>\n<p>Whatever the back half of 2026 brings, the organizations that come out ahead will be the ones treating every credential, human, machine, OAuth token, or AI agent alike, as something that needs active management rather than indefinite trust.<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-64bcb39 elementor-widget elementor-widget-heading\">\n<div class=\"elementor-widget-container\">\n<p class=\"elementor-heading-title elementor-size-default\">Citations:<\/p>\n<\/div>\n<\/div>\n<div class=\"elementor-element elementor-element-04b1e36 elementor-widget elementor-widget-text-editor\">\n<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/fidelissecurity.com\/#cite1\">^<\/a><a href=\"https:\/\/research.checkpoint.com\/2026\/the-state-of-ransomware-q1-2026\/\" target=\"_blank\" rel=\"noopener\">https:\/\/research.checkpoint.com\/2026\/the-state-of-ransomware-q1-2026\/<\/a><a href=\"https:\/\/fidelissecurity.com\/#cite2\">^<\/a><a href=\"https:\/\/www.breachsense.com\/ransomware-reports\/march-2026\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.breachsense.com\/ransomware-reports\/march-2026\/<\/a><a href=\"https:\/\/fidelissecurity.com\/#cite3\">^<\/a><a href=\"https:\/\/vercel.com\/kb\/bulletin\/vercel-april-2026-security-incident\" target=\"_blank\" rel=\"noopener\">https:\/\/vercel.com\/kb\/bulletin\/vercel-april-2026-security-incident<\/a><a href=\"https:\/\/fidelissecurity.com\/#cite4\">^<\/a><a href=\"https:\/\/klue.com\/blog\/an-update-on-recent-klue-security-incident\" target=\"_blank\" rel=\"noopener\">https:\/\/klue.com\/blog\/an-update-on-recent-klue-security-incident<\/a><a href=\"https:\/\/fidelissecurity.com\/#cite5\">^<\/a><a href=\"https:\/\/www.huntress.com\/blog\/klue-breach-investigation\" target=\"_blank\" rel=\"noopener\">https:\/\/www.huntress.com\/blog\/klue-breach-investigation<\/a><a href=\"https:\/\/fidelissecurity.com\/#cite6\">^<\/a><a href=\"https:\/\/www.fbi.gov\/news\/press-releases\/cryptocurrency-and-ai-scams-bilk-americans-of-billions\" target=\"_blank\" rel=\"noopener\">https:\/\/www.fbi.gov\/news\/press-releases\/cryptocurrency-and-ai-scams-bilk-americans-of-billions<\/a><a href=\"https:\/\/fidelissecurity.com\/#cite7\">^<\/a><a href=\"https:\/\/www.ic3.gov\/AnnualReport\/Reports\/2025_IC3Report.pdf\" target=\"_blank\" rel=\"noopener\">https:\/\/www.ic3.gov\/AnnualReport\/Reports\/2025_IC3Report.pdf<\/a><a href=\"https:\/\/fidelissecurity.com\/#cite8\">^<\/a><a href=\"https:\/\/www.dragos.com\/ot-cybersecurity-year-in-review\" target=\"_blank\" rel=\"noopener\">https:\/\/www.dragos.com\/ot-cybersecurity-year-in-review<\/a><a href=\"https:\/\/fidelissecurity.com\/#cite9\">^<\/a><a href=\"https:\/\/support.broadcom.com\/web\/ecx\/support-content-notification\/-\/external\/content\/SecurityAdvisories\/0\/25390\" target=\"_blank\" rel=\"noopener\">https:\/\/support.broadcom.com\/web\/ecx\/support-content-notification\/-\/external\/content\/SecurityAdvisories\/0\/25390<\/a><a href=\"https:\/\/fidelissecurity.com\/#cite10\">^<\/a><a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noopener\">https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog<\/a>\t\t\t\t\t\t\t\t<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>The post <a href=\"https:\/\/fidelissecurity.com\/threatgeek\/threat-intelligence\/2026-cybersecurity-forecast-mid-year-review\/\">2026 Cybersecurity Forecast: Mid-Year Review and H2 Threat Predictions<\/a> appeared first on <a href=\"https:\/\/fidelissecurity.com\/\">Fidelis Security<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Key Takeaways Ransomware concentrated hard: top 10 groups now claim 71% of victims, up from 57%. Supply chain attacks shifted to stolen OAuth tokens instead of network breaches. AI-enabled fraud hit $893M in the US, inside a record $20.877B cybercrime year. Manufacturing stays the top industrial target; ransomware reach grew 49% year over year. New [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8807,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-8806","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8806"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8806"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8806\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8807"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}