INC Ransomware, DragonForce in Teams, and a Splunk Zero-Day: Your UK SMB Threat Briefing for 19 June 2026
Three stories dropped in the last 24 hours. One is being actively exploited right now, confirmed by CISA. The other two represent a pattern that should worry anyone running a small business in the UK.
This is the threat briefing for 19 June 2026.
Story One: Splunk Has an Actively Exploited Zero-Day. Patch It Today.
CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities catalogue yesterday. That is the list of vulnerabilities that are not theoretical. They are being used against real targets, right now.
The vulnerability is in Splunk Enterprise. Splunk is a platform used to aggregate and analyse log data: it is the kind of tool that sits at the centre of a security monitoring setup. The flaw allows an unauthenticated attacker to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. No login required. No credentials to steal first.
If you run Splunk in your environment, or if your managed service provider does, this is not a “schedule a patch for next cycle” situation. CISA’s guidance is explicit: apply mitigations in accordance with vendor instructions, or discontinue use if mitigations are unavailable.
For most small businesses, Splunk is not a tool you run directly. But if your MSP or IT provider uses it to monitor your environment, the question to ask them today is simple: have you patched CVE-2026-20253?
If they do not know what you are talking about, that is a problem worth understanding.
Story Two: INC Ransomware Has Hit 830+ Victims. It Is a Franchise Operation.
Researchers published a detailed analysis of INC ransomware this week. The numbers are stark. Since launching in 2023, INC has claimed more than 830 victims. In 2026, it has become one of the most prolific criminal operations active anywhere.
INC operates as a ransomware-as-a-service platform: a criminal franchise. The developers build and maintain the ransomware tooling. Affiliates rent access, identify targets, execute attacks, and split the ransom proceeds with the developers. It is an industrialised model.
The sectors in the crosshairs include healthcare, manufacturing, and professional services. The attack vectors used by INC affiliates have included exploitation of known vulnerabilities in remote access tools, including CVE-2023-48788 in Fortinet FortiClient EMS and CVE-2023-3519 in Citrix NetScaler.
The relevance for UK small businesses is straightforward. You are not too small to be a target. You are the right size to be a target: large enough to have data worth encrypting, small enough to have gaps in your defences that an affiliate will find and exploit.
And the older CVEs in INC’s playbook are a signal. Unpatched systems are the entry point. That is a solvable problem.
Story Three: DragonForce Is Hiding Inside Microsoft Teams
DragonForce is a ransomware group that has been linked to attacks on UK retail targets. This week, researchers disclosed that DragonForce-affiliated actors have been observed using a custom remote access trojan called Backdoor.Turn to conceal their command-and-control traffic inside Microsoft Teams relay infrastructure.
Let that sit for a moment. The traffic between the attacker’s systems and the compromised machine is being routed through Microsoft’s own relay servers. To a network monitoring tool looking at traffic flows, it appears to be legitimate Microsoft Teams communication.
This is not an amateur technique. It is deliberate and effective. Standard firewall rules that block unknown external destinations will not catch this, because the destination is a Microsoft server.
For UK small businesses that rely on Microsoft 365 and Teams as core infrastructure, this matters for one specific reason: it demonstrates that attackers are actively investing in techniques that bypass the controls most small organisations have in place.
The question is not whether your firewall blocks suspicious IP addresses. The question is whether you have endpoint detection in place that can identify malicious behaviour on the device itself, regardless of where the traffic goes.
What This Pattern Actually Means
These three stories are not unconnected. They illustrate the same underlying dynamic.
Attackers are moving their malicious activity inside trusted infrastructure. Splunk is a security tool. Microsoft Teams is a collaboration tool. Trusted platforms, turned into attack vectors.
The implication for UK small businesses is that perimeter-based thinking, the idea that you can draw a line around your network and stop bad things crossing it, is increasingly inadequate on its own. When the malicious traffic looks identical to legitimate Microsoft traffic, the perimeter cannot distinguish them.
This does not mean the perimeter is worthless. It means it cannot be the only control you rely on.
Why This Gives You an Edge
Knowing this before your competitors do has practical value.
If you are a professional services firm, a healthcare provider, or a manufacturer, you operate in sectors that INC ransomware has explicitly targeted. Being able to demonstrate to clients and partners that you understand the current threat environment and have taken specific steps to address it is a differentiator.
Cyber Essentials certification covers five foundational controls. It will not stop a sophisticated DragonForce affiliate. But it closes the unpatched-system, default-credential, and uncontrolled-access gaps that INC affiliates exploit routinely. That certification, held and current, is a verifiable signal that you are not the easiest target on the street.
The businesses that understand the distinction between compliance and actual security are the ones that make genuinely informed decisions about where to invest.
Making the Business Case
If you need to have a conversation with a director or budget holder, three arguments carry weight right now.
First, the Splunk vulnerability is a CISA-confirmed active exploit. That is not a vendor warning. That is a government agency saying this is being used against real organisations today. If your monitoring tooling is unpatched, your visibility into your own environment is potentially compromised.
Second, INC ransomware’s attack vectors include vulnerabilities from 2023 that remain unpatched in many environments. A patch management programme that closes known vulnerabilities within a defined window directly reduces your probability of appearing on an affiliate’s target list.
Third, the Teams relay technique illustrates why endpoint detection matters alongside perimeter controls. A business that invests only in firewall rules and antivirus is defending against yesterday’s techniques. Endpoint detection and response, even in a basic managed form, gives you visibility at the device level where these attacks ultimately land.
What to Do Before Friday
- If your MSP or IT provider runs Splunk: Contact them today. Ask specifically whether CVE-2026-20253 has been patched. Do not accept a vague reassurance. Get a confirmation in writing.
- Check your patch currency: INC affiliates are exploiting CVEs from 2023. If your systems have outstanding patches older than 30 days, understand which ones, why they are outstanding, and what the plan is to close them.
- Ask about endpoint detection: If your current security setup is antivirus plus firewall, ask your IT provider whether you have any endpoint detection and response capability. The Teams relay technique bypasses network-level controls. Endpoint visibility is what catches it.
- Review your Microsoft 365 external access settings: DragonForce’s Teams abuse exploits the ability to communicate with external Teams tenants. If your organisation does not need external Teams federation, consider whether it should be disabled. Your IT provider can advise.
- Follow the show: If this briefing was useful, subscribe wherever you listen, leave a rating or review, drop a comment with your questions, and share it with someone running a business who needs to hear it. That is how this reaches the people it is actually for.