CyberWire Daily - The Klue is in the data trail.
Episode Date: June 22, 2026

Klue supply-chain attack impacts cybersecurity firms. Brand-new Prinz Eugen ransomware is surprisingly polished. ShinyHunters leak exposes sensitive data of 10,000 Council of Europe employees. Security agencies sound alarm over FortiBleed credential harvesting operation. Texas data breach affects hunting and fishing licensees. Microsoft ties Mastra AI supply chain attack to North Korean hackers. Vidar infostealer unveils new technique to defeat Chrome's encryption protections. Brazil investigates suspected hack of emergency alert system. We've got your Monday business brief. On today's Industry Voices, Dave Bittner sits down with Mike Britton, CIO of Abnormal AI, as they discuss "AI-Powered Attacks Are Now a Commodity." And not the kind of beats you want to drop.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On today's Industry Voices, we are joined by Mike Britton, CIO of Abnormal AI, discussing "AI-Powered Attacks Are Now a Commodity — And Most Organizations Don't Know It Yet." If you enjoyed this conversation and want to hear the full interview, listen here.

Selected Reading
Klue OAuth breach victim list grows as Icarus hackers claim attack (BleepingComputer)
Prinz Eugen ransomware: a deep dive into a new Go-based encryptor (ThreatDown by Malwarebytes)
Council of Europe Data Breach: ShinyHunters Makes 10,000 Employees' Records Permanent (Tech Times)
Global cybersecurity agencies warn of credential exposure in FortiBleed campaign targeting Fortinet firewalls, VPN gateways (Industrial Cyber)
Everything's bigger and better in Texas – even data breaches (The Register)
Microsoft links Mastra AI supply chain attack to North Korean hackers (BleepingComputer)
Inside Vidar's ABE Bypass: From Memory Scanning to APC Injections (Gen Digital)
Brazil probes emergency warning system after nationwide rogue alert (The Register)
Ent emerges from stealth with $100 million in seed funding. (N2K Pro Business Briefing)
Apple patches Beats Studio Buds flaw that could turn earbuds into a wiretap (Malwarebytes)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
AI is making phishing attacks faster, more convincing, and harder for people to spot,
and traditional security awareness and phishing training weren't designed for this level of attack.
Hoxhunt helps security teams prepare employees for the attacks they face every day,
with personalized phishing training that adapts to each employee and reduces risky behavior over time.
For IT and security leaders looking to strengthen their human layer of defense without adding more manual work, visit hoxhunt.com/cyberwire to learn more.
That's hoxhunt.com/cyberwire.
Klue supply chain attack impacts cybersecurity firms.
Brand new Prinz Eugen ransomware is surprisingly polished.
ShinyHunters leak exposes sensitive data of 10,000 Council of Europe employees.
Security agencies sound alarm over FortiBleed credential harvesting operation.
Texas data breach affects hunting and fishing licensees.
Microsoft ties Mastra AI supply chain attack to North Korean hackers.
Vidar infostealer unveils new technique to defeat Chrome's encryption protections.
Brazil investigates suspected hack of emergency alert system.
We've got your Monday business brief.
And on today's Industry Voices, Dave Bittner sits down with Mike Britton,
CIO of Abnormal AI, as they discuss "AI-Powered Attacks Are Now a Commodity."
And not the kind of beats you want to drop.
Today is Monday, June 22nd, 2026.
I'm Maria Varmazis, in for Dave Bittner today, and this is your CyberWire Intel Briefing.
Thanks for joining me today. Let's get into it.
First up, market intelligence platform Klue has confirmed a breach of its integration infrastructure,
leading to supply chain attacks affecting its enterprise customers.
Multiple cybersecurity firms were impacted by the incident,
including Huntress, Recorded Future, Tanium, and Jamf.
An increasing number of other organizations are disclosing that they were also affected,
including social media management tool Sprout Social,
sales intelligence platform Gong, and insurance software provider Insurity.
Klue stated,
"Our investigation determined that an attacker gained access
through a compromised legacy credential associated with an integration service.
The attacker used that access to obtain OAuth tokens
used to connect Klue with certain third-party platforms, including Salesforce,
and subsequently accessed data within a number of connected customer environments."
ReliaQuest, which discovered the attack, said in its analysis,
"The attacker authenticated to targets' Klue integration service accounts,
generated OAuth tokens, and ran what appear to be automated scripts
to pull large volumes of CRM records through the Salesforce REST API over roughly 24 hours,
including a concentrated burst of nearly 1,000 queries in 15 minutes
and sustained extraction windows lasting over six hours."
BleepingComputer reported late last week that the Icarus extortion group was behind the attack,
and the gang has since claimed responsibility on its leak site.
Huntress identified technical evidence
indicating with high confidence that Icarus' claims are legitimate.
It's legitimate.
Researchers at ThreatDown are tracking a new Go-based ransomware family called Prinz Eugen
that's unusually sophisticated for a nascent strain of ransomware.
ThreatDown says the encryptor is built with enough care to prioritize high-pressure files,
verify encrypted output, remove originals when instructed, and reduce forensic recovery opportunities before exiting.
The malware doesn't drop a ransom note on the infected system,
and instead moves ransom negotiations to a separate channel
in order to minimize forensic evidence.
Notably, the ransomware prioritizes recently modified files,
which ThreatDown says are most likely to be in active use.
Think of open documents, current databases,
recently saved project files, fresh email archives,
and they are the least likely to have a recent backup.
The Council of Europe is investigating a major breach
claimed by the ShinyHunters extortion group, which says it stole nearly 300 gigabytes of sensitive employee data.
The leaked information reportedly includes payroll records, bank account details, tax documents,
personnel files, and medical information belonging to more than 10,000 current and former staff members.
After an apparent ransom deadline passed without payment, the attackers published the data and threatened wider distribution through torrent networks.
Researchers have linked the incident to a broader campaign exploiting a zero-day vulnerability in Oracle PeopleSoft,
highlighting the lasting risks posed by breaches of HR systems.
Cybersecurity agencies in the United States, Canada, Australia, and New Zealand are warning organizations
about an ongoing credential theft campaign known as FortiBleed, which is targeting Fortinet firewalls and VPN gateways.
Researchers uncovered a database containing credentials associated with
roughly 74,000 internet-facing FortiGate devices across 194 countries.
Investigators say that attackers used large-scale brute force attacks, harvested VPN
authentication data, and cracked password hashes to gain access to corporate networks,
in some cases moving deeper into Active Directory environments.
Fortinet maintains the exposed data stems largely from previous compromises, rather than
a new vulnerability, but security experts are urging organizations
to rotate credentials, enable multi-factor authentication,
review logs for suspicious activity,
and assume potential compromise if affected.
The Texas Parks and Wildlife Department, or TPWD,
has disclosed that one of its vendors
sustained a data breach affecting more than 3 million Texans.
The unnamed vendor handles the state's sale
of hunting and fishing licenses,
and the breach affected customers who obtained licenses through the vendor.
A scroll web page on the incident states
"the investigation indicates that an unauthorized actor may have obtained driver's license information,
passport numbers if provided, email addresses, phone numbers, and residential addresses."
It's unclear, though, when the unauthorized access began.
The TPWD says that it was notified by Texas Cyber Command on May 13, 2026.
The TPWD is offering one year of free credit monitoring for victims,
noting that many of its own staff were affected by this breach.
Microsoft says a recent supply chain attack targeting the Mastra AI development framework was carried out by Sapphire Sleet,
which is a North Korean threat group, also known as Blue Noroff.
According to Microsoft's investigation, the attackers compromised an npm maintainer account
and used it to push malicious updates to more than 140 software packages used by developers who are building AI applications.
The malware was designed to steal credentials, authentication tokens,
and cryptocurrency wallet data from infected systems.
Microsoft also linked a separate npm compromise earlier this year to the same group,
suggesting a broader campaign targeting software supply chains and developer ecosystems.
Researchers at Gen Digital have uncovered a new browser theft technique used by the Vidar infostealer
to bypass Google's Application-Bound Encryption, or ABE,
a security feature designed to protect cookies, passwords, and authentication tokens in Chrome
and other Chromium-based browsers.
Rather than attacking encrypted data stored on disk,
Vidar creates a snapshot of a running browser,
scans memory for Chrome's master decryption key,
and then uses code injection techniques
to decrypt it inside the browser's own process.
The result is access to sensitive browser data
without breaking Chrome's encryption directly.
Brazilian authorities are investigating a suspected hack
of the nation's emergency alert system
after an unauthorized alert was sent to users
across five states, including residents of São Paulo, Rio de Janeiro, and Brasília,
according to a report from the Register.
The messages, which were sent through the Defesa Civil Nacional's platform for severe weather alerts,
contained the single word "misanthropia," a leetspeak version of the Portuguese word for misanthropy.
The country's national telecommunications agency, Anatel, said in a statement,
"there is currently no reason for concern on the part of the population as a result of the messages received."
The government has taken the alert system offline in the meantime to investigate the incident.
And it is Monday, so that means it's time for our Monday Business Brief.
Now last week's business breakdown highlights just over $700 million raised in eight investments and five acquisitions.
For investments, NinjaOne, the U.S.-based IT visibility and management platform, raised over $400 million in Series C extensions.
With this expansion funding, NinjaOne is looking to further accelerate how the company builds and scales its products for its partners
as they continue to incorporate AI into its platform roadmap and market expansion efforts.
In acquisitions, Rubrik, the U.S.-based security and data intelligence firm, acquired Strata.
By acquiring the identity orchestration firm, Rubrik is looking to expand its identity resilience offerings
to ensure that authentication can still continue even during recovery processes.
And that wraps up this week's business breakdown.
For deeper analysis on major business moves shaping the cybersecurity landscape,
make sure to subscribe to N2K Pro and check out thecyberwire.com every Wednesday for the latest updates.
Now, stick around after the break.
In our Industry Voices segment, Dave Bittner sits down with Mike Britton,
CIO of Abnormal AI, to discuss why AI-powered attacks have become a commodity
and why many organizations still don't realize just how accessible these threats have become.
And that's not the kind of beat you want dropping. Stay with us.
When it comes to mobile application security, good enough is a risk. A recent survey shows that
72% of organizations reported at least one mobile application security incident last year,
and 92% of responders reported threat levels have increased in the past two years.
GuardSquare delivers the highest level of security for your mobile apps
without compromising performance, time to market, or user experience.
Discover how GuardSquare provides industry-leading security for your Android and iOS apps
at www.guardsquare.com.
What's the one thing in business that's spreading as fast as AI?
AI risk. Every new tool your team signs up for, every vendor that turns on AI features, every new
integration, each one creates another opportunity for something to go wrong. And most security
programs just weren't built for AI's pace of growth. Enter Vanta. Vanta is the number one
agentic trust platform, used by more than 16,000 fast-moving companies like Ramp, Cursor, and Harvey
to help ensure they're always audit-ready.
And now, Vanta is helping companies watch for the risks that show up between audits,
across vendors, AI tools, and their entire environment.
The Vanta agent works like a 24-7 GRC engineer in the background,
finding issues, drafting fixes, and cutting vendor assessment time by up to 50%.
Whether you're a fast-growing startup or a global enterprise,
Vanta is here to help you automate your security and compliance and earn and prove trust.
Get started today at vanta.com/cyber. That's v-a-n-t-a dot com slash cyber.
In our Industry Voices segment, Dave Bittner sits down with Mike Britton,
CIO of Abnormal AI, to discuss why AI-powered attacks have become a commodity and why many
organizations still don't realize just how accessible these threats have become.
Here's their conversation.
There's a big hype machine.
So you hear things around, oh, there's a deep fake video or attackers are using AI.
And I think part of the problem is a lot of security leaders continue to see the non-AI stuff
and it's very pervasive.
I like to say that if I'm a bad guy or even a good guy, if something simple works, why do
I need to be more complicated?
So you still see the broad breadth of attacks are still, you know, largely unsophisticated, largely
traditional things that we've seen.
But it's easy to
make the assumption because
I see a lot of something that I've seen
for years and years that that's everything.
And I think that can
sometimes be a misconception. I think
part of it is the newer, more sophisticated
attacks and techniques
that are leveraging AI.
They may be slipping through the current control set.
I've seen people describe
today's attack ecosystem as being productized. I'm curious, do you agree with that label, and why is that distinction
important? Yeah, and I think if you zoom out a little bit and just talk in general about where we
are technology-wise, especially in this age of AI, one of the interesting things and one of the
reasons I believe things are moving so much faster and things like Moore's law are really
not relevant anymore is most of the new technology, the frontier models, things
like that. They've, they've all been, it essentially doesn't require any level of skill or
knowledge or understanding. It's, it's very much at your fingertips. It's, you know, natural language,
plain, plain language gets great results. The attackers are doing the same thing. It's, it's,
it's like anything else. They run a business. They want more customers to have a bigger set of
customers. I need to make it easy. We're seeing some of that with phishing as a service.
There's a phishing-as-a-service threat actor that we've seen.
We've talked about it, Evil Tokens.
It's also known as Cali 365, and they've rebranded again.
But essentially, they provide a SaaS platform to their customers, which are people that
want to do bad things, so much so that they have subscription models, they have a marketplace,
they have affiliate program.
If you want to do referrals, you can get credits.
They make it really easy.
It really looks like a legitimate SaaS product that somebody might use for marketing or leads for legitimate purposes.
You know, reading through your research on these groups like Venom and, as you say, Evil Tokens,
one of the things that caught my eye was you pointed out their capability to do things like bypass MFA and automate parts of business email compromise.
What does that tell us about where the innovation is focused today?
From the attacker's point of view,
what sort of things are they really centered on working through?
If you go back and look at how things were done from an attacker's perspective,
it was largely spray and pray.
I'm going to send out a single type of attack,
and I'm going to hit a broad audience.
And if I get one in a million, then that's a good ROI.
And the other aspect of AI that's really helpful is I can target.
I can comb through mountains of data and find the right targets,
and I can do it effortlessly.
So in the old days, if I wanted to find CFOs or account payable
for certain types of industries and companies,
I would have to go do a lot of manual searching.
I would use Google.
I would use LinkedIn.
Now with LLMs, I can largely automate that.
I can do that at scale. I can find my victims. I mean, we've talked about for years spear phishing.
It's dangerous because it's targeted. It's not just a broad brush. And if I know, you know,
your role within the organization, I know people that you engage with, I know your history.
I can easily correlate and collate things from the internet in seconds. Then that allows me to put
some very powerful phishing emails out there. It allows me to really tailor my attacks to
increase the likelihood that you'll be social engineered.
Is it fair to say that accessibility is really a big part of the story here that, you know,
it's not so much the sophistication of the technology.
It's that anyone willing to pay for it has access to these tools.
Oh, 100%.
And I like to give the analogy of we always fear the nation states because they are the, you know,
they have the means, they have the knowledge, they have the capabilities.
And the reality of it is most organizations aren't going to be targeted by a nation state.
But when you look at AI, it almost shifts all the playing field up a degree.
So your financial criminals, you're, you know, you're Eastern European,
your Nigerian, the ones that are looking for financial gain, you know,
these tools give them the ability to operate like a nation state.
And then you look at your, I'll use a very old term, script kiddies,
the folks that have some level of knowledge, but, you know,
they're good at executing a script, they don't really understand it.
Now those guys are operating to the level of a financial criminal.
And then what you've really done is you've opened up this whole marketplace for the bad guys
to individuals that didn't have the knowledge, didn't have the technology, didn't have the means,
and now all you really need is the intent.
All you really need is I want to go take advantage of someone and try to make money off of this.
And now there are tools and SaaS platforms out there for wannabe criminals to take advantage of it.
And so, you know, that population, it's like anything else.
If that population was 100 threat actors, you know, in previous years, now it could be 10,000
because there's almost, you know, zero, zero barriers to entry into this space for an attacker.
Yeah, I was reading through your '26 attack landscape report.
And it struck me, some of the broader trends around business email compromise and vendor email compromise.
Can you take us through some of the things that you all highlighted in that report?
The reality of it is, and I think there's a few reasons why, email continues to be, you know, a major vehicle for having success from a cyber criminal perspective.
And there's a couple reasons why.
One, every organization, regardless of size, whether you're a one-person company or you have a million employees, that's the one common denominator that folks can communicate with other organizations.
So you can communicate with your customers, you can communicate with your suppliers, you can communicate with other organizations.
It's the least common denominator across every entity.
The second factor, and there's probably larger meta-type conversations around this,
but the reality of it is everybody still transacts through email.
Everybody still sends an invoice.
Everybody does processing of invoices and things like that through email.
And so it's a great vehicle for an attacker.
If I'm sitting in your inbox, I've compromised your account,
and I see that you pay this vendor, or I happen to compromise an AP person, or an accounts receivable person, and they're getting invoices
from certain people. It just enables me to go turn around and social engineer them. And then
finally, the other problem or, you know, just the result of how things have always been is
if you think about any sort of system account that you reset or SaaS platform that you're on,
if you do a forgot my password or things like that, almost all of them send that back through
email. So once again, if I'm an attacker and I'm in your mailbox, I could reset passwords and other
things and I can get those emails delivered to me. And that's a great opportunity for me to have
lateral movement. It's also a way for me to phish you because I know that you use certain tools and
technologies within your organization. So I send look-alike emails that look like a password reset or
a, you know, SharePoint link or a DocuSign. And so really, we're seeing
these attacks, they're not slowing down. You look at even things that aren't Abnormal. You look at
IC3, which is the FBI's, and they come out with their annual report every March. And the
numbers keep going up and to the right. Are there common things that you and your colleagues are
tracking here in terms of where the defenders are coming up short? Are they underestimating the scale
of automation that the attackers can use? What sort of things are you tracking? I think it's difficult
because, you know, there's a lot of good things about the security industry.
I think the security industry as a whole does a really good job with information sharing.
You know, I've been parts of trust groups for years.
I think there's a lot of valuable collaboration that goes on.
But I think fundamentally, two things.
I think one, we're sometimes very slow to innovate.
So if I use legacy email security and it's worked for years and, you know, it's served me well,
I assume it's always going to serve me well.
And so I'm very slow to ever pivot off of that.
Hey, they've been a trusted provider for me throughout the years,
and it's very hard to sometimes take into consideration
that the attackers have changed techniques
and the playing field has changed.
So sometimes we as an industry are very slow
to look at new ways to solve old problems.
I think that's part of it.
And then I think fundamentally,
the other problem is, while it is the biggest problem, I think it's also, you know,
it's the one that's most likely to cause financial loss. I think we also kind of, and I say we,
security leaders and CSOs oftentimes look at it and throw their hands up. And I've heard
this before of, hey, it stops 90% of the problems. It's an unsolvable problem. So I'm just willing to
accept that I'm going to fail 10% of the time.
And I've got other problems to go solve.
I've got other risks.
And so if that was the only problem in my program, then great.
I'd go invest more money or I'd go try something different.
Do you have any advice for the security professionals who are trying to plan out their next 12
months or so, trying to look toward the horizon?
Any insights or words of wisdom there?
Yeah, my biggest words of wisdom is kind of back to the Moore's Law thing.
If you're planning 12 months in advance,
we're seeing things move so much faster these days.
Just yesterday, Fable came out.
It's been right around six months or so
since Opus came out from Anthropic.
And so these models and capabilities
are moving so quickly that I would really encourage,
and I know it's probably not in the wheelhouse
for most executives,
but I would try to at least do your planning by the quarter. I would make sure you, you know, yes, you probably need something
from an annual plan, but I would also be willing to be a little bit more flexible and pivot.
I wouldn't lock things in and say, you know, this is set in stone for the next 12 months.
I would say this is set in stone for the next quarter and we're going to continue to review
and iterate and evolve this as, you know, the technology and the risks change.
That was Mike Britton, CIO of Abnormal AI, speaking with Dave Bittner about why AI-powered attacks have become a commodity.
To hear the full conversation, head to our show notes to find the link to the Abnormal AI Knowledge Partner page, where you will find the complete interview.
Most environments trust far more than they should, and attackers know it.
ThreatLocker solves that by enforcing default deny at the point of execution.
With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave,
and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your
environment is free of misconfigurations and clear visibility into whether you meet
compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the
operational pain. It's powerful protection that gives CISOs real visibility, real control,
and real peace of mind.
ThreatLocker makes zero trust attainable,
even for small security teams.
See why thousands of organizations
choose ThreatLocker to minimize alert fatigue,
stop ransomware at the source,
and regain control over their environments.
Schedule your demo at threatlocker.com/N2K today.
Staples preferred business membership,
built for busy business owners,
because you've got bigger things to think about.
With Staples Preferred, get free delivery.
No minimums.
Staples Preferred unlocks up to 3% back.
Plus 10% savings on print and exclusive wireless offers.
One less thing on your plate.
Actually, a lot less.
Visit staples.ca/preferred.
That was easy.
And finally, if you've ever worried that your earbuds were listening to you,
well, for a brief moment, that concern wasn't entirely fictional.
Yeah, Apple has patched a vulnerability in its Beats Studio Buds that could have
allowed a nearby attacker to listen through the earbuds' microphone. The flaw affected devices
that were actively in Bluetooth pairing mode, allowing an attacker within range to potentially
impersonate a legitimate device and connect before the pairing process was complete. The vulnerability
was tracked as CVE-2025-2701 and was tied to Bluetooth chips
made by Airoha.
Researchers found that when combined with other flaws in the same component, an attacker could
potentially eavesdrop through headphone microphones, extract pairing keys, impersonate trusted
headphones, and even enable additional attacks against a connected phone.
But before you toss your earbuds in the nearest lake, there is some good news here.
The attack wasn't exactly easy.
It required specialized hardware, software, technical expertise, and close physical proximity to the
target. And Apple has already released a firmware update to fix this issue. Still, it is a fun reminder
that in 2026, even your earbuds occasionally need a security patch, because apparently the only
thing scarier than hearing someone else's playlist is someone else hearing yours.
And that's the CyberWire Daily, brought to you by N2K CyberWire. For links to all of today's stories,
check out our Daily Briefing at thecyberwire.com.
We'd love to know what you think of our podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like this show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's lead producer is Liz Stokes.
We're mixed by Tré Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm your host, Maria Varmazis,
in for Dave Bittner this week.
Thanks for listening. We'll see you tomorrow.
Hey y'all, it's Kelly Clarkson with Wayfair.
Ever order furniture online and wonder what if?
Like, what if it doesn't hold up?
That sofa was four days old.
You should have ordered from Wayfair.
With Wayfair, there's no what if.
Just style you love and quality you can trust.
Visit Wayfair.ca.cair, every style, every home.
