By the N2K CyberWire staff
Top stories.
- Klue supply-chain attack impacts cybersecurity firms.
- Tata Electronics and Bajaj Auto continue recovery from cyberattacks.
- CISA warns of actively exploited PTC and Cisco vulnerabilities.
- International operation disrupts Amadey and StealC malware infrastructure.
- Cal Water says Handala's hacking claims were overstated.
- Researchers publish a new analysis of FortiBleed.
Klue supply-chain attack impacts cybersecurity firms.
Market intelligence platform Klue has confirmed a breach of its integration infrastructure, leading to supply-chain attacks affecting its enterprise customers. Multiple cybersecurity firms were impacted by the incident, including Huntress, LastPass, Recorded Future, Tanium, and Jamf. An increasing number of other organizations are disclosing that they were affected, including social media management tool Sprout Social, sales intelligence platform Gong, and insurance software provider Insurity.
Klue stated, "Our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service. The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments." A Klue spokesperson told TechCrunch that the compromised legacy credential "was originally provided to a third-party in 2022, for a limited pilot."
ReliaQuest, which discovered the attack, said in its analysis, "The attacker authenticated to targets’ Klue integration service accounts, generated OAuth tokens, and ran what appear to be automated scripts to pull large volumes of CRM records through the Salesforce REST API over roughly 24 hours, including a concentrated burst of nearly a thousand queries in 15 minutes and sustained extraction windows lasting over 6 hours."
BleepingComputer reported late last week that the Icarus extortion group was behind the attack, and the gang has since claimed responsibility on its leak site. Huntress identified technical evidence indicating with "high confidence" that Icarus's claims are legitimate.
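The extraction pattern ReliaQuest describes (a burst of nearly a thousand queries in 15 minutes, plus multi-hour extraction windows from one integration account) can be turned into a simple detection. The following is an added example, not code from ReliaQuest, Klue or Salesforce: it runs a sliding-window burst check and a session-length check over a constructed API request log; the log format, thresholds and account names are assumptions.

```python
"""Flag bulk CRM extraction by an integration account from API request logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_THRESHOLD = 500                # requests within one BURST_WINDOW from one account
BURST_WINDOW = timedelta(minutes=15)
SESSION_GAP = timedelta(minutes=5)   # a gap quieter than this ends a session
SUSTAINED = timedelta(hours=6)       # session length treated as sustained extraction
_T0 = datetime(2026, 6, 20, 2, 0, 0)
def _line(delta: timedelta, account: str) -> str:
    return f"{(_T0 + delta):%Y-%m-%dT%H:%M:%SZ},{account},/query"
# Constructed sample log, "<timestamp>,<account>,<REST resource>" per line: one account
# fires 900 queries in 15 minutes (burst); another pulls every 4 minutes for 7 hours.
SAMPLE_LOG = "\n".join(
    [_line(timedelta(seconds=i), "klue-integration@corp") for i in range(900)]
    + [_line(timedelta(hours=8, minutes=4 * k), "svc-bulk@corp") for k in range(106)]
)
def parse(log: str) -> dict[str, list[datetime]]:
    """Group request timestamps by account, sorted ascending."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, account, _resource = line.split(",", 2)
        events[account].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return {a: sorted(t) for a, t in events.items()}

def find_bursts(log: str) -> dict[str, int]:
    """Accounts whose peak request count in any 15-minute window meets the threshold."""
    hits = {}
    for account, times in parse(log).items():
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] >= BURST_WINDOW:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= BURST_THRESHOLD:
            hits[account] = peak
    return hits

def find_sustained(log: str) -> dict[str, float]:
    """Accounts with one continuous session (no gap >= SESSION_GAP) lasting 6+ hours."""
    hits = {}
    for account, times in parse(log).items():
        session_start, longest = times[0], timedelta(0)
        for prev, cur in zip(times, times[1:]):
            if cur - prev >= SESSION_GAP:
                session_start = cur                  # a new session begins here
            longest = max(longest, cur - session_start)
        if longest >= SUSTAINED:
            hits[account] = longest.total_seconds() / 3600
    return hits
```

Running both checks against the same log separates the two behaviours: the integration account trips the burst rule but not the session rule, and the slow-but-steady service account trips only the session rule.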
The research breaks at Black Hat first. Be there this August.
If you follow the research, you already know a lot of it breaks at Black Hat first. Hundreds of peer-reviewed Briefings, more than a hundred hands-on Trainings, and the largest Business Hall in Black Hat's history, across AI, cyber conflict, resilience, and identity. Six days in Las Vegas, August 1–6. Prices increase July 17. Register now with code CYBERWIRE for $200 off your Briefings pass.
Tata Electronics and Bajaj Auto continue recovery from cyberattacks.
Mumbai-headquartered Tata Electronics, a key supplier to Apple, Tesla, and leading chip manufacturers, has tightened internal security controls following a data breach that came to light earlier this week, Reuters reports. The World Leaks ransomware group leaked more than 200,000 files allegedly stolen from the company, including what appear to be internal design papers from Apple and Tesla. The authenticity of this data has not been independently verified, and Tata hasn't commented on the contents of the leak. Reuters says the company has since restricted remote access to sensitive internal tools, and Apple's security team is working with Tata on near- and long-term security measures.
Another Indian manufacturing giant, Bajaj Auto, has resumed operations after sustaining a ransomware attack this week, ET Auto reports. The company says its manufacturing, sales, and service activities are now operating normally.
Your crisis plan exists. But will it work under pressure?
Most organizations have a plan. Fewer have prepared for the decisions, tradeoffs, and uncertainty that come with a real crisis.
In a recent conversation with Dave Bittner, Courtney Guss of Semperis explains why compliance alone doesn't create resilience and how organizations can better prepare for the moments that matter most.
Listen now for practical guidance on strengthening your incident response program.
CISA warns of actively exploited PTC and Cisco vulnerabilities.
The US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) Catalog has listed a critical vulnerability affecting PTC's product lifecycle management tools Windchill and FlexPLM, SecurityWeek reports. The vulnerability (CVE-2026-12569) is an improper input validation flaw that can lead to remote code execution.
The agency also added a high-severity server-side request forgery (SSRF) vulnerability (CVE-2026-20230) in Cisco Unified Communications Manager that was observed being exploited this past weekend. Cisco released fixes for this flaw on June 3rd.
CISA has ordered Federal agencies to apply patches for both vulnerabilities by Sunday, June 28th.
International operation disrupts Amadey and StealC malware infrastructure.
A major law enforcement and industry operation disrupted infrastructure used by two leading strains of malware, Amadey and StealC, Europol announced this week. The operation focused on the cybercriminal supply chain, as Amadey and StealC are frequently used to stage additional attacks. Microsoft used AI-assisted analysis to determine that the two strains of malware relied on the same infrastructure, then used the RICO Act to obtain a legal basis to disrupt more than 200 command-and-control servers.
The effort was also assisted by ESET, BitSight, Lumen, IBM X-Force, Proofpoint, and Mitsui Bussan Secure Directions (MBSD), as well as law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States. The operation follows last week's disruption of the SocGholish malware operation by Dutch police.
Researchers publish a new analysis of FortiBleed.
SOCRadar has published an updated analysis of the FortiBleed campaign that has targeted more than 430,000 Fortinet FortiGate devices since February 2026. SOCRadar attributes the operation to a financially motivated Initial Access Broker (IAB), likely based in Russia.
The threat actor first gains administrative access to the FortiGate firewalls via credential stuffing and brute-force attacks, then deploys a tool dubbed "FortigateSniffer" that's designed to collect cleartext and hashed credentials from traffic passing through compromised devices. SOCRadar says this tool "abuses the FortiOS diagnose sniffer packet command across 24 protocols, distributed GPU cracking through Hashtopolis and Hashcat, and session-cookie replay for persistent access."
SOCRadar found that the FortiGuard campaign used FortigateSniffer and other tools to harvest more than 110 million credentials.