The CyberWire Daily Podcast 6.22.26
Ep 2577 | 6.22.26

The Klue is in the data trail.

Transcript

Klue supply-chain attack impacts cybersecurity firms. Brand-new Prinz Eugen ransomware is surprisingly polished. ShinyHunters leak exposes sensitive data of 10,000 Council of Europe employees. Security agencies sound alarm over FortiBleed credential harvesting operation. Texas data breach affects hunting and fishing licensees. Microsoft ties Mastra AI supply chain attack to North Korean hackers. Vidar infostealer unveils new technique to defeat Chrome's encryption protections. Brazil investigates suspected hack of emergency alert system. We got your Monday business brief. On today’s Industry Voices, Dave Bittner sits down with Mike Britton, CIO of Abnormal AI, as they discuss "AI-Powered Attacks Are Now a Commodity." And not the kind of beats you want to drop.

Today is Monday, Jun 22, 2026. I’m Maria Varmazis, in for Dave Bittner. And this is your CyberWire Intel Briefing.

Klue supply-chain attack impacts cybersecurity firms.

Market intelligence platform Klue has confirmed a breach of its integration infrastructure, leading to supply-chain attacks affecting its enterprise customers. Multiple cybersecurity firms were impacted by the incident, including Huntress, Recorded Future, Tanium, and Jamf. An increasing number of other organizations are disclosing that they were affected, including social media management tool Sprout Social, sales intelligence platform Gong, and insurance software provider Insurity.

Klue stated, "Our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service. The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments."

ReliaQuest, which discovered the attack, said in its analysis, "The attacker authenticated to targets’ Klue integration service accounts, generated OAuth tokens, and ran what appear to be automated scripts to pull large volumes of CRM records through the Salesforce REST API over roughly 24 hours, including a concentrated burst of nearly a thousand queries in 15 minutes and sustained extraction windows lasting over 6 hours."
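The ReliaQuest description above (a trusted integration identity minting OAuth tokens and then pulling CRM records in a burst of nearly a thousand queries in 15 minutes, followed by extraction windows lasting over 6 hours) is exactly the shape of activity a SOC can look for in API access logs. The following is an added detection example, not code from Klue, ReliaQuest or Salesforce: it runs a sliding-window burst check and a sustained-activity check over constructed log lines. The log line format, the user names, and the thresholds (500 queries per 15 minutes, 6 hours of near-continuous activity with gaps under 5 minutes) are assumptions chosen to mirror the figures quoted in the story; tune them to your own baseline.

```python
"""Burst and sustained-extraction checks over constructed API access lines.

Added example for this transcript. The line format, identities and
thresholds are assumptions, not Klue, ReliaQuest or Salesforce artifacts.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed line format: "<ISO8601 UTC> user=<id> method=<verb> path=<url-path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) path=(?P<path>\S+)")


def parse_line(line):
    """Return (timestamp, user, path) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["path"]


def build_sample_log():
    """Constructed sample: an integration identity that fires a 950-query burst
    inside 15 minutes and then pulls steadily for 7 hours, next to a human
    user with ordinary, sparse activity. Not real log data."""
    base = datetime(2026, 6, 18, 2, 0, 0, tzinfo=timezone.utc)
    query = "method=GET path=/services/data/v60.0/query"
    lines = []
    for i in range(950):                       # burst: 950 queries within ~14 minutes
        t = base + timedelta(seconds=(i * 9) // 10)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=klue-int@corp.example {query}")
    start = base + timedelta(minutes=20)       # steady pull: one query every 30 s for 7 h
    for i in range(7 * 120):
        t = start + timedelta(seconds=30 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=klue-int@corp.example {query}")
    for i in range(20):                        # human: 20 queries, one every 40 minutes
        t = base + timedelta(minutes=40 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=alice@corp.example {query}")
    return lines


def group_events(lines):
    """Map user -> list of query timestamps (non-query paths are ignored)."""
    by_user = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, path = parsed
        if "/query" in path:
            by_user[user].append(ts)
    return by_user


def peak_window_count(times, window=timedelta(minutes=15)):
    """Largest number of requests falling inside any sliding window of `window` length."""
    q = deque()
    best = 0
    for t in sorted(times):
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        best = max(best, len(q))
    return best


def longest_sustained(times, max_gap=timedelta(minutes=5)):
    """Longest span of activity in which consecutive requests are at most `max_gap` apart."""
    times = sorted(times)
    if not times:
        return timedelta(0)
    best = timedelta(0)
    run_start = times[0]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > max_gap:
            best = max(best, prev - run_start)
            run_start = cur
    return max(best, times[-1] - run_start)


def detect(lines, burst_threshold=500, sustained_threshold=timedelta(hours=6)):
    """Return {user: [reasons]} for identities whose query pattern looks like bulk extraction."""
    findings = {}
    for user, times in group_events(lines).items():
        reasons = []
        peak = peak_window_count(times)
        sustained = longest_sustained(times)
        if peak >= burst_threshold:
            reasons.append(f"burst: {peak} queries inside a 15-minute window")
        if sustained >= sustained_threshold:
            reasons.append(f"sustained extraction window of {sustained}")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in detect(build_sample_log()).items():
        print(user, "->", "; ".join(reasons))
```

Two things the example deliberately keys on rather than on request volume alone: the burst check catches the short, scripted spike, and the sustained check catches the slow-and-steady pull that would stay under a per-window threshold. Because the integration identity is authenticating legitimately with valid OAuth tokens, the credential itself raises no alarm; the access pattern is what differs from a human user's.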

BleepingComputer reported late last week that the Icarus extortion group was behind the attack, and the gang has since claimed responsibility on its leak site. Huntress identified technical evidence indicating with "high confidence" that Icarus's claims are legitimate.

Brand-new Prinz Eugen ransomware is surprisingly polished.

Researchers at ThreatDown are tracking a new Go-based ransomware family called "Prinz Eugen" that's unusually sophisticated for a nascent strain of ransomware. ThreatDown says the encryptor is "built with enough care to prioritize high-pressure files, verify encrypted output, remove originals when instructed, and reduce forensic recovery opportunities before exiting." The malware doesn't drop a ransom note on the infected system, and instead moves ransom negotiations to a separate channel in order to minimize forensic evidence.

Notably, the ransomware prioritizes recently modified files, which ThreatDown says are "most likely to be in active use (open documents, current databases, recently saved project files, fresh email archives) and the least likely to have a recent backup."

ShinyHunters leak exposes sensitive data of 10,000 Council of Europe employees.

The Council of Europe is investigating a major breach claimed by the ShinyHunters extortion group, which says it stole nearly 300 gigabytes of sensitive employee data. The leaked information reportedly includes payroll records, bank account details, tax documents, personnel files, and medical information belonging to more than 10,000 current and former staff members. After an apparent ransom deadline passed without payment, the attackers published the data and threatened wider distribution through torrent networks. Researchers have linked the incident to a broader campaign exploiting a zero-day vulnerability in Oracle PeopleSoft, highlighting the lasting risks posed by breaches of HR systems.

Security agencies sound alarm over FortiBleed credential harvesting operation.

Cybersecurity agencies in the United States, Canada, Australia, and New Zealand are warning organizations about an ongoing credential-theft campaign known as FortiBleed, which is targeting Fortinet firewalls and VPN gateways. Researchers uncovered a database containing credentials associated with roughly 74,000 internet-facing FortiGate devices across 194 countries. Investigators say attackers used large-scale brute-force attacks, harvested VPN authentication data, and cracked password hashes to gain access to corporate networks, in some cases moving deeper into Active Directory environments. Fortinet maintains the exposed data stems largely from previous compromises rather than a new vulnerability, but security experts are urging organizations to rotate credentials, enable multi-factor authentication, review logs for suspicious activity, and assume potential compromise if affected.

Texas data breach affects hunting and fishing licensees.

The Texas Parks and Wildlife Department (TPWD) has disclosed that one of its vendors sustained a data breach affecting more than 3 million Texans. The unnamed vendor handles the state's sale of hunting and fishing licenses, and the breach affected customers who obtained licenses through the vendor. A Kroll webpage on the incident states, "The investigation indicates that an unauthorized actor may have obtained driver license information, passport numbers (if provided), email addresses, phone numbers and residential addresses."

It's unclear when the unauthorized access began; the TPWD says it was notified by Texas Cyber Command on May 13, 2026. The TPWD is offering one year of free credit monitoring for victims, noting that many of its own staff were affected by the breach.

Microsoft ties Mastra AI supply chain attack to North Korean hackers.

Microsoft says a recent supply chain attack targeting the Mastra AI development framework was carried out by Sapphire Sleet, a North Korean threat group also known as BlueNoroff. According to Microsoft's investigation, the attackers compromised an npm maintainer account and used it to push malicious updates to more than 140 software packages used by developers building AI applications. The malware was designed to steal credentials, authentication tokens, and cryptocurrency wallet data from infected systems. Microsoft also linked a separate npm compromise earlier this year to the same group, suggesting a broader campaign targeting software supply chains and developer ecosystems.

Vidar infostealer unveils new technique to defeat Chrome's encryption protections.

Researchers at Gen Digital have uncovered a new browser-theft technique used by the Vidar infostealer to bypass Google's Application-Bound Encryption, or ABE, a security feature designed to protect cookies, passwords, and authentication tokens in Chrome and other Chromium-based browsers. Rather than attacking encrypted data stored on disk, Vidar creates a snapshot of a running browser, scans memory for Chrome's master decryption key, and then uses code injection techniques to decrypt it inside the browser's own process. The result is access to sensitive browser data without breaking Chrome's encryption directly. 

Brazil investigates suspected hack of emergency alert system.

Brazilian authorities are investigating a suspected hack of the nation's emergency alert system after an unauthorized alert was sent to users across five states, including residents of São Paulo, Rio de Janeiro, and Brasilia, the Register reports. The messages, which were sent through the Defesa Civil Nacional's platform for severe weather alerts, contained the single word "misantropi4," a leetspeak version of the Portuguese word for "misanthropy."

The country's National Telecommunications Agency, Anatel, said in a statement, "There is currently no reason for concern on the part of the population as a result of the messages received." The government has taken the alert system offline to investigate the incident.

Monday business brief.

Last week’s Business Breakdown highlights just over $700 million raised in 8 investments and 5 acquisitions.

For investments, NinjaOne, the US-based IT visibility and management platform, raised over $400 million in Series C extensions. With this expansion funding, NinjaOne is looking to further accelerate how the company builds and scales its products for its partners as it continues to incorporate AI into its platform roadmap and market expansion efforts.

In acquisitions, Rubrik, the US-based security and data intelligence firm, acquired Strata. By acquiring the identity orchestration firm, Rubrik is looking to expand its Identity Resilience offerings to ensure that authentication can continue even during recovery processes.

And that wraps up this week’s Business Breakdown. For deeper analysis on major business moves shaping the cybersecurity landscape, subscribe to N2K Pro and check out TheCyberWire.com every Wednesday for the latest updates.


Stick around after the break. In our Industry Voices segment, Dave Bittner sits down with Mike Britton, CIO of Abnormal AI, to discuss why AI-powered attacks have become a commodity—and why many organizations still don't realize just how accessible these threats have become. And that's not the kind of Beats you want dropping. Stay with us.

In our Industry Voices segment, Dave Bittner sits down with Mike Britton, CIO of Abnormal AI, to discuss why AI-powered attacks have become a commodity—and why many organizations still don't realize just how accessible these threats have become. Here's their conversation. 

That was Mike Britton, CIO of Abnormal AI, speaking with Dave Bittner about why AI-powered attacks have become a commodity. To hear the full conversation, head to our show notes to find the link to the Abnormal AI Knowledge Partner page where you'll find the complete interview.

Not the kind of beats you want to drop.

And finally, if you've ever worried that your earbuds were listening to you... well, for a brief moment, that concern wasn't entirely fictional.

Apple has patched a vulnerability in its Beats Studio Buds that could have allowed a nearby attacker to listen through the earbuds' microphone. The flaw affected devices that were actively in Bluetooth pairing mode, allowing an attacker within range to potentially impersonate a legitimate device and connect before the pairing process was complete.

The vulnerability, tracked as CVE-2025-20701, was tied to Bluetooth chips made by Airoha. Researchers showed that, when combined with other flaws in the same component, an attacker could potentially eavesdrop through headphone microphones, extract pairing keys, impersonate trusted headphones, and even enable additional attacks against a connected phone.

Before you toss your earbuds in the nearest lake, there's some good news: the attack wasn't easy. It required specialized hardware, software, technical expertise, and close physical proximity to the target.

Apple has already released a firmware update to fix the issue. Still, it's a fun reminder that in 2026, even your earbuds occasionally need a security patch—because apparently the only thing scarier than hearing someone else's playlist is someone else hearing yours.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m your host Maria Varmazis, in for Dave Bittner. Thanks for listening.