💼 M&A ACTIVITY
SailPoint buys Entro Security to own the non-human-identity layer of its Agentic Fabric [High]

Entro (Tel Aviv, founded 2022) builds non-human-identity (NHI) security: agentless discovery and protection of secrets, API keys, tokens, certificates and service/agent identities across 70+ cloud, CI/CD and SaaS sources, tying each credential back to its human owner and blast radius, with real-time anomaly detection (NHIDR). SailPoint (Nasdaq: SAIL) is folding it into its March-2026 Agentic Fabric to extend identity governance from human accounts into the machine and AI-agent identities that now outnumber them. ~$200M est. (undisclosed; per Calcalist); SailPoint's second Israeli buy after Savvy; close expected Q3 FY2027. Landed the same day as 1Password→Apono, underscoring an NHI land-grab where Oasis, Astrix (Cisco) and Apono are the contested ground.

Sources: SecurityWeek · SiliconANGLE

L30D summary (May 26 – Jun 25): 7 named deals, ~$4.62B+ disclosed. The Accenture→Dragos/runZero/NetRise $4.17B OT play (Jun 18) still dominates the dollar total; everything else is undisclosed-to-micro-cap. Theme unchanged and hardening: two capabilities now drive almost every deal, identity (SailPoint→Entro, 1Password→Apono, Quest→Anetac, Cisco→WideField) and AI-application security (A10→TrojAI), and within identity the centre of gravity has shifted decisively to non-human and AI-agent identities. OT/ICS software (Accenture) and MDR recurring-revenue tuck-ins (Cycurion→Secuvant) fill out the rest.

Source: SecurityWeek

⚠️ CRITICAL BREACHES & INCIDENTS
KDDI ISP email breach exposes up to 14.2M credentials across six Japanese providers [Critical]

Japanese telecom KDDI disclosed June 23 that a managed-email platform it runs for six ISPs — STNet, JCOM, Chubu Telecommunications, Nifty, BIGLOBE and KDDI Web Communications — was breached, potentially leaking up to 14,220,000 email addresses and passwords (some hashed/encrypted, some not). The attacker exploited a vulnerability in third-party software in the platform; KDDI detected and contained it June 17 and reported to Japan's Personal Information Protection Commission and the Ministry of Internal Affairs. KDDI's own core email runs separately and was unaffected. No actor has been named and the incident is not confirmed as ransomware; Nifty begins invalidating unverified passwords June 26. Because the exposed credentials allow direct mailbox login, the breach raises immediate phishing and account-takeover risk for millions of subscribers.

Sources: The Register · Infosecurity Magazine

One Medical (Amazon) confirms breach of legacy senior-patient records; ShinyHunters claims 8.8 TB [High]

Amazon-owned One Medical disclosed (June 17) unauthorized access to a third-party legacy file-storage system holding archived One Medical Seniors / Iora Health patient data: demographic and clinical records across nine US metros (Atlanta, Cape Cod, Charlotte, Piedmont Triad, Denver, Houston, Phoenix, Tucson, Seattle). Access occurred June 8-11 and was discovered June 13; the company deactivated the system, revoked access and rotated credentials, and will notify affected individuals by mail. ShinyHunters listed One Medical on its leak site June 18 claiming 8.8 TB exfiltrated with a June 22 deadline — 🟥 unverified, no proof samples, and the FBI has flagged the group for inflating claims. The affected-individual count is still undisclosed (Iora served ~39,000 patients in 2021). Healthcare data inherited through M&A on un-decommissioned legacy systems is the recurring theme.

Sources: HIPAA Journal · BankInfoSecurity

Icarus / Klue supply-chain breach: LastPass confirmed, leak site naming ~200 firms [High]

The Icarus extortion of Klue (Canadian market-intelligence SaaS) continues to widen. After its June 22 deadline lapsed, Icarus began publishing stolen Salesforce CRM data; LastPass confirmed June 24 that go-to-market contact records were exposed (vault/credential data unaffected). Confirmed downstream victims now total 12+ (LastPass, Huntress, Recorded Future, Tanium, Jamf, HackerOne, Snyk, Kudelski Security, Insurity, Gong, Sprout Social, OneTrust), and the Icarus leak site reportedly names ~200 companies with threatened daily releases. Root cause: a dormant prototype-integration credential at Klue let attackers push malicious code, harvest OAuth tokens, and query connected Salesforce orgs via the REST API (QueryMore to defeat the 2,000-record limit). New battle card today: [actors/icarus.md](./actors/icarus.md).

Sources: BleepingComputer · SecurityWeek

Bajaj Auto ransomware still developing; no actor, scale or leak-site listing 48h on [High]

India's largest two- and three-wheeler maker Bajaj Auto disclosed a ransomware attack that began ~08:00 IST June 23 (filed to CERT-In and SEBI). As of today there is still no named threat actor, ransom figure, exfiltration confirmation or DLS listing, and the company maintains containment was "successful", so this remains a developing item, not a confirmed data breach. It lands days after Tata Electronics (WorldLeaks, 630+ GB), reinforcing Indian manufacturing as a sustained ransomware target.

Sources: Economic Times · MediaNama

🔓 CRITICAL VULNERABILITIES
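A defender-side check for the Klue extraction pattern, as an added example (not Klue's, Salesforce's or this digest's own code): it aggregates Salesforce API event rows per connected app and session and flags sessions that page through large result sets with queryMore, raising severity when the client app is not in the org's integration inventory. The column set is an assumed simplified subset of Salesforce EventLogFile API rows, the client-app names and thresholds are assumptions, and the log lines are constructed.

```python
# Added example (not vendor or digest code): flag Salesforce API sessions that
# page through large result sets via queryMore, the pattern used against Klue's
# connected orgs. Field names are an assumed subset of EventLogFile 'API' rows.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log: a known integration doing small pulls, and an
# un-inventoried connected app paging past the 2,000-row batch limit.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED,SESSION_KEY
API,2026-06-22T01:10:02Z,005A1,Marketing Sync,query,Lead,150,s1
API,2026-06-22T01:15:44Z,005A1,Marketing Sync,query,Contact,80,s1
API,2026-06-22T02:00:01Z,005A2,Vendor Intel Connector,query,Contact,2000,s2
API,2026-06-22T02:00:03Z,005A2,Vendor Intel Connector,queryMore,Contact,2000,s2
API,2026-06-22T02:00:05Z,005A2,Vendor Intel Connector,queryMore,Contact,2000,s2
API,2026-06-22T02:00:07Z,005A2,Vendor Intel Connector,queryMore,Contact,1337,s2
"""

KNOWN_INTEGRATIONS = {"Marketing Sync"}  # connected apps your org has inventoried
QUERYMORE_THRESHOLD = 3  # assumption: 3+ pages in one session is a bulk pull
ROWS_THRESHOLD = 5000    # assumption: rows per session worth an analyst's look


def summarize_sessions(log_text):
    """Aggregate API events per (user, client app, session key)."""
    sessions = defaultdict(lambda: {"query": 0, "queryMore": 0, "rows": 0})
    for row in csv.DictReader(StringIO(log_text)):
        if row["EVENT_TYPE"] != "API":
            continue
        s = sessions[(row["USER_ID"], row["CLIENT_NAME"], row["SESSION_KEY"])]
        if row["METHOD_NAME"] in ("query", "queryMore"):
            s[row["METHOD_NAME"]] += 1
        s["rows"] += int(row["ROWS_PROCESSED"])
    return sessions


def find_bulk_extraction(log_text, known=KNOWN_INTEGRATIONS):
    """Sessions that page or pull past thresholds; unknown client app => high."""
    findings = []
    for (user, client, session), s in summarize_sessions(log_text).items():
        if s["queryMore"] < QUERYMORE_THRESHOLD and s["rows"] < ROWS_THRESHOLD:
            continue
        findings.append({
            "user": user, "client": client, "session": session,
            "queryMore_calls": s["queryMore"], "rows": s["rows"],
            "severity": "high" if client not in known else "medium",
        })
    return findings
```

Run it over a real EventLogFile export after mapping the column names, and feed the "high" findings into the OAuth-grant review the Icarus case argues for.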
CVE-2026-20245 · Cisco Catalyst SD-WAN Manager · command injection → root — 7th exploited SD-WAN zero-day of 2026 [Critical]

Mandiant detailed (June 24) an in-the-wild campaign against a communications service provider: the actor chained authentication-bypass zero-days (CVE-2026-20127 / CVE-2026-20182) to establish rogue "peering" connections, then exploited CVE-2026-20245 — insufficient input validation in the Manager/vManage CLI — by uploading a crafted file (`evil_tenant.csv`) to execute arbitrary commands and create a hidden root account named "troot." Attackers deleted files and restored configs to cover tracks. No workaround; the fix lands in a future SD-WAN Manager release. This is the seventh actively exploited SD-WAN zero-day Cisco has reported in 2026; SD-WAN management planes are now a standing nation-state-grade target.

Sources: Google Threat Intelligence / Mandiant · The Hacker News

CVE-2026-20230 · Cisco Unified CM · SSRF → root — webshells persist after patching [High]

A server-side request forgery flaw in the Unified CM WebDialer service (CVSS 8.6, rated Critical by Cisco for its root-access outcome). Threat-intel firm Defused confirmed (around June 24) automated Tor-routed sweeps deploying three-stage webshells. A patch has existed since June 3, but webshells survive the patch: any host exposed before remediation needs an active compromise assessment, not just an update.

Sources: SecurityWeek · Cisco PSIRT

CVE-2026-35273 · Oracle PeopleSoft PeopleTools · CVSS 9.8 — KEV-listed, ShinyHunters mass-extortion engine [Critical]

Carry-context: unauthenticated RCE exploited as a zero-day May 27–Jun 9 (predating Oracle's June 10 advisory), now in CISA KEV (added Jun 12, ransomware-flagged). Mandiant attributes active exploitation to ShinyHunters (UNC6240) and notified 100+ orgs (68% higher education, mostly US; University of Nottingham first confirmed). Treat any internet-exposed PeopleSoft `PSEMHUB`/integration gateway as presumed-compromised; patch on emergency timelines. See [actors/shinyhunters.md](./actors/shinyhunters.md).

Sources: Google Threat Intelligence · Rapid7

CVE-2026-45185 · Exim (GnuTLS builds) · CVSS 9.8 — unauthenticated RCE, still un-KEV'd [Critical]

Use-after-free in Exim 4.97–4.99.2 compiled with GnuTLS (STARTTLS + CHUNKING) allows unauthenticated RCE. Exim is the most-deployed MTA on the internet and vulnerable GnuTLS builds are common on Debian/Ubuntu. Fix: Exim 4.99.3; OpenSSL builds are unaffected. Still warrants emergency patching given the zero-auth bar.

Sources: BleepingComputer · XBOW

🚨 INTELLIGENCE AGENCY ALERTS & POLICY
CISA KEV June 23 quad hits its remediation deadline tomorrow (June 26) [High]

The three Ubiquiti UniFi OS flaws (CVE-2026-34908/909/910, all CVSS 10.0, chainable to full RCE per Bishop Fox) and the Lantronix EDS5000 OS-command-injection bug (CVE-2025-67038, CVSS 9.8, root) carry a June 26 federal deadline under BOD 26-04. UniFi fixes shipped May 2026 (Advisory 064); the Lantronix fix is firmware 2.2.0.0R1. No new KEV additions June 24-25.

Sources: CISA KEV · BleepingComputer

CISA BOD 26-04 (Risk-Based Vulnerability Management) [Critical]

BOD 26-04 remains the operative directive: a four-factor risk matrix (Asset Exposure + KEV + Exploit Automation + Post-Exploitation Impact) in which the highest-risk combination requires remediation within 3 days plus forensic triage. The same matrix is best practice for private-sector patch prioritisation.

Source: CISA BOD 26-04

Overdue KEV items still open

CVE-2026-20262 (Cisco Catalyst SD-WAN Manager, deadline Jun 29, still in window), CVE-2026-20253 (Splunk, CVSS 9.8, deadline Jun 21) and CVE-2026-28318 (SolarWinds Serv-U DoS, deadline Jun 19). The latter two are past deadline, putting non-compliant agencies into BOD 26-04 escalation.

Source: Help Net Security

🌐 THREAT ACTOR & CAMPAIGN ACTIVITY
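To make the matrix and the deadline tracking concrete, an added example (not CISA's own tooling) that counts the four BOD 26-04 factors for a finding, applies the directive's top-tier window of 3 days plus forensic triage, and checks the three open KEV items named above against the digest date (June 25, 2026). The lower-tier windows and the two sample findings (placeholder CVE ids) are assumptions for illustration only.

```python
# Added example (not CISA's tooling): rank findings with the BOD 26-04
# four-factor matrix and check KEV due dates against the digest date.
# Only the top-tier "3 days plus forensic triage" rule comes from the
# directive as summarised above; lower-tier windows are assumptions.
from datetime import date, timedelta

FACTORS = ("asset_exposure", "in_kev", "exploit_automation", "post_exploit_impact")
TODAY = date(2026, 6, 25)  # date of this digest
ASSUMED_DAYS = {3: 14, 2: 30, 1: 60, 0: 90}  # assumption: not in the directive


def risk_tier(finding):
    """Number of the four BOD 26-04 factors present for a finding (0-4)."""
    return sum(1 for f in FACTORS if finding.get(f))


def remediation_plan(finding, opened):
    """Due date and whether forensic triage is required, by tier.

    All four factors: remediate within 3 days and triage for prior compromise.
    Anything less falls into the assumed lower-tier windows."""
    tier = risk_tier(finding)
    days = 3 if tier == 4 else ASSUMED_DAYS[tier]
    return {"tier": tier, "due": opened + timedelta(days=days),
            "forensic_triage": tier == 4}


def kev_status(entries, today):
    """Label each KEV entry 'overdue' or 'in window' relative to today."""
    return {cve: ("overdue" if due < today else "in window")
            for cve, due in entries.items()}


# The three open KEV items named in the digest, with their deadlines.
OPEN_KEV = {
    "CVE-2026-20262": date(2026, 6, 29),  # Cisco Catalyst SD-WAN Manager
    "CVE-2026-20253": date(2026, 6, 21),  # Splunk
    "CVE-2026-28318": date(2026, 6, 19),  # SolarWinds Serv-U DoS
}

# Constructed findings (placeholder CVE ids): one internet-exposed, KEV-listed,
# auto-exploited, root-outcome bug; one exposed bug with no known exploitation.
FULL_RISK = {"cve": "CVE-EXAMPLE-1", "asset_exposure": True, "in_kev": True,
             "exploit_automation": True, "post_exploit_impact": True}
PARTIAL_RISK = {"cve": "CVE-EXAMPLE-2", "asset_exposure": True, "in_kev": False,
                "exploit_automation": False, "post_exploit_impact": True}
```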
DLS activity — June 24-25 (last 24-48h, ransomware.live RSS window):
- LockBit 5.0 [High]: remains the most active group in the overnight feed (33 fresh postings in the rolling window), consistent with its Q1 rebuild to global top-tier rank. Names mostly unverified; treat as claims. (ransomware.live)
- Qilin [High]: second-most active (19 recent / 1,947 all-time, still #1 by lifetime volume); posted ISOPLUS (Greece) today. (ransomware.live)
- Akira [High]: high tempo (10 recent / 1,531 all-time); JMS Southeast and Padget Technologies added to the June 25 batch. See [actors/akira.md](./actors/akira.md). (ransomware.live)
- Nova (ex-RALord) [High]: 15 recent postings, sustaining its May top-10 break. See [actors/nova.md](./actors/nova.md). (ransomware.live)
- Aur0ra / Stormous / Krybit [Medium]: mid-tier crews each adding several claims this window (Krybit posted Peru higher-ed `sansilvestre.edu.pe`); 🟥 unverified DLS claims, verify before treating as breaches. (ransomware.live)

APT / nation-state:

- Cisco SD-WAN intrusion (CVE-2026-20245, "troot") [Critical]: Mandiant's June 24 report on the seventh exploited SD-WAN zero-day of 2026 describes operator-grade tradecraft (rogue peering, hidden root account, anti-forensic config restoration) against a communications service provider, consistent with the persistent nation-state interest in carrier and SD-WAN management planes. (Google Threat Intelligence / Mandiant)
- Salt Typhoon (PRC) [High]: continues telecom-network expansion into South America with new implants (TernDoor, PeerTime, BruteEntry); part of the Chinese campaign that has touched 50+ telecoms across 42 countries in 2026. (SecurityWeek)

🌍 GEOPOLITICS
Analyst lens: how this week's cyber activity maps to state strategy. Defense · cyber · economics.
The SD-WAN management plane has become a standing nation-state objective, not an occasional target. [Critical]

Cisco's seventh exploited SD-WAN zero-day of 2026 — used here to plant a hidden "troot" account inside a telecom carrier with anti-forensic cleanup — shows adversaries treating network-orchestration software as durable infrastructure to own, the same pre-positioning logic behind Salt Typhoon's carrier campaign. The structural read: whoever controls the SD-WAN controller controls routing, peering and interception for everything behind it. For executives with multi-region connectivity, assume the management plane is a primary target, segment it off the general network, and demand carrier attestations on SD-WAN patch cadence.

A single ISP-platform breach can hand an adversary 14 million credentials without a zero-day. [High]

KDDI's loss of up to 14.2M email/password pairs across six Japanese ISPs — via a flaw in third-party software, not a novel exploit — is a reminder that telecom and ISP middleware concentrates national-scale identity data behind one vendor's security posture. The economic point for a multi-portfolio executive: credential-rich consumer platforms are now strategic targets whose compromise feeds the same bulk-credential economy that powers downstream state and criminal intrusion. Vendor concentration in identity-bearing services is a systemic risk worth pricing.

SaaS supply-chain trust is the soft underbelly of the identity-security boom. [High]

Icarus turned one dormant Klue integration credential into Salesforce access at ~200 firms — the same week the M&A market poured capital into non-human-identity tooling (SailPoint→Entro, 1Password→Apono). The contradiction is the story: enterprises are buying NHI governance while their actual exposure runs through un-inventoried third-party OAuth grants they don't control. The "so what": board-level third-party-risk programs must treat every connected SaaS integration as attack surface, and the NHI vendors winning consolidation dollars will be the ones that can actually discover and revoke these dormant grants at scale.

AI-found bugs and AI-driven defense keep compressing the patch window on both sides of the alliance line. [Medium]

The steady cadence of AI-assisted vulnerability discovery (Squidbleed, Exim, FFmpeg) and OpenAI's Patch-the-Planet defensive program continues to shorten the half-life of any internet-exposed service, while PRC's earlier GTG-1002 shows the offensive mirror. The economic consequence for executives is unchanged but intensifying: budget emergency-patch operations as a standing line item, because vulnerability discovery is now compute-bound and favors whoever fields the most models, a capability that tracks national AI-compute capacity.

Source: OpenAI