Confidential · 22 Jun 2026
🛡️ Daily Cybersecurity Briefing — 2026-06-22 (Monday)
Window: last 24–48h. Severity: 🔴 CRITICAL · 🟡 HIGH · 🟢 MEDIUM.
Threat level: HIGH · Victims L30D: 196 · Top actor: LockBit · M&A L30D: $4.17B
💼 M&A ACTIVITY
Cisco→WideField remains the latest named deal; board quiet through June 21-22 (Medium): Cisco's acquisition of WideField Security (undisclosed; identity and credential telemetry folded into Splunk's SOC automation) still anchors the June board. The monthly roundup has not yet published (month open), so more June names should surface as it closes. SecurityWeek
L30D summary (May 23 – Jun 22): 2 named deals tracked; ~$4.17B+ in disclosed value.
Biggest: 🔴 Accenture→Dragos (majority) + runZero + NetRise — ~$4.17B (Jun 18); ~$208M ARR, +53% YoY; closes Aug–Sep. OT security software at enterprise scale. SecurityWeek
Cisco→WideField Security: undisclosed (Jun); identity/credential telemetry for agentic SOC. SecurityWeek
Theme: OT/ICS software consolidation (Accenture→Dragos mirrors the ServiceNow→Armis dynamic) + identity as the Agentic SOC's binding layer. Platforms are acquiring depth, not adjacent capabilities.
⚠️ CRITICAL BREACHES & INCIDENTS
Texas Parks & Wildlife Dept. — 3.09M records via vendor breach (High): Third-party hunting/fishing licensing vendor exposed driver's licence numbers, passport numbers, email addresses, phone numbers, and residential addresses of 3,087,721 Texas hunters and anglers. No SSNs, DOB, or financial data. Breach detected May 13; formal notification June 12; public disclosure June 18-21. Attack vector, duration, and actor are unattributed. Largest government data breach in Texas in 2026. TechTimes · SC Media
Splunk CVE-2026-20253 — active exploitation confirmed (Critical): Unauthenticated RCE via the PostgreSQL Sidecar service in Splunk Enterprise 10.x (CVSS 9.8). PoC published June 12; active exploitation observed from ~June 15. CISA KEV deadline: June 21 (today). Federal agencies that have not patched are in BOD 22-01 breach. Affects AWS-hosted Splunk deployments where the sidecar is pre-installed. SecurityWeek · The Hacker News
🔓 CRITICAL VULNERABILITIES
CVE-2026-20253 · Splunk Enterprise · CVSS 9.8 (Critical): Pre-auth RCE, no credentials required. Affects versions 10.0.0–10.0.6 (fix: 10.0.7) and 10.2.0–10.2.3 (fix: 10.2.4). CISA KEV, federal deadline June 21. Patch or isolate the PostgreSQL Sidecar port immediately. SecurityWeek · CISA KEV
CVE-2026-54420 · LiteSpeed cPanel Plugin · CVSS 8.5 (High): Symlink following allows FTP/web-shell users to escalate to root on shared-hosting servers (CloudLinux/CageFS). KEV added June 15-16; federal deadline June 18 (past). Fix: upgrade to WHM Plugin v5.3.2.1. Shared-hosting providers and resellers at highest risk. The Hacker News · BleepingComputer
June 9 KEV trio — federal deadline June 23 (tomorrow) (High): Three vulnerabilities with active exploitation; BOD 22-01 agencies must patch by end of day June 23:
CVE-2026-7473 · Arista EOS · incomplete comparison → tunnel-traffic bypass
CVE-2026-11645 · Chrome V8 · OOB R/W → sandbox RCE via crafted page
CVE-2026-20245 · Cisco Catalyst SD-WAN Manager · output-encoding flaw → local RCE as root
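A small triage helper for the Splunk version ranges quoted above, added here as an example (it is not Splunk's, CISA's or the briefing's own tooling). It treats only the ranges the briefing lists as affected; the host names and versions in the sample inventory are constructed.

```python
"""Affected-version check for Splunk Enterprise CVE-2026-20253 (added example)."""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (first affected, last affected, fixed) exactly as quoted in the briefing.
# Versions outside these ranges (e.g. 10.1.x, 9.x) are reported as
# "not in a listed range", which is not the same as confirmed safe.
AFFECTED_RANGES = [
    ("10.0.0", "10.0.6", "10.0.7"),
    ("10.2.0", "10.2.3", "10.2.4"),
]


def parse_version(text: str) -> Version:
    """Turn '10.0.6' (or a build string like '10.0.6-abc123') into an int tuple."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    # Pad to three components so '10.0' compares like '10.0.0'.
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def required_fix(version_text: str) -> Optional[str]:
    """Return the fix version if the build is inside a listed affected range, else None."""
    v = parse_version(version_text)
    for low, high, fix in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fix
    return None


def triage(inventory: dict) -> dict:
    """Map host -> verdict for a {host: version} inventory."""
    verdicts = {}
    for host, ver in inventory.items():
        fix = required_fix(ver)
        verdicts[host] = f"PATCH to {fix}" if fix else "not in a listed affected range"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    sample = {"splunk-sh-01": "10.0.6", "splunk-idx-02": "10.2.4", "splunk-hf-03": "10.1.2"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```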
🚨 INTELLIGENCE AGENCY ALERTS & POLICY
CISA KEV deadline today (Jun 21): CVE-2026-20253 (Splunk RCE). Agencies that missed this are now overdue; non-remediation must be escalated per BOD 22-01 reporting requirements.
CISA KEV deadline tomorrow (Jun 23): June 9 trio (Arista EOS, Chrome V8, Cisco SD-WAN). Patch or apply mitigations by end of business.
CISA's FortiBleed hardening guidance remains the active directive (High): The June 18 guidance still stands: 86,644 FortiGate devices compromised with credentials exposed across 194 countries; treat any unhardened device as compromised. No new top-tier CISA/FBI/NSA advisory issued in the June 20-22 window. BleepingComputer
🌐 THREAT ACTOR & CAMPAIGN ACTIVITY
DLS activity — June 21 (last 24h):
Stormous+1: jaggroup.com — full corporate database (emails, AD domain logins) claimed; attack est. Jun 20. 🟥 Verify before treating as confirmed.
INC Ransom+1: jktornel — client data and proprietary files claimed Jun 21. 🟥 Unverified.
Nova+1: Lockers IT (Bangladesh IT company). 🟥 Unverified.
World_Leaks was the most active group in the prior 24h period (6 new victims); PEAR posted 4 new victims. Healthcare sector remains disproportionately targeted.
PEAR claim — Expert MRI (California): PEAR alleges 617GB exfiltrated from a California radiology provider; 209,560 patients' PHI (diagnoses, SSNs, DOB). 🟥 Attack dates to Aug 2025 — this is a resurfaced old incident, not a new breach. The PEAR DLS claim is recent; verify attribution before treating as a PEAR breach. Hookphish
Capability intelligence — The Gentlemen GentleKiller (ESET, Jun 17):
ESET published a detailed breakdown of GentleKiller, The Gentlemen's centrally maintained BYOVD EDR-killer suite. Eight variants; each abuses a different vulnerable/malicious driver (Kaspersky `eb.sys`, FACEIT Anti-Cheat, Valorant, Zemana WatchDog, Qihoo 360, IObit, PoisonX rootkit). Targets 400+ processes across 48 security products: CrowdStrike, SentinelOne, ESET, Microsoft Defender, Palo Alto, Sophos, Trend Micro, Bitdefender, Kaspersky. The group can operationalize newly published BYOVD PoCs within days of public GitHub release. This is a tier-1 threat capability; if The Gentlemen (currently #2 globally, 335 YTD claimed victims) is in your sector, assume EDR bypass is the default pre-encryption step. The Hacker News · ESET WeLiveSecurity
Leaderboard (unchanged — June still incomplete):
Qilin #1 (546 YTD, 335 L3M), The Gentlemen #2 (335 YTD), Akira #3 (184 L3M). May 2026 total: 646 victims (lowest of year; 61 groups). June monthly report pending.
🌍 GEOPOLITICS
Analyst lens: how this week's cyber activity maps to state strategy. Defense · cyber · economics.
China is buying persistent reach, not just secrets. (Critical) Salt Typhoon's expansion into South American telecom backbones (TernDoor, PeerTime, BruteEntry) is infrastructure positioning, not smash-and-grab espionage. Owning provider-edge routers gives Beijing durable signals access across the Global South at the same moment those states are weighing their next-generation telecom contracts. Treat it as pre-positioning for a contested decade, and assume allied carrier traffic transiting the region is exposed.
Russia is degraded, not deterred. (High) The DOJ/FBI takedown of APT28's SOHO-router network removes capacity, not intent. GRU tradecraft migrates to the next disposable infrastructure within weeks. The lesson for Western firms: enforcement raises the attacker's cost at the margin; it does not change your exposure.
OT security has become statecraft. (High) Accenture's $4.17B move on Dragos, runZero and NetRise is the private-sector echo of a policy shift. Post-Ukraine, critical-infrastructure resilience is treated as national security, and the primes are consolidating the capability. Expect procurement to follow, and OT due diligence to become a condition of capital rather than a nice-to-have.
Iran keeps buying asymmetric leverage cheaply. (High) Continued targeting of internet-exposed PLCs in US critical infrastructure is low-cost pressure calibrated to stay below the threshold of a kinetic response. It is a bargaining chip held in reserve, and it costs Tehran almost nothing to maintain.
The economic vector: exposure is repricing. (Medium) FortiBleed-scale credential exposure and 3-million-record breaches feed a tightening cycle in cyber-insurance and regulatory liability. For boards sitting across a portfolio, the question is moving from "are we compliant" to "what is our aggregate, correlated exposure when one edge vendor fails everywhere at once."
M&A activity (deal · disclosed value):
Accenture → Dragos (majority) + runZero + NetRise · $4.17B
Quest Software → Anetac · —
SailPoint → Entro Security · $200M
1Password → Apono · —