
Confidential · 24 Jun 2026

🛡️ Daily Cybersecurity Briefing — 2026-06-24 (Wednesday)

Window: last 24–48h. Severity: 🔴 CRITICAL · 🟡 HIGH · 🟢 MEDIUM.

Threat level: HIGH · Victims (L30D): 221 · Top actor: LockBit · M&A (L30D): $4.17B

💼 M&A ACTIVITY

Accenture's $4.17B OT-security play still anchors the month · 🔴 CRITICAL
Accenture is taking a majority stake in Dragos (valued $3.25B) and acquiring runZero (asset discovery / exposure management) and NetRise (firmware & supply-chain security) outright, moving from OT services into OT software. Dragos stays standalone; runZero and NetRise fold under it. Combined ~$208M ARR, +53% YoY; expected to close Aug–Sep 2026. The largest pure-play OT-security deal of the year.
Sources: SecurityWeek · Industrial Cyber

Cisco buys WideField Security to give Splunk an identity layer · 🟡 HIGH
WideField builds tooling that tracks identity and credential activity across sessions and maps how far a compromised account could reach (its "blast radius"). Cisco is folding it into Splunk's SOC automation, where identity context was the missing piece. Undisclosed; announced June.
Sources: SecurityWeek

Identity consolidation rolls on: 1Password→Apono, Quest→Anetac, A10→TrojAI · 🟡 HIGH
Three June identity/AI-security tuck-ins firm up as the names from the June roundup start landing. 1Password bought Israeli Apono (~$250–300M est.) for just-in-time access governance — granting and revoking least-privilege cloud permissions on demand for human, machine and AI-agent identities, extending 1Password from credential storage into runtime access control (its first Israel deal, ~80 staff). Quest Software (Clearlake) bought Anetac, which continuously discovers and risk-scores human, machine and agentic identities across Microsoft/AD/Entra. A10 Networks bought Canada's TrojAI (undisclosed; ex-Rapid7 exec Lee Weiner) — build-time AI red-teaming plus a runtime AI firewall (incl. MCP-agent protection) to pair with A10's hardware AI firewall for "sovereign AI security." The through-line: identity and AI-application security are the two capabilities every platform is racing to own.
Sources: SecurityWeek

Cycurion buys MDR provider Secuvant for $2.875M · 🟢 MEDIUM
Secuvant runs a co-managed SOC whose Panoptic platform does continuous threat-and-vulnerability monitoring with risk-based prioritisation. Cycurion (NASDAQ: CYCU), a small cyber/IT-services firm, is buying the recurring MDR revenue to move up-market into subscription SOC services for enterprise and government. $875K cash + ~$2.0M preferred stock, earn-outs through 2028; closed Jun 2, announced Jun 9. A micro-cap tuck-in, but a verified June name while the monthly roundup stays unpublished.
Sources: GlobeNewswire · StockTitan

L30D summary (May 25 – Jun 24): 6 named deals, ~$4.42B+ disclosed (the Accenture OT play dominates; the rest are undisclosed-to-micro-cap). Theme: two capabilities now drive almost every deal — identity (1Password→Apono, Quest→Anetac, Cisco→WideField) and AI-application security (A10→TrojAI), both increasingly framed around non-human and AI-agent identities; OT/ICS software consolidation (Accenture) and MDR recurring-revenue tuck-ins (Cycurion) fill out the rest. June names are now firming up as the roundup lands.
Sources: SecurityWeek

⚠️ CRITICAL BREACHES & INCIDENTS

Icarus publishes Klue victim data after deadline lapses — Huntress and others now leaked · 🟡 HIGH
Icarus (extortion group active since April 28, 2026) publicly claimed the Klue supply-chain breach on June 19 and, after its June 22 ransom deadline passed, began publishing stolen Salesforce CRM data on its leak site — Huntress is named among the first published sets. The breach traces to a dormant-but-active prototype-integration credential at Klue (Canadian market-intelligence platform); attackers pushed a malicious code update June 11-12 to harvest customer OAuth tokens and query connected Salesforce orgs directly. Confirmed downstream victims now total 12+: LastPass (disclosed today), Huntress, Recorded Future, Tanium, Jamf, HackerOne, OneTrust, Snyk, Kudelski Security, Insurity, Gong, Sprout Social. Data: business contacts, pricing, sales comms, opportunity notes. LastPass stresses vault/credential data is unaffected — only go-to-market CRM/contact records in Salesforce. Klue revoked tokens June 12; Salesforce disabled the Klue Battlecards app June 17; CrowdStrike engaged for IR. Status change since yesterday: from "deadline passed" to active publication, with LastPass the highest-profile name to confirm.
Sources: BleepingComputer · CyberInsider · BleepingComputer

Bajaj Auto hit by ransomware; second major Indian manufacturer in days · 🟡 HIGH
India's largest two- and three-wheeler maker Bajaj Auto (and subsidiary Bajaj Auto Technology Ltd) disclosed a ransomware attack that began ~08:00 IST June 23, filed to CERT-In and to SEBI/BSE under Regulation 30. The company says containment "has so far been successful"; no threat actor, ransom demand, data-exfiltration confirmation, or production impact has been disclosed, and no leak-site listing has surfaced yet — so scale is unknown and this is a developing item, not a confirmed data breach. Shares fell ~2% on June 24, the record date for its ₹5,632-crore buyback. Lands days after Tata Electronics (WorldLeaks, 630+ GB), underscoring that Indian manufacturing is now a sustained ransomware target.
Sources: Economic Times · MediaNama

June 23 DLS batch resolves into named victims across five groups · 🟡 HIGH
Yesterday's high-volume leak-site activity now maps to specific organisations: Aerospace & Advanced Composites GmbH (Austrian aerospace materials maker — Aur0ra), Belpointe Asset Management (US wealth management — INC Ransom), Canada Wide Media and GIA Partners LLC (The Gentlemen), BITS Pilani (Indian university — DragonForce), and Central Bank of Libya (Qilin). All are 🟥 unverified DLS claims — verify before treating as confirmed breaches. The spread across aerospace, finance, education, media, IT services and a national central bank illustrates the indiscriminate, sector-agnostic posture of mid-2026 extortion.
Sources: Breachsense · ransomware.live

24 billion credential records found in a single 8.3 TB open database · 🟡 HIGH
Cybernews researchers disclosed (June 24) a publicly exposed, unsecured database holding ~24 billion records — usernames, passwords and other account data aggregated from 36 sources: Telegram channels, prior breach compilations, infostealer-log collections, and some datasets apparently exported directly from live servers. It is largely a recompilation of existing leaks rather than a single new breach, but the consolidation makes credential-stuffing and account-takeover at scale trivial. The server was taken offline; ownership is unconfirmed. Net effect: another step-change in the cheap, bulk credential supply already noted below.
Sources: Malwarebytes · Cybernews

Aflac intrusion notification climbs to 22.7M people · 🟡 HIGH
The June 2025 Aflac social-engineering intrusion (attributed to Scattered Spider's insurance-sector campaign) now stands at ~22.7 million customers, beneficiaries, employees, and agents notified, with ≥13.9M records containing PHI — a modest upward revision as notification scope finalises. Remains one of the largest US insurance-sector exposures on record.
Sources: TechCrunch

🟥 Watch / do-not-recycle: Brightspeed / Crimson Collective
A roundup item resurfaced the Crimson Collective claim of 1M+ Brightspeed customer records. This is a January 2026 claim, not new (Telegram post Jan 4; Brightspeed never confirmed exfiltration of production data). Logged here only to prevent re-reporting it as a June event.
Sources: Malwarebytes · The Register

🔓 CRITICAL VULNERABILITIES

CVE-2026-47729 "Squidbleed" · Squid proxy · CVSS 6.5 — 29-year-old heap over-read leaks cleartext HTTP requests · 🟡 HIGH
Researchers at Calif.io disclosed (June 22-23) a heap over-read in the Squid web proxy that lets a client already permitted to use the proxy read another user's cleartext HTTP request — including Authorization headers, API keys, session tokens, and cookies. The bug lives in Squid's FTP directory-listing parser and traces to a 1997 NetWare fix; a whitespace-skipping loop walks past a string's null terminator. It is exploitable by a trusted client (low privilege, confidentiality-only impact), so the relevant exposure is shared-network deployments (schools, offices, public Wi-Fi). Fix merged to v7 in May; the cleaner mitigation is to disable FTP support, which removes the attack surface for free. No in-the-wild exploitation reported as of June 22.
Sources: The Hacker News · Calif.io · SecurityOnline

CVE-2026-35273 · Oracle PeopleSoft PeopleTools · CVSS 9.8 — exploited zero-day, now the engine of a ShinyHunters extortion spree · 🔴 CRITICAL
Context-correction (campaign ran May 27–Jun 9, predating Oracle's June 10 out-of-band advisory; not previously in this briefing): unauthenticated RCE in the PeopleSoft Environment Management component (`/PSEMHUB/hub`, `/PSIGW/HttpListeningConnector`). Mandiant/GTIG attribute active exploitation to ShinyHunters (UNC6240) and notified 100+ organisations with vulnerable endpoints — 68% higher education, mostly US; University of Nottingham is the first confirmed victim. TTPs: MeshCentral RAT (`azurenetfiles.net`), a `_fanout.sh` SSH-spray/defacement script, `zstd` exfiltration to the ShinyHunters DLS. This is the PeopleSoft flaw under active exploitation — distinct from CVE-2026-46850 below (CPU-patched, no confirmed ITW yet). Patch immediately; treat exposed PeopleSoft as presumed-compromised. New battle card: [actors/shinyhunters.md](./actors/shinyhunters.md).
Sources: Google Threat Intelligence · SecurityWeek · Rapid7
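A retro-hunt over web-server access logs for the two PeopleSoft management endpoints and the `_fanout.sh` / `azurenetfiles.net` artefacts named in the item above, added here as an illustration of the "presumed-compromised" check; it is not Oracle, Mandiant or Rapid7 tooling. The log lines are constructed, and the combined-log regex, the campaign window (May 27 to Jun 9, from the item) and the per-source roll-up are the example's own assumptions:

```python
"""Retro-hunt of web access logs for the PeopleSoft management endpoints and the
artefacts quoted in the CVE-2026-35273 item. Added example, not vendor tooling."""
import re
from datetime import date, datetime

# Indicators as quoted in the briefing item.
PEOPLESOFT_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")
ARTEFACTS = ("_fanout.sh", "azurenetfiles.net")
# Exploitation window reported for the campaign (May 27 to Jun 9, 2026).
CAMPAIGN_START, CAMPAIGN_END = date(2026, 5, 27), date(2026, 6, 9)

# Apache/nginx "combined" log layout; an assumption, adjust to your server's format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one external source probing the management endpoints inside the
# campaign window, an ordinary portal session, and a later probe that was blocked.
SAMPLE_LOG = """\
198.51.100.7 - - [30/May/2026:02:14:09 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [30/May/2026:02:14:11 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2026:02:15:40 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 77 "-" "curl/8.5.0"
198.51.100.7 - - [30/May/2026:02:16:02 +0000] "GET /tmp/_fanout.sh HTTP/1.1" 404 0 "-" "curl/8.5.0"
192.0.2.44 - - [15/Jun/2026:09:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 403 0 "-" "curl/8.5.0"
"""


def hunt(log_text: str) -> list[dict]:
    """Return one record per log line that touches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; count these separately in production
        path = m["path"].split("?", 1)[0]  # compare the path without its query string
        reasons = []
        if any(path.startswith(p) for p in PEOPLESOFT_PATHS):
            reasons.append("peoplesoft-management-endpoint")
        if any(a in line for a in ARTEFACTS):
            reasons.append("reported-campaign-artefact")
        if not reasons:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({
            "ip": m["ip"], "path": path, "status": int(m["status"]),
            "when": when.isoformat(),
            "in_campaign_window": CAMPAIGN_START <= when.date() <= CAMPAIGN_END,
            "reasons": reasons,
        })
    return hits


def by_source(hits: list[dict]) -> dict[str, dict]:
    """Per-source roll-up: hit count, whether any request got a 2xx, window overlap."""
    out: dict[str, dict] = {}
    for h in hits:
        s = out.setdefault(h["ip"], {"hits": 0, "succeeded": False, "in_window": False})
        s["hits"] += 1
        s["succeeded"] = s["succeeded"] or 200 <= h["status"] < 300
        s["in_window"] = s["in_window"] or h["in_campaign_window"]
    return out


if __name__ == "__main__":
    for ip, summary in by_source(hunt(SAMPLE_LOG)).items():
        print(ip, summary)
```

A source that reached a management endpoint with a 2xx inside the window is the case to escalate; a 403 after the patch window is noise worth keeping for attribution but not an incident on its own.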
CVE-2026-46850 · Oracle PeopleSoft · CVSS 9.9 — patch now, strong KEV candidate · 🔴 CRITICAL
From Oracle's June CPU (245 patches, 100 unauthenticated-RCE): the PeopleSoft RCE remains the standout. Not yet in CISA KEV but a prime candidate; prioritise rather than wait.
Sources: SecurityWeek · Tenable

CVE-2026-45185 · Exim (GnuTLS builds) · CVSS 9.8 — unauthenticated RCE, still un-KEV'd · 🔴 CRITICAL
Use-after-free in Exim 4.97–4.99.2 compiled with GnuTLS (STARTTLS + CHUNKING) allows unauthenticated RCE. Exim is the most-deployed MTA on the internet; vulnerable GnuTLS builds are common on Debian/Ubuntu. Fix: Exim 4.99.3. OpenSSL builds unaffected. Carry-over from June 23 — still warrants emergency patching given the zero-auth bar.
Sources: BleepingComputer · XBOW

CVE-2026-50656 "RoguePlanet" · Microsoft Defender · CVSS 7.8 — still no patch a week after Microsoft confirmed it · 🟡 HIGH
A race-condition flaw in Microsoft Defender lets a low-privileged local attacker spawn a SYSTEM-level command prompt on fully-updated Windows 10/11, reportedly even with real-time protection enabled — the security control itself becomes the privilege-escalation surface. Microsoft published the advisory June 17 and says a patch is still in development; it states it has not detected in-the-wild exploitation, though a public exploit by researcher "Chaotic Eclipse" (Nightmare-Eclipse) is circulating. No CVE fix yet — monitor for the out-of-band update and treat Defender hosts as having an open local-EoP path. Carry-context, not new today, but unpatched and therefore actionable.
Sources: Help Net Security · BleepingComputer

Credential-harvesting telemetry: 110M+ credentials captured since February 2026 · 🟡 HIGH
Open reporting around the June 23 news cycle flags a single threat actor that has amassed 110M+ credentials since at least February via infostealer/credential-attack infrastructure. Sits alongside the FortiBleed exposure (~86,644 FortiGate devices) as evidence that bulk credential supply, not novel exploits, is the dominant enabling layer for downstream intrusion. Treat exposed-credential hygiene (rotation, phishing-resistant MFA) as a frontline control.
Sources: The Hacker News
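Detection logic for the credential-stuffing that this bulk supply enables (the 24-billion-record dump in the incidents section and the 110M+ harvest above), added as an example rather than any vendor's rule: a sliding-window count of distinct usernames failing from one source, with a success following such a spray recorded as a suspect takeover. The log format, the thresholds and the sample lines are constructed assumptions:

```python
"""Credential-stuffing detection over authentication logs: a sliding window of distinct
usernames failing from one source, with a later success flagged as a possible takeover.
Added example; log format, thresholds and sample lines are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed one-line-per-attempt format: ISO timestamp, source, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: a genuine user mistyping once, a spray across six accounts from
# one source that ends in a success, and an unrelated single failure hours later.
SAMPLE_AUTH_LOG = """\
2026-06-24T08:00:01Z src=192.0.2.10 user=alice result=fail
2026-06-24T08:00:09Z src=192.0.2.10 user=alice result=ok
2026-06-24T08:01:00Z src=203.0.113.9 user=bob result=fail
2026-06-24T08:01:01Z src=203.0.113.9 user=carol result=fail
2026-06-24T08:01:02Z src=203.0.113.9 user=dave result=fail
2026-06-24T08:01:03Z src=203.0.113.9 user=erin result=fail
2026-06-24T08:01:04Z src=203.0.113.9 user=frank result=fail
2026-06-24T08:01:05Z src=203.0.113.9 user=grace result=ok
2026-06-24T09:30:00Z src=198.51.100.3 user=heidi result=fail
"""


def parse_events(log_text):
    """Parse lines into (timestamp, source, user, result), ordered by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m["src"], m["user"], m["result"]))
    events.sort(key=lambda e: e[0])  # collectors interleave sources; order by time first
    return events


def detect_credential_stuffing(log_text, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {source: finding} for sources that fail against at least
    min_distinct_users accounts inside any `window`. A successful login from such a
    source is recorded as a suspect takeover: that is the point where a bulk credential
    list becomes an incident rather than noise."""
    findings = {}
    recent = defaultdict(deque)  # source -> (ts, user, result) events inside the window
    for ts, src, user, result in parse_events(log_text):
        q = recent[src]
        q.append((ts, user, result))
        while ts - q[0][0] > window:  # evict events older than the window
            q.popleft()
        failed_users = {u for _, u, r in q if r == "fail"}
        if len(failed_users) >= min_distinct_users:
            f = findings.setdefault(src, {"distinct_failed_users": 0,
                                          "suspect_takeovers": [],
                                          "first_seen": q[0][0].isoformat(),
                                          "last_seen": ts.isoformat()})
            f["distinct_failed_users"] = max(f["distinct_failed_users"], len(failed_users))
            f["last_seen"] = ts.isoformat()
        if result == "ok" and src in findings and user not in findings[src]["suspect_takeovers"]:
            findings[src]["suspect_takeovers"].append(user)
    return findings


if __name__ == "__main__":
    for src, finding in detect_credential_stuffing(SAMPLE_AUTH_LOG).items():
        print(src, finding)
```

The distinct-user count, not the raw failure count, is what separates a spray from one person fumbling a password; tune the window and threshold to your own login volume, and route any `suspect_takeovers` entry straight to forced credential rotation and MFA re-enrolment for that account.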

🚨 INTELLIGENCE AGENCY ALERTS & POLICY

CISA adds four KEV entries June 23 as the June 9 trio hits its deadline · 🟡 HIGH
The June 23 catalog update added three Ubiquiti UniFi OS flaws (CVE-2026-34908/909/910) and a Lantronix EDS5000 OS-command-injection bug (CVE-2025-67038), all carrying a June 26 federal remediation deadline. Separately, the June 9 trio — CVE-2026-20245 (Cisco Catalyst SD-WAN Manager), CVE-2026-11645 (Chrome V8), CVE-2026-7473 (Arista EOS) — reached its deadline June 23; non-remediated agencies now escalate under BOD 26-04. The Cisco SD-WAN flaw is the seventh SD-WAN zero-day of 2026 in the KEV.
Sources: CISA KEV · The Hacker News · TechTimes

CISA BOD 26-04 (Risk-Based Vulnerability Management) · 🔴 CRITICAL
Remains the operative directive — supersedes BOD 22-01. Four-factor risk matrix (Asset Exposure + KEV + Exploit Automation + Post-Exploitation Impact); the highest-risk combination requires remediation within 3 days plus forensic triage. The same matrix is best practice for private-sector patch prioritisation.
Sources: CISA BOD 26-04

Overdue KEV items still open
CVE-2026-20253 (Splunk, CVSS 9.8, deadline Jun 21) and CVE-2026-28318 (SolarWinds Serv-U DoS, deadline Jun 19) — both past deadline; non-compliant agencies in BOD 26-04 escalation.
Sources: Help Net Security
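A deadline-triage pass over a KEV extract, added as an example (not CISA tooling) for the two catalog items above: entries in the field layout of the KEV JSON feed (a subset of its fields), populated only with the CVEs, vendors and due dates quoted in those items, are cross-checked against a constructed asset inventory and ranked by days to the federal due date as of 24 June 2026. The inventory, the three-day "due soon" window and the product strings are assumptions:

```python
"""Deadline triage over a KEV extract against a local asset inventory.
Added example; not CISA tooling."""
import json
from datetime import date

# Constructed extract in the field layout of the CISA KEV JSON feed (a subset of its
# fields). CVE ids and due dates are those quoted in the briefing; vendor/product strings
# are assumptions, not copied from the live catalog.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-34908", "vendorProject": "Ubiquiti", "product": "UniFi OS", "dueDate": "2026-06-26"},
    {"cveID": "CVE-2026-34909", "vendorProject": "Ubiquiti", "product": "UniFi OS", "dueDate": "2026-06-26"},
    {"cveID": "CVE-2026-34910", "vendorProject": "Ubiquiti", "product": "UniFi OS", "dueDate": "2026-06-26"},
    {"cveID": "CVE-2025-67038", "vendorProject": "Lantronix", "product": "EDS5000", "dueDate": "2026-06-26"},
    {"cveID": "CVE-2026-20245", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager", "dueDate": "2026-06-23"},
    {"cveID": "CVE-2026-11645", "vendorProject": "Google", "product": "Chrome V8", "dueDate": "2026-06-23"},
    {"cveID": "CVE-2026-7473", "vendorProject": "Arista", "product": "EOS", "dueDate": "2026-06-23"},
    {"cveID": "CVE-2026-20253", "vendorProject": "Splunk", "product": "Splunk", "dueDate": "2026-06-21"},
    {"cveID": "CVE-2026-28318", "vendorProject": "SolarWinds", "product": "Serv-U", "dueDate": "2026-06-19"},
]})

# Constructed asset inventory: vendorProject names present in our own estate.
INVENTORY = {"Ubiquiti", "Cisco", "Splunk"}
DUE_SOON_DAYS = 3  # assumption: anything due within three days is "due-soon"


def load_kev(text: str) -> list[dict]:
    """Parse the feed; the real download has the same top-level key."""
    return json.loads(text)["vulnerabilities"]


def triage(entries: list[dict], inventory: set[str], today: date) -> list[dict]:
    """Rank entries: products we run first, then by days to due date (overdue first)."""
    rows = []
    for e in entries:
        days = (date.fromisoformat(e["dueDate"]) - today).days
        if days < 0:
            status = "overdue"
        elif days <= DUE_SOON_DAYS:
            status = "due-soon"
        else:
            status = "scheduled"
        rows.append({
            "cve": e["cveID"], "vendor": e["vendorProject"], "product": e["product"],
            "due": e["dueDate"], "days_until_due": days, "status": status,
            "in_inventory": e["vendorProject"] in inventory,
        })
    rows.sort(key=lambda r: (not r["in_inventory"], r["days_until_due"], r["cve"]))
    return rows


def overdue_in_estate(rows: list[dict]) -> list[str]:
    """CVEs that are both past their due date and present in the inventory."""
    return [r["cve"] for r in rows if r["in_inventory"] and r["status"] == "overdue"]


if __name__ == "__main__":
    for r in triage(load_kev(KEV_JSON), INVENTORY, date(2026, 6, 24)):
        print(f'{r["cve"]:16} {r["vendor"]:11} due {r["due"]} ({r["days_until_due"]:+d}d) '
              f'{r["status"]:9} {"in-estate" if r["in_inventory"] else "-"}')
```

Matching on `vendorProject` is deliberately coarse; in practice the join key should be a CPE or an internal product id, because a vendor name alone (Cisco, say) covers products you may not run.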
OpenAI Daybreak / "Patch the Planet" continues · 🟢 MEDIUM
Carry-over from Jun 22-23: GPT-5.5-Cyber released to 30 vendors; AI-plus-human review found 5 exploitable Chrome V8 and 10+ Safari/WebKit bugs in week one across 19 open-source projects. The AI-assisted vuln-discovery trend (Squidbleed via Calif, Exim via XBOW, 21 FFmpeg zero-days via Depthfirst) is now a structural feature of the disclosure pipeline.
Sources: OpenAI · Trail of Bits

🌐 THREAT ACTOR & CAMPAIGN ACTIVITY

DLS activity — June 23-24 (last 24-48h):

LockBit 5.0 · 🟡 HIGH
Most active group in the overnight ransomware.live feed (33 fresh postings), consistent with its Q1 rebuild to a global top-tier rank. Individual names mostly unverified; treat as claims.
Sources: ransomware.live

The Gentlemen · 🟡 HIGH
Continued high tempo; June 23 batch now includes named victims Canada Wide Media (publishing/Canada) and GIA Partners LLC (IT services/US). Group total tracked at 504 YTD; admin attributed to Alexander Andreevich Yapaev (Krebs/Check Point, Jun). See [actors/the-gentlemen.md](./actors/the-gentlemen.md).
Sources: Breachsense

Aur0ra · 🟡 HIGH
Emerging Tier-2 group; Aerospace & Advanced Composites GmbH (Austrian aerospace materials) added to the June 23 batch, joining Sumitomo Electric Bordnetze and Allan Brothers earlier this month. ~10 postings in the latest feed.
Sources: ransomware.live

DragonForce · 🟡 HIGH
BITS Pilani (Indian university) claimed June 23; continues opportunistic global targeting. See [actors/dragonforce.md](./actors/dragonforce.md).
Sources: Breachsense

Qilin / INC Ransom · 🟢 MEDIUM
Qilin posted Central Bank of Libya; INC Ransom posted Belpointe Asset Management (US wealth management). Both 🟥 unverified DLS claims.
Sources: ransomware.live

APT / nation-state:

Salt Typhoon (PRC) · 🟡 HIGH
Continues telecom-network expansion into South America, fielding new implants (TernDoor, PeerTime, BruteEntry); part of the broader Chinese campaign that has touched 50+ telecoms across 42 countries in 2026. Authoritative tracking via Recorded Future / vendor TI.
Sources: SecurityWeek

AI-operated intrusion (GTG-1002, PRC) · 🟡 HIGH
The disrupted China-attributed espionage campaign that manipulated an AI coding agent to automate 80-90% of attack steps remains the reference case for agentic-offense risk as defenders deploy the same class of tooling (Daybreak above).
Sources: SecurityWeek

🌍 GEOPOLITICS

Analyst lens: how this week's cyber activity maps to state strategy. Defense · cyber · economics.
AI is now on both sides of the vulnerability pipeline, and the West is industrialising the defensive half · 🟡 HIGH
OpenAI's Daybreak/Patch-the-Planet and the wave of AI-found bugs (Squidbleed, Exim, 21 FFmpeg zero-days) show allied vendors converting AI into a defensive force multiplier, while PRC's GTG-1002 shows the same tooling automating offense. The structural read: vulnerability discovery is shifting from a scarce human-expert input to a compute-bound one, which favors whoever has the most compute and the best models. For a multi-portfolio executive, this means patch windows will keep compressing and the half-life of any internet-exposed service shortens — budget for emergency-patch operations as a standing cost, not an exception.

Chinese telecom penetration is becoming a permanent feature of the global comms backbone, now reaching South America · 🟡 HIGH
Salt Typhoon's expansion with new implants extends a campaign that has touched 50+ carriers across 42 countries. This is pre-positioning, not theft: persistent access to telecom infrastructure is strategic optionality for a future crisis. The "so what" for executives with LATAM operations or supply chains: assume carrier-level interception is plausible and push sensitive traffic to end-to-end-encrypted, provider-independent channels.

Aerospace and central-bank names in a single day's ransomware batch blur the line between crime and strategic targeting · 🟡 HIGH
A national central bank (Libya) and an aerospace-materials manufacturer (Austria) appearing alongside dentists and home builders in the same DLS cycle shows financially motivated crews now routinely touch assets with national-security weight — often without the geopolitical intent. The risk for boards is attribution ambiguity: an extortion hit on critical infrastructure can trigger state-level response dynamics the attacker never intended. Treat critical-sector incident response as a geopolitical, not just an IT, scenario.

Bulk credential supply, not exploits, is the cheapest lever of state and criminal power alike · 🟢 MEDIUM
A 24-billion-record, 8.3 TB credential dump surfaced today on top of 110M+ credentials harvested since February and ~86,644 FortiGate devices with live creds (FortiBleed) — together meaning both criminal affiliates and state actors can buy or scrape their way to initial access without burning a zero-day. Economically, this depresses the price of intrusion and shifts defender ROI toward identity hardening (phishing-resistant MFA, credential rotation, egress monitoring) over perimeter patching alone.
Threat actors
1 · LockBit · 33 recent
2 · Qilin · 19 recent
3 · Nova · 15 recent
4 · The Gentlemen · 13 recent

M&A activity
Accenture → Dragos (majority) + runZero + NetRise · $4.17B
Quest Software → Anetac
SailPoint → Entro Security · $200M
1Password → Apono