A
You're listening to the Cyberwire Network powered by N2K.
B
AI is making phishing attacks faster, more convincing and harder for people to spot, and traditional security awareness and phishing training weren't designed for this level of attack. Hoxhunt helps security teams prepare employees for the attacks they face every day with personalized phishing training that adapts to each employee and reduces risky behavior over time. For IT and security leaders looking to strengthen their human layer of defense without adding more manual work, visit hoxhunt.com/cyberwire to learn more. That's H-O-X-H-U-N-T dot com slash cyberwire.
A
Klue supply chain attack impacts cybersecurity firms. Brand-new Prinz Eugen ransomware is surprisingly polished. ShinyHunters leak exposes sensitive data of 10,000 Council of Europe employees. Security agencies sound alarm over FortiBleed credential harvesting operation. Texas data breach affects hunting and fishing licenses. Microsoft ties Mastra AI supply chain attack to North Korean hackers. VDAR infostealer unveils new technique to defeat Chrome's encryption protections. Brazil investigates suspected hack of emergency alert system. We've got your Monday business brief, and on today's Industry Voices, Dave Bittner sits down with Mike Britton, CIO of Abnormal AI, to discuss how AI-powered attacks are now a commodity. And not the kind of Beats you want to drop. Today is Monday, June 22, 2026. I'm Maria Varmazes, in for Dave Bittner today, and this is your CyberWire Intel Briefing. Thanks for joining me today. Let's get into it. First up, market intelligence platform Klue has confirmed a breach of its integration infrastructure, leading to supply chain attacks affecting its enterprise customers. Multiple cybersecurity firms were impacted by the incident, including ReliaQuest, Huntress, Recorded Future, Tanium and Jamf. An increasing number of other organizations are also disclosing that they were affected, including social media management tool Sprout Social, sales intelligence platform Gong, and insurance software provider Insurity. Klue stated: "Our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service. The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments." ReliaQuest said in its analysis of the attack:
Quote: the attacker authenticated to target's Klue integration service accounts, generated OAuth tokens, and ran what appear to be automated scripts to pull large volumes of CRM records through the Salesforce REST API over roughly 24 hours, including a concentrated burst of nearly 1,000 queries in 15 minutes and sustained extraction windows lasting over six hours. BleepingComputer reported late last week that the Icarus extortion group was behind this attack and that the gang has since claimed responsibility on its leak site. Huntress identified technical evidence indicating with high confidence that Icarus' claims are legitimate. Researchers at ThreatDown are tracking a new Go-based ransomware family called Prinz Eugen that's unusually sophisticated for a nascent strain of ransomware. ThreatDown says the encryptor is built with enough care to prioritize high-pressure files, verify encrypted output, remove originals when instructed, and reduce forensic recovery opportunities before exiting. The malware doesn't drop a ransom note on the infected system and instead moves ransom negotiations to a separate channel in order to minimize forensic evidence. Notably, the ransomware prioritizes recently modified files, which ThreatDown says are most likely to be in active use. Think of open documents, current databases, recently saved project files, fresh email archives. They are also the least likely to have a recent backup. The Council of Europe is investigating a major breach claimed by the ShinyHunters extortion group, which says it stole nearly 300 gigabytes of sensitive employee data. The leaked information reportedly includes payroll records, bank account details, tax documents, personnel files and medical information belonging to more than 10,000 current and former staff members. After an apparent ransom deadline passed without payment, the attackers published the data and threatened wider distribution through torrent networks.
Researchers have linked the incident to a broader campaign exploiting a zero-day vulnerability in Oracle PeopleSoft, highlighting the lasting risks posed by breaches of HR systems. Cybersecurity agencies in the United States, Canada, Australia and New Zealand are warning organizations about an ongoing credential theft campaign known as FortiBleed, which is targeting Fortinet firewalls and VPN gateways. Researchers uncovered a database containing credentials associated with roughly 74,000 Internet-facing FortiGate devices across 194 countries. Investigators say that attackers used large-scale brute force attacks, harvested VPN authentication data and cracked password hashes to gain access to corporate networks, in some cases moving deeper into Active Directory environments. Fortinet maintains the exposed data stems largely from previous compromises rather than a new vulnerability. But security experts are urging organizations to rotate credentials, enable multi-factor authentication, review logs for suspicious activity, and assume potential compromise if affected. The Texas Parks and Wildlife Department, or TPWD, has disclosed that one of its vendors sustained a data breach affecting more than 3 million Texans. The unnamed vendor handles the state's sale of hunting and fishing licenses, and the breach affected customers who obtained licenses through the vendor. A Kroll web page on the incident states that the investigation indicates that an unauthorized actor may have obtained driver's license information, passport numbers if provided, email addresses, phone numbers and residential addresses. It's unclear, though, when the unauthorized access began. The TPWD says that it was notified by Texas Cyber Command on May 13, 2026. The TPWD is offering one year of free credit monitoring for victims, noting that many of its own staff were affected by this breach.
Microsoft says a recent supply chain attack targeting the Mastra AI development framework was carried out by Sapphire Sleet, a North Korean threat group also known as BlueNoroff. According to Microsoft's investigation, the attackers compromised an npm maintainer account and used it to push malicious updates to more than 140 software packages used by developers who are building AI applications. The malware was designed to steal credentials, authentication tokens and cryptocurrency wallet data from infected systems. Microsoft also linked a separate npm compromise earlier this year to the same group, suggesting a broader campaign targeting software supply chains and developer ecosystems. Researchers at Gen Digital have uncovered a new browser theft technique used by the VDAR infostealer to bypass Google's application-bound encryption, or ABE, a security feature designed to protect cookies, passwords and authentication tokens in Chrome and other Chromium-based browsers. Rather than attacking encrypted data stored on disk, VDAR creates a snapshot of a running browser, scans memory for Chrome's master decryption key, and then uses code injection techniques to decrypt it inside the browser's own process. The result is access to sensitive browser data without breaking Chrome's encryption directly. Brazilian authorities are investigating a suspected hack of the nation's emergency alert system after an unauthorized alert was sent to users across five states, including residents of São Paulo, Rio de Janeiro and Brasília, according to a report from The Register. The messages, which were sent through the Defesa Civil Nacional's platform for severe weather alerts, contain the single word misantropia, a leet-speak version of the Portuguese word for misanthropy.
C
Ooh.
A
The country's national telecommunications agency, Anatel, said in a statement that there is currently no reason for concern on the part of the population as a result of the messages received. The government has taken the alert system offline in the meantime to investigate the incident. And it is Monday, so that means it's time for our Monday business brief. Last week's business breakdown highlights just over $700 million raised in eight investments and five acquisitions. For investments, NinjaOne, the US-based IT visibility and management platform, raised over $400 million in Series C extensions. With this expansion funding, NinjaOne is looking to further accelerate how the company builds and scales its products for its partners as it continues to incorporate AI into its platform roadmap and market expansion efforts. In acquisitions, Rubrik, the US-based security and data intelligence firm, acquired Strata. By acquiring the identity orchestration firm, Rubrik is looking to expand its identity resilience offerings to ensure that authentication can still continue even during recovery processes. And that wraps up this week's business breakdown. For a deeper analysis on major business moves shaping the cybersecurity landscape, make sure to subscribe to N2K Pro and check out TheCyberWire.com every Wednesday for the latest updates. Now stick around. After the break, in our Industry Voices segment, Dave Bittner sits down with Mike Britton, CIO of Abnormal AI, to discuss why AI-powered attacks have become a commodity and why many organizations still don't realize just how accessible these threats have become. And that's not the kind of Beats you want dropping. Stay with us.
B
When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. What's the one thing in business that's spreading as fast as AI? AI risk. Every new tool your team signs up for, every vendor that turns on AI features, every new integration, each one creates another opportunity for something to go wrong. And most security programs just weren't built for AI's pace of growth. Enter Vanta. Vanta is the number one agentic trust platform, used by more than 16,000 fast-moving companies like Ramp, Cursor and Harvey to help ensure they're always audit-ready. And now Vanta is helping companies watch for the risks that show up between audits, across vendors, AI tools and their entire environment. The Vanta agent works like a 24/7 GRC engineer in the background, finding issues, drafting fixes and cutting vendor assessment time by up to 50%. Whether you're a fast-growing startup or a global enterprise, Vanta is here to help you automate your security and compliance and earn and prove trust. Get started today at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
A
In our Industry Voices segment, Dave Bittner sits down with Mike Britton, CIO of Abnormal AI, to discuss why AI powered attacks have become a commodity and why many organizations still don't realize just how accessible these threats have become. Here's their conversation.
C
There's a big hype machine. So you hear things around, oh, there's a deep fake video or attackers are using AI. And I think part of the problem is a lot of security leaders continue to see the non AI stuff and it's very pervasive. I like to say that if I'm a bad guy or even a good guy, if something simple works, why do I need to be more complicated? So you still see the broad breadth of attacks are still largely unsophisticated, largely traditional things that we've seen. But it's easy to make the assumption because I see a lot of something that I've seen for years and years that that's everything. And I think that's, that can sometimes be a misconception. I think part of it is the newer, more sophisticated attacks and techniques that are leveraging AI. They may be slipping through the current control set.
B
I've seen people describe today's attack ecosystem as being productized. I'm curious, do you agree with that label, and why is that distinction important?
C
Yeah, and I think if you zoom out a little bit and just talk in general about where we are technology-wise, especially in this age of AI. One of the interesting things, and one of the reasons I believe things are moving so much faster and things like Moore's Law are really not relevant anymore, is most of the new technology, the frontier models, things like that, they've all been, it essentially doesn't require any level of skill or knowledge or understanding. It's very much at your fingertips. It's, you know, natural language, plain, plain language gets great results. The attackers are doing the same thing. It's, it's, it's like anything else. They run a business, they want more customers, to have a bigger set of customers. I need to make it easy. We're seeing some of that with phishing as a service. There's a phishing-as-a-service threat actor that we've seen, we've talked about it. Evil Tokens. It's also known as Kali365, and they've rebranded again. But essentially they provide a SaaS platform to their customers, which are people that want to do bad things. So much so that they have subscription models, they have a marketplace, they have an affiliate program. If you want to do referrals, you can get credits. They make it really easy. It really looks like a legitimate SaaS product that somebody might use for marketing or leads for legitimate purposes.
B
You know, reading through your research on these groups like Venom and as you say, Evil Tokens, one of the things that caught my eye was you pointed out their capability to do things like bypass MFA and automate parts of business email compromise. What does that tell us about where the innovation is focused today from the attacker's point of view? What sort of things are they really centered on working through?
C
You know, if you go back and look at how things were done from an attacker's perspective, it was largely spray and pray. I'm going to send out a single type of attack and I'm going to hit a broad audience, and you know, if I get one in a million, then that's, that's a good ROI. And the other aspect of AI that's really helpful is I can target, I can comb through mountains of data and find the right targets, and I can do it effortlessly. So in the old days, if I wanted to find CFOs or accounts payable for certain types of industries and companies, I would have to go do a lot of manual searching. I would use Google, I would use LinkedIn. Now with LLMs, I can largely automate that. I can do that at scale. I can find my, my, my victims. I mean, we've talked about for years spear phishing. It's, it's dangerous because it's targeted. It's not just a broad. If I know your role within the organization, I know people that you engage with, I know your history, I can easily correlate and collate things from the Internet in seconds. Then that allows me to put some very powerful phishing emails out there. It allows me to really tailor my attacks to increase the likelihood that you'll be social engineered.
B
Is it fair to say that accessibility is really a big part of the story here? That, you know, it's, it's not so much the sophistication of the technology, it's that anyone willing to pay for it has access to these tools.
C
Oh, 100%. And you know, I like to give the analogy of we always fear the nation states because they are the, you know, they have the means, they have the, the knowledge, they have the capabilities. And, and the reality of it is most organizations aren't going to be targeted by a nation state. But when you look at AI, it almost shifts all the playing field up a degree. So your financial criminals Your, you know, your Eastern European, your Nigerian, the ones that are looking for financial gain, you know, these tools give them the ability to operate like a nation state. And then you look at your, I'll use a very old term, script kiddies. The folks that have some level of knowledge but you know, they're good at executing a script, they don't really understand it. Now those guys are operating to the level of a financial criminal. And then what you've really done is you've opened up this whole marketplace for the bad guys to individuals that didn't have the knowledge, didn't have the technology, didn't have the means. And now all you really need is the intent. All you really need is I, I want to go take advantage of someone and try to make money off of this. And now there's tools and, and SaaS, platforms out there for, want to be criminals, to take advantage of it. And so you know that that population, it's like anything else. If that population was 100 threat actors, you know, in previous years, now it could be 10,000 because there's, there's almost, you know, zero, zero barriers to entry into this space for an attacker. Yeah.
B
I was reading through your 2026 Attack Landscape report and it struck me some of the broader trends around business email compromise and vendor email compromise. Can you take us through some of the things that you all highlighted in
C
The reality of it is, and I think there's a few reasons why email continues to be a major vehicle for having success from a cybercriminal perspective, and there's a couple reasons why. One, every organization, regardless of size, whether you're a one-person company or you have a million employees, that's the one common denominator that, that folks can, can communicate with other organizations. So you can communicate with your customers, you can communicate with your suppliers, you can communicate with other organizations. It's the least common denominator across every entity. The second factor, and you know, there's probably larger meta-type conversations around this, but the reality of it is everybody still transacts through email, everybody still sends an invoice, everybody does processing of invoices and things like that through email. And so it's a great vehicle for an attacker. If I'm sitting in your inbox, I've compromised your account, I see that you pay this vendor, or I happen to compromise an AP person, I see that, or an accounts receivable person, and they're getting invoices from certain people, it just enables me to go turn around and social engineer them. And then finally the other problem, or, you know, just the result of how things have always been, is if you think about any sort of system account that you reset or SaaS platform that you're on, if you do a forgot-my-password or things like that, almost all of them send that back through email. So, once again, if I'm an attacker and I'm in your mailbox, I could reset passwords and other things and I can get those emails back delivered to me. And that's a. It's a great opportunity for me to have lateral movement. It's also a way for me to phish you, because I, I know that you use certain tools and technologies within your organization. So I send lookalike emails that, that look like a password reset or a, you know, SharePoint link or a DocuSign. And so really, we're seeing these attacks. 
They're not slowing down. You look at even things that aren't Abnormal's. You look at IC3, which is the FBI's, and they come out with their annual report every March, and it's. The numbers keep going up and to the right.
B
Are there common things that you and your colleagues are tracking here in terms of where the defenders are coming up short? You know, are they underestimating the scale of automation that the attackers can use? What sort of things are you tracking?
C
I think it's difficult because, you know, there's a lot of good things about the security industry. I think the security industry as a whole does a really good job with information sharing. You know, I've been parts of trust groups through, for, for years. I think there's a lot of valuable collaboration that goes on. But I think fundamentally, two things, I think, one, we're sometimes very slow to innovate. So if I use legacy email security, and it's worked for years, and, you know, it's, it's served me well. I assume it's always going to serve me well. And so I'm very, I'm very slow to ever pivot off of that. I, you know, hey, they've been a trusted provider for me throughout the years, and it's very hard to sometimes take into consideration that the attackers have changed techniques and the playing field has changed. And so sometimes we as an industry are very slow to look at new ways to solve old problems. I think that's part of it. And then I think fundamentally the other problem is, while it is the biggest problem, I think it's also, you know, it's the one that's most likely to cause financial loss. I think we also kind of, and I say we security leaders and CISOs oftentimes look at it and throw their hands up. And I've heard this before of, hey, it stops 90% of the problems. It's an unsolvable problem. So I'm just willing to accept that I'm going to fail 10% of the time and I've got other, other problems to go solve. I've got other risks. And so if that was the only problem in my program, then great, I'd go invest more money or I'd go try something different.
B
Do you have any advice for the security professionals who are trying to plan out their next 12 months or so, trying to look toward the horizon? Any insights or words of wisdom there?
C
Yeah, my, my biggest words of wisdom is kind of back to the Moore's Law thing. If you're planning 12 months in advance, we're seeing things move so much faster these days. Just yesterday, Fable came out and, you know, it's been right around six months or so since Opus came out from Anthropic. And so these, these models and capabilities are moving so quickly that I would really encourage, and I know it's probably not in the wheelhouse for most, you know, executives, but I would try to at least do your planning by the quarter. I would make sure you, you know, yes, you probably need something from an annual plan, but I would also be willing to be a little bit more flexible and pivot. I wouldn't lock things in and say, you know, this is set in stone for the next 12 months. I would say this is set in stone for the next quarter and we're going to continue to review and iterate and evolve this as, you know, the technology and the risks change.
A
That was Mike Britton, CIO of Abnormal AI, speaking with Dave Bittner about why AI-powered attacks have become a commodity. To hear the full conversation, head to our show notes to find the link to the Abnormal AI Knowledge Partner page, where you will find the complete interview.
B
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today. Thinking about refreshing the carpet in your home?
C
Now's the time to do it for
B
a limited time at The Home Depot, get 10% off installed carpet projects on trusted brands like LifeProof with
C
Pet Proof technology, Home Decorators Collection and TrafficMaster Plus. With installations starting at just $0.49 per
B
square foot, upgrading your space is more affordable than ever at The Home Depot.
C
Offer valid June 11, 2026 through June 28, 2026.
B
Exclusions apply. For licenses, see homedepot.com/licensenumbers.
A
And finally, if you've ever worried that your earbuds were listening to you, well, for a brief moment, that concern wasn't entirely fictional. Apple has patched a vulnerability in its Beats Studio Buds that could have allowed a nearby attacker to listen through the earbuds' microphone. The flaw affected devices that were actively in Bluetooth pairing mode, allowing an attacker within range to potentially impersonate a legitimate device and connect before the pairing process was complete. The vulnerability was tied to Bluetooth chips made by Airoha. Researchers found that when combined with other flaws in the same component, an attacker could potentially eavesdrop through headphone microphones, extract pairing keys, impersonate trusted headphones, and even enable additional attacks against a connected phone. But before you toss your earbuds in the nearest lake, there is some good news here. The attack wasn't exactly easy. It required specialized hardware, software, technical expertise, and close physical proximity to the target. And Apple has already released a firmware update to fix this issue. Still, it is a fun reminder that in 2026, even your earbuds occasionally need a security patch, because apparently the only thing scarier than hearing someone else's playlist is someone else hearing yours. And that's the CyberWire Daily, brought to you by N2K CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like this show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. 
Peter Kilpe is our publisher, and I'm your host, Maria Varmazes, in for Dave Bittner this week. Thanks for listening. We'll see you tomorrow. Your next chapter in healthcare starts at Carrington College's School of Nursing in Portland. Join us for our open house on Tuesday, January 13th from 4 to 7 p.m. You'll tour our campus, see live demos, meet instructors, and learn about our Associate Degree in Nursing program that prepares you to become a registered nurse. Take the first step toward your nursing career. Save your spot now at carrington.edu/events. For information on program outcomes, visit carrington.edu/sci.
Date: June 22, 2026
Host: Maria Varmazes (in for Dave Bittner)
Podcast Network: N2K Networks
This episode of CyberWire Daily delivers a comprehensive roundup of the day's most pressing cybersecurity news and analysis. Key stories include several new and ongoing cyberattacks—particularly supply chain compromises, ransomware, credential harvesting, and data breaches affecting enterprises and government systems around the globe. The centerpiece of the episode is an in-depth Industry Voices interview with Mike Britton, CIO of Abnormal AI, who discusses how AI-powered attacks are now commoditized and widely accessible, reshaping the cyber threat landscape.
[01:03–03:43] Klue supply chain attack, OAuth token theft
“The attacker authenticated to target’s Klue integration service accounts, generated OAuth tokens, and ran what appear to be automated scripts to pull large volumes of CRM records through the Salesforce REST API over roughly 24 hours.”
— ReliaQuest [02:18]
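The ReliaQuest figures above (a burst of nearly 1,000 queries in 15 minutes, sustained extraction for over six hours, all under legitimately issued OAuth tokens) describe a pattern that ordinary authentication alerting never sees, because every request was authorized. The detector below is an added example, not code from the episode, Klue or ReliaQuest. It runs over a constructed, simplified log format (timestamp, connected app, user, rows returned) standing in for Salesforce API event records; the principal names, the rates in the sample data and the thresholds are all illustrative assumptions. It keys on the identity each token maps to, so a stolen token shows up as an anomaly for that integration user rather than as a new login.

```python
"""Flag bulk CRM extraction in API access logs.

Added example, not code from the episode, Klue or ReliaQuest. It assumes a
constructed, simplified log line format (timestamp, connected app, user,
rows returned) that stands in for Salesforce API event records; the
thresholds are illustrative and track the figures in the ReliaQuest quote.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime
    principal: str  # "<connected app>/<user>": the identity the OAuth token maps to
    rows: int       # records returned by the query


def parse_line(line: str) -> ApiEvent:
    """Parse one constructed log line: '<ISO-8601 ts>,<app>,<user>,<rows>'."""
    ts, app, user, rows = line.strip().split(",")
    return ApiEvent(datetime.fromisoformat(ts), f"{app}/{user}", int(rows))


def build_sample_log() -> list:
    """Constructed sample data (not real logs): one healthy integration user and one abused one."""
    base = datetime(2026, 6, 10, 0, 0, 0)
    lines = []
    # Healthy integration: one query every 10 minutes for a day, 50 rows each.
    for i in range(144):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()},KlueConnector,svc_integration,50")
    # Abused token: 990 queries inside ~14 minutes, 2,000 rows each ...
    burst_start = base + timedelta(hours=2)
    for i in range(990):
        t = burst_start + timedelta(seconds=i * 848 // 1000)
        lines.append(f"{t.isoformat()},KlueConnector,svc_compromised,2000")
    # ... followed by a steady pull every 2 minutes for 6.5 hours.
    sustained_start = base + timedelta(hours=4)
    for i in range(195):
        t = sustained_start + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()},KlueConnector,svc_compromised,2000")
    return lines


def max_in_window(times, window: timedelta) -> int:
    """Most queries that fall inside any sliding window of the given length."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def longest_sustained_run(times, max_gap: timedelta) -> timedelta:
    """Longest stretch of activity with no pause longer than max_gap."""
    times = sorted(times)
    if not times:
        return timedelta(0)
    best = timedelta(0)
    run_start = times[0]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > max_gap:
            best = max(best, prev - run_start)
            run_start = cur
    return max(best, times[-1] - run_start)


def analyze(events, burst_window=timedelta(minutes=15), burst_threshold=500,
            max_gap=timedelta(minutes=5), sustained_threshold=timedelta(hours=6)):
    """Per principal: query count, rows pulled, and why (if) it is flagged.

    The burst rule catches the 'nearly 1,000 queries in 15 minutes' pattern;
    the sustained rule catches a low-and-slow pull that never exceeds a
    per-window rate but keeps going for hours. Thresholds are illustrative.
    """
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e.principal].append(e)
    report = {}
    for principal, evs in by_principal.items():
        times = [e.ts for e in evs]
        burst = max_in_window(times, burst_window)
        run = longest_sustained_run(times, max_gap)
        reasons = []
        if burst >= burst_threshold:
            reasons.append(f"{burst} queries within {burst_window}")
        if run >= sustained_threshold:
            reasons.append(f"continuous extraction for {run}")
        report[principal] = {
            "queries": len(evs),
            "rows": sum(e.rows for e in evs),
            "max_burst": burst,
            "longest_run": run,
            "flagged": bool(reasons),
            "reasons": reasons,
        }
    return report


if __name__ == "__main__":
    for principal, r in analyze([parse_line(l) for l in build_sample_log()]).items():
        status = "FLAG" if r["flagged"] else "ok  "
        print(f"{status} {principal}: {r['queries']} queries, {r['rows']} rows; "
              f"{'; '.join(r['reasons'])}")
```

The healthy principal averages six queries an hour and is never flagged; the abused one trips both rules. In production the fixed thresholds would be replaced by a per-principal baseline learned from the integration's own history, and the per-query row counts would be weighted in as well, since a handful of queries returning the whole CRM is as much an extraction as a thousand small ones.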
[03:43–05:25]
[05:25–06:57]
[06:57–09:00]
[09:15–11:20] Monday Business Brief
[13:28–25:45] Industry Voices: AI attack commoditization
Dave Bittner interviews Mike Britton, CIO of Abnormal AI, about how AI-powered attacks are easier to launch than ever, turning advanced threats into commoditized “as-a-service” operations.
[13:46–14:41]
“If something simple works, why do I need to be more complicated? … The newer, more sophisticated attacks leveraging AI may be slipping through the current control set.”
— Mike Britton [13:46]
[14:52–16:21]
“It really looks like a legitimate SaaS product that somebody might use for marketing or leads for legitimate purposes.”
— Mike Britton [16:13]
[16:51–18:08]
“I can do that at scale… with LLMs, I can largely automate that… Then that allows me to put some very powerful phishing emails out there.”
— Mike Britton [17:29]
[18:22–19:56]
“If that population was 100 threat actors, now it could be 10,000 because there’s almost zero barriers to entry into this space for an attacker.”
— Mike Britton [19:49]
[20:11–22:32]
“Everybody still transacts through email, does processing of invoices… If I’m sitting in your inbox… it just enables me to go turn around and social engineer them.”
— Mike Britton [20:31]
[22:48–24:32]
“If I use legacy email security, and it’s worked for years… I assume it’s always going to serve me well.”
— Mike Britton [23:09]
“I’ve heard this before—‘Hey, it stops 90% of the problems. It’s an unsolvable problem, so I’m just willing to accept that I’m going to fail 10% of the time.’”
— Mike Britton [24:06]
[24:43–25:45]
“If you’re planning 12 months in advance, we’re seeing things move so much faster these days… I would try to at least do your planning by the quarter… be a little bit more flexible and pivot.”
— Mike Britton [24:43]
[27:57–end] Notable vulnerability: earbud eavesdropping
“Even your earbuds occasionally need a security patch, because apparently the only thing scarier than hearing someone else’s playlist is someone else hearing yours.”
| Segment | Timestamp |
|---|---|
| News Headlines & Analysis | 01:03–13:28 |
| Klue supply chain, OAuth theft | 01:03–03:43 |
| Ransomware, data leaks, credential harvesting | 03:43–09:00 |
| Business Brief | 09:15–11:20 |
| Industry Voices: AI Attack Commoditization | 13:28–25:45 |
| Memorable moment (Brazil hack reaction) | 09:15 |
| Notable vulnerability (earbud eavesdropping) | 27:57–end |
This episode highlighted a rapidly evolving threat landscape—where even sophisticated, AI-driven cyberattacks have become commoditized and productized for the masses. Traditional security awareness and legacy controls are increasingly insufficient against attackers who can now purchase “cybercrime-as-a-service” platforms with features rivaling legitimate SaaS offerings. The expert advice: security teams must adapt planning to the quickening pace of technology change and resist complacency; the only constant is the need for ongoing vigilance, innovation, and flexibility.