Friday, June 19, 2026 | By Jonathan Brown bordercybergroup.com
Pattern of the Day: Trust Boundaries Keep Moving
Four of today's nine stories share the same underlying failure mode: organizations increasingly depend on software, integrations, chip vendors, and service providers they neither control nor fully understand. Splunk's authentication gap sat inside a sidecar component most admins didn't know was internet-reachable. Klue's customers were breached through a dormant credential and a token-trust relationship they never audited. Nintendo's exposure ran through an HR survey vendor holding a decade of employee financial records outside Nintendo's own perimeter entirely. A dozen consumer audio brands inherited the same Bluetooth chip flaw and are patching it on their own separate timelines, a year apart. The attack surface in each case is no longer the enterprise perimeter. It's the collection of invisible dependencies sitting behind it — and the defenders who own the brand name are rarely the ones who control the code.
───────────────────────────────────────────────────
Splunk's First-Ever KEV Entry Took Eight Days From Patch to Active Exploitation
CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities catalog on June 18 — the first Splunk flaw ever to make the list — and gave federal agencies until this Sunday to patch under BOD 26-04. The bug is a missing-authentication flaw (CVSS 9.8) in a PostgreSQL sidecar service that Splunk Enterprise uses for data management; an unauthenticated, network-reachable attacker can create or truncate arbitrary files with no credentials at all. Splunk shipped patches on June 10 (fixed in 10.4.0, 10.2.4, and 10.0.7), and watchTowr published a technical writeup with working PoC just two days later, mocking the design choice outright: why, the firm asked, does the sidecar "appear to accept literally any username in the Authorization header"? Splunk itself disclosed "limited exploitation" before CISA's KEV addition went up. Splunk Cloud is not affected — the sidecar is Enterprise-only — but Shadowserver counts more than 1,400 internet-exposed Splunk Enterprise instances, the bulk of them in North America. The eight-day patch-to-exploitation window is the headline number, but the more uncomfortable one is structural: this is a SIEM platform, the thing organizations run specifically to detect compromise, sitting on an authentication gap in a component most admins didn't know was internet-reachable.
Watch for: whether any named IR firm confirms a breach where the Splunk compromise itself delayed detection of a separate, larger intrusion — that's the scenario that turns this from a patch story into an incident-response case study.
Sources: Splunk security advisory (June 10–12, 2026); watchTowr (June 12, 2026); CISA KEV catalog (June 18, 2026); SecurityWeek (June 18, 2026); BleepingComputer (June 19, 2026).
───────────────────────────────────────────────────
Microsoft Found a Crypto Clipper That Spreads Like It's 2008, Then Acts Like It's 2026
Microsoft Threat Intelligence disclosed a Windows clipper campaign, internally tracked as Trojan:Win32/CryptoBandits.A, that's been running since February 2026 and propagates the way malware used to before everyone had cloud storage: through infected USB drives carrying malicious .lnk shortcut files. Once a device is hit, the malware deploys two components — a worm that creates additional malicious shortcuts from legitimate files it finds on the system, and a clipper/stealer that polls the clipboard roughly every 500 milliseconds for Bitcoin, Ethereum, Tron, and Monero wallet strings and seed phrases, then silently swaps in attacker-controlled addresses. What pushes this past a standard clipper is the C2 design: it bundles a portable Tor client, routes everything through a local SOCKS5 proxy to a hidden-service server, and uses that channel for both exfiltration (clipboard data plus periodic screenshots) and remote code execution — turning a financially motivated theft tool into a standing backdoor. Microsoft is explicit that static signatures won't catch this reliably; the actionable detection signal is behavioral — localhost:9050 proxy traffic, script interpreters spawning unexpected child processes, scheduled-task persistence tied to .lnk execution.
Watch for: whether researchers identify a second-stage payload being delivered over the Tor backdoor channel in live incidents — so far Microsoft has described the RCE capability but not a confirmed case of it being used for something beyond wallet theft.
Sources: Microsoft Security Blog (June 17, 2026); Microsoft Threat Intelligence, X/Twitter (June 17, 2026); BleepingComputer coverage (June 18–19, 2026).
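The behavioral signals Microsoft lists above are the kind a detection engineer turns into rules rather than hashes. As an added example (not code from Microsoft's write-up or from this newsletter), the following Python triages a constructed set of endpoint events in a hypothetical JSON-lines schema against those three signals: a script host spawning a child outside an assumed allowlist, a process connecting to the loopback SOCKS port 9050, and a scheduled task whose action is a .lnk shortcut. The field names, the allowlist, the host name and the sample events are all assumptions made for illustration.

```python
import json

# Script hosts whose child processes are worth inspecting (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Children a script host is allowed to spawn in this assumed environment.
EXPECTED_CHILDREN = {"conhost.exe"}
# Default listening port of a local Tor SOCKS proxy, the signal Microsoft names.
TOR_SOCKS_PORT = 9050

# Constructed sample telemetry in a hypothetical JSON-lines schema (not a real
# EDR export): a benign-looking and a suspicious event for each rule.
SAMPLE_EVENTS = r"""
{"type":"process","host":"ws01","parent":"explorer.exe","image":"wscript.exe","cmdline":"wscript.exe E:\\report.lnk"}
{"type":"process","host":"ws01","parent":"wscript.exe","image":"conhost.exe","cmdline":"conhost.exe"}
{"type":"process","host":"ws01","parent":"wscript.exe","image":"powershell.exe","cmdline":"powershell.exe -File C:\\Users\\a\\AppData\\Roaming\\sync.ps1"}
{"type":"network","host":"ws01","image":"powershell.exe","dst":"127.0.0.1","dport":9050}
{"type":"network","host":"ws01","image":"chrome.exe","dst":"203.0.113.10","dport":443}
{"type":"schtask","host":"ws01","name":"SyncCheck","action":"C:\\Users\\a\\AppData\\Roaming\\sync.lnk"}
{"type":"schtask","host":"ws01","name":"NightlyBackup","action":"C:\\Program Files\\Backup\\backup.exe"}
"""


def rule_script_host_child(ev):
    """Flag a script interpreter spawning a child outside the allowlist."""
    if ev.get("type") != "process":
        return None
    parent = (ev.get("parent") or "").lower()
    image = (ev.get("image") or "").lower()
    if parent in SCRIPT_HOSTS and image not in EXPECTED_CHILDREN:
        return f"script host {parent} spawned {image}"
    return None


def rule_localhost_socks(ev):
    """Flag any process talking to the loopback Tor SOCKS port."""
    if ev.get("type") != "network":
        return None
    if ev.get("dst") in ("127.0.0.1", "::1") and ev.get("dport") == TOR_SOCKS_PORT:
        return f"{ev.get('image')} connected to loopback SOCKS port {TOR_SOCKS_PORT}"
    return None


def rule_schtask_lnk(ev):
    """Flag scheduled-task persistence whose action launches a shortcut file."""
    if ev.get("type") != "schtask":
        return None
    action = ev.get("action") or ""
    if action.lower().endswith(".lnk"):
        return f"scheduled task {ev.get('name')} runs shortcut {action}"
    return None


RULES = {
    "script_host_unexpected_child": rule_script_host_child,
    "localhost_socks_9050": rule_localhost_socks,
    "schtask_lnk_action": rule_schtask_lnk,
}


def triage(jsonl):
    """Run every rule over every event; return one finding per rule hit."""
    findings = []
    for raw in jsonl.strip().splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append({"rule": name, "host": ev.get("host"), "detail": detail})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

The allowlist is the tuning knob: in an environment where logon scripts routinely launch PowerShell from cscript, the child rule will be noisy until those parent-child pairs are added to EXPECTED_CHILDREN, whereas the 9050 and .lnk-task rules are narrow enough to page on directly.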
───────────────────────────────────────────────────
Accenture Just Bought Its Way Into Owning a Third of the Independent OT Security Market
Accenture announced Thursday it's taking a majority stake in Dragos at a $3.25 billion valuation and acquiring runZero, HD Moore's asset-discovery firm, and NetRise's firmware-analysis shop outright, for a combined deal value of roughly $4.175 billion — the largest transaction in OT cybersecurity to date. Dragos CEO Robert Lee says the company "will remain an independent and vendor-neutral company as always," and the runZero and NetRise teams will operate under Dragos rather than being absorbed into Accenture proper. The three companies together generated about $208 million in annual recurring revenue as of June 2026, growing 53% year-over-year — modest next to the price tag, which is the point: Accenture is buying a platform position in critical infrastructure security, not current revenue, in a market it estimates will grow from $27 billion to nearly $59 billion by 2031. This is worth flagging on the merits, not the conspiracy version of it. Dragos has spent a decade building credibility as the OT vendor that doesn't sell to the highest bidder and doesn't get folded into a parent company's broader interests. "Independent and vendor-neutral" is now a claim being made about a company in which a $70-billion consulting and outsourcing giant holds a controlling stake. Nothing in the public record so far suggests Accenture is interfering with Dragos's research output or client relationships — Lee's continued leadership and the stated intent to keep the brand separate are real commitments, not just messaging. But governance structure is a leading indicator, not a lagging one: the arrangement can hold for years and still face pressure the first time a Dragos finding is inconvenient for an Accenture consulting client. That's a risk worth watching, not a verdict to render eighteen hours after the deal was announced.
Watch for: how Dragos's public vulnerability research and advisory output — historically a credibility anchor for the brand — is positioned relative to Accenture's existing OT consulting clients, and whether any conflict-of-interest disclosure framework accompanies the close.
Sources: SecurityWeek (June 18, 2026); CyberScoop (June 18, 2026); Industrial Cyber (June 18–19, 2026); ChannelE2E (June 19, 2026).
───────────────────────────────────────────────────
A Group Calling Itself Icarus Used a Dead Integration to Breach Live Salesforce Orgs, and a Cybersecurity Firm Was Among the Victims
Salesforce disabled the Klue Battlecards app integration platform-wide on June 17 after an extortion group identified as Icarus exploited it to pull CRM data from connected customer orgs — including Huntress, the managed security provider, which published its own incident timeline. The attack chain breaks cleanly into three stages, and each one is a separate lesson:
Entry: a long-dormant Klue service credential, originally created years ago for a third-party integration prototype Klue had since abandoned, was never deactivated. That's the door nobody remembered to lock.
Pivot: per ReliaQuest's analysis, Icarus used that stale credential to get into Klue's own infrastructure, then stole the OAuth tokens Klue's customers use to connect their CRM systems to the platform. That's the move from "we broke into a vendor" to "we now hold the keys to every one of that vendor's customers."
Impact: Icarus used the stolen tokens to query customer Salesforce instances directly via REST API — object enumeration, then sustained paginated queries over several hours, with one burst hitting nearly a thousand queries in fifteen minutes. Huntress says extortion emails citing "your Salesforce data has been downloaded" arrived within days, with a 48-hour negotiation deadline.
Klue has since revoked tokens across its full integration stack — Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, Slack — not just the compromised one. This is an analytical inference from the public record, not a confirmed finding, but the pattern matches the OAuth-token-abuse playbook ShinyHunters ran against Salesforce throughout 2025: the weak point isn't Salesforce's platform security, it's the long tail of third-party app connections nobody audits until something breaks.
Watch for: whether other Klue customers beyond Huntress confirm data theft, and whether Icarus is publicly tied to existing extortion infrastructure (SLH, Vect, or another named group) rather than operating as a standalone brand.
Sources: The Hacker News (June 18, 2026); SecurityWeek (June 18, 2026); GovInfoSecurity (June 18, 2026); Dark Reading (June 18–19, 2026); Cyber Security News (June 19, 2026).
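Two of the three lessons above, the dormant credential and the query burst, are things a Salesforce admin can look for in their own API activity rather than wait for a vendor notice. As an added example (not Huntress's, ReliaQuest's or Klue's code, and not Salesforce's log schema), this Python script analyses a constructed API-call log per connected app: it records the first moment a sliding 15-minute window holds 1,000 queries (the burst size Huntress reported), counts describe-style object-enumeration calls, and lists apps whose last call is older than an assumed 90-day dormancy threshold. The app names, the one-line-per-call format and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for illustration; 1,000 queries in 15 minutes is
# the burst Huntress described, used here as the alert line.
WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 1000
DORMANT_AFTER = timedelta(days=90)

# Hypothetical one-line-per-API-call format (not Salesforce's own log schema).
LINE_RE = re.compile(r"^(?P<ts>\S+) app=(?P<app>\S+) op=(?P<op>\S+)$")


def fmt(ts, app, op):
    return f"{ts.isoformat()} app={app} op={op}"


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return datetime.fromisoformat(m["ts"]), m["app"], m["op"]


def analyse(lines):
    """Per connected app: describe-call count, query count, last activity, and
    the timestamp at which a sliding WINDOW first held BURST_THRESHOLD queries."""
    events = sorted(parse(line) for line in lines)
    windows = defaultdict(deque)
    report = defaultdict(lambda: {"describe_calls": 0, "queries": 0,
                                  "last_seen": None, "burst_at": None})
    for ts, app, op in events:
        r = report[app]
        r["last_seen"] = ts
        if op.startswith("describe"):       # object enumeration before the pull
            r["describe_calls"] += 1
            continue
        if op != "query":
            continue
        r["queries"] += 1
        dq = windows[app]
        dq.append(ts)
        while ts - dq[0] > WINDOW:          # drop queries older than the window
            dq.popleft()
        if len(dq) >= BURST_THRESHOLD and r["burst_at"] is None:
            r["burst_at"] = ts
    return dict(report)


def dormant_apps(report, now):
    """Connected apps whose last call is older than DORMANT_AFTER: candidates
    for token revocation rather than indefinite quiet trust."""
    return sorted(app for app, r in report.items()
                  if r["last_seen"] is not None and now - r["last_seen"] > DORMANT_AFTER)


def build_sample():
    """Constructed log (not real telemetry): a routine integration querying once
    a minute for a day, a prototype app last used in March, and a second
    integration that enumerates objects then fires 1,000 queries in ~8 minutes."""
    t0 = datetime(2026, 6, 15, 0, 0, tzinfo=timezone.utc)
    lines = [fmt(t0 + timedelta(minutes=m), "NightlySyncApp", "query")
             for m in range(24 * 60)]
    lines.append(fmt(datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc),
                     "LegacyPrototypeApp", "query"))
    t1 = t0 + timedelta(hours=2)
    lines.append(fmt(t1, "VendorIntegrationApp", "describeGlobal"))
    lines += [fmt(t1 + timedelta(seconds=i * 0.5), "VendorIntegrationApp", "query")
              for i in range(1000)]
    return lines


if __name__ == "__main__":
    rep = analyse(build_sample())
    for app, r in rep.items():
        print(app, r)
    print("dormant:", dormant_apps(rep, datetime(2026, 6, 19, tzinfo=timezone.utc)))
```

The burst detector keys on the connected app rather than the user, because a stolen integration token acts as the app; a per-user baseline would show nothing unusual for the service account the token belongs to. The dormancy list is the cheaper check and the one that would have mattered first in the Klue chain.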
───────────────────────────────────────────────────
Nintendo Confirmed the TinyPulse Breach, Refused the Ransom, and the Real Story Is Who Else TinyPulse Touches
Nintendo of America confirmed Thursday that the extortion group SHADOWBYT3$ did steal employee data through TinyPulse, the WebMD Health Services-owned employee survey platform — closing the loop on a claim BCG flagged as developing on June 17. Nintendo's statement draws a sharp line: its own systems were never compromised, no customer or financial data was touched, and the exposed material is "limited to internal survey content comprising a small subset of our employees," most of it several years old. SHADOWBYT3$ disputes the scope, maintaining the dataset runs to roughly 859 MB spanning 2016–2026 and includes bank statements and W-9 forms, and has continued publishing data after Nintendo declined to pay the $2 million demand. Both things can be true at once — Nintendo's perimeter held, and a vendor holding a decade of its employees' financial paperwork did not. That's the part worth sitting with: TinyPulse serves a broad corporate client base from what appears to be shared infrastructure, meaning every other organization using the platform for "anonymous" internal surveys is exposed to the same compromise regardless of whether their name has surfaced yet. Nintendo is, so far, the only confirmed named victim.
Watch for: whether any regulated-industry clients — healthcare, finance, government — emerge among TinyPulse's other corporate customers. A confirmed HIPAA- or GLBA-covered victim would convert this from a Nintendo embarrassment into a notification-obligation story with teeth.
Sources: BleepingComputer (June 18–19, 2026); SC Media (June 19, 2026); TechNadu (June 19, 2026); TechTimes (June 19, 2026); Nintendo of America official statement, via Nintendo Life (June 18, 2026).
───────────────────────────────────────────────────
INC Ransomware Hit 830 Victims by Doing Nothing Clever
Acronis's Threat Research Unit published a profile of INC, the ransomware-as-a-service operation that's quietly become one of 2026's most prolific groups — more than 830 claimed victims since launching in August 2023, with US organizations accounting for over 65% of them. Acronis researcher Darrel Virtusio attributes the growth directly to competitor collapse: "the disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations." The tooling has matured — both the Windows and Linux/ESXi encryptors were rewritten in Rust for cross-platform builds and reverse-engineering resistance, and a recent credential dumper variant adds support for Veeam's newer salted DPAPI encryption, meaning INC affiliates are actively keeping pace with backup-vendor hardening rather than getting locked out by it. Acronis's own threat lead, Santiago Pontiroli, put the real takeaway bluntly to Dark Reading: INC's edge isn't novel malware, it's "a focus on proven intrusion methods that maximize volume rather than technical innovation" — initial access via spear-phishing, purchased IAB credentials, and known Citrix, Fortinet, and SimpleHelp RMM CVEs, then native tooling and commercial RMM software for lateral movement. INC also prints ransom notes to office printers as a pressure tactic, which is either a clever psychological touch or a sign the group understands its targets — healthcare, legal services, manufacturing, construction — have people walking past those printers all day.
Watch for: whether INC's NHS Dumfries & Galloway and Alder Hey Children's Hospital incidents draw the kind of UK regulatory attention that LockBit's healthcare-sector hits eventually did, or whether the group's lower public profile lets it keep operating under that threshold.
Sources: Acronis Threat Research Unit (June 18, 2026); The Hacker News (June 18, 2026); Dark Reading (June 17, 2026); GBHackers (June 19, 2026).
───────────────────────────────────────────────────
curl Is Taking July Off Because AI Slop Broke Its Bug Bounty, and More Projects May Follow
The curl project will not accept any vulnerability reports — HackerOne or email — for the entire month of July 2026, resuming August 3. Maintainer Daniel Stenberg is calling it the "summer of bliss," and the framing is only half a joke. curl ended its paid HackerOne bounty entirely back in January after its confirmed-vulnerability rate collapsed from a historical 15% to under 5%, with Stenberg estimating 20% of all 2025 submissions were AI-generated reports describing vulnerabilities that don't exist, code paths curl doesn't have, or bugs patched years ago. The volume didn't drop after the bounty money disappeared — one stretch saw seven invalid HackerOne submissions arrive within sixteen hours — which is the detail that matters here: removing the financial incentive didn't fix the problem, because the reports were never optimized for the bounty. They were optimized for nothing, generated by people running an LLM against a target without reading the output, at zero marginal cost to the submitter and real cost to a volunteer security team. Enterprises with paid curl support contracts keep coverage during the blackout; everyone else's reports go into a queue that doesn't open until August. The line in this story worth tracking isn't curl-specific. Stenberg explicitly said other open-source maintainers are facing the same pattern, and curl — widely used, well-resourced by open-source standards, with a maintainer willing to publicly name the problem — is the project with the visibility to make this a community conversation rather than a quiet, individual burnout story.
Watch for: whether other small-team open-source security maintainers announce similar pauses or structural changes to disclosure intake before curl's window reopens August 3 — that would confirm this is an ecosystem-wide reporting-economics problem rather than a curl-specific one.
Sources: curl Vulnerability Disclosure Policy, curl.se (June 2026); BleepingComputer (June 2026); ByteIota (June 15, 2026); ITPro (January 22, 2026); Hacker News discussion thread (June 17, 2026).
───────────────────────────────────────────────────
One Bluetooth Chipmaker's Bug Just Forced Apple, Sony, Bose, JBL, Marshall, and Jabra Into the Same Patch Cycle
Apple shipped firmware 1B211 for Beats Studio Buds this week, closing CVE-2025-20701 (CVSS 8.8) — a missing-authentication flaw in the Airoha Bluetooth audio SDK that lets an attacker within Bluetooth range connect to an unpaired earbud still searching for a pairing request and listen through its microphone. The bug isn't Apple's. Dennis Heinze and Frieder Steinmetz of ERNW GmbH disclosed it — alongside two related flaws, CVE-2025-20700 and CVE-2025-20702 — at the TROOPERS conference back in mid-2025, after finding that Airoha's diagnostic protocol was exposed over Bluetooth Classic without proper pairing enforcement on the chipsets that power audio products across the industry. Chained together, the three flaws let an attacker read currently-playing media, pull call history and contacts, and hijack the Hands-Free Profile to dial arbitrary numbers — not just eavesdrop, but actively command the paired phone. Apple's update lands roughly a year after disclosure, in the same week Jabra shipped its own fix; Sony, Bose, JBL, and Marshall have separately confirmed patched firmware on their affected lines. Apple's advisory describes the flaw only as residing in "open source code" and doesn't name Airoha directly. The interesting failure here isn't the vulnerability — missing-authentication bugs in BLE pairing flows are not new — it's the year-long, vendor-by-vendor patch cascade required to fix one chip vendor's mistake across a dozen consumer brands that each control their own firmware release schedule and, evidently, their own sense of urgency.
Watch for: whether any vendor using Airoha chips in still-unpatched product lines emerges, and whether ERNW or another firm demonstrates the full call-hijacking attack chain against currently shipping hardware rather than the disclosed proof-of-concept.
Sources: ERNW GmbH disclosure (2025, TROOPERS conference); BleepingComputer (June 18, 2026); heise online (June 17, 2026); CyberInsider (June 18, 2026); SC Media (June 18, 2026).
───────────────────────────────────────────────────
ShinyHunters Keeps Getting Taken Down and Keeps Coming Back; Now It's Building Infrastructure That Assumes That's Permanent
Cato Networks researchers published an assessment this week of how the ShinyHunters brand has survived a remarkable run of law enforcement pressure — multiple BreachForums seizures, the 2023 conviction of alleged founder Sébastien Raoult, and last year's arrests of multiple high-profile admins in France — and concluded the brand "consistently reemerged within days or weeks" after each disruption. The operational response to that pattern, per Cato, is new leak infrastructure built explicitly around redundancy: mirrors and torrent distribution designed so stolen data stays online, in the group's own words, "until the end of time." That's a meaningful shift in extortion mechanics. A centralized leak site is a target law enforcement can seize, as the FBI and French authorities did to BreachForums' domains this past year. A torrent swarm with multiple mirrors is not — there's no single point of failure to take down, which means the extortion threat against any future victim becomes less "pay or we publish" and more "pay or this is permanently, unkillably public," even after the group itself gets disrupted again. Cato ties the current ShinyHunters operation to the broader Scattered LAPSUS$ Hunters ecosystem and describes its evolution from straightforward database theft toward business-logic abuse — OAuth-connected app compromise and help-desk social engineering — which lines up with both the Oracle PeopleSoft campaign and the wider 2025–2026 Salesforce extortion wave already in this feed's coverage history.
Watch for: whether the torrent-based leak model gets adopted by other extortion brands as a hedge against takedown — if Icarus, INC, or another group in this edition starts mirroring its leak data the same way, that's confirmation this is becoming standard tradecraft rather than one group's innovation.
Sources: Cato Networks research report (June 2026), via Cybernews (June 19, 2026); Krebs on Security (November 26, 2025); TechRadar (2026).
───────────────────────────────────────────────────
Jonathan Brown | Border Cyber Group bordercybergroup.com | Support independent security reporting