This Week in Cybersecurity: Cybersecurity Vendors Breached via Klue's OAuth, Russia Hijacks Officials' Signal Accounts, and DirtyClone Exploit Grants Linux Root with No Trace
By Mollie Horne
This week, attackers didn't target the weakest link — they targeted the most trusted one.
On June 11, a threat group calling itself Icarus compromised Klue, a Vancouver-based market intelligence platform, and used a legacy credential to harvest OAuth tokens connected to customers' Salesforce integrations. The fallout hit the cybersecurity industry directly.
HackerOne, Huntress, Snyk, Recorded Future, Tanium, Gong, Kudelski Security, Jamf, and hundreds of other organizations had their sales CRM data stolen, with extortion messages arriving within days. On June 25, JFrog Security Research published a working public exploit for DirtyClone (CVE-2026-43503), a Linux kernel local privilege escalation that gains root without writing a single byte to disk, an attack that defeats file-integrity monitoring and leaves nothing in kernel audit logs; Debian and Fedora are vulnerable in their default configurations, and Ubuntu is also affected. Two days earlier, on June 23, CISA added three Ubiquiti UniFi OS vulnerabilities to its Known Exploited Vulnerabilities catalog, all rated CVSS 10.0 and chainable into unauthenticated root-level remote code execution against every UniFi console still running an unpatched version.
Beyond the enterprise perimeter, the week also brought two nation-state disclosures that underscore how intelligence services have refined their targeting of trusted channels. The SSU and FBI jointly disclosed that Russian intelligence services — FSB and military — have been systematically impersonating messaging platform support bots via SMS and malicious QR codes to link their devices to the accounts of government officials, military personnel, and politicians across Ukraine, Europe, and the United States. And China-aligned Mustang Panda was caught running two concurrent espionage campaigns against Indian government networks and the country's hydropower sector, with a new implant called ZOHOMURK that uses Zoho WorkDrive — a cloud service already trusted in Indian government environments — as its command-and-control channel. The common thread this week is the exploitation of things defenders already trust: a sales integration platform, a security-tooling blind spot, an unpatched network console, a messaging app, and a cloud storage provider. Here's what you need to know.
Icarus breaches Klue's OAuth integrations, exposing Salesforce CRM data at HackerOne, Huntress, Snyk, and hundreds of other companies
On June 11, 2026, threat actors gained unauthorized access to Klue's integration infrastructure by compromising a legacy service account credential — one that had never been rotated despite being tied to production OAuth integrations across multiple third-party platforms. The attackers used that foothold to push a malicious code update that harvested OAuth tokens, the authorization keys that allow Klue to connect with customers' Salesforce instances. With those tokens in hand, the group — which calls itself Icarus and has been active since at least April 28, 2026 — exfiltrated CRM data from Klue's customer base. Klue detected the intrusion the following day and immediately revoked affected credentials and disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Google Drive, and Slack, but the data was already gone.
The scope of the downstream exposure became clearer as Icarus began posting victims on its leak site and sending extortion messages. Among the hundreds of affected organizations confirmed or self-disclosed are HackerOne, Huntress, Recorded Future, Tanium, Jamf, Gong, Kudelski Security, Snyk, Insurity, and Sprout Social. The stolen data varies by customer but includes business names, contact information (names, work emails, job titles, phone numbers), subscription and pricing details, sales notes, opportunity records, and internal sales communications — the kind of relationship intelligence that underpins targeted phishing, competitive intelligence theft, and business email compromise. Huntress published its own breach notice on its blog, including the full text of the extortion email — subject line "top secret email," sender "mr bean" — giving security teams a concrete indicator to watch for.
Why it matters: The Icarus campaign follows the same structural logic as the 2025 Scattered Spider attacks on Salesforce-connected SaaS vendors: find a single integration provider holding broad OAuth access to many customers' CRM instances, break its credential hygiene, and extort the entire downstream customer base in one go. The lesson isn't specific to Klue: any vendor with a Salesforce integration in your environment holds a key to your CRM data. Audit your connected app authorizations now, enforce rotation on integration service accounts, and limit the OAuth scopes and Salesforce object permissions granted to third-party tools to what each integration strictly requires.
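The audit the paragraph calls for, as an added example (not Klue's, Salesforce's, or this article's code): it walks a constructed export of OAuth grants shaped like Salesforce's OauthToken records (AppName, UserId, CreatedDate, LastUsedDate, UseCount), enriched with Scopes, Objects, Writes and ServiceAccount columns that are assumptions for this example, checks each grant against a per-integration allow-list, and flags unapproved apps, over-broad scopes, write or object access beyond need, unrotated service-account grants, and dormant grants. The three grants, the app names and the policy thresholds are all constructed.

```python
from datetime import datetime, timezone

# Fixed clock so the audit is reproducible offline (assumption for this example).
NOW = datetime(2026, 6, 26, tzinfo=timezone.utc)

# Policy thresholds (assumptions; tune per organisation).
MAX_CREDENTIAL_AGE_DAYS = 90    # rotation interval for integration service accounts
MAX_IDLE_DAYS = 30              # a grant nobody uses is pure attack surface
BROAD_SCOPES = {"full", "web"}  # scopes that hand an app the whole org, not a slice of it

# Per-integration allow-list: which sObjects each approved app may touch and
# whether it may write. Apps missing from this table are unapproved by definition.
APPROVED = {
    "MarketIntel Sync": {"objects": {"Account", "Opportunity"}, "write": False},
    "CallRecorder":     {"objects": {"Contact", "Event"},       "write": True},
}

def audit_grants(grants, now=NOW):
    """Return (app, finding) pairs for OAuth grants that breach policy.

    Each grant mirrors the fields a Salesforce OauthToken export carries
    (AppName, UserId, CreatedDate, LastUsedDate, UseCount); Scopes, Objects,
    Writes and ServiceAccount are assumed enrichment columns for this example.
    """
    findings = []
    for g in grants:
        app = g["AppName"]
        age = (now - datetime.fromisoformat(g["CreatedDate"])).days
        idle = (now - datetime.fromisoformat(g["LastUsedDate"])).days
        policy = APPROVED.get(app)

        if policy is None:
            findings.append((app, "unapproved connected app; revoke"))
        else:
            extra = set(g["Objects"]) - policy["objects"]
            if extra:
                findings.append((app, f"touches objects beyond need: {sorted(extra)}"))
            if g["Writes"] and not policy["write"]:
                findings.append((app, "write access granted to a read-only integration"))
        broad = set(g["Scopes"]) & BROAD_SCOPES
        if broad:
            findings.append((app, f"broad OAuth scope(s): {sorted(broad)}"))
        if g["ServiceAccount"] and age > MAX_CREDENTIAL_AGE_DAYS:
            findings.append((app, f"service-account grant unrotated for {age} days"))
        if idle > MAX_IDLE_DAYS:
            findings.append((app, f"grant idle for {idle} days"))
    return findings

# Constructed sample export: three grants, none real.
SAMPLE_GRANTS = [
    {"AppName": "MarketIntel Sync", "UserId": "005000000000001",
     "CreatedDate": "2024-11-03T09:12:00+00:00", "LastUsedDate": "2026-06-25T16:40:00+00:00",
     "UseCount": 4120, "Scopes": {"api", "full"}, "Objects": {"Account", "Opportunity", "Task"},
     "Writes": True, "ServiceAccount": True},
    {"AppName": "CallRecorder", "UserId": "005000000000002",
     "CreatedDate": "2026-05-20T08:00:00+00:00", "LastUsedDate": "2026-06-24T11:05:00+00:00",
     "UseCount": 310, "Scopes": {"api", "refresh_token"}, "Objects": {"Contact", "Event"},
     "Writes": True, "ServiceAccount": False},
    {"AppName": "LegacyETL", "UserId": "005000000000003",
     "CreatedDate": "2023-02-14T12:00:00+00:00", "LastUsedDate": "2026-01-10T03:30:00+00:00",
     "UseCount": 9, "Scopes": {"api"}, "Objects": {"Account"},
     "Writes": False, "ServiceAccount": True},
]

if __name__ == "__main__":
    for app, finding in audit_grants(SAMPLE_GRANTS):
        print(f"{app:18} {finding}")
```

Against the constructed export, the clean CallRecorder grant produces nothing, MarketIntel Sync is flagged four times (extra object, unneeded write access, the full scope, and a never-rotated service account), and LegacyETL is flagged as unapproved, unrotated, and dormant. In a real org the same structure works on an export of the OauthToken object joined with your connected-app policy; the point is that the allow-list is per integration, not global.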
Read more at SecurityWeek
Ubiquiti patches three CVSS 10.0 UniFi OS flaws that let unauthenticated attackers take full root control — CISA adds all three to KEV
On May 21, 2026, Ubiquiti released UniFi OS Server version 5.0.8 alongside Security Advisory Bulletin 064 (SAB-064), patching three critical vulnerabilities in UniFi OS: CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, each carrying the maximum CVSS base score of 10.0. On June 23, more than a month after the patch was available, CISA added all three to its Known Exploited Vulnerabilities catalog, confirming that threat actors are actively targeting unpatched devices in the wild.
The three flaws are individually serious but most dangerous in combination. CVE-2026-34908 is an improper access control issue allowing remote attackers to make unauthorized changes to UniFi OS devices without authentication. CVE-2026-34909 is a path traversal defect enabling an attacker to read and write arbitrary files on the underlying operating system, including files used to manage system accounts. CVE-2026-34910 is an improper input validation flaw that allows command injection over the network. Chained in sequence, the three constitute a complete unauthenticated root takeover: bypass access controls, traverse to account-management files, inject and execute OS commands. The patch has been available since May 21; the CISA KEV addition means federal agencies must remediate under mandatory timelines, and any organization running an unpatched UniFi console should treat this as an emergency.
Why it matters: UniFi OS powers Ubiquiti's Dream Machine series, Cloud Gateways, and Network Video Recorders — hardware deployed across a large share of small- to midsize enterprise and distributed-office networks. A CVSS 10.0 RCE chain on network infrastructure means an attacker who finds an unpatched console on your perimeter owns the network segment. Update to UniFi OS Server 5.0.8 immediately; if you're running a console that hasn't received that update, prioritize it above the rest of your patch queue this week.
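A way to turn the KEV addition into a prioritised patch list, as an added example that is not CISA's or Ubiquiti's tooling: it reads a constructed excerpt in the shape of CISA's KEV JSON feed (the field names follow the real feed; the vulnerabilityName, requiredAction and dueDate values, and the "UniFi OS" product string, are assumptions, since the article does not give them), compares each console in a constructed inventory against the 5.0.8 fixed version named in the advisory, and returns the exposed consoles, oldest version first, with the CVE IDs and earliest due date attached.

```python
import json
import re

# UniFi OS Server release that carries the SAB-064 fixes, per the advisory.
FIXED_VERSION = "5.0.8"

def parse_version(v):
    """'5.0.8' -> (5, 0, 8). Non-numeric suffixes are ignored and short
    versions are zero-padded, so '5.0' compares as (5, 0, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def kev_entries_for(kev_json, vendor, product):
    """Entries in a KEV feed document for one vendor/product pair."""
    catalog = json.loads(kev_json)
    return [e for e in catalog["vulnerabilities"]
            if e["vendorProject"] == vendor and e["product"] == product]

def exposed_consoles(kev_json, inventory, fixed=FIXED_VERSION):
    """Consoles running below `fixed`, oldest version first, each annotated
    with the KEV CVE IDs and the earliest KEV due date for queue ranking."""
    entries = kev_entries_for(kev_json, "Ubiquiti", "UniFi OS")
    cves = sorted(e["cveID"] for e in entries)
    due = min(e["dueDate"] for e in entries) if entries else None  # ISO dates sort lexically
    target = parse_version(fixed)
    return [
        {"host": h["host"], "model": h["model"], "version": h["version"], "cves": cves, "due": due}
        for h in sorted(inventory, key=lambda h: parse_version(h["version"]))
        if parse_version(h["version"]) < target
    ]

# Constructed KEV excerpt. CVE IDs, flaw classes and dateAdded come from the
# advisory coverage above; every other value is an assumption for the example.
_FLAW_CLASSES = {
    "CVE-2026-34908": "Improper Access Control",
    "CVE-2026-34909": "Path Traversal",
    "CVE-2026-34910": "Improper Input Validation",
}
KEV_EXCERPT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": cve, "vendorProject": "Ubiquiti", "product": "UniFi OS",
         "vulnerabilityName": f"Ubiquiti UniFi OS {flaw} Vulnerability",
         "dateAdded": "2026-06-23",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2026-07-14", "knownRansomwareCampaignUse": "Unknown"}
        for cve, flaw in _FLAW_CLASSES.items()
    ],
})

# Constructed console inventory (hostnames, models and versions are made up).
INVENTORY = [
    {"host": "udm-pro-hq",     "model": "UDM-Pro",   "version": "4.1.13"},
    {"host": "ucg-branch-02",  "model": "UCG-Ultra", "version": "5.0.8"},
    {"host": "unvr-warehouse", "model": "UNVR",      "version": "5.0.10"},
    {"host": "udm-se-lab",     "model": "UDM-SE",    "version": "5.0"},
]

if __name__ == "__main__":
    for c in exposed_consoles(KEV_EXCERPT, INVENTORY):
        print(f"{c['host']:16} {c['model']:10} {c['version']:8} due {c['due']}  {', '.join(c['cves'])}")
```

Swap the constructed excerpt for the live feed CISA publishes and the inventory for whatever your asset system exports, and the output is the list to push to the top of this week's patch queue. The due date is what federal agencies are held to; for everyone else it is a useful outer bound, not a target.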
Read more at CISA
Mustang Panda deploys ZOHOMURK implant against Indian government and hydropower targets, hiding C2 inside Zoho WorkDrive
Between June 12 and June 22, 2026, Acronis Threat Research Unit tracked two concurrent espionage campaigns orchestrated by Mustang Panda, the China-aligned advanced persistent threat group, targeting Indian government networks and India's hydropower sector. The campaigns were disclosed jointly with CERT-In, which assisted in notification and cleanup. The initial vector in both campaigns was DLL sideloading: one campaign used a trojanized Solid PDF Creator executable; the other abused a Citrix Receiver binary. The loader, which Acronis designates SHARDLOADER, drops MINIRECON — a reworked variant of the group's Toneshell backdoor — along with a newly identified implant called ZOHOMURK.
ZOHOMURK is what makes this campaign operationally notable. The implant uses Zoho WorkDrive — a cloud storage platform common in India's public-sector IT environment — for command-and-control, victim registration, tasking, and data exfiltration, with traffic designed to blend into normal cloud storage activity. The lures were precisely targeted: one campaign used a hydropower cooperation proposal as its document decoy, the other used a memorandum of understanding between Indian and Taiwanese government institutions. Acronis found active beaconing from machines belonging to senior Indian government administrative staff, suggesting the access extended well beyond initial-stage footholds.
Why it matters: The ZOHOMURK technique, using a cloud service already trusted inside the target's environment as a C2 channel, is increasingly common among sophisticated APTs precisely because it is difficult to block without disrupting legitimate business operations. Mustang Panda is also demonstrating an expanding regional focus: this week's targeting of the Indian government and energy sectors follows April's LOTUSLITE variant campaign against India's banking sector and South Korean policy circles. If your organization has any Indian government or hydropower sector partners, treat this as a signal to review shared network access and audit outbound Zoho WorkDrive traffic patterns.
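Detection logic for that last recommendation, as an added example (not Acronis's or CERT-In's code): it parses constructed proxy log lines, isolates requests to hostnames assumed here to be Zoho WorkDrive endpoints, and flags sources that either have no prior WorkDrive usage in a baseline or check in at suspiciously regular intervals. The log format, hostnames, paths, IP addresses and baseline are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hostnames treated as Zoho WorkDrive endpoints. Assumption for this example;
# derive the real list from your proxy or DNS data before deploying.
WORKDRIVE_HOSTS = {"workdrive.zoho.com", "workdrive.zoho.in", "workdrive.zohoapis.com"}

# Sources that legitimately used WorkDrive before the observation window
# (constructed baseline; in practice build it from the previous 30 days of logs).
BASELINE_SOURCES = {"10.1.7.5"}

# Constructed log format: "<ISO time> <src ip> <method> <host> <path> <bytes> <status>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<bytes>\d+) (?P<status>\d{3})$"
)

def parse_line(line):
    """One proxy line -> dict, or None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["bytes"] = int(rec["bytes"])
    return rec

def beacon_candidates(lines, min_hits=8, max_jitter=0.15):
    """Return {src: [reasons]} for sources whose WorkDrive traffic looks like
    tasking rather than people. Two signals: the source never used WorkDrive
    in the baseline, and/or its requests arrive at regular intervals (the
    coefficient of variation of the gaps is below max_jitter over at least
    min_hits requests). Human file browsing is bursty; implant check-ins are not."""
    per_src = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec and rec["host"] in WORKDRIVE_HOSTS:
            per_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        if src not in BASELINE_SOURCES:
            reasons.append("no prior WorkDrive usage in baseline")
        if len(recs) >= min_hits:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
            mean = statistics.fmean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
            if cv < max_jitter:
                reasons.append(f"regular {mean:.0f}s interval over {len(recs)} requests (cv={cv:.2f})")
        if reasons:
            findings[src] = reasons
    return findings

def constructed_log():
    """Constructed sample: 10.1.4.23 checks in every ~60 s with small drift,
    10.1.7.5 browses files like a person, 10.1.9.9 never touches WorkDrive."""
    base = datetime(2026, 6, 20, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    t = base
    for drift in (0, 2, -1, 1, 0, -2, 1, 0, 2, -1, 1, 0):
        t += timedelta(seconds=60 + drift)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.1.4.23 POST workdrive.zoho.com /api/v1/files 734 200")
    for secs, path in ((0, "/files"), (95, "/files/shared"), (400, "/download/q1"),
                       (1500, "/files"), (1530, "/download/q2")):
        t = base + timedelta(seconds=secs)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.1.7.5 GET workdrive.zoho.com {path} 20480 200")
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} 10.1.9.9 GET www.example.com / 1200 200")
    return lines

if __name__ == "__main__":
    for src, reasons in beacon_candidates(constructed_log()).items():
        print(src, "->", "; ".join(reasons))
```

On the constructed log only 10.1.4.23 is reported, for both reasons. The baseline signal is the cheap one and fires on every first-time user, so it belongs in a review queue rather than a page; the interval signal is the one worth alerting on, and implants that add jitter on purpose push the coefficient of variation up, so set max_jitter from what your own human WorkDrive traffic looks like rather than from this example.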
Read more at The Hacker News
Russia impersonates messaging platform support bots to hijack accounts of government officials and military personnel in Ukraine, Europe, and the US
On June 25, 2026, the Security Service of Ukraine (SSU) and the Federal Bureau of Investigation (FBI) jointly disclosed a long-running campaign by multiple Russian Intelligence Services (RIS), including FSB officers and Russian military intelligence units, to compromise the messaging accounts of government officials, military personnel, politicians, and civil society activists across Ukraine, Europe, and the United States. The campaign uses two primary techniques. In the first, attackers send SMS messages that masquerade as official support notifications from the messaging platform, urging targets to verify their accounts or confirm suspicious activity. In the second, attackers distribute malicious QR codes, delivered via social engineering or through a compromised member of the target's contact network, that, when scanned, silently link the attacker's device to the victim's account, granting persistent read access to message history and future communications.
The SSU described the campaign as systematic and sustained, with the goal of intercepting sensitive military, political, and economic information exchanged by targeted officials, as well as building a database of personal account data for later targeting. The Hacker News reporting confirmed that the SSU attributed the campaign to multiple RIS groups operating concurrently, with coordination between FSB and military elements suggesting deliberate, interagency intelligence prioritization. No specific messaging platform was identified by name in the joint advisory, though the techniques described — QR-code device-linking and support-bot impersonation — align closely with known attack patterns against Signal and Telegram.
Why it matters: For security leaders who protect executives, board members, government affairs staff, or any employee with access to sensitive communications, this campaign is a direct operational threat. The QR-code device-linking technique needs no technical exploit; it succeeds the moment a target scans a code they believe is legitimate, because linking a device is a supported feature of the platform, not a bug. Brief your highest-risk users now: messaging platforms do not send SMS asking you to scan a QR code or verify your account. Have users review their linked devices on a schedule (Signal: Settings > Linked Devices; Telegram: Settings > Devices) and unlink or terminate anything they do not recognize, and have them turn on Signal's Registration Lock and Telegram's Two-Step Verification so that an SMS verification code alone cannot re-register the account.
Read more at Security Affairs
JFrog publishes working DirtyClone exploit for unpatched Linux kernel root flaw with no on-disk trace (CVE-2026-43503)
On June 25, 2026, JFrog Security Research published a working exploit walkthrough for DirtyClone (CVE-2026-43503, CVSS 8.8), a local privilege escalation vulnerability in the Linux kernel belonging to the DirtyFrag family. The flaw lives in two kernel helper functions, __pskb_copy_fclone() and skb_shift(), which silently drop the SKBFL_SHARED_FRAG flag when they clone a network packet internally. That flag marks packet fragments whose backing pages are shared with something else, such as the page-cache pages of a file spliced into a socket, and therefore must be copied before they are modified. With the flag gone, the kernel no longer knows the pages are shared, and any in-place processing of the packet writes straight into them.
The exploit technique loads a privileged binary such as /usr/bin/su into memory, wires its page-cache pages into a network packet, and forces the kernel to clone that packet through an attacker-controlled IPsec tunnel. The in-place decryption step then overwrites the binary's access-check logic with attacker-controlled bytes, yielding a root shell. The attack leaves no disk artifacts: file-integrity monitoring tools that hash on-disk files will report the binary as clean after compromise, and kernel audit logs show nothing because no file write ever occurs. Debian and Fedora are vulnerable in their default configurations because unprivileged user namespaces are enabled by default, which gives an unprivileged local user the network-namespace privileges needed to set up the IPsec state the exploit relies on; Ubuntu is also affected. The patch shipped in Linux mainline on May 21 (v7.1-rc5), but most distributions have not yet delivered it to end users, leaving cloud servers, Kubernetes clusters, and CI runners broadly exposed.
Why it matters: A public PoC, widespread distribution exposure, and detection-evading mechanics make DirtyClone a high priority for any organization running Linux in cloud or containerized environments. The no-trace characteristic is particularly dangerous for teams relying on file-integrity monitoring as a compensating control — that tool will not catch this attack. The immediate mitigation is to verify whether your distribution has shipped the kernel patch; if not, disabling unprivileged user namespaces closes the most accessible attack path on Debian and Fedora. Kubernetes and CI runner operators should treat this as urgent regardless of distribution patch status.
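The mitigation check described above, as an added example that is not JFrog's or any distribution's tooling: it reads the sysctls that gate unprivileged user-namespace creation (kernel.unprivileged_userns_clone on Debian and Ubuntu kernels, kernel.apparmor_restrict_unprivileged_userns on Ubuntu 24.04 and later, user.max_user_namespaces upstream and therefore on Fedora), reports whether an unprivileged user can still create one, and names the sysctl that would close it. It can be pointed at a synthetic /proc tree so the logic can be exercised without root or a vulnerable host.

```python
import tempfile
from pathlib import Path

# sysctls that gate unprivileged user-namespace creation, as (name, is_open)
# where is_open(value) is True when the knob still permits an unprivileged
# clone(CLONE_NEWUSER). Which knobs exist depends on the distribution.
KNOBS = [
    # Debian/Ubuntu kernels: 1 = unprivileged user namespaces allowed
    ("kernel.unprivileged_userns_clone", lambda v: v == "1"),
    # Ubuntu 24.04+: 1 = AppArmor stops unconfined processes from creating them
    ("kernel.apparmor_restrict_unprivileged_userns", lambda v: v == "0"),
    # Mainline knob (what Fedora exposes): 0 = nobody, root included, may create one
    ("user.max_user_namespaces", lambda v: v != "0"),
]

# Setting that closes each knob. The mainline knob is a blunt instrument: it
# also breaks rootless containers, Flatpak, browser sandboxes and anything else
# built on user namespaces, so test before rolling it out.
CLOSE = {
    "kernel.unprivileged_userns_clone": "kernel.unprivileged_userns_clone=0",
    "kernel.apparmor_restrict_unprivileged_userns": "kernel.apparmor_restrict_unprivileged_userns=1",
    "user.max_user_namespaces": "user.max_user_namespaces=0",
}

def _read_sysctl(proc_root, name):
    """Value of a sysctl via its /proc/sys mirror, or None if absent."""
    try:
        return Path(proc_root, "sys", *name.split(".")).read_text().strip()
    except OSError:
        return None

def userns_exposure(proc_root="/proc"):
    """Report whether an unprivileged user on this host can create a user
    namespace (DirtyClone's most accessible path). Returns a dict with
    'exposed' (True/False, or None if no knob could be read), the knob values
    seen, and the sysctl that would close the exposure. `proc_root` lets the
    check run against a synthetic tree instead of the live kernel."""
    seen = {}
    for name, _ in KNOBS:
        value = _read_sysctl(proc_root, name)
        if value is not None:
            seen[name] = value
    if not seen:
        return {"exposed": None, "knobs": {}, "mitigation": ""}
    # Every present knob must still be open for the path to be usable.
    exposed = all(is_open(seen[name]) for name, is_open in KNOBS if name in seen)
    first = next(name for name, _ in KNOBS if name in seen)
    return {"exposed": exposed, "knobs": seen,
            "mitigation": f"sysctl -w {CLOSE[first]}" if exposed else ""}

def make_proc_tree(values):
    """Write a synthetic /proc/sys tree from {sysctl_name: value} (for dry runs
    and tests) and return its root directory."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for name, v in values.items():
        p = Path(root, "sys", *name.split("."))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(f"{v}\n")
    return root

if __name__ == "__main__":
    live = userns_exposure()  # the real host
    print(f"exposed={live['exposed']} knobs={live['knobs']}")
    if live["mitigation"]:
        print("close with:", live["mitigation"])
```

Two caveats a practitioner should carry with this. First, confirming the kernel fix itself means checking your distribution's changelog or security tracker for CVE-2026-43503, not comparing uname -r against mainline 7.1-rc5, because distributions backport fixes without bumping the version. Second, because the tampered bytes live in the page cache and, per the article, never reach disk, a normal read of a setuid binary returns the tampered page while an O_DIRECT read bypasses the cache and returns what is actually on disk; if the overwritten pages are not marked dirty (which is what "no disk artifacts" implies), comparing the two hashes is one way to catch a compromise that write-event FIM misses. That comparison is not part of the example above.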
Read more at TechTimes
Final thoughts
This week's headlines share an uncomfortable common thread: the attacks that succeeded weren't the loudest or most technical — they were the ones that found something defenders already trusted and used it as the entry point. A sales intelligence vendor's OAuth tokens. A Linux kernel's packet-cloning flaw that roots your system without touching a file on disk. A messaging platform's support notification format. A legitimate cloud storage service's API. And in the case of Ubiquiti, a patch that was available for more than a month while threat actors were actively exploiting the unpatched versions that remained in production.
That pattern — the gap between when a fix or defensive measure exists and when it's actually applied — is where most successful attacks live. The Klue breach didn't require a novel exploit; it required an unrotated service account credential. The Ubiquiti attacks didn't require a new zero-day; they required organizations that hadn't applied a patch from May. Closing that gap — in credential hygiene, patch deployment, kernel patch currency, and user awareness — is the recurring prescription that this week's news reinforces.
Check back next Tuesday.