Daily cybersecurity briefing for CISOs and security leaders.

🎧 Listen to this episode

Today's episode covers 10 stories across 4 topic areas, including: Hostile states behind three-quarters of attacks on Britain's critical infrastructure, cyber chief warns; EU grants Ukraine access to cybersecurity reserve for major attacks; North Korean Hiring Fraud Runs on AI and US Laptop Farms.

The Record (Recorded Future) · Jun 17 · Relevance: █████████░ 9/10

Why it matters to CISOs: The UK NCSC CEO's public warning that nation-states are pre-positioning inside critical infrastructure — explicitly framing current intrusions as intelligence-gathering for future kinetic conflict — should inform threat modeling and board-level risk conversations for any CISO with CNI exposure.

📖 Read full article

The Record (Recorded Future) · Jun 17 · Relevance: ████████░░ 8/10

Why it matters to CISOs: The EU formally integrating Ukraine into its cyber incident response reserve reflects a significant escalation in collective defense posture — CISOs at multinationals operating in or near conflict-adjacent European markets should factor this into their geopolitical risk assessments.

📖 Read full article

Infosecurity Magazine · Jun 17 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Nisos' infiltration of a North Korean IT worker fraud cell using AI-generated interview personas and US-based laptop farms underscores the sophistication of insider threat vectors CISOs must now build controls against in hiring and contractor vetting processes.

📖 Read full article

Cybersecurity Dive · Jun 17 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Iran-linked group Handala claiming an attack on one of the US's largest water utilities is a significant critical infrastructure threat indicator — CISOs in water, energy, and municipal services sectors should elevate threat monitoring and review OT network segmentation posture.

📖 Read full article

CyberScoop · Jun 18 · Relevance: █████████░ 9/10

Why it matters to CISOs: Accenture's $4.18B acquisition of Dragos, runZero, and NetRise signals a major consolidation in OT/ICS security and asset visibility — CISOs at industrial, energy, and critical infrastructure organizations need to reassess vendor relationships and competitive dynamics in this space immediately.

📖 Read full article

BankInfoSecurity · Jun 18 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: The Gentlemen gang's industrialized EDR-killing toolkit — targeting 400+ security processes across 48 products and rapidly incorporating newly disclosed vulnerable drivers — directly threatens the endpoint detection layer most enterprises rely on as a core ransomware defense.

📖 Read full article

Help Net Security · Jun 18 · Relevance: █████████░ 9/10

Why it matters to CISOs: Nearly 74,000 Fortinet firewall and VPN gateway credentials leaked by a Russian-speaking threat group represents an immediate, actionable threat for any enterprise running Fortinet perimeter devices — credential rotation and access audits are urgent.

📖 Read full article

BleepingComputer · Jun 18 · Relevance: ████████░░ 8/10

Why it matters to CISOs: An OAuth compromise at a SaaS vendor (Klue) being weaponized to exfiltrate Salesforce CRM data across multiple organizations illustrates the cascading third-party supply chain risk inherent in SaaS ecosystems — CISOs should audit OAuth app permissions and SaaS-to-SaaS trust chains.

📖 Read full article

BankInfoSecurity · Jun 18 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A supply-chain attack poisoning a widely used AI agent framework on npm directly targets the AI development pipelines now present in most large enterprises — CISOs need to ensure AI/ML development teams are included in software supply chain security controls.

📖 Read full article

CyberScoop · Jun 17 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Active exploitation of FortiSandbox vulnerabilities disclosed in April — confirmed by multiple firms and originating from multiple threat actors — means unpatched Fortinet environments are under active attack right now, compounding the FortiBleed credential exposure.

📖 Read full article

Alex: Good morning. It's Thursday, June 18th, 2026. Welcome to Cleartext. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: We have a dense one today. The UK's cyber chief just said the quiet part loud about nation-state pre-positioning in critical infrastructure. Accenture dropped four billion dollars on OT security in a single morning. Fortinet is having a very bad week — credential leaks, active exploitation, all compounding at once. We've got an OAuth breach cascading through Salesforce environments, a poisoned AI framework on npm, and North Korean hiring fraud that's gotten disturbingly sophisticated. Let's get into it.

Jordan: I want to start with Richard Horne at RUSI yesterday. The NCSC CEO stood up and said that seventy-five percent of consequential cyberattacks on UK critical infrastructure are attributed to nation-state actors. That number alone is worth pausing on. But the real substance was in how he framed the threat. He said, and I'm paraphrasing closely here, that kinetic targeting in any future conflict will be based on intelligence being gathered today. He's explicitly telling operators that what looks like espionage right now is battlefield preparation.

Alex: And the framing matters enormously for how you carry this into a board conversation. This is not "we might get hit by ransomware." This is a senior government official saying adversary nations are inside your infrastructure right now, mapping it, understanding it, and planning to use that knowledge in a future conflict scenario. If you're a CISO at a utility, a telco, a transportation company, a port operator — this is the threat model you should be presenting to your board. Not theoretical. Active. Ongoing.

Jordan: He also reframed cyber defense explicitly as a contest against a shifting opponent, not as a manageable risk. That's a meaningful rhetorical shift from a Five Eyes national cyber authority. He's telling CISOs: stop treating this like a compliance exercise. Your adversary is adapting faster than your control framework.

Alex: And if you pair that with the California water utility story — Handala, an Iran-linked group, claiming an attack on one of the largest water companies in the United States — you see the pattern Horne is describing playing out in real time. Handala has a track record of destructive and disruptive attacks against Israeli and Western infrastructure. The utility says it's investigating. But the fact that an Iranian proxy group is even credibly claiming access to a major US water system should be a five-alarm signal for every OT-heavy CISO in the country.

Jordan: OT network segmentation, visibility into east-west traffic in your industrial control environments, and honest assessment of whether your IT-OT boundary is actually a boundary — those are the immediate action items. If you haven't pressure-tested your OT segmentation in the last six months, this week is your prompt.

Alex: Which brings us neatly to the Accenture story, because the market just moved. Accenture announced this morning it's acquiring Dragos, runZero, and NetRise for a combined four point one eight billion dollars. This is Accenture's first major push into operational technology security software. Dragos for ICS threat detection, runZero for asset discovery, NetRise for firmware and software supply chain analysis. Together, that's a full-stack OT security play.

Jordan: This is a consolidation event. Full stop. If you're a CISO who has contracts with any of these three companies, you need to be on the phone with your account team today. Not because the products are going to disappear overnight, but because the incentive structures just changed. Accenture is a services company. They will integrate these tools into managed offerings. Your standalone deployment model may not be the priority anymore.

Alex: And from a market dynamics perspective, this is Accenture looking at the threat landscape we just discussed — nation-state pre-positioning, critical infrastructure under siege — and placing a four-billion-dollar bet that OT security spend is about to explode. They're probably right. But for buyers, consolidation means fewer independent options. If you were evaluating competitors to Dragos or runZero, your shortlist just got shorter. Plan accordingly.

Jordan: Now let's talk about Fortinet, because they are having a compounding bad week. Story one: a Russian-speaking threat group exfiltrated credentials from the configuration files of nearly seventy-four thousand Fortinet firewalls and VPN gateways worldwide. The data was discovered by researcher Volodymyr Diachenko after the group accidentally exposed it on a server. Affected organizations reportedly include Oracle, Lenovo, FedEx, a NATO contractor, and Fortinet itself.

Alex: Let me be direct. If you run Fortinet perimeter devices, you should be treating this as a confirmed credential compromise until you can prove otherwise. Rotate every credential associated with those devices. Audit every VPN session. Check for anomalous admin access. Do it today.

Jordan: And it gets worse. Multiple security firms have confirmed active exploitation of two critical FortiSandbox vulnerabilities that Fortinet disclosed back in April. These are being hit by multiple unrelated threat actors — this isn't one campaign, it's broad opportunistic exploitation. The timing overlap with the FortiBleed credential leak is not coincidental in terms of risk. You now have attackers with stolen credentials and known unpatched vulnerabilities in the same product family. That's a convergence that leads to breaches.

Alex: If I'm sitting in a CISO chair right now and I have Fortinet in my environment, I'm escalating this to my executive team as an active incident posture, not a vulnerability management ticket. Patch the FortiSandbox boxes. Rotate the credentials. And run a threat hunt specifically looking for indicators tied to both the credential dump and the sandbox exploits. This is the kind of compound risk that slips through when you treat each advisory in isolation.

Jordan: Shifting to SaaS supply chain risk. Klue, a market intelligence platform, suffered an OAuth breach that a threat actor called Icarus weaponized to exfiltrate Salesforce CRM data from multiple downstream organizations. This is now an active extortion campaign.

Alex: This is the SaaS-to-SaaS trust chain problem that we've been warning about for years, and it's here in full bloom. An OAuth token from one vendor becomes a skeleton key into your CRM. How many of your SaaS vendors have OAuth integrations with Salesforce, with your HRIS, with your code repos? If you don't have an answer to that question, you have a blind spot that's being actively exploited right now. Audit your OAuth app permissions. Map your SaaS-to-SaaS trust relationships. Revoke anything that's over-permissioned or stale.

Jordan: And on the supply chain theme, the Mastra AI framework — widely used to build AI agents, workflows, and RAG pipelines — was poisoned via a compromised npm package. GitHub, which owns npm, told all developers to downgrade Mastra pending cleanup.

Alex: The AI development pipeline is now a supply chain attack surface, and most security teams haven't extended their software composition analysis to cover it. If your engineering teams are building with AI agent frameworks, they need to be under the same supply chain security controls as every other dependency. If they're not, fix that gap.

Jordan: Let me hit the EU-Ukraine story quickly because it matters for geopolitical context. The EU formally granted Ukraine access to its cybersecurity reserve — a pool of pre-approved incident response firms that can deploy during major attacks. This coincides with Ukraine's formal accession steps toward EU membership.

Alex: For CISOs at multinationals operating in Central or Eastern Europe, this changes the collective defense landscape. The EU is expanding its cyber defense perimeter eastward into an active conflict zone. That means the threat actors targeting Ukraine — Russian state groups, primarily — are now operating against an infrastructure that has formal EU incident response backing. It raises the stakes for everyone in that geography.

Jordan: Two more quick hits. The Gentlemen ransomware gang is industrializing EDR evasion. ESET researchers documented their GentleKiller toolkit — it targets over four hundred security processes across forty-eight endpoint products and rapidly incorporates newly disclosed vulnerable drivers. This isn't novel conceptually, but the speed of integration and the breadth of coverage make it operationally significant. If your ransomware defense depends primarily on your EDR catching everything, you need defense in depth behind it. Assume the EDR layer can be defeated.

Alex: And finally, North Korean IT worker fraud. Nisos infiltrated a fraud cell using AI-generated interview personas and a US-based laptop farm to mask the true locations of North Korean workers. This is both a financial fraud vector and a potential espionage and sabotage risk. Your hiring and contractor vetting processes need to account for this. Identity verification that goes beyond a video call, because the video call might be AI-generated. Geolocation verification of contractor devices. These are controls that didn't exist in most hiring workflows two years ago, and they need to exist now.

Jordan: Looking at the week's emerging theme, Alex, it's convergence. Nation-state pre-positioning is converging with critical infrastructure exposure. Credential leaks are converging with unpatched vulnerabilities. SaaS trust chains are converging with extortion campaigns. AI development pipelines are converging with supply chain attacks. None of these are isolated problems anymore.

Alex: Agreed. And I think the meta-lesson for CISOs this week is that risk compounds faster than most organizations can respond to it in isolation. The Fortinet situation is the clearest example — any one of those stories is serious, but together they're a crisis for affected organizations. The CISOs who are ahead of this are the ones running compound risk scenarios, not just individual vulnerability assessments. That's the capability to build.

Jordan: Watch the Accenture integration closely. Watch for follow-on exploitation tied to the FortiBleed credentials. And if you haven't mapped your SaaS OAuth trust chains, make that your weekend project.

Alex: That's our show for Thursday, June 18th. Show notes and links to every story we covered are at cleartext.fm. We'll be back tomorrow.

Jordan: Stay sharp.

Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-06-18.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.