- Cloud Security Newsletter
- Posts
- π¨ The Klue OAuth Token Breach: Why Stolen Credentials Now Get Used in Seconds, Not Days
π¨ The Klue OAuth Token Breach: Why Stolen Credentials Now Get Used in Seconds, Not Days
A forgotten OAuth token at Klue exposed Salesforce CRM data across a string of security vendors this week, while AI models surfaced a 29-year-old Squid proxy bug and OpenAI shipped a model built to find and patch vulnerabilities. Varonis incident responder Simon Biggs explains why automated post-compromise activity now lands seconds after a token is stolen, why attacks have flipped from encryption-first to data-first, and why the only durable defense is logging and classification done before the breach.
Ashish Rajan
June 24, 2026
Hello from the Cloud-verse!
This weekβs Cloud Security Newsletter topic: Data-first attacks break forensic assumption and logging is the only fix that scales(continue reading)
This image was generated by AI. It's still experimental, so it might not be a perfect match!
Incase, this is your 1st Cloud Security Newsletter! You are in good company!
You are reading this issue along with your friends and colleagues from companies like Netflix, Citi, JP Morgan, Linkedin, Reddit, Github, Gitlab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter, who like you want to learn whatβs new with Cloud Security each week from their industry peers like many others who listen to Cloud Security Podcast & AI Security Podcast every week.
Welcome to this weekβs Cloud Security Newsletter
The pattern across this week's incidents is hard to miss: bug discovery is moving at AI speed while the damage still runs through old, ordinary plumbing β an abandoned OAuth token, a decades-old C bug, stolen RDP credentials. That gap is exactly where Simon Biggs spends his time. Biggs is a cyber incident response specialist on the forensics team at Varonis, with roughly 15 years in the field, starting in UK cyber law enforcement and later doing consultancy IR at NCC Group. Ashish Rajan sat down with him at Infosecurity Europe to ask the question on everyone's mind this year: is there actually a wave of sophisticated AI attacks, and what does forensics look like when the attacker is automating?
His answer is more useful than the hype. AI is not unlocking the impossible β it is lowering the barrier to entry and compressing the timeline. The defensive consequence is concrete and unglamorous: if you can't trace a clear path from your data back to an endpoint, and you haven't classified your data in advance, you won't be able to tell a customer, a regulator, or a contractually-armed third party what was taken.[Listen to the episode]
β‘ TL;DR for Busy Readers
Klue OAuth breach β Salesforce CRM theft: A forgotten, never-revoked OAuth token let attackers exfiltrate CRM data from Klue's customers, with extortion group "Icarus" claiming the theft. Pull your Salesforce Connected Apps OAuth usage and revoke any integration without an owner.
AI is finding old bugs faster than you can patch them: "Squidbleed" (a 1997 Squid proxy flaw) was surfaced with help from Anthropic's Mythos model the same week OpenAI shipped GPT-5.5-Cyber. Treat disclosure-to-exploit windows as effectively zero for perimeter assets.
PixelSmash (CVE-2026-8461) puts RCE in your media-processing tier: Any service that transcodes or thumbnails uploaded media via FFmpeg/libavcodec is exposed pre-auth. Inventory what links libavcodec and patch to 8.1.2.
Attacks are now data-first, not encryption-first: Biggs sees crafted SQL queries pulling credentials and PII within minutes of access. Without database and egress logging, forensics can't tell you what left.
Prepare before the breach: Data classification and a clean audit path from data to endpoint are the difference between "your data is out of scope" and "we don't know." Run a dry-run IR exercise on one critical data store this week.
π° THIS WEEK'S TOP 5 SECURITY HEADLINES
Each story includes why it matters and what to do next β no vendor fluff.
1. Klue OAuth breach feeds 'Icarus' extortion across multiple security vendors
Primary source: BleepingComputer
Reporting: TechCrunch, The Hacker News, CSO Online
What Happened
Competitive-intelligence vendor Klue was compromised through a long-lived OAuth credential created years earlier for an abandoned integration and never revoked. The attacker pivoted into Klue's infrastructure, harvested the OAuth tokens Klue used to connect to customers' Salesforce tenants, and ran automated REST API queries to enumerate and exfiltrate CRM records. Salesforce disabled the Klue Battlecards integration on June 11. By June 22, reported victims included Huntress, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity [VERIFY β victim names from secondary reporting]. A group calling itself Icarus, active since late April, claimed the theft and sent 48-hour extortion emails.
Why It Matters
Initial access was not a zero-day or a phished password β it was a forgotten OAuth token with no expiry. The detection surface is your third-party integration inventory, not your endpoint telemetry. A Salesforce-connected app holds standing API access to CRM data, so one compromised vendor becomes direct CRM exfiltration across its entire customer base without ever touching a customer's perimeter. That several reported victims are themselves security vendors makes the point: blast radius follows the integration graph, not the maturity of the target.
Action for defenders: Pull the full list of authorized connected apps in Salesforce (Setup β Connected Apps OAuth Usage), revoke tokens for any integration without an active business owner, and apply token expiry and IP restrictions to the rest.
2. PixelSmash: FFmpeg decoder flaw (CVE-2026-8461) turns one video file into RCE
Primary source: JFrog Vulnerability Research
Reporting: SecurityWeek
What Happened
JFrog disclosed a heap out-of-bounds write in FFmpeg's MagicYUV decoder, CVE-2026-8461 (CVSS 8.8). A crafted AVI, MKV, or MOV file processed by any application linked against libavcodec can corrupt heap metadata and hijack an internal FFmpeg callback pointer. JFrog demonstrated a full chain overwriting the AVBuffer.free pointer with system() to run arbitrary commands, including RCE against Jellyfin. Confirmed-affected software includes Kodi, mpv, ffmpegthumbnailer (used by GNOME, KDE, XFCE), Jellyfin, Emby, Nextcloud, Immich, PhotoPrism, and OBS Studio. FFmpeg shipped the fix in version 8.1.2 on June 17.
Why It Matters
The vulnerable path runs wherever media gets transcoded or thumbnailed automatically β upload pipelines, NAS appliances, and self-hosted apps like Nextcloud and Immich that decode user-supplied files with no human in the loop. Exploitation is pre-authentication and server-side for any service ingesting media, so the exposure sits in your file-processing tier, not on user desktops. FFmpeg is a transitive dependency most teams don't track, so the question is "which of my running services link libavcodec," not "do we use FFmpeg."
Action for defenders: Inventory services that decode or thumbnail uploaded media, confirm the bundled libavcodec/FFmpeg version, and apply 8.1.2 or your distro's backport. Where immediate patching isn't possible, restrict the decoders and container formats FFmpeg will accept.
π If you only do one thing this week: Run a 30-minute inventory of where stolen credentials or user-supplied files get standing access in your environment β Salesforce Connected Apps and any media-decoding service that links libavcodec. Revoke ownerless OAuth tokens and confirm your FFmpeg builds are at 8.1.2. Both of this week's worst stories (Klue, PixelSmash) start in places most teams never inventory.
βοΈ 3. 'Squidbleed' (CVE-2026-47729): a 1997 Squid proxy bug, surfaced by an AI model
Primary source: Calif.io research blog
Reporting: The Hacker News, SecurityWeek
What Happened
Calif.io publicly disclosed a heap over-read in Squid's FTP gateway, CVE-2026-47729, that returns raw heap memory to a requester including other users' Authorization headers, cookies, and API keys. The bug traces to a 1997 commit. Calif credits Anthropic's Claude Mythos Preview model with flagging the root-cause quirk. PoC code is public; as of June 22 no in-the-wild exploitation had been reported. Reporting on the fixed version conflicts: some coverage cites Squid 7.6, other coverage points to 7.7
Why It Matters
Squid sits as a shared egress and caching proxy in front of many enterprise and cloud networks, so a memory disclosure here crosses user and tenant boundaries β one user's request can leak another's session token inside the component meant to broker trust. The Heartbleed comparison is about shape, not scale: passive, hard-to-detect leakage with no crash and no log entry. The discovery method is the second story a 29-year-old bug that survived decades of human review was surfaced by a model.
Action for defenders
Inventory FortiSandbox appliances and confirm a fixed build, restrict WEB UI and management access to an admin segment, and hunt for the vendor/Defused indicators across the June window.
π₯ 4. OpenAI ships GPT-5.5-Cyber for automated vulnerability finding and patching
Primary source: OpenAI
Reporting: Infosecurity Magazine
What Happened
OpenAI released GPT-5.5-Cyber under its Daybreak program, a model tuned to find vulnerabilities, validate exploitability, and generate patches in one workflow. OpenAI reported benchmark scores of 85.6% on CyberGym, 39.5% on ExploitGym, and 69.8% on SEC-bench Pro [VERIFY β vendor-reported]. Access is restricted to vetted defenders under added monitoring. OpenAI also updated its Codex Security plugin, which it says has scanned over 30 million commits across more than 30,000 codebases since March.
Why It Matters
This lands the same week Squidbleed showed a competing model finding a real 29-year-old bug, so the "AI finds and fixes vulnerabilities" claim now has production data points on both ends of the lifecycle. The consequence is asymmetry: the same exploit-generation capability that speeds your triage also lowers the cost of weaponizing a fresh disclosure, which compresses patch windows.
Action for defenders
Treat disclosure-to-exploit windows as shorter by default in your patch SLAs. If you run an AppSec program, evaluate gated defensive models against your current SAST and triage baseline rather than assuming parity.
π‘οΈ 5. Accenture takes majority stake in Dragos, buys runZero and NetRise in ~$4.1B OT push
Primary source: Accenture Newsroom
Reporting: SecurityWeek, Industrial Cyber
What Happened
Accenture announced it will take a majority stake in OT security firm Dragos (valued around $3.25B) and acquire runZero and NetRise outright, for a combined enterprise value near $4.1B [VERIFY β combined figure varies across sources]. The three together generate roughly $208M in annual recurring revenue, with the transactions expected to close in August or September 2026. Announced June 18, just outside the strict window, but included as the period's structurally significant M&A.
Why It Matters
A systems integrator buying its way to a majority stake in the leading independent OT threat-intel vendor changes the buying calculus for asset owners. OT security shifts from a best-of-breed product decision toward a bundled integrator engagement β a procurement-structure change, not a logo swap. For cloud security leads with IT/OT convergence in scope, the open question is whether Dragos's roadmap and vendor neutrality survive inside a services firm.
Action for defenders:
If you run Dragos, runZero, or NetRise, get contract-renewal and roadmap-continuity questions to your account team now. If you're evaluating OT monitoring, weigh integrator lock-in in the decision.
6. New 'Prinz Eugen' ransomware encrypts newest files first and skips the ransom note
Primary source: BleepingComputer
Reporting: SC Media
What happened: BleepingComputer reported a new Go-based ransomware, Prinz Eugen, that prioritizes the most recently modified files for encryption (alphabetical order on timestamp ties) and leaves no ransom note on the host. ThreatDown found hands-on-keyboard operators using legitimate RMM tooling and living-off-the-land binaries, with likely initial access through stolen RDP credentials and manual execution of a payload named servertool.exe. It uses ChaCha20-Poly1305 with Argon2id-derived keys and is not run as ransomware-as-a-service. At least five victims were identified, including Standard Bank, which refused a 1-BTC demand.
Why it matters: Encrypting recently modified files first inverts the usual recovery assumption: high-value in-flight working data is hit before bulk archives, so an early detect-and-kill response that would normally cap damage can still lose the data that matters most. No ransom note and no affiliate model means the usual leak-site and negotiation-portal indicators are absent, so detection has to come from RMM and LOLbin behavior. The RDP-credential entry point and living-off-the-land tradecraft are exactly the "acting like users" pattern Biggs describes as the new normal.
Action for defenders: Audit external RDP exposure and remote-access MFA, add detection for unexpected RMM tools and for servertool.exe executed by non-admin processes, and confirm backups capture active working directories at a tight enough interval to survive recent-files-first encryption.
π― Cloud Security Topic of the Week:
Data-first attacks broke the forensic assumption
The throughline of this week's news is the throughline of the episode: attackers don't need new capabilities, they need speed and reach, and AI gives them both. Biggs's sharpest observation is that the goal of the attack has changed. "Attacks predominantly used to be... encryption first, right?... Now it's data first, practically no encryption." That single shift rewrites the incident response playbook. When the objective is exfiltration rather than encryption, the question your lawyers, regulators, and contractually-armed partners will ask is not "is it back up?" but "what left, and whose was it?"
Here is the uncomfortable part, and the thing senior teams most often get wrong: forensics frequently cannot answer that question on its own. Windows artifacts show where an attacker moved and what they touched on a box, but they rarely prove what data went out the door. Without database query logging, without firewall egress that ties back to a specific endpoint, and without data classification done in advance, the honest answer to "was my data taken?" becomes "we don't know" β and that is the answer that ends customer relationships. The fix isn't a new product category. It's the unglamorous preparation work: a clean audit path from data to endpoint, and a first-pass classification of your CRMs and cloud storage so you can rule data in or out fast.[Listen to the full episode β]
Featured Experts This Week π€
Simon Biggs β Cyber Incident Response Specialist, Varonis
Ashish Rajan - CISO | Co-Host AI Security Podcast , Host of Cloud Security Podcast
Definitions and Core Concepts π
Before diving into our insights, let's clarify some key terms:
OAuth token (standing API access): A long-lived credential that grants an integration ongoing API access without re-authentication. In the Klue breach, a token created for an abandoned integration and never revoked became the initial access path into customer Salesforce tenants.
Data-first attack: An exfiltration-led intrusion with "practically no encryption," replacing the older encryption-first ransomware model (Biggs).
Living off the land (LOLbins): Attackers acting like legitimate users β using compromised credentials and built-in/legitimate tooling instead of dropping malware β which shrinks the detection opportunity. Seen this week in the Prinz Eugen ransomware tradecraft.
BloodHound / Metasploit / Kali Linux: Prepackaged offensive tool sets that historically lowered the barrier to entry. BloodHound maps Active Directory attack paths; Biggs uses these as the analogy for what AI now does on the fly.
Shadow AI: Users routing around sanctioned, locked-down models to less-secure alternatives β "a massive risk" (Biggs).
Prompt injection: Crafted input that makes an AI assistant carry out an unintended instruction. Varonis Threat Labs found a prompt-injection flaw in Microsoft Copilot.
Mythos: Anthropic's Claude Mythos Preview model, credited this week with helping surface the Squidbleed Squid proxy bug; named by Biggs as a strong example of AI-assisted vulnerability research.
Heap out-of-bounds write / over-read: Memory-safety bugs underlying both PixelSmash (write β RCE) and Squidbleed (over-read β secret disclosure).
This week's issue is sponsored by Varonis
AI Security Requires More Than Visibility. It Requires Control.
Security leaders are under pressure to enable AI innovation while managing a rapidly expanding attack surface across cloud, identity, and data layers. AI agents and copilots can introduce new access paths, automated high-impact actions, and accelerate threat timelines.
Varonis Atlas helps organizations secure AI end-to-end - from understanding usage and enforcing guardrails to detecting suspicious activity and reducing risk dynamically. watch the recording to learn how Varonis Atlas can help security teams operationalize AI security at scale.
π‘Our Insights from this Practitioner π
A single-guest conversation that doubles as a field report from someone who works real breaches. The throughline: AI changes the speed and reach of attacks, not their fundamental nature β and the defensive answer is preparation, not a new control category.
1: AI lowers the barrier and raises the speed β it is not a new class of attack
Biggs's front-line read cuts against the year's loudest marketing. AI increases scale and volume and lowers the skill required, but he is not seeing goals that were previously unachievable.
"But is AI driving something that's completely unseen? No, that's not what I'm seeing on the front line... I just think that it's lowering that technical barrier to entry. They're getting quicker. They're able to achieve better outcomes quicker during an attack." β Simon Biggs
Existing layered controls still work, and they matter more, because they slow attackers moving faster through the same paths.
2: Post-compromise automation now happens with no hands on the keyboard
The clearest AI signal Biggs sees is timing β automated action arrives in seconds.
"We're seeing sort of Microsoft Graph queries coming in like minutes, seconds after that token's been r- stolen via relay. That is unusual. Like that suggests there's no hands on the keyboard and, these AI kits are out there and are being used en masse, which is a big sea change..." β Simon Biggs
This is the practitioner mirror of the Klue story above: a stolen token is exercised almost immediately. Signature-based detection fails against ephemeral, briefly-lived phishing infrastructure on cloud and containerized platforms.
3: AI is the new "Metasploit/BloodHound" β it removes the operator's expertise
Ashish Rajan framed the shift directly: "it's almost like what Metasploit did for Script Kiddies. Is this something similar?" β Ashish Rajan
Biggs agreed, and took it further. Where chaining BloodHound output into Metasploit once required real expertise, models now pull the whole workflow together.
"So you don't actually have to be able to code, you don't actually have to really understand Active Directory... you can kinda get there without really any major technical skill, which is quite scary b- because that used to be, like a red team capability." β Simon Biggs
4: Attacks flipped from encryption-first to data-first
"Attacks predominantly used to be... encryption first, right?... Now it's data first, practically no encryption." β Simon Biggs
Response planning has to center on what data left, not what got encrypted. Biggs describes attackers taking a database schema, returning, and running a crafted query within minutes to pull credentials, payment contracts, and PII β behavior that used to be the preserve of nation-states and now shows up in ordinary ransom breaches.
5: Forensics can rarely tell you what was taken β and most teams overestimate it
"something I think people overestimate the ability of forensics to do is forensics to tell you what data's been taken... there's not many forensic artifacts that... will definitively tell you." β Simon Biggs
Windows forensics shows movement, not egress. Without database logging and per-endpoint firewall attribution, the answer to a lawyer's "did it leave?" is a hunch and lawyers don't notify on hunches. As Biggs puts it, "it's part of the incident response lifecycle, the preparation stage. That's where the battle is, is won or lost."
6: The defensive playbook is the same fundamentals β run the attacker's models against yourself
There are no magic new controls. Shadow-AI discovery, permissions hygiene, inventory and auditing, and automated response are the same problems as shadow IT and excessive permissions, extended to a new platform. The agent "is just an extension of the user" and should be audited as one.
"I'm an advocate of saying run BloodHound or run Metasploit. So... come from the point of view of the attacker and see what you find. I think it's the same. Like, run the same models, do the same thing to your environment and see what it finds." β Simon Biggs
7: AI-driven research widens the target surface, and same-day PoCs collapse patch windows
"from something getting released in the patch, people have working proof of concepts the same day. In a lot of cases we're seeing proof of concepts for things that aren't even patched yet or aren't even announced as vulnerabilities." β Simon Biggs
The economics have shifted with it: "You're not necessarily buying zero days for $50,000, $100,000. Somebody could get that in their bedroom. If they can afford the tokens." For perimeter assets, treat the disclosure-to-exploit window as effectively zero. PixelSmash and Squidbleed this week are the live examples.
8: Stolen data will be weaponized in new ways because AI lets attackers post-process at scale
"this information that's taken is gonna be weaponized in new and novel ways... what AI allows attackers to do is post-process data. So getting 10 terabytes of data is overwhelming... But now with AI, actually, they could be post-processing that data and... finding new and novel ways of monetizing it." β Simon Biggs
The liability follows. Third-party contracts increasingly require breach notification inside tight windows (often 72 hours, ahead of regulators like the ICO), and bigger partners "will come down heavy." An up-front classification pass on CRMs and cloud storage β which Biggs calls an "easy win" β lets you rule a terabyte out of scope instead of notifying everyone on a hunch.
Practical Takeaways for Cloud Security Leaders
Three things a senior team can act on: get a clean, queryable audit path from each critical data store back to an endpoint (logs that resolve to a real entity, not just an aggregator IP); do a first-pass data classification on CRMs and cloud storage so breach scope is answerable in minutes, not weeks; and run a dry-run IR exercise with someone offensive plus your blue team to find where the forensic trail dead-ends before an attacker does.
AppSec & DevSecOps Guidance
Podcast Episode
Question for you? (Reply to this email)
π€ If you were breached today, could you prove what data left β or would the honest answer be "we don't know"?
Next week, we'll explore another critical aspect of cloud security. Stay tuned!
π¬ Want weekly expert takes on AI & Cloud Security? [Subscribe here]β
We would love to hear from youπ’ for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.
Thank you for continuing to subscribe and Welcome to the new members in tis newsletter communityπ
Peace!
Was this forwarded to you? You can Sign up here, to join our growing readership.
Want to sponsor the next newsletter edition! Lets make it happen
Have you joined our FREE Monthly Cloud Security Bootcamp yet?
checkout our sister podcast AI Security Podcast