
Cleartext – May 07, 2026

Thursday, May 7, 2026·8:53



show notes


Daily cybersecurity briefing for CISOs and security leaders.


Episode Summary

Today's episode covers 9 stories across 4 topic areas, including: Polish intelligence warns hackers attacked water treatment control systems; DOJ says ransomware gang tapped into Russian government databases; MuddyWater hackers use Chaos ransomware as a decoy in attacks.

Stories Covered

🌍 Geopolitical

Polish intelligence warns hackers attacked water treatment control systems

The Record (Recorded Future) · May 07 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Russian-linked attacks on Polish water treatment SCADA systems represent continued escalation of OT targeting in NATO-allied nations, reinforcing the need for CISOs with OT environments to prioritize ICS segmentation and monitoring.

  • Polish intelligence confirmed attacks on water treatment control systems
  • Activity attributed to intensified hostile cyber operations, with emphasis on Russian Federation special services
  • Attacks occurred across 2024 and 2025


DOJ says ransomware gang tapped into Russian government databases

TechCrunch Security · May 06 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: The DOJ's revelations that a ransomware gang had access to Russian government databases illustrate the deep state-criminal nexus that makes attribution and deterrence harder, and should inform threat modeling for enterprise security programs.

  • US prosecutors revealed a ransomware gang accessed Russian government databases
  • The gang's access enabled members to avoid taxes and dodge military conscription
  • Highlights the corruption-fueled symbiosis between Russian state and cybercriminal ecosystems


MuddyWater hackers use Chaos ransomware as a decoy in attacks

BleepingComputer · May 06 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Iran's MuddyWater APT deploying false-flag ransomware, with initial access via Microsoft Teams social engineering against US organizations, means CISOs must ensure Teams security controls are hardened and that IR teams can distinguish espionage from criminal ransomware.

  • Iran-linked MuddyWater disguised espionage operations as Chaos ransomware attacks
  • Initial access achieved through Microsoft Teams social engineering
  • Targeting US organizations as a false flag operation


🔓 Data Breach

Hackers compromise Daemon Tools in global supply-chain attack, researchers say

The Record (Recorded Future) · May 06 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A China-linked supply chain compromise of a widely used software tool, distributed through official channels, reinforces the need for CISOs to validate software integrity even when downloading from trusted vendor websites and to maintain a software bill of materials.

  • Kaspersky identified China-linked threat actor behind the supply chain attack
  • Trojanized installers were distributed through Daemon Tools' official website
  • Thousands of users potentially infected with backdoored software
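As an added example (not code from the page, from Daemon Tools, or from Kaspersky), here is one way to implement the integrity check this story calls for: a Python routine that streams a downloaded installer through SHA-256 and compares the digest to a pinned value before the file is approved for use. The manifest, file name and byte contents are constructed for illustration; a real pinned hash would come from a channel separate from the download page itself (a vendor signature, a prior approval record), since a compromised site can publish a matching hash for a trojanized binary.

```python
"""Verify a downloaded installer against a pinned SHA-256 before it is allowed to run.

Added example; not code from the page or from any vendor. The manifest,
file names and byte contents are constructed for illustration.
"""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass

# Constructed "known-good" manifest keyed by file name. In practice this is
# recorded at approval time from an out-of-band source, not scraped from the
# same download page as the binary.
GENUINE_BYTES = b"GENUINE INSTALLER BYTES (constructed sample)"
PINNED_MANIFEST = {
    "example-tool-setup.exe": hashlib.sha256(GENUINE_BYTES).hexdigest(),
}


@dataclass(frozen=True)
class VerifyResult:
    filename: str
    ok: bool
    reason: str
    observed_sha256: str


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so large installers never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path: str, manifest: dict) -> VerifyResult:
    """Return ok=True only if the file's digest equals the pinned digest for its name."""
    name = os.path.basename(path)
    observed = sha256_file(path)
    expected = manifest.get(name)
    if expected is None:
        # Unknown artifacts fail closed: no pin means no approval.
        return VerifyResult(name, False, "no pinned hash for this file name", observed)
    # compare_digest is constant-time; harmless offline and a good habit.
    if not hmac.compare_digest(observed, expected.lower()):
        return VerifyResult(name, False, "hash mismatch: file differs from pinned release", observed)
    return VerifyResult(name, True, "matches pinned hash", observed)


def demo() -> dict:
    """Write a genuine copy and a tampered copy under the same file name, verify both.

    Returns {"genuine": True, "tampered": False} when the check behaves correctly.
    """
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "genuine": GENUINE_BYTES,
            # Constructed tamper: same leading bytes plus an appended payload stub.
            "tampered": GENUINE_BYTES + b" (constructed extra bytes)",
        }
        for label, content in samples.items():
            folder = os.path.join(tmp, label)
            os.makedirs(folder)
            path = os.path.join(folder, "example-tool-setup.exe")
            with open(path, "wb") as fh:
                fh.write(content)
            result = verify_artifact(path, PINNED_MANIFEST)
            outcome[label] = result.ok
            print(f"{label:9s} ok={result.ok} reason={result.reason} sha256={result.observed_sha256[:16]}...")
    return outcome


if __name__ == "__main__":
    demo()
```

The check is only as strong as the provenance of the pinned digest: pin it once at approval time, store it with the SBOM entry for the tool, and treat any mismatch on a later download as an incident to investigate rather than a reason to re-pin.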


AI evaluation startup Braintrust confirms breach, tells every customer to rotate sensitive keys

TechCrunch Security · May 06 · Relevance: ██████░░░░ 6/10

Why it matters to CISOs: A breach of an AI development tooling provider where API keys were exposed highlights third-party risk in the AI supply chain — CISOs should audit which AI dev platforms have access to sensitive credentials and enforce key rotation policies.

  • Braintrust's Amazon cloud environment was breached
  • All customers instructed to rotate API keys immediately
  • Braintrust provides an operating system for engineers building AI software


⚖️ Governance & Policy

New CISA initiative aims for critical infrastructure to operate offline during cyberattacks

The Record (Recorded Future) · May 06 · Relevance: ████████░░ 8/10

Why it matters to CISOs: CISA's CI Fortify initiative signals a policy shift toward mandating isolation and offline operational capabilities for critical infrastructure, which will drive new resilience planning requirements and potentially new compliance obligations for affected sectors.

  • CISA launched 'CI Fortify' initiative focused on isolation and recovery
  • Critical infrastructure organizations expected to proactively plan for disconnection from third-party dependencies
  • Initiative addresses scenarios where telecommunications and internet are unreliable


Srsly Risky Biz: After Mythos, US government weighs AI regulation

Risky Business News · May 07 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Post-Mythos AI regulation discussions will shape how enterprises can deploy frontier AI models and what security testing requirements may be imposed, directly affecting AI governance strategies CISOs are building now.

  • US government is actively considering regulation of new AI model releases due to cybersecurity implications
  • Debate centers on whether restricting frontier models is effective when older/open models can achieve similar results
  • Australia's new Cyber Incident Review Board discussed as a model, though limited by inability to assign blame


NIST will test three major tech firms’ frontier AI models for cybersecurity risks

Cybersecurity Dive · May 06 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: NIST testing frontier AI models for cybersecurity risks could establish benchmarks that inform enterprise AI procurement decisions and shape future compliance requirements around AI deployment.

  • NIST will evaluate frontier AI models from three major tech firms for cybersecurity risks
  • Effort spurred by Anthropic's Claude Mythos capabilities
  • Government agencies racing to get ahead of AI models' potential dangers


🚨 Critical Vulnerability

Palo Alto Networks firewall zero-day exploited for nearly a month

BleepingComputer · May 07 · Relevance: █████████░ 9/10

Why it matters to CISOs: A critical RCE zero-day in PAN-OS firewalls — core perimeter infrastructure — has been exploited by suspected state-sponsored actors for nearly a month with no patch available yet. CISOs running Palo Alto need immediate compensating controls and threat hunting.

  • Critical-severity PAN-OS zero-day has been actively exploited since approximately April 9, 2026
  • Suspected state-sponsored threat actors are behind the exploitation
  • Palo Alto Networks has not yet released a patch




Full Transcript


Jordan: A critical remote code execution zero-day in PAN-OS firewalls. Actively exploited by suspected state-sponsored actors since April 9th. No patch. If you're running Palo Alto on your perimeter — and a lot of you are — that's your first call this morning.

Alex: Welcome to Cleartext. It's Thursday, May 7th, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves. Today we're covering a lot of ground — that PAN-OS zero-day, Polish water treatment systems under attack, a DOJ revelation that reframes how we think about the Russian criminal-state nexus, Iran running a false-flag ransomware operation through Microsoft Teams, a supply chain hit on Daemon Tools, a breach at an AI tooling startup, and CISA's new CI Fortify initiative. Plus we'll get into what the post-Mythos AI regulation push means for how you're building your governance programs right now.

Alex: Let's start where we have to. Palo Alto, PAN-OS, unpatched RCE zero-day. Jordan, walk us through the exposure.

Jordan: Here's what we know. The vulnerability is critical severity. Remote code execution. It's been in active exploitation since approximately April 9th — that's nearly four weeks of adversary runway before public disclosure. Attribution points to suspected state-sponsored actors, which tells you this wasn't opportunistic. This was deliberate, targeted, and quiet. Palo Alto has not released a patch as of this morning.

Alex: The business risk here is straightforward and serious. Your firewall is not a secondary system. It is the perimeter. If you're running PAN-OS, you need compensating controls in place today — threat hunt your edge environments, review logs going back to April 9th, restrict management plane access if you haven't already. And brief your board. A state actor on your firewall for a month is a material risk conversation, not a technical footnote.

Jordan: Palo Alto will have guidance on mitigations. Implement them. Don't wait for the patch.

Alex: Now let's talk about what's happening in the OT and critical infrastructure space, because two stories this week connect in important ways. Polish intelligence confirmed attacks on water treatment control systems — SCADA environments — attributed broadly to intensified hostile cyber activity with specific emphasis on Russian Federation special services. This was happening across 2024 and 2025.

Jordan: Poland is a NATO frontline state. Attacks on water treatment infrastructure aren't just about disruption — they're about signaling. They're about demonstrating reach and creating psychological pressure on allied governments. The fact that attribution is hedged publicly doesn't mean the intelligence community doesn't know exactly who did this. It means they're managing escalation.

Alex: For CISOs with OT environments — and that includes utilities, manufacturing, healthcare systems with embedded industrial controls — this is a forcing function. ICS segmentation, OT-specific monitoring, and incident response playbooks that account for physical consequences. If your OT security posture is still basically "it's airgapped, we're fine," you are behind.

Jordan: And directly connected to that — CISA launched CI Fortify this week. The core premise is that critical infrastructure organizations need to be able to operate offline. Disconnected from third-party dependencies. No reliable telecom, no reliable internet. Proactively plan for that scenario.

Alex: This is a significant policy signal. CISA is essentially telling critical infrastructure operators: you cannot assume connectivity. Build for isolation. What this means practically is that resilience planning has to move from a theoretical tabletop exercise to an operational capability. And compliance obligations will follow. If you're in a critical infrastructure sector and you don't have an offline operational mode, start building the roadmap now before it becomes a mandate.

Jordan: The timing is not coincidental. You have the Polish water system attacks, ongoing OT targeting across NATO allies, and now a federal initiative explicitly designed to harden against exactly that threat vector. The policy is catching up to the threat.

Alex: Let's shift to the state-criminal nexus story, because the DOJ dropped something this week that deserves more attention than it's getting. US prosecutors revealed that a ransomware gang had access to Russian government databases — and used that access to help gang leaders dodge taxes and avoid military conscription.

Jordan: I want to be precise about what this tells us, because it's important for threat modeling. This isn't just "Russia tolerates cybercriminals." This is a documented, transactional, mutually beneficial relationship. The gang gets state protection and access to government systems. The state gets deniable offensive cyber capability and presumably a cut of the proceeds somewhere upstream. What it means for attribution is that when you're hit by a ransomware gang with Russian ties, you cannot cleanly separate criminal motivation from state interest. They are the same ecosystem.

Alex: From a threat modeling perspective, this should inform how you're scoping your adversary profiles. The line between financially motivated ransomware and state-sponsored espionage is genuinely blurred in the Russian context. Your IR retainer needs to know how to handle both, simultaneously.

Jordan: Now to Iran. MuddyWater — which is Iran's Ministry of Intelligence-linked APT — was caught this week running espionage operations disguised as Chaos ransomware attacks, targeting US organizations. Initial access was through Microsoft Teams social engineering.

Alex: Let's unpack the strategic intent here. The ransomware deployment is a false flag. The goal isn't ransom. The goal is intelligence collection — and making it look like criminal activity so that responders focus on containment and recovery instead of asking what was exfiltrated and by whom. That distinction matters enormously for your IR playbook.

Jordan: The Teams vector is worth flagging separately. Social engineering through Teams is increasingly effective because users treat it as a trusted internal channel. If your Teams environment allows external message initiation without friction, that's a control gap. Verify who external contacts are before they get any foothold. And make sure your IR team's initial triage includes the question: is this actually ransomware, or does it look like ransomware?

Alex: Supply chain story next — Daemon Tools. Kaspersky attributed a China-linked threat actor behind the compromise of the Daemon Tools official website, where trojanized installers were distributed. Thousands of users potentially backdoored.

Jordan: This is textbook supply chain tradecraft. You compromise the official distribution channel so that the software integrity question never gets asked. Users downloaded directly from the vendor site. The lesson is not that you should distrust every software vendor. The lesson is that your software procurement process needs integrity verification — hash checks, SBOM tracking — even for tools you've been using for years.

Alex: Especially for utility software that your IT and security teams use internally. Those tools run with elevated privileges and rarely get the same scrutiny as production systems. That's a gap adversaries understand well.

Jordan: Quick hit on the Braintrust breach. AI evaluation startup, Amazon cloud environment compromised, all customers told to rotate API keys immediately. The specific risk here is that Braintrust sits in AI development pipelines — which means the keys exposed potentially touch production AI systems and the data flowing through them.

Alex: This is the third-party AI supply chain risk materializing in real time. If your engineering teams are using AI dev tooling — evaluation platforms, fine-tuning infrastructure, anything in that stack — you need visibility into what credentials those platforms hold and a rotation policy that doesn't depend on the vendor telling you there's been a breach. Assume breach, rotate proactively.

Jordan: Now the AI governance picture. Two stories tie together here. NIST announced it will test frontier AI models from three major tech firms for cybersecurity risks, specifically spurred by Anthropic's Claude Mythos capabilities. And separately, the Risky Business team reported that the US government is actively weighing regulation of new AI model releases because of security implications.

Alex: Here's my read on this for CISOs. The policy environment around AI is moving fast, and it's moving specifically because of cybersecurity concerns — the ability of frontier models to assist with offensive operations. The debate about whether restricting frontier models actually achieves much when open models can do comparable things is legitimate. But that debate doesn't pause the regulatory process.

Jordan: What matters for enterprise AI governance right now is that the compliance landscape is in active formation. The frameworks you're building today — around AI procurement, acceptable use, access controls on AI systems — those need to be documented and auditable, because standards are coming and they will look backward at what you had in place.

Alex: The NIST testing program could become the basis for procurement benchmarks. Watch that closely.

Jordan: This week's theme is straightforward: your perimeter is under deliberate, sustained pressure from state and state-adjacent actors who are patient, well-resourced, and increasingly creative about initial access vectors — whether that's a Teams message, a trojanized installer, or an unpatched firewall sitting on your edge for four weeks.

Alex: And the policy response is accelerating — CI Fortify, NIST AI testing, AI regulation discussions. The compliance and resilience requirements coming out of this threat environment are going to be significant. The CISOs who are building those capabilities now, before the mandates land, are the ones who won't be scrambling when they do.

Jordan: Watch for the PAN-OS patch release and indicators of compromise from Palo Alto. That's your immediate action item. Everything else is a planning conversation.

Alex: That's Cleartext for Thursday, May 7th. Show notes and links to every story we covered today are at cleartext.fm. If you find this useful, share it with a peer. We'll see you tomorrow.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-07.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.