
Cleartext Week in Review – May 30, 2026

Saturday, May 30, 2026·11:42



show notes

Cleartext – May 30, 2026

Daily cybersecurity briefing for CISOs and security leaders.


Episode Summary

Today's episode covers 17 stories across 4 topic areas, including: Russia conducting daily attacks on UK 'from seabed to cyberspace,' spy chief warns; Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks; Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning.

Stories Covered

🌍 Geopolitical

Russia conducting daily attacks on UK 'from seabed to cyberspace,' spy chief warns

The Record (Recorded Future) · May 28 · Relevance: █████████░ 9/10

Why it matters to CISOs: The GCHQ director's public warning about daily Russian attacks on critical UK infrastructure—including subsea cables and energy pipelines—signals an escalating threat posture that enterprise CISOs, especially in critical sectors, must factor into their geopolitical threat models and board reporting.

  • GCHQ Director Anne Keast-Butler described Russia conducting daily attacks 'from seabed to cyberspace' targeting UK infrastructure
  • GCHQ is developing an AI-powered cyber shield in response to adversaries deploying AI in warfare
  • Agency is actively defending subsea cables, energy pipelines, and countering Russian sabotage and assassination attempts


Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

Krebs on Security · May 25 · Relevance: ████████░░ 8/10

Why it matters to CISOs: The seizure of 800 servers tied to Stark Industries Solutions—an EU-sanctioned ISP used as staging ground for Russian intelligence cyber operations—demonstrates that bulletproof hosting infrastructure enabling state-sponsored attacks is being actively dismantled, offering CISOs a case study in supply-chain attribution and hosting provider due diligence.

  • Netherlands arrested co-owners of two hosting companies for operating infrastructure used by Russia for cyberattacks, influence operations, and disinformation inside the EU
  • The companies had assumed control of Stark Industries Solutions, sanctioned by the EU for supporting Russian intelligence cyber activity
  • 800 servers seized across the operation


Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning

The Hacker News · May 26 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Iran's Nimbus Manticore is now deploying AI-built backdoors against US aviation and software sectors following the US-Israeli military campaign against Iran—CISOs in defense, aviation, and critical infrastructure must treat this as an active, escalating threat with fresh TTPs including SEO poisoning as an initial access vector.

  • Nimbus Manticore (UNC1549) attributed to campaign using AI-built MiniFast backdoor targeting aviation and software organizations in the US, Europe, and Middle East
  • Activity follows the joint US-Israeli military campaign against Iran in late February 2026
  • Attack chain combines phishing lures and SEO poisoning for initial access


Iranian hackers blamed for breach of Los Angeles transit system that took weeks to recover

TechCrunch Security · May 26 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Attribution of the LA Metro breach to the Iranian government—operating behind a fake hacktivist persona—underscores how state actors use false-flag identities to obscure accountability; CISOs at public-sector and infrastructure organizations must recalibrate threat models to account for state-backed attackers disguised as hacktivists.

  • Israeli firm Gambit Security attributes LA Metro breach to Iranian government, not hacktivist group Ababil of Minab
  • Ababil of Minab is a fake hacktivist persona used to claim a series of breaches following the Iran war
  • Recovery from the breach took several weeks, illustrating operational impact on critical public infrastructure


Chinese Hackers Exploit Iran War to Target Maritime and Energy Companies

Infosecurity Magazine · May 29 · Relevance: ████████░░ 8/10

Why it matters to CISOs: ESET's APT Activity Report shows Chinese threat actors are opportunistically exploiting Iran-related geopolitical instability to broaden their targeting of maritime and energy sectors globally—CISOs in these verticals should expect increased Chinese APT activity as a secondary consequence of the Iran conflict.

  • China-backed APTs are using regional instability from the Iran war to target maritime and energy companies
  • ESET's 2026 APT Activity Report documents the opportunistic targeting pattern
  • Activity extends to organizations globally, not just those in the conflict region


CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain

CyberScoop · May 27 · Relevance: ████████░░ 8/10

Why it matters to CISOs: The Glassworm takedown—a coordinated CrowdStrike, Google, and Shadowserver operation—removed infrastructure that had been systematically injecting malware into open-source packages since early 2025; CISOs relying on OSS in their software supply chains should audit for Glassworm-related indicators and reassess third-party package vetting controls.

  • CrowdStrike, Google, and Shadowserver simultaneously took down all four Glassworm C2 servers
  • Glassworm operators had been infecting open-source software packages and developer tools since at least early 2025
  • The botnet was used to target software developers as the entry point for downstream supply chain attacks


🔓 Data Breach

The attack dominating financial services doesn't steal passwords. It resets MFA and steals the token.

VentureBeat Security · May 26 · Relevance: █████████░ 9/10

Why it matters to CISOs: CrowdStrike's 2026 Financial Services Threat Landscape Report identifies Mutant Spider as the dominant threat actor in financial services. Its core technique is voice phishing over Microsoft Teams while impersonating internal IT support, used to get a target's MFA reset and an attacker-controlled device enrolled. Because every control involved works as designed, CISOs must revisit help desk authentication policies and out-of-band verification procedures rather than look for a product fix.

  • Mutant Spider is the single most active threat to financial services, using Microsoft Teams voice phishing to impersonate internal IT support
  • The primary technique involves convincing employees to reset MFA credentials, then registering attacker-controlled devices on corporate networks
  • The attack succeeds because MFA reset controls work as designed—meaning the attack vector is the human process, not the technology

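The story above describes a chain that leaves a clean audit trail even though no control fails: a help-desk-initiated MFA reset, then a new authenticator enrolment or device join for the same user shortly afterwards, often from an address the employee has never used. The following is an added detection example, not code from CrowdStrike's report or the article. It assumes a simplified, constructed event shape (ts, action, user, actor, ip, device) that you would map real Entra ID, Okta or Duo audit exports into, and an assumed set of corporate IP ranges; the sample events are invented for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: corporate address space; any other source address is "external".
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed, simplified identity audit events for this example. Real Entra ID /
# Okta / Duo exports use other field names; normalise them into this shape first.
SAMPLE_EVENTS = [
    {"ts": "2026-05-26T09:02:11Z", "action": "mfa_reset", "user": "alice@corp.example",
     "actor": "helpdesk-02@corp.example", "ip": "10.0.5.12", "device": None},
    {"ts": "2026-05-26T09:14:40Z", "action": "mfa_enroll", "user": "alice@corp.example",
     "actor": "alice@corp.example", "ip": "198.51.100.23", "device": "Android (new authenticator)"},
    {"ts": "2026-05-26T09:20:05Z", "action": "device_join", "user": "alice@corp.example",
     "actor": "alice@corp.example", "ip": "198.51.100.23", "device": "DESKTOP-7F3A"},
    {"ts": "2026-05-26T11:30:00Z", "action": "mfa_reset", "user": "bob@corp.example",
     "actor": "helpdesk-02@corp.example", "ip": "10.0.5.12", "device": None},
    {"ts": "2026-05-27T08:10:00Z", "action": "mfa_enroll", "user": "bob@corp.example",
     "actor": "bob@corp.example", "ip": "10.0.7.44", "device": "iPhone"},
    {"ts": "2026-05-26T10:00:00Z", "action": "mfa_enroll", "user": "carol@corp.example",
     "actor": "carol@corp.example", "ip": "10.0.7.91", "device": "iPhone"},
]

FOLLOW_UP_ACTIONS = {"mfa_enroll", "device_join"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def find_suspicious_reenrollments(events, window_minutes: int = 60):
    """Flag help-desk-initiated MFA resets that are followed, within the window,
    by a new authenticator enrolment or device join for the same user.

    Each alert carries the follow-up events and whether any of them came from an
    address outside CORP_NETS, which is the strongest single signal that the
    person enrolling is not the employee whose MFA was just reset."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO-8601 sorts lexically
    alerts = []
    for ev in ordered:
        # Self-service resets (actor == user) are a different, lower-risk case.
        if ev["action"] != "mfa_reset" or ev["actor"] == ev["user"]:
            continue
        start = parse_ts(ev["ts"])
        end = start + timedelta(minutes=window_minutes)
        followups = [
            f for f in ordered
            if f["user"] == ev["user"]
            and f["action"] in FOLLOW_UP_ACTIONS
            and start < parse_ts(f["ts"]) <= end
        ]
        if not followups:
            continue
        alerts.append({
            "user": ev["user"],
            "reset_at": ev["ts"],
            "reset_by": ev["actor"],
            "followups": followups,
            "external_ip": any(not is_internal(f["ip"]) for f in followups),
        })
    return alerts


def helpdesk_reset_counts(events):
    """Resets per help-desk actor. A spike from one analyst or one shift is what
    an active vishing campaign against the help desk looks like in the logs."""
    counts = {}
    for ev in events:
        if ev["action"] == "mfa_reset" and ev["actor"] != ev["user"]:
            counts[ev["actor"]] = counts.get(ev["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in find_suspicious_reenrollments(SAMPLE_EVENTS):
        print(f"{a['user']}: MFA reset by {a['reset_by']} at {a['reset_at']}; "
              f"{len(a['followups'])} enrolment/device event(s) followed; "
              f"external IP: {a['external_ip']}")
    print(helpdesk_reset_counts(SAMPLE_EVENTS))
```

On the sample data only alice's reset fires within the default hour (her new authenticator and device join both come from 198.51.100.23, outside the assumed corporate ranges); bob's next-day enrolment only appears if the window is widened to a day. The window and the "external IP" signal are the two knobs to tune against your own help-desk volume; the rule is a starting point for a SIEM correlation search, not a finished product.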

FBI warns US-based law firms to be on the lookout for cybercrime group that steals data in person

CyberScoop · May 27 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Silent Ransom Group's escalation to in-person impersonation of IT staff at victim workstations represents a significant evolution in social engineering that no technical control can stop alone—CISOs must ensure physical security protocols, visitor management, and help desk identity verification are treated as security controls, not administrative procedures.

  • FBI issued a warning to US law firms about Silent Ransom Group (aka Luna Moth) physically impersonating IT staff
  • Threat actors are calling victims and showing up in person to gain direct physical access to systems
  • The group has a demonstrated pattern of targeting the legal services sector with combined phone and in-person social engineering


23andMe Failed to Stop Months-Long Hack, State Alleges

BankInfoSecurity · May 30 · Relevance: ████████░░ 8/10

Why it matters to CISOs: California's AG lawsuit against 23andMe alleges the company ignored multiple red flags over five months of undetected attacker access—a landmark enforcement action that signals regulators will pursue legal liability for failure to detect breaches in progress, raising the bar for CISO-level detection and response obligations.

  • California AG sued 23andMe alleging hackers went undetected for five months despite multiple warning signs starting in April 2023
  • Attackers used compromised credentials to access systems, with the breach ultimately exposing sensitive genetic and health data
  • The lawsuit frames the failure to act on red flags as actionable negligence, not just a breach notification issue


Charter Communications data breach affects 4.9 million accounts

BleepingComputer · May 29 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: ShinyHunters' compromise of Charter Communications via a single employee account, resulting in 4.9 million records stolen, reinforces the persistent risk of credential-based initial access at scale—CISOs at large consumer-facing organizations should review privileged account access controls and third-party breach monitoring.

  • ShinyHunters extortion gang stole personal information from 4.9 million Charter Communications accounts
  • Initial access was gained by compromising a single employee account in early April
  • Breach confirmed via Have I Been Pwned notification service


⚖️ Governance & Policy

AI Agents Are the New Insiders

BankInfoSecurity · May 30 · Relevance: ████████░░ 8/10

Why it matters to CISOs: As AI agents gain autonomous access to sensitive data and execute multi-step workflows with minimal oversight, CISOs face a governance gap: existing insider threat programs are designed for humans, not digital agents that can exfiltrate data at machine speed without malicious intent.

  • AI agents are now making decisions, executing multi-step workflows, and accessing sensitive data repositories with minimal human intervention
  • Existing insider risk frameworks are ill-equipped to detect or manage autonomous AI systems acting as de facto insiders
  • The risk profile of AI agents mirrors insider threats but operates at machine scale and speed


Federal audit reveals NIST’s NVD is plagued by poor planning and duplication

CyberScoop · May 29 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A Commerce IG audit exposing a 27,000-vulnerability backlog at NIST's NVD and duplicated work with CISA is a direct operational problem for CISOs whose vulnerability management programs depend on NVD enrichment data—patch prioritization processes built on NVD metadata are running on an increasingly unreliable foundation.

  • Commerce Department Inspector General audit found NIST's NVD has a backlog of 27,000 unprocessed security flaws
  • Mismanagement allowed the backlog to grow unchecked, with the agency also duplicating work already performed by a parallel CISA program
  • NVD enrichment data underpins vulnerability management and patch prioritization tools used across enterprise security programs

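The practical consequence of the NVD backlog is that a record can exist with a CVE ID but no NVD CVSS score and no CPE configuration, and a prioritization pipeline that treats "no score" as "low" will silently deprioritize it. The following is an added example, not code from NIST, the audit or the article. It walks records shaped like NVD API 2.0 responses (the `vulnStatus`, `metrics.cvssMetricV31` and `configurations` fields are the real API's), reports which ones lack enrichment, and falls back to a CNA score or a second feed before giving up; the CVE IDs, scores and the fallback feed are constructed placeholders.

```python
# Statuses in which NVD has finished (or revised) its own enrichment.
ANALYZED_STATUSES = {"Analyzed", "Modified"}

# Constructed records in the shape of NVD API 2.0 responses. The IDs are
# placeholders, not real CVE entries.
SAMPLE_NVD = {"vulnerabilities": [
    {"cve": {"id": "CVE-2026-99901", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [
                 {"source": "nvd@nist.gov", "type": "Primary",
                  "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": []}]}},
    {"cve": {"id": "CVE-2026-99902", "vulnStatus": "Awaiting Analysis",
             "metrics": {}, "configurations": []}},
    {"cve": {"id": "CVE-2026-99903", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [
                 {"source": "security@vendor.example", "type": "Secondary",
                  "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
             "configurations": []}},
    {"cve": {"id": "CVE-2026-99904", "vulnStatus": "Undergoing Analysis",
             "metrics": {}, "configurations": []}},
]}

# Assumption: a second scoring source (vendor advisory, CISA data, your own
# triage notes) keyed by CVE ID. Constructed for the example.
FALLBACK_SCORES = {"CVE-2026-99902": 8.8}


def _cvss_scores(cve):
    """All (source, baseScore) pairs present on the record, newest CVSS version first."""
    metrics = cve.get("metrics", {})
    scores = []
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        for m in metrics.get(key, []):
            scores.append((m.get("source"), m["cvssData"]["baseScore"]))
    return scores


def enrichment_gaps(doc):
    """Return {cve_id: [reasons]} for records a prioritization pipeline
    should not consume as if they were fully enriched."""
    gaps = {}
    for item in doc["vulnerabilities"]:
        cve = item["cve"]
        reasons = []
        status = cve.get("vulnStatus")
        if status not in ANALYZED_STATUSES:
            reasons.append(f"status={status}")
        if not any(src == "nvd@nist.gov" for src, _ in _cvss_scores(cve)):
            reasons.append("no NVD CVSS score")
        if not cve.get("configurations"):
            reasons.append("no CPE configuration")  # asset matching will miss it
        if reasons:
            gaps[cve["id"]] = reasons
    return gaps


def effective_score(cve, fallback=FALLBACK_SCORES):
    """Best available base score and its origin. None means a human must triage it."""
    scores = _cvss_scores(cve)
    for src, score in scores:
        if src == "nvd@nist.gov":
            return score, "nvd"
    if scores:  # a CNA-supplied score that NVD has not yet enriched
        return max(score for _, score in scores), "cna"
    if cve["id"] in fallback:
        return fallback[cve["id"]], "fallback"
    return None, "unscored"


def prioritize(doc, fallback=FALLBACK_SCORES):
    """(cve_id, score, origin) rows; unscored entries sort first rather than
    disappearing to the bottom of the list as if they were low severity."""
    rows = []
    for item in doc["vulnerabilities"]:
        cve = item["cve"]
        score, origin = effective_score(cve, fallback)
        rows.append((cve["id"], score, origin))
    rows.sort(key=lambda r: (r[1] is not None, -(r[1] or 0)))
    return rows


if __name__ == "__main__":
    for cve_id, reasons in enrichment_gaps(SAMPLE_NVD).items():
        print(cve_id, "->", ", ".join(reasons))
    for row in prioritize(SAMPLE_NVD):
        print(row)
```

The point of `prioritize` ordering unscored entries first is deliberate: a record NVD has not processed is unknown risk, not low risk, and the audit's 27,000-entry backlog means there are a lot of them. Wire the same check in front of whatever tool consumes NVD data today and route the gaps to a second source.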

Enterprise data is creeping its way into shadow AI tools

Cybersecurity Dive · May 28 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: An Okta report shows executives and employees are actively clashing over AI usage policies, with enterprise data flowing into unapproved AI tools—CISOs need to move beyond policy drafting to enforced technical controls and real-time visibility into AI tool usage before a data exposure event forces the issue.

  • Okta research reveals growing tension between executives and employees over AI usage policies
  • Enterprise data is flowing into shadow AI tools outside approved channels
  • 63.6% of vendors advertising AI capabilities do not disclose third-party AI subprocessors in their legal documentation, per DataGrail


CERT-In Recommends 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks

The Hacker News · May 26 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: India's CERT-In is recommending a 12-hour patching window for critical internet-facing vulnerabilities, citing AI-accelerated exploitation timelines—a signal that global regulators are moving toward operationally demanding patching standards that will challenge even mature enterprise vulnerability management programs.

  • CERT-In issued guidelines recommending critical internet-facing vulnerabilities be patched within 12 hours where feasible
  • The guidance is explicitly motivated by threat actors using AI and LLMs to automate vulnerability exploitation at speed
  • The standard represents a significant compression of previously accepted patching windows and may foreshadow similar guidance from other national CERTs


🚨 Critical Vulnerability

Hackers exploit FortiClient EMS flaw to push infostealer malware

BleepingComputer · May 28 · Relevance: █████████░ 9/10

Why it matters to CISOs: Threat actors are actively exploiting CVE-2026-35616 in FortiClient EMS—trusted endpoint management infrastructure—to deliver an undocumented credential stealer disguised as a legitimate Fortinet update; this living-off-trusted-tools technique means organizations using Fortinet management infrastructure should patch immediately and audit VPN scripting workflows for signs of compromise.

  • CVE-2026-35616 is an improper access control vulnerability in FortiClient Enterprise Management Server under active exploitation
  • Attackers delivered the infostealer 'EKZ' disguised as a Fortinet endpoint update, executed via FortiClient-managed VPN scripting workflows
  • The campaign abused trusted endpoint management infrastructure to spread malware across all managed endpoints


PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation

The Hacker News · May 30 · Relevance: █████████░ 9/10

Why it matters to CISOs: An actively exploited authentication bypass in PAN-OS GlobalProtect allows attackers to establish unauthorized VPN connections—organizations running Palo Alto VPN infrastructure must treat this as an emergency patch given the direct network access it can provide adversaries.

  • CVE-2026-0257 (CVSS 7.8) is an authentication bypass in PAN-OS and Prisma Access under active exploitation
  • Exploitation allows bad actors to set up VPN connections without valid credentials
  • Palo Alto Networks has issued an active exploitation warning


Millions of AI agents imperiled by critical vulnerability in open source package

Ars Technica Security · May 26 · Relevance: ████████░░ 8/10

Why it matters to CISOs: The 'BadHost' vulnerability in Starlette—downloaded 325 million times weekly and foundational to many AI agent frameworks—creates a massive attack surface for any organization deploying agentic AI applications, making this a critical patching and inventory priority for CISOs accelerating AI adoption.

  • Critical 'BadHost' vulnerability discovered in Starlette, an open-source Python package with 325 million weekly downloads
  • The flaw imperils millions of AI agent deployments that depend on Starlette as infrastructure
  • Attackers can exploit the vulnerability to bypass authentication on AI infrastructure



Full Transcript


Jordan: If I had to put one label on this week, it's this: the humans are the infrastructure now. From voice phishing that defeats perfectly functioning MFA, to threat actors literally walking into law firms pretending to be IT support, to AI agents operating as autonomous insiders nobody's watching — the perimeter isn't a firewall anymore. It's a person. And every adversary on the planet figured that out this week.

Alex: Welcome to Cleartext. I'm Alex Chen, alongside Jordan Reeves. This is your Saturday Week in Review — the episode for CISOs who were too busy fighting fires all week to track every headline. If you couldn't keep up, here's what mattered and what it means. We've got four big themes to walk through. First, the geopolitical threat landscape is intensifying on multiple fronts — Russia, Iran, and China are all escalating, and they're starting to feed off each other's chaos. Second, the attack techniques dominating this week all share a common thread: they exploit trust, not vulnerabilities. Third, governance is cracking under pressure, from the NVD backlog to shadow AI to regulators demanding twelve-hour patching windows. And fourth, we've got critical vulnerabilities in the exact infrastructure you trust most — your VPN concentrators and endpoint management servers. Let's get into it.

Jordan: So let's start with the geopolitical picture because it was a busy week on that front, and the stories are more connected than they appear on the surface. The headline grabber was GCHQ Director Anne Keast-Butler going public — unusually public — about Russia conducting daily attacks on UK infrastructure, and I'm quoting her here, "from seabed to cyberspace." She's talking about subsea cables, energy pipelines, sabotage, assassination attempts. And GCHQ is building what they're calling an AI-powered cyber shield in response.

Alex: What struck me about that briefing is the word "daily." This isn't a warning about potential future activity. This is a spy chief describing an ongoing operational tempo. For CISOs in critical infrastructure — energy, telecom, maritime — this is your threat environment right now, not a scenario in a tabletop exercise. And if you're briefing your board, this is the kind of authoritative sourcing that makes the case for sustained investment in detection capabilities for operational technology environments.

Jordan: And it's not just rhetoric. The Dutch operation that took down eight hundred servers tied to Stark Industries Solutions is proof that the infrastructure underpinning Russian cyber operations is real, it's substantial, and it's being hosted inside the EU. These weren't servers in some far-flung jurisdiction. Two hosting company co-owners arrested in the Netherlands for running infrastructure directly supporting Russian intelligence. CISOs should be asking their threat intelligence teams: did any of our traffic ever touch Stark Industries IP ranges? Do we have indicators from that infrastructure in our logs?

Alex: Now pivot to Iran, because the post-war cyber retaliation campaign is fully underway. We had two major stories this week. Nimbus Manticore — that's the Iranian state group also tracked as UNC1549 — is deploying AI-built backdoors called MiniFast against U.S. aviation and software companies. And they're using SEO poisoning as an initial access vector, which is a meaningful TTP evolution.

Jordan: The SEO poisoning piece is important because it changes who's at risk. Phishing requires targeting specific individuals. SEO poisoning casts a much wider net — you're compromising search results so that anyone researching certain aviation or defense topics lands on an attacker-controlled page. That's a fundamentally different threat model. And simultaneously, we got attribution on the LA Metro breach. Israeli firm Gambit Security traced it back to the Iranian government operating behind a fake hacktivist persona called Ababil of Minab. Recovery took weeks. This is a transit system serving millions of people, and Iran knocked it offline using a false-flag identity designed to create plausible deniability.

Alex: And then layer in the China angle. ESET's APT Activity Report this week showed Chinese threat actors are opportunistically exploiting the Iran conflict to expand targeting against maritime and energy companies globally. They're not involved in the conflict — they're just taking advantage of the fact that everyone's watching Iran while China quietly broadens its collection operations. For CISOs in maritime and energy, you now have both Iranian and Chinese APTs actively interested in your sector for different reasons, and you need your threat model to reflect both.

Jordan: And I want to connect one more dot here. The Glassworm botnet takedown — CrowdStrike, Google, and Shadowserver coordinating to simultaneously take down all four C2 servers. Glassworm had been systematically injecting malware into open-source packages and developer tools since early 2025. We don't have public attribution to a nation-state yet, but the sophistication of targeting developers as the entry point for downstream supply chain compromise — that's a playbook we've seen from state-level actors. CISOs with any open-source dependencies, which is everyone, should be running Glassworm indicators against their software bill of materials immediately.

Alex: Let's shift to our second theme, which Jordan set up perfectly in the cold open: the exploitation of human trust as a primary attack vector. The CrowdStrike Financial Services Threat Landscape Report landed this week, and the headline finding is that Mutant Spider is the single most active threat group hitting financial services — and their primary technique isn't technical at all. They call IT support lines over Microsoft Teams, impersonate internal IT staff, convince a help desk analyst to reset someone's MFA, and then register their own device on the corporate network. MFA is working perfectly. The reset process is working perfectly. That's the problem.

Jordan: This is the attack that should keep CISOs up at night because there's no CVE to patch. The vulnerability is your help desk procedure. How does your IT support team verify that the person asking for an MFA reset is who they claim to be? If the answer is "they called from a Teams account that looked internal," you are vulnerable to Mutant Spider right now. Out-of-band verification — callback to a registered phone number, in-person confirmation, manager approval workflows — these aren't nice-to-haves anymore. They're controls.

Alex: And then take that concept and escalate it physically. The FBI warning about Silent Ransom Group targeting law firms. These actors are calling victims and then showing up in person, impersonating IT staff, and gaining direct physical access to workstations. No exploit. No malware delivery mechanism. They walk in the door. CISOs in legal, financial services, anywhere with high-value data — your visitor management process, your badge access policies, your receptionist's ability to verify a contractor's identity, those are security controls now and need to be tested like security controls.

Jordan: The 23andMe lawsuit adds the detection failure dimension to this theme. California's AG is suing because attackers were inside 23andMe's systems for five months — from April to September 2023 — and the company allegedly ignored multiple red flags. This isn't a breach notification lawsuit. It's a negligence claim for failure to detect an active intrusion. That's a new legal standard that every CISO needs to internalize. Your detection capability is now a potential liability exposure.

Alex: And Charter Communications rounds out the breach picture. ShinyHunters compromised a single employee account and extracted 4.9 million records. A single credential. One account. Nearly five million people's data. The math is brutal and it's the same math every week.

Jordan: Let's talk governance, because the foundation that enterprise security programs are built on showed some serious cracks this week. The Commerce Department Inspector General audited NIST's National Vulnerability Database and found a backlog of twenty-seven thousand unprocessed security flaws. Twenty-seven thousand. And NIST was duplicating work that CISA was already doing through a parallel program. If your vulnerability management program depends on NVD enrichment data for prioritization — and most do — you're making risk decisions on an increasingly unreliable data source.

Alex: This one hit me hard because I've sat in rooms where we made patch prioritization decisions based on NVD severity scores and enrichment metadata. If that data is stale or missing for twenty-seven thousand vulnerabilities, your risk-based patching program has a blind spot you can't see. CISOs should be evaluating supplementary vulnerability intelligence sources and not treating NVD as a single point of truth.

Jordan: India's CERT-In added an interesting wrinkle by recommending twelve-hour patching windows for critical internet-facing vulnerabilities, explicitly because AI is accelerating exploitation timelines. Twelve hours. Most enterprise change management processes take longer than that to get an approval ticket routed. This is aspirational for now, but it signals where regulators are heading globally, and your patching SLAs may need to get dramatically more aggressive.

Alex: And the shadow AI problem isn't going away. Okta's research shows executives and employees are openly clashing over AI usage policies, and enterprise data is flowing into unapproved tools. Sixty-three percent of vendors advertising AI capabilities don't even disclose their third-party AI subprocessors. You literally cannot do vendor risk assessment on tools you don't know are processing your data through providers they won't name.

Jordan: Which connects directly to the AI agents as insiders story from BankInfoSecurity. These autonomous systems are making decisions, executing workflows, accessing sensitive data — and your insider threat program was designed to watch humans. AI agents don't take lunch breaks, don't have badge access logs, and can exfiltrate data at machine speed without malicious intent. The governance gap is real and it's widening.

Alex: Final theme — critical vulnerabilities in trusted infrastructure. Two nine-out-of-ten severity stories this week, both in perimeter security products. FortiClient EMS, CVE-2026-35616, under active exploitation. Attackers are using it to push an infostealer called EKZ disguised as a legitimate Fortinet update, delivered through FortiClient-managed VPN scripting workflows. They're abusing your endpoint management system to distribute malware to every managed endpoint. That is a nightmare scenario.

Jordan: And PAN-OS GlobalProtect, CVE-2026-0257, authentication bypass under active exploitation. Attackers can establish VPN connections without valid credentials. Your VPN concentrator, the thing that's supposed to be the gate, is letting people through without a key. If you're running Palo Alto VPN infrastructure, this is a drop-everything-and-patch moment.

Alex: The Starlette vulnerability, BadHost, deserves a mention too. Three hundred twenty-five million weekly downloads, foundational to most AI agent frameworks, authentication bypass. If you're deploying agentic AI applications, you need to know if Starlette is in your dependency tree and patch it.

Jordan: So stepping back — what defined this week?

Alex: I'd say it's the week the attack surface became definitively human. Every major story — Mutant Spider's voice phishing, Silent Ransom Group walking into offices, 23andMe's five months of ignored red flags, shadow AI tools employees are using without permission, AI agents acting as unsupervised insiders — they all point to the same conclusion. Technical controls are necessary but insufficient. The organizations that get breached in the second half of 2026 will overwhelmingly be breached through people and process failures, not unpatched software.

Jordan: And the geopolitical overlay makes it worse. Russia, Iran, and China are all escalating simultaneously, for different reasons, using different techniques, and in some cases exploiting each other's conflicts as cover. The threat environment is the most complex I've seen in twenty years. CISOs going into next week should be thinking about three things: audit your help desk identity verification processes, check your FortiClient and PAN-OS deployments against this week's CVEs, and start a serious conversation about how you're governing AI agents in your environment before a regulator or an attacker forces that conversation for you.

Alex: That's your week. The daily show returns Monday. All the stories we discussed today, with links and additional context, are available at cleartext.fm. I'm Alex Chen.

Jordan: I'm Jordan Reeves. Have a good weekend. You've earned it.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-30.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.