
👋 Welcome to The CyberSignal Weekly Briefing.

This was the week critical infrastructure ran out of margin. Polish water plants, a Mexican municipal utility, a Palo Alto zero-day exploited for a month before disclosure, a third Ivanti EPMM zero-day this year, and a chained MOVEit flaw that lands in the same product family Cl0p used to breach 2,100 organizations in 2023. Five edge-and-OT events in seven days. None of them are theoretical.

The other story is happening in real time. ShinyHunters defaced Canvas login pages worldwide on May 7 — during finals week — and is now telling individual schools to negotiate ransoms directly by May 12. Instructure had declared the May 1 incident contained. Days later the group escalated, splitting the corporate-vendor extortion model in two: the SaaS provider and every customer, in parallel. Other extortion crews will copy it.

The good news lives in the prosecution column. A federal jury convicted Sohaib Akhter for wiping 96 government databases at Opexus the day he was fired by video call. The first U.S. Karakurt sentencing ever. Sentences #7 and #8 for North Korean laptop-farm operators. The arrests are real. They're just not arriving fast enough to close the velocity gap.

Let's get into it.

🔎 Overview: What Shifted in Cyber Since Last Week

  • Poland's ABW broke a 12-year silence — confirmed hackers reached ICS at five water treatment plants, attributed to Russian special services

  • Dragos documented LLM-assisted OT attack — Claude and GPT used to plan operations against Monterrey municipal water utility

  • Palo Alto PAN-OS zero-day exploited since April 9 — CVE-2026-0300 (CVSS 9.3) under active exploitation; patches don't ship until May 13

  • Ivanti EPMM hit its third zero-day of 2026 — CISA gave federal agencies three days to patch CVE-2026-6973

  • MOVEit Automation chained 9.8 + 7.7 disclosed — same product family Cl0p used to breach 2,100 organizations in 2023

  • ShinyHunters defaced Canvas globally during finals week — claims 275M records from 9,000 schools, May 12 deadline for individual school negotiations

  • Akhter brothers convicted — federal jury found them guilty of wiping 96 government databases at Opexus the day they were fired

  • First-ever U.S. Karakurt sentencing — Latvian negotiator Deniss Zolotarjovs got 102 months for $56M extortion campaign

  • Daemon Tools served signed-but-trojanized installers for a month — valid AVB Disc Soft developer certificates, thousands of machines across 100 countries

  • Trellix breach wider than disclosed — RansomHouse screenshots show internal VMware, Rubrik, and Dell EMC dashboards


🔥 Top Stories

01 — Poland's ABW Confirms Hackers Reached ICS at Five Water Plants

Critical Infrastructure

Poland's Internal Security Agency published its first public activity report in 12 years specifically to flag this: hackers reached industrial control systems at five Polish municipal water treatment plants and, in some cases, developed the capability to alter technical parameters before being stopped. ABW tied the activity to Russian special services. The disclosure landed two days after Dragos published a separate intelligence brief documenting an attack against Servicios de Agua y Drenaje de Monterrey in northern Mexico, in which the operators used Claude and GPT to plan operations against the utility's OT network.

Why it matters: The historical assumption that ICS attacks require rare expertise no longer protects mid-sized municipal utilities — and mid-sized municipal utilities are where most U.S. water infrastructure lives. ABW going public after 12 years is itself a signal.

02 — Palo Alto PAN-OS Zero-Day Exploited Since April 9 — Patches Don't Land Until May 13

Vulnerabilities

CVE-2026-0300 is a CVSS 9.3 buffer overflow in PAN-OS that lets unauthenticated attackers execute code as root on internet-exposed PA-Series and VM-Series firewalls. Unit 42 has tracked exploitation by a likely state-sponsored cluster (CL-STA-1132) since April 9. CISA added it to KEV. The catch: patches don't ship until May 13. Until then, the official guidance is to restrict management interface exposure and apply Threat Prevention signatures.

Why it matters: A month-long window between confirmed active exploitation and patch availability is brutal. Treat any internet-facing PAN-OS device as potentially compromised and audit accordingly until the patch arrives.

03 — Canvas Defaced Globally During Finals — ShinyHunters Tells Schools to Pay Up by May 12

Ransomware

ShinyHunters defaced Canvas login pages worldwide on May 7, disrupting finals week at Harvard, Penn, Duke, and Virginia Tech. Instructure had publicly declared the May 1 incident contained. The group claims 275 million records from 9,000 schools and is now demanding individual schools negotiate ransom payments by May 12 — bypassing the SaaS vendor entirely. The tactical innovation is pricing the leverage at the customer level: the model no longer depends on the vendor paying, because every customer becomes its own negotiation.

Why it matters: This parallel-negotiation tactic is genuinely new and will be copied. If you work with a Canvas-using institution, brief general counsel today — that deadline is four days away.

04 — Ivanti EPMM Zero-Day #3 — Federal Agencies Have Three Days to Patch

Vulnerabilities

CVE-2026-6973, disclosed May 7, is the third Ivanti EPMM zero-day of 2026. CVSS 7.2, under active exploitation, with a CISA federal patch deadline of May 10 — three days. Ivanti has hinted that attackers are reusing credentials stolen during the January 2026 EPMM campaign, meaning patching alone may not close the door.

Why it matters: Three EPMM zero-days in five months is a pattern, not bad luck. If Ivanti is right that the credentials are January-stolen, rotation is mandatory — patching is not enough.

05 — Patch MOVEit Now Before It Becomes 2023 All Over Again

Vulnerabilities

A 9.8 unauthenticated authentication bypass and a 7.7 privilege escalation in MOVEit Automation chain to full administrative control. Same product family Cl0p exploited in 2023 to breach 2,100 organizations. There is no workaround — the only fix is a full installer upgrade.

Why it matters: Managed file transfer products sit between trust boundaries by design, which is why ransomware crews keep coming back to them. The 2023 Cl0p campaign is the case study. Don't let this be the second.

06 — Federal Jury Convicts Akhter Brother for Wiping 96 Government Databases After Video-Call Firing

Cyber Crime

A federal jury in Alexandria, Virginia convicted Sohaib Akhter on May 7 for his role in deleting roughly 96 U.S. government databases at federal contractor Opexus on the day he and his twin brother were fired. The unprecedented detail: the firing happened by video call, and the destruction began immediately after the meeting ended.

Why it matters: Insider threat programs that focus on data exfiltration miss the destructive insider. Off-boarding workflows need to revoke privileged access at the moment of termination notification, not after — especially for remote employees being terminated remotely.

07 — Daemon Tools Distributed Trojanized Installers — Signed With Valid Certificates — for a Month

Software Supply Chain

Kaspersky disclosed on May 5 that the official Daemon Tools website distributed trojanized installers from April 8 through early May. The compromised binaries were signed with valid AVB Disc Soft developer certificates. Thousands of machines across roughly 100 countries received a backdoor delivered through the legitimate update channel.

Why it matters: Code signing is a control that depends on the vendor's signing infrastructure being uncompromised. When it isn't, signature verification vouches for the malware instead of catching it. Application allowlisting based purely on signatures is no longer sufficient; pair it with behavioral monitoring.

📈 Data & Research Corner

  • Polish water plants where hackers reached ICS: 5

  • Days between PAN-OS exploitation start and patch: ~34 (April 9 → May 13)

  • ShinyHunters claimed Canvas records: 275 million

  • Schools facing direct ransom demands by May 12: 9,000

  • U.S. government databases wiped at Opexus: ~96

  • Karakurt negotiator's federal sentence: 102 months

  • Vibe-coded apps leaking corporate data (RedAccess): ~5,000

  • North Korean laptop farm operators sentenced in 2026: 8

  • Cryptocurrency restrained by DOJ Scam Center Strike Force: $701.96M

  • Files World Leaks published from Mediaworks: ~15 million


🔍 Also On Our Radar

  • WIRED finds 5,000 vibe-coded apps leaking corporate data. RedAccess identified roughly 380,000 publicly accessible web assets built on Lovable, Base44, Replit, and Netlify, of which approximately 5,000 were exposing sensitive corporate data. The pattern: business users build internal tools, the platform defaults to public, the platform doesn't enforce auth, the data sits indexed.

  • 404 Media tested realtime deepfake software live on Microsoft Teams. Joseph Cox obtained Haotian AI — Chinese realtime deepfake software marketed to scammers — and watched a Cambodia-based operator's face shapeshift into his own during a live Teams call. "Confirm sensitive actions with a video call" is no longer a control.

  • Trellix breach wider than disclosed: RansomHouse claims VMware, Rubrik, Dell EMC dashboards. RansomHouse claimed responsibility on May 7. Cybernews researchers say screenshots show internal dashboards far beyond the "portion of source code" Trellix disclosed. Customers should ask their account team specifically what was accessed.

  • VENOMOUS#HELPER hit 80+ orgs via dual-RMM. Securonix tracked a Social Security Administration-themed phishing campaign that drops both SimpleHelp and ConnectWise ScreenConnect — when defenders kill one, the other persists. Legitimate RMM tools need application-control policies that don't trust them by default.

  • State health exchanges leaked applicant data to ad platforms. Bloomberg found nearly all 20 state-run health insurance exchanges plus D.C. were sending applicant citizenship, race, ZIP codes, prescriptions, and disclosures about incarcerated family members to TikTok, Meta, Google, Snap, and LinkedIn via misconfigured tracking pixels. More than 7M Americans use these exchanges.

  • Australia builds the cyber review board the U.S. disbanded. On May 1, Australia announced the Cyber Incident Review Board — a seven-member statutory body modeled on the U.S. Cyber Safety Review Board the Trump administration disbanded in January 2025. Australia's version has statutory authority the U.S. version never had.

  • DOJ executes first-ever federal seizure of a Telegram channel. Six days before last week's 276-arrest pig-butchering takedown, the Scam Center Strike Force restrained $701.96M in cryptocurrency, seized 503 fake investment websites, and pulled off the first-ever federal seizure of a Telegram channel. The Telegram precedent is what will outlast this news cycle.

  • ACSC warns of fake CAPTCHAs on real Australian sites pushing Vidar Stealer. Compromised legitimate Australian WordPress sites are presenting fake Cloudflare CAPTCHAs to deliver Vidar Stealer via clipboard-paste social engineering. The lure works because the underlying domain is real.
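The health-exchange item above describes a failure that is easy to audit for: ad-platform tags loading on pages that collect sensitive applicant data. The script below is an added example, not code from the briefing or from Bloomberg's investigation. It parses a page with Python's standard-library HTML parser, flags script, image and iframe sources that point at the documented hosts for the Meta, TikTok, Google, Snap and LinkedIn tags (an assumption worth re-verifying against current vendor documentation), flags inline pixel calls, and raises the finding to "high" when a tracker and a sensitive form field appear on the same page. The sample page is constructed.

```python
"""Audit an HTML page for ad-platform tags loaded alongside sensitive form fields.

Added example: the page below is constructed; the tracker hostnames are the
script hosts each platform documents for its pixel (an assumption to re-verify).
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Hostname -> human-readable tag name (assumed current; check vendor docs).
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "analytics.tiktok.com": "TikTok Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "sc-static.net": "Snap Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag",
}
# Substrings that identify an inline tag bootstrap inside a <script> block.
INLINE_MARKERS = {
    "fbq(": "Meta Pixel (inline fbq call)",
    "ttq.": "TikTok Pixel (inline ttq call)",
    "gtag(": "Google gtag (inline call)",
}
# Field-name fragments that indicate the categories named in the reporting.
SENSITIVE_FIELDS = ("citizenship", "race", "zip", "prescription", "incarcerat")


class TagAudit(HTMLParser):
    """Collects third-party tag loads and sensitive form fields from one page."""

    def __init__(self) -> None:
        super().__init__()
        self.trackers: List[str] = []
        self.sensitive_fields: List[str] = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).hostname      # handles https://, http:// and //host/ forms
            if host in TRACKER_HOSTS:
                self.trackers.append(TRACKER_HOSTS[host])
        if tag == "script" and not src:
            self._in_inline_script = True       # body arrives via handle_data
        if tag in ("input", "select", "textarea"):
            name = (a.get("name") or a.get("id") or "").lower()
            if any(k in name for k in SENSITIVE_FIELDS):
                self.sensitive_fields.append(name)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            for marker, label in INLINE_MARKERS.items():
                if marker in data:
                    self.trackers.append(label)


def audit(html: str) -> Dict[str, object]:
    """Return trackers found, sensitive fields found, and an overall risk level."""
    p = TagAudit()
    p.feed(html)
    p.close()
    trackers = sorted(set(p.trackers))
    fields = sorted(set(p.sensitive_fields))
    risk = "high" if trackers and fields else ("medium" if trackers else "low")
    return {"trackers": trackers, "sensitive_fields": fields, "risk": risk}


# Constructed sample: an application form plus the kind of tags the reporting describes.
SAMPLE_PAGE = """
<form action="/apply" method="post">
  <input name="applicant_citizenship">
  <select name="race"></select>
  <input name="zip_code">
  <input name="household_income">
</form>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('track', 'PageView');</script>
<script src="//analytics.tiktok.com/i18n/pixel/events.js"></script>
<img src="https://www.facebook.com/tr?id=000&ev=PageView" width="1" height="1">
<script src="/static/app.js"></script>
"""


def audit_sample() -> Dict[str, object]:
    return audit(SAMPLE_PAGE)


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

Run it against the rendered HTML of each page in the enrollment flow, not just the landing page; the tags that matter are the ones present after the form has loaded, and a tag manager can inject further trackers at runtime, so a browser-level request log is the stronger follow-up check.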

🛡️ Actionable Playbook for CISOs & IT Leaders

  • Treat your PAN-OS firewalls as compromised until May 13. Restrict management interface exposure, apply Threat Prevention signatures, audit logs for CL-STA-1132 IOCs, and prepare for a same-day patch window when the fix ships.

  • Rotate Ivanti EPMM credentials, don't just patch. Ivanti has hinted attackers are reusing credentials stolen during January 2026's EPMM campaign. Patching CVE-2026-6973 by May 10 closes one door — credential rotation closes the other.

  • If you work with higher ed, brief general counsel today. ShinyHunters is moving to direct-to-school ransom demands by May 12. University legal teams need to know the parallel-negotiation tactic exists before the call comes in. Pull Canvas API and SSO logs for the April 25 – May 1 access window now.

  • Audit application-control policies for legitimate RMM tools. The VENOMOUS#HELPER campaign weaponized SimpleHelp and ConnectWise ScreenConnect via SSA-themed phishing. Don't trust signed RMM binaries by default — pair signature verification with behavioral monitoring on first execution.

  • Tighten off-boarding for remote terminations. The Akhter conviction is a reminder that destructive insiders are an under-modeled threat. Privileged access revocation needs to happen at the moment of termination notification, not after — especially for remote employees being fired remotely.
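Story 07 (Daemon Tools) and the RMM item above make the same point from two directions: a valid signature from a trusted publisher is not, on its own, a reason to let a binary run. The policy below is an added example, not code from the briefing or from any vendor's allowlisting product. It models an allowlist decision that layers three checks: signature validity and publisher trust, a known-good hash set, and, for a never-seen build from a trusted publisher, first-run behavioral telemetry. Remote-management agents additionally require an approved deployment ticket even when signed. All publishers, hashes, paths, ticket numbers and telemetry strings are constructed.

```python
"""Allowlist decision that does not trust a valid code signature on its own.

Added example: publishers, hashes, file paths, tickets and telemetry below are
constructed; none come from the Daemon Tools or VENOMOUS#HELPER reporting.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Executable:
    path: str
    signer: Optional[str]            # subject of the signing certificate, None if unsigned
    signature_valid: bool            # cryptographic verification result from the OS
    sha256: str
    is_rmm: bool = False             # remote-management agent (SimpleHelp, ScreenConnect, ...)
    deployment_ticket: Optional[str] = None   # change ticket authorising an RMM install
    telemetry: List[str] = field(default_factory=list)  # behaviours seen on first execution


# Constructed policy data. In production these come from your PKI allowlist,
# your software inventory and your EDR's first-run telemetry.
TRUSTED_PUBLISHERS = {"Example Soft Ltd", "Example RMM Inc"}
GOOD_BUILD = b"constructed: known-good installer build 1"
KNOWN_GOOD_HASHES = {hashlib.sha256(GOOD_BUILD).hexdigest()}
SUSPICIOUS_BEHAVIOURS = {
    "spawned_powershell", "new_outbound_domain", "scheduled_task_created", "lsass_access",
}


def evaluate(exe: Executable) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). Verdicts: block, allow, monitor, quarantine."""
    if not exe.signature_valid:
        return "block", ["signature missing or fails verification"]
    if exe.signer not in TRUSTED_PUBLISHERS:
        return "block", [f"publisher {exe.signer!r} is not allowlisted"]
    if exe.is_rmm and not exe.deployment_ticket:
        # A signed RMM agent is still someone else's remote shell if nobody asked for it.
        return "block", ["RMM agent without an approved deployment ticket"]
    if exe.sha256 in KNOWN_GOOD_HASHES:
        return "allow", ["trusted publisher", "hash matches a known-good build"]
    # Trusted publisher, valid signature, never-seen hash: the case where a compromised
    # signing pipeline makes the signature vouch for malware. Let behaviour decide.
    hits = sorted(SUSPICIOUS_BEHAVIOURS & set(exe.telemetry))
    if hits:
        return "quarantine", ["unknown hash from trusted publisher",
                              "suspicious first-run behaviour: " + ", ".join(hits)]
    return "monitor", ["unknown hash from trusted publisher",
                       "first execution permitted under behavioural monitoring"]


def sample_inventory() -> List[Executable]:
    """Constructed inventory records covering each branch of the policy."""
    def h(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    return [
        Executable("C:/Setup/tool-setup.exe", "Example Soft Ltd", True, h(GOOD_BUILD)),
        Executable("C:/Setup/tool-setup-new.exe", "Example Soft Ltd", True,
                   h(b"constructed: unexpected build"),
                   telemetry=["spawned_powershell", "new_outbound_domain"]),
        Executable("C:/Setup/tool-update.exe", "Example Soft Ltd", True,
                   h(b"constructed: routine update"), telemetry=["wrote_user_profile"]),
        Executable("C:/Setup/rmm-agent.exe", "Example RMM Inc", True,
                   h(b"constructed: rmm agent"), is_rmm=True),
        Executable("C:/Setup/rmm-agent-approved.exe", "Example RMM Inc", True,
                   h(b"constructed: rmm agent"), is_rmm=True, deployment_ticket="CHG-0001"),
        Executable("C:/Setup/unsigned.exe", None, False, h(b"constructed: unsigned")),
        Executable("C:/Setup/other-vendor.exe", "Unknown Publisher", True,
                   h(b"constructed: other vendor")),
    ]


def verdicts() -> Dict[str, str]:
    """Map each sample path to its verdict; the reasons are what an analyst reads."""
    return {exe.path: evaluate(exe)[0] for exe in sample_inventory()}


if __name__ == "__main__":
    for exe in sample_inventory():
        verdict, reasons = evaluate(exe)
        print(f"{verdict:10} {exe.path}  ({'; '.join(reasons)})")
```

The ordering of checks is the design point: signature and publisher are evaluated first because they are cheap and deterministic, the hash set catches the common case, and the behavioral branch only runs for the small residue of signed-but-unknown builds, which is exactly where a compromised vendor pipeline shows up. The "monitor" verdict is not an "allow": it should create a ticket or alert that expires only when the hash is promoted to the known-good set or the telemetry turns it into a quarantine.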

⚡ The Signal

There is a number worth sitting with from this week: 34.

That is roughly how many days have passed between the start of confirmed active exploitation of Palo Alto's PAN-OS zero-day (CVE-2026-0300) and the date Palo Alto's patch is scheduled to ship. April 9 to May 13. A full month in which a state-sponsored cluster has had unauthenticated root-level code execution against internet-exposed PA-Series and VM-Series firewalls — devices specifically designed to be the trust boundary.

That number is not unusual. It is representative. CVE-2026-6973 in Ivanti EPMM was disclosed May 7 and is already under active exploitation — the third EPMM zero-day this year, with attackers reusing credentials stolen four months ago. Daemon Tools shipped trojanized installers for a month before Kaspersky disclosed it. Trellix's breach is wider than Trellix said. Instructure's "contained" Canvas incident wasn't.

The throughline is that the systems we depend on for verification — vendor disclosures, code signatures, "contained" SaaS incidents, identity controls, edge devices — are all leaking integrity at the same time. Defenders who built their programs on "the vendor will tell us" or "the signature will tell us" or "the firewall will hold" are running on assumptions that adversaries have stopped honoring.

Two water utilities had operational technology environments reached this week. One via a state intelligence service in Poland. One via attackers using frontier LLMs to plan the operation against Monterrey. Different actors, different motives, same direction of travel: the threshold of capability required to attack OT is dropping, and it is dropping fastest at the same moment that the verification controls protecting OT are leaking integrity.

The prosecution column gives reason for measured optimism. Akhter, Zolotarjovs, Ferro, Knoot, Prince — these are real wins, with real sentences, and they accumulate. But the velocity gap Europol named in last week's IOCTA report is widening faster than the courts can close it. Defense has to assume the gap is structural for now, and verify the things it used to be able to trust by default.

The question worth asking before next week's briefing: of the controls in your environment that depend on a vendor's integrity — code signing, EDR signature feeds, MDM policy, SaaS audit logs — which would you bet on if you found out the vendor was breached and didn't tell you?

🔭 What to Watch Next Week

  • May 12 — Canvas ransom deadline. Watch whether any named institutions confirm direct contact from ShinyHunters and how university general counsel offices respond. The first school that publicly capitulates sets the precedent.

  • May 13 — Palo Alto patches drop. Expect a spike in compromise disclosures the following week as organizations finally have the patch and start running compromise assessments against the April 9 – May 13 window.

  • Copycat parallel-negotiation extortion. ShinyHunters' direct-to-customer model decouples the ransom from the breached vendor. Expect at least one other extortion crew to test the playbook within 30 days.

  • Trellix scope clarification. The RansomHouse screenshots showing VMware, Rubrik, and Dell EMC dashboards put pressure on Trellix to update its disclosure. Watch for an amended statement or a customer notification within 7-14 days.

Until next time,

Stay sharp. Stay ahead.

The CyberSignal Team


📰 Full coverage at thecybersignal.com

☀️ Daily briefing at daily.thecybersignal.com


The CyberSignal delivers clear, actionable cybersecurity news for professionals who need to cut through the noise. Each week we recap the biggest breaches, vulnerabilities, and industry shifts, with practical takeaways you can put to work right away.

Our mission is simple: keep security leaders and practitioners informed, prepared, and ahead of threats.
