
Daily cybersecurity briefing for CISOs and security leaders.
Today's episode covers 17 stories across 4 topic areas, including: Russia conducting daily attacks on UK 'from seabed to cyberspace,' spy chief warns; Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks; Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning.
The Record (Recorded Future) · May 28 · Relevance: █████████░ 9/10
Why it matters to CISOs: The GCHQ director's public warning about daily Russian attacks on critical UK infrastructure—including subsea cables and energy pipelines—signals an escalating threat posture that enterprise CISOs, especially in critical sectors, must factor into their geopolitical threat models and board reporting.
Krebs on Security · May 25 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The seizure of 800 servers tied to Stark Industries Solutions—an EU-sanctioned ISP used as staging ground for Russian intelligence cyber operations—demonstrates that bulletproof hosting infrastructure enabling state-sponsored attacks is being actively dismantled, offering CISOs a case study in supply-chain attribution and hosting provider due diligence.
The Hacker News · May 26 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Iran's Nimbus Manticore is now deploying AI-built backdoors against US aviation and software sectors following the US-Israeli military campaign against Iran—CISOs in defense, aviation, and critical infrastructure must treat this as an active, escalating threat with fresh TTPs including SEO poisoning as an initial access vector.
TechCrunch Security · May 26 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Attribution of the LA Metro breach to the Iranian government—operating behind a fake hacktivist persona—underscores how state actors use false-flag identities to obscure accountability; CISOs at public-sector and infrastructure organizations must recalibrate threat models to account for state-backed attackers disguised as hacktivists.
Infosecurity Magazine · May 29 · Relevance: ████████░░ 8/10
Why it matters to CISOs: ESET's APT Activity Report shows Chinese threat actors are opportunistically exploiting Iran-related geopolitical instability to broaden their targeting of maritime and energy sectors globally—CISOs in these verticals should expect increased Chinese APT activity as a secondary consequence of the Iran conflict.
CyberScoop · May 27 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The Glassworm takedown—a coordinated CrowdStrike, Google, and Shadowserver operation—removed infrastructure that had been systematically injecting malware into open-source packages since early 2025; CISOs relying on OSS in their software supply chains should audit for Glassworm-related indicators and reassess third-party package vetting controls.
VentureBeat Security · May 26 · Relevance: █████████░ 9/10
Why it matters to CISOs: CrowdStrike's 2026 Financial Services Threat Landscape Report identifies Mutant Spider as the dominant threat actor in financial services, using voice phishing over Microsoft Teams to trick IT support into resetting MFA—a technique that defeats properly functioning security controls, demanding CISOs reconsider help desk authentication policies and out-of-band verification procedures.
CyberScoop · May 27 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Silent Ransom Group's escalation to in-person impersonation of IT staff at victim workstations represents a significant evolution in social engineering that no technical control can stop alone—CISOs must ensure physical security protocols, visitor management, and help desk identity verification are treated as security controls, not administrative procedures.
BankInfoSecurity · May 30 · Relevance: ████████░░ 8/10
Why it matters to CISOs: California's AG lawsuit against 23andMe alleges the company ignored multiple red flags over five months of undetected attacker access—a landmark enforcement action that signals regulators will pursue legal liability for failure to detect breaches in progress, raising the bar for CISO-level detection and response obligations.
BleepingComputer · May 29 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: ShinyHunters' compromise of Charter Communications via a single employee account, resulting in 4.9 million records stolen, reinforces the persistent risk of credential-based initial access at scale—CISOs at large consumer-facing organizations should review privileged account access controls and third-party breach monitoring.
BankInfoSecurity · May 30 · Relevance: ████████░░ 8/10
Why it matters to CISOs: As AI agents gain autonomous access to sensitive data and execute multi-step workflows with minimal oversight, CISOs face a governance gap: existing insider threat programs are designed for humans, not digital agents that can exfiltrate data at machine speed without malicious intent.
CyberScoop · May 29 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A Commerce IG audit exposing a 27,000-vulnerability backlog at NIST's NVD and duplicated work with CISA is a direct operational problem for CISOs whose vulnerability management programs depend on NVD enrichment data—patch prioritization processes built on NVD metadata are running on an increasingly unreliable foundation.
Cybersecurity Dive · May 28 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: An Okta report shows executives and employees are actively clashing over AI usage policies, with enterprise data flowing into unapproved AI tools—CISOs need to move beyond policy drafting to enforced technical controls and real-time visibility into AI tool usage before a data exposure event forces the issue.
The Hacker News · May 26 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: India's CERT-In is recommending a 12-hour patching window for critical internet-facing vulnerabilities, citing AI-accelerated exploitation timelines—a signal that global regulators are moving toward operationally demanding patching standards that will challenge even mature enterprise vulnerability management programs.
BleepingComputer · May 28 · Relevance: █████████░ 9/10
Why it matters to CISOs: Threat actors are actively exploiting CVE-2026-35616 in FortiClient EMS—trusted endpoint management infrastructure—to deliver an undocumented credential stealer disguised as a legitimate Fortinet update; this living-off-trusted-tools technique means organizations using Fortinet management infrastructure should patch immediately and audit VPN scripting workflows for signs of compromise.
The Hacker News · May 30 · Relevance: █████████░ 9/10
Why it matters to CISOs: An actively exploited authentication bypass in PAN-OS GlobalProtect allows attackers to establish unauthorized VPN connections—organizations running Palo Alto VPN infrastructure must treat this as an emergency patch given the direct network access it can provide adversaries.
Ars Technica Security · May 26 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The 'BadHost' vulnerability in Starlette—downloaded 325 million times weekly and foundational to many AI agent frameworks—creates a massive attack surface for any organization deploying agentic AI applications, making this a critical patching and inventory priority for CISOs accelerating AI adoption.
Jordan: If I had to put one label on this week, it's this: the humans are the infrastructure now. From voice phishing that defeats perfectly functioning MFA, to threat actors literally walking into law firms pretending to be IT support, to AI agents operating as autonomous insiders nobody's watching — the perimeter isn't a firewall anymore. It's a person. And every adversary on the planet figured that out this week.
Alex: Welcome to Cleartext. I'm Alex Chen, alongside Jordan Reeves. This is your Saturday Week in Review — the episode for CISOs who were too busy fighting fires all week to track every headline. If you couldn't keep up, here's what mattered and what it means. We've got four big themes to walk through. First, the geopolitical threat landscape is intensifying on multiple fronts — Russia, Iran, and China are all escalating, and they're starting to feed off each other's chaos. Second, the attack techniques dominating this week all share a common thread: they exploit trust, not vulnerabilities. Third, governance is cracking under pressure, from the NVD backlog to shadow AI to regulators demanding twelve-hour patching windows. And fourth, we've got critical vulnerabilities in the exact infrastructure you trust most — your VPN concentrators and endpoint management servers. Let's get into it.
Jordan: So let's start with the geopolitical picture because it was a busy week on that front, and the stories are more connected than they appear on the surface. The headline grabber was GCHQ Director Anne Keast-Butler going public — unusually public — about Russia conducting daily attacks on UK infrastructure, and I'm quoting her here, "from seabed to cyberspace." She's talking about subsea cables, energy pipelines, sabotage, assassination attempts. And GCHQ is building what they're calling an AI-powered cyber shield in response.
Alex: What struck me about that briefing is the word "daily." This isn't a warning about potential future activity. This is a spy chief describing an ongoing operational tempo. For CISOs in critical infrastructure — energy, telecom, maritime — this is your threat environment right now, not a scenario in a tabletop exercise. And if you're briefing your board, this is the kind of authoritative sourcing that makes the case for sustained investment in detection capabilities for operational technology environments.
Jordan: And it's not just rhetoric. The Dutch operation that took down eight hundred servers tied to Stark Industries Solutions is proof that the infrastructure underpinning Russian cyber operations is real, it's substantial, and it's being hosted inside the EU. These weren't servers in some far-flung jurisdiction. Two hosting company co-owners arrested in the Netherlands for running infrastructure directly supporting Russian intelligence. CISOs should be asking their threat intelligence teams: did any of our traffic ever touch Stark Industries IP ranges? Do we have indicators from that infrastructure in our logs?
Alex: Now pivot to Iran, because the post-war cyber retaliation campaign is fully underway. We had two major stories this week. Nimbus Manticore — that's the Iranian state group also tracked as UNC1549 — is deploying AI-built backdoors called MiniFast against U.S. aviation and software companies. And they're using SEO poisoning as an initial access vector, which is a meaningful TTP evolution.
Jordan: The SEO poisoning piece is important because it changes who's at risk. Phishing requires targeting specific individuals. SEO poisoning casts a much wider net — you're compromising search results so that anyone researching certain aviation or defense topics lands on an attacker-controlled page. That's a fundamentally different threat model. And simultaneously, we got attribution on the LA Metro breach. Israeli firm Gambit Security traced it back to the Iranian government operating behind a fake hacktivist persona called Ababil of Minab. Recovery took weeks. This is a transit system serving millions of people, and Iran knocked it offline using a false-flag identity designed to create plausible deniability.
Alex: And then layer in the China angle. ESET's APT Activity Report this week showed Chinese threat actors are opportunistically exploiting the Iran conflict to expand targeting against maritime and energy companies globally. They're not involved in the conflict — they're just taking advantage of the fact that everyone's watching Iran while China quietly broadens its collection operations. For CISOs in maritime and energy, you now have both Iranian and Chinese APTs actively interested in your sector for different reasons, and you need your threat model to reflect both.
Jordan: And I want to connect one more dot here. The Glassworm botnet takedown — CrowdStrike, Google, and Shadowserver coordinating to simultaneously take down all four C2 servers. Glassworm had been systematically injecting malware into open-source packages and developer tools since early 2025. We don't have public attribution to a nation-state yet, but the sophistication of targeting developers as the entry point for downstream supply chain compromise — that's a playbook we've seen from state-level actors. CISOs with any open-source dependencies, which is everyone, should be running Glassworm indicators against their software bill of materials immediately.
Alex: Let's shift to our second theme, which Jordan set up perfectly in the cold open: the exploitation of human trust as a primary attack vector. The CrowdStrike Financial Services Threat Landscape Report landed this week, and the headline finding is that Mutant Spider is the single most active threat group hitting financial services — and their primary technique isn't technical at all. They call IT support lines over Microsoft Teams, impersonate internal IT staff, convince a help desk analyst to reset someone's MFA, and then register their own device on the corporate network. MFA is working perfectly. The reset process is working perfectly. That's the problem.
Jordan: This is the attack that should keep CISOs up at night because there's no CVE to patch. The vulnerability is your help desk procedure. How does your IT support team verify that the person asking for an MFA reset is who they claim to be? If the answer is "they called from a Teams account that looked internal," you are vulnerable to Mutant Spider right now. Out-of-band verification — callback to a registered phone number, in-person confirmation, manager approval workflows — these aren't nice-to-haves anymore. They're controls.
Alex: And then take that concept and escalate it physically. The FBI warning about Silent Ransom Group targeting law firms. These actors are calling victims and then showing up in person, impersonating IT staff, and gaining direct physical access to workstations. No exploit. No malware delivery mechanism. They walk in the door. CISOs in legal, financial services, anywhere with high-value data — your visitor management process, your badge access policies, your receptionist's ability to verify a contractor's identity, those are security controls now and need to be tested like security controls.
Jordan: The 23andMe lawsuit adds the detection failure dimension to this theme. California's AG is suing because attackers were inside 23andMe's systems for five months — from April to September 2023 — and the company allegedly ignored multiple red flags. This isn't a breach notification lawsuit. It's a negligence claim for failure to detect an active intrusion. That's a new legal standard that every CISO needs to internalize. Your detection capability is now a potential liability exposure.
Alex: And Charter Communications rounds out the breach picture. ShinyHunters compromised a single employee account and extracted 4.9 million records. A single credential. One account. Nearly five million people's data. The math is brutal and it's the same math every week.
Jordan: Let's talk governance, because the foundation that enterprise security programs are built on showed some serious cracks this week. The Commerce Department Inspector General audited NIST's National Vulnerability Database and found a backlog of twenty-seven thousand unprocessed security flaws. Twenty-seven thousand. And NIST was duplicating work that CISA was already doing through a parallel program. If your vulnerability management program depends on NVD enrichment data for prioritization — and most do — you're making risk decisions on an increasingly unreliable data source.
Alex: This one hit me hard because I've sat in rooms where we made patch prioritization decisions based on NVD severity scores and enrichment metadata. If that data is stale or missing for twenty-seven thousand vulnerabilities, your risk-based patching program has a blind spot you can't see. CISOs should be evaluating supplementary vulnerability intelligence sources and not treating NVD as a single point of truth.
Jordan: India's CERT-In added an interesting wrinkle by recommending twelve-hour patching windows for critical internet-facing vulnerabilities, explicitly because AI is accelerating exploitation timelines. Twelve hours. Most enterprise change management processes take longer than that to get an approval ticket routed. This is aspirational for now, but it signals where regulators are heading globally, and your patching SLAs may need to get dramatically more aggressive.
Alex: And the shadow AI problem isn't going away. Okta's research shows executives and employees are openly clashing over AI usage policies, and enterprise data is flowing into unapproved tools. Sixty-three percent of vendors advertising AI capabilities don't even disclose their third-party AI subprocessors. You literally cannot do vendor risk assessment on tools you don't know are processing your data through providers they won't name.
Jordan: Which connects directly to the AI agents as insiders story from BankInfoSecurity. These autonomous systems are making decisions, executing workflows, accessing sensitive data — and your insider threat program was designed to watch humans. AI agents don't take lunch breaks, don't have badge access logs, and can exfiltrate data at machine speed without malicious intent. The governance gap is real and it's widening.
Alex: Final theme — critical vulnerabilities in trusted infrastructure. Two nine-out-of-ten severity stories this week, both in perimeter security products. FortiClient EMS, CVE-2026-35616, under active exploitation. Attackers are using it to push an infostealer called EKZ disguised as a legitimate Fortinet update, delivered through FortiClient-managed VPN scripting workflows. They're abusing your endpoint management system to distribute malware to every managed endpoint. That is a nightmare scenario.
Jordan: And PAN-OS GlobalProtect, CVE-2026-0257, authentication bypass under active exploitation. Attackers can establish VPN connections without valid credentials. Your VPN concentrator, the thing that's supposed to be the gate, is letting people through without a key. If you're running Palo Alto VPN infrastructure, this is a drop-everything-and-patch moment.
Alex: The Starlette vulnerability, BadHost, deserves a mention too. Three hundred twenty-five million weekly downloads, foundational to most AI agent frameworks, authentication bypass. If you're deploying agentic AI applications, you need to know if Starlette is in your dependency tree and patch it.
Jordan: So stepping back — what defined this week?
Alex: I'd say it's the week the attack surface became definitively human. Every major story — Mutant Spider's voice phishing, Silent Ransom Group walking into offices, 23andMe's five months of ignored red flags, shadow AI tools employees are using without permission, AI agents acting as unsupervised insiders — they all point to the same conclusion. Technical controls are necessary but insufficient. The organizations that get breached in the second half of 2026 will overwhelmingly be breached through people and process failures, not unpatched software.
Jordan: And the geopolitical overlay makes it worse. Russia, Iran, and China are all escalating simultaneously, for different reasons, using different techniques, and in some cases exploiting each other's conflicts as cover. The threat environment is the most complex I've seen in twenty years. CISOs going into next week should be thinking about three things: audit your help desk identity verification processes, check your FortiClient and PAN-OS deployments against this week's CVEs, and start a serious conversation about how you're governing AI agents in your environment before a regulator or an attacker forces that conversation for you.
Alex: That's your week. The daily show returns Monday. All the stories we discussed today, with links and additional context, are available at cleartext.fm. I'm Alex Chen.
Jordan: I'm Jordan Reeves. Have a good weekend. You've earned it.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-30.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.
By Cleartext
Jordan: This is the attack that should keep CISOs up at night because there's no CVE to patch. The vulnerability is your help desk procedure. How does your IT support team verify that the person asking for an MFA reset is who they claim to be? If the answer is "they called from a Teams account that looked internal," you are vulnerable to Mutant Spider right now. Out-of-band verification — callback to a registered phone number, in-person confirmation, manager approval workflows — these aren't nice-to-haves anymore. They're controls.
Alex: And then take that concept and escalate it physically. The FBI warning about Silent Ransom Group targeting law firms. These actors are calling victims and then showing up in person, impersonating IT staff, and gaining direct physical access to workstations. No exploit. No malware delivery mechanism. They walk in the door. CISOs in legal, financial services, anywhere with high-value data — your visitor management process, your badge access policies, your receptionist's ability to verify a contractor's identity, those are security controls now and need to be tested like security controls.
Jordan: The 23andMe lawsuit adds the detection failure dimension to this theme. California's AG is suing because attackers were inside 23andMe's systems for five months — from April to September 2023 — and the company allegedly ignored multiple red flags. This isn't a breach notification lawsuit. It's a negligence claim for failure to detect an active intrusion. That's a new legal standard that every CISO needs to internalize. Your detection capability is now a potential liability exposure.
Alex: And Charter Communications rounds out the breach picture. ShinyHunters compromised a single employee account and extracted 4.9 million records. A single credential. One account. Nearly five million people's data. The math is brutal and it's the same math every week.
Jordan: Let's talk governance, because the foundation that enterprise security programs are built on showed some serious cracks this week. The Commerce Department Inspector General audited NIST's National Vulnerability Database and found a backlog of twenty-seven thousand unprocessed security flaws. Twenty-seven thousand. And NIST was duplicating work that CISA was already doing through a parallel program. If your vulnerability management program depends on NVD enrichment data for prioritization — and most do — you're making risk decisions on an increasingly unreliable data source.
Alex: This one hit me hard because I've sat in rooms where we made patch prioritization decisions based on NVD severity scores and enrichment metadata. If that data is stale or missing for twenty-seven thousand vulnerabilities, your risk-based patching program has a blind spot you can't see. CISOs should be evaluating supplementary vulnerability intelligence sources and not treating NVD as a single point of truth.
Jordan: India's CERT-In added an interesting wrinkle by recommending twelve-hour patching windows for critical internet-facing vulnerabilities, explicitly because AI is accelerating exploitation timelines. Twelve hours. Most enterprise change management processes take longer than that to get an approval ticket routed. This is aspirational for now, but it signals where regulators are heading globally, and your patching SLAs may need to get dramatically more aggressive.
Alex: And the shadow AI problem isn't going away. Okta's research shows executives and employees are openly clashing over AI usage policies, and enterprise data is flowing into unapproved tools. Sixty-three percent of vendors advertising AI capabilities don't even disclose their third-party AI subprocessors. You literally cannot do vendor risk assessment on tools you don't know are processing your data through providers they won't name.
Jordan: Which connects directly to the AI agents as insiders story from BankInfoSecurity. These autonomous systems are making decisions, executing workflows, accessing sensitive data — and your insider threat program was designed to watch humans. AI agents don't take lunch breaks, don't have badge access logs, and can exfiltrate data at machine speed without malicious intent. The governance gap is real and it's widening.
Alex: Final theme — critical vulnerabilities in trusted infrastructure. Two nine-out-of-ten severity stories this week, both in perimeter security products. FortiClient EMS, CVE-2026-35616, under active exploitation. Attackers are using it to push an infostealer called EKZ disguised as a legitimate Fortinet update, delivered through FortiClient-managed VPN scripting workflows. They're abusing your endpoint management system to distribute malware to every managed endpoint. That is a nightmare scenario.
Jordan: And PAN-OS GlobalProtect, CVE-2026-0257, authentication bypass under active exploitation. Attackers can establish VPN connections without valid credentials. Your VPN concentrator, the thing that's supposed to be the gate, is letting people through without a key. If you're running Palo Alto VPN infrastructure, this is a drop-everything-and-patch moment.
Alex: The Starlette vulnerability, BadHost, deserves a mention too. Three hundred twenty-five million weekly downloads, foundational to most AI agent frameworks, authentication bypass. If you're deploying agentic AI applications, you need to know if Starlette is in your dependency tree and patch it.
Jordan: So stepping back — what defined this week?
Alex: I'd say it's the week the attack surface became definitively human. Every major story — Mutant Spider's voice phishing, Silent Ransom Group walking into offices, 23andMe's five months of ignored red flags, shadow AI tools employees are using without permission, AI agents acting as unsupervised insiders — they all point to the same conclusion. Technical controls are necessary but insufficient. The organizations that get breached in the second half of 2026 will overwhelmingly be breached through people and process failures, not unpatched software.
Jordan: And the geopolitical overlay makes it worse. Russia, Iran, and China are all escalating simultaneously, for different reasons, using different techniques, and in some cases exploiting each other's conflicts as cover. The threat environment is the most complex I've seen in twenty years. CISOs going into next week should be thinking about three things: audit your help desk identity verification processes, check your FortiClient and PAN-OS deployments against this week's CVEs, and start a serious conversation about how you're governing AI agents in your environment before a regulator or an attacker forces that conversation for you.
Alex: That's your week. The daily show returns Monday. All the stories we discussed today, with links and additional context, are available at cleartext.fm. I'm Alex Chen.
Jordan: I'm Jordan Reeves. Have a good weekend. You've earned it.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-30.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.