
A
From the CISO series, it's Cybersecurity Headlines
B
These are the cybersecurity headlines for Monday, May 25, 2026. I'm Steve Prentiss.

CISA adds Drupal Core flaw to KEV. The CVE-numbered flaw in Microsoft Exchange Server has a CVSS score of 9.8. As we reported on May 20th, Drupal issued a critical security patch for the SQL injection vulnerability that allows unauthenticated attackers to compromise sites running PostgreSQL databases. This is in response to exploitation attempts that had started almost immediately, with thousands of attacks in the wild being tracked. According to Imperva, attacks are primarily targeting gaming and financial services sites. The KEV addition means federal agencies must fix the vulnerability by May 27th.

Underminer hides malicious connections behind trusted domains. This is a vulnerability that exists in the shared content delivery infrastructure, spelled Underminer. It is a variant of a technique called domain fronting. It is a now mitigated type of attack that enabled threat actors to place a legitimate allowed domain in the SNI and TLS certificate validation fields of an HTTPS request while embedding a different target domain in the TLS tunnel's encrypted HTTP Host header. This means that an HTTP request reached the hidden destination while traffic would appear to be going to a reputable front domain. According to Zero Trust company Adam Networks, Underminer has been used in attacks mostly via TCP connections on port 443, in which SNI exposes the intended TLS host name.

Canadian man charged with running KimWolf DDoS botnet. Following up on a story we covered in December and January, Jacob Butler was arrested in Ottawa on Wednesday after the U.S. Justice Department filed an extradition warrant tied to his operation of the KimWolf botnet, one of the largest and most damaging distributed denial of service platforms in the world. The 23-year-old was initially identified by Brian Krebs back in February, but denied being the online persona known as Dort, D-O-R-T, that ran KimWolf. Butler has been charged with one count of aiding and abetting computer intrusion. He is facing up to 10 years in prison if convicted.

Hackers attack German hospitals through third-party provider. German university hospitals are dealing with a large-scale patient data breach after unknown hackers reportedly targeted an external billing service provider used by medical centers across the country. This according to statements from several affected medical institutions. The third-party vendor, Unimed, handles billing services for privately insured and self-paying patients on behalf of numerous German hospitals. These hospitals, based in at least six German cities, said the breach did not compromise their own clinical infrastructure or disrupt patient treatment, but did affect the data and records of many thousands of patients from each of the hospitals.

Huge thanks to our sponsor, Guardsquare. Mobile app security isn't just a tech issue, it's a revenue issue. A recent global study found that 72% of organizations experienced a mobile app security incident last year. Even worse, 65% saw customer churn or uninstalls as a result. Protect your brand and your bottom line with layered mobile app protection. You can learn more at guardsquare.com, that is the two words, guard square, dot com.

Creative hijacking of Laravel Lang packages deploys credential-stealing malware. According to security firms StepSecurity, Aikido Security and Socket, a supply chain attack targeting the Laravel Lang localization packages has exposed developers to a sophisticated credential-stealing malware campaign after attackers abused GitHub version tags to distribute malicious code through Composer packages. These Laravel Lang packages are third-party localization packages and are not part of the official Laravel project. What made the attack unique is that the actual project's source code was not modified to include malicious code, but instead the attackers abused a GitHub feature that allows tags to point to commits in forks of the same repository.

Italy disrupts Cinemagoal piracy app. Italian authorities have dismantled a piracy ecosystem that provided access to various streaming platforms including Netflix, Disney and Spotify. The app, named Cinemagoal, is one that customers install on their devices and allowed its operators to make millions from audiovisual piracy, unauthorized computer access and computer fraud. The system used virtual machines in Italy to capture valid authentication and decryption codes from legitimate subscriptions every three minutes and then redistribute them to customers.

FBI warns about fast-growing AI phishing kit targeting Microsoft 365 users. This warning focuses on Kali365, i.e. K-A-L-I-365, a growing phishing-as-a-service platform that retrieves Microsoft 365 access tokens. In a public service announcement on Thursday, the FBI described this as a toolkit that bypasses multi-factor authentication and abuses OAuth device code authorizations via phishing lures, impersonating common enterprise services and granting cybercriminal-controlled applications access to Microsoft 365 accounts. According to researchers at Proofpoint, Kali365 is one of many rapidly emerging AI-generated, AI-driven device code phishing tools, quote, which are gaining popularity as a more effective means for cybercriminals to circumvent security controls while abusing legitimate Microsoft Device Authorization pages, end quote.

Claude Mythos AI finds 10,000 high-severity flaws in widely used software. In what will likely be an ongoing, developing story, Anthropic on Friday disclosed that Project Glasswing has helped uncover more than 10,000 high or critical severity vulnerabilities across some of the most systematically important software across the world. This since the cybersecurity initiative went live last month. Just one of the identified weaknesses is a critical flaw in wolfSSL, which has a CVE number and a CVSS score of 9.1 that could allow an attacker to forge certificates and masquerade as a legitimate service. Anthropic echoed a now common sentiment, stating that the relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity.

Join us this Friday for Hacking Pen Testing in the Age of Agentic AI on Super Cyber Friday. It starts at 1pm Eastern and you can join our chat, play some games and learn how pen testing is evolving, and even win some CISO Series swag. So go to the events page at cisoseries.com to register. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Steve Prentiss
Main Theme:
A rapid-fire update on critical cybersecurity developments including the latest KEV vulnerability in Drupal, resurgence of domain fronting attacks (Underminer), a major botnet operator arrest in Canada, hospital data breaches in Germany, an inventive supply chain attack on Laravel’s ecosystem, Italian crackdown on piracy, a fast-growing AI-based Microsoft 365 phishing kit, and Anthropic's sweeping disclosure of high-severity software flaws.
[00:08 – 01:15]
"Exploitation attempts started almost immediately, with thousands of attacks in the wild…attacks are primarily targeting gaming and financial services sites."
– Steve Prentiss [00:22]
[01:16 – 02:33]
"Underminer is a variant of a technique called domain fronting...enabled threat actors to place a legitimate allowed domain in the SNI and TLS certificate validation fields...while embedding a different target domain in the TLS tunnel's encrypted HTTP Host header."
– Steve Prentiss [01:40]
[02:34 – 03:21]
"Jacob Butler was arrested...after the U.S. Justice Department filed an extradition warrant tied to his operation of the KimWolf botnet, one of the largest and most damaging distributed denial of service platforms in the world."
– Steve Prentiss [02:36]
[03:22 – 04:02]
"The breach did not compromise their own clinical infrastructure or disrupt patient treatment, but did affect the data and records of many thousands of patients…"
– Steve Prentiss [03:48]
[05:04 – 05:48]
"Attackers abused a GitHub feature that allows tags to point to commits in forks of the same repository."
– Steve Prentiss [05:33]
[05:49 – 06:31]
"The system used virtual machines in Italy to capture valid authentication and decryption codes...and then redistribute them to customers."
– Steve Prentiss [06:24]
[06:32 – 07:16]
"Kali365 is one of many rapidly emerging AI generated, AI driven device code phishing tools…a more effective means for cyber criminals to circumvent security controls."
– Steve Prentiss [07:05]
[07:17 – 08:00]
"The relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity."
– Steve Prentiss [07:54]
| Segment | Timestamp |
|--------------------------------------------------------------|------------|
| Drupal Core flaw & KEV update | 00:08-01:15 |
| Underminer/Domain fronting attack | 01:16-02:33 |
| KimWolf Botnet Operator Arrest | 02:34-03:21 |
| German Hospital Data Breach via Unimed | 03:22-04:02 |
| Supply Chain Attack: Laravel Lang packages | 05:04-05:48 |
| Italian Piracy: Cinemagoal app takedown | 05:49-06:31 |
| FBI Warns: Kali365 AI phishing kit | 06:32-07:16 |
| Anthropic: 10,000 high-severity software vulnerabilities | 07:17-08:00 |
Steve Prentiss delivers today's headlines with urgency and directness. Listeners are left with a vivid picture of an escalating, fast-moving threat landscape, demanding swift action and continued vigilance.