
A
From the CISO series, it's Cybersecurity Headlines
B
These are the cybersecurity headlines for Wednesday, May 20, 2026. I'm Rich Stroffolino.
Microsoft disrupts malware signing as a service. According to unsealed court documents, Microsoft said it took down Fox Tempest, a malware code signing service in operation since May 2025. Fox Tempest was used by several prominent ransomware groups, including Rhysida, INC, Qilin and Akira, for attacks across the U.S., China, France and India. They abused Microsoft's artifact signing to provide short life certificates to get malware running around typical Windows defenses. The takedown saw Fox Tempest's website seized, hundreds of virtual machines taken offline and over 1000 certificates revoked.
Critical flaw found in industrial robot OS. The Danish company Universal Robots released a patch for a critical command injection vulnerability in its PolyScope 5 operating system. This could allow an unauthorized user with network access to perform remote code execution on robotics controllers. This would require that the robot's dashboard server be directly accessible over the Internet, or an attacker to have access to an ethernet port on a control box. Generally, these industrial robots run on a flat, unsegmented network, which could make accessing the vulnerable dashboards significantly less challenging.
CISA admin leaks keys. Security reporter Brian Krebs was contacted by researchers at GitGuardian warning that a GitHub repository exposed credentials for several AWS GovCloud accounts. GitGuardian routinely scans for exposed secrets and notifies account holders. In this case, the owner didn't respond to their notification. The GitHub repository was ironically named Private CISA and contained cloud keys, tokens, passwords in plaintext, and other sensitive CISA and DHS assets. The account owner also disabled a default GitHub feature to prevent sharing secrets.
While the repo eventually was set to private, researchers at Soralis confirmed the credentials were working up to 48 hours later. CISA said it was aware of the exposed assets, but said there was no indication that any sensitive data was compromised.
Urgent patch announced for Drupal Core. The Drupal security team issued a PSA about an upcoming urgent patch set to be released on May 20th. This patch only impacts Drupal Core, not Drupal CMS. Drupal Steward customers are recommended to install the patch as well. The PSA urged users to install the patch quickly after release, saying that exploits might be developed within hours or days. The flaw applies to using uncommon module configurations, but the PSA said it was easy to leverage, doesn't require elevated privileges, and could expose non-public data. Drupal also released patches for all impacted versions, including out-of-support versions 8.9 and 9.5.
And now a huge thanks to our sponsor for today, ThreatLocker. ThreatLocker is extending zero trust beyond endpoint control with their recent release of zero trust network access and zero trust cloud access. Access isn't based on credentials alone. It requires the right user, the right device and the right conditions because, as we've seen in recent large-scale CRM breaches, stolen credentials and misconfigurations can expose massive amounts of data. With ThreatLocker, nothing is exposed and access is limited to exactly what's needed. Learn more and start your free trial today at threatlocker.com CISO.
Ethereum looking at AI-assisted formal verification. Everyone is trying to deal with the increase in AI-assisted cyber attacks, and cryptocurrency is no different. In a blog post this week, Ethereum co-founder Vitalik Buterin said AI has advanced the possibilities of using formal verification to better secure blockchain networks against software flaws. In the most general sense, verification uses mathematical proofs to ensure software is operating correctly.
Buterin said this approach is particularly well suited for situations where the goal is much simpler than the implementation, but cautioned that this was not a panacea.
Patching errors in restricted Windows networks. In a service alert, Microsoft said that customers in restricted network environments may see Windows Update failures after installing the January 2026 optional non-security preview update. Catchy name, guys. This would apply to isolated or air-gapped systems. This issue stems from a change in Windows download timeout requirements. Microsoft is working on a fix, but released a set of group policies in its known issue rollback feature for IT admins to use as a workaround.
Google wants people to remember CodeMender. At its I/O conference, Google announced it's making its CodeMender tool available to select groups of experts. Google initially announced CodeMender in October 2025, an AI agent similar to Anthropic's Mythos that can debug and fix software vulnerabilities. At the initial announcement, Google said it was taking a cautious approach, focusing on reliability with CodeMender with all patches reviewed by human researchers. Google DeepMind CTO Koray Kavukcuoglu confirmed that they have been in discussions with governments and enterprises to audit systems with CodeMender.
Abuse of Microsoft HTML applications on the rise. Microsoft HTML Applications, or MSHTA, came out first in 1999 as part of the release of Internet Explorer 5.0. Windows 11 maintains support for these through Edge's IE mode. While legitimate use of MSHTA has fallen over its more than quarter century of life, researchers at Bitdefender warn that abuse is on the rise. That's because an HTML application file can be manipulated to run VBScript in memory, where it's harder to see malicious activity. Bitdefender saw this used to deliver Lumma, Amatera, ClipBanker, and PurpleFox malware, usually paired with phishing campaigns.
Remember to subscribe to the CISO Series on YouTube.
We've got new shorts videos posting daily and it's where we stream our Department of No show every Friday at 4pm Eastern. And if you have some thoughts about the news from today or about the show in general, be sure to reach out to us. FeedbackSo we'd love to hear from you. Reporting for the CISO Series, I'm Rich Stroffolino reminding you to have a super sparkly day.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Rich Stroffolino
Main Theme:
A roundup of critical updates and incidents in cybersecurity, centered around a significant Microsoft-led disruption of a major malware code signing service, urgent vulnerabilities in robotics and web frameworks, and new trends in AI and malware delivery.
This episode delivers a concise, up-to-date snapshot of pressing cyber threats and patches, spotlighting Microsoft’s disruption of a global malware infrastructure, severe robotics vulnerabilities, and the risks of lax cloud credential management. It discusses innovative uses of AI in cybersecurity and ongoing threats from legacy technologies, offering actionable insights for IT and security professionals.