Cybersecurity Today. We'd like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity and data threats inside Google Workspace and Microsoft 365. You can contact them at Material Security.
Ransomware crews act with nation state discipline; another Exchange zero day, mitigation only for now; fired contractors recorded their own crimes; and two more Fortinet critical vulnerabilities. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started. Ransomware affiliates are showing signs of operating with the same discipline as nation state actors, according to a new analysis from cybersecurity researcher Marcus Hutchins. In a LinkedIn post, Hutchins documented what he found while investigating a recent ransomware attack. The attackers had deployed an EDR killer, a piece of malware designed to disable endpoint detection and response software, the modern replacement for classic antivirus. EDR killers typically work by loading a legitimate, digitally signed third party driver into the Windows kernel, a driver that happens to have a known vulnerability. The attacker exploits the vulnerability to get kernel level code execution and shuts down the EDR's processes. The technique itself has been mainstream ransomware tradecraft for years. Hutchins is best known as the researcher who stopped the WannaCry ransomware outbreak in May 2017, finding and registering a kill switch domain that halted the global attack. He was later arrested in the United States on charges related to banking malware he wrote as a teenager, pleaded guilty and was sentenced to time served. He has since rebuilt his career as a respected ransomware researcher. Hutchins noted that what was different about this new case was the discipline around the EDR killer used in the attack. The EDR killer was a custom built one for the specific EDR product the victim was running, SentinelOne. Most ransomware affiliates ship a one size fits all tool that detects whatever EDR is present and terminates it. Writing one targeted only at SentinelOne takes the same effort as writing a generic version, but it produces a narrower artifact for defenders to study.
The vulnerable driver they used was also signed for older Windows systems, the kind that wouldn't work on a modern Windows machine with WHQL driver signature enforcement enabled, Hutchins noted. The affiliate almost certainly had access to WHQL-signed vulnerable drivers that would work everywhere. They chose not to deploy them on this engagement. Deploying only the minimum capability needed for a specific job, keeping the better tools in reserve, and deliberately narrowing the forensic footprint: Hutchins says these are all behaviors he sees all the time in highly sophisticated state sponsored actors. They deploy only what's explicitly needed, keeping their other digital gunpowder dry. But this wasn't a state actor. This was a ransomware affiliate working for a known ransomware group. For years, ransomware was all about high volume, low discipline. This is a ransomware actor that now operates with the discipline of a nation state. They have the elite capability. They're deliberately choosing not to deploy it when they don't need to. All of this further supports a notion we reported on at RSAC this year: that the term "advanced persistent threat" is increasingly useless as a descriptor only for nation state hacking crews, and that we should be moving towards motivation and sophistication descriptions like "financially motivated criminal group" or "espionage and disruption motivated nation state hacking team." Microsoft is warning of a high severity Exchange Server zero day vulnerability that's already being exploited in attacks, and there is no patch available yet. Worse yet, all it takes is an Outlook on the Web user opening a maliciously coded email. According to Bleeping Computer, the flaw, tracked as CVE-2026-42897, affects up-to-date versions of Exchange Server 2016, 2019 and Subscription Edition. It's a cross-site scripting vulnerability that lets an attacker execute arbitrary JavaScript in a victim's browser by sending a specially crafted email.
If the recipient opens the email in Outlook on the Web and meets a few interaction conditions Microsoft is not publicly detailing, the malicious script runs in the context of their session. Microsoft has not released a patch. What it has released is a mitigation delivered through the Exchange Emergency Mitigation Service. That's the automated mitigation system that Microsoft built into Exchange after the ProxyLogon and ProxyShell disasters of 2021, where attackers compromised tens of thousands of Exchange servers before patches and mitigations were available. There are a few catches. First, the Emergency Mitigation Service only checks for new mitigations on Exchange servers running a version newer than March 2023. Anything older than that has no automated path, and administrators have to apply the fix manually through Microsoft's Exchange On-Premises Mitigation Tool. Second, applying the mitigation breaks some Outlook on the Web features. The Print Calendar function may stop working. Inline images in the reading pane may not render. The deprecated OWA Lite interface stops working entirely. Third, and most consequential, when full patches do arrive, they will only be available for Exchange Server 2016 and 2019 customers enrolled in Microsoft's Period 2 Extended Security Updates program. According to the Shadowserver Foundation, scans show there are still tens of thousands of Exchange servers out there running older, vulnerable versions. Over the last five years, CISA has added 19 Microsoft Exchange Server vulnerabilities to its Known Exploited Vulnerabilities catalog. Fourteen of those were used in ransomware attacks. Exchange has been one of the most consistently exploited corporate platforms on the Internet. Two contractors who deleted 96 US government databases after being fired by a federal IT contractor were caught because they forgot to stop the Microsoft Teams recording of the meeting at which they were fired.
That detail, now public in a court filing, helps explain how prosecutors obtained a verbatim transcript of the brothers committing their crimes. According to Ars Technica, the brothers are Muneeb and Sohab Akhtar, 34 year old twins from Arlington, Virginia. They worked for Opex, a federal IT contractor whose customers include the Office of the Inspector General at the U.S. Department of Veterans Affairs, the Department of Education, and the Department of Homeland Security. The two were fired on February 18, 2025, after the company discovered that they had prior convictions for cyber fraud. Sohab started the recording of the Teams meeting at which they were terminated. HR personnel left the meeting about two and a half minutes into the call. Neither brother thought to end the recording for the next hour. The recording captured them deleting government databases and discussing what to do next. Sohab was found guilty at trial last week. Muneeb pled guilty in April and has been writing handwritten letters to the judge trying to withdraw his plea ever since. Both are in federal prison. According to the prosecutor's filing, Muneeb told his brother that he had connected to the company's VPN about 10 minutes before the termination meeting started. Sohab responded that the VPN session would probably stay valid for another six hours. That's how they had access to what they needed to delete the databases. Their privileged access wasn't terminated in a timely fashion along with their employment. The notification of employment termination is often done in organizations by HR. Revoking access is executed by the IT team. When these two timelines don't run in lockstep, you get exactly what happened here. A window opens between "we're letting you go" and "your sessions are killed." That window is when damage happens. The federal agencies whose data was deleted are still cleaning up. And finally, we're back with another edition of FortiWatch.
That's where we talk about the latest critical vulnerabilities in Fortinet products. Fortinet has released security updates for two critical vulnerabilities in FortiAuthenticator and FortiSandbox, both of which can be exploited by unauthenticated attackers to run arbitrary code on unpatched systems. According to Bleeping Computer, the FortiAuthenticator flaw, tracked as CVE-2026-44277, is an improper access control issue affecting the company's identity and access management product. It scores a 9.8 out of 10 on the critical vulnerability severity scale. The FortiSandbox flaw, CVE-2026-26083, is a missing authorization weakness that allows remote code execution through crafted HTTP requests against the platform's web interface. It's another 9.8. For context, this is the third critical Fortinet vulnerability story we've covered on the show in roughly six weeks. In early April, we covered an emergency patch for a FortiClient EMS authentication bypass that was already being exploited. In March, we covered an actively exploited SQL injection flaw in that same product. CISA has now added 24 Fortinet vulnerabilities to its Known Exploited Vulnerabilities catalog. In recent years, 13 of those were used in ransomware attacks. If you're running FortiAuthenticator or FortiSandbox, the patches are out now. Good job, Fortinet. Ongoing 34 days between critical vulnerability stories. Let's try for a full quarter next time. That's Cybersecurity Today for Tuesday, May 19, 2026. We appreciate all of your feedback. Feel free to leave a comment under the YouTube video or to drop by technewsday.com or .ca and send us a note. Thank you to everyone who's left a rating or review on their favorite podcast platform. It does really help us reach more people, and it makes our day. I'll be back tomorrow with more of the latest cybersecurity headlines.
Here's a question worth asking: what happens after a phishing email slips past your filters? Most email security tools only guard the front door, but attackers are already inside. Material Security is different. It's a unified detection and response platform, purpose-built for Google Workspace and Microsoft 365, protecting email, files and accounts all in one place. We're talking automated phishing remediation, account takeover containment and sensitive data protection, without alert fatigue. Find out why companies like Figma, Reddit, and Lyft trust Material to stop the threats other tools miss. See workspace security in action at Material Security. That's Material Security. And if you do contact them, take a second and say thanks for sponsoring Cybersecurity Today.
Host: David Shipley
Episode Theme:
The episode covers the increasing discipline of ransomware groups, a new Exchange Server zero-day, the consequences of slow access revocation in insider threats, and two more critical Fortinet vulnerabilities. The focus is on actionable threat intelligence and organizational security response in a rapidly evolving risk landscape.
[00:24 - 04:55] Ransomware affiliates mimicking nation states
Main Insight:
Recent ransomware affiliates are displaying operational discipline comparable to state-sponsored actors.
Research Highlight:
Marcus Hutchins’ latest investigation reveals a ransomware affiliate deploying a custom-built EDR (Endpoint Detection and Response) killer tailored specifically for SentinelOne, rather than using generic tools.
Technique:
Utilization of a legitimate, but vulnerable, third-party driver, signed for older Windows machines, to evade modern defenses and minimize forensic footprint.
Strategic Behavior:
Attackers deliberately use only the minimal force necessary to accomplish their objective, echoing strategies typical of nation-state APTs.
Notable Quote:
“Deploying only the minimum capability needed for a specific job, keeping the better tools in reserve, and deliberately narrowing the forensic footprint ... these are all behaviors he sees all the time in highly sophisticated state sponsored actors ... But this wasn’t a state actor. This was a ransomware affiliate working for a known ransomware group.”
— David Shipley citing Marcus Hutchins [03:01]
Industry Implication:
The terminology “Advanced Persistent Threat” (APT) is blurring as financially motivated cybercriminal groups become as sophisticated as nation-state actors.
Suggested Shift:
Move from broad descriptors like “APT” to clarifying attacker motivation and sophistication: e.g., “financially motivated criminal group” vs. “nation-state espionage team.”
Memorable Moment:
The history and redemption of Marcus Hutchins, noting his stopping WannaCry in 2017 and subsequent career rebuilding. [02:08]
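The EDR killer described in this segment loads a signed but vulnerable driver, so the defender's first signal is the driver-load event itself. The following is an added example, not code from the podcast or from Hutchins' post: it triages constructed Sysmon Event ID 6 (DriverLoad) records, flagging a load whose hash is on a vulnerable-driver blocklist, whose signature is not valid, or whose image sits outside the normal driver directory. The `key=value|` line format, the sample events and the blocklist hashes are all constructed placeholders.

```python
# Added example (not from the podcast): triage of Sysmon Event ID 6 driver-load
# records for a bring-your-own-vulnerable-driver EDR killer. Sample events,
# the flattened line format and the blocklist hashes are constructed.
from dataclasses import dataclass

# Constructed placeholder hash standing in for a real vulnerable-driver blocklist
# entry; real hashes are not on the page and would come from your EDR vendor
# or Microsoft's recommended driver block rules.
KNOWN_VULNERABLE_SHA256 = {"AAAA0000" * 8}
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\",)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature_status: str  # Sysmon reports e.g. "Valid", "Expired", "Unavailable"


def parse_sysmon_driverload(line: str) -> DriverLoad:
    """Parse one constructed 'key=value|' Sysmon Event 6 line into a DriverLoad."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)
    hashes = dict(h.split("=", 1) for h in fields["Hashes"].split(","))
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=hashes.get("SHA256", "").upper(),
        signed=fields["Signed"].lower() == "true",
        signature_status=fields["SignatureStatus"],
    )


def triage(ev: DriverLoad) -> list[str]:
    """Return the reasons this load deserves analyst attention (empty = benign)."""
    reasons = []
    if ev.sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if not ev.signed or ev.signature_status != "Valid":
        reasons.append(f"signature {ev.signature_status}")
    if not ev.image.lower().startswith(TRUSTED_DIRS):
        reasons.append("loaded from outside System32\\drivers")
    return reasons


# Constructed sample events: an ordinary inbox driver, then a validly signed
# but blocklisted driver dropped in a user-writable directory, the pattern a
# signed-driver EDR killer leaves behind.
SAMPLE_EVENTS = [
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Hashes=SHA256="
    + "11" * 32 + "|Signed=true|SignatureStatus=Valid|",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\tmp\\upd.sys|Hashes=SHA256="
    + "AAAA0000" * 8 + "|Signed=true|SignatureStatus=Valid|",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_sysmon_driverload(line)
        print("ALERT" if triage(ev) else "ok   ", ev.image, triage(ev))
```

Note that the blocklisted driver in the sample carries a valid signature, which is exactly why hash and path checks are needed alongside signature checks.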
[04:55 - 08:35] Microsoft Exchange Server zero-day
Vulnerability Details:
CVE-2026-42897 is a cross-site scripting flaw in Outlook on the Web affecting up-to-date Exchange Server 2016, 2019 and Subscription Edition; a specially crafted email, once opened in Outlook on the Web, runs attacker-supplied JavaScript in the victim's session. It is already being exploited and no patch is available yet.
Mitigation & Challenges:
Microsoft has shipped a mitigation through the Exchange Emergency Mitigation Service, but only servers running a version newer than March 2023 receive it automatically (older servers need the Exchange On-Premises Mitigation Tool), and applying it breaks Print Calendar, inline images in the reading pane and the deprecated OWA Lite interface.
Long-Term Impact:
Full patches for Exchange Server 2016 and 2019 will go only to customers enrolled in Microsoft's Period 2 Extended Security Updates program, while Shadowserver scans show tens of thousands of older, vulnerable Exchange servers still exposed.
Broader Context:
Over the last five years CISA has added 19 Exchange Server vulnerabilities to its Known Exploited Vulnerabilities catalog, 14 of which were used in ransomware attacks.
Notable Quote:
“Exchange has been one of the most consistently exploited corporate platforms on the Internet.”
— David Shipley [08:00]
[08:35 - 10:07] Insider threat: Fired contractors
Incident:
Two federal IT contractors, Muneeb and Sohab Akhtar, deleted 96 US government databases post-termination—unwittingly recording their entire act on a Microsoft Teams call.
Key Error:
Neither ended the Teams recording after their HR dismissal; the recording captured the deletion and their discussion of the crime.
Access Control Failure:
Timely revocation of privileged access did not happen—the VPN session remained valid for hours after termination.
Notable Quote:
“The Notification of Employment termination is often done in organizations by HR. Revoking access is executed by the IT team. When these two timelines don’t run in lockstep, you get exactly what happened here. A window opens ... That window is when damage happens.”
— David Shipley [09:40]
Consequence:
Both brothers are now in federal prison. Impacted federal agencies are still recovering from the loss of data.
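The gap this segment describes is measurable: compare the time HR records a termination with the lifetime of any session the user already holds. The following is an added example, not the contractor's process or code from the podcast: it reconciles a constructed HR termination feed against a constructed VPN connect/revoke log and reports, per terminated user, how many minutes of access outlived the termination. The six-hour session lifetime is assumed from the episode; users and timestamps are constructed.

```python
# Added example (not from the podcast): reconcile HR termination times against
# VPN session records to find sessions that stay valid after the employee is
# gone. Users, timestamps and the log format are constructed.
from datetime import datetime, timedelta

SESSION_LIFETIME = timedelta(hours=6)  # assumed VPN session validity, as in the episode

# Constructed HR feed: user -> time the termination meeting started
HR_TERMINATIONS = {
    "user.a": datetime(2025, 2, 18, 10, 0),
    "user.b": datetime(2025, 2, 18, 10, 0),
}

# Constructed VPN log: (user, event, timestamp). 'connect' opens a session;
# 'revoke' is an administrative kill; without one, a session lives SESSION_LIFETIME.
VPN_LOG = [
    ("user.a", "connect", datetime(2025, 2, 18, 9, 50)),  # 10 min before the meeting
    ("user.b", "connect", datetime(2025, 2, 18, 9, 55)),
    ("user.b", "revoke", datetime(2025, 2, 18, 10, 5)),   # IT killed it promptly
    ("user.c", "connect", datetime(2025, 2, 18, 11, 0)),  # not terminated, ignored
]


def session_end(user, start, log):
    """Earliest revoke for this user after the session start, else natural expiry."""
    revokes = [t for u, e, t in log if u == user and e == "revoke" and t >= start]
    return min(revokes) if revokes else start + SESSION_LIFETIME


def exposure_windows(terminations, log):
    """Return {user: minutes of access that outlived termination}; 0 means clean."""
    out = {}
    for user, fired_at in terminations.items():
        worst = timedelta(0)
        for u, e, start in log:
            if u != user or e != "connect":
                continue
            end = session_end(user, start, log)
            if end > fired_at:  # session still valid after the termination meeting
                worst = max(worst, end - max(start, fired_at))
        out[user] = int(worst.total_seconds() // 60)
    return out


if __name__ == "__main__":
    for user, minutes in exposure_windows(HR_TERMINATIONS, VPN_LOG).items():
        print(f"{user}: {minutes} min of access after termination")
```

Run on a real HR export and VPN/IdP session log, any non-zero result is the window the host describes, and the same check works for SSO refresh tokens and cloud console sessions.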
[10:07 - 11:10] Fortinet critical vulnerabilities
Vulnerabilities:
CVE-2026-44277, an improper access control flaw in FortiAuthenticator, and CVE-2026-26083, a missing authorization weakness in FortiSandbox; both score 9.8 out of 10.
Attack Surface:
Both can be exploited by unauthenticated attackers to run arbitrary code on unpatched systems; the FortiSandbox flaw is reached through crafted HTTP requests against the platform's web interface.
Recent History:
This is the third critical Fortinet story in roughly six weeks, after an actively exploited FortiClient EMS authentication bypass in early April and an actively exploited SQL injection flaw in the same product in March. CISA's Known Exploited Vulnerabilities catalog now lists 24 Fortinet vulnerabilities, 13 of which were used in ransomware attacks.
Host’s Note:
“Good job, Fortinet. Ongoing 34 days between critical vulnerability stories. Let’s try for a full quarter next time.”
— David Shipley [11:05]
On the evolving sophistication of ransomware groups:
“This is a ransomware actor that now operates with the discipline of a nation state. They have the elite capability. They’re deliberately choosing not to deploy it when they don’t need to.”
— David Shipley [03:45]
On insider threat and IT process gaps:
“When these two timelines don’t run in lockstep, you get exactly what happened here. A window opens between we’re letting you go and your sessions are killed. That window is when damage happens.”
— David Shipley [09:45]
On Fortinet’s recent run of bad security headlines:
“Let’s try for a full quarter next time.”
— David Shipley [11:10]
| Segment | Timestamp |
|-------------------------------------------------|:----------:|
| Ransomware affiliates mimicking nation states | 00:24–04:55 |
| Microsoft Exchange Server zero-day | 04:55–08:35 |
| Insider threat: Fired contractors | 08:35–10:07 |
| Fortinet critical vulnerabilities | 10:07–11:10 |
David Shipley’s episode delivers a sobering survey of the cybersecurity landscape for businesses and IT leaders: ransomware crews are leveling up their discipline, Exchange Server remains a top target with a new zero-day, insider threats can slip through small procedural cracks, and major vendors like Fortinet keep struggling with critical vulnerabilities. The host closes with calls to patch rapidly, coordinate HR and IT on terminations, and to rethink how we classify cyber threats in an era where sophistication is no longer limited to governments.