A
Cybersecurity Today. We'd like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity and data threats inside Google Workspace and Microsoft 365. You can contact them at Material Security.
B
QR code phishing surges. New urgent patch out for Apache HTTP Server. Pro-Iran crew shakes down Ubuntu's maintainer. Taiwanese student wirelessly triggers the brakes on high-speed trains. CISA tells critical infrastructure: prepare to disconnect. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started.

Microsoft Threat Intelligence published its Q1 phishing report last week. The headline number: 8.3 billion email-based phishing attacks between January and March alone. But the more interesting data is in the trend lines, and one in particular deserves more attention than it's been getting: QR code phishing. In January, Microsoft saw 7.6 million phishing attacks using QR codes. By March that was 18.7 million, a 146% jump in three months, according to Cybersecurity Dive. That makes QR code phishing the fastest growing attack vector of the quarter.

This matters because there's been a current of opinion in some corners of the cybersecurity community that QR codes as a threat are overhyped. They call it hacker lore: it's a neat trick, but it's not a real threat at scale because you can't get infected from it, it's just social engineering. That position is becoming harder to defend.

The QR code phishing technique works because corporate defenses are built for text. When a phishing email lands at a managed workstation, it runs a gauntlet: email security gateways, URL rewriting, EDR, web proxies. The defenders have decades of practice at scanning text-based links and flagging the ones that lead somewhere bad. And even then, stuff still gets through. A QR code skips the entire gauntlet. The malicious URL is embedded inside an image. Text-based scanners can't read it, and the moment a user pulls out their phone to scan it, they leave, in many cases, the corporate-controlled environment entirely. Most phones are unmanaged: no proxy, no URL rewrite, no EDR. The user is alone with the attacker. That's what 18.7 million attacks in a single month now look like.
The Microsoft report has a few other findings worth flagging. CAPTCHA-gated phishing pages, fake security challenges designed to filter out automated scanners and only let real humans through to a malicious site, also hit a record high in March. The phishing-as-a-service platform Tycoon2FA, which used to dominate that space, has been knocked back hard by a coordinated takedown effort. At the end of 2025, three quarters of CAPTCHA-gated phishing pages ran on Tycoon2FA. By March it was 41%. That is a real win, but the overall volume is still climbing, which means the technique itself is now being adopted across the broader phishing ecosystem. Platforms come and go. The attack patterns, when they work, grow and persist.

And the goal of all this, almost without exception, is the same. Microsoft says 94% of email phishing in March was aimed at stealing login credentials. Not delivering malware, not delivering ransomware payloads, just trying to capture those usernames and passwords, the keys that unlock everything else. So if you run a security awareness program, this is a good moment. Make sure you're training people to be wary of QR codes and suspicious links. Same skepticism: verify the source before you scan. And if you lead an organization that hasn't built QR codes into its phishing training yet, this is the data that says it's time to start. QR codes as hacker lore? No, never was. QR code phishes are a real threat, and they're hacker fact.

Apache HTTP Server users have a new urgent patch to apply. The Apache Software Foundation released fixes yesterday for CVE-2026-23918, a double-free vulnerability in the HTTP/2 protocol handling that scores an 8.8 on the CVSS scale. There are two outcomes here. The first is a denial of service attack that's almost embarrassingly easy to trigger. According to The Hacker News: one TCP connection, two HTTP/2 frames, no authentication required, and a worker process crashes.
Apache respawns it, but every request on the dead worker is dropped and the attacker can keep the pattern going indefinitely. The second is far more serious: remote code execution. The researchers who found these bugs built a working proof of concept on x86-64 architecture. The RCE path requires the Apache Portable Runtime with the mmap allocator, and here's the part that matters: that allocator is the default on Debian-derived systems and the official httpd Docker image. If you're running Apache HTTP Server version 2.4.66 with mod_http2 enabled, and given how widely HTTP/2 is turned on in production deployments, that's a lot of you. The fix is in version 2.4.67. MPM prefork is not affected. Everything else with HTTP/2 enabled: patch fast. The DDoS is trivial enough that opportunistic attackers will start using it within days, even if the RCE chain stays in the lab for a little while longer.

Canonical, the London-based company that develops and supports Ubuntu Linux, has been under sustained DDoS attack since Thursday evening. The main Ubuntu website has been down for stretches, along with a number of subdomains. Users haven't been able to download distributions through the usual channels or log into their Canonical accounts. Some services, like the archive and Discourse pages, have stayed up. The attack is, at the time of recording, ongoing. According to The Register, the group claiming responsibility is the Islamic Cyber Resistance in Iraq, also known as the 313 Team. They're a pro-Iran hacktivist crew, and they're not subtle about their moves. After taking the Canonical site down, they followed up on Telegram with a direct message to the company: there's a simple way out, we've emailed you a session contact ID, and if you don't respond, the attack continues. That's not hacktivism anymore, that's just plain old extortion. The Register flags the same group as having hit eBay Japan, eBay US and Bluesky in the past month alone.
Now here's where the timing gets a little uncomfortable. Earlier this week we covered the addition of CVE-2026-31431, also known as Linux Copy Fail, to CISA's Known Exploited Vulnerabilities catalog. It's a nine-year-old Linux kernel privilege escalation flaw that lets an unprivileged user walk out with root access on essentially every major Linux distribution shipped since 2017. Containerized environments are especially exposed. Active exploitation is underway. Federal civilian agencies in the US have been told to patch by May 15. The Register is also reporting that researcher proof-of-concept code is being weaponized in the wild as we speak.

The patch path for Ubuntu users runs through Canonical's infrastructure, and Canonical's infrastructure has been intermittently unreachable for the better part of five days. The good news? It's not a catastrophic outage. APT mirror networks are distributed, and most operational patching pipelines won't depend on the main Ubuntu website. But for administrators working from documentation, looking up advisories or managing Canonical accounts, the timing is rough. A lesson in all this is this: the supply chain that delivers your patches is itself often now a target. When you plan your incident response, plan for the day the patch you need is on the other side of an attack you didn't see coming.

A 23-year-old university student in Taiwan brought four high-speed trains to a halt for 48 minutes by buying radio gear online and broadcasting a fake emergency signal. The incident happened on April 5. The student, identified in local press by his surname, Lynn, was arrested on April 28. According to Bleeping Computer, Lynn used software-defined radio equipment he ordered online to intercept and decode the radio parameters used by Taiwan High Speed Rail's TETRA communication system.
He then programmed those parameters into handheld radios, configured one to broadcast a high-priority general alarm signal, and triggered emergency braking on four trains in motion. For scale, Taiwan High Speed Rail runs a single 350-kilometer line down the country's western coast. Trains move at up to 300 kilometers an hour. The service carries roughly 82 million passengers a year and is partly state supported.

Here's the detail that should stop every OT operator listening in their tracks. The TETRA system had been in service on this rail line for 19 years. Its parameters had never been rotated in that time. Static credentials in a critical infrastructure radio system across, again, 19 straight years. Authorities say that static design is what allowed Lynn to bypass what they describe as seven verification layers. None of those layers mattered, because the secret they were verifying against had never changed. Lynn had an alleged accomplice, a 21-year-old who reportedly supplied some of the critical THSR parameters. Police seized 11 handheld radios, the SDR and a laptop from his residence. He's now facing up to 10 years in prison under Taiwan's Article 184. He's currently out on bail of about US$3,300. His lawyer's defense is that the emergency signal transmission was accidental. Authorities have, in the polite phrasing of the report, found that allegation unconvincing.

The bigger picture beyond Taiwan is that TETRA isn't a one-country standard. It's used by police forces, transit systems, utilities and emergency services across Europe, Asia and parts of the Americas. The Taiwan incident is a real-world demonstration of what happens when an OT radio standard gets specified once, deployed once and then left alone for a generation. The technology was secure when it shipped. The deployment got insecure as time passed and the secrets stayed the same.
CISA on Tuesday released new guidance for critical infrastructure operators, urging them to prepare for the day a major cyber attack disconnects them from the world. The new initiative is called CI Fortify. It's international, modeled on Australian government guidance published last year, and aimed at a specific scenario: not a ransomware incident, not a vendor outage, but a geopolitical crisis where operators of water systems, power grids and pipelines need to keep delivering essential services while their digital surroundings turn actively hostile. The trigger isn't theoretical. According to Cybersecurity Dive, Western intelligence agencies have been warning that Beijing may sabotage critical infrastructure in the United States and allied countries to keep them from interfering with a potential invasion of Taiwan. The Volt Typhoon campaign, Chinese state-aligned activity caught pre-positioning inside US critical infrastructure, is the loudest signal that the groundwork has already been laid for such an attack.

CI Fortify asks operators to do two things. The first is isolation. Identify your critical customers; CISA specifically names nearby military bases as an example. Define what services you need to keep delivering to them. Identify the operational technology assets required. Build the continuity plans that let you operate off the network for weeks to months. The second is recovery. Document how your systems actually run, not how the manual says they run. Back up critical files. And the line that matters the most: practice replacing systems or transitioning to manual operations in case isolation fails and components get destroyed. The framing line to take away from this guidance is direct. Operators should assume, in a conflict scenario, that third-party connections (telecoms, Internet vendors, service providers, upstream dependencies) will be unreliable and that threat actors will already have some access to the operational technology network.
For Canadian listeners, this is not just an American story. Canada's critical infrastructure operates in the exact same threat environment, with many of the same vendor dependencies and many of the same Chinese state-aligned actors in the same digital neighborhoods. CI Fortify is also a useful template wherever you operate. It's worth also noting that Canada still has not passed a basic critical cyber infrastructure law and is the last G7 country to get one on the books.

And that's a fitting close for today's episode. Earlier, we talked about a single university student in Taiwan who halted four high-speed trains by exploiting parameters that hadn't been rotated in 19 years. CI Fortify is the institutional answer to a deeper version of that exact same question: what happens when your adversary isn't a curious kid who bought online radio gear, but a nation state with years of preparation, an active geopolitical motive, and a foothold already in place? The answer this guidance offers is preparation, isolation, recovery, practice. Now, while there's still time.

That's Cybersecurity Today for Wednesday, May 6, 2026. If you've been keeping track, I've now reported recently on cybersecurity stories on cars and now on trains. And if you're thinking, is he trying to complete the set by finding an aircraft cyber story so he can say hacks on planes, trains and automobiles, you'd be 100% correct. And I wouldn't be fulfilling my role as Cybersecurity Today's resident culture critic, or my Canadian duty, without recommending you watch that movie. It'll help stave off the cyber disaster despair you may have felt after our last two stories. It's one of John Candy's best. Also, if you're thinking I probably enjoyed that QR code story a little too much, you'd also be correct. We appreciate all of your feedback. Feel free to leave a comment under the YouTube video or to drop by technewsday.com or .ca and send us a note.
Thank you to everyone who has left a rating or review on their favorite podcast platform. It really helps us reach more people and it makes our day. Jim Love will be back on the news desk on Friday. I'll be back on Monday with the latest headlines. Stay safe.
A
Here's a question worth asking. What happens after a phishing email slips past your filters? Most email security tools only guard the front door, but attackers are already inside. Material Security is different. It's a unified detection and response platform, purpose-built for Google Workspace and Microsoft 365, protecting email, files and accounts all in one place. We're talking automated phishing remediation, account takeover containment and sensitive data protection, without alert fatigue. Find out why companies like Figma, Reddit and Lyft trust Material to stop the threats other tools miss. See workspace security in action at Material Security. That's Material Security. And if you do contact them, take a second and say thanks for sponsoring Cybersecurity Today.
Episode Title: QR Phishing Explodes, Ubuntu Under Attack, CISA Warns Critical Infrastructure Prepare for Isolation
Host: David Shipley (guest hosting)
Release Date: May 6, 2026
Main Theme:
This episode dives into the explosive rise of QR code phishing, critical vulnerabilities affecting widely used software, targeted attacks on open-source infrastructure, and new government guidance aimed at protecting critical infrastructure from cyber-enabled isolation during geopolitical crises.
This episode provides a timely and in-depth exploration of evolving cybersecurity threats, including the explosion of QR code-based phishing (and why organizations must update their awareness and technical controls), the newly disclosed Apache vulnerability with widespread impact, the real-world disruption of Ubuntu’s infrastructure by hacktivists turned extortionists, and a cautionary tale from Taiwan on the dangers of static credentials in critical systems. Finally, it underscores new CISA guidance for operating offline during a major cyber event—a playbook everyone in critical infrastructure should review. The tone is expert, direct, and leavened with a dash of humor—making sobering insights memorable and actionable.
For those seeking further details on practical protective measures discussed in this episode, or more on legal and regional contexts, revisit segments at the timestamps noted above.