Episode show notes: May 20's Top Cyber News NOW! - Ep 1136 (May 20, 2026)
At a glance
Microsoft disrupted a major malware signing-as-a-service operation, Drupal and Universal Robots both shipped critical patches, and a CISA admin's credential leak exposed the dangers of plain-text secrets in public repos. The episode covered defense-in-depth lessons, living-off-the-land binary abuse, and the persistent risk of legacy Windows tools in active attacks.
Stories covered
How did Microsoft disrupt the Fox Tempest malware signing service?
What happened: Microsoft took down Fox Tempest, a malware code-signing service operating since May 2025 that sold short-lived certificates to ransomware groups including Rhysida, INC, Qilin, and Akira. The operation seized the service's website, took hundreds of VMs offline, and revoked over 10,000 certificates.
Why it matters: Code-signed malware bypasses Windows security controls that trust signed binaries. Threat actors paid thousands of dollars a month for the service. The takedown was confirmed when cybercriminals complained that the service was unavailable.
What to do: Monitor your EDR and code-signing infrastructure for suspicious certificate activity. This is a good reminder that Microsoft's threat intelligence capabilities, powered by Azure and Defender telemetry, make it an effective disruptor even without law enforcement involvement.
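The "suspicious certificate activity" to look for is what the Fox Tempest story describes: certificates that live for days rather than years, a signer that keeps rotating through fresh certificates, and serials that later show up on a revocation list. The following Python is an added example written for these notes, not code from the episode or from Microsoft. It triages a constructed export of code-signing telemetry (the kind an EDR or a script wrapping Get-AuthenticodeSignature could produce); every subject, serial, path, timestamp and the revocation list are made up, and the 14-day and 30-day thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of code-signing telemetry. Every subject, serial, path and
# timestamp is invented for this example.
SAMPLE_SIGNATURES = [
    {"path": r"C:\Users\alice\Downloads\invoice_viewer.exe",
     "subject": "CN=Example Tools LLC", "serial": "01A3",
     "not_before": "2026-05-10T00:00:00Z", "not_after": "2026-05-13T00:00:00Z",
     "signed_at": "2026-05-11T09:12:00Z"},
    {"path": r"C:\Program Files\Vendor\app.exe",
     "subject": "CN=Vendor Inc", "serial": "77B2",
     "not_before": "2025-01-01T00:00:00Z", "not_after": "2027-01-01T00:00:00Z",
     "signed_at": "2025-06-01T00:00:00Z"},
    {"path": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "subject": "CN=Example Tools LLC", "serial": "01A4",
     "not_before": "2026-04-20T00:00:00Z", "not_after": "2027-04-20T00:00:00Z",
     "signed_at": "2026-04-21T08:00:00Z"},
]

# Constructed revocation list (certificate serials). In production this comes from
# the issuing CA's CRL/OCSP responses or a vendor revocation feed.
REVOKED_SERIALS = {"01A4"}

# Thresholds are assumptions for this example, not values from the episode.
MAX_SHORT_LIVED_DAYS = 14   # legitimate code-signing certs normally live for years
CHURN_WINDOW_DAYS = 30      # several certs for one subject inside this window is unusual


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_signature(rec, revoked=REVOKED_SERIALS, max_days=MAX_SHORT_LIVED_DAYS):
    """Reasons one signed binary deserves a closer look; an empty list means nothing odd."""
    not_before, not_after = parse_ts(rec["not_before"]), parse_ts(rec["not_after"])
    signed_at = parse_ts(rec["signed_at"])
    reasons = []
    validity = not_after - not_before
    if validity <= timedelta(days=max_days):
        reasons.append(f"short-lived cert ({validity.days} days)")
    if rec["serial"] in revoked:
        reasons.append("serial in revocation feed")
    if not (not_before <= signed_at <= not_after):
        reasons.append("signature time outside cert validity")
    return reasons


def cert_churn(records, window_days=CHURN_WINDOW_DAYS):
    """Subjects that used two or more certs whose not_before dates all fall within window_days."""
    issued = defaultdict(dict)   # subject -> {serial: not_before}
    for rec in records:
        issued[rec["subject"]][rec["serial"]] = parse_ts(rec["not_before"])
    churn = {}
    for subject, serials in issued.items():
        ordered = sorted(serials, key=serials.get)   # oldest cert first
        if len(ordered) >= 2 and serials[ordered[-1]] - serials[ordered[0]] <= timedelta(days=window_days):
            churn[subject] = ordered
    return churn


def triage_all(records):
    """Map each flagged path to its reasons; cert churn for the signer is added as a reason too."""
    churn = cert_churn(records)
    report = {}
    for rec in records:
        reasons = triage_signature(rec)
        if rec["subject"] in churn:
            reasons.append(f"subject rotated through {len(churn[rec['subject']])} certs in {CHURN_WINDOW_DAYS} days")
        if reasons:
            report[rec["path"]] = reasons
    return report


if __name__ == "__main__":
    for path, reasons in triage_all(SAMPLE_SIGNATURES).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Signature validity alone is a weak signal (some vendors do use short-lived certificates), which is why the report combines it with revocation status and per-signer churn before anything is escalated.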
What's the critical vulnerability in Universal Robots PolyScope 5?
What happened: Universal Robots released a patch for a command injection flaw in PolyScope 5 that allows unauthenticated remote code execution on robot controllers if the dashboard is reachable over the network.
Why it matters: The impact is severe: arbitrary code execution on manufacturing control systems. The likelihood is lower than the headlines suggest: industrial networks are typically segmented, dashboards are rarely internet-facing, and affected organizations usually have dedicated manufacturing IT staff.
What to do: Verify whether you run PolyScope 5 in your environment. If so, locate the dashboard interface and confirm it is not internet-routable. Patch after validation. Apply the risk calculation: likelihood + impact.
How did a CISA admin expose AWS GovCloud credentials in plain text?
What happened: A GitHub repository named "private_CISA" was left public, containing AWS GovCloud keys, tokens, and passwords in plain-text CSV files. The admin had disabled GitHub's default secret-blocking feature. GitGuardian notified the owner; the credentials remained valid for more than 48 hours after disclosure.
Why it matters: A defense-in-depth failure. Plaintext secrets + disabled security controls + public repo = complete credential compromise. The leak was so egregious that researchers initially thought it was fake.
What to do: Rotate all exposed credentials immediately; they are burned. Document the incident in the admin's personnel file. Enforce three rules: (1) never store credentials in plaintext, (2) enable secret scanning in GitHub/GitLab by default, (3) use credential management tools (vaults, secrets managers). Train your IT staff on the tools they are responsible for.
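Rule (2) above is the control that was switched off in this story, and the point is that it is cheap to run even without the platform's built-in scanner. The Python below is an added example written for these notes, not GitGuardian's or GitHub's code: it scans a constructed snapshot of a repository for the three things that leak in plain-text CSVs (AWS key shapes, sensitive column names holding literal values, and high-entropy tokens) while treating vault references as safe. The AWS access key ID format is AWS-documented; the 40-character secret shape, the `vault:`/`${`/`arn:aws:secretsmanager:` reference prefixes, and the entropy thresholds are assumptions. The sample secret is AWS's own documentation example, and every other value is made up.

```python
import csv
import io
import math
import re
from collections import Counter

# Credential shapes worth flagging. The AWS access key ID format (AKIA/ASIA plus
# 16 uppercase alphanumerics) is documented by AWS; the 40-character secret key
# shape is a heuristic and will also match other base64-like strings.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
}
# Column names that should only ever hold references, never literal secrets.
SENSITIVE_COLUMN_WORDS = ("password", "passwd", "secret", "token", "private_key")
# Values that point at a vault or secrets manager instead of embedding the secret (assumed conventions).
REFERENCE_PREFIXES = ("vault:", "${", "arn:aws:secretsmanager:")
MIN_ENTROPY_LEN, ENTROPY_THRESHOLD = 20, 3.5   # assumptions for this example

# Constructed repository snapshot {path: contents}. Nothing here is a live credential;
# the 40-character secret is the AWS documentation example.
SAMPLE_FILES = {
    "creds/govcloud_accounts.csv": (
        "account,aws_access_key_id,aws_secret_access_key,console_password,notes\n"
        "govcloud-prod,AKIAEXAMPLE000000001,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY,Summer2026!,rotate quarterly\n"
        "govcloud-dev,vault:kv/aws/dev#access_key,vault:kv/aws/dev#secret,vault:kv/aws/dev#password,managed in vault\n"
        "legacy-svc,,,,x7Qp9LmT2vR4sW8zK1nB6yH3\n"
    ),
    "deploy/config.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000002\nREGION=us-gov-west-1\n",
    "README.md": "Credentials are stored in the team vault, never in this repository.\n",
}


def shannon_entropy(s):
    """Bits per character; random-looking tokens score high, words and dates score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Never echo a secret into a finding; keep just enough to locate it."""
    return f"{value[:4]}...[{len(value)} chars]"


def classify_cell(header, value):
    """Return the finding kind for one CSV cell, or None when the cell looks safe."""
    v = (value or "").strip()
    if not v or v.startswith(REFERENCE_PREFIXES):
        return None                      # empty, or a reference into a vault: fine
    for kind, rx in PATTERNS.items():
        if rx.search(v):
            return kind                  # known credential shape, whatever the column is called
    if any(word in (header or "").lower() for word in SENSITIVE_COLUMN_WORDS):
        return "sensitive_column"        # literal value sitting in a password/secret/token column
    if len(v) >= MIN_ENTROPY_LEN and " " not in v and shannon_entropy(v) >= ENTROPY_THRESHOLD:
        return "high_entropy"            # random-looking token in an innocuous column
    return None


def scan_csv(text):
    """Findings as (line, column, kind, redacted) tuples; line 1 is the header row."""
    findings = []
    for line_num, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        for header, value in row.items():
            kind = classify_cell(header, value)
            if kind:
                findings.append((line_num, header, kind, redact(value.strip())))
    return findings


def scan_text(text):
    """Regex-only scan for non-CSV files (env files, source, notes)."""
    findings = []
    for line_num, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append((line_num, "-", kind, redact(m.group(0))))
    return findings


def scan_files(files):
    """Map path -> findings for every file in a {path: contents} snapshot with at least one hit."""
    report = {}
    for path, contents in files.items():
        hits = scan_csv(contents) if path.lower().endswith(".csv") else scan_text(contents)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for line, column, kind, shown in hits:
            print(f"{path}:{line} [{column}] {kind}: {shown}")
```

Run as a pre-commit hook or a CI job, this kind of check fails the push before the file ever reaches a public remote; the findings deliberately carry a redacted value so the scanner's own output does not become a second copy of the leak.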
What urgent patch did Drupal release on May 20?
What happened: The Drupal security team released an urgent patch for Drupal Core addressing an unauthenticated, low-complexity vulnerability that exposes non-public data. The patch covers all versions, including the out-of-support 8.9 and 9.5 branches.
Why it matters: Drupal holds only 1% of global CMS market share but dominates the top 10,000 most-visited websites. If you work at an enterprise with high-traffic web properties, you likely run it.
What to do: Patch immediately if you run Drupal. Reserve maintenance windows for coordinated updates: Drupal recommends the first Saturday of each month, 3–6 a.m. ET, or the second Sunday.
Why are Microsoft HTML Application (MSHTA) files becoming a malware delivery vector?
What happened: MSHTA, a Windows binary dating from 1999 (Internet Explorer 5.0), is being weaponized to execute VBScript in memory, evading detection. Bitdefender documented abuse delivering Lumma, Amatera, ClipBanker, and Purple Fox malware, paired with phishing campaigns. Windows 11 retains support for it via Edge's IE mode.
Why it matters: Living-off-the-land binary (LOLBin) attacks use legitimate Windows tools to bypass application controls and EDR detection. MSHTA is one of hundreds of pre-installed binaries available for abuse.
What to do: Block MSHTA execution via application allow-listing or GPO where possible. Educate users: 90% of LOLBin attacks succeed through social engineering (convincing users to run commands in PowerShell or to download cracked software). Disable IE mode if it is not required.
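Where MSHTA cannot be blocked outright (some vendor consoles still ship as .hta files), the fallback is to alert on the launches that look like the phishing-driven abuse Bitdefender described rather than on every mshta.exe start. The Python below is an added example written for these notes, not Bitdefender's or Microsoft's detection logic. It scores constructed process-creation events shaped like Sysmon Event ID 1 / Windows 4688 records: hosts, users, paths and URLs are invented, the inline-script argument is a placeholder, and the parent-process list and the indicator weights are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 / 4688 style). All values invented.
SAMPLE_EVENTS = [
    {"ts": "2026-05-20T13:01:07Z", "host": "WS-0142", "user": "corp\\alice",
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "mshta.exe https://cdn.example.invalid/update.hta"},
    {"ts": "2026-05-20T13:04:22Z", "host": "WS-0142", "user": "corp\\alice",
     "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Users\alice\Downloads\invoice.hta"},
    {"ts": "2026-05-20T13:10:45Z", "host": "SRV-PRINT1", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Program Files\VendorTool\agent.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\VendorTool\ui\console.hta"'},
    {"ts": "2026-05-20T13:12:03Z", "host": "WS-0200", "user": "corp\\bob",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"ts": "2026-05-20T13:15:31Z", "host": "WS-0200", "user": "corp\\bob",
     "image": r"C:\Windows\SysWOW64\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": 'mshta.exe "vbscript:CONSTRUCTED_INLINE_SCRIPT_PLACEHOLDER"'},
    {"ts": "2026-05-20T13:20:00Z", "host": "WS-0200", "user": "corp\\bob",
     "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Users\bob\AppData\Local\Temp\photo.jpg"},
]

# Parents that should almost never spawn mshta.exe in a managed fleet (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "chrome.exe", "msedge.exe", "firefox.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:Downloads|AppData|Desktop|Documents)|Windows\\Temp|ProgramData)\\", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
INLINE_SCRIPT = re.compile(r"\b(?:vbscript|javascript):", re.I)
WIN_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')


def basename(path):
    return PureWindowsPath(path).name.lower()


def argument_paths(cmdline):
    """Local file paths passed as arguments, excluding the mshta.exe image path itself."""
    paths = [quoted or bare for quoted, bare in WIN_PATH.findall(cmdline)]
    return [p for p in paths if basename(p) != "mshta.exe"]


def mshta_indicators(event):
    """(name, weight) pairs for each abuse indicator present on an mshta.exe launch."""
    cmd = event["cmdline"]
    found = []
    if REMOTE_URL.search(cmd):
        found.append(("remote_hta", 3))               # HTA fetched from the network
    if INLINE_SCRIPT.search(cmd):
        found.append(("inline_script_protocol", 3))   # script on the command line, nothing on disk
    if basename(event["parent_image"]) in SUSPICIOUS_PARENTS:
        found.append(("suspicious_parent", 2))        # launched from mail, Office or a browser
    if USER_WRITABLE.search(cmd):
        found.append(("user_writable_path", 1))       # HTA lives where a phished user can drop it
    if any(not p.lower().endswith(".hta") for p in argument_paths(cmd)):
        found.append(("non_hta_argument", 2))         # mshta runs HTML/script regardless of extension
    return found


def severity(score):
    return "high" if score >= 3 else "medium" if score >= 1 else "baseline"


def triage(events):
    """Score every mshta.exe launch; events for other images are ignored here."""
    results = []
    for e in events:
        if basename(e["image"]) != "mshta.exe":
            continue
        indicators = mshta_indicators(e)
        score = sum(weight for _, weight in indicators)
        results.append({"ts": e["ts"], "host": e["host"], "user": e["user"], "score": score,
                        "severity": severity(score), "indicators": [name for name, _ in indicators]})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['ts']} {r['host']:<10} {r['user']:<20} {r['severity']:<8} {', '.join(r['indicators']) or '-'}")
```

The vendor console on SRV-PRINT1 scores "baseline" and stays in the log as inventory for the allow-list, while the Word- and Outlook-spawned launches score "high" on two independent indicators each; in an environment that adopts the GPO block from the "What to do" above, the same scoring can be pointed at the block events to measure how often users are being talked into running these.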
What's the risk of Ethereum's formal verification approach to blockchain security?
What happened: Ethereum co-founder Vitalik Buterin proposed using AI-assisted formal verification (mathematical proofs) to secure blockchain networks against software flaws, while cautioning that it is not a panacea.
Why it matters: For practitioners: mathematical proofs verify that code matches its intended behavior, but threat actors exploit living-off-the-land binaries whose intended behavior already includes downloading and executing payloads. Proof validation ≠ malicious-intent detection. This story targets non-cyber audiences, and the cyber angle is being overlooked.
What to do: Monitor for now. AI-assisted security tools are already in use on both offense and defense; this is not novel. Focus on behavioral detection and sandboxing, not on formal proofs alone.
Are Windows update patches failing in restricted network environments?
What happened: Microsoft reported that customers in isolated, air-gapped, or restricted networks may experience Windows Update failures after installing the January 2026 optional non-security preview updates, due to changed download timeout requirements. A workaround via Group Policy or known-issue rollback is available.
Why it matters: Low impact. Four months after release (as of May 20), affected organizations already know about this. Patch failures highlight why unattended auto-patching is risky.
What to do: If affected, apply the Group Policy workaround or the known-issue rollback. Review your patch testing process: patches break, and validation windows matter more than speed.
Will Google's Code Mentor AI tool replace Anthropic Claude for code review?
What happened: Google announced Code Mentor, an AI agent similar to Anthropic's Mythos that debugs and fixes software vulnerabilities; it is currently available to select experts. Google is discussing audits with governments and enterprises before a broader rollout.
Why it matters: Specialized AI tools proliferate, but enterprise adoption favors consolidation. If you already pay Anthropic for code review, switching to Code Mentor requires new contracts, retraining, and lost institutional knowledge.
What to do: Monitor for now. Ask: does Code Mentor deliver meaningfully better results than your current AI tooling? If 80% as good, keep your existing contract. Fewer tools that do more reduce operational burden.
Key takeaways
- Defense-in-depth prevents cascading failures. The CISA credential leak succeeded because three controls failed: plaintext storage, disabled GitHub secret-scanning, and open repo visibility. One mitigating control (vault or secrets manager) would have contained the damage.
- Living-off-the-land binary abuse succeeds through social engineering. MSHTA, BITSAdmin, and other LOLBins are legitimate tools; threat actors weaponize them via phishing and social engineering. 90% of these attacks stop if users stop running untrusted commands.
- Likelihood + impact = risk. The PolyScope 5 RCE has severe impact but low likelihood. Know your network topology before panicking. Industrial control systems are typically segmented, and dashboards are rarely internet-routable.
- Patch testing must account for failure. January 2026 patches failed in restricted networks. Auto-patching is riskier than managed maintenance windows with validation. Vulnerability managers exist because patches break.
- Consolidation beats specialization for enterprises. Code Mentor, newer AI tools, and single-vendor stacks reduce complexity. Fewer contracts, unified training, retained institutional knowledge.
Topics covered
microsoft, malware signing, fox tempest, ransomware, universal robots, polyscope 5, command injection, cisa, aws credentials, github, secrets management, drupal, content management system, mshta, living-off-the-land binaries, lolbins, malware delivery, windows security, ethereum, formal verification, google code mentor, patch management, restricted networks, defense-in-depth
Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.