CISO Talk by James Azar
CyberHub Podcast
CISA Exposed GovCloud Admin Keys and Plaintext Passwords on Public GitHub Repo, Microsoft Disrupts Fox Tempest Malware, Verizon DBIR 2026 Released

Verizon DBIR: Vulnerabilities Now #1 Breach Vector | CISA Contractor Leaks Own Cloud Keys | Fox Tempest Malware Signing Takedown | ChromaDB Unpatched RCE | Gentleman Ransomware #2 Globally

Good Morning Security Gang,

James Azar here, host of the CyberHub Podcast and a CISO practitioner in the trenches. It’s Wednesday, May 20th, 2026, and today’s episode is one of the most important shows we’ve done all year, because the data finally confirms what many security teams have been experiencing for months now:
👉 The era of vulnerability-driven compromise has officially overtaken credential theft.

The Verizon DBIR dropped yesterday, and it wasn’t just another annual report—it was a warning flare for the entire industry. Pair that with an AI vector database sitting vulnerable with no patch, CISA leaking its own GovCloud keys to GitHub, North Korean phishing campaigns scaling at industrial levels, and ransomware groups evolving faster than most organizations can track, and the picture becomes painfully clear.

Double espresso in hand, let’s get into it.

🧭 Executive Summary

Today’s threat landscape demonstrates a major shift in how modern breaches occur. According to Verizon’s 2026 DBIR, vulnerability exploitation has officially overtaken credential theft as the leading initial access vector for the first time in the report’s history. Attackers are increasingly prioritizing edge devices, VPN appliances, exposed services, and unpatched infrastructure because those attack paths are faster, quieter, and often more scalable than phishing alone.

At the same time, AI infrastructure, software signing systems, government cloud environments, and telecom networks are all under pressure from increasingly organized and technically mature adversaries. The environment is no longer defined by isolated attacks—it is now shaped by continuous exploitation of operational trust across infrastructure, identity, automation, and supply chains simultaneously.

📰 Top Stories & Deep Dive Analysis

📊 Verizon 2026 DBIR – Vulnerabilities Become the #1 Breach Vector

The Verizon Data Breach Investigations Report officially confirmed what many practitioners have been seeing operationally for over a year:

"For the first time since Verizon started publishing this report, vulnerability exploitation has officially overtaken credential theft as the number one initial access vector. If your security program is still over-indexed on identity and MFA relative to patch management, the 2026 DBIR is the data you need to make the case for rebalancing. The irony is that vulnerabilities beating credentials means many organizations still have not solved the basics, even nineteen years after this report started." James Azar

The numbers are staggering:

  • Over 31,000 incidents analyzed

  • 22,000 confirmed breaches

  • 145 countries represented

  • 84 contributing organizations

Vulnerability exploitation now accounts for 22% of breach entry points, with edge devices and VPN infrastructure repeatedly identified as primary targets. Ivanti, Palo Alto, Fortinet, and Cisco appliances were all specifically highlighted in the report.

Even more concerning:

  • System intrusion patterns rose to 61% of breaches

  • Ransomware appeared in 44% of incidents

  • Third-party involvement doubled to 30%

  • AI-assisted phishing and malware appeared in nearly 15% of social engineering cases

The DBIR also dedicated an entire section to North Korean fake IT worker infiltration campaigns, showing just how operationally significant that threat has become.

The broader message from the report is brutally simple:
👉 Organizations still have not mastered the fundamentals.

🦊 Microsoft Dismantles “Fox Tempest” Malware Signing Operation

Microsoft’s Digital Crimes Unit dismantled a malware-signing-as-a-service operation known as “Fox Tempest,” which had been issuing fraudulent Microsoft-signed binaries to ransomware affiliates since at least May 2025.

The operation abused fraudulent Azure tenants to obtain short-lived Microsoft Artifact Signing certificates, which were then used to sign malware families including:

  • Lumma Stealer

  • Vidar

  • RansomHub affiliates

Over 1,000 signing certificates and hundreds of malicious virtual machines were revoked or seized.

This story matters because it completely undermines one of the most common assumptions in enterprise security:
👉 Signed software is not automatically trustworthy anymore.

Attackers are increasingly abusing legitimate signing ecosystems because many organizations still allow signed binaries to bypass deeper scrutiny inside EDR and application control environments.

🤖 ChromaDB “Chroma Toast” Vulnerability – No Patch Available

A critical pre-authentication remote code execution vulnerability dubbed “Chroma Toast” was disclosed in ChromaDB, one of the most widely used open-source vector databases powering AI infrastructure globally.

Affected organizations may include deployments tied to:

  • LangChain environments

  • AI copilots

  • Retrieval-augmented generation systems

  • Developer AI tooling stacks

The flaw allows unauthenticated attackers to:

  • Spawn remote shells

  • Read environment variables

  • Steal mounted secrets

  • Access API keys

And here’s the really uncomfortable part:
👉 There is currently no patch available.

With over 13 million monthly downloads and broad adoption across AI infrastructure, this is one of the largest unresolved AI platform exposures we’ve seen so far.

🏛️ CISA Contractor Leaks AWS GovCloud Credentials to GitHub

In one of the more embarrassing stories of the week, a contractor associated with CISA accidentally committed plaintext AWS GovCloud credentials into a public GitHub repository.

The exposed spreadsheet reportedly contained:

  • AWS access keys

  • Passwords

  • Internal cloud references

The leak was discovered by GitGuardian researchers and reported through Brian Krebs.
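The kind of check that catches a credentials spreadsheet before it reaches a public repository, as an added example (not code from the podcast, GitGuardian, GitLeaks or TruffleHog): it scans a CSV for the AWS access-key-ID shape, for 40-character high-entropy tokens in the shape of an AWS secret key, and for any non-empty value under a password/secret-style column header. The CSV is constructed; the key values are the documented AWS placeholder keys, not real credentials, and the column names and entropy threshold are assumptions.

```python
import csv
import io
import math
import re

# Constructed sample in the shape of a leaked "credentials spreadsheet".
# The key values are AWS documentation placeholders, not live credentials.
SAMPLE_CSV = """service,username,access_key_id,secret,notes
govcloud-ops,svc-deploy,AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY,prod account
wiki,jsmith,,Summer2026!,internal wiki login
build,ci-runner,,,rotated last quarter
"""

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs are 20 uppercase alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# AWS secret keys are 40 base64-alphabet characters; the entropy check below removes prose hits.
AWS_SECRET_KEY = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
# Column headers that should never carry a non-empty value in a committed file (assumed list).
SECRET_HEADERS = re.compile(r"pass(word)?|secret|token", re.IGNORECASE)
ENTROPY_THRESHOLD = 3.5  # bits per character; random 40-char secrets sit well above this


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; English text lands around 3, random keys above 4."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep only the edges of a value so findings can be logged without re-leaking it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_csv(text: str):
    """Return findings as (row_number, kind, column, redacted_value); row 1 is the header."""
    findings = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        for column, value in row.items():
            value = (value or "").strip()
            if not value:
                continue
            if AWS_ACCESS_KEY_ID.search(value):
                findings.append((row_no, "aws_access_key_id", column, redact(value)))
            elif AWS_SECRET_KEY.search(value) and shannon_entropy(value) > ENTROPY_THRESHOLD:
                findings.append((row_no, "aws_secret_access_key", column, redact(value)))
            elif SECRET_HEADERS.search(column):
                findings.append((row_no, "plaintext_value_in_secret_column", column, redact(value)))
    return findings


if __name__ == "__main__":
    for finding in scan_csv(SAMPLE_CSV):  # a pre-commit hook would exit non-zero if any are found
        print(*finding)
```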

This incident lands at a particularly sensitive moment for CISA, which has:

  • Operated without a confirmed director since early 2025

  • Lost roughly one-third of its workforce

  • Faced increasing operational strain amid political gridlock

The bigger issue here is not just the mistake—it’s what it represents:
👉 Even the organizations responsible for securing government infrastructure are struggling with basic operational hygiene under staffing and leadership pressure.

🇰🇵 North Korea’s Kimsuky Group Running Four Simultaneous Campaigns

Researchers documented four concurrent spear-phishing campaigns run by North Korea’s Kimsuky APT group, each targeting different industries simultaneously:

  • Corporate recruiters

  • Crypto communities

  • Defense officials

  • University admissions offices

The attacks leverage:

  • LNK payloads

  • JSC scripts

  • GitHub raw APIs

  • VS Code tunnels

  • Microsoft CDN infrastructure

The use of legitimate developer infrastructure is especially important because it bypasses traditional reputation-based filtering controls.

This is modern APT tradecraft:
👉 Blend malicious operations into trusted cloud services until defenders can no longer distinguish the difference operationally.
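One way to make that "blended into trusted services" pattern visible from proxy logs, as an added example (not code from the podcast or from the researchers who documented the campaigns): it parses web-proxy events, skips hosts where developer tooling is expected, and raises a high-severity alert when a non-developer host fetches a script-like file from the GitHub raw endpoint and then talks to VS Code tunnel infrastructure within a short window. The log lines are constructed; the log format, the developer-host list, the script extensions, and the tunnel domains (`*.devtunnels.ms`, `tunnels.api.visualstudio.com`) are assumptions to adjust to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not real traffic); the key=value layout is an assumption.
SAMPLE_LOG = """\
2026-05-19T08:12:01Z host=hr-laptop-14 user=recruiter1 dst=raw.githubusercontent.com uri=/acme-jobs/assets/main/resume_viewer.jsc
2026-05-19T08:12:09Z host=hr-laptop-14 user=recruiter1 dst=global.rel.tunnels.api.visualstudio.com uri=/api/v1/tunnels
2026-05-19T08:12:40Z host=hr-laptop-14 user=recruiter1 dst=abcd1234.devtunnels.ms uri=/
2026-05-19T09:30:00Z host=dev-box-03 user=devops2 dst=raw.githubusercontent.com uri=/pypa/pip/main/README.md
2026-05-19T09:31:00Z host=dev-box-03 user=devops2 dst=global.rel.tunnels.api.visualstudio.com uri=/api/v1/tunnels
2026-05-19T10:05:00Z host=fin-desk-07 user=acct3 dst=cdn.office.net uri=/update.cab
"""

DEVELOPER_HOSTS = {"dev-box-03"}  # assumption: hosts where tunnels are legitimately used
TUNNEL_DOMAINS = re.compile(r"(^|\.)(devtunnels\.ms|tunnels\.api\.visualstudio\.com)$")
RAW_GITHUB = "raw.githubusercontent.com"
SCRIPT_EXT = re.compile(r"\.(jsc|js|lnk|hta|ps1|vbs)$", re.IGNORECASE)  # assumed list
FIELD = re.compile(r"(\w+)=(\S+)")
WINDOW = timedelta(minutes=10)  # how close the fetch and the tunnel traffic must be


def parse(line: str) -> dict:
    """Split one log line into its fields and a datetime."""
    ts, rest = line.split(" ", 1)
    event = dict(FIELD.findall(rest))
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text: str):
    """Return (host, severity, reason) tuples, at most one per suspicious host."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse(line)
            per_host[event["host"]].append(event)
    alerts = []
    for host, events in per_host.items():
        if host in DEVELOPER_HOSTS:
            continue
        pulls = [e["ts"] for e in events if e["dst"] == RAW_GITHUB and SCRIPT_EXT.search(e["uri"])]
        tunnels = [e["ts"] for e in events if TUNNEL_DOMAINS.search(e["dst"])]
        # Correlate: script pulled from raw GitHub, then tunnel traffic shortly after.
        if pulls and tunnels and any(timedelta(0) <= t - p <= WINDOW for p in pulls for t in tunnels):
            alerts.append((host, "high", "script from raw GitHub followed by VS Code tunnel traffic"))
        elif tunnels:
            alerts.append((host, "medium", "VS Code tunnel traffic from a non-developer host"))
        elif pulls:
            alerts.append((host, "low", "script-like file fetched from raw GitHub"))
    return alerts
```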

💀 “Gentleman” Ransomware Group Emerges as Global Top Operator

A ransomware group many organizations likely haven’t heard of yet, “Gentleman,” has quietly become the second most active ransomware operator globally by attack volume.

The group has already been linked to:

  • 352 attacks

  • 70 countries

  • Multi-platform targeting across Windows, Linux, ESXi, NAS, and BSD environments

The operation appears tied to the broader Kaolin ransomware ecosystem and heavily targets:

  • ESXi hypervisors

  • Network-attached storage systems

  • Backup infrastructure

That targeting strategy is deliberate:
👉 Attack recovery systems first, then the rest of the environment becomes exponentially harder to restore.

📡 Huawei Router Vulnerability Caused National Telecom Outage

A denial-of-service vulnerability inside Huawei’s VRP operating system was confirmed as the cause of a nationwide telecom outage in Luxembourg last year.

The vulnerability allowed crafted packets to trigger router restart loops, effectively collapsing connectivity across portions of the country.

What makes this story remarkable is:

  • The issue was disclosed nearly 10 months ago

  • No public CVE exists

  • No confirmed patch exists either

This reinforces ongoing concerns around Huawei infrastructure transparency, patch governance, and operational trust. For organizations still running Huawei networking gear, this should be a serious wake-up call.

💸 FBI Reports $388 Million in Crypto ATM Fraud

The FBI disclosed that crypto ATM scams generated approximately $388 million in losses during 2025, representing a 58% increase year-over-year.

Victims over age 50 accounted for the majority of losses, with scammers commonly coercing victims into:

  • Depositing cash into crypto kiosks

  • Transferring funds to attacker-controlled wallets

  • Believing they were paying fines, taxes, or emergency support fees

Several states have already begun banning crypto kiosks entirely.

This is not just fraud anymore; it’s industrial-scale financial exploitation targeting vulnerable populations.

🤖 Critical Industrial Robot Vulnerability Threatens OT Networks

CVE-2026-8153 affects Universal Robots PolyScope 5 control software used extensively in manufacturing and logistics operations.

The flaw enables OS command injection against collaborative robots (“cobots”) often deployed inside flat OT environments.

That matters because these robots frequently sit directly adjacent to:

  • Modbus systems

  • Ethernet/IP infrastructure

  • PLC environments

  • Legacy industrial control systems

One compromised robot can quickly become a foothold into the broader operational technology environment.

📶 Major U.S. Telecom Providers Launch Private ISAC

AT&T, Verizon, T-Mobile, Comcast, and other major telecom providers announced the creation of a new private telecom ISAC independent from direct government control.

The move appears heavily influenced by lessons learned following the Salt Typhoon campaign and broader intelligence-sharing friction between industry and government.

Unlike the existing telecom ISAC historically operated through CISA oversight, this new model more closely resembles FS-ISAC and other industry-led sharing organizations.

The message is significant:
👉 Critical industries increasingly want intelligence-sharing autonomy without direct operational government control.

🎯 Key Takeaway

👉 The fundamentals are now the battlefield—and attackers are exploiting organizations faster than defenders are adapting operationally.

"You're never popular on draft day when you take a tackle or a defensive end or a center, he's not going to sell jerseys, but he is going to give your team and your quarterback a solid shot at being able to execute plays. You've got to do the fundamentals well, just like your offensive and defensive line do in football. Basics are the battle." James Azar

🛠️ Action Items for Security Leaders

  • 📊 Reevaluate vulnerability management prioritization using Verizon DBIR data

  • 🦊 Validate real-time certificate revocation checking in application control environments

  • 🤖 Restrict ChromaDB instances to internal trusted networks only

  • 🏛️ Run secret scanning tools like GitLeaks or TruffleHog across all repositories

  • 🇰🇵 Monitor GitHub Raw API and VS Code tunnel usage closely

  • 💀 Prioritize ESXi and NAS hardening against ransomware operators

  • 📡 Audit and phase out unsupported Huawei edge infrastructure where possible

  • 💸 Educate vulnerable populations about crypto ATM fraud scams

  • 🤖 Segment OT robot fleets from broader enterprise networks

  • 📶 Participate actively in industry ISAC intelligence-sharing communities


🧠 James Azar’s CISOs Take

What stood out to me today is how strongly the Verizon DBIR validates what practitioners have been feeling operationally for months. Vulnerabilities overtaking credential theft as the primary breach vector changes how organizations need to think about priorities. We’ve spent years heavily focused on identity, MFA, and phishing resistance—and those still matter—but attackers are increasingly bypassing all of that by simply exploiting unpatched infrastructure directly.

The second takeaway is how operational trust is breaking down everywhere at once. Signed malware, vulnerable AI infrastructure, leaked GovCloud credentials, telecom ISAC fragmentation, and Kimsuky abusing trusted developer platforms all point to the same reality: organizations can no longer assume that “trusted infrastructure” is actually trustworthy. Security programs moving forward have to continuously validate trust across every layer of the stack—not just once, but operationally every single day.

🔥 Stay Cyber Safe.
