FBI Warns of Kali365 phishing service targeting Microsoft 365 accounts
Article Link: https://www.bleepingcomputer.com/news/security/fbi-warns-of-kali365-phishing-service-targeting-microsoft-365-accounts/
- The FBI issued a warning about Kali365, a phishing-as-a-service (PhaaS) platform that targets Microsoft 365 and Entra accounts. The service abuses OAuth device-code authentication to steal access tokens and bypass multi-factor authentication (MFA) and is being widely distributed through Telegram channels to cybercriminal affiliates.
- Attackers trick victims into entering a legitimate login code tied to a malicious application. Once the victim completes authentication, the attackers receive OAuth access and refresh tokens that give them persistent access to Microsoft 365 and connected applications without additional MFA prompts.
- Device-code phishing is growing because it can be carried out more easily and quickly than traditional MFA phishing. Kali365 leverages AI to lower the barrier to entry by automating the creation of phishing lures, templates, and victim-tracking dashboards. This allows low-skill attackers to run more sophisticated campaigns.
- The stolen tokens allow attackers to impersonate users, access email and cloud services, steal data, and deploy ransomware. Initial access also allows the attacker to establish persistent access in the environment.
- Security researchers observed a sharp rise in device-code phishing activity beginning in early 2026, with platforms like Kali365, EvilTokens, and Tycoon2FA driving adoption. The FBI recommends restricting device-code authentication via Conditional Access policies, auditing device-code usage, and blocking authentication transfer between devices.
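For the "audit device-code usage" and Conditional Access recommendations above, an added Python example (not code from the article or the FBI advisory) that filters Graph-shaped sign-in records for successful device-code flows, flags users outside an allowlist, and previews a report-only block policy; the sample records, allowlist and app names are constructed.

```python
"""Audit Entra device-code sign-ins and preview a Conditional Access block.
Added example for the Kali365 item, not code from the article or the FBI advisory.
Assumes Microsoft Graph signIn-shaped records and a Graph conditionalAccessPolicy
body; sample records and allowlist are constructed (UPNs stand in for the object
IDs Graph expects in excludeUsers)."""
import json
from collections import Counter

# Constructed records: one ordinary OAuth sign-in, two successful device-code flows, one failed.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Authentication Broker",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 50199}},
    {"userPrincipalName": "ci-bot@example.com", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
])
# Accounts that legitimately use the device-code flow (e.g. headless hosts); constructed allowlist.
KNOWN_DEVICE_CODE_USERS = {"ci-bot@example.com"}

def device_code_signins(records_json):
    """Successful device-code sign-ins: only these actually yielded tokens."""
    return [r for r in json.loads(records_json)
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode") == 0]

def unexpected_device_code_users(records_json):
    """Successful device-code sign-ins per user, ignoring the allowlist."""
    counts = Counter(r["userPrincipalName"] for r in device_code_signins(records_json))
    return {u: n for u, n in counts.items() if u not in KNOWN_DEVICE_CODE_USERS}

def block_device_code_policy(report_only=True):
    """Block device code flow and authentication transfer for all but the allowlist."""
    return {
        "displayName": "Block device code flow and authentication transfer",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",  # preview first
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": sorted(KNOWN_DEVICE_CODE_USERS)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def would_be_blocked(record, policy):
    """Replay a past sign-in against the policy to see whether it would have been blocked."""
    flows = policy["conditions"]["authenticationFlows"]["transferMethods"].split(",")
    excluded = set(policy["conditions"]["users"].get("excludeUsers", []))
    return (record.get("authenticationProtocol") == "deviceCode"
            and "deviceCodeFlow" in flows and record["userPrincipalName"] not in excluded)
```

Running the replay over a tenant's real export shows which accounts and apps the block would affect before the policy is switched from report-only to enforced.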
ChatGPT Share Links Abused to Host Fake Outage Pages to Deliver Malware
Article Link: https://www.bleepingcomputer.com/news/security/chatgpt-share-links-abused-to-host-fake-outage-pages-to-deliver-malware/
- Researchers at Push Security uncovered a campaign they are calling “LLMShare”, in which threat actors abused ChatGPT’s sharing feature to host fake OpenAI outage pages on legitimate ChatGPT.com URLs to distribute malware.
- Attackers used malicious Google ads targeting users searching for ChatGPT. Victims were redirected to a ChatGPT page that displayed a fake outage notice claiming ChatGPT was temporarily unavailable and urging users to download a desktop application instead.
- Unlike traditional phishing attacks hosted on suspicious domains, the fake outage page was rendered directly through ChatGPT’s own content-sharing and HTML rendering features, making the malicious page appear more trustworthy because it was served from a legitimate OpenAI domain.
- Users who clicked the fake download button were redirected to a spoofed OpenAI download site that delivered malware. Researchers observed the Windows sample performing anti-virtual machine checks, while the malicious site also used cloaking techniques to hide its payloads.
- The campaign highlights how attackers are increasingly abusing trusted AI platform features, including ChatGPT and Claude sharing tools, to distribute malware and phishing lures. The use of legitimate AI-hosted URLs makes these attacks harder for users and security tools to detect and block.
Mississippi Governor Launches Statewide AI Education ‘Framework’
Article Link: https://statescoop.com/mississippi-statewide-ai-framework-education/
- Mississippi Governor Tate Reeves announced the Mississippi Statewide AI Framework, a statewide roadmap designed to help learners from K-12 students to working professionals build AI skills aligned with future workforce needs.
- The framework was created by Mississippi’s AI Workforce Readiness Council, AccelerateMS, and the Mississippi Artificial Intelligence Network (MAIN). It provides a flexible guide schools and workforce programs can adapt to local industry demands and evolving AI technologies.
- The framework focuses on 11 core AI skill domains, including foundational AI literacy, ethical reasoning, cybersecurity awareness, and practical AI applications. The inclusion of cybersecurity highlights growing recognition that AI adoption must be paired with secure and responsible use practices.
- The initiative reflects a wider national trend of states investing in AI readiness to stay competitive economically while preparing students and workers for AI-driven changes across both public and private sectors.
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
Article Link: https://thehackernews.com/2026/05/threat-actors-exploit-critical.html
- Threat actors exploited a critical Fortinet EMS vulnerability, CVE-2026-35616, to compromise vulnerable FortiClient Endpoint Management Server (EMS) deployments and distribute credential-stealing malware disguised as a legitimate Fortinet update.
- Attackers abused the EMS management infrastructure itself after bypassing authentication and gaining privileged access. They modified EMS configurations and endpoint policies to push malicious PowerShell scripts across managed devices, making the activity appear like normal administrative operations.
- The campaign used the legitimate FortiClient component fortitray.exe to execute a malicious .cmd script, which launched a Base64-encoded PowerShell payload. That script downloaded and executed a fake update file named FortiEndpoint_Patch.exe and exfiltrated stolen data to attacker infrastructure.
- The malware harvested browser-stored credentials, session cookies, autofill data, credit card details, addresses, and phone numbers from Chromium- and Gecko-based browsers. Stolen session cookies could enable follow-on access to cloud services and internal applications, potentially bypassing MFA protections through session reuse.
- By compromising centralized endpoint management infrastructure, attackers gained the ability to execute malicious code across every EMS-managed endpoint without needing separate device-level intrusions. Organizations running unpatched EMS versions faced large-scale enterprise-wide exposure until upgrading to FortiClient EMS 7.4.7 or later.
Carnival Data Breach Exposed 6 Million People
Article Link: https://www.securityweek.com/carnival-data-breach-exposed-6-million-people/
- Carnival Corporation disclosed a data breach affecting nearly 6 million individuals after attackers gained unauthorized access to company systems and stole sensitive personal information.
- Attackers reportedly used social engineering tactics to compromise an employee account, which then provided access to internal systems and files containing customer and loyalty program data. The breach was later claimed by the extortion group ShinyHunters.
- Stolen information varied by individual but included names, addresses, dates of birth, email addresses, phone numbers, government-issued ID numbers, and loyalty program details. Data linked to approximately 7.5 million Mariner Society accounts may also have been included in the leaked dataset.
- The attackers allegedly published the stolen data online in late April, increasing the risk of identity theft, phishing, fraud, and account takeover attacks. Carnival is offering affected individuals 24 months of free credit monitoring services.
- The incident highlights how social engineering remains a highly effective entry point into enterprise environments, especially when combined with weak identity protections. It also adds to a growing history of cybersecurity incidents affecting Carnival since 2019, underscoring ongoing security and resilience challenges within the organization.
Malicious Sites Track Users Through SSD Timing Side-Channel Attacks
Article Link: https://cyberpress.org/sites-ssd-timing-side-channel-attacks/
- Researchers from Graz University of Technology discovered a new tracking technique called FROST that allows malicious websites to monitor user activity by exploiting SSD timing patterns through JavaScript.
- FROST abuses the browser’s Origin Private File System (OPFS) API to create large local files and continuously perform disk reads that force real SSD access. By measuring delays in those reads, a malicious site can detect when users open other websites or applications.
- Unlike previous SSD side-channel attacks that depend on privileged system interfaces, FROST operates entirely inside the browser. The technique also works cross-browser and can monitor activity occurring in entirely separate applications sharing the same SSD.
- This creates a stealthy surveillance vector capable of tracking browsing habits and application usage from a malicious webpage.
- Without mitigations such as limiting OPFS storage, restricting high-resolution timers, or requiring permissions, users on macOS and Linux may remain vulnerable to storage-based fingerprinting attacks.
CrowdStrike Disrupts Glassworm Botnet That Preyed on Open-Source Supply Chain
Article Link: https://cyberscoop.com/crowdstrike-glassworm-botnet-takedown/
- CrowdStrike, with help from Google and Shadowserver Foundation, disrupted the Glassworm botnet, a large malware operation that had been infecting open-source software projects since early 2025.
- The threat group targeted software developers and compromised trusted tools such as GitHub repositories, VSCode extensions, npm packages, and Python packages. By inserting malware into legitimate software components, attackers could spread infections downstream to developers and organizations that unknowingly downloaded the compromised code.
- Glassworm relied on several different systems to stay hidden and keep running, including the Solana blockchain, BitTorrent, Google Calendar, and cloud servers. Researchers said the attack was largely automated and built to spread quickly through trusted software development tools and processes.
- The malware targeted Windows, macOS, and Linux systems and was capable of stealing credentials and sensitive data while also deploying a remote access tool called GlasswormRAT. More than 300 GitHub repositories were reportedly affected.
- The takedown demonstrates how coordinated industry disruption efforts can slow threat actors even when arrests are unlikely. By dismantling attacker infrastructure and exposing tactics, defenders can make it harder and more expensive for cybercriminals to rebuild their operations.
New CIFSwitch Linux Flaw Gives Root on Multiple Distributions
Article Link: https://www.bleepingcomputer.com/news/security/new-cifswitch-linux-flaw-gives-root-on-multiple-distributions/
- Researchers at Manizada have disclosed a newly identified Linux vulnerability, dubbed “CIFSwitch,” a local privilege escalation flaw that allows unprivileged users to gain root access. The vulnerability stems from weaknesses in the CIFS/SMB authentication workflow used for Kerberos-based network shares, enabling attackers to exploit the mechanism and elevate privileges on affected systems.
- The issue occurs because the Linux kernel’s CIFS subsystem does not properly verify where certain authentication requests are coming from. This flaw allows attackers to create fake requests that are trusted by the root-level cifs.upcall helper, potentially enabling them to gain elevated privileges on affected systems.
- By manipulating trusted parts of the forged request, attackers can trigger a context change and load a malicious module before security controls take effect, ultimately allowing them to execute code with full root privileges.
- The flaw affects multiple Linux distributions under specific conditions and requires local access, though a public proof-of-concept (PoC) exploit is already available. A patch has been released, and organizations should apply updates, disable unnecessary CIFS functionality, remove unused cifs-utils, and consider restricting unprivileged user namespaces.
- Additional information: https://heyitsas.im/posts/cifswitch/
