Windows Zero-Days Expose Systems, Critical NGINX Flaw Under Active Attack, and State-Sponsored Ransomware Targets OT

Instructure has officially confirmed paying an undisclosed ransom to the ShinyHunters hacking group following the massive Canvas data breach. This decision, made to secure the return and destruction of 3.65 TB of stolen data affecting 275 million users, has drawn significant criticism for setting a dangerous precedent. The U.S. House Homeland Security Committee has launched an investigation into Instructure's actions, raising concerns about validating cybercriminal business models and the unverifiable nature of data destruction claims. This development escalates the incident's impact, adding regulatory scrutiny and long-term implications for the ed-tech sector.

Further analysis of the YellowKey BitLocker bypass reveals that Windows 10 is not affected, clarifying the scope of the vulnerability. The attack specifically involves holding the CTRL key during the Windows Recovery Environment (WinRE) boot process to trigger the flaw, as reproduced by researcher Will Dormann. There is also speculation regarding the possibility of an intentional backdoor. Additional mitigation strategies now include setting strong BIOS/UEFI passwords and considering file-level encryption for sensitive data, beyond just BitLocker with a PIN.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the actively exploited Microsoft Exchange zero-day, CVE-2026-42897, to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion mandates federal agencies to apply mitigations by May 29, 2026, underscoring the critical nature of the flaw. The vulnerability, rated CVSS 8.1, is an XSS issue allowing attackers to execute arbitrary JavaScript by sending a specially crafted email that, when opened in Outlook Web Access (OWA), can lead to credential theft. New detection methods include deploying Web Application Firewalls (WAFs) and enhanced IIS log analysis for XSS payloads. Organizations are urged to apply Microsoft's provided mitigations immediately.

The updated analysis of Turla's Kazuar P2P botnet reveals a sophisticated leader election process where only one node communicates externally, significantly boosting stealth. The malware's modular framework now includes Kernel, Bridge, and Worker components, allowing for flexible task execution. Additionally, new defense evasion capabilities, such as AMSI and ETW bypasses, and over 150 configuration options, highlight the botnet's advanced design for long-term, stealthy espionage, with a continued focus on targets like Ukraine.

The updated guidance for NIST SP 800-172 Revision 3 now explicitly includes its assessment companion, SP 800-172A Revision 3. The primary focus is on bolstering defenses against Advanced Persistent Threats (APTs) by promoting cyber resiliency and defense-in-depth strategies, including zero-trust architectures and micro-segmentation. The controls are now available in machine-readable formats like JSON and YAML, facilitating automation. The scope of affected organizations is clarified to include aerospace and critical infrastructure sectors, beyond just DIB and research institutions.

Anthropic is set to brief the Financial Stability Board (FSB), a global financial regulator, on its 'Mythos' AI model. This follows a request from the Bank of England's governor, reflecting growing international concern over Mythos's ability to autonomously discover novel software vulnerabilities. Regulators are grappling with the 'dual-use' nature of such AI, which could pose a systemic risk to the global financial system if weaponized. A select group of companies, including JPMorgan Chase and Microsoft, currently have limited access to Mythos for defensive purposes, raising questions about equitable access to security intelligence and future regulatory frameworks.

Security researchers at Wiz have provided further details on the TeamPCP supply chain attack. The report confirms the worm-like propagation mechanism, where attackers stole developer credentials and API tokens to publish malicious versions of popular open-source packages, including Tanstack. This led to the compromise of two OpenAI employee devices. The incident highlights the critical risk of developer account takeovers and the cascading impact on the software supply chain, reinforcing the need for robust MFA and dependency vetting.