Detailed write-ups
Microsoft customer stories: St. Luke’s and ManpowerGroup (May 22)
Two case studies from the Microsoft Security blog: St. Luke’s Health System reports roughly 200 analyst hours saved per month using Security Copilot for triage, summarisation, and KQL drafting; ManpowerGroup describes the underlying “AI-ready SOC foundation” work — identity, data lake, and incident-grade documentation — required before agents become useful. Useful as a counterweight to vendor demos: both pieces are explicit that the agentic surface only pays off after the data, identity, and process plumbing are in shape.
Sources: Microsoft Security Blog
Ransomware confidence vs. endpoint recovery (May 18)
Help Net summarises survey work showing the gap between perceived readiness and the actual speed and completeness of endpoint restore. Boards see green dashboards; the first night of an incident reveals stale image catalogs, missed identity dependencies, and EDR posture drift on the very machines you need back first. The piece reframes “recovery readiness” as a SOC operational metric — pair it with a tabletop that ends not at containment but at the last endpoint restored to last-known-good.
Sources: Help Net Security
The CVE wave hitting your alerts this week
Five separate active-exploitation stories landed during the window and each one will show up in your alert queue with a different shape. Defender CVE-2026-41091 (link-following LPE to SYSTEM) and CVE-2026-45498 (DoS on Antimalware Platform) are on CISA KEV with a June 3 federal deadline — ironic that the EDR is the persistence surface. Exchange OWA CVE-2026-42897 (CVSS 8.1, crafted-email XSS in OWA browser context) has no patch: the Emergency Mitigation Service M2.1.x URL-rewrite rule is the only door. NGINX Rift (CVE-2026-42945) is under active exploitation, and a separate 18-year-old NGINX rewrite-module flaw enables unauthenticated RCE — check both your edge and any embedded NGINX in appliances. Drupal shipped urgent core updates on May 20 (the matching SQLi CVE-2026-9082 is on KEV with sub-48-hour exploit-to-patch). YellowKey (CVE-2026-45585) is the Chaotic Eclipse BitLocker bypass — Microsoft’s mitigation is to remove autofstx.exe from WinRE BootExecute; the long-term answer is TPM+PIN on Windows 11 / Server 2022/2025. Build a single ticket queue tagged by these five CVE IDs and watch the hit-rate over the next two weeks.
Sources: Help Net Security (Defender CVEs) · The Hacker News (Exchange OWA) · Help Net Security (NGINX Rift) · The Hacker News (NGINX rewrite) · The Hacker News (Drupal) · Help Net Security (YellowKey)
TeamPCP / Nx Console: the poisoned IDE that became a credential heist
Two complementary write-ups on the same incident: a malicious Nx Console v18.95.0 (VS Code Marketplace, ~2.2M installs) shipped a 498 KB obfuscated payload pulled from a dangling orphan commit in nrwl/nx, harvested 1Password vaults, Claude Code configs, npm/GitHub/AWS secrets off developer endpoints, and ultimately let TeamPCP into GitHub’s own internal codebase. SOC implication: developer endpoints are now a high-value target with a different telemetry surface than corporate laptops — look for new outbound destinations from VS Code helper processes, sudden reads of secret-manager files, and SSH-agent activity outside dev windows. If you don’t collect EDR telemetry from engineering Macs, this incident is the budget justification.
Sources: Help Net Security · The Hacker News
Kali365: another MFA-bypass PhaaS to add to the detection set (May 22)
Kali365 is the latest adversary-in-the-middle phishing-as-a-service kit aimed at Microsoft 365. The novelty isn’t the AiTM proxy — it’s the post-auth step: the kit captures the OAuth refresh token after a successful MFA challenge, then registers a long-lived persistence path that survives password reset. Detection signal: anomalous device registration immediately after first sign-in from an unusual IP, plus token-issued events without matching user-agent changes. Entra ID Conditional Access on token-binding helps but only if you’ve actually turned it on for the whole tenant, not just the pilot group.
Sources: Help Net Security
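The first detection signal above (device registration shortly after a sign-in from an IP the user has never used) as an added correlation example; this is not code from the page or from any vendor, and the event shape, the ten-minute window and the known-IP list are constructed assumptions, not Entra ID’s real log schema.

```python
from datetime import datetime, timedelta, timezone

def _ts(s):
    """Parse the simplified ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample events (not real tenant data): sign-ins and device
# registrations reduced to the fields the correlation needs.
SAMPLE_EVENTS = [
    {"type": "signin", "user": "alice@example.test", "ip": "203.0.113.7",
     "time": "2026-05-22T08:01:00Z"},
    {"type": "device_registered", "user": "alice@example.test",
     "device": "DESKTOP-NEW", "time": "2026-05-22T08:03:30Z"},
    {"type": "signin", "user": "bob@example.test", "ip": "198.51.100.10",
     "time": "2026-05-22T09:00:00Z"},
    {"type": "device_registered", "user": "bob@example.test",
     "device": "LAPTOP-BOB", "time": "2026-05-22T11:00:00Z"},
]

# Constructed baseline of IPs each user has previously signed in from.
KNOWN_IPS = {
    "alice@example.test": {"192.0.2.44"},
    "bob@example.test": {"198.51.100.10"},
}

def find_suspicious_registrations(events, known_ips, window=timedelta(minutes=10)):
    """Return device registrations preceded, within `window`, by a sign-in of the
    same user from an IP that is not on that user's known-IP baseline."""
    signins = [e for e in events if e["type"] == "signin"]
    hits = []
    for reg in events:
        if reg["type"] != "device_registered":
            continue
        reg_time = _ts(reg["time"])
        for s in signins:
            if s["user"] != reg["user"]:
                continue
            delay = reg_time - _ts(s["time"])
            if not (timedelta(0) <= delay <= window):
                continue  # sign-in must precede registration inside the window
            if s["ip"] in known_ips.get(s["user"], set()):
                continue  # familiar IP: the sequence alone is not suspicious
            hits.append({"user": reg["user"], "device": reg["device"],
                         "signin_ip": s["ip"], "delay_seconds": int(delay.total_seconds())})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_registrations(SAMPLE_EVENTS, KNOWN_IPS):
        print("ALERT: device registered after sign-in from new IP:", hit)
```

Bob’s registration is not flagged because his sign-in came from a known IP and was two hours earlier; Alice’s is flagged because the registration followed an unfamiliar-IP sign-in by 150 seconds.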
Your purple team isn’t purple (May 18)
The Hacker News argues that most organisations describe themselves as “purple” when they have simply put red and blue in the same Slack channel and called it integration. The missing ingredient is a continuous validation loop — BAS or attack-simulation telemetry feeding back into detection-engineering tickets with measurable rule-coverage outcomes. Worth quoting at your next program review when someone asks why “we already have purple.”
Sources: The Hacker News
Operation Saffron: First VPN dismantled (May 21)
International takedown coordinated through Europol: 33 bulletproof servers seized across 27 countries, a Ukrainian admin arrested, and the full user database (~5,000 criminal accounts) recovered. First VPN had been used since 2014 by 25 ransomware groups — including Avaddon — for recon, intrusion staging, and C2 obfuscation. For SOC, the seized database is the part that matters: expect threat-intel feeds to ship updated IOCs and historical attribution data over the next two to four weeks — tee up retro-hunts against your six-month log retention.
Sources: Help Net Security
Aikido: deleted Google API keys keep working for up to 23 minutes (May 22)
Aikido Security tested revocation lag across GCP and found Google API keys remain valid for up to 23 minutes (median ~16 min) after deletion — across Gemini, BigQuery, Maps, and every GCP service that uses the API-key format. By contrast, Service Account keys revoke in roughly five seconds and the newer Gemini-specific key format in about a minute, so faster revocation is technically achievable. Google’s response: this is a “known property” rather than a security issue. SOC implication is brutal and concrete: “we revoked the key” does not mean “the attacker is locked out.” Update IR runbooks to treat Google API-key revocation as a 30-minute window during which the SOC must keep watching the GCP “Enabled APIs and services” audit log, throttle access at the perimeter, rotate downstream service-account credentials, and only declare containment after the lag window closes. Add a runbook step that documents revocation timestamp and verification timestamp as two distinct fields.
Sources: Help Net Security
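The runbook step above (revocation and verification as two distinct timestamps, containment declared only after the lag window closes) as an added example; this is not Aikido’s or Google’s code, the audit entries are constructed, the 30-minute window is the runbook assumption from the piece, and the key id is a placeholder.

```python
from datetime import datetime, timedelta, timezone

LAG_WINDOW = timedelta(minutes=30)  # runbook assumption covering the observed 23-minute lag

def _ts(s):
    """Parse the simplified ISO-8601 UTC timestamps used in the sample entries."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed audit entries (not real GCP audit-log records): reduced to the
# fields this check needs. Two uses land inside the lag window after revocation.
SAMPLE_AUDIT = [
    {"time": "2026-05-22T09:58:00Z", "api_key_id": "KEY-PLACEHOLDER-1", "method": "bigquery.jobs.query"},
    {"time": "2026-05-22T10:12:00Z", "api_key_id": "KEY-PLACEHOLDER-1", "method": "bigquery.jobs.query"},
    {"time": "2026-05-22T10:20:00Z", "api_key_id": "KEY-PLACEHOLDER-1", "method": "maps.geocode"},
]

def containment_status(audit, key_id, revoked_at, verified_at, lag=LAG_WINDOW):
    """Classify post-revocation use of `key_id` between the revocation timestamp and
    the verification timestamp, and say whether containment may be declared."""
    revoked, verified = _ts(revoked_at), _ts(verified_at)
    window_end = revoked + lag
    seen = [e for e in audit
            if e["api_key_id"] == key_id and revoked <= _ts(e["time"]) <= verified]
    during_lag = [e for e in seen if _ts(e["time"]) <= window_end]   # expected by the research
    after_lag = [e for e in seen if _ts(e["time"]) > window_end]     # revocation did not take
    window_closed = verified >= window_end
    if not window_closed:
        action = "keep watching the audit log; containment not yet declarable"
    elif after_lag:
        action = "key still in use after lag window: escalate, rotate downstream credentials"
    else:
        action = "lag window closed with no further use: containment may be declared"
    return {
        "revocation_timestamp": revoked_at,      # two distinct runbook fields
        "verification_timestamp": verified_at,
        "uses_during_lag": len(during_lag),
        "uses_after_lag": len(after_lag),
        "window_closed": window_closed,
        "contained": window_closed and not after_lag,
        "action": action,
    }

if __name__ == "__main__":
    print(containment_status(SAMPLE_AUDIT, "KEY-PLACEHOLDER-1",
                             "2026-05-22T10:00:00Z", "2026-05-22T10:35:00Z"))
```

Uses inside the window are recorded but do not by themselves mean the revocation failed; a use after the window closes does, and the status flips to escalation.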
DBIR 2026 in the SOC seat (May 20)
Help Net’s SOC-flavoured summary of Verizon’s DBIR 2026: vulnerability exploitation overtook credential theft as the leading initial-access vector (31% vs. 13%) for the first time in 19 years, third-party-related breaches are up 60%, ransomware sits at 48%, and AI is now compressing time-to-exploit from months to hours. Critically: organisations patched only 26% of CISA KEV entries this year (down from 38% in 2024). Use this to re-prioritise the patch SLA conversation with engineering, and to argue for a dedicated KEV-driven exposure-management workflow that doesn’t depend on monthly vuln-management cycles.
Sources: Help Net Security
ISC diary, structural critique, and the long-tail OS reading
Xavier Mertens’s ISC diary on May 23 collects a handler-authored primer on red-teaming tools that frequently surface in malware analysis — useful for analysts who want to recognise the tooling on the other side of the keyboard. CySecurity News’s “SOC alert overload” piece argues structurally that more analysts won’t fix volume problems — only triage architecture will — and pairs well with the purple-team and DBIR items above. Canonical Ubuntu Core 26 ships with 15 years of security maintenance (relevant for OT/edge fleet planners), and Debian 13.5’s point release bundles roughly 100 DSAs — standard housekeeping but worth flagging to whoever owns your Linux estate. The 2026 DevOps Threats Report walks through AI-integrated DevOps surfaces (prompt injection through pipelines, RCE in agent-driven build systems) — required reading if your SOC has started taking tickets from engineering platforms. Finally, the McAfee + ChatGPT product showcase is worth a one-paragraph glance: a preview of how vendors will pitch conversational-AI front doors for SOC over the next 12 months.
Sources: SANS ISC (May 23) · CySecurity News · Help Net Security (Ubuntu Core 26) · Help Net Security (Debian 13.5) · Help Net Security (DevOps Threats) · Help Net Security (McAfee + ChatGPT)