FBI Warns of Kali365 Phishing Kit Targeting Microsoft 365 as Law Enforcement Dismantles First VPN Used by 25 Ransomware Groups
Executive Summary
This week's critical infrastructure threat landscape is marked by significant law enforcement actions against cybercriminal infrastructure alongside emerging threats requiring immediate defensive attention. Key developments include:
- Major Law Enforcement Actions: International authorities dismantled "First VPN," a criminal VPN service used by at least 25 ransomware groups for network reconnaissance and intrusions. Separately, the alleged operator of the Kimwolf DDoS botnet, which infected nearly two million devices worldwide, was arrested in Canada.
- Active Exploitation Alerts: CISA added vulnerabilities in Langflow and Trend Micro Apex One to the Known Exploited Vulnerabilities (KEV) catalog. Trend Micro confirmed CVE-2026-34926 is being actively exploited in the wild. Drupal is warning of active exploitation attempts against CVE-2026-9082, a critical SQL injection vulnerability disclosed earlier this week.
- Critical Severity Vulnerabilities: Cisco patched a CVSS 10.0 vulnerability (CVE-2026-20223) in Secure Workload that could allow unauthenticated remote attackers to access sensitive data. Ubiquiti released patches for three maximum severity vulnerabilities in UniFi OS.
- Emerging Phishing Threat: The FBI issued a warning about Kali365, a fast-growing phishing kit first observed in April 2026 that targets Microsoft 365 users by abusing legitimate Microsoft device authorization pages to establish persistent access.
- Supply Chain Compromise: Grafana disclosed that its codebase and other data were stolen after a token compromised in the TanStack supply chain attack was not rotated, highlighting ongoing risks from third-party dependencies.
- CISA Contractor Incident: Congressional lawmakers are demanding answers after reports that a CISA contractor inadvertently exposed AWS GovCloud credentials on GitHub, raising concerns about government cybersecurity practices.
Threat Landscape
Nation-State Threat Actor Activities
- Ghostwriter (UAC-0057/UNC1151) Targets Ukraine: The Belarus-aligned threat actor known as Ghostwriter has been observed conducting phishing campaigns against Ukrainian government entities using lures related to Prometheus, a Ukrainian online service. The campaign deploys the Prometheus phishing malware, continuing the group's persistent targeting of Ukrainian government infrastructure. Organizations with ties to Ukraine or Eastern European operations should review their email security controls and user awareness training.
Source: The Hacker News
Ransomware and Cybercriminal Developments
- First VPN Criminal Infrastructure Dismantled: European and North American authorities announced the takedown of First VPN, a criminal VPN service that provided anonymization capabilities to at least 25 ransomware groups. The FBI reports the service was used extensively for network reconnaissance and initial intrusion activities. This disruption may temporarily impact ransomware operators' ability to obscure their origins, though criminal groups typically migrate to alternative infrastructure quickly.
Sources: SecurityWeek, The Hacker News, CSO Online
- Kimwolf Botnet Operator Arrested: Jacob Butler, 23, of Ottawa, Canada, was arrested for allegedly operating the Kimwolf DDoS botnet, which infected nearly two million devices worldwide. The botnet operated as a DDoS-for-hire service. Butler faces extradition to the United States and up to 10 years in prison. This arrest represents a significant disruption to DDoS-as-a-service operations.
Sources: SecurityWeek, The Hacker News, CyberScoop, Bleeping Computer
- Netherlands Seizes Bulletproof Hosting Infrastructure: Dutch financial crime investigators (FIOD) arrested two individuals and seized 800 servers linked to a web hosting company that enabled cyberattacks, interference operations, and disinformation campaigns. This action disrupts infrastructure commonly used by various threat actors.
Source: Bleeping Computer
- Kali365 Phishing Kit Emerges: The FBI issued a warning about Kali365, a rapidly proliferating phishing kit first observed in April 2026. The kit targets Microsoft 365 users by abusing legitimate Microsoft device authorization pages to grant persistent access to cybercriminal-controlled applications. This technique bypasses traditional phishing detection by leveraging legitimate Microsoft infrastructure.
Sources: CyberScoop, CSO Online
Emerging Attack Vectors
- Megalodon GitHub Supply Chain Attack: Security researchers disclosed details of an automated campaign called Megalodon that pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window. The attack leverages malicious CI/CD workflows to compromise software supply chains. Organizations using GitHub for critical infrastructure software development should review their repository security settings and commit verification processes.
Source: The Hacker News
- Grafana Supply Chain Compromise: Grafana disclosed that hackers accessed its GitHub repositories after a token compromised in the TanStack supply chain attack was not rotated. The attackers stole Grafana's codebase and other data. This incident underscores the importance of credential rotation following third-party security incidents.
Source: SecurityWeek
- BYOVD Attack Research: New research details how Windows kernel mode drivers can be exploited from user mode without requiring the associated hardware, expanding the attack surface for Bring Your Own Vulnerable Driver (BYOVD) attacks. This technique is increasingly used by both nation-state actors and ransomware groups to disable security software.
Source: The Hacker News
- Fake AI Tool Sites Distributing Infostealers: Threat actors are using SEO poisoning to promote fake Gemini and Claude Code websites that distribute infostealer malware. The payloads collect extensive data including collaboration authentication keys and cryptocurrency wallets. Organizations should warn users about downloading AI tools from unofficial sources.
Source: Infosecurity Magazine
- Chromium Browser-to-Bot Vulnerability: Google inadvertently leaked details of a Chromium vulnerability that could allow attackers to turn browsers into bots. Organizations should ensure Chrome and Chromium-based browsers are updated promptly when patches become available.
Source: CSO Online
Sector-Specific Analysis
Energy Sector
- Industrial Router Exploitation Concerns: SecurityWeek reported on ongoing exploitation of industrial routers, with specific concerns about a Huawei router flaw that triggered a telecom blackout. Energy sector organizations relying on industrial networking equipment should review their router firmware versions and network segmentation practices.
Source: SecurityWeek
- OT/AI Integration Challenges: Analysis from CSO Online highlights significant challenges in applying AI strategies to operational technology environments, noting that "your AI strategy stops where the PLC starts." Energy sector organizations pursuing AI integration should carefully evaluate the unique security requirements of OT environments and avoid assumptions that IT security approaches will translate directly.
Source: CSO Online
Water & Wastewater Systems
- Gas Station Infrastructure Vulnerabilities: SecurityWeek's weekly roundup included reporting on gas station hacking techniques. While primarily affecting fuel retail, these vulnerabilities may have implications for water sector organizations using similar SCADA and industrial control systems. Water utilities should review the security of any shared infrastructure components.
Source: SecurityWeek
- Cisco Secure Workload Vulnerability Impact: Water utilities using Cisco Secure Workload for network segmentation and workload protection should prioritize patching CVE-2026-20223 (CVSS 10.0), which could allow unauthenticated access to sensitive operational data.
Source: The Hacker News
Communications & Information Technology
- Ubiquiti UniFi OS Critical Vulnerabilities: Ubiquiti released patches for three maximum severity vulnerabilities in UniFi OS. Given the widespread deployment of Ubiquiti equipment in enterprise and critical infrastructure environments, organizations should prioritize these updates. The vulnerabilities can be exploited by remote attackers without authentication.
Source: Bleeping Computer
- Drupal SQL Injection Under Active Attack: Organizations running Drupal-based web infrastructure should immediately patch CVE-2026-9082, a critical SQL injection vulnerability that is now being actively exploited. Drupal reports attacks against thousands of websites since disclosure.
Sources: SecurityWeek, Bleeping Computer
- Microsoft 365 Phishing Campaign: The Kali365 phishing kit poses significant risk to communications infrastructure operators using Microsoft 365. The kit's abuse of legitimate Microsoft device authorization pages makes detection challenging. Organizations should implement conditional access policies and monitor for unusual OAuth application grants.
Sources: CyberScoop, CSO Online
Transportation Systems
- DDoS Threat Reduction: The arrest of the Kimwolf botnet operator and seizure of its infrastructure may temporarily reduce DDoS attack capacity available to threat actors targeting transportation systems. However, organizations should maintain DDoS mitigation capabilities as alternative botnets remain operational.
Sources: SecurityWeek, Bleeping Computer
- Identity-Based Attack Concerns: Analysis from CSO Online emphasizes that identity has become the primary attack surface in modern breaches. Transportation sector organizations should review identity and access management controls, particularly for systems managing passenger data and operational technology access.
Source: CSO Online
Healthcare & Public Health
- Trend Micro Apex One Zero-Day: Healthcare organizations using Trend Micro Apex One for endpoint protection should immediately apply patches for CVE-2026-34926, a directory traversal vulnerability being actively exploited in the wild. The on-premise version is affected.
Sources: SecurityWeek, The Hacker News, Bleeping Computer
- HIPAA Security 2026 Conference Announced: HHS Office for Civil Rights and NIST announced the "Safeguarding Health Information: Building Assurance through HIPAA Security 2026" conference scheduled for September 2, 2026. This event will provide guidance on HIPAA security compliance and emerging healthcare cybersecurity challenges.
Source: NIST
Financial Services
- Tech Support Fraud Convictions: Two former executives of a call-tracking and analytics company pleaded guilty to concealing a years-long tech support fraud scheme. Financial institutions should remain vigilant about vendors and partners with access to customer contact information.
Source: Bleeping Computer
- App Store Fraud Prevention: Apple reported blocking $2.2 billion in App Store fraud over the past year, bringing total blocked fraudulent transactions since 2020 to over $11 billion. Financial services organizations should consider similar fraud detection approaches for their mobile application ecosystems.
Source: Infosecurity Magazine
Vulnerability & Mitigation Updates
Critical Vulnerabilities Requiring Immediate Attention
| CVE | Product | Severity | Status | Action Required |
|---|---|---|---|---|
| CVE-2026-20223 | Cisco Secure Workload | CVSS 10.0 (Critical) | Patch Available | Immediate patching; unauthenticated remote access to sensitive data |
| CVE-2026-34926 | Trend Micro Apex One (On-Premise) | High | Actively Exploited | Immediate patching; directory traversal vulnerability |
| CVE-2026-9082 | Drupal | Critical | Actively Exploited | Immediate patching; SQL injection attacks ongoing |
| Multiple CVEs | Ubiquiti UniFi OS | Maximum Severity | Patch Available | Priority patching; three vulnerabilities exploitable without authentication |
| Langflow Vulnerability | Langflow | High | Added to CISA KEV | Patch per CISA guidance; federal agencies have binding deadline |
CISA Advisories and KEV Updates
- KEV Catalog Additions: CISA added vulnerabilities in Langflow and Trend Micro Apex One to the Known Exploited Vulnerabilities catalog on Thursday, May 22. Federal agencies are required to remediate these vulnerabilities within specified timeframes. Private sector organizations should treat KEV additions as high-priority patching targets.
Source: The Hacker News
- KEV Nomination Process: CISA announced it will now accept nominations to its Known Exploited Vulnerabilities catalog from the security community. This development allows researchers and organizations to submit evidence of active exploitation for vulnerabilities not yet tracked by CISA. Security Magazine analysis notes this is an important step in improving the catalog's coverage.
Sources: SecurityWeek, Security Magazine
Recommended Defensive Measures
- Microsoft 365 OAuth Protection: In response to the Kali365 phishing kit, organizations should:
  - Implement conditional access policies restricting OAuth application consent
  - Monitor Azure AD sign-in logs for unusual device code authentication flows
  - Review and audit existing OAuth application permissions
  - Enable alerts for new application consent grants
- Supply Chain Security: Following the Grafana/TanStack incident:
  - Implement automated credential rotation following third-party security incidents
  - Review dependencies for known compromised packages
  - Enable commit signing and verification for critical repositories
  - Monitor for unauthorized repository access
- BYOVD Mitigation: To address expanding vulnerable driver exploitation:
  - Implement driver blocklists using Windows Defender Application Control (WDAC)
  - Enable Hypervisor-Protected Code Integrity (HVCI) where supported
  - Monitor for suspicious driver loading activity
  - Review Microsoft's recommended driver block rules
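The "monitor sign-in logs for unusual device code authentication flows" item above can be turned into a concrete detection. The following is an added example, not code from the briefing, the FBI or Microsoft: a Python detector run over a constructed Entra ID (Azure AD) sign-in export. The field names (`authenticationProtocol`, `appId`, `userPrincipalName`, `ipAddress`, `status.errorCode`) follow the Microsoft Graph `signIn` resource, where `deviceCode` marks the device authorization grant; the records, the app IDs and the allowlist of approved device-code clients are assumptions constructed for the example.

```python
"""Flag suspicious device-code sign-ins in an Entra ID (Azure AD) sign-in export.

Added example, not code from the briefing or from Microsoft. Field names follow
the Microsoft Graph signIn resource; the records, app IDs and allowlist below
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real log data). "deviceCode" is the value the
# Graph signIn resource uses for the OAuth 2.0 device authorization grant.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-21T09:02:11Z", "userPrincipalName": "a.ortiz@example.org",
     "appId": "app-known-cli", "appDisplayName": "Approved Admin CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-21T09:05:40Z", "userPrincipalName": "a.ortiz@example.org",
     "appId": "app-unknown-1", "appDisplayName": "Mail Sync Helper",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-21T09:06:02Z", "userPrincipalName": "b.chen@example.org",
     "appId": "app-unknown-1", "appDisplayName": "Mail Sync Helper",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-21T09:06:30Z", "userPrincipalName": "c.diaz@example.org",
     "appId": "app-unknown-1", "appDisplayName": "Mail Sync Helper",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-21T10:15:00Z", "userPrincipalName": "d.ivanova@example.org",
     "appId": "app-known-cli", "appDisplayName": "Approved Admin CLI",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
]

# Assumed allowlist: client app IDs the organisation permits to use device code flow.
APPROVED_DEVICE_CODE_APPS = {"app-known-cli"}


def parse_ts(value):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_device_code_anomalies(signins, approved_apps=APPROVED_DEVICE_CODE_APPS,
                               window=timedelta(minutes=10), burst_users=2):
    """Return findings for two rules aimed at the Kali365 pattern the briefing
    describes (a victim completes a device-code prompt, so a criminal-controlled
    app obtains tokens for that user):
      1. unapproved_device_code_app: a successful device-code sign-in to an app
         that is not on the allowlist;
      2. device_code_burst: one unapproved app collecting device-code sign-ins
         from at least `burst_users` distinct users inside `window`, which is
         what a kit mailing many victims at once looks like in the logs.
    """
    findings = []
    per_app = defaultdict(list)
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # only completed prompts grant a token; failures are noise here
        if rec["appId"] in approved_apps:
            continue
        findings.append({"rule": "unapproved_device_code_app",
                         "user": rec["userPrincipalName"], "appId": rec["appId"],
                         "appDisplayName": rec.get("appDisplayName"),
                         "ip": rec["ipAddress"], "time": rec["createdDateTime"]})
        per_app[rec["appId"]].append((parse_ts(rec["createdDateTime"]),
                                      rec["userPrincipalName"]))

    for app_id, events in per_app.items():
        events.sort()
        best_users, best_start, start = set(), None, 0
        # Sliding window: widest set of distinct users this app reached within `window`.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {user for _, user in events[start:end + 1]}
            if len(users) > len(best_users):
                best_users, best_start = users, events[start][0]
        if len(best_users) >= burst_users:
            findings.append({"rule": "device_code_burst", "appId": app_id,
                             "users": sorted(best_users),
                             "window_start": best_start.isoformat()})
    return findings


if __name__ == "__main__":
    for finding in find_device_code_anomalies(SAMPLE_SIGNINS):
        print(finding)
```

The allowlist is the part that makes this usable: most tenants have only a handful of legitimate device-code clients (CLI tools, headless devices), so any other app obtaining a token through this grant is worth a ticket, and several users granting the same unknown app within minutes is the signature of a mass phishing wave rather than one curious user. Exported sign-in records from the Graph API or a SIEM can be fed to `find_device_code_anomalies` in place of the constructed list.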
Resilience & Continuity Planning
Lessons Learned
- Credential Exposure Incident Response: The CISA contractor credential exposure incident and the Grafana token compromise both highlight the critical importance of:
  - Immediate credential rotation following any suspected exposure
  - Automated scanning of code repositories for secrets before commit
  - Separation of development and production credentials
  - Regular audits of third-party access tokens and their permissions
- Criminal Infrastructure Takedowns: The First VPN and Kimwolf botnet takedowns demonstrate that while law enforcement actions can disrupt criminal operations, organizations should not assume reduced threat levels. Criminal groups typically migrate to alternative infrastructure within days to weeks.
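The "automated scanning of code repositories for secrets before commit" lesson above is illustrated by the following added example, which is not code from the briefing, CISA or Grafana: a small Python pre-commit scanner that reads a staged unified diff, looks only at added lines, and blocks the commit when it finds an AWS access key ID or a secret-looking assignment whose value has high entropy. The diff is constructed; the two key values in it are the placeholder credentials from AWS's own documentation, not live secrets. The entropy threshold and the set of name patterns are assumptions to tune per repository.

```python
"""Pre-commit scan of staged changes for credentials, so an access key never
reaches a repository in the first place.

Added example, not code from the briefing, CISA or Grafana. The diff below is
constructed; the key values in it are the placeholder credentials from AWS's
own documentation, not live secrets.
"""
import math
import re
import subprocess
import sys

# Constructed staged diff (not a real repository).
SAMPLE_DIFF = """\
diff --git a/deploy/settings.py b/deploy/settings.py
--- a/deploy/settings.py
+++ b/deploy/settings.py
@@ -1,4 +1,6 @@
 REGION = "us-gov-west-1"
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+LOG_LEVEL = "INFO"
"""

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA long-term,
# ASIA temporary) followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Generic "secret-looking name = long opaque value" assignment; the value is then
# entropy-checked so ordinary configuration strings do not trip it.
ASSIGNED_SECRET = re.compile(
    r"(?i)(?:secret|token|password|passwd|api[_-]?key)[^=:\n]{0,30}[=:]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{20,})")
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cutoff for base64-like secrets


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def scan_diff(diff_text):
    """Scan only the added lines of a unified diff and return a list of findings,
    each with the new-file path, new-file line number and what was matched."""
    findings = []
    current_file, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            current_file = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("diff --git") or raw.startswith("\\"):
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            lineno = int(header.group(1))  # first new-file line of this hunk
            continue
        if raw.startswith("-"):
            continue  # removed line: it does not exist in the new file
        if raw.startswith("+"):
            text = raw[1:]
            if AWS_KEY_ID.search(text):
                findings.append({"file": current_file, "line": lineno,
                                 "kind": "aws_access_key_id"})
            m = ASSIGNED_SECRET.search(text)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append({"file": current_file, "line": lineno,
                                 "kind": "high_entropy_secret",
                                 "entropy": round(shannon_entropy(m.group(1)), 2)})
        lineno += 1  # context and added lines both advance the new-file counter
    return findings


def staged_diff():
    """Staged changes as a unified diff, for use from a git pre-commit hook."""
    return subprocess.run(["git", "diff", "--cached"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # With a file argument the scanner reads that diff; without one it scans the
    # staged changes, which is how a .git/hooks/pre-commit script would call it.
    diff = staged_diff() if len(sys.argv) == 1 else open(sys.argv[1]).read()
    hits = scan_diff(diff)
    for hit in hits:
        print(f"{hit['file']}:{hit['line']}: {hit['kind']}")
    sys.exit(1 if hits else 0)
```

Scanning only added lines keeps the hook fast and avoids re-flagging history, which is a separate clean-up job; the non-zero exit status is what makes git refuse the commit. A hook like this is a last line of defence, not a replacement for keeping credentials out of source in the first place or for rotating any key that does leak.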
Supply Chain Security Developments
- GitHub Repository Security: The Megalodon campaign's ability to push malicious commits to over 5,500 repositories in six hours underscores the need for:
  - Branch protection rules requiring code review
  - Signed commits from verified contributors
  - Automated security scanning in CI/CD pipelines
  - Monitoring for unusual commit patterns
- AI Tool Supply Chain Risks: The fake Gemini and Claude Code sites distributing infostealers highlight risks as organizations adopt AI development tools. Establish approved sources for AI tools and warn developers about SEO-poisoned download sites.
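To make the "monitoring for unusual commit patterns" item concrete, the following added example (not code from the briefing, from GitHub or from the Megalodon research) runs two detections over a constructed, simplified stream of commit events: unsigned commits that touch CI workflow files, and one actor writing to many distinct repositories within a short window, which is the shape of the campaign described above. The event fields (`repo`, `actor`, `ts`, `verified`, `paths`) and the thresholds are assumptions for the example, not the GitHub audit-log or webhook schema.

```python
"""Detect cross-repository commit bursts and unsigned workflow changes.

Added example, not code from the briefing or from GitHub. The event shape is a
constructed simplification of what a push-event or audit-log export carries;
the sample events and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WORKFLOW_DIR = ".github/workflows/"  # CI definitions: a change here runs code in the pipeline

# Constructed sample events (not real repositories or users).
SAMPLE_EVENTS = [
    {"repo": "org/api", "actor": "dev-alice", "ts": "2026-05-20T14:00:00Z",
     "verified": True, "paths": ["src/app.py"]},
    {"repo": "org/web", "actor": "dev-bob", "ts": "2026-05-20T14:10:00Z",
     "verified": True, "paths": [".github/workflows/ci.yml"]},
    {"repo": "org/repo-1", "actor": "bot-x", "ts": "2026-05-20T15:00:00Z",
     "verified": False, "paths": [".github/workflows/build.yml"]},
    {"repo": "org/repo-2", "actor": "bot-x", "ts": "2026-05-20T15:00:03Z",
     "verified": False, "paths": [".github/workflows/build.yml"]},
    {"repo": "org/repo-3", "actor": "bot-x", "ts": "2026-05-20T15:00:07Z",
     "verified": False, "paths": [".github/workflows/build.yml"]},
    {"repo": "org/repo-4", "actor": "bot-x", "ts": "2026-05-20T15:00:12Z",
     "verified": False, "paths": [".github/workflows/build.yml"]},
    {"repo": "org/api", "actor": "dev-alice", "ts": "2026-05-20T16:00:00Z",
     "verified": False, "paths": ["README.md"]},
]


def parse_ts(value):
    """Parse the UTC timestamp format used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyze_commits(events, window=timedelta(minutes=5), repo_threshold=3):
    """Return findings for two rules:
      1. unsigned_workflow_change: a commit without a verified signature that
         modifies a file under .github/workflows/ (the Megalodon vector was
         malicious CI/CD workflow content);
      2. cross_repo_burst: one actor committing to at least `repo_threshold`
         distinct repositories inside `window`, the automated fan-out pattern.
    """
    findings = []
    for e in events:
        touches_workflow = any(p.startswith(WORKFLOW_DIR) for p in e["paths"])
        if touches_workflow and not e["verified"]:
            findings.append({"rule": "unsigned_workflow_change", "repo": e["repo"],
                             "actor": e["actor"], "ts": e["ts"]})

    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append((parse_ts(e["ts"]), e["repo"]))
    for actor, evs in by_actor.items():
        evs.sort()
        best_repos, best_start, start = set(), None, 0
        # Sliding window: largest set of distinct repos this actor touched within `window`.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            repos = {repo for _, repo in evs[start:end + 1]}
            if len(repos) > len(best_repos):
                best_repos, best_start = repos, evs[start][0]
        if len(best_repos) >= repo_threshold:
            findings.append({"rule": "cross_repo_burst", "actor": actor,
                             "repos": sorted(best_repos),
                             "window_start": best_start.isoformat()})
    return findings


if __name__ == "__main__":
    for finding in analyze_commits(SAMPLE_EVENTS):
        print(finding)
```

The two rules are complementary: branch protection and required signatures stop most unsigned workflow edits from landing, and the burst rule catches a compromised token or automation account that does hold legitimate write access to many repositories, where each individual commit would pass review settings on its own. In practice `dev-alice`'s unsigned README change is reported by neither rule, which is the intended noise floor.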
Cross-Sector Dependencies
- Identity Infrastructure: CSO Online analysis emphasizes that identity has become the primary attack surface across all sectors. Organizations should evaluate their identity provider dependencies and implement redundancy for critical authentication systems.
- Endpoint Protection Dependencies: The Trend Micro Apex One zero-day exploitation demonstrates that security tools themselves can become attack vectors. Organizations should maintain visibility into their security tool attack surface and have contingency plans for security tool compromise.
Regulatory & Policy Developments
Congressional Oversight
- CISA Contractor Incident Investigation: Lawmakers in both houses of Congress are demanding answers from CISA following reports that a contractor inadvertently exposed AWS GovCloud credentials on GitHub. This incident may lead to increased scrutiny of government contractor security practices and potentially new requirements for credential management.
Sources: KrebsOnSecurity, Schneier on Security
CISA Initiatives
- KEV Nomination Process: CISA's new process for accepting vulnerability nominations to the Known Exploited Vulnerabilities catalog represents a significant expansion of public-private collaboration. Organizations can now submit evidence of active exploitation for consideration, potentially accelerating the identification of threats to critical infrastructure.
Sources: SecurityWeek, Security Magazine
International Developments
- Cross-Border Law Enforcement Cooperation: This week's coordinated actions—the First VPN takedown involving European and North American authorities, the Netherlands server seizures, and the Canada-US cooperation on the Kimwolf arrest—demonstrate strengthening international cooperation against cybercriminal infrastructure. Organizations should anticipate continued disruption of criminal services, though temporary in nature.
Training & Resource Spotlight
Upcoming Workshops and Training
- NIST AI for Manufacturing Workshop
Date: May 27, 2026
Focus: AI integration in manufacturing product development and production processes, addressing productivity and resilience improvements while managing associated risks.
Relevance: Critical for manufacturing sector organizations evaluating AI adoption.
Source: NIST
- NCCoE Manufacturing Cybersecurity Incident Response Guidelines
Date: June 4, 2026 | 1:00 PM – 2:00 PM
Format: Virtual
Focus: Overview of upcoming guidelines on improving cybersecurity incident response in manufacturing environments.
Source: NIST NCCoE
- NIST NCCoE Genomic Data PETs Testbed & Dioptra Webinar
Date: June 9, 2026 | 1:00 PM – 3:30 PM EDT
Format: Virtual
Focus: Privacy-Enhancing Technologies (PETs) Testbed and Dioptra platform demonstrations.
Relevance: Healthcare and research organizations handling sensitive genomic data.
Source: NIST NCCoE
- NIST Workshop on Hardware CPE and CVSS Updates
Date: June 22, 2026
Focus: Hardware representation in Common Platform Enumeration (CPE) and Common Vulnerability Scoring System (CVSS) application to hardware vulnerabilities.
Relevance: Critical for organizations managing hardware asset inventories and vulnerability programs.
Source: NIST
New Tools and Frameworks
- Google CodeMender Integration: Google announced the integration of CodeMender into its agent ecosystem as part of its push for AI-led application security. Organizations evaluating AI-assisted security tools should monitor this development.
Source: CSO Online
- Microsoft Browser AI Safety Features: Microsoft announced new features to make AI "safe for work" in browsers. Organizations should evaluate these controls for enterprise browser deployments.
Source: CSO Online
Best Practices Highlighted
- Cultural Fit in Security Hiring: Security Magazine analysis emphasizes that cultural fit is central to success in security roles. Organizations building security teams should consider organizational culture alignment alongside technical qualifications.
Source: Security Magazine
Looking Ahead: Upcoming Events
Key Conferences and Briefings
- NIST AI for Manufacturing Workshop – May 27, 2026
Focus on AI integration challenges and opportunities in manufacturing environments.
- NCCoE Manufacturing Project Update – June 4, 2026
Virtual briefing on cybersecurity incident response guidelines for manufacturing.
- NIST NCCoE Genomic Data PETs Webinar – June 9, 2026
Privacy-enhancing technologies demonstration for healthcare and research sectors.
- NIST Hardware CPE/CVSS Workshop – June 22, 2026
Technical workshop on hardware vulnerability identification and scoring.
- Iris Experts Group Annual Meeting – June 25, 2026
Forum for government agencies employing iris recognition technology.
- 2026 Time and Frequency Seminar – July 21, 2026
NIST seminar covering precision timing systems relevant to critical infrastructure synchronization.
- HIPAA Security 2026 Conference – September 2, 2026
HHS OCR and NIST joint conference on healthcare information security.
Threat Periods Requiring Heightened Awareness
- Memorial Day Weekend (May 23-26, 2026): Holiday weekends historically see increased ransomware activity as threat actors exploit reduced staffing. Organizations should ensure incident response capabilities remain available and consider implementing additional monitoring.
- Post-Takedown Threat Actor Migration: Following the First VPN and Kimwolf takedowns, expect threat actors to migrate to alternative infrastructure within 1-2 weeks. Monitor for new criminal services emerging to fill the gap.
- Drupal Exploitation Window: With active exploitation of CVE-2026-9082 ongoing, organizations running unpatched Drupal installations face elevated risk. Prioritize patching before the holiday weekend.
Anticipated Developments
- CISA KEV Nomination Process: Watch for the first community-nominated vulnerabilities to be added to the KEV catalog, which may expand coverage of threats affecting critical infrastructure.
- Congressional CISA Oversight: Expect continued congressional scrutiny of CISA security practices following the contractor credential exposure incident. Potential policy changes may affect government contractor security requirements.
- Kali365 Evolution: Given the FBI warning about this fast-growing phishing kit, anticipate continued development and deployment. Organizations should proactively implement OAuth security controls.
This intelligence briefing is based on open-source reporting from May 16-23, 2026. Information is provided for situational awareness and should be verified through official channels before taking action. Organizations are encouraged to share relevant threat information through appropriate public-private partnership channels.
Disclaimer
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.