
Russia-Linked GreyVibe Weaponizes AI for Cyberattacks as Carnival Breach Exposes 6 Million; Critical FortiClient EMS Flaw Under Active Exploitation

1. Executive Summary

This week's intelligence cycle reveals an accelerating convergence of artificial intelligence and cyber threats, with Russia-linked threat actors demonstrating sophisticated AI-augmented attack capabilities while critical infrastructure faces mounting pressure from both nation-state and criminal actors.

  • AI-Powered Threat Evolution: The Russia-linked "GreyVibe" threat cluster is actively leveraging ChatGPT, Gemini, and other AI tools to supercharge cyberattacks against Ukrainian targets, offering a preview of future threat actor operations. Separately, researchers observed an AI agent conducting a complete cyberattack autonomously in under one hour.
  • Major Data Breach Impact: Carnival Corporation confirmed a data breach affecting nearly 6 million individuals, attributed to the ShinyHunters extortion gang. The incident originated from a social engineering attack, highlighting persistent human-factor vulnerabilities.
  • Active Exploitation Alert: Critical vulnerabilities in FortiClient Enterprise Management Server (EMS) are under active exploitation, with threat actors deploying a previously undocumented credential stealer called "EKZ." Organizations using FortiClient EMS should prioritize immediate patching.
  • ICS/OT Security Concerns: CISA released eight Industrial Control System advisories affecting security cameras, building automation systems, maritime voyage data recorders, HVAC systems, and EV charging infrastructure—underscoring the expanding attack surface across critical infrastructure sectors.
  • Open Source Supply Chain: IBM and Red Hat announced a $5 billion commitment to secure open source supply chains through "Project Lightwell," while a critical unpatched vulnerability in the Gogs Git service exposes approximately 30,000 deployments to remote code execution attacks.
  • Heightened Threat Environment: Water ISAC reports a heightened threat environment, including potential Iranian retaliation following U.S. military actions, and has shared indicators of compromise from targeted attacks on water facilities that used port-hopping techniques.

2. Threat Landscape

Nation-State Threat Actor Activities

  • GreyVibe (Russia-Linked): Researchers have identified a likely Russian threat cluster designated "GreyVibe" actively targeting Ukrainian entities. The group's extensive use of commercial AI tools including ChatGPT and Gemini for generating phishing lures and developing custom malware represents a significant evolution in threat actor tradecraft. Security analysts warn this operational model will likely be adopted by other state-aligned and cybercriminal groups. (SecurityWeek, Bleeping Computer)
  • Iranian Threat Actors: Water ISAC has issued an updated situation report (TLP:AMBER+STRICT) regarding heightened threat environment and potential retaliation by Iranian threat actors following recent U.S. strikes on Iran. Critical infrastructure operators, particularly in the water sector, should maintain elevated vigilance. (Water ISAC)
  • JINX-0164 (Cryptocurrency Targeting): A newly documented threat actor designated JINX-0164 is conducting targeted campaigns against cryptocurrency organizations using fake recruiter lures and macOS-specific malware. The campaign aims to facilitate digital asset theft through sophisticated social engineering. (The Hacker News, Infosecurity Magazine)

Ransomware and Cybercriminal Developments

  • ShinyHunters Activity: The ShinyHunters extortion gang has claimed responsibility for the Carnival Corporation breach affecting 6 million individuals. The attack vector was social engineering, demonstrating the group's continued focus on high-value targets in the hospitality and travel sectors. (Bleeping Computer)
  • BTMOB Android Malware-as-a-Service: A new Android remote access trojan named BTMOB is being offered to cybercriminals with a builder interface for generating custom phishing payloads. The malware combines financial theft capabilities with data exfiltration and remote access, enabling full device takeover. (SecurityWeek, Bleeping Computer)
  • Evolving Ransomware Intrusion Techniques: The FBI has released multiple alerts on credential theft and evolving ransomware intrusion techniques, with particular emphasis on tech support impersonation schemes where employees unknowingly invite threat actors into corporate networks. (Water ISAC, CSO Online)

Emerging Attack Vectors

  • Autonomous AI-Driven Attacks: Security researchers observed a cyberattack conducted entirely by an AI agent, completing the full attack chain in under one hour without human intervention. This development signals a fundamental shift in the threat landscape toward machine-speed attacks. (Security Magazine)
  • Package Impersonation Evolution: Threat actors have moved beyond simple typosquatting to realistic package impersonation in open source repositories, creating malicious packages that closely mimic legitimate code rather than relying on misspelled names. (Infosecurity Magazine)
  • FIFA World Cup Fraud Schemes: The FBI is warning of fake websites impersonating FIFA ahead of the 2026 World Cup, designed to steal personal and financial information, sell fraudulent tickets and hospitality packages, and conduct other fraud schemes. (Bleeping Computer)

3. Sector-Specific Analysis

Energy Sector

  • HVAC Control System Vulnerability: CISA issued an advisory for Schneider Electric EcoStruxure Machine Expert HVAC systems. While specific details require review of the full advisory, vulnerabilities in HVAC control systems can impact building automation and energy management across facilities. Organizations using these systems should review ICSA-26-148-07 and apply recommended mitigations. (CISA ICS Advisories)
  • EV Charging Infrastructure: CISA released an advisory for XCharge C6 electric vehicle charging systems (ICSA-26-148-08). Successful exploitation of identified vulnerabilities could impact charging infrastructure operations. EV charging operators should review the advisory and implement appropriate security controls. (CISA ICS Advisories)

Water and Wastewater Systems

  • Targeted Attacks on Water Facilities: Water ISAC has released TLP:AMBER intelligence regarding indicators of compromise used in targeted attacks against water facilities, including a Utah SIAC report detailing port-hopping techniques being used against Utah assets. Member utilities should access these reports through the Water ISAC portal. (Water ISAC)
  • GAO Report on Sector Cybersecurity: The Government Accountability Office has released a report titled "Actions Needed to Address Persistent Cybersecurity Threats to the Water and Wastewater Sector," highlighting ongoing challenges and recommending specific actions to improve sector resilience. (Water ISAC)
  • Iranian Threat Heightened: Water ISAC's updated situation report on potential Iranian retaliation specifically identifies water sector assets as potential targets. Utilities should review their incident response plans and ensure monitoring capabilities are optimized. (Water ISAC)

Communications and Information Technology

  • Gogs Zero-Day Vulnerability: A critical unpatched zero-day vulnerability in the Gogs self-hosted Git service allows authenticated attackers to achieve remote code execution on internet-facing instances. Approximately 30,000 deployments are potentially exposed. The lack of vendor response highlights the risks associated with open source projects with limited maintenance resources. (Bleeping Computer, CSO Online)
  • Gitea Container Registry Flaw: A vulnerability in Gitea exposed approximately 30,000 deployments to attacks, allowing attackers to pull private container images and potentially access source code, credentials, and infrastructure details. (SecurityWeek)
  • Zapier Vulnerability Chain: A five-step flaw chain in the Zapier automation service, now patched, could have allowed a single attacker to act as any signed-in user across thousands of connected applications. Organizations using Zapier should verify they are running the latest version. (CyberScoop)
  • Industrial Network Converters: CISA issued an advisory for Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet converters (ICSA-26-148-02). These devices are commonly used in industrial environments for serial-to-network communications. (CISA ICS Advisories)

Transportation Systems

  • Maritime Voyage Data Recorder Vulnerability: CISA released advisory ICSA-26-148-01 for MacGregor Voyage Data Recorder (VDR) G4e systems. VDRs are critical maritime safety systems that record vessel data for accident investigation. Successful exploitation could impact maritime safety and regulatory compliance. Maritime operators should review the advisory and coordinate with MacGregor for patches or mitigations. (CISA ICS Advisories)

Healthcare and Public Health

  • HIPAA Security Conference: HHS Office for Civil Rights and NIST are hosting "Safeguarding Health Information: Building Assurance through HIPAA Security 2026" on September 2, 2026. Healthcare organizations should plan attendance for updates on security requirements and best practices. (NIST)

Financial Services

  • Cryptocurrency Sector Targeting: The JINX-0164 campaign specifically targets cryptocurrency firms through fake recruiter lures and macOS malware. Cryptocurrency exchanges, custodians, and DeFi platforms should enhance screening of recruitment-related communications and strengthen endpoint security for macOS devices. (The Hacker News)
  • AI-Enabled Sanctions Evasion: Reports indicate growing concerns about AI-enabled sanctions evasion, creating new governance challenges for financial institutions and compliance teams. (CSO Online)

Commercial Facilities / Hospitality

  • Carnival Corporation Breach: The world's largest cruise line operator confirmed a data breach affecting nearly 6 million customers. The incident, claimed by ShinyHunters, originated from a social engineering attack. Affected individuals face identity theft risks and should monitor for suspicious activity. (SecurityWeek, Bleeping Computer)
  • Travel Sector Unprepared: Research indicates 92% of travel agencies experienced some form of cyber threat in the last 12 months, yet the sector remains largely unprepared as summer travel season approaches. (Security Magazine)
  • Building Access Control: CISA issued advisories for ABB Busch-Welcome 2 Wire Door Opener Actuator (ICSA-26-148-04) and ABB EIBPORT (ICSA-26-148-03) building automation systems. Facilities using these systems should review advisories and implement recommended security measures. (CISA ICS Advisories)

Physical Security Systems

  • CCTV Security Camera Vulnerabilities: CISA released advisory ICSA-26-148-06 for KMW CCTV Security Cameras. Successful exploitation could allow unauthorized access to video surveillance systems. (CISA ICS Advisories)
  • Network Video Recorder Flaw: CISA issued advisory ICSA-26-148-05 for CP Plus 8 Channel Network Video Recorders. Organizations using these devices for security monitoring should review and apply mitigations. (CISA ICS Advisories)

4. Vulnerability and Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

Product          | Vulnerability                          | Severity | Status             | Action Required
-----------------|----------------------------------------|----------|--------------------|-----------------------------------------------------
FortiClient EMS  | CVE-2026-35616 (Authentication Bypass) | Critical | Actively Exploited | Apply hotfix immediately
Gogs Git Service | RCE Zero-Day (Unpatched)               | Critical | No Patch Available | Restrict internet exposure; monitor for exploitation
Gitea            | Container Registry Access Flaw         | High     | Patched            | Update to latest version
Zapier           | Account Takeover Chain                 | High     | Patched            | Verify current version

CISA ICS Advisories (May 28, 2026)

CISA released eight Industrial Control System advisories this week:

  • ICSA-26-148-01: MacGregor Voyage Data Recorder (VDR) G4e – Maritime safety systems
  • ICSA-26-148-02: PUSR USR-W610 RS232/485 to Wi-Fi/Ethernet Converter – Industrial communications
  • ICSA-26-148-03: ABB EIBPORT – Building automation
  • ICSA-26-148-04: ABB Busch-Welcome 2 Wire Door Opener Actuator – Access control
  • ICSA-26-148-05: CP Plus 8 Ch. Network Video Recorder – Video surveillance
  • ICSA-26-148-06: KMW CCTV Security Cameras – Video surveillance
  • ICSA-26-148-07: Schneider Electric EcoStruxure Machine Expert HVAC – Building automation
  • ICSA-26-148-08: XCharge C6 – EV charging infrastructure

Full advisories and CSAF files are available at: CISA ICS Advisories

Recommended Defensive Measures

  • FortiClient EMS: Fortinet released hotfixes in April 2026 after the vulnerability was exploited as a zero-day. Organizations should verify patch status immediately. The ongoing campaign deploys the "EKZ" credential stealer, so post-exploitation indicators should be monitored. (SecurityWeek, The Hacker News)
  • Gogs Deployments: With no patch available, organizations should: (1) Remove Gogs instances from direct internet exposure; (2) Implement network segmentation; (3) Restrict authentication to trusted users; (4) Consider migration to actively maintained alternatives. (CSO Online)
  • Open Source Component Monitoring: Given the evolution from typosquatting to realistic package impersonation, organizations should implement software composition analysis (SCA) tools and verify package authenticity beyond name matching. (Infosecurity Magazine)
  • CERT-In Guidance: India's Computer Emergency Response Team (CERT-In) has urged organizations to contain exploited internet-facing vulnerabilities within 12 hours, a benchmark that critical infrastructure operators globally should consider adopting. (CSO Online)
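The package-impersonation item in Section 2 and the SCA recommendation above both come down to the same control: a package must be identified by more than its name. The following is an added example, not code from any of the cited sources or from any package manager, of the pip-style lockfile check that makes name-only matching insufficient: each dependency is pinned to a version and a content digest, and a downloaded artifact is accepted only if all three agree. The package names, versions and artifact bytes are constructed; the digests in the sample lockfile are computed from those bytes so the example runs offline.

```python
"""Verify downloaded artifacts against a hash-pinned lockfile.

Added example, not from pip or any cited source. A look-alike package
that copies a legitimate name (or a tampered copy served under the real
name) has different bytes, so it fails the digest check even though the
name matches.
"""
import hashlib
import re

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=(?P<algo>sha256|sha512):(?P<digest>[0-9a-fA-F]+)")


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lockfile(text):
    """Return {normalized_name: {"version": v, "hashes": {(algo, digest), ...}}}.

    Understands pip's backslash line continuations and '#' comments.
    Any requirement that is not pinned to ==version with at least one
    --hash is rejected outright rather than silently accepted."""
    pins = {}
    logical = text.replace("\\\n", " ")
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned requirement: {line!r}")
        hashes = {(h["algo"], h["digest"].lower()) for h in HASH_RE.finditer(line)}
        if not hashes:
            raise ValueError(f"no --hash for {m['name']}")
        pins[normalize(m["name"])] = {"version": m["version"], "hashes": hashes}
    return pins


def verify_artifact(pins, name, version, data):
    """Return (ok, reason) for the bytes of a downloaded wheel or sdist."""
    pin = pins.get(normalize(name))
    if pin is None:
        return False, f"{name} is not in the lockfile"
    if pin["version"] != version:
        return False, f"{name} {version} does not match pinned {pin['version']}"
    for algo, digest in pin["hashes"]:
        if hashlib.new(algo, data).hexdigest() == digest:
            return True, f"{name}=={version} matches pinned {algo} digest"
    return False, f"{name}=={version} content does not match any pinned digest"


# Constructed artifacts: same name and version, different contents.
GOOD_ARTIFACT = b"constructed: legitimate example_pkg-1.4.2 wheel contents"
LOOKALIKE_ARTIFACT = b"constructed: tampered example_pkg-1.4.2 wheel contents"

# Constructed lockfile; the digest is computed from the sample bytes above.
LOCKFILE = (
    "# constructed lockfile for the example\n"
    "example-pkg==1.4.2 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}\n"
    "other-lib==0.9.0 --hash=sha256:" + "00" * 32 + "\n"
)


def run_demo():
    """Exercise the four outcomes a verifier has to distinguish."""
    pins = parse_lockfile(LOCKFILE)
    return {
        # Name normalization: Example_Pkg and example-pkg are the same project.
        "good": verify_artifact(pins, "Example_Pkg", "1.4.2", GOOD_ARTIFACT)[0],
        "lookalike": verify_artifact(pins, "example-pkg", "1.4.2", LOOKALIKE_ARTIFACT)[0],
        "wrong_version": verify_artifact(pins, "example-pkg", "1.4.3", GOOD_ARTIFACT)[0],
        "unpinned": verify_artifact(pins, "example-pkgs", "1.4.2", GOOD_ARTIFACT)[0],
    }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:14s} accepted={ok}")
```

In practice the equivalent enforcement is `pip install --require-hashes -r requirements.txt`, which refuses any requirement lacking a pin or a digest; the value of writing the check out is seeing that the look-alike case fails on content, not on name, which is exactly the gap realistic impersonation exploits. Digests pin bytes, not trustworthiness: the lockfile itself still has to be generated from a reviewed source and protected in version control.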

5. Resilience and Continuity Planning

Lessons Learned

  • Social Engineering Remains Primary Vector: The Carnival breach affecting 6 million individuals originated from a social engineering attack, reinforcing that technical controls must be complemented by robust security awareness training and verification procedures for sensitive requests.
  • Open Source Maintenance Gaps: The Gogs zero-day situation illustrates the risks of depending on open source projects with limited maintenance resources. Organizations should assess the maintenance status of critical open source dependencies and have contingency plans for unmaintained projects.
  • AI Attack Speed: The observation of an AI agent completing a full cyberattack in under one hour demonstrates that traditional incident response timelines may be insufficient. Organizations should evaluate automated detection and response capabilities.

Supply Chain Security Developments

  • IBM/Red Hat Project Lightwell: IBM and Red Hat announced a $5 billion commitment to secure open source supply chains through "Project Lightwell." The initiative aims to fix vulnerabilities without breaking production systems and position the companies as a "security clearinghouse" for enterprise open source applications. This represents a significant industry investment in addressing supply chain security challenges. (SecurityWeek, CSO Online)
  • GlassWorm Takedown: While the GlassWorm malicious repository operation has been disrupted, security researchers emphasize that the broader repository security problem remains far from solved. Organizations should maintain vigilance for similar threats. (CSO Online)

Cross-Sector Dependencies

  • AI Tool Dependencies: The GreyVibe campaign's use of commercial AI tools (ChatGPT, Gemini) for attack development highlights a new dependency consideration—threat actors leveraging the same AI services used by defenders. This creates complex considerations for AI governance and potential abuse monitoring.
  • Automation Platform Risks: The Zapier vulnerability chain demonstrated how a flaw in a widely-used automation platform could enable attackers to act as any user across thousands of connected applications, illustrating cascading risk from integration platforms.

6. Regulatory and Policy Developments

Federal Guidelines and Regulatory Changes

  • CISA Cyber Incident Reporting Town Halls: CISA has announced a revised town hall schedule to engage with stakeholders on cyber incident reporting requirements for critical infrastructure. Organizations should participate to understand upcoming reporting obligations and provide input on implementation. (Water ISAC)
  • House Homeland Security Committee AI Hearing: The House panel is poised to hold a hearing examining AI's impact on cybersecurity, adding a public event to its ongoing series of examinations of the topic. This signals continued Congressional attention to AI-related security challenges. (CyberScoop)

Vulnerability Disclosure Policy Developments

  • Microsoft CVD Position: Microsoft has issued a strong statement in favor of Coordinated Vulnerability Disclosure (CVD), criticizing "uncoordinated" zero-day disclosures following the removal of a GitHub researcher account. Microsoft warned that disclosure of several unpatched vulnerabilities without notice has put "customers at unnecessary risk." This highlights ongoing tensions in the security research community regarding disclosure practices. (The Hacker News, Infosecurity Magazine)

International Developments

  • GCHQ AI/Quantum Warning: GCHQ's director has urged urgent business cyber action as AI and quantum computing reshape the threat landscape. The statement emphasizes the need for organizations to prepare for both near-term AI-enabled threats and longer-term quantum computing implications. (Infosecurity Magazine)

AI Governance

  • Enterprise AI Governance Imperative: Industry analysis emphasizes that AI governance can no longer be ignored, with organizations facing increasing pressure to implement controls around AI usage. A new AI usage report reveals that enterprise AI risk is heavily concentrated among a small group of "power users," suggesting targeted governance approaches may be effective. (CSO Online, The Hacker News)

7. Training and Resource Spotlight

New Tools and Platforms

  • Google AI Threat Defense Platform: Google has unveiled a new AI Threat Defense platform combining capabilities from Mandiant, Wiz, and Gemini to help customers "fight AI with AI." The platform aims to address the challenge of machine-speed attacks identified by security leaders. (SecurityWeek)
  • Edamame Runtime Verification: France-based startup Edamame has launched a runtime verification platform using host telemetry and AI analysis to detect coding-agent "intent drift," secret theft, and supply-chain attacks in real time. (SecurityWeek)
  • Geordie AI Security Platform: Geordie has raised $30 million for its AI security and governance platform, with funding from Balderton Capital, Crosspoint Capital, General Catalyst, and Ten Eleven Ventures. (SecurityWeek)

Industry Research

  • CISO Experience Preferences: An ISC2 survey reveals that cybersecurity staff prefer CISOs with real attack response experience, suggesting organizations should prioritize incident response experience when hiring security leadership. (Infosecurity Magazine)
  • Industrialization of Exploitation: CSO Online analysis examines what the "industrialization of exploitation" means for defenders, providing strategic context for security teams facing increasingly automated and scaled attack operations. (CSO Online)

Upcoming Training Opportunities

  • H2OSecCon: Water ISAC's security conference is scheduled for next week. Water sector security professionals should confirm registration and attendance. (Water ISAC)

8. Looking Ahead: Upcoming Events

Conferences and Workshops

  • June 4, 2026 (1:00 PM - 2:00 PM EDT): NCCoE Manufacturing Project Update – Virtual event providing an overview of upcoming guidelines on improving cybersecurity incident response in manufacturing environments. (NIST)
  • June 9, 2026 (1:00 PM - 3:30 PM EDT): NIST NCCoE Genomic Data PETs Testbed & Dioptra Webinar – Showcasing recent work on Privacy-Enhancing Technologies (PETs) Testbed and Dioptra platform. (NIST)
  • June 22, 2026: NIST Workshop on Hardware CPE and CVSS Updates – One-day workshop on hardware representation in Common Platform Enumeration (CPE) and Common Vulnerability Scoring System (CVSS) application to hardware. (NIST)
  • June 25, 2026: Iris Experts Group Annual Meeting – Forum for discussion of technical questions related to iris recognition for USG agencies. (NIST)
  • July 21, 2026: 2026 Time and Frequency Seminar – NIST Time and Frequency Division's annual seminar covering precision clocks, atomic frequency standards, and quantum information. (NIST)
  • September 2, 2026: Safeguarding Health Information: Building Assurance through HIPAA Security 2026 – Joint HHS OCR and NIST conference on HIPAA security requirements. (NIST)

Threat Periods Requiring Heightened Awareness

  • FIFA World Cup 2026: With the tournament approaching, the FBI warning about fake FIFA websites indicates an elevated fraud threat period. Organizations should alert employees about World Cup-themed phishing and fraud schemes.
  • Summer Travel Season: The travel sector's reported unpreparedness combined with elevated threat activity suggests heightened risk for hospitality and transportation sectors through the summer months.
  • Iranian Retaliation Window: Water ISAC's heightened threat assessment regarding potential Iranian retaliation warrants continued elevated monitoring, particularly for water and energy sector assets.

Regulatory Milestones

  • CISA Cyber Incident Reporting: Organizations should monitor CISA's revised town hall schedule for opportunities to engage on upcoming cyber incident reporting requirements for critical infrastructure.

This intelligence briefing is compiled from open-source reporting and is intended to support critical infrastructure protection decision-making. Recipients are encouraged to verify information through official channels and share relevant threat intelligence through appropriate information sharing mechanisms.

Report Date: Friday, May 29, 2026

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.