Weekly Cyber Briefing 29.05.2026

Weekly Cyber Update: 29 May 2026

Drupal and TrendAI vulnerabilities are exploited in the wild; fake AI web pages install infostealers; Kali365 PhaaS platform steals credentials; and GCHQ sounds the alarm over AI

The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.


Critical Drupal flaw exploited in live attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) has told federal agencies to urgently patch an SQL injection vulnerability in the Drupal content management system (CMS) that is under active exploitation. CVE-2026-9082 has a CVSS score of 9.8 and can be exploited without authentication – leading to possible information disclosure, privilege escalation and remote code execution.

Why it matters

Drupal is popular among large enterprises. Imperva has observed over 15,000 attacks attempting to exploit the vulnerability across 65 countries, with most so far targeting the gaming, financial services, business, and IT sectors. Automated scanning makes it easier for threat actors to find and exploit exposed systems.

Assured’s recommended action

Identify affected Drupal instances and apply emergency vendor patches in line with Drupal’s advice. Update WAFs with virtual patching signatures to enhance protection ahead of emergency patch deployment. Brief the SecOps team to hunt for indicators of compromise (IoCs).


Fake Gemini and Claude Code sites deliver infostealers

Security researchers have warned of a new phishing campaign designed to spread info-stealing malware through infected web pages. The threat actors behind it used SEO-poisoning techniques to artificially improve the ranking of their sites – which promise access to Google’s Gemini CLI and Anthropic’s Claude Code. In fact, they are designed to trigger an installation of infostealing malware.

Why it matters

Users in the US and UK are reportedly being singled out in this campaign, with a deliberate focus on enterprise users and developer workstations. The malware is programmed to steal credentials, session cookies and other info from Chrome, Edge, Brave and Firefox browsers, as well as data from Slack, Discord, Zoom, Telegram, Teams and other applications. It is designed to run entirely in memory using PowerShell, which means traditional scanning tools will not pick it up.

Assured’s recommended action

Restrict PowerShell on endpoints by configuring it to run in Constrained Language Mode. Configure browsers to block unauthorised web-to-clipboard write access when interacting with external domains. Configure EDR to detect the attack in line with researchers’ recommendations.


TrendAI patches zero-day vulnerability exploited in the wild

Cybersecurity giant TrendAI has patched a zero-day vulnerability in its Apex One endpoint security product which is currently being exploited in the wild. CVE-2026-34926 is described as a directory traversal vulnerability in the on-premises version of the product. An attacker must have access to the Apex One Server and have obtained administrative credentials to the server to exploit the bug. Doing so could allow threat actors to inject malicious code into endpoint agents.

Why it matters

TrendAI’s Apex One platform has been a popular target for threat actors over the years. CISA has listed 11 historic vulnerabilities that have been or are being exploited in the wild, including this one. It warns that vulnerabilities like it are popular attack vectors and “pose significant risks”.

Assured’s recommended action

Block internet access to the management console until updates have been applied. Apply the patch in line with TrendAI’s guidance. Hunt for IoCs.


Kali365 PhaaS platform steals Microsoft account details via OAuth code abuse

The FBI has warned users of attacks using the Kali365 phishing-as-a-service (PhaaS) platform to gain persistent access to Microsoft 365 accounts. Hackers use Kali365 to generate an email spoofing Microsoft and containing a legitimate device code for victims to enter on a Microsoft verification page. Doing so will give the attackers persistent OAuth access to the victim’s account.

Why it matters

Cybercrime services like Kali365 help low-skilled threat actors to bypass MFA and achieve persistent access to Microsoft 365 accounts for data theft, extortion, espionage, BEC and other attacks.

Assured’s recommended action

Block device code flow for all users, and create limited exceptions if required. Block authentication transfer policies to stop users transferring authentication from PCs to mobile devices. Roll out phishing-resistant MFA. Update end-user education programmes to share details of the threat with employees.
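
An added example, not part of the original briefing: before enforcing a tenant-wide block, existing device code sign-ins can be inventoried to decide which exceptions are justified. The sign-in records below are constructed, and the field names (`authenticationProtocol`, `status.errorCode`) assume an export shaped like the Microsoft Graph beta signIn resource.

```python
from collections import defaultdict

# Constructed sample sign-in records. Field names follow the Microsoft Graph
# beta signIn resource; adjust them if your export differs (assumption).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "a.patel@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "A.Patel@example.com", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "j.owen@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.50",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "j.owen@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "oAuth2", "ipAddress": "192.0.2.10",
     "status": {"errorCode": 0}},
    # Constructed non-zero errorCode stands for any failed sign-in.
    {"userPrincipalName": "m.lee@example.com", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.50",
     "status": {"errorCode": 1}},
]

def device_code_usage(signins, approved_apps=frozenset()):
    """Summarise successful device code sign-ins per (user, app).

    Entries whose app is not in approved_apps are marked for review before
    any exception to a tenant-wide device code block is granted.
    """
    usage = defaultdict(lambda: {"count": 0, "ips": set()})
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # other protocols are out of scope here
        if rec.get("status", {}).get("errorCode") != 0:
            continue  # count only sign-ins that completed successfully
        key = (rec.get("userPrincipalName", "").lower(), rec.get("appDisplayName", ""))
        usage[key]["count"] += 1
        usage[key]["ips"].add(rec.get("ipAddress", "unknown"))
    return [{"user": user, "app": app, "count": info["count"],
             "ips": sorted(info["ips"]), "review": app not in approved_apps}
            for (user, app), info in sorted(usage.items())]

if __name__ == "__main__":
    for row in device_code_usage(SAMPLE_SIGNINS, approved_apps={"Microsoft Azure CLI"}):
        print(row)
```

Rows with `review` set to `True` are device code sign-ins from apps outside the approved list, which is where an exception request or an investigation would start.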


GCHQ warns that cybersecurity is now “10 times more urgent”

The head of GCHQ has argued that UK businesses need to treat cybersecurity with much greater urgency, as AI rapidly reshapes the threat landscape. Anne Keast-Butler claimed in the agency’s first annual lecture that corporate cybersecurity now represents the “front-line defence of our nation, our economy and our way of life” – especially for critical infrastructure (CNI) providers. Keast-Butler warned of frontier AI’s ability to discover new vulnerabilities, and of the impending disruption that quantum computing will cause. This makes cyber “10 times more urgent”, she added.

Why it matters

Keast-Butler’s words should serve as another reminder of the need to review and update cyber-resilience plans.

Assured’s recommended action

Use the speech to make the case to the board for more investment in resilience initiatives. Audit for legacy encryption and prepare a roadmap for post-quantum cryptography. Integrate AI and automation into detection and response and patch/vulnerability management tooling. Establish internal governance and guardrails to minimise shadow AI. Transition from passwords to phishing-resistant authentication like passkeys. And prioritise supply chain risk management.
