Cybersecurity Radar — 2026-05-14
Two unpatched Windows zero-days — dubbed YellowKey and GreenPlasma — went public with proof-of-concept exploits, threatening BitLocker-protected systems and enabling privilege escalation across unpatched Windows environments. Meanwhile, Microsoft's May 2026 Patch Tuesday delivered fixes for 120+ vulnerabilities including a critical zero-click Outlook flaw (CVE-2026-40361), and global cyberattacks rebounded sharply in April with ransomware expanding and GenAI-assisted threats surging, according to Check Point Research.
🔴 Critical Alerts
Windows BitLocker Zero-Days (YellowKey & GreenPlasma) — PoC Released
A security researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities. "YellowKey" bypasses BitLocker drive protection, potentially exposing encrypted data on a stolen or otherwise physically accessible device. "GreenPlasma" is a privilege-escalation flaw that grants an attacker who already has a foothold on the machine elevated access. Both remain unpatched as of this writing, and the available reporting does not describe the bypass mechanism, so it is not yet clear whether configurations such as a TPM with a pre-boot PIN blunt YellowKey; until Microsoft says otherwise, treat any BitLocker-protected device that leaves a controlled environment as potentially exposed. Recommended action: restrict physical access to Windows devices, monitor for unusual privilege activity, and apply any Microsoft emergency patches immediately on release.

CVE-2026-40361 — Critical Zero-Click Microsoft Outlook Vulnerability Patched
Microsoft's May 2026 Patch Tuesday addressed CVE-2026-40361, a critical zero-click Outlook vulnerability that SecurityWeek compares to the decade-old "BadWinmail" bug, which was dubbed an "enterprise killer" at the time. Because the flaw triggers without user interaction, a message does not have to be opened for it to fire, which makes it particularly dangerous in enterprise mail environments. Recommended action: apply Microsoft's May 2026 cumulative updates immediately, prioritizing Outlook client deployments.

Threat Landscape
Global Cyberattacks Spike 10% in April 2026 — Ransomware Expands, GenAI Risks Surge
Check Point Research reports that global cyber-attack activity rebounded sharply in April 2026 following a brief moderation period, with every region recording higher attack volumes. Ransomware campaigns expanded in scope while generative AI-assisted attacks continued to pose persistent risks across sectors. The report highlights that ransomware groups are evolving tactics alongside the broader threat environment.

Q1 2026 Ransomware: Fewer Groups, Higher Impact — "The Gentlemen" Pre-Staged 14,700 FortiGate Devices
Q1 2026 saw 2,122 organizations hit by ransomware. The top 10 groups accounted for 71% of all victims, reflecting dangerous consolidation. Most notably, threat actor group "The Gentlemen" is reported to have scaled operations using 14,700 pre-exploited FortiGate devices, representing a sophisticated pre-staged access campaign. This consolidation trend means fewer ransomware operators are delivering a proportionally larger share of damage.

Ransomware Groups Escalate to Physical Threats
In an alarming evolution of extortion tactics, ransomware operators are now threatening victims with physical harm, according to Cybersecurity Insiders. This moves cyber extortion beyond data theft and reputational damage into real-world intimidation, raising the stakes for incident response teams and organizational leadership: a threat of violence against staff is a matter for law enforcement and physical security, not only for the IR playbook. Targeted sectors and specific threat actors were not disclosed in available reporting at press time.

China-Linked Threat Actor Targets Azerbaijani Energy Sector
The Hacker News reports that a threat actor with affiliations to China has been linked to a "multi-wave intrusion" targeting an unnamed Azerbaijani oil and gas company, with activity spanning late December 2025 through late February 2026. This marks an expansion of the group's targeting into the Caucasus energy sector, a strategically significant escalation. TTPs and attribution details are expected to follow in a dedicated report.

ShinyHunters' Eight-Month Infiltration of Instructure (Canvas) — Krebs on Security Analysis
Krebs on Security has published an in-depth analysis showing that the ShinyHunters breach of Instructure (Canvas), which resulted in the theft of data on 275 million users, was not an isolated event. The attack, Krebs reports, was the escalation of activity ShinyHunters had been building against Instructure's environment for at least eight months before the May 2026 events. The breach was initially framed as a Penn-specific issue, but the broader context indicates a sustained, pre-planned campaign.

Vulnerabilities & Patches
Microsoft May 2026 Patch Tuesday — 120+ CVEs, 30 Critical, No In-the-Wild Zero-Days
Microsoft's May 2026 Patch Tuesday addressed more than 120 CVE-numbered vulnerabilities; according to SC World, it is the first month since June 2024 with no actively exploited zero-days in the patch set (the unpatched YellowKey and GreenPlasma bugs covered above are not part of it). The update includes 30 Critical-rated CVEs, among them the zero-click Outlook flaw CVE-2026-40361 covered above, and four Microsoft Word remote code execution (RCE) flaws. Nothing in this cycle is listed as exploited in the wild, but the volume and severity still make for a busy patching week. Key products affected include Windows, Azure, and Office.

Windows 10 KB5087544 Extended Security Update Released
Microsoft has released the Windows 10 KB5087544 extended security update, which carries the May 2026 Patch Tuesday fixes for Windows 10 hosts on Extended Security Updates and also resolves recently reported Remote Desktop warning issues. Organizations still running Windows 10 under extended support should prioritize this update.
Zero Day Initiative — May 2026 Security Update Review
The Zero Day Initiative (ZDI) has published its comprehensive review of the May 2026 security updates, noting the heavy volume of patches and highlighting that nothing in this cycle has yet been listed as exploited in the wild — though ZDI cautions this status can change quickly. Patch prioritization guidance is available directly from ZDI for security operations teams.

Breaches & Incidents
West Pharmaceutical Services Hit by Disruptive Ransomware Attack
West Pharmaceutical Services, a global manufacturer of drug delivery systems and packaging components, was forced to take systems offline worldwide following a ransomware attack, disrupting operations across the company. The scope of data exfiltration, the ransomware group responsible, and the full operational impact have not been fully disclosed. West Pharmaceutical Services supplies critical components to the pharmaceutical industry, amplifying the potential downstream impact of the disruption.

Instructure (Canvas) Reaches Ransom Agreement with ShinyHunters — 3.65TB of Education Data at Risk
Instructure, the company behind the Canvas learning management platform, reached a ransom agreement with the ShinyHunters threat group following the theft of data on approximately 275 million Canvas users — representing 3.65TB of sensitive education records. The agreement was aimed at preventing wider leaks and further extortion. The breach affected millions of students globally, coinciding with final examination season. Krebs on Security's separate analysis (see Threat Landscape above) reveals this was the culmination of an eight-month infiltration campaign.

Industry & Policy
OpenAI Launches "Daybreak" — AI-Powered Vulnerability Detection and Patch Validation
OpenAI has launched Daybreak, a new cybersecurity initiative combining frontier AI model capabilities with Codex Security to help organizations identify and patch vulnerabilities before attackers can exploit them. The platform aims to accelerate the vulnerability-to-patch lifecycle, potentially offering significant advantages to security teams facing the volume of disclosures seen in May's Patch Tuesday cycle.

CISO Role Gaining Strategic Prominence in 2026
Industry analysis highlights that the CISO role has taken on significantly greater strategic importance in 2026, driven by growing AI security risks, complex compliance requirements (including CMMC frameworks), and a surge in high-impact data breaches. Organizations are increasingly elevating cybersecurity leadership to board-level influence. This shift reflects the operational reality that ransomware and nation-state threats now directly affect business continuity and regulatory standing.

What to Watch
- Windows zero-day exploitation window: the YellowKey (BitLocker bypass) and GreenPlasma (privilege escalation) PoCs are public and no patch is available. Expect rapid weaponization. The BitLocker bypass matters most where devices leave controlled premises, such as during travel or at unsecured locations; the privilege-escalation bug matters wherever an attacker already has a low-privileged foothold.
- "The Gentlemen" pre-staged FortiGate infrastructure: with 14,700 pre-compromised FortiGate devices reportedly under this group's control, a large-scale ransomware or extortion campaign could follow. Organizations running FortiGate should audit for indicators of compromise now rather than wait for follow-on activity.
- China-linked energy-sector espionage expansion: the multi-wave intrusion into an Azerbaijani oil and gas company signals a geographic broadening of China-affiliated APT operations into the Caucasus. Energy and critical-infrastructure operators in adjacent regions should heighten monitoring.

Reader Action Items
- Patch immediately: prioritize CVE-2026-40361 (the zero-click Outlook flaw) and the 30 Critical-rated May Patch Tuesday CVEs. Deploy Microsoft's May 2026 cumulative updates, including KB5087544 on Windows 10 extended-support hosts. The Outlook flaw requires no user interaction, so a message does not have to be opened to trigger it.
- Audit FortiGate devices for indicators of compromise. Given reporting that "The Gentlemen" pre-staged access on 14,700 FortiGate devices, sweep every FortiGate appliance in the environment now. The reporting does not name the vulnerability used for initial access, so check firmware against Fortinet's PSIRT advisories rather than assuming a single CVE, and review each device for unexpected administrator accounts and configuration changes.
- Harden Windows endpoints against the BitLocker and privilege-escalation zero-days. While awaiting patches for YellowKey and GreenPlasma, restrict physical device access, alert on changes to BitLocker protection state, limit local administrator membership, and deploy application control policies to shrink the privilege-escalation attack surface. Monitor the Windows Security event log for anomalous privilege use.
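The "monitor for unusual privilege activity" guidance in the Critical Alerts item and the Windows hardening action item above can be turned into a routine endpoint sweep. The following PowerShell script is an added example written for this digest; it is not code from Microsoft, from the researcher who published the PoCs, or from any of the cited reports. It assumes an elevated PowerShell 5.1 or later session on a Windows 10/11 host with auditing enabled for Special Logon (event 4672) and Process Creation (event 4688). The parameter names, the expected-admin list and the list of routine service accounts it ignores are the author's assumptions and should be adjusted per environment; KB5087544 is only the right KB to check on Windows 10 extended-support hosts.

```powershell
# Added example for this digest, not code from any of the reports it summarizes.
# Assumptions: elevated PowerShell 5.1+ on Windows 10/11; auditing enabled for
# "Special Logon" (4672) and "Process Creation" (4688); KB5087544 applies only
# to Windows 10 ESU hosts, so pass -KB for other builds.
param(
    [string]$KB = 'KB5087544',
    [int]$LookbackHours = 24,
    # Accounts expected in the local Administrators group (assumption; edit per environment).
    [string[]]$ExpectedAdmins = @('Administrator', 'Domain Admins')
)

# 1. Patch state. Get-HotFix reads the installed updates of the local machine.
$hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
if ($hotfix) { "OK    $KB installed $($hotfix.InstalledOn)" } else { "WARN  $KB not installed" }

# 2. Local administrator membership. Anything outside the expected list is a finding.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
    $short = ($_.Name -split '\\')[-1]
    if ($ExpectedAdmins -notcontains $short) {
        "WARN  unexpected local admin: $($_.Name) [$($_.ObjectClass), $($_.PrincipalSource)]"
    }
}

# 3. Privilege-use signals from the Security log.
# Pulls a named EventData field from the event's XML rendering, which is more
# reliable than parsing the localized message text.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672, 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue
# Routine service logons that generate 4672 on every host (assumption; tune per baseline).
$noise = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'DWM-1', 'UMFD-0')

$specialByUser = @{}   # 4672: special privileges assigned at logon, counted per account
$elevatedProcs = @()   # 4688: processes started with a full (elevated) token
foreach ($e in $events) {
    $user = Get-EventField -Event $e -Name 'SubjectUserName'
    if ($e.Id -eq 4672) {
        # Skip machine accounts (trailing $) and the well-known service principals.
        if ($user -match '\$$' -or $noise -contains $user) { continue }
        $specialByUser[$user] = 1 + [int]$specialByUser[$user]
    }
    elseif ($e.Id -eq 4688) {
        # %%1937 is TokenElevationTypeFull: the process runs with the full admin token.
        if ((Get-EventField -Event $e -Name 'TokenElevationType') -eq '%%1937') {
            $elevatedProcs += [pscustomobject]@{
                Time    = $e.TimeCreated
                User    = $user
                Process = Get-EventField -Event $e -Name 'NewProcessName'
                Parent  = Get-EventField -Event $e -Name 'ParentProcessName'
            }
        }
    }
}

"`nSpecial-privilege logons (4672) in the last $LookbackHours h, by account:"
$specialByUser.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 10 |
    ForEach-Object { '  {0,5}  {1}' -f $_.Value, $_.Key }

# First pass: elevated processes launched from outside %SystemRoot%. Binaries under
# C:\Windows can still be abused, so widen this filter once the baseline is understood.
"`nElevated-token process starts (4688) outside C:\Windows ($($elevatedProcs.Count) elevated in total):"
$elevatedProcs | Where-Object { $_.Process -notlike 'C:\Windows\*' } |
    Sort-Object Time | Format-Table Time, User, Process, Parent -AutoSize
```

Run it as a scheduled task or from an EDR live-response session and compare successive runs: a new account in the 4672 list, or an elevated process started from a user-writable path, is the kind of change worth investigating while the GreenPlasma PoC is public and unpatched. The script reports; it does not block or remediate.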
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.