Cyber Intelligence Weekly

Cyber Intelligence Weekly (May 10, 2026): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we turn to this week’s edition of Cyber Intelligence Weekly, I want to introduce a new Personal Spotlight Series: The Human Side of Cybersecurity.

This series is grounded in conversation rather than commentary. It centers on CISOs and other cyber leaders who are in the seat—navigating real leadership pressure, complex risk decisions, and the human realities of building and sustaining security programs. Some are earlier in their journey, others further along paths many of you may recognize or aspire toward. What they share isn’t theory. It’s experience—earned through moments of progress, frustration, growth, and reflection. These conversations are for the professionals who show up every day to quietly carry the weight of this industry.

Adam Gunnett — “You’re not competing on technology. You’re competing on how you use it.”

In this episode, I sat down with Adam Gunnett, VP of Business Intelligence and Strategy at Busy Beaver Home Improvements, a 19-store home improvement chain with deep roots in the Pittsburgh region. Adam’s career started in traditional IT and network administration before evolving into a broader leadership role across data, strategy, analytics, operations, and innovation. His story is a great example of how technology leaders can earn trust by solving real business problems, not just running systems.

What stood out most was how Adam’s role expanded after he helped implement a new ERP system early in his time at Busy Beaver. Because that project touched nearly every part of the business, he had to understand store operations, point-of-sale, invoicing, special orders, and frontline workflows. That gave him a seat at the table beyond IT—and allowed him to bring data into conversations where business decisions were being made.

Adam also shared how Busy Beaver has used technology to compete with much larger players. From autonomous inventory-scanning robots to electronic shelf labels and AI-powered frontline tools, the company has been able to move quickly because leadership trusted him to explore, test, and implement meaningful innovation. But his message was clear: technology only matters if it solves a real problem.

Additional takeaways from the conversation:

  • Trust is built through execution. Adam earned broader influence by delivering on major projects quickly and effectively.
  • Innovation requires business fluency. To improve operations, he first had to understand how the work actually happens in stores.
  • Change management matters more than implementation. A tool can work technically and still fail if the people/process side is not thought through.
  • Real-world demos drive buy-in. Showing how electronic shelf labels improved picking, stocking, and accuracy helped leaders understand the value.
  • Mid-market companies should start with fundamentals. Infrastructure, cybersecurity, and communication come before dashboards, AI, and advanced analytics.
  • AI should empower people, not just replace them. Busy Beaver’s frontline AI helps employees identify products, answer questions, and assist customers in multiple languages.
  • Cyber risk is business risk. As companies become more connected and data-driven, security must be embedded into planning and resilience.
  • Speed and security are not opposites. With the right guardrails and leaders at the table, organizations can move fast and responsibly.
  • Data only matters if it drives action. Adam asks: if I give you this report, what decision or action will it change?
  • Do not automate a broken process. AI or technology layered on top of a bad process only makes the problem more expensive.

His billboard message was a great one: AI is a multiplier—make sure it’s multiplying the right things. He also offered a second line that captures the Busy Beaver story perfectly: You’re not competing on technology. You’re competing on how you use it.

If there was one thread that defined this conversation, it was this: great technology leadership is not about chasing the newest tool. It is about understanding the business, solving real problems, and using technology to create measurable advantage.

Watch the Full Interview Here: https://www.youtube.com/watch?v=RaRZfvEeSVk

Echelon Events & Thought Leadership Highlight

Modern attacks don’t follow a straight line.

The decisions you make today across tools, workflows, and detection logic will determine whether the next intrusion is contained or missed entirely.

Join our Offensive and Defensive Security teams, led by Matt Donato, Devin Jones, and Bryce Hayes, on May 13 for a live, end-to-end simulation that walks both sides of a modern attack, showing exactly how adversaries operate and how defenders can keep up.

You’ll see:

  • How attackers gain access, move laterally, and evade detection
  • How security teams investigate, validate, and respond in real time
  • What actually works when bridging the gap between offense and defense

Purple teaming isn’t theory; it’s how you close real detection gaps and build defenses that hold.

Reserve your spot now and see the full attack chain before you’re forced to respond to it live: https://lnkd.in/eqhrCKgu

Away we go!

1. Final Exams Disrupted After Massive Canvas Cyberattack Hits Universities Nationwide

The timing could not have been worse. As universities across the United States entered final exam season, thousands of students suddenly found themselves locked out of Canvas, one of the most widely used learning management platforms in higher education. The disruption stemmed from a cyberattack against Instructure, the company behind Canvas, that forced the platform offline for several hours and sent colleges scrambling to postpone exams, extend deadlines, and reassure anxious students. Institutions including the University of Pennsylvania, Duke, Baylor, Northwestern, Ohio State, and the University of Florida all reported service interruptions as the incident unfolded.

The attackers, believed to be linked to the ShinyHunters cybercriminal group, reportedly displayed ransom messages directly inside the platform before Instructure shut systems down to contain the breach. According to the company, the attackers exploited vulnerabilities tied to Free-for-Teacher accounts and maintained unauthorized access even after an earlier intrusion had been discovered days prior. Instructure later confirmed that personal data including usernames, email addresses, enrollment information, and user messages had been accessed during the initial breach, though the company stated that core learning content, passwords, and assignment submissions were not compromised.

What makes this incident particularly alarming is the sheer scale of the platform’s footprint across education. Canvas supports learning environments at a significant percentage of North American colleges and universities, meaning a single compromise created operational chaos across thousands of classrooms simultaneously. For many schools, the outage was more than an inconvenience. Professors lost access to exams and grading systems during one of the busiest academic periods of the year, while students worried about delayed testing, academic records, and the exposure of personal information. Security experts also warned that the stolen data could later be weaponized in phishing campaigns designed to impersonate universities, professors, or school administrators.

The incident underscores a growing reality in cybersecurity: attackers are increasingly targeting centralized cloud platforms that serve entire industries because one successful compromise creates downstream disruption for thousands of organizations at once. Educational institutions, many already stretched thin from an IT and security staffing perspective, now face mounting pressure to strengthen vendor risk management, improve incident response planning, and prepare for operational continuity when critical third-party platforms suddenly go dark. For students and educators alike, this attack was a stark reminder that cybersecurity incidents are no longer isolated IT problems. They are business continuity events with immediate real-world consequences.

Critical cPanel Vulnerability Under Active Exploitation

This week’s Cloud Security Corner focuses on a critical vulnerability in cPanel and WHM, the end-user and administrative halves of one of the most widely used web hosting control panels on the internet. The flaw, tracked as CVE-2026-41940, carries a CVSS score of 9.8 and is already being actively exploited in the wild. Security researchers and hosting providers have confirmed that attackers began exploiting vulnerable systems before patches were released, and at least one organization has reportedly experienced ransomware deployment tied to the flaw.

The risk here is substantial because cPanel underpins hosting environments for millions of websites, many operated by small and mid-sized businesses that rely heavily on third-party providers for infrastructure management. Successful exploitation can reportedly give attackers full control of the server, creating opportunities for ransomware, credential theft, website defacement, or malware distribution. Hosting providers such as Namecheap temporarily restricted access to management interfaces while patches were rolled out, and others warned customers to assume compromise if systems had remained exposed during the vulnerability window.

Recommended Actions:

  • Immediately verify that all cPanel and WHM systems have been updated to the latest patched versions
  • Restrict administrative access to management interfaces using VPNs or IP allowlists
  • Review server logs for unusual authentication attempts, web shell activity, or unauthorized account creation
  • Rotate credentials and API keys associated with hosting infrastructure
  • Enable multifactor authentication for all administrative accounts
  • Validate backups and recovery processes in case ransomware or destructive activity occurred before patching
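The log-review step in that list is the one most teams still do by hand. As an added example, not code from cPanel or from this newsletter, the script below pulls three of the signals the list asks for out of a handful of constructed, Apache-style access log lines: a burst of failed logins followed by a success from the same address, successful administrative logins from addresses outside an allowlist, and calls to the WHM createacct API. The sample lines, the allowlist network, and the failure threshold are all assumptions made for the example; cPanel’s own service access log (/usr/local/cpanel/logs/access_log) is close to this layout, but check the field order on your server before pointing the parser at real files.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines (invented data) modelled on the Apache-style log format
# that cPanel's service access log uses. 198.51.100.7 hammers the login endpoint,
# eventually succeeds, and then creates an account through the WHM API.
SAMPLE_LOG = """\
198.51.100.7 - - [11/May/2026:09:58:01 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [11/May/2026:09:58:02 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [11/May/2026:09:58:02 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [11/May/2026:09:58:03 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [11/May/2026:09:58:03 +0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - root [11/May/2026:09:58:04 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.7 - root [11/May/2026:09:58:09 +0000] "GET /json-api/createacct?api.version=1&username=sysupdate&domain=upd.example HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.10.5.20 - root [11/May/2026:10:15:44 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.5.20 - root [11/May/2026:10:16:02 +0000] "GET /cpsess0000000001/scripts/command HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - root [11/May/2026:11:02:11 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 0 "-" "curl/8.5.0"
"""

# Networks from which administrative logins are expected (assumed for the example).
ALLOWLIST = [ip_network("10.10.0.0/16")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
CREATEACCT_RE = re.compile(r"/(?:json|xml)-api/createacct(?:\?|$)", re.I)
USERNAME_RE = re.compile(r"[?&]username=([^&\s]+)")


def parse(log_text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def in_allowlist(ip, allowlist):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def review(log_text, allowlist=ALLOWLIST, fail_threshold=5):
    """Return the three signals the recommendation calls for, keyed by name."""
    failures = Counter()
    success_after_failures = []
    outside_allowlist = []
    account_creation = []
    for r in parse(log_text):
        on_login = r["path"].startswith("/login")
        if on_login and r["status"] in (401, 403):
            failures[r["ip"]] += 1
        elif on_login and r["status"] == 200:
            # A success right after a burst of failures is the classic brute-force tell.
            if failures[r["ip"]] >= fail_threshold:
                success_after_failures.append(r["ip"])
            if not in_allowlist(r["ip"], allowlist):
                outside_allowlist.append((r["ip"], r["user"]))
        if CREATEACCT_RE.search(r["path"]):
            um = USERNAME_RE.search(r["path"])
            account_creation.append((r["ip"], um.group(1) if um else "?"))
    return {
        "brute_force": {ip: n for ip, n in failures.items() if n >= fail_threshold},
        "success_after_failures": success_after_failures,
        "logins_outside_allowlist": outside_allowlist,
        "account_creation": account_creation,
    }


if __name__ == "__main__":
    for signal, hits in review(SAMPLE_LOG).items():
        print(f"{signal}: {hits}")
```

On the sample data the script flags 198.51.100.7 on all three counts and 203.0.113.9 for an admin login from outside the allowlist; the account creation hit is the one to chase first, since a new account is how an attacker keeps access after the original entry point is patched.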

Real-World Takeaway: The timeline between vulnerability disclosure and exploitation is collapsing. Organizations can no longer rely on traditional patching cycles measured in weeks. For internet-facing cloud infrastructure, especially hosting and management platforms, the expectation now must be emergency-level response within hours or days.

2. Attackers Used AI to Rapidly Expand Access Across Enterprise Networks

A recent cyber intrusion targeting operational technology environments in Mexico is raising new alarms across the industrial security community after researchers revealed that attackers leveraged artificial intelligence to accelerate offensive operations inside enterprise networks. According to industrial cybersecurity firm Dragos, the attackers used AI-generated malicious scripts and tooling to rapidly expand their foothold after gaining initial access, allowing them to move faster and scale activity across multiple compromised IT environments. Analysts reviewing the incident examined roughly 350 separate artifacts tied to the campaign, many of which appeared to have been created or enhanced using generative AI capabilities.

What makes this incident especially concerning is not simply the use of AI itself, but the way it shortened the traditional attacker timeline. Security teams have long relied on the assumption that adversaries require time, skill, and manual effort to customize tooling and pivot between systems. In this case, AI appeared to streamline portions of that process, enabling attackers to automate reconnaissance, scripting, and offensive adaptation at a pace that overwhelmed conventional defensive workflows. Researchers noted that the techniques used in the attack relied heavily on known offensive playbooks, but AI dramatically reduced the effort required to operationalize them inside the victim environment.

The reporting describes the two commercial models as playing different roles in the campaign:

  • Anthropic’s Claude AI handled prompt-and-response interaction, intrusion planning, and the development and deployment of malicious tools.
  • OpenAI’s GPT models were assigned analytical roles, processing collected data and generating structured output in Spanish.

The attack also reinforces growing concerns surrounding the security posture of operational technology and industrial control system environments. Many OT networks still operate with legacy infrastructure, limited segmentation, outdated authentication controls, and minimal visibility into east-west traffic. Those weaknesses become significantly more dangerous when attackers can use AI to accelerate exploitation, generate tailored scripts, or rapidly test multiple attack paths simultaneously. Experts warn that the convergence of AI-enabled offensive tooling and under-secured industrial environments creates a dangerous combination for sectors such as manufacturing, utilities, transportation, and energy.

The broader cybersecurity industry has already seen warnings about malicious AI usage from major providers like Anthropic, which previously disclosed state-linked espionage campaigns experimenting with generative AI for offensive cyber operations. But the Mexico incident demonstrates that this threat is no longer theoretical. AI is actively being incorporated into real-world attack chains today. For defenders, the lesson is clear: organizations can no longer treat AI as simply a future risk discussion. Security operations, threat hunting, incident response, and OT visibility programs must evolve now to keep pace with adversaries that are increasingly operating at machine speed.

Unauthorized Access to Anthropic’s Mythos Model Raises New AI Security Questions

This week’s AI Security Corner centers on reports that unauthorized users gained access to Anthropic’s highly restricted Mythos AI model, despite the company limiting access to a small group of approved organizations through Project Glasswing. Mythos has been described as a powerful cybersecurity-focused AI model capable of identifying vulnerabilities and assisting in exploit development, making the security around the platform itself especially important.

According to reports, a small online group allegedly accessed the model through a combination of contractor-related access paths, publicly exposed infrastructure clues, and educated guesses around internal naming conventions. Anthropic stated it is investigating the matter and currently has no evidence that its core systems were breached. Still, the incident highlights a growing issue in AI security: protecting the surrounding ecosystem is often just as important as protecting the model itself.

Recommended Actions:

  • Inventory all AI-related platforms, APIs, and testing environments across your organization
  • Review third-party vendor and contractor access to AI systems and datasets
  • Apply least-privilege access controls and strong segmentation between production and development environments
  • Monitor AI infrastructure for anomalous access patterns or unauthorized queries
  • Avoid predictable endpoint naming conventions and exposed testing interfaces
  • Extend zero trust principles to AI systems, including identity validation and device trust checks
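Most of that list is about identity and scoping, and the access path described above (contractor channels plus educated guesses at internal names) is exactly what a deny-by-default gateway in front of a restricted model should shut down. As an added example, not code from Anthropic, Project Glasswing, or this newsletter, here is a small authorization layer that grants per-model access only to principals from approved organizations, requires an expiry on every contractor grant, checks device trust, returns the same denial for unknown and ungranted model names so guessing yields no oracle, and locks a principal out after a few requests for model names that do not exist. Every model, organization, and principal name in it is hypothetical.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical names for the example; none are real model, customer, or user identifiers.
KNOWN_MODELS = {"restricted-model-a", "general-model"}
APPROVED_ORGS = {"acme-research", "example-labs"}
# Same wording for "no such model" and "model not granted", so responses give no oracle
# to someone guessing internal names.
DENIED = "model not available to this principal"


@dataclass(frozen=True)
class Principal:
    name: str
    org: str
    kind: str                 # "employee" or "contractor"
    device_trusted: bool      # result of a device posture / attestation check
    models: frozenset         # explicit per-model grants, never wildcards
    expires: Optional[datetime] = None   # required for contractors


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str   # goes to the audit trail; only `allowed` is returned to the client


class ModelGateway:
    """Deny-by-default authorization in front of a restricted model endpoint."""

    def __init__(self, probe_limit=3):
        self.probe_limit = probe_limit
        self.unknown_probes = Counter()   # unknown-model requests per principal
        self.audit = []                   # (principal, model, allowed, reason)

    def authorize(self, p, model, now):
        d = self._decide(p, model, now)
        self.audit.append((p.name, model, d.allowed, d.reason))
        return d

    def _decide(self, p, model, now):
        if p.org not in APPROVED_ORGS:
            return Decision(False, "organization not on the approved list")
        if self.unknown_probes[p.name] >= self.probe_limit:
            return Decision(False, "locked: repeated requests for unknown model names")
        if model not in KNOWN_MODELS:
            self.unknown_probes[p.name] += 1    # name guessing is counted here
            return Decision(False, DENIED)
        if p.kind == "contractor" and (p.expires is None or now >= p.expires):
            return Decision(False, "contractor grant missing or expired")
        if not p.device_trusted:
            return Decision(False, "device failed trust check")
        if model not in p.models:
            return Decision(False, DENIED)
        return Decision(True, "granted")

    def probing_principals(self):
        """Principals whose unknown-model requests reached the lockout threshold."""
        return sorted(n for n, c in self.unknown_probes.items() if c >= self.probe_limit)


# Constructed principals for the demonstration.
NOW = datetime(2026, 5, 10, tzinfo=timezone.utc)
GRANT = frozenset({"restricted-model-a"})
PRINCIPALS = {
    "employee": Principal("alice", "acme-research", "employee", True, GRANT),
    "contractor_ok": Principal("bob", "example-labs", "contractor", True, GRANT, NOW + timedelta(days=30)),
    "contractor_expired": Principal("carol", "example-labs", "contractor", True, GRANT, NOW - timedelta(days=1)),
    "untrusted_device": Principal("dave", "acme-research", "employee", False, GRANT),
    "outsider": Principal("mallory", "unknown-org", "employee", True, GRANT),
}

if __name__ == "__main__":
    gw = ModelGateway()
    for label, p in PRINCIPALS.items():
        print(label, gw.authorize(p, "restricted-model-a", NOW))
    for guess in ("model-internal", "model-v2", "eval-sandbox"):
        gw.authorize(PRINCIPALS["employee"], guess, NOW)
    print("after guessing:", gw.authorize(PRINCIPALS["employee"], "restricted-model-a", NOW))
    print("probing:", gw.probing_principals())
```

The audit list is the part to wire into monitoring: a principal who accumulates unknown-model denials is enumerating, and a contractor identity that keeps authenticating after its expiry is the forgotten vendor access the takeaway below warns about.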

Real-World Takeaway: The next generation of AI-related breaches may not involve sophisticated attacks against the model itself. Instead, attackers will look for weak identity controls, forgotten vendor access, exposed APIs, and operational gaps around the ecosystem supporting the AI platform. AI security is quickly becoming an identity and governance challenge as much as a technical one.

3. PAN-OS Zero-Day Exploited in Ongoing Firewall Attacks

A newly disclosed vulnerability in Palo Alto Networks firewalls is rapidly becoming one of the most closely watched cybersecurity threats of 2026. The flaw, tracked as CVE-2026-0300, affects PAN-OS software running on PA-Series and VM-Series firewalls and allows an unauthenticated attacker to execute arbitrary code with root privileges simply by sending specially crafted packets to exposed authentication portals. With a critical CVSS score of 9.3 and active exploitation already confirmed by both Palo Alto Networks and CISA, security teams across government and enterprise environments are racing to identify exposed systems before attackers gain a foothold.

The vulnerable component is the User-ID Authentication Portal, also known as the Captive Portal feature, and the flaw is reachable when that portal is exposed to untrusted or internet-facing networks. Researchers say exploitation activity began before official patches were available, giving attackers a dangerous head start. Palo Alto Networks later confirmed that a state-sponsored threat actor was behind at least some of the observed attacks, using stolen credentials and open-source tooling to move quietly through victim environments over several weeks. The company noted that the attackers deliberately avoided deploying noisy malware, relying instead on operational discipline and short access windows to stay below the detection thresholds of many traditional security monitoring systems.

The incident highlights a growing trend in modern cyber operations: edge infrastructure is becoming a prime target for both nation-state actors and cybercriminal groups because compromising a firewall often provides direct access into the heart of enterprise networks. PAN-OS vulnerabilities have repeatedly become valuable offensive tools in recent years due to the widespread adoption of Palo Alto firewalls across Fortune 500 organizations, healthcare providers, financial institutions, and government agencies. Security experts warn that organizations exposing authentication portals directly to the public internet are at the highest risk, particularly if proper network segmentation and management interface restrictions are not in place.

While Palo Alto Networks is preparing permanent fixes for affected PAN-OS versions over the coming weeks, organizations are being urged to act immediately rather than wait for patch cycles alone. Recommended mitigations include disabling the User-ID Authentication Portal where possible, restricting portal access to trusted internal IP ranges, and disabling Response Pages on internet-facing interfaces. Customers with Threat Prevention subscriptions can also enable Threat ID 510019 to help block exploitation attempts. The broader lesson is becoming increasingly clear: perimeter devices can no longer be treated as passive infrastructure. They are now among the most aggressively targeted assets in modern enterprise environments, and attackers know exactly where to look.
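Two of those mitigations live in the same place: Response Pages is a setting on the interface management profile attached to an interface, and Permitted IP Addresses on that same profile is where the trusted-range restriction goes. As an added example, not code from Palo Alto Networks or this newsletter, the script below audits an exported PAN-OS XML configuration for interfaces in untrusted zones whose management profile still has Response Pages enabled, and separates the unrestricted case from one already limited by Permitted IP. The sample configuration is constructed; its element layout follows PAN-OS conventions as the author understands them, so confirm the paths against a real `show config running` export before trusting the results.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the layout of a PAN-OS XML configuration export.
# Element names follow PAN-OS conventions as the author of this example understands
# them; verify the paths against a real "show config running" export before use.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network>
      <profiles><interface-management-profile>
        <entry name="mgmt-open">
          <https>yes</https><response-pages>yes</response-pages>
        </entry>
        <entry name="mgmt-restricted">
          <https>yes</https><response-pages>yes</response-pages>
          <permitted-ip><entry name="10.10.0.0/16"/></permitted-ip>
        </entry>
        <entry name="ping-only"><ping>yes</ping></entry>
      </interface-management-profile></profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3>
          <interface-management-profile>mgmt-open</interface-management-profile>
        </layer3></entry>
        <entry name="ethernet1/2"><layer3>
          <interface-management-profile>mgmt-restricted</interface-management-profile>
        </layer3></entry>
        <entry name="ethernet1/3"><layer3>
          <interface-management-profile>ping-only</interface-management-profile>
        </layer3></entry>
        <entry name="ethernet1/4"><layer3>
          <interface-management-profile>mgmt-restricted</interface-management-profile>
        </layer3></entry>
      </ethernet></interface>
    </network>
    <vsys><entry name="vsys1"><zone>
      <entry name="untrust"><network><layer3>
        <member>ethernet1/1</member><member>ethernet1/3</member><member>ethernet1/4</member>
      </layer3></network></entry>
      <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
    </zone></entry></vsys>
  </entry></devices>
</config>"""

DEVICE = "./devices/entry/"


def _enabled(elem, tag):
    node = elem.find(tag)
    return node is not None and (node.text or "").strip().lower() == "yes"


def load_profiles(root):
    """Profile name -> (response_pages_enabled, list of permitted-ip entries)."""
    profiles = {}
    for p in root.iterfind(DEVICE + "network/profiles/interface-management-profile/entry"):
        permitted = [e.get("name") for e in p.iterfind("permitted-ip/entry")]
        profiles[p.get("name")] = (_enabled(p, "response-pages"), permitted)
    return profiles


def load_interface_profiles(root):
    """Interface name -> management profile name, for interfaces that have one."""
    out = {}
    for i in root.iterfind(DEVICE + "network/interface/ethernet/entry"):
        node = i.find("layer3/interface-management-profile")
        if node is not None and node.text:
            out[i.get("name")] = node.text.strip()
    return out


def load_zones(root):
    """Interface name -> zone name."""
    out = {}
    for z in root.iterfind(DEVICE + "vsys/entry/zone/entry"):
        for m in z.iterfind("network/layer3/member"):
            out[(m.text or "").strip()] = z.get("name")
    return out


def audit(xml_text, untrusted_zones):
    """Return (interface, zone, profile, severity, detail) for every interface in an
    untrusted zone whose management profile still serves Response Pages."""
    root = ET.fromstring(xml_text)
    profiles = load_profiles(root)
    zones = load_zones(root)
    findings = []
    for iface, prof in sorted(load_interface_profiles(root).items()):
        zone = zones.get(iface, "unassigned")
        if zone not in untrusted_zones:
            continue
        response_pages, permitted = profiles.get(prof, (False, []))
        if not response_pages:
            continue
        if permitted:
            findings.append((iface, zone, prof, "MEDIUM",
                             "Response Pages on, limited to " + ", ".join(permitted)
                             + "; disable until patched, the allowlist alone is a stopgap"))
        else:
            findings.append((iface, zone, prof, "HIGH",
                             "Response Pages on with no Permitted IP restriction"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, {"untrust"}):
        print(" | ".join(f))
```

The zone names you treat as untrusted are an input on purpose: on a real export they are whatever your internet-facing zones are called, and an interface with no zone at all is worth a manual look rather than a silent pass.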

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?