Cyber Intelligence Weekly

Cyber Intelligence Weekly (May 3, 2026): Our Take on Three Things You Need to Know

By Dan Desko
Posted on May 03 / 2026

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Partner Promo – 50% Off Incogni

I wanted to highlight a favorite tool of mine that helps keep my data off data broker sites. Are you tired of spam calls and sketchy emails, I was too?

A new favorite of mine, Incogni, removes your data from broker sites so you can stay off scammers’ radar and keep your personal information where it belongs.

Before we turn to this week’s edition of Cyber Intelligence Weekly, I want to introduce a new Personal Spotlight Series: The Human Side of Cybersecurity.

This series is grounded in conversation rather than commentary. It centers on CISOs and other cyber leaders who are in the seat—navigating real leadership pressure, complex risk decisions, and the human realities of building and sustaining security programs. Some are earlier in their journey, others further along paths many of you may recognize or aspire toward. What they share isn’t theory. It’s experience—earned through moments of progress, frustration, growth, and reflection. These conversations are for the professionals who show up every day to quietly carry the weight of this industry.

Dawn Cappelli (Dragos) — “Be authentic.”

In this episode, I sat down with Dawn Cappelli, CISSP , a cybersecurity leader whose career has helped shape entire disciplines inside the industry. Dawn started as a software engineer programming nuclear power plants at Westinghouse, later moved to Carnegie Mellon, and then joined CERT in 2001. Her first major security assignment was working with the Secret Service to help protect the 2002 Salt Lake City Olympics from cyber incidents. That work quickly evolved into a focus on insider threat, where Dawn helped build the foundation for what would become modern insider risk programs.

What stood out most was Dawn’s willingness to take on problems that did not yet have playbooks. At CERT, she helped create a groundbreaking insider threat body of research by studying real cases with technologists and behavioral psychologists. Later, at Rockwell Automation, she built an insider risk program, then stepped into the CISO role after effectively writing the job description herself. From there, she helped lead early thinking around OT cybersecurity, eventually bringing CISOs together to share ideas on how to protect industrial environments.

Today, Dawn continues that mission at Dragos, where she helped build OT-CERT, a free resource community for organizations with operational technology environments. What started as a “retirement” chapter became what she calls her dream job: giving away practical resources to help small and midsized organizations protect critical infrastructure.

Additional takeaways from the conversation:

  • Passion matters. When Dawn hired security professionals, passion was the first thing she looked for.
  • Cybersecurity can be a way to “save the world.” Dawn’s work has always been tied to protecting people, infrastructure, and civilization.
  • The basics are still underappreciated. In OT, organizations need fundamentals like incident response, network visibility, secure remote access, defensible architecture, and risk-based vulnerability management before chasing AI.
  • AI should assist, not autonomously defend OT. Dawn sees value in AI-assisted recommendations, but not in letting AI take unsupervised action in industrial environments.
  • Leaders create expectations through behavior. Sending emails late at night or on weekends can unintentionally make teams feel like they need to be online too.
  • CISOs must understand the business. Technical ability matters, but risk management, communication, and business context are what make a CISO effective.
  • Authenticity builds trust. The CEO, board, and leadership team need to know that when a CISO raises an issue, it is real and worth attention.
  • Sometimes you have to stand your ground. Dawn shared a story about pushing a major risk to the board deck despite funding pressure, which ultimately led to a practical compromise.
  • OT still needs basic cyber hygiene. Many attacks still come through unpatched VPNs, insecure remote access, and poor segmentation.
  • Great CISOs know when not to overreact. Controlling emotion and choosing when to escalate are critical leadership skills.

Her billboard message for every new CISO was simple: Be authentic. Dawn’s point was clear: security leaders cannot just tell people what they want to hear. They have to speak truthfully, raise real risks, and stay grounded in what they believe is right for the organization.

If there was one thread that defined this conversation, it was this: the best security leaders combine courage, practicality, and authenticity—especially when the easiest thing would be to stay quiet.

Watch the Full Interview Here: https://www.youtube.com/watch?v=9_DP7UT1X0w

Echelon Events & Thought Leadership Highlight

Modern attacks don't follow a straight line.

The decisions you make today across tools, workflows, and detection logic will determine whether the next intrusion is contained or missed entirely.

Led by Matt Donato, Devin Jones, and Bryce Hayes, join our Offensive and Defensive Security teams on May 13 for a live, end-to-end simulation that walks both sides of a modern attack, showing exactly how adversaries operate and how defenders can keep up.

You’ll see:

  • How attackers gain access, move laterally, and evade detection
  • How security teams investigate, validate, and respond in real time
  • What actually works when bridging the gap between offense and defense

Purple teaming isn’t theory, it’s how you close real detection gaps and build defenses that hold.

Reserve your spot now and see the full attack chain before you’re forced to respond to it live: https://lnkd.in/eqhrCKgu

Away we go!

1. Critical cPanel Flaw Under Active Attack as Millions of Sites Face Potential Exposure

A newly disclosed vulnerability in cPanel, one of the most widely used web hosting platforms in the world, is already being exploited in the wild, raising urgent concerns across the hosting and small business ecosystem. The flaw, tracked as CVE-2026-41940, carries a near-maximum severity rating and can allow attackers to take full control of affected servers. The U.S. Cybersecurity and Infrastructure Security Agency has now added it to its Known Exploited Vulnerabilities catalog, confirming that this is not a theoretical risk. It is active, real, and unfolding.

What makes this situation particularly concerning is the timing. Evidence suggests exploitation began before patches were even released, giving attackers a head start. Hosting providers have reported seeing suspicious activity weeks earlier, and at least one business has already claimed a ransomware incident tied to the vulnerability. In that case, attackers allegedly demanded payment after locking systems, signaling that this flaw is being used for immediate financial gain, not just quiet reconnaissance.

The scope of potential exposure is massive. Security researchers estimate there are more than a million internet-facing cPanel instances, many supporting small and mid-sized organizations that rely heavily on hosting providers for security management. For these companies, patching is not always instantaneous. It often depends on the provider’s update cycle, leaving a window of vulnerability that attackers are clearly exploiting.

This incident is another reminder of how quickly modern threats move. When critical vulnerabilities surface in widely deployed platforms, the gap between disclosure and exploitation continues to shrink. Organizations should not assume their hosting provider has everything covered. Now is the time to verify patch status, restrict administrative access, monitor for unusual activity, and assume compromise if systems were exposed prior to updates. In today’s threat landscape, speed is not just an advantage. It is survival.

When AI Tools Become Your Cloud’s Weakest Link

This week’s cloud security spotlight comes straight out of the recent Vercel incident, where attackers gained access to internal systems through a compromised third-party AI tool connected via OAuth. While the initial foothold came from an employee device, the real risk unfolded in the cloud. The attacker leveraged access to a Google Workspace account, moved laterally into Vercel environments, and accessed environment variables that could be used to reach downstream systems

This is a textbook example of how modern cloud environments are no longer just AWS, Azure, or GCP. They are ecosystems of SaaS apps, developer tools, browser extensions, identity providers, and AI platforms all stitched together with trust. In this case, that trust was granted through OAuth permissions, which are often over-scoped and under-monitored. Once inside, attackers do not need to break infrastructure. They simply use what is already connected.

What to do now:

  • Audit all OAuth-connected applications in Google Workspace, Microsoft 365, and identity providers
  • Remove unused or over-permissioned third-party apps
  • Enforce least privilege for SaaS integrations and developer tools
  • Rotate all environment variables, API keys, and tokens tied to cloud workloads
  • Monitor for abnormal token usage, including impossible travel and unusual API calls
  • Implement conditional access and device trust for all cloud-connected identities

Real-world takeaway: The cloud breach you are preparing for will likely not come from a misconfigured S3 bucket anymore. It will come from something your team connected last quarter and forgot about. Identity is the new perimeter, and OAuth is one of its most overlooked attack paths.

2. When Security Tools Become the Attack Path: Lessons from the Checkmarx and Bitwarden Incidents

Over the past several weeks, a troubling pattern has emerged in the cybersecurity ecosystem: the very tools designed to protect organizations are being turned into attack vectors. Security firms like Checkmarx and Bitwarden recently found themselves caught in the fallout of a broader supply chain compromise tied to a popular open source vulnerability scanner. What started as a breach of a single upstream tool quickly cascaded into multiple downstream compromises, highlighting just how interconnected and fragile modern software ecosystems have become.

In the case of Checkmarx, the situation unfolded in stages. Malicious code introduced through the compromised dependency was able to harvest sensitive credentials such as repository tokens and SSH keys. Those stolen credentials were then used to gain access to Checkmarx’s own systems, allowing attackers to distribute further malicious updates to its users. Even after initial remediation efforts, the attackers appear to have maintained persistence, leading to repeated incidents and ultimately a ransomware data leak attributed to a separate group that likely acquired access through the original breach.

Bitwarden was also impacted through a similar path, with a malicious package briefly distributed through its software delivery pipeline. While the exposure window was limited, the overlap in infrastructure and tactics points to a coordinated campaign by an access broker group that specializes in compromising trusted tools and reselling access. This model is becoming increasingly effective because it targets software that already has privileged access to sensitive environments, making it easier for attackers to move laterally once inside.

The broader lesson is difficult but unavoidable. Security tools are no longer just part of the defense stack. They are now part of the attack surface. Organizations must treat them with the same level of scrutiny as any other critical system. That means validating software integrity, locking down CI/CD pipelines, rotating credentials aggressively, and continuously monitoring for signs of compromise. In today’s environment, trust is no longer implicit, even for the tools built to protect

AI Models Are Not the Only Risk. The Access Around Them Is

This week’s AI security focus centers on the unauthorized access to Anthropic’s Mythos model. While the headlines focus on the model’s capabilities, the more important lesson is how access was reportedly obtained. A small group was able to reach the model through a combination of third-party access, predictable infrastructure patterns, and publicly exposed clues about how systems were structured.

This highlights a growing reality. As organizations rush to adopt advanced AI, they are securing the model itself but overlooking the ecosystem around it. That includes vendor environments, contractor access, evaluation platforms, API endpoints, and even simple URL structures. Attackers do not need to break the model if they can find a way around it.

What to do now:

  • Inventory all AI systems, including testing environments, sandboxes, and vendor-hosted models
  • Enforce strict access controls and segmentation between production and evaluation environments
  • Limit contractor and third-party access to only what is absolutely required
  • Monitor access logs for unusual queries, access patterns, or unexpected endpoints
  • Avoid predictable naming conventions and exposed endpoints for sensitive AI assets
  • Apply zero trust principles to AI platforms just as you would core infrastructure

Real-world takeaway: AI security is quickly becoming an access control problem disguised as a technology problem. The organizations that win here will not just have better models. They will have tighter control over who can reach them, how, and from where.

3. Trusted Defenders Turned Attackers: Insider Ransomware Scheme Ends in Prison Sentences

In a case that cuts to the core of trust in the cybersecurity industry, two professionals tasked with helping organizations respond to ransomware incidents have been sentenced to four years in prison for secretly carrying out attacks themselves. The individuals, who worked in incident response and ransomware negotiation roles, pleaded guilty to conspiracy charges after prosecutors revealed they used their positions to launch and profit from ransomware campaigns tied to the ALPHV, also known as BlackCat, group.

According to court filings, the scheme unfolded over several months in 2023. The attackers leveraged their insider knowledge of incident response processes, victim behavior, and negotiation dynamics to target organizations and maximize financial impact. In at least one case, they successfully extorted more than one million dollars. Investigators also uncovered a broader pattern of misconduct involving a third conspirator who allegedly coordinated with ransomware groups, shared sensitive victim intelligence, and even disclosed insurance coverage details to help attackers demand higher payments.

What makes this case especially alarming is not just the financial damage, but the erosion of trust it represents. Incident responders and negotiators are often brought in during the most critical moments of a cyber crisis. They are given deep access to systems, sensitive data, and executive decision-making processes. When that trust is abused, the consequences ripple far beyond a single incident. It challenges the foundational assumption that defenders are always acting in the best interest of their clients.

The industry response has already begun to shift. Companies involved have implemented tighter controls, including monitored communication channels, stricter oversight of negotiations, and enhanced transparency with government agencies. For organizations, the takeaway is clear. Vendor risk management must extend beyond technical capability and into governance, accountability, and verification. In a world where insider threats can come from even the most trusted advisors, trust must be earned continuously and validated rigorously.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?