May 27, 2026 by sig9

Hacker Wars - May 27, 2026

bulletin-feature-image

Your daily dose of infosec chaos

Today’s threat landscape is serving up a mix of physical and digital attacks. From hackers literally walking into offices to plant USB drives, to AI coding assistants getting weaponized for supply chain attacks, adversaries are getting creative. Meanwhile, CISA is in emergency mode over a cPanel zero-day and Iranian state actors are blurring the hacktivism line.

FBI Warns of Hackers Physically Planting USB Drives at Law Firms

The Silent Ransom Group is taking a hands-on approach - literally. The FBI reports they’re sending actual human operatives into law firm offices to plug in USB drives loaded with malware. Because apparently phishing emails were too impersonal for these threat actors.

What to do: Implement strict visitor policies, train staff to challenge unknown individuals, and disable USB ports via group policy where possible.

SymJack Attack Weaponizes AI Coding Agents for Supply Chain Compromise

Researchers have uncovered “SymJack” - an attack that tricks AI coding assistants like Cursor into installing malicious MCP servers through poisoned repositories and symlink tricks. Your helpful AI pair programmer might be silently exfiltrating your secrets to an attacker-controlled server. The supply chain attack surface just got an AI-shaped expansion.

What to do: Audit your MCP server configurations, verify repository sources before letting AI agents interact with them, and monitor for unexpected network connections from development environments.

CISA Gives Feds 4 Days to Patch Actively Exploited cPanel Flaw

CISA has dropped an emergency directive giving federal agencies just four days to patch a critical vulnerability in the LiteSpeed cPanel plugin. The flaw is already being exploited in the wild, which means if you’re running cPanel with LiteSpeed, you’re potentially already compromised. Four days is aggressive even by CISA standards.

What to do: Patch your cPanel installations immediately. If you can’t patch yet, consider disabling the LiteSpeed plugin until you can.

LA Metro Cyberattack Tied to Iranian State-Sponsored Hackers

What initially looked like another hacktivist hit on LA Metro has been traced back to Iranian state infrastructure. This is a textbook example of how nation-states use hacktivist personas as cover for their operations. The line between “script kiddie with a cause” and APT group just got blurrier.

What to do: Don’t dismiss attacks labeled as “hacktivism” - treat all incidents with the same rigor and assume state-level actors could be behind any sophisticated operation.

GlassWorm Botnet Taken Down After Security Firms Kill C2 Channels

Good news for once: security researchers successfully disrupted the GlassWorm botnet by taking down all four of its command-and-control channels. The malware’s infrastructure is now dead in the water. Enjoy the brief moment of defenders actually winning one.

What to do: Run a scan to ensure your systems weren’t part of the botnet. Update your threat intel feeds with the known GlassWorm indicators.

Catch you tomorrow. In the meantime, go check your attack surface.

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

This bulletin is provided for informational purposes. Contact us for tailored security analysis.