AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites
Microsoft warned that attackers are adapting SEO poisoning techniques for AI-generated software recommendations, pushing users toward fake utility download sites that deploy ScreenConnect for persistence before launching cryptomining payloads. The campaign is a meaningful shift in social engineering surface area — users who have learned to distrust search results may extend implicit trust to AI chatbot suggestions, making the channel an increasingly attractive lure. Defenders should treat AI search and chatbot outputs as another untrusted content source, and user awareness programs should be updated to reflect that AI recommendations can be poisoned just like search results.
LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers
Researchers linked the disruptive LA Metro cyberattack to infrastructure previously associated with Iranian government-backed activity. The incident reportedly required hundreds of servers to be reviewed and included claims of data theft and destructive activity, though rail and bus service were not affected. The hacktivist branding overlaying the attack is consistent with a pattern of Iranian state-linked groups using ideological cover to obscure attribution and complicate incident response. Transportation and critical infrastructure operators should treat hacktivist-branded incidents as potentially state-linked until proven otherwise, particularly when the scope of access extends to virtualization, web infrastructure, or OT-adjacent systems.
CISA Gives Feds 4 Days to Patch Actively Exploited cPanel Plugin Flaw
CISA added CVE-2026-48172 to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch the actively exploited LiteSpeed cPanel user-end plugin flaw by May 29, with the vulnerability allowing remote unauthenticated attackers to execute arbitrary scripts with root privileges on affected servers. The four-day remediation window reflects the severity of unauthenticated root execution on internet-facing hosting infrastructure. Organizations running LiteSpeed with cPanel should update immediately, review logs for suspicious activity, and remove the plugin entirely if patching isn’t immediately possible.
High-Severity SharePoint RCE Bug Patched by Microsoft
Microsoft patched CVE-2026-45659, a high-severity remote code execution vulnerability affecting on-premises SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Exploitation requires authentication but no user interaction once an attacker has access. On-premises SharePoint remains a consistent target for ransomware operators, nation-state actors, and access brokers due to its deep integration with internal file systems, Active Directory, and business workflows. Teams should confirm the May updates are applied and review whether internet-facing SharePoint instances are exposed more widely than necessary, since an attacker holding valid credentials, whether phished or bought from an access broker, already meets the authentication requirement.
FBI Links First VPN Service to Ransomware Gangs, Botnets, and Criminal Dark Web Activity
The FBI disclosed that at least 25 ransomware groups used First VPN Service infrastructure for intrusions, reconnaissance, credential abuse, botnet activity, denial-of-service attacks, and scams, with the service marketed on Russian-language cybercrime forums and using protocols designed to disguise VPN traffic as normal HTTPS. The advisory reinforces that IP blocklists targeting known VPN and proxy infrastructure are insufficient on their own, since services like this are specifically engineered to evade network-layer controls. Security teams should correlate VPN and proxy indicators with identity telemetry, impossible travel alerts, unfamiliar autonomous systems, remote access logs, and unusual scanning or lateral movement patterns to surface abuse that IP blocking alone won’t catch.
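The correlation described above, as an added example rather than anything from the FBI advisory or the post: a Python sketch that scores identity-provider sign-in events by combining a VPN/proxy indicator match with two identity signals, an ASN the user has not signed in from before and impossible travel since the user's last successful sign-in. The indicator ranges, ASNs, baseline, and sign-in records are all constructed placeholders (documentation prefixes and private-use ASNs), not real First VPN Service infrastructure, and the signal weights and threshold are assumptions to tune against your own telemetry.

```python
import json
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Constructed indicator set standing in for a VPN/proxy provider's infrastructure.
# Documentation ranges and private-use ASNs only; not real First VPN indicators.
VPN_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
VPN_ASNS = {64496, 64497}

# Faster than a commercial flight between two sign-ins is implausible (assumption).
MAX_PLAUSIBLE_KMH = 900.0

# Assumed weights: a VPN hit alone is noise (legitimate users tunnel too), an
# unfamiliar ASN alone is weak, impossible travel alone is worth an alert.
WEIGHTS = {"vpn_proxy_indicator": 1, "unfamiliar_asn": 1, "impossible_travel": 2}
ALERT_THRESHOLD = 2

# Constructed identity-provider sign-in events (JSON lines), not real telemetry.
SAMPLE_LOG = """
{"ts": "2026-05-26T08:00:00Z", "user": "alice", "ip": "192.0.2.10", "asn": 64500, "lat": 40.71, "lon": -74.01, "success": true}
{"ts": "2026-05-26T09:30:00Z", "user": "alice", "ip": "203.0.113.45", "asn": 64496, "lat": 52.52, "lon": 13.40, "success": true}
{"ts": "2026-05-26T10:00:00Z", "user": "bob", "ip": "198.51.100.7", "asn": 64497, "lat": 51.51, "lon": -0.13, "success": true}
{"ts": "2026-05-26T11:00:00Z", "user": "carol", "ip": "192.0.2.77", "asn": 64501, "lat": 41.88, "lon": -87.63, "success": true}
{"ts": "2026-05-26T11:20:00Z", "user": "carol", "ip": "192.0.2.90", "asn": 64502, "lat": 41.88, "lon": -87.63, "success": true}
{"ts": "2026-05-26T12:00:00Z", "user": "dave", "ip": "203.0.113.200", "asn": 64496, "lat": 48.86, "lon": 2.35, "success": false}
"""

# Constructed 30-day baseline: the ASNs each user normally signs in from.
BASELINE_ASNS = {"alice": {64500}, "bob": {64497}, "carol": {64501}, "dave": {64503}}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def is_vpn(ip, asn):
    """True if the source matches the VPN/proxy indicator set by ASN or by prefix."""
    addr = ip_address(ip)
    return asn in VPN_ASNS or any(addr in net for net in VPN_NETWORKS)


def parse_log(text):
    """Parse JSON-lines sign-in events and order them by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, baseline):
    """Score each sign-in by combining the network indicator with identity context.

    Returns the events that reach ALERT_THRESHOLD together with their signals.
    """
    last_success = {}  # user -> most recent successful sign-in (travel anchor)
    alerts = []
    for ev in events:
        signals = []
        if is_vpn(ev["ip"], ev["asn"]):
            signals.append("vpn_proxy_indicator")
        if ev["asn"] not in baseline.get(ev["user"], set()):
            signals.append("unfamiliar_asn")
        prev = last_success.get(ev["user"])
        if prev is not None:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                signals.append("impossible_travel")
        if ev["success"]:
            last_success[ev["user"]] = ev  # failed attempts do not move the user
        score = sum(WEIGHTS[s] for s in signals)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": ev["user"], "ip": ev["ip"],
                           "score": score, "signals": signals})
    return alerts


def run_example():
    """Run the correlation over the constructed sample log."""
    return correlate(parse_log(SAMPLE_LOG), BASELINE_ASNS)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['user']:6} {a['ip']:15} score={a['score']} {','.join(a['signals'])}")
```

Run as a script it reports alice's second sign-in (VPN prefix, new ASN, and New York to Berlin in ninety minutes) and dave's failed attempt from the VPN range on an ASN he has never used. bob's sign-in through the same VPN service from an ASN already in his baseline stays below the threshold, which is the point: the VPN match is one signal to weigh against identity context, not a block decision on its own.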
The post InfoSec News Nuggets 05/27/2026 appeared first on AboutDFIR – The Definitive Compendium Project.