FORTIFIED_WEEKLY  //  ISSUE_008
05.23.2026  //  CYBERFORTIFY_SOLUTIONS  //  CLASSIFICATION: PUBLIC
■ INTELLIGENCE_BRIEFING

Two weeks of carnage. One issue.

We missed last week, so we're doing this right. A Pennsylvania water authority breached in silence. A CVSS 10.0 in Cisco's backbone. Microsoft Defender turned into a weapon. Every NC school district held hostage on the Canvas login page. Seven stories, one issue.

THIS_WEEK_BY_THE_NUMBERS

10.0
Cisco SD-WAN CVE severity
275M
Canvas / Instructure records exposed
3
Defender zero-days dropped on GitHub
38+
Law firms on SRG’s leak site
0
Patches available for Exchange OWA
$10M
Instructure reportedly paid ShinyHunters

STORY_01 // CRITICAL_INFRASTRUCTURE

The water kept flowing.

May 13, 2026. Laurel Highlands, southwestern Pennsylvania. A 1965-vintage water authority serves about 11,000 people across Fayette and Westmoreland Counties. Connellsville. Ohiopyle. Donegal. Mount Pleasant. The kind of place where the water authority’s office is one room above the maintenance bay.

Somebody got in. We don’t know exactly when. We don’t know how. We know the water kept flowing. The bills kept going out. Nobody outside the building knew anything was wrong.

On May 20, a ransomware crew that calls itself “Pear” added Indian Creek Valley Water Authority to its dark web leak site. Their pitch, in their own words: “Pure Extraction And Ransom (PEAR) Team is the community of highly responsible and strictly disciplined members.” Sure. They’ve claimed 87 victims since August 2025. No encryption. Just data theft and the threat of leaking it.

The authority hasn’t said a word publicly. There’s no news coverage. No press release. The only confirmation this happened is the leak site itself. That is the new normal for small municipal targets. You won’t hear about it. The local paper won’t cover it. The first sign your town got hit will be a Facebook post from your cousin asking why the water bill website is down.

“If malicious actors exploited the cybersecurity vulnerabilities we identified, they could disrupt service or cause irreparable physical damage to drinking water infrastructure.”

EPA Office of Inspector General, Report 25-N-0004

That EPA report scanned 1,062 large drinking water systems serving 26.6 million people. 97 of them had critical or high-risk cyber vulnerabilities. Indian Creek wasn’t even on that list. It was too small. The systems being hit right now are the ones the federal government doesn’t have the bandwidth to look at.

If you sit on a town council, a water board, a parks and rec commission, a school board, a county board of commissioners. If you’ve ever said the words “we’re too small for anyone to bother with us.” Stop. That sentence is a defense mechanism. It’s not a strategy. Pear doesn’t care how small you are. Pear cares whether you’ll pay.

$ do_this_at_the_next_meeting

1. Confirm offline, immutable backups of billing and SCADA configurations exist.
2. Enroll in CISA's free Cyber Hygiene scanning: [email protected]
3. Write a 72-hour manual-operations runbook. If SCADA died tomorrow, what would you do?

STORY_02 // CVE-2026-20182 // CVSS_10.0

A 10.0 in the backbone.

May 14. Cisco drops an advisory. Catalyst SD-WAN Controller and Manager. Authentication bypass. The CVSS number was the kind of number that doesn’t happen by accident. 10.0 out of 10. The max. A perfect storm.

72 hours later, CISA issued Emergency Directive 26-03. Federal agencies had until May 17 to patch or disconnect. No negotiation. Pull the plug if you can’t fix it.

Cisco Talos attributed the active exploitation to a group they’re tracking as UAT-8616. Infrastructure overlaps with the kind of operational relay networks Mandiant has linked to China-nexus espionage in the past. They’ve been quietly exploiting Cisco SD-WAN since 2023.

Here’s how it works. Cisco SD-WAN nodes authenticate to each other over a DTLS service on UDP port 12346. An attacker sends a crafted handshake declaring themselves to be a “vHub” device. Certificate verification gets skipped. They get authenticated as an internal high-privileged account. From there: NETCONF access, configuration changes across the entire SD-WAN fabric, SSH key injection. UAT-8616 then downgrades the software to exploit an old privilege escalation bug, gets root, then upgrades it back to cover the tracks.

Within a week, Rapid7 published a working Metasploit module. The public exploit is out. Ten additional copycat clusters are already running their own versions using a JSP web shell called “XenShell.”

“The new vulnerability is not a patch bypass. It is a different issue located in a similar part of the vdaemon networking stack.”

Rapid7 researchers Jonah Burgess and Stephen Fewer

Catalyst SD-WAN isn’t an SMB product. You don’t buy one for your dental office. But if you’re a dental group with 8 locations and a regional IT provider, your provider might be running it. If you’re a franchise with corporate networking, your backbone might be running it. If you’re a municipality with remote pump stations or branch offices, your network vendor might be running it.

The thing about supply chain risk is you don’t have to use the vulnerable product. You just have to sit behind someone who does.

$ ask_your_network_provider_today

"Are any of our sites or your platform using Cisco Catalyst SD-WAN Controller or Manager? If yes, what version, and have you applied patches for CVE-2026-20182, 20127, 20133, 20128, and 20122?" If they can't answer within 24 hours, that silence is your answer.

STORY_03 // MICROSOFT_DEFENDER // ACTIVE_EXPLOITATION

The security guard was the burglar.

On May 11, a researcher who goes by “Nightmare Eclipse” dropped three proof-of-concept exploits on GitHub. The targets weren’t obscure. They weren’t lab-grade. They were three holes in Microsoft Defender. The free antivirus that ships with every copy of Windows. The one running on every machine in your dental office, your law firm, your town hall, your kid’s school.

Eight days later, Huntress incident responders were watching real attackers chain those exploits in live intrusions. Phishing email lands. Standard user clicks. The malware uses the Defender flaw to escalate from regular user to SYSTEM, the highest privilege level Windows offers. From there, domain admin. From there, your file server. From there, your backups.

Observed time from initial phishing click to domain admin: under an hour.

On May 20, CISA added two of them to the Known Exploited Vulnerabilities catalog. CVE-2026-41091, the privilege escalation. CVE-2026-45498, a denial-of-service flaw that lets attackers shut Defender off without tripping any monitoring. Federal agencies have until June 3. There’s a third bug, CVE-2026-45584, a heap overflow in the same engine. Not yet seen in attacks. Yet.

Every release since July 2024 has included at least one zero-day. 22 months. 3.5 per month on average. May 2026 broke the streak. Then they got popped a week later.

Paraphrased from Tenable's Satnam Narang

Here’s the thing about Defender. Most SMBs trust it because Microsoft puts it on every machine for free. Most managed service providers list “we have antivirus running” as a security control on their compliance paperwork. Both of those things stop meaning anything the moment the antivirus itself becomes the attack vector. The security guard you hired walked over and unlocked the back door.

Microsoft pushed the fix through the normal Defender definition channel. Engine v1.1.26040.8 or higher. That update should land automatically on most machines. Should. Verify.

$ verify_defender_version

On every Windows endpoint: Windows Security → Settings → About
Antimalware Client Version must be: >= 1.1.26040.8
Fleet management? Push "Check for updates" and verify version compliance in 24 hours.
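For anyone doing the fleet check rather than clicking through the UI on each box, here is an added script (ours, not part of the briefing's action box) that reads Defender's engine version and protection state with the built-in Defender module and flags anything below the fixed engine or with protection switched off. It assumes the Defender cmdlets are present and, for remote hosts, that WinRM is reachable; the threshold is the engine version named above.

```powershell
# Added example (not from the briefing): check Defender engine version and
# protection state on one or more hosts. Assumes the built-in Defender module
# (Get-MpComputerStatus) and, for remote hosts, WinRM. Run as administrator.
$MinimumEngine = [version]'1.1.26040.8'   # fixed engine version named in the briefing

function Test-DefenderCompliance {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Get-MpComputerStatus exposes engine, platform and signature versions plus
    # the on/off state of the service and real-time protection
    $status = if ($ComputerName -eq $env:COMPUTERNAME) {
        Get-MpComputerStatus
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock { Get-MpComputerStatus }
    }

    $engine   = [version]$status.AMEngineVersion
    $problems = @()
    if ($engine -lt $MinimumEngine) { $problems += "engine $engine is below $MinimumEngine" }

    # The briefing says CVE-2026-45498 lets an attacker stop Defender without
    # tripping monitoring, so "protection off" is a finding, never just noise
    if (-not $status.AMServiceEnabled)          { $problems += 'antimalware service disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $problems += 'real-time protection off' }
    if (-not $status.AntivirusEnabled)          { $problems += 'antivirus disabled' }

    [pscustomobject]@{
        Computer  = $ComputerName
        Engine    = $engine
        Platform  = $status.AMProductVersion   # the "Antimalware Client Version" shown in the UI
        Compliant = ($problems.Count -eq 0)
        Problems  = ($problems -join '; ')
    }
}

# Host list: local machine by default; swap in Get-Content .\endpoints.txt for a fleet
$targets = @($env:COMPUTERNAME)
$results = $targets | ForEach-Object { Test-DefenderCompliance -ComputerName $_ }
$results | Format-Table -AutoSize

# Force a definition/engine pull on anything that is behind, then re-run the check
$results | Where-Object { -not $_.Compliant -and $_.Engine -lt $MinimumEngine } | ForEach-Object {
    if ($_.Computer -eq $env:COMPUTERNAME) { Update-MpSignature }
    else { Invoke-Command -ComputerName $_.Computer -ScriptBlock { Update-MpSignature } }
}
```

A host that reports a current engine but a disabled service is the case the DoS bug produces, so treat that row as an incident, not a patching backlog.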

STORY_04 // CVE-2026-42897 // NO_PATCH_AVAILABLE

The email that read itself.

A paralegal at a 6-attorney firm opens Outlook on the Web. Logs in to check the morning’s intake. There’s a new message from a client. Subject line is normal. She clicks to open it. Reads it.

That’s it. That was the attack.

She didn’t click a link. She didn’t open an attachment. The email itself contained JavaScript that ran inside her browser session the moment OWA rendered it. Her authenticated mailbox is now hijacked. The attacker reads everything she reads. Sends mail as her. Sees the privileged client communication, the draft contracts, the wire instructions.

That’s CVE-2026-42897. Microsoft issued an out-of-band advisory on May 14. CISA added it to KEV the next day. Federal deadline: May 29. The bug affects on-prem Exchange Server 2016, 2019, and Subscription Edition. Exchange Online is fine. If you’re on Microsoft 365, you can stop reading.

If you’re still running an on-prem Exchange server with OWA exposed to the internet, keep going.

As of right now, there is no permanent patch. There is a mitigation script. That’s the entire defense.

A lot of our readers moved to Exchange Online years ago. But there’s a real chunk of the audience that hasn’t. Municipal IT shops. County legal offices. Older medical and dental practices whose practice management software still has integrations with on-prem Exchange. Some of you are reading this on an Outlook installed against a server that’s sitting in the same room as your file cabinet.

Microsoft’s interim fix is the Exchange Emergency Mitigation Service, EEMS, which auto-deploys a URL rewrite rule if it’s enabled. If your server is air-gapped or EEMS is off, you have to run the Exchange On-premises Mitigation Tool by hand. There is no third option.

$ run_on_every_onprem_exchange_today

Get-Service MSExchangeMitigation
If status is not "Running," start it. Then verify the mitigation applied:
Get-ExchangeServer | Get-Mitigation
Air-gapped? Download EOMT and run:
.\EOMT.ps1 -CVE "CVE-2026-42897"
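To check every server at once rather than one at a time, here is an added script (ours, not from the briefing) for the Exchange Management Shell that confirms EEMS is switched on at the org and server level, that the MSExchangeMitigation service is running on each server, and that at least one mitigation has actually been applied. It assumes a PowerShell 5.1 Exchange Management Shell where Get-ExchangeServer and Get-OrganizationConfig are available; it reports only and changes nothing.

```powershell
# Added example (not from the briefing): verify EEMS state and applied mitigations
# on every on-prem Exchange server. Run from the Exchange Management Shell.
function Test-ExchangeMitigationState {
    $findings = @()

    # Org-level switch: if MitigationsEnabled is $false here, EEMS never applies anything
    $org = Get-OrganizationConfig
    if (-not $org.MitigationsEnabled) { $findings += 'MitigationsEnabled is false at the org level' }

    foreach ($srv in Get-ExchangeServer) {
        # Per-server switch and the list of mitigations EEMS has already applied
        if (-not $srv.MitigationsEnabled) { $findings += "$($srv.Name): mitigations disabled on server" }
        if (-not $srv.MitigationsApplied) { $findings += "$($srv.Name): no mitigations applied yet" }

        # The service that fetches and applies mitigations must be running on every server
        $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
        if ($null -eq $svc -or $svc.Status -ne 'Running') {
            $findings += "$($srv.Name): MSExchangeMitigation service not running"
        }
    }
    return $findings
}

$findings = Test-ExchangeMitigationState
if ($findings.Count -eq 0) {
    'EEMS running and mitigations applied on every server.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    # A server that cannot reach Microsoft (air-gapped) or has EEMS off will show up here;
    # for those, fall back to running EOMT by hand as the action box describes
}
```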

STORY_05 // NORTH_CAROLINA // HOMETOWN_HIT

The login page held the state hostage.

Wednesday afternoon, May 7. A junior at a Wake County high school pulls up Canvas to check an English assignment due that night. The login page loads. The fields don’t. Where the username box should be, there’s a block of black text.

“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.’ You have till the end of the day by 12 May 2026 before everything is leaked.”

Within an hour, the same screen was loading at Durham Public Schools. Chapel Hill-Carrboro. Cumberland County. Then it was at UNC-Chapel Hill. Duke. Wake Forest. NC A&T. ECU. Every major North Carolina school district. Every major North Carolina university. Same defaced page. Same ransom note. Same deadline.

Wake County yanked the Canvas icon out of the WakeID portal. NCDPI confirmed the breach by Wednesday evening. By Thursday morning the story was wall-to-wall on WRAL.

Here’s what actually happened. ShinyHunters got into Instructure (Canvas’s parent company) on April 25. They exploited a vulnerability in Canvas’s Free-For-Teacher account system. Instructure detected the intrusion on April 29 and revoked the access. They didn’t tell anyone publicly until May 1. They didn’t tell schools how bad it was until ShinyHunters started defacing login pages a week later.

The hackers claim 3.65 terabytes. 275 million records. 8,809 institutions. Names, email addresses, student IDs, and the actual content of student-teacher messages. By May 11, Instructure said they’d “reached an agreement with the unauthorized actor.” Unconfirmed reports peg the payment around $10 million. Canvas came back online. The data is destroyed. According to the hacker. Who told the company. Who told the schools.

Two statewide K-12 supply chain breaches in 18 months. PowerSchool, then Instructure. Same script. Same after-the-fact credit monitoring offer. Same NCDPI press release. Same shrug from the vendors.

ShinyHunters is not new. They’re the same crew that hit Ticketmaster, AT&T, ADT, and the Snowflake customer base in 2024. They’re operationally linked to Scattered Spider and LAPSUS$. Their entire 2026 playbook is the same: get into a third-party SaaS provider, exfiltrate the customer data, then extort the customers downstream.

That’s the part that should worry every NC business owner reading this. You’re not in K-12. Doesn’t matter. Every dental practice using a cloud practice management platform. Every law firm on a hosted document system. Every accounting firm running QuickBooks Online. Every municipality on a SaaS billing platform. You are all sitting in the same exposure pattern. Your vendor gets hit. Your data is gone before the breach notice arrives. The first you hear about it is when the hacker emails you directly.

Most SMBs do zero vendor due diligence. They click “I agree” on the terms of service and move on. That worked for ten years. It does not work anymore. You don’t have to audit your vendor like a CISO would. You just have to ask the four questions in the action box below. If they can’t answer, you know exactly where your data is going to be in 18 months.

$ vendor_risk_email_template

List every SaaS vendor that touches your customer/patient/client data. Email each one this:
1. What is your incident notification SLA?
2. Do you carry cyber insurance and what's the limit?
3. When was your last SOC 2 Type II audit?
4. Do you encrypt our data at rest with customer-managed keys?
No answer in 5 business days = migration list.

STORY_06 // SILENT_RANSOM_GROUP // LAW_FIRMS

The IT guy on the phone wasn't IT.

Picture a senior partner at a regional law firm. Mid-week. Mid-afternoon. The phone rings on his direct line. The caller knows his name. Knows the firm’s name. Knows the practice management software they use. Says he’s calling from IT support because there’s been a problem with the case management database and he needs the partner to install a quick remote-access tool so they can sort it out before billing runs tonight.

The partner installs the tool. The “IT guy” walks him through where to click. In ten minutes the attacker has direct access to the partner’s machine. In an hour they have access to every client file on the network. In a day they’ve exfiltrated the firm’s entire matter database. No malware. No ransomware. No encryption. Nothing to detect.

That’s the Silent Ransom Group. Also tracked as Luna Moth. Also tracked as Chatty Spider. UNC3753 if you’re reading Mandiant’s reports. On May 19 they added a new victim to their leak site: Barclay Damon, a full-service law firm with offices across New York and the northeastern states. No ransom amount listed. No data samples leaked yet. Just the name, sitting on the leak site alongside the names of about 38 other US law firms that didn’t pay.

“Our team employs a variety of methods, and when We target an organization, We use every possible method.”

Silent Ransom Group, statement to DataBreaches.net

The FBI issued Private Industry Notification 20250523-001 specifically about this group last year. Their methods include phone-based pretexting like the scenario above. They also send a person physically to the firm, posing as IT, who plugs in a USB drive and walks out with the data. SRG specifically targets law firms because privileged client data carries unusual extortion leverage. And because law firms historically pay.

Per BakerHostetler’s 2026 incident response report, the typical law firm ransomware payout is around $450,000. The highest they tracked was $1.9 million. Halcyon counted over 200 ransomware incidents against US law firms between 2025 and early 2026. INC Ransom claimed ten different firms in a single 48-hour window earlier this year.

What this trick exploits isn’t naivete. It’s hierarchy. Senior attorneys outrank IT staff in most firms. When the attorney is on the phone with someone who sounds like IT and knows the right vocabulary, the attorney does what they think IT is asking them to do. That’s how this works. Every time. The fix is a written policy that overrides the hierarchy.

$ written_policy_this_week

"No employee will EVER be asked by IT to install remote-access software, run a command in PowerShell, or grant screen-sharing during an unscheduled phone call. If you receive such a call - even from someone who knows your name, your firm, and your software - hang up. Call IT back at the number in the firm directory. No exceptions. No urgency override."

STORY_07 // YELLOWKEY // CVE-2026-45585

The encrypted laptop wasn't encrypted.

A traveling dental hygienist drives to a continuing education seminar in Charlotte. Hotel parking lot. Laptop bag locked in the trunk. She comes out three hours later. Window’s broken. Bag is gone. She makes the call to the practice. “It’s okay, it’s encrypted with BitLocker.” That used to be a true sentence.

On May 19, the same researcher who dropped the Defender exploits (“Nightmare Eclipse,” again) published a working proof of concept for YellowKey. Take a powered-off Windows 11 or Server 2025 laptop. Plug in a specially prepared USB drive. Boot into Windows Recovery Environment. Hold CTRL during boot. You now have a command prompt with full read/write access to the BitLocker-encrypted drive.

The trick uses NTFS transactional logging in the recovery environment. The crafted USB drive forces the recovery shell to spawn against an already-unlocked BitLocker volume. Microsoft confirmed it. Assigned CVE-2026-45585. Shipped a manual mitigation script on May 20. No permanent patch yet.

“The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance.”

Microsoft Security Advisory, May 20, 2026

Here’s the thing about BitLocker on a modern business laptop. It defaults to TPM-only mode. No PIN. No password. The chip on the motherboard unlocks the drive automatically the moment Windows starts to boot. That’s convenient. It’s also exactly the configuration YellowKey exploits.

Every dental hygienist running scans at a remote screening event. Every law firm partner with a laptop in their car on Friday afternoon. Every municipal field inspector. Every motorsports venue with media credential laptops getting handed out and handed back. Every device that leaves your office is a YellowKey target if BitLocker is configured the default way.

The fix is a startup PIN. Six digits. Type it in when the laptop boots. It’s mild friction. It moves you from “the thief gets the data” to “the thief gets a paperweight.” Worth it.

$ enable_bitlocker_pin

Admin PowerShell on every traveling laptop:
manage-bde -protectors -add C: -TPMAndPIN
Or in Intune: Configuration Profile → Endpoint Protection → Windows Encryption → "Require startup PIN with TPM"
Then apply MS's mitigation script for CVE-2026-45585.
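Before pushing the PIN, it helps to know which laptops are actually in the TPM-only state. Here is an added audit script (ours, not from the briefing) that lists the protectors on the OS volume, flags TPM-only configurations, and reads the UseTPMPIN policy value that decides whether the manage-bde command above will even be accepted. It assumes the built-in BitLocker module and an elevated prompt; it reports only.

```powershell
# Added example (not from the briefing): audit whether a laptop's OS volume relies
# on a TPM-only protector, the configuration the briefing says YellowKey targets.
# Uses the built-in BitLocker module (Get-BitLockerVolume). Run as administrator.
function Test-BitLockerStartupPin {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Protector types that demand something beyond the TPM before Windows boots
    $pinTypes = @('TpmPin', 'TpmPinStartupKey')
    $hasPin   = [bool]($types | Where-Object { $pinTypes -contains $_ })
    $tpmOnly  = ($types -contains 'Tpm') -and -not $hasPin

    # Policy check: HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMPIN
    # 0 = PIN not allowed, 1 = PIN required, 2 = PIN allowed; absent = OS default.
    # If it is 0, the manage-bde -TPMAndPIN command in the action box will be refused.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name UseTPMPIN -ErrorAction SilentlyContinue
    $pinPolicy = if ($null -eq $policy) { 'not configured' } else { $policy.UseTPMPIN }
    $finding   = if ($tpmOnly) { 'TPM-only: add a startup PIN (see action box)' } else { 'OK' }

    [pscustomobject]@{
        Volume            = $MountPoint
        Protection        = $vol.ProtectionStatus    # On means the protectors are active
        Protectors        = ($types -join ', ')
        TpmOnly           = $tpmOnly                 # $true is the YellowKey-exposed state
        RecoveryKeyExists = ($types -contains 'RecoveryPassword')
        UseTPMPINPolicy   = $pinPolicy
        Finding           = $finding
    }
}

Test-BitLockerStartupPin | Format-List
```

Check RecoveryKeyExists before adding a PIN: a volume with no recovery password and a forgotten PIN is the paperweight scenario pointed at yourself, so escrow the recovery key first.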

THE_BOTTOM_LINE

Seven stories. One pattern.

Look at what we just covered. A water authority that doesn’t know it got hit. A network backbone vulnerability rated 10.0. The free antivirus that protects every Windows computer turned into a privilege escalation tool. An email reader that runs code without anyone clicking anything. Every NC school district waking up to a ransom note on the login screen. Law firms paying half a million dollars after a single phone call. Encrypted laptops that aren’t actually encrypted if the thief knows the trick.

The connecting thread is not technical sophistication. The connecting thread is that the defenses everyone assumed were working aren’t. The vendor you trusted. The antivirus you paid for. The encryption on your laptop. The “small target” argument. None of it holds up under the May 2026 threat landscape.

The good news is that the action items in this issue are all under 30 minutes of work. The hard part is just doing them. Pick one. Do it tonight. Then pick the next one tomorrow.

Austin Eatman

Co-Founder // CyberFortify Solutions
