Cybersecurity Today

QR Phishing Explodes, Ubuntu Under Attack, CISA Warns Critical Infrastructure Prepare for Isolation

20 min
May 6, 2026
Summary

This episode covers a 146% surge in QR code phishing attacks, critical vulnerabilities in Apache HTTP servers and Linux kernels, a DDoS extortion campaign against Canonical/Ubuntu, a Taiwanese student's wireless attack on high-speed trains, and CISA's new guidance for critical infrastructure to prepare for geopolitical isolation scenarios.

Insights
  • QR code phishing bypasses traditional email security defenses by embedding malicious URLs in images that text-based scanners cannot read, leaving users vulnerable on unmanaged personal devices
  • The shift from platform-specific threats to technique adoption across the broader ecosystem means that takedowns of individual phishing services have limited impact on overall attack volume
  • Critical infrastructure operators face compounding risks when patch delivery systems themselves become attack targets, requiring supply chain resilience planning
  • Static credentials in operational technology systems create persistent vulnerabilities that grow more dangerous over time as threat actors gain sophistication
  • Nation-state preparation for potential Taiwan conflict scenarios is driving urgent guidance for critical infrastructure to operate independently of internet connectivity
Trends
  • QR code phishing emerging as fastest-growing attack vector, exploiting the gap between email defenses and mobile device security
  • CAPTCHA-gated phishing pages becoming a standard technique across the broader ecosystem despite the takedown of the dominant Tycoon 2FA platform
  • Credential theft as the primary phishing objective (94% of attacks), indicating a focus on account compromise over malware delivery
  • Critical infrastructure supply chain attacks targeting patch delivery and vendor infrastructure alongside operational technology
  • Geopolitical threat modeling driving institutional cybersecurity planning for disconnected operations and manual failover scenarios
  • OT/IT convergence creating new attack surface where radio standards and wireless protocols lack modern credential rotation practices
  • Pro-Iran hacktivist groups escalating from DDoS to extortion tactics against major technology vendors
  • Weaponization of public proof-of-concept code for known vulnerabilities accelerating exploitation timelines in the wild
Companies
Microsoft
Published Q1 phishing report showing 8.3 billion email attacks and 146% surge in QR code phishing from January to March
Apache Software Foundation
Released urgent patch for CVE-2026-23918 double free vulnerability in HTTP/2 protocol handling affecting Apache HTTP ...
Canonical
Ubuntu Linux developer under sustained DDoS extortion attack by pro-Iran 313 team, disrupting patch delivery infrastr...
Debian
Debian-derived systems use the mmap allocator as the default, making them vulnerable to the Apache HTTP Server RCE vulnerability
CISA
Released CI Fortify guidance urging critical infrastructure operators to prepare for geopolitical isolation and disco...
Taiwan High Speed Rail
Victim of wireless attack where a student triggered emergency braking on four trains using unrotated 19-year-old TETRA ...
Cybersecurity Dive
Reported QR code phishing as fastest-growing attack vector and covered CISA CI Fortify initiative and Beijing Taiwan ...
The Register
Reported on the Canonical DDoS attack by the 313 team, Linux copy-fail vulnerability exploitation, and TETRA system security ...
Bleeping Computer
Covered the Taiwan high-speed train incident and the student's use of software-defined radio to intercept TETRA communication...
Hacker News
Reported on ease of triggering denial-of-service attacks against Apache HTTP Server with single TCP connection and tw...
People
David Shipley
Host of Cybersecurity Today podcast covering cybersecurity news and trends
Lin
23-year-old Taiwanese student arrested for using software-defined radio to trigger emergency braking on four high-spe...
Jim Love
Regular news desk contributor returning Friday after David Shipley's hosting duties
Quotes
"QR codes as hacker lore? No, never was. QR code phishes are a real threat and they're hacker fact."
David Shipley, early in episode
"The user is alone with the attacker. That's what 18.7 million attacks in a single month now look like."
David Shipley, QR phishing segment
"The supply chain that delivers your patches is itself often now a target."
David Shipley, Ubuntu/Canonical section
"Operators should assume in a conflict scenario that third-party connections, telecoms, internet, vendors, service providers, upstream dependencies will be unreliable."
David Shipley, CISA CI Fortify segment
"The technology was secure when it shipped. The deployment got insecure as time passed, and the secrets stayed the same."
David Shipley, Taiwan train incident analysis
Full Transcript
Cybersecurity Today would like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity, and data threats inside Google Workspace and Microsoft 365. You can contact them at material.security.

QR code phishing surges. New urgent patch out for Apache HTTP servers. Pro-Iran crew shakes down Ubuntu's maintainer. Taiwanese student wirelessly triggers the brakes on high-speed trains. CISA tells critical infrastructure: prepare to disconnect. This is Cybersecurity Today, and I'm your host, David Shipley. Let's get started.

Microsoft Threat Intelligence published its Q1 phishing report last week. The headline number? 8.3 billion email-based phishing attacks between January and March alone. But the more interesting data is in the trend lines, and one in particular deserves more attention than it's been getting. QR code phishing. In January, Microsoft saw 7.6 million phishing attacks using QR codes. By March, that was 18.7 million. A 146% jump in three months. According to Cybersecurity Dive, that makes QR code phishing the fastest growing attack vector of the quarter. This matters because there's been a current of opinion in some corners of the cybersecurity community that QR codes as a threat are overhyped. They call it hacker lore. It's a neat trick, but it's not a real threat at scale because you can't get infected from it. It's just social engineering. That position is becoming harder to defend.

The QR code phishing technique works because corporate defenses are built for text. When a phishing email lands at a managed workstation, it runs a gauntlet. Email security gateways, URL rewriting, EDR, web proxies. The defenders have decades of practice at scanning text-based links and flagging the ones that lead somewhere bad. And even then, stuff still gets through. A QR code skips the entire gauntlet. The malicious URL is embedded inside an image. Text-based scanners can't read it. And the moment a user pulls out their phone to scan it, they leave, in many cases, the corporate-controlled environment entirely. Most phones are unmanaged. No proxy, no URL rewrite, no EDR. The user is alone with the attacker. That's what 18.7 million attacks in a single month now look like.

The Microsoft report has a few other findings worth flagging. CAPTCHA-gated phishing pages, fake security challenges that are designed to filter out automated scanners and only let real humans through to a malicious site, also hit a record high in March. The phishing-as-a-service platform Tycoon 2FA, which used to dominate that space, has been knocked back hard by a coordinated takedown effort. At the end of 2025, three-quarters of CAPTCHA-gated phishing pages ran on Tycoon 2FA. By March, it was 41%. That is a real win. But the overall volume is still climbing, which means the technique itself is now being adopted across the broader phishing ecosystem. Platforms come and go. The attack patterns, when they work, grow and persist. And the goal of all this, almost without exception, is the same. Microsoft says 94% of email phishing in March was aimed at stealing login credentials. Not delivering malware. Not delivering ransomware payloads. Just trying to capture those usernames and passwords. The keys that unlock everything else.

So if you run a security awareness program, this is a good moment. Make sure you're training people to be wary of QR codes and suspicious links. Same skepticism. Verify the source before you scan. And if you lead an organization that hasn't built QR codes into its phishing training yet, this is the data that says it's time to start. QR codes as hacker lore? No, never was. QR code phishes are a real threat and they're hacker fact.

Apache HTTP Server users have a new urgent patch to apply. The Apache Software Foundation released fixes yesterday for CVE-2026-23918, a double free vulnerability in the HTTP/2 protocol handling that scores an 8.8 on the CVSS scale. There are two outcomes here. The first is a denial-of-service attack that's almost embarrassingly easy to trigger. According to The Hacker News, one TCP connection, two HTTP/2 frames, no authentication required, and a worker process crashes. Apache respawns it, but every request on the dead worker is dropped, and the attacker can keep the pattern going indefinitely. The second is far more serious: remote code execution. The researchers who found these bugs built a working proof of concept on x86-64 architecture. The RCE path requires the Apache Portable Runtime with the mmap allocator. And here's the part that matters: that allocator is the default on Debian-derived systems and the official httpd Docker image. If you're running Apache HTTP Server version 2.4.66 with mod_http2 enabled, and given how widely HTTP/2 is turned on in production deployments, that's a lot of you. The fix is in version 2.4.67. MPM prefork is not affected. Everything else with HTTP/2 enabled is. Patch fast. The DDoS is trivial enough that opportunistic attackers will start using it within days, even if the RCE chain stays in the lab for a little while longer.

Canonical, the London-based company that develops and supports Ubuntu Linux, has been under sustained DDoS attack since Thursday evening. The main Ubuntu website has been down for stretches, along with a number of subdomains. Users haven't been able to download distributions through the usual channels or log into their Canonical accounts. Some services, like the archive and Discourse pages, have stayed up. The attack is, at the time of recording, ongoing. According to The Register, the group claiming responsibility is the Islamic Cyber Resistance in Iraq, also known as the 313 team. They're a pro-Iran hacktivist crew, and they're not subtle about their moves. After taking the Canonical site down, they followed up on Telegram with a direct message to the company: there's a simple way out. We've emailed you a session contact ID, and if you don't respond, the attack continues. That's not hacktivism anymore. That's just plain old extortion. The Register flags the same group as having hit eBay Japan, eBay US, and Bluesky in the past month alone.

Now here's where the timing gets a little uncomfortable. Earlier this week, we covered the addition of CVE-2026-31431, also known as Linux copy-fail, to CISA's Known Exploited Vulnerabilities catalog. It's a nine-year-old Linux kernel privilege escalation flaw that lets an unprivileged user walk out with root access on essentially every major Linux distribution shipped since 2017. Containerized environments are especially exposed. Active exploitation is underway. Federal civilian agencies in the U.S. have been told to patch by May 15th. The Register is also reporting that researcher proof-of-concept code is being weaponized in the wild as we speak. The patch path for Ubuntu users runs through Canonical's infrastructure, and Canonical's infrastructure has been intermittently unreachable for the better part of five days. The good news: it's not a catastrophic outage. APT mirror networks are distributed, and most operational patching pipelines don't depend on the main Ubuntu website. But for administrators working from documentation, looking up advisories, or managing Canonical accounts, the timing is rough. A lesson in all this is this: the supply chain that delivers your patches is itself often now a target. When you plan your incident response, plan for the day the patch you need may be on the other side of an attack you didn't see coming.

A 23-year-old university student in Taiwan brought four high-speed trains to a halt for 48 minutes by buying radio gear online and broadcasting a faked emergency signal. The incident happened on April 5th. The student, identified in local press by his surname Lin, was arrested on April 28th. According to Bleeping Computer, Lin used a software-defined radio, equipment he ordered online, to intercept and decode the radio parameters used by Taiwan High Speed Rail's TETRA communication system. He then programmed those parameters into the handheld radios, configured one to broadcast a high-priority general alarm signal, and triggered emergency braking on four trains in motion. For scale, Taiwan High Speed Rail runs a single 350-kilometer line down the country's western coast. Trains move at up to 300 kilometers an hour. The service carries roughly 82 million passengers a year and is partly state-supported.

Here's the detail that should stop every OT operator listening in their tracks. The TETRA system had been in service on this rail line for 19 years. Its parameters had never been rotated in that time. Static credentials in a critical infrastructure radio system across, again, 19 straight years. Authorities say that static design is what allowed Lin to bypass what they describe as seven verification layers. None of those layers mattered because the secret they were verifying against had never changed. Lin had an alleged accomplice. A 21-year-old reportedly supplied some of the critical THSR parameters. Police seized 11 handheld radios, the SDR, and a laptop from his residence. He's now facing up to 10 years in prison under Taiwan's Article 184. He's currently out on bail of about $3,300 US. His lawyer's defense is that the emergency signal transmission was accidental. Authorities have, in the polite phrasing of the report, found that allegation unconvincing.

The bigger picture beyond Taiwan is that TETRA isn't a one-country standard. It's used by police forces, transit systems, utilities, and emergency services across Europe, Asia, and parts of the Americas. The Taiwan incident is a real-world demonstration of what happens when an OT radio standard gets specified once, deployed once, and then left alone for a generation. The technology was secure when it shipped. The deployment got insecure as time passed, and the secrets stayed the same.

CISA on Tuesday released new guidance for critical infrastructure operators, urging them to prepare for the day a major cyber attack disconnects them from the world. The new initiative is called CI Fortify. It's international, modeled on the Australian government guidance published last year, and aimed at a specific scenario. Not a ransomware incident, not a vendor outage: a geopolitical crisis where operators of water systems, power grids, and pipelines need to keep delivering essential services while their digital surroundings turn actively hostile. The trigger isn't theoretical. According to Cybersecurity Dive, Western intelligence agencies have been warning that Beijing may sabotage critical infrastructure in the United States and allied countries to keep them from interfering with a potential invasion of Taiwan. The Volt Typhoon campaign, Chinese state-aligned activity caught pre-positioning inside US critical infrastructure, is the loudest signal that the groundwork has already been laid for such an attack.

CI Fortify asks operators to do two things. The first is isolation. Identify your critical customers; CISA specifically names nearby military bases as an example. Define what services you need to keep delivering to them. Identify the operational technology assets required. Build the continuity plans that let you operate off the network for weeks to months. The second is recovery. Document how your systems actually run, not how the manual says they run. Back up critical files. And the line that matters the most: practice replacing systems or transitioning to manual operations in case isolation fails and components get destroyed. The framing line to take away from this guidance is direct. Operators should assume in a conflict scenario that third-party connections, telecoms, internet, vendors, service providers, upstream dependencies will be unreliable, and that threat actors will already have some access to the operational technology network.

For Canadian listeners, this is not just an American story. Canada's critical infrastructure operates in the exact same threat environment, with many of the same vendor dependencies and many of the same Chinese state-aligned actors in the same digital neighborhoods. CI Fortify is also a useful template wherever you operate. It's worth also noting that Canada still has not passed a basic critical cyber infrastructure law and is the last G7 country to get one on the books.

And that's a fitting close for today's episode. Earlier, we talked about a single university student in Taiwan who halted four high-speed trains by exploiting parameters that hadn't been rotated in 19 years. CI Fortify is the institutional answer to a deeper version of that exact same question. What happens when your adversary isn't a curious kid who bought online radio gear, but a nation-state with years of preparation, an active geopolitical motive and a foothold already in place? The answer this guidance offers is preparation, isolation, recovery, practice. Now, while there's still time.

That's Cybersecurity Today for Wednesday, May 6, 2026. If you've been keeping track, I've now reported recently on cybersecurity stories on cars and now on trains. And if you're thinking, is he trying to complete the set by finding an aircraft cyber story so he can say hacks on planes, trains, and automobiles? You'd be 100% correct. And I wouldn't be fulfilling my role as Cybersecurity Today's resident culture critic, or my Canadian duty, without recommending you watch that movie. It'll help stave off the cyber disaster despair you may have felt after our last two stories. It's one of John Candy's best. Also, if you're thinking I probably enjoyed that QR code story a little too much, you'd also be correct. We appreciate all of your feedback. Feel free to leave a comment under the YouTube video or to drop by technewsday.com or .ca and send us a note. Thank you to everyone who has left a rating or review on their favorite podcast platform. It really helps us reach more people and it makes our day. Jim Love will be back on the news desk on Friday. I'll be back on Monday with the latest headlines. Stay safe.

Here's a question worth asking. What happens after a phishing email slips past your filters? Most email security tools only guard the front door, but attackers are already inside. Material Security is different. It's a unified detection and response platform purpose-built for Google Workspace and Microsoft 365, protecting email, files, and accounts all in one place. We're talking automated phishing remediation, account takeover containment, and sensitive data protection without alert fatigue. Find out why companies like Figma, Reddit, and Lyft trust Material to stop the threats other tools miss. See Workspace Security in action at Material.Security. That's Material.Security. And if you do contact them, take a second and say thanks for sponsoring Cybersecurity Today. Thank you.
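The QR code phishing segment above makes a detection point: the URL sits inside an image, so text-based URL scanners see nothing. The following is an editor-added illustration of one defensive triage step, not code from the podcast, Microsoft, or any vendor: a stdlib-only heuristic that flags MIME messages whose only call to action is an image with no clickable link in the text, so they can be routed to an image/QR decoding stage that a text-only scanner would skip. The sample messages, the scan-hint phrase list and the decision rule are constructed assumptions.

```python
import re
from email import message_from_string

# Any http(s) URL in the text or HTML body (href="..." included).
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Phrases that typically accompany a "scan this with your phone" lure (assumed list).
SCAN_HINTS = ("scan", "qr code", "your phone", "mobile device", "camera")


def triage_qr_phish(raw_email: str) -> dict:
    """Return what was found and whether the message should go to a QR decoder.

    Rule (an assumption for this example): image attached/inline, zero URLs in the
    text, and wording that pushes the reader to scan. Such a message carries its
    only link inside pixels, exactly the gap text-based scanners have.
    """
    msg = message_from_string(raw_email)
    text_parts, images = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text_parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        elif part.get_content_maintype() == "image":
            images.append(part.get_filename() or f"inline-{ctype}")
    body = "\n".join(text_parts)
    urls = URL_RE.findall(body)
    hints = [h for h in SCAN_HINTS if h in body.lower()]
    return {
        "images": images,
        "text_urls": urls,
        "scan_hints": hints,
        "route_to_qr_decoder": bool(images) and not urls and bool(hints),
    }


# Constructed sample 1: the QR lure pattern (image payload is a placeholder, not a real PNG).
SAMPLE_QUISH = """\
From: "IT Helpdesk" <helpdesk@example.invalid>
To: user@example.invalid
Subject: Action required: MFA re-enrolment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your MFA token expires today. Scan the QR code below with your phone to re-enrol.

--b1
Content-Type: image/png; name="mfa.png"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="mfa.png"

bm90LWEtcmVhbC1wbmc=
--b1--
"""

# Constructed sample 2: a newsletter with a logo image and a normal text link (should not flag).
SAMPLE_NEWSLETTER = """\
From: news@example.invalid
To: user@example.invalid
Subject: New blog post
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/html; charset="utf-8"

<p>See our new post: <a href="https://blog.example.invalid/post">read it here</a></p>

--b2
Content-Type: image/png; name="logo.png"
Content-Transfer-Encoding: base64

bm90LWEtcmVhbC1wbmc=
--b2--
"""

if __name__ == "__main__":
    for name, sample in (("quish", SAMPLE_QUISH), ("newsletter", SAMPLE_NEWSLETTER)):
        print(name, triage_qr_phish(sample))
```

Messages flagged with `route_to_qr_decoder` are the ones whose image should be decoded and the recovered URL fed to the same reputation checks the text links already get.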