Cybersecurity Headlines

Foxconn confirms factory attacks, BitLocker zero-day accesses protected drives, MDASH patches Windows flaws

7 min
May 14, 2026
Summary

This episode covers major cybersecurity incidents including Foxconn's ransomware attack affecting Apple, Intel, Google, Dell, and NVIDIA; critical BitLocker zero-days that bypass Windows encryption; and Microsoft's new AI system MDash that identified 16 Windows vulnerabilities. Additional stories highlight emerging threats in supply chain attacks, AI-driven security tools, and ransomware-as-a-service operations.

Insights
  • AI-assisted vulnerability discovery is becoming mainstream security practice, with Microsoft's MDash identifying critical flaws at scale using 100+ specialized agents
  • Software package registries are evolving from malware vectors into covert data exfiltration channels, representing a new supply chain attack paradigm
  • BitLocker encryption is vulnerable to TPM-only configurations through Windows recovery environment exploitation, requiring immediate patching and architectural review
  • Ransomware-as-a-service operations are becoming increasingly structured with specialized roles and affiliate models, indicating professionalization of the threat landscape
  • European organizations are seeking domestic AI security alternatives to avoid dependence on US-controlled systems, creating market opportunities for regional providers
Trends
  • AI-driven vulnerability discovery and validation becoming standard in enterprise security operations
  • Package registry abuse shifting from malware delivery to covert data exfiltration infrastructure
  • Geopolitical fragmentation of AI security tools with European alternatives to US-based systems
  • Ransomware operations professionalizing with structured RaaS models and specialized team roles
  • Zero-day exploits targeting encryption bypass rather than traditional code execution vectors
  • Supply chain attacks expanding beyond software dependencies to hardware manufacturing
  • Model Context Protocol (MCP) emerging as new attack surface for AI-integrated systems
  • Researcher-disclosed exploits accelerating through AI-assisted development tools
Companies
Foxconn
Confirmed cyber attack on North American factories by Nitrogen Ransomware Group, with 8TB of data stolen including cu...
Microsoft
Unveiled MDash, an AI system using 100+ agents to discover and validate Windows vulnerabilities, patching 16 flaws in...
Apple
Customer data potentially compromised in Foxconn ransomware attack affecting confidential files
Intel
Customer data potentially compromised in Foxconn ransomware attack affecting confidential files
Google
Customer data potentially compromised in Foxconn ransomware attack affecting confidential files
Dell
Customer data potentially compromised in Foxconn ransomware attack affecting confidential files
NVIDIA
Customer data potentially compromised in Foxconn ransomware attack affecting confidential files
Mistral AI
Developing cybersecurity-focused AI model for European banks as alternative to US-restricted access systems
Anthropic
Mentioned as competitor in AI-driven cybersecurity efforts alongside OpenAI and Microsoft's MDash
OpenAI
Mentioned as competitor in AI-driven cybersecurity efforts alongside Anthropic and Microsoft's MDash
Apache Software Foundation
Doris and Pinot projects affected by MCP server vulnerabilities allowing SQL injection and data theft
Alibaba
RDS-MCP vulnerability disclosed; company reportedly declined to patch flaw exposing sensitive metadata
Akamai
Researcher uncovered three major MCP server vulnerabilities in Apache, Pinot, and Alibaba systems
Check Point
Analyzed leaked internal data from ransomware group The Gentleman after breach of their backend systems
Socket
Researchers uncovered GemStuffer campaign abusing RubyGems registry for data exfiltration
KBOW
Researchers disclosed critical Exim mailer RCE vulnerability and noted AI-assisted exploit development
People
Sarah Lane
Hosted and reported the cybersecurity headlines episode
Chaotic Eclipse
Released proof-of-concept exploits for Windows zero-days Yellow Key and Green Plasma with BitLocker bypass
Arthur Mensch
Argued Europe needs domestic AI security tools to avoid dependence on foreign systems
Zeta88
Led The Gentleman ransomware-as-a-service operation with structured team and affiliate model
Quotes
"Social engineering attacks look trustworthy, a routine request, an internal email, a familiar face on a call, but Doppel sees through that disguise."
Sarah Lane, Mid-episode sponsor segment
"Europe needs domestic AI security tools to avoid dependence on foreign systems."
Arthur Mensch, Mistral AI segment
Full Transcript
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Thursday, May 14, 2026. I'm Sarah Lane.

Foxconn confirms North American factory attack. Foxconn said that several North American factories were hit by a cyber attack claimed by the Nitrogen Ransomware Group, which says it stole 8 terabytes of data, including confidential files tied to customers like Apple, Intel, Google, Dell, and NVIDIA. Foxconn said it activated incident response measures and is restoring affected operations. The ransomware group continues to pressure some victims through data theft and file encryption.

BitLocker Zero Day accesses protected drives. A researcher known as Chaotic Eclipse, or Nightmare Eclipse, released proof-of-concept exploits for two unpatched Windows Zero Days, dubbed Yellow Key and Green Plasma, including a BitLocker bypass that can expose encrypted drives through the Windows recovery environment. Security researchers confirmed parts of the Yellow Key exploit, which abuses NTFS transaction logs to launch a command shell with access to unlocked BitLocker volumes on TPM-only systems. The disclosure follows earlier leaked Windows exploits from the same researcher.

MDash patches 16 Windows flaws. Microsoft unveiled MDash, a multi-model AI system that uses more than 100 specialized agents to discover and validate software vulnerabilities in Windows code bases. The company said MDash identified 16 flaws patched in this month's Patch Tuesday release, including two critical remote code execution bugs affecting Windows networking and authentication components. This follows similar AI-driven cybersecurity efforts from Anthropic and OpenAI.

Mistral develops new AI model for banks. Bloomberg sources say Mistral AI is developing a cybersecurity-focused AI model for European banks, looking for alternatives to Anthropic's restricted access mythosystem. The company has reportedly been in talks with financial institutions concerned about AI-driven cyber threats and Europe's limited access to advanced US security models. Mistral CEO Arthur Mensch also argued that Europe needs domestic AI security tools to avoid dependence on foreign systems.

Huge thanks to our sponsor, Doppel. Social engineering attacks look trustworthy, a routine request, an internal email, a familiar face on a call, but Doppel sees through that disguise. Its AI-native platform detects and disrupts attacks across every channel while training employees to recognize deepfakes and deception. They fight relentlessly to protect your business, brand, and your people. Doppel, outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-L.com.

Exim mailer flaw allows remote code execution. A critical remote code execution flaw was disclosed in the Exim mail server affecting versions 4 through 4 compiled with GNU TLS and certain SMTP features enabled. The vulnerability stems from a use bug during TLS shutdown that could let unauthenticated attackers execute commands, access emails, and potentially access compromised environments. Researchers at KBOW said AI-assisted tools helped accelerate exploit development, though a human researcher ultimately produced the successful exploit.

Bug Hunter tracks down three massive MCP flaws. An Akamai researcher uncovered three major vulnerabilities in Model Context Protocol, or MCP, servers tied to Apache Software Foundation, Doris, Apache Pinot, and Alibaba RDS that could allow SQL injection, sensitive data theft, or full database compromise through AI-connected systems. Apache patched an SQL injection flaw in Doris. Pinot added optional OAuth protections, but still has some unresolved issues. Alibaba reportedly declined to patch its RDS-MCP vulnerability, which researchers say could expose sensitive metadata through unauthenticated requests.

Attackers weaponize RubyGems. Socket researchers uncovered a campaign dubbed GemStuffer that abuses the RubyGems package registry as a dead-drop system for exfiltrated data rather than traditional malware delivery. More than 100 malicious gems scraped public-facing UK government websites and uploaded the collected data back to RubyGems using embedded API keys, letting attackers retrieve the information without dedicated command and control infrastructure. Researchers warn it highlights how software package registries could increasingly be abused as covert data transport layers in future supply chain attacks.

Tables turn on The Gentleman. Check Point analyzed leaked internal data from the ransomware group The Gentleman after unknown hackers breached the gang's back-end systems and began selling 16 gigabytes of stolen data. The leak revealed a structured ransomware-as-a-service operation led by an operator known as Zeta88, with specialized members handling reconnaissance, credential access, negotiations, and malware development with a 90-to-10 affiliate payout model. The group is said to rely on known vulnerabilities, common ransomware tooling, and some AI-assisted developments.

All security startups will tell you they talk to potential customers. The problem is that you limit your development when you only talk to CISOs who might buy. It's not the same guidance you'll get from a CISO who advises. That's the start of our discussion on this week's episode of Defense In-Depth. Look for the episode, Why Cyber Startups Need CISO Advisors, wherever you get your podcasts.

And if you have some thoughts on the news from today or about our show in general, be sure to reach out to us. Feedback at CISOseries.com. We really want to hear from you. I am Sarah Lane reporting for the CISO Series. You stay classy out there. I mean it. Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.