Black Arrow Cyber Threat Intelligence Briefing 22 May 2026

Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy-to-digest round-up of the most notable threats, vulnerabilities, and cyber-related news from the last week.

Executive Summary

Authorities in the UK have warned organisations about the cyber risks of AI, both because it has elevated the risk of an attack and because of the internal risks it creates when organisations use it in their operations. While AI presents new risks, attackers are also advancing their use of more established tactics, from social engineering to exploiting vulnerabilities.

Research this week highlights the effects of cyber attacks, through the financial costs to organisations and the damage to business growth. In response, business leaders are focusing on their resilience to a cyber incident, including their business continuity plans. We highlight that, for organisations with regulatory requirements, compliance must be continuous.

We also discuss how resilience is played out in the way organisations respond to a cyber incident, and the role of a CISO in helping the business leadership team to manage the effect of an incident throughout the organisation. We describe how preparation for a cyber incident is essential, and some mistakes to avoid. Contact us to discuss how we support organisations like yours to lay the foundations to manage a cyber incident more confidently. 


Top Cyber Stories of the Last Week

Bank of England, FCA and Treasury Raise Alarm Over Frontier AI

The Bank of England, FCA and Treasury have warned UK financial services firms to strengthen cyber security controls as frontier AI (advanced AI systems at the cutting edge of capability) increases the speed, scale and cost efficiency of attacks. The authorities said current models can already exceed what a skilled practitioner could achieve, raising risks to customers, market integrity and financial stability. Boards are expected to understand the threat, invest in core defences, manage supplier risk, fix weaknesses quickly, protect data and access, and improve response and recovery planning.

https://www.infosecurity-magazine.com/news/bank-england-fca-treasury-alarm/

NCSC Publishes Guidance on Securing Agentic AI Use

The UK’s NCSC has issued new guidance on the safe use of agentic AI, meaning AI systems that can act with a degree of independence. Developed with partners in Australia, Canada, the US and New Zealand, the guidance warns that poorly controlled AI agents could access too much data, make decisions faster than people can review, or behave unpredictably. Organisations are advised to start with tightly controlled pilots, limit access to only what is necessary, monitor activity closely and ensure clear ownership, human oversight and incident response plans before wider deployment.

https://www.infosecurity-magazine.com/news/ncsc-publishes-guidance-securing/

Social Engineering Attacks Are Rising as Employee Data Becomes Easier to Exploit

Optery reports that targeted social engineering is rising, with 96% of cyber security leaders seeing an increase over the past year. Attackers are using legitimate data brokers and people search sites to find employee details, such as personal phone numbers, email addresses, job roles and home addresses, making impersonation more convincing across email, calls, texts and social media. Nearly three quarters reported credential compromise linked to these attacks, while IT and identity teams were targeted more often than executives. The research found that organisations are increasingly prioritising reduction of exposed employee data, with around 60% already using this approach and a third identifying it as a top investment priority.

https://www.biometricupdate.com/202605/social-engineering-attacks-are-rising-as-employee-data-becomes-easier-to-exploit

Mobile Phishing Is a Bigger Threat than Email Now – How to Stay Protected

Verizon’s latest data breach research shows attackers are increasingly moving from email to mobile channels such as text messages and phone calls. Based on more than 31,000 incidents and 22,000 confirmed breaches, phone-based phishing was around 40% more effective than email in simulations. Human involvement featured in 62% of breaches, while exploitation of software weaknesses rose to 31% of initial entry points. The report also highlights growing risks from unapproved AI use, with 67% of employees using personal AI accounts on company devices.

https://www.zdnet.com/article/mobile-phishing-is-a-bigger-threat-than-email-now/

Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector

Verizon’s 2026 DBIR found that exploiting unpatched vulnerabilities became the leading cause of data breaches in 2025, accounting for 31% of cases across more than 22,000 confirmed breaches. Credential abuse fell to 13%, while ransomware appeared in 48% of breaches. Patching performance also worsened, with the median time to fully fix flaws rising to 43 days. Third parties were involved in 48% of breaches, highlighting the growing risk from suppliers and cloud services. The findings underscore the urgency of prioritising vulnerability remediation and strengthening core security practices, as attack speeds increase and exposure expands through third-party and cloud dependencies.

https://www.securityweek.com/verizon-dbir-2026-vulnerability-exploitation-overtakes-credential-theft-as-top-breach-vector/

Critical Microsoft Vulnerabilities Doubled: from Exposure to Escalation

Microsoft disclosed 1,273 vulnerabilities in 2025, and critical weaknesses doubled from 78 to 157. The sharpest concern is in cloud and business platforms, where critical issues in Azure and Dynamics 365 rose from 4 to 37. Microsoft Office also saw a 234% rise in vulnerabilities, increasing the risk of staff being targeted through everyday documents and emails. The findings highlight that while patching remains essential, excessive privilege and weak identity controls are enabling attackers to escalate access and extend impact across systems and cloud environments.

https://www.bleepingcomputer.com/news/security/critical-microsoft-vulnerabilities-doubled-from-exposure-to-escalation/

Cyber Attacks Cost UK Businesses £3.7Bn in Litigation in 2025

Gallagher and the independent economic research consultancy CEBR estimate that cyber attacks cost large UK businesses £11.7bn in 2025, with shareholder litigation accounting for £3.7bn and disrupted trading a further £5.4bn. Reputational damage added £573m, alongside £339m in lost customer goodwill. While 88% of large UK businesses have cyber insurance, only 59% are insured for third-party legal claims and fewer than half for regulatory fines or GDPR penalties, leaving boards exposed to costs that can continue long after systems are restored.

https://www.uktech.news/cybersecurity/cyber-attacks-cost-uk-businesses-3-7bn-in-litigation-in-2025-20260518

Crime Increasingly a ‘Serious Barrier’ to UK Growth, Say Business Leaders

The British Chambers of Commerce reports that cyber attacks are contributing to rising crime levels that are increasingly affecting UK business growth. In a survey of 1,411 firms, 21% experienced cyber attacks in the past year, alongside wider fraud and scam activity. High-profile incidents involving major UK brands demonstrate the scale of potential impact, with significant financial losses and operational disruption. The findings highlight that cyber threats are not only a security issue but a wider economic risk, requiring sustained investment and stronger support to improve business resilience and reduce disruption to growth.

https://www.theguardian.com/uk-news/2026/may/17/crime-serious-barrier-uk-growth-business-leaders

Cyber Resilience is the New Business Continuity Plan

Cyber resilience is becoming central to business continuity as disruption increasingly affects operations, customers, compliance and suppliers at the same time. Security incidents, cloud outages, identity compromise and supplier failures can quickly spread across connected systems. Effective continuity planning now depends on understanding the organisation’s most critical processes, the systems and suppliers they rely on, and how quickly they must recover. Plans should be tested against realistic scenarios, including ransomware and cloud failure, to ensure critical operations can continue when key systems or data cannot be fully trusted.

https://www.securityweek.com/cyber-resilience-is-the-new-business-continuity-plan/

Cyber Threats Push SMBs to Spend More on Security

Global market research and advisory firm IDC has found that 60% of small and medium-sized businesses expect to increase cyber security spending over the next 12 months as threats increase and AI adoption accelerates. However, many remain reactive, with informal security ownership, limited planning and gaps in staff training. Nearly half say keeping up with new threats is their biggest concern, while 84% of micro businesses and 65% of small businesses are unprepared or only taking early steps to manage AI-related risks, including more convincing phishing and deepfake scams.

https://www.helpnetsecurity.com/2026/05/21/idc-smbs-cybersecurity-spending-report/

When Compliance Isn’t Continuous, That’s a Security Risk

Manual governance, risk and compliance (GRC) processes are becoming a growing security risk as organisations struggle to keep pace with regulation. While 95% have introduced some automation, only 4% have fully automated the process. The burden is significant, with 83% of security leaders reporting delays from manual tasks and 58% spending over 2,000 hours a year collecting evidence. With 72% managing six or more compliance frameworks, delayed control testing and policy updates can leave leadership with an outdated view of cyber security risk, reinforcing the need for continuous monitoring of controls.

https://www.scworld.com/perspective/when-compliance-isnt-continuous-thats-a-security-risk

Taking Care of Business: The CISO’s Role in a Cyber Crisis

In a cyber crisis, the CISO’s role expands beyond managing the immediate response to helping the whole organisation protect operations, reputation and trust. Effective preparation means having clear escalation routes, tested crisis plans, defined responsibilities and joined-up communications across legal, compliance, HR, PR, business continuity and recovery teams. During and after a major incident, CISOs must translate complex security issues into business impact, support evidence gathering and regulatory obligations, guide recovery and ensure lessons learned strengthen future resilience.

https://www.techtarget.com/searchsecurity/tip/Taking-care-of-business-The-CISOs-role-in-a-cyber-crisis

Four Incident Response Mistakes That Slow Recovery and Raise Breach Costs

Organisations can lose valuable time and face higher breach costs when incident response plans are unclear, untested or disconnected from legal, insurance and specialist response teams. Common mistakes include negotiating supplier contracts during a crisis, taking rushed actions that destroy evidence, failing to involve legal advisers early, and overlooking cyber insurance notification requirements. These gaps can delay containment, prolong business disruption and increase legal or financial exposure. Regularly tested plans, agreed response roles and pre-arranged expert support help organisations recover faster while preserving critical evidence.

https://www.msspalert.com/native/four-incident-response-mistakes-that-slow-recovery-and-raise-breach-costs



Threats

Ransomware, Extortion and Destructive Attacks

When ransomware gets physical: cybercriminals turn to threats of violence

The economics of ransomware 3.0 | CSO Online

Instructure cyberattack reignites ransom payment debate | TechTarget

When ransomware hits, confidence doesn’t restore endpoints - Help Net Security

The Gentlemen Ransomware Attacks Windows, Linux, NAS, BSD, and ESXi Attacks

ISMG Editors: Should We Trust Ransomware Gangs?

Cybercrime service disrupted for abusing Microsoft platform to sign malware

Microsoft disrupts cybercrime service offering malware disguised as legitimate software - Nextgov/FCW

Microsoft disrupts alleged malware-signing operation used by ransomware gangs

Cybersecurity Breaches Survey: Why Phishing Now Beats Ransomware – And What To D... | SC Media UK

Ransomware and Destructive Attack Victims

JLR records £244m post-tax loss after being hit by tariffs and cyber attack | Autocar

JLR Profit Drops 99 Percent After Cyber-Attack | Silicon UK Tech

M&S profits slump 25% after cyber attack hits sales - Sharecast.com

7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand - SecurityWeek

Foxconn Confirms Cyberattack, Security Experts Discuss | Security Magazine

Security pros doubt Canvas attackers really deleted stolen student data

Instructure cyberattack reignites ransom payment debate | TechTarget

FBI warns students and staff that ShinyHunters may come knocking after Canvas breach

Phishing & Email Based Attacks

Social engineering attacks are rising as employee data becomes easier to exploit | Biometric Update

Mobile phishing is a bigger threat than email now - how to stay protected | ZDNET

Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing

Public Instagram posts provide raw material for AI phishing campaigns - Help Net Security

Phishing With Real Bait: Company Messaging Tools Reel in Scam Victims

INTERPOL ‘Operation Ramz’ seizes 53 malware, phishing servers

201 arrested in INTERPOL disruption of phishing and fraud networks - Help Net Security

Interpol leads cybercrime crackdown across 13 countries in Middle East, North Africa | CyberScoop

Researchers Warn CypherLoc Scareware Has Targeted Millions of Users - Infosecurity Magazine

Cybersecurity Breaches Survey: Why Phishing Now Beats Ransomware – And What To D... | SC Media UK

The New Phishing Click: How OAuth Consent Bypasses MFA

Other Social Engineering

Social engineering attacks are rising as employee data becomes easier to exploit | Biometric Update

Public Instagram posts provide raw material for AI phishing campaigns - Help Net Security

Attackers bypass traditional security tools with ‘user driven’ attacks - BetaNews

Hackers Bypass Security Tools to Target Users Directly - Infosecurity Magazine

Typosquatting Is No Longer a User Problem. It's a Supply Chain Problem

Phishing With Real Bait: Company Messaging Tools Reel in Scam Victims

Researchers Warn CypherLoc Scareware Has Targeted Millions of Users - Infosecurity Magazine

2FA/MFA

Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing

The New Phishing Click: How OAuth Consent Bypasses MFA

Microsoft is officially killing SMS verification for personal accounts | PCWorld

Artificial Intelligence

Tenable Warns AI Adoption Is Outpacing Governance As Cloud Exposure Risks Surge

Bank of England, FCA and Treasury Raise Alarm Over Frontier AI - Infosecurity Magazine

NCSC Publishes Guidance on Securing Agentic AI Use - Infosecurity Magazine

NCSC Warns Organisations Not To Rush Into Agentic AI

Public Instagram posts provide raw material for AI phishing campaigns - Help Net Security

Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence

The Boring Stuff is Dangerous Now

Most Organizations Use AI Agents for Sensitive Security Tasks - Infosecurity Magazine

The dual-threat landscape and evolution of digital workers - SiliconANGLE

One in 33 Employees Is Driving Nearly a Fifth of All Workplace AI Activity and Most Companies Are Only Just Waking Up to It - IT Security Guru

AI Raises the Bar on Vulnerability Awareness and Secure-by-Design Soft - Infosecurity Magazine

Cyber Pros Can't Decide If AI Is a Good or a Bad Thing

OpenAI Confirms Security Breach Via TanStack npm Supply Chain Attack - Cyber Security News

TeamPCP hackers advertise Mistral AI code repos for sale

G7 Countries Release AI SBOM Guidance - SecurityWeek

'Claw Chain' OpenClaw Flaws Allow Sandbox Escape, Backdoor Delivery - SecurityWeek

AI infrastructure is cracking under sovereignty demands - Help Net Security

5 Steps to Managing Shadow AI Tools Without Slowing Down Employees

Mythos Proves Potent in Vulnerability Discovery, Less Convincing Elsewhere - SecurityWeek

Anthropic's Mythos is evolving faster than expected, reports AI safety agency | ZDNET

Agentic AI opens the door to identity breach risk - CIR Magazine

ICO Publishes Five-Step Plan to Counter Emerging AI-Powered Attacks - Infosecurity Magazine

AI shrinks vulnerability exploitation window to hours - Help Net Security

Employee’s AI Shortcut Triggers SEC Filing — Boards, Take Note

Trump to sign order on AI oversight as security fears mount among supporters | Tacoma News Tribune

Linus Torvalds admits he has a 'love-hate relationship with AI' | ZDNET

AI can find bugs and flaws, but don't forget the cybersecurity basics

AI is drowning software maintainers in junk security reports - Help Net Security

British public deeply fearful of AI – with one-in-five even thinking it will lead to civil unrest | IT Pro

Agent AI is Coming. Are You Ready?

Bots/Botnets

Russian APT Turla builds long-term access tool with Kazuar Botnet evolution

Careers, Roles, Skills, Working in Cyber and Information Security

Upscale vs. Upskill: The Real Cybersecurity Gap

Cloud/SaaS

Tenable Warns AI Adoption Is Outpacing Governance As Cloud Exposure Risks Surge

Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing

US cyber agency CISA exposed reams of passwords and cloud keys to the open web

Microsoft Self-Service Password Reset abused in Azure data theft attacks

Google Cloud suspended major customer Railway.com without cause, causing outage

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Do fear the Reaper - stealer swipes macOS users' passwords, wallets, then backdoors them

Transit Finance hacked for $1.88 million

FBI: Americans lost over $388 million to scams using crypto ATMs in 2025

Cyber Crime, Organised Crime & Criminal Actors

Crime increasingly a ‘serious barrier’ to UK growth, say business leaders | Crime | The Guardian

When ransomware gets physical: cybercriminals turn to threats of violence

Cyber attacks drive £3.7bn in shareholder litigation costs for UK businesses, Gallagher research finds - Reinsurance News

TeamPCP and BreachForums Hackers Running $1,000 Contest for Supply Chain Attacks

B1ack's Stash Marketplace Gives Away 4.6 Million Stolen Credit Cards - SecurityWeek

Fired hacker twins forget to end Teams recording, capture own crimes - Ars Technica

Most dark web activity revolves around a handful of topics - Help Net Security

Data Breaches/Leaks

US cyber agency CISA exposed reams of passwords and cloud keys to the open web

Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt

OpenAI caught in TanStack npm supply chain chaos after employee devices compromised

Hackers threaten to leak Mistral files online — AI giant confirms breach, but not what data is involved | TechRadar

Millions Impacted Across Several US Healthcare Data Breaches - SecurityWeek

Gîtes de France cyberattack: 389,000 clients affected in France booking data breach

Data Protection

ICO Publishes Five-Step Plan to Counter Emerging AI-Powered Attacks - Infosecurity Magazine

Data/Digital Sovereignty

AI infrastructure is cracking under sovereignty demands - Help Net Security

Poland builds its own Signal amid security concerns

Encryption

Microsoft backpedals: Edge to stop loading passwords into memory

Fraud, Scams and Financial Crime

B1ack's Stash Marketplace Gives Away 4.6 Million Stolen Credit Cards - SecurityWeek

FBI: Americans lost over $388 million to scams using crypto ATMs in 2025

INTERPOL ‘Operation Ramz’ seizes 53 malware, phishing servers

201 arrested in INTERPOL disruption of phishing and fraud networks - Help Net Security

Interpol leads cybercrime crackdown across 13 countries in Middle East, North Africa | CyberScoop

Game over for 74 suspected scammers after Dutch cops plastered their faces on billboards - Help Net Security

How AI can trick you into making fake payments - 5 red flags | ZDNET

Identity and Access Management

Agentic AI opens the door to identity breach risk - CIR Magazine

Insider Risk and Insider Threats

Fired hacker twins forget to end Teams recording, capture own crimes - Ars Technica

Law Enforcement Action and Take Downs

INTERPOL ‘Operation Ramz’ seizes 53 malware, phishing servers

201 arrested in INTERPOL disruption of phishing and fraud networks - Help Net Security

Interpol leads cybercrime crackdown across 13 countries in Middle East, North Africa | CyberScoop

Fired hacker twins forget to end Teams recording, capture own crimes - Ars Technica

Game over for 74 suspected scammers after Dutch cops plastered their faces on billboards - Help Net Security

London's police asked Big Tech for comms data over 700,000 times last year

Linux and Open Source

Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’

9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros

DirtyDecrypt: PoC Released for yet another Linux flaw

Debian 13.5 point release lands with security fixes, bug patches - Help Net Security

Linux kernel flaw opens root-only files to unprivileged users

Exploit released for new PinTheft Arch Linux root escalation flaw

Malware

Do fear the Reaper - stealer swipes macOS users' passwords, wallets, then backdoors them

Cybercrime service disrupted for abusing Microsoft platform to sign malware

Microsoft disrupts cybercrime service offering malware disguised as legitimate software - Nextgov/FCW

Microsoft disrupts alleged malware-signing operation used by ransomware gangs

Gremlin Stealer Evolves into Modular Threat - Infosecurity Magazine

Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution

First Shai-Hulud Worm Clones Emerge - SecurityWeek

New macOS infostealer impersonates Apple, Microsoft, and Google in a single attack chain - Help Net Security

Russian APT Turla builds long-term access tool with Kazuar Botnet evolution

TanStack Details Sophisticated npm Supply Chain Attack That Compromised 42 Packages - InfoQ

Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

New Shai-Hulud malware wave compromises 600 npm packages

Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack - SecurityWeek

GitHub confirms breach of 3,800 repos via malicious VSCode extension

'This reveals a broader security problem': Experts warn a key Microsoft legacy tool is still being abused to launch malware campaigns | TechRadar

Ukraine identifies infostealer operator tied to 28,000 stolen accounts

Valve removes free horror game from Steam after players discover it contains malware that steals your data - PC Guide

Mobile

Mobile phishing is a bigger threat than email now - how to stay protected | ZDNET

Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices

Android Malware Used Fake Apps to Charge Users in Mass Billing Scam - Infosecurity Magazine

Outages

Alleged Huawei zero-day blamed for the 2025 Luxembourg telecom crash

Passwords, Credential Stuffing & Brute Force Attacks

Do fear the Reaper - stealer swipes macOS users' passwords, wallets, then backdoors them

US cyber agency CISA exposed reams of passwords and cloud keys to the open web

Microsoft backpedals: Edge to stop loading passwords into memory

Microsoft Self-Service Password Reset abused in Azure data theft attacks

You’re using a password manager, but you’re storing everything wrong

Regulations, Fines and Legislation

PYMNTS | UK Bills Target Late Payments and Cybersecurity Threats

MPs want social media treated more like unsafe toys than harmless apps

FCC walks back router update ban before it bricks America's network security

UK: The King’s Speech 2026 – Cybersecurity at the Forefront | DLA Piper - JDSupra

Mozilla warns UK: Breaking VPNs will not magically fix Britain's age-check mess

Trump to sign order on AI oversight as security fears mount among supporters | Tacoma News Tribune

Congress Puts Heat on Instructure After Canvas Outage

UK begins antitrust inquiry into Microsoft's business software ecosystem

Social Media

Public Instagram posts provide raw material for AI phishing campaigns - Help Net Security

MPs want social media treated more like unsafe toys than harmless apps

Software Supply Chain

Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility - SecurityWeek

TanStack Details Sophisticated npm Supply Chain Attack That Compromised 42 Packages - InfoQ

Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

New Shai-Hulud malware wave compromises 600 npm packages

Developer Workstations Are Now Part of the Software Supply Chain

Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt

TeamPCP and BreachForums Hackers Running $1,000 Contest for Supply Chain Attacks

Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack - SecurityWeek

GitHub confirms breach of 3,800 repos via malicious VSCode extension

TeamPCP breached GitHub's internal codebase via poisoned VS Code extension - Help Net Security

Supply Chain and Third Parties

Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility - SecurityWeek

Typosquatting Is No Longer a User Problem. It's a Supply Chain Problem

OpenAI caught in TanStack npm supply chain chaos after employee devices compromised

From exposure to assurance: how data signals are reshaping supply chain security

America’s Next National Security Supply Chain Crisis Is Already Starting






Vulnerability Management

Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector - SecurityWeek

Q&A: Why Vulnerability Scans Are Giving Businesses a False Sense of Security - IT Security Guru

AI shrinks vulnerability exploitation window to hours - Help Net Security

Critical Microsoft Vulnerabilities Doubled: From Exposure to Escalation

The Boring Stuff is Dangerous Now

Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’

Ouroboros of cybersecurity is confirmed as the AI vulnerability disclosure cycle eats itself | TechFinitive

AI is drowning software maintainers in junk security reports - Help Net Security

Windows Zero-Day Barrage Continues After Patch Tuesday

Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility - SecurityWeek

Google's Surge in Chrome Vulnerability Discoveries Likely Driven by AI - SecurityWeek

Microsoft to automatically roll back faulty Windows drivers

Cyber Pros Can't Decide If AI Is a Good or a Bad Thing

AI can find bugs and flaws, but don't forget the cybersecurity basics

HackerOne takes an axe to its bug bounty rewards

Linus Torvalds admits he has a 'love-hate relationship with AI' | ZDNET

Vulnerabilities

Microsoft Patches Exploited UnDefend and RedSun Defender Zero-Days - SecurityWeek

Microsoft Warns of Two Actively Exploited Defender Vulnerabilities

Windows Zero-Day Barrage Continues After Patch Tuesday

CVE-2026-42897: Microsoft confirms active exploitation of Exchange Server zero-day

Microsoft rejects critical Azure vulnerability report, no CVE issued

New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released

Unpatched Windows zero-day from 2020 gives hackers full system access | PCWorld

Cisco warns of an actively exploited SD-WAN flaw with max severity | CSO Online

Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access

Hackers bypass SonicWall VPN MFA due to incomplete patching

Attackers are bypassing MFA on SonicWall VPNs because something was wrong with previous fix

The 4th Linux kernel flaw this month can lead to stolen SSH host keys | ZDNET

Critical Linux Kernel Flaw 'ssh-keysign-pwn' Exposes SSH Keys and Shadow Passwords

Exploit available for new DirtyDecrypt Linux root escalation flaw

Exploitation of Critical NGINX Vulnerability Begins - SecurityWeek

Critical flaw in software powering a third of the internet is already being exploited - free checker now available - IT Security Guru

Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws

Security Researchers, Aided By Anthropic's Mythos, Claim To Have Breached macOS

Max-severity flaw in ChromaDB for AI apps allows server hijacking

Debian 13.5 point release lands with security fixes, bug patches - Help Net Security

Dell confirms its SupportAssist software causes Windows BSOD crashes

Chrome 148 Update Patches Critical Vulnerabilities - SecurityWeek

Google Project Zero Discloses Zero-Click Exploit Chain for Pixel 10 Devices

This Chrome flaw could hand hackers the keys to your browser

Google accidentally exposed details of unfixed Chromium flaw

Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence

'Claw Chain' OpenClaw Flaws Allow Sandbox Escape, Backdoor Delivery - SecurityWeek

TrendAI Patches Apex One Zero-Day Exploited in the Wild - SecurityWeek

Critical Wordpress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks


Sector Specific

Industry specific threat intelligence reports are available.

Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.

  • Automotive

  • Construction

  • Critical National Infrastructure (CNI)

  • Defence & Space

  • Education & Academia

  • Energy & Utilities

  • Estate Agencies

  • Financial Services

  • FinTech

  • Food & Agriculture

  • Gaming & Gambling

  • Government & Public Sector (including Law Enforcement)

  • Health/Medical/Pharma

  • Hotels & Hospitality

  • Insurance

  • Legal

  • Manufacturing

  • Maritime & Shipping

  • Oil, Gas & Mining

  • OT, ICS, IIoT, SCADA & Cyber-Physical Systems

  • Retail & eCommerce

  • Small and Medium Sized Businesses (SMBs)

  • Startups

  • Telecoms

  • Third Sector & Charities

  • Transport & Aviation

  • Web3


Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog, also available on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to external articles are provided for general interest and awareness only. Linking to or reposting external content does not constitute endorsement of or by any organisation, service, or product. We do not control and are not responsible for the content, security, or availability of external websites or links. Full credit is given to the original authors and sources. E&OE.
