# Weekly Cybersecurity Threat Briefing — June 1, 2026
*By Kenneth Litzsey, Litzsey Tech Services*
If you run a small business and think you're too small to be a target — I need you to read this week's briefing carefully. The data is clear: 88% of ransomware attacks now target businesses with fewer than 500 employees. Criminals have done the math, and the math says small businesses are the easiest payoff. Here are the threats you need to know about this week, and — more importantly — what to do about them.
---
## 1. 🔴 cPanel Authentication Bypass — Mass Exploitation & Ransomware (CRITICAL)
**What happened:** A critical authentication bypass vulnerability in cPanel and WHM (CVE-2026-41940, CVSS 9.8) has been under mass exploitation since February. Attackers are using this flaw to gain root access to web hosting servers, deploy "SORRY" ransomware, and conscript servers into botnets. Over 1.5 million internet-facing cPanel instances were at risk, with at least 44,000 confirmed compromises.
**Who's affected:** Any business using cPanel-based web hosting — which includes a huge number of small business websites.
**Risk Level:** 🔴 CRITICAL
**What to do:**
- Contact your hosting provider immediately and ask if they've patched CVE-2026-41940
- If you self-host with cPanel, update to the latest version *today*
- Rotate all cPanel and WHM passwords
- Check your site for signs of compromise (unexpected files, redirects, or performance issues)
---
## 2. 🔴 Microsoft Patch Tuesday: 118+ Vulnerabilities & Secure Boot Deadline (HIGH)
**What happened:** Microsoft's May 2026 Patch Tuesday addressed 118+ CVEs, including 16 critical-severity vulnerabilities. Four critical flaws in Microsoft Word can be exploited just by *previewing* a malicious document — you don't even have to open it. Additionally, there's a hard deadline approaching: the Secure Boot certificate expires June 26, 2026. If your devices aren't updated before then, they may have boot issues.
**Who's affected:** Every business running Windows, Microsoft Office, or Azure services.
**Risk Level:** 🔴 HIGH
**What to do:**
- Apply May 2026 patches immediately across all Windows systems
- Pay special attention to Microsoft Word and Office updates
- Verify Secure Boot certificates are updated on all devices before the June 26 deadline
- Contact your IT provider (that's us!) if you need help checking your Secure Boot status
---
## 3. 🟠 Ransomware Groups Now Specifically Targeting Small Businesses (HIGH)
**What happened:** The Qilin ransomware group has become the most active in the world, hitting 338 confirmed victims in Q1 2026 alone. They're specifically going after HVAC companies, law firms, dental offices, and accounting practices — businesses that never expected to be targeted. They use "double extortion": stealing your data first, then encrypting it, and threatening to publish everything if you don't pay. Average recovery cost: $120,000 to $1.2 million. Average downtime: 24 days.
**Who's affected:** Small businesses across all industries, especially professional services, healthcare, and trades.
**Risk Level:** 🟠 HIGH
**What to do:**
- Ensure you have tested, offline backups (not just cloud sync)
- Enable multi-factor authentication on everything
- Train your team to recognize phishing emails — that's how most attacks start
- Have an incident response plan ready *before* you need it
- Remember: 69% of businesses that paid the ransom got hit again — paying doesn't solve the problem
---
## 4. 🟠 OAuth Phishing Bypasses MFA — "Token Bingo" Campaign (HIGH)
**What happened:** A new phishing campaign called "Token Bingo" is targeting Microsoft 365 users with a clever twist: it doesn't ask for your password at all. Instead, attackers exploit a legitimate Microsoft login feature (OAuth Device Code) to trick you into authorizing their access. You get directed to the *real* Microsoft login page, enter a code, and unknowingly give the attacker full access to your account — even if you have MFA enabled.
**Who's affected:** Any business using Microsoft 365 (which is most of you).
**Risk Level:** 🟠 HIGH
**What to do:**
- Train employees to never enter device codes they didn't generate themselves
- Be suspicious of any email asking you to visit microsoft.com/devicelogin
- Review your Azure AD/Entra ID sign-in logs for unfamiliar device code authentications
- Consider disabling Device Code Flow in your Microsoft 365 tenant if you don't use it
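
For whoever handles your IT, here is one way to do that sign-in log review. This is an added example, not part of the original briefing and not a Microsoft tool. It assumes you have exported your Entra ID sign-in logs as JSON with field names matching the Microsoft Graph signIn resource (including `authenticationProtocol`); the sample records, addresses and app names are constructed.

```python
import json

# Constructed sample shaped like an Entra ID sign-in log JSON export. Field names
# follow the Microsoft Graph signIn resource; confirm them against your own export.
# errorCode 0 means the sign-in succeeded; the non-zero value below is constructed.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2026-05-27T13:05:00Z", "userPrincipalName": "pat@example.com",
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.10", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2026-05-27T13:41:00Z", "userPrincipalName": "pat@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2026-05-28T09:12:00Z", "userPrincipalName": "sam@example.com",
     "appDisplayName": "Conference Room Display", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.10", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2026-05-29T02:30:00Z", "userPrincipalName": "lee@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 1}, "location": None},
])

def review_device_code_signins(export_json, expected_ips=(), expected_countries=()):
    """Return every device code sign-in, most urgent first, with reasons to look closer."""
    findings = []
    for rec in json.loads(export_json):
        if str(rec.get("authenticationProtocol", "")).lower() != "devicecode":
            continue  # ordinary browser or app sign-in, not the device code flow
        country = (rec.get("location") or {}).get("countryOrRegion")
        succeeded = (rec.get("status") or {}).get("errorCode") == 0
        reasons = []
        if rec.get("ipAddress") not in expected_ips:
            reasons.append("unfamiliar IP address")
        if country not in expected_countries:
            reasons.append("unfamiliar country")
        findings.append({
            "when": rec.get("createdDateTime"), "user": rec.get("userPrincipalName"),
            "app": rec.get("appDisplayName"), "ip": rec.get("ipAddress"),
            "succeeded": succeeded, "reasons": reasons,
            # Succeeded from an unfamiliar place: tokens were issued, act on this first.
            "urgent": succeeded and bool(reasons),
        })
    return sorted(findings, key=lambda f: (not f["urgent"], f["when"]))

if __name__ == "__main__":
    for finding in review_device_code_signins(SAMPLE_EXPORT, {"198.51.100.10"}, {"US"}):
        print(finding)
```

To run it on your own data, pass the text of your exported JSON file in place of `SAMPLE_EXPORT`, along with your office IP addresses and the countries your staff sign in from. If your business never uses device codes, every row it returns deserves a look.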
---
## 5. 🟠 Microsoft Defender Actively Exploited (HIGH)
**What happened:** Two vulnerabilities in Microsoft Defender itself are being actively exploited in the wild. CVE-2026-41091 (CVSS 7.8) allows attackers to escalate privileges to SYSTEM level — basically taking over the entire machine. CVE-2026-45498 is a denial-of-service bug. CISA has added both to its Known Exploited Vulnerabilities catalog, meaning federal agencies have a mandatory deadline to fix them. You should treat it just as urgently.
**Who's affected:** All Windows systems running Microsoft Defender (which is the default antivirus on every Windows machine).
**Risk Level:** 🟠 HIGH
**What to do:**
- Ensure Microsoft Defender is set to update automatically
- Verify your Defender Antimalware Platform is on the latest version
- Check Windows Update — don't postpone those security updates
---
## 6. 🟡 Drupal & Ghost CMS Under Active Attack (MEDIUM)
**What happened:** Two popular content management systems are being actively exploited. A SQL injection flaw in Drupal Core (CVE-2026-9082, CVSS 9.8) allows attackers to take over websites remotely. Meanwhile, a similar flaw in Ghost CMS (CVE-2026-26980, CVSS 9.4) has already been used to hijack 700+ websites, injecting malicious JavaScript that tricks visitors into running malware.
**Who's affected:** Businesses running websites on Drupal or Ghost CMS.
**Risk Level:** 🟡 MEDIUM (Critical if you use these platforms)
**What to do:**
- If your website runs on Drupal, update immediately — CISA's remediation deadline was May 27
- If you use Ghost CMS, update to version 6.19.1 or later
- Audit your website for unauthorized changes or injected scripts
- If you're not sure what CMS your site uses, ask your web developer
---
## 7. 🟡 Fake Purchase Order Emails Delivering Malware (MEDIUM)
**What happened:** A sustained phishing campaign is using fake purchase order emails to deliver Remcos RAT (Remote Access Trojan) malware. The emails look like legitimate procurement communications with subject lines like "Order Request: PO #SB-0407026-001." The attachments use double-extension tricks to disguise executables as documents. Once opened, the malware gives attackers remote access to your computer without dropping detectable files.
**Who's affected:** Businesses that regularly handle purchase orders, invoices, and supplier communications — so basically everyone.
**Risk Level:** 🟡 MEDIUM
**What to do:**
- Be extra cautious with email attachments, especially from unfamiliar senders
- Look for double file extensions (e.g., document.txz that's actually an executable)
- Verify unexpected purchase orders by calling the supposed sender directly
- Ensure your email security filters are up to date
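
If you want to check attachment names automatically, for example on a folder of saved attachments or in a mail filter script, the sketch below shows the logic. It is an added example, not part of the original briefing; the extension lists are a starting assumption rather than a complete set, and the file names in the usage section are constructed.

```python
import re

# Assumed starting lists; extend them to match what your business actually receives.
RUNNABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta", "lnk"}
DOCUMENT = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
ARCHIVE = {"zip", "rar", "7z", "txz", "gz", "iso", "img"}

def check_attachment(filename):
    """Return the reasons an attachment name looks disguised (empty list = none found)."""
    # Normalise case and drop trailing dots or spaces, which Windows ignores anyway.
    name = filename.strip().rstrip(". ").lower()
    # Strip each piece so "xlsx      .scr" is still read as xlsx followed by scr.
    exts = [part.strip() for part in name.split(".")][1:]
    if not exts:
        return []
    last = exts[-1]
    previous = exts[-2] if len(exts) >= 2 else None
    reasons = []
    if last in RUNNABLE:
        if previous in DOCUMENT:
            reasons.append("document extension followed by runnable extension")
        else:
            reasons.append("runnable file type")
    elif last in ARCHIVE and previous in DOCUMENT:
        # An archive named like a document often wraps the real executable.
        reasons.append("document extension followed by archive extension")
    if re.search(r"\s{3,}", filename):
        # A long run of spaces pushes the real extension out of view in many mail clients.
        reasons.append("padding spaces hide the real extension")
    return reasons

if __name__ == "__main__":
    # Constructed file names, modelled on the purchase order lure described above.
    for sample in ["PO #SB-0407026-001.pdf.exe", "Order Request.xlsx      .scr",
                   "PO_SB-0407026-001.pdf.txz", "Quote-2026.pdf", "v1.2.release-notes.pdf"]:
        print(sample, "->", check_attachment(sample) or "nothing suspicious in the name")
```

A clean result only means the name looks normal; it says nothing about what is inside the file, so the phone call to the sender still applies.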
---
## ⚡ Quick Wins for This Week
**1. Check your Secure Boot status NOW.** The June 26 certificate expiration is less than 4 weeks away. If your Windows devices aren't updated, you could face boot failures. Run Windows Update on every machine this week.
**2. Disable OAuth Device Code Flow if you don't need it.** Most small businesses don't use smart TVs or printers to log into Microsoft 365. Turning off this feature closes a phishing avenue that bypasses MFA entirely.
**3. Test your backups this week — don't just check that they exist.** With ransomware groups specifically targeting small businesses, the only guarantee you won't pay a ransom is knowing your backups actually work. Restore a test file. Verify the backup completed. Check the dates.
---
*Have questions about any of these threats? Need help checking your systems? That's what we're here for. Reach out to Litzsey Tech Services — we help small businesses stay safe without the jargon or the stress.*
*Stay safe out there,*
*Kenneth Litzsey*
*Litzsey Tech Services | litzseytech.com*
