SAMURAI CYBER WATCH
Issue #4 — May 22, 2026
Practical Cyber Intelligence for Business Leaders in Non-Superpower Nations
THIS WEEK'S BRIEFING
The Day Security Products Become the Weapon
When the tools built to defend you are the ones being exploited, the foundational assumptions of security need rethinking.
THE KEY DEVELOPMENT
The most significant story this week centers on multiple vulnerabilities discovered in Trend Micro Apex One. Reported by security-next.com on May 21, 2026, this is not simply a matter of unpatched systems. Trend Micro has acknowledged active exploitation in the wild in its official advisory, and CISA has issued its own alert alongside adding the vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. For CVE identifiers and specific impact details, please refer directly to the latest Trend Micro advisory and CISA's official page. Information is being updated continuously, and decisions should be grounded in primary sources.
For context, Apex One is an integrated endpoint protection platform deployed as an agent across tens of thousands of PCs and servers, combining antivirus, behavioral detection, and threat intelligence capabilities. If that agent itself becomes an attacker's foothold, the foundational assumption of defense collapses entirely. I do not use that as a figure of speech. I consider it a structural problem.
Further compounding this week's picture, Microsoft has acknowledged active exploitation of privilege escalation and denial-of-service vulnerabilities in Microsoft Defender in its own advisory. Two major security products confirmed as actively exploited in the same week is a moment that stands out even across my twenty-year career. It may be more accurate to say that attacker strategy has not simply changed but matured. Rather than probing weakly defended perimeters, adversaries are now setting their sights directly on the core of the defensive stack. That trend is clearly readable in this week's data.
JAPAN LENS: THE ILLUSION THAT "JAPAN IS SAFE" IS THE GREATEST RISK OF ALL
Today, May 22, 2026, Tokyo Hoso Kogyo confirmed it had fallen victim to a ransomware attack. The company operates in road paving and civil engineering. The incident may lack dramatic flair, but it is instructive. The fact that a mid-sized company operating adjacent to public infrastructure was targeted once again demonstrates that attackers are not filtering victims by industry or organizational size.
Kintetsu World Express also disclosed a cyberattack this week, specifically affecting an overseas group company. International logistics is the nervous system of global commerce, handling customers' confidential data, customs documentation, and the full visibility of supply chain movements. In this case, an overseas subsidiary served as the entry point, and that raises a pointed question about how effectively Japanese headquarters-level security governance actually reaches foreign subsidiaries in practice.
I have observed a consistent pattern over many years. Japanese organizations tend to concentrate security investment at headquarters, while overseas affiliates and subsidiaries are left operating under the optimistic assumption that serious incidents are unlikely to affect them. However, analysis of APT intrusion paths shows overwhelmingly that adversaries bypass well-fortified headquarters and route in through the periphery. This is a good opportunity to assess whether your overseas entities and affiliates are operating at the same security standard as your headquarters. And given that active exploitation of Apex One is currently ongoing, verifying the patch status of all domestic deployments of that product should be treated as an immediate top priority.
BEYOND THE EPICENTER: A MESSAGE FOR SMB LEADERS — THIS IS NOT SOMEONE ELSE'S PROBLEM
Looking at this week's incident lineup, business owners at small and mid-sized organizations might be tempted to conclude that none of it applies to them. APT campaigns, nation-state cyber espionage — the direct targets are, admittedly, often large enterprises and government bodies. That instinct, however, is a dangerous one to act on this particular week.
First, a serious SQL injection vulnerability has been discovered in Drupal, the CMS powering hundreds of thousands of websites worldwide. The vendor itself has warned that exploitation can begin within hours of a release. If your organization runs any internal or public-facing websites on Drupal, verify your update status right now.
Second, vulnerabilities have been disclosed simultaneously in both BIND 9 and Unbound. DNS is effectively the address book of your entire IT infrastructure. If it is poisoned, employees can be silently redirected to fraudulent sites for any destination they attempt to reach. Many organizations do not manage DNS servers directly, but it is well worth contacting your managed service provider to confirm how they are handling this.
Additionally, five of the seven vulnerabilities CISA added to the KEV catalog this week are associated with legacy products from 2010 or earlier, including Internet Explorer. This is a good opportunity to audit whether any aging devices or embedded systems remain connected to your network. The assumption that old systems are too obscure to be targeted is precisely the condition that makes them attractive to attackers, as this week's CISA data makes clear.
STATE ACTOR WATCH: NATION-STATE SIGNALS THIS WEEK
My practice is to distinguish clearly between evidence-based facts and the analytical judgments of research organizations when discussing nation-state attribution. Two developments stood out this week.
The first involves the APT group tracked as Webworm. According to an analysis published by ESET Research on May 20, 2026, this group has implemented a new toolset and updated intrusion techniques that significantly improve its ability to evade detection. ESET attributes the group to China-nexus activity, though this represents ESET's own attribution assessment and should not be treated as confirmed fact. Reported targets include government agencies and critical infrastructure across the Asia-Pacific region, a scope that includes Japan.
The second involves a group designated Shadow-Earth-053, which is reported to be conducting sustained intrusion operations against government and defense sector organizations across Asia by exploiting unpatched Microsoft Exchange vulnerabilities. Japan is explicitly named within its targeting scope. The campaign is designed around long-term persistence, with the deliberate goal of delaying detection while continuously exfiltrating sensitive information.
I maintain a position of political neutrality, but one observation I can state as fact based on twenty years of monitoring is this: periods of elevated geopolitical tension consistently correlate with heightened cyber espionage activity. The convergence of confirmed active exploitation in Apex One and Microsoft Defender with simultaneous reports of advancing APT capabilities in the same week is a context too coherent to dismiss as coincidence. It is context that defenders should keep clearly in mind.
DEFEND WITHOUT CHOOSING SIDES
Practical defensive actions drawn from this week's incidents
① Verify emergency patches for Apex One. With active exploitation confirmed, remaining in a state of "currently assessing" is not an acceptable posture. Consult Trend Micro's latest advisory and begin updating to the patched version today. Organizations with large internal deployments should use endpoint management tooling to conduct a bulk verification sweep.
② Audit the update status of Microsoft Defender. Confirm that Windows Update is functioning correctly and, in particular, that automatic updates have not been disabled in server environments. Privilege escalation vulnerabilities directly accelerate post-intrusion lateral movement, so early containment has a measurable impact on the scale of damage.
③ Update Drupal immediately. Take the vendor's warning about exploitation within hours at face value. I strongly recommend confirming update status with your development vendor or internal team owner before the end of this week.
④ Review your DNS infrastructure. If your organization runs BIND 9 or Unbound, prioritize updating to the fixed versions published by each respective project. If you use a managed service, contact your provider and ask directly about their remediation status. Silence from a provider is not evidence of safety.
⑤ Conduct a legacy asset inventory. The fact that many of the vulnerabilities CISA added this week are tied to products from 2010 or earlier means that old assets are being actively used in real attacks today, not in theory. Gaining full visibility into every device on your network and establishing an isolation or retirement plan for end-of-life products is the foundation of long-term defense. This should become a recurring habit, not a one-time exercise.
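The "bulk verification sweep" in ① and the asset inventory in ⑤ both come down to the same task: compare what is installed against what the vendor says is fixed, and flag anything the vendor no longer fixes at all. The script below is an added illustration of that sweep, not code from this newsletter or from any vendor. It reads a constructed inventory export (the hostnames, sites and every version number in it are made up, and the minimum fixed versions are placeholders to be replaced with the figures from the actual Trend Micro and Microsoft advisories). It also breaks the results down per site, which is how you check whether an overseas subsidiary is being held to the same standard as headquarters. The one technical point worth taking away is the version comparison: a plain string compare ranks "14.0.9876" above "14.0.12345", so versions must be compared as tuples of integers.

```python
"""Patch-status sweep over an endpoint inventory export.

Added example; not from the newsletter or any vendor. All hostnames, sites,
version numbers and fixed-version thresholds below are constructed placeholders.
"""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample export (CSV as an EDR or inventory tool might produce it).
SAMPLE_INVENTORY = """hostname,site,product,version
hq-pc-001,HQ-Tokyo,Apex One Agent,14.0.12345
hq-pc-002,HQ-Tokyo,Apex One Agent,14.0.9876
hq-srv-03,HQ-Tokyo,Microsoft Defender Platform,4.18.26040.1
sg-srv-01,Singapore-sub,Apex One Agent,14.0.12400
sg-pc-011,Singapore-sub,Microsoft Defender Platform,4.18.25100.5
jp-kiosk-7,JP-Depot,Internet Explorer,8.0.7601
"""

# PLACEHOLDER thresholds: substitute the fixed versions named in the vendor advisories.
MIN_FIXED = {
    "Apex One Agent": "14.0.12400",
    "Microsoft Defender Platform": "4.18.26040.1",
}

# Products the vendor no longer patches: any sighting is a finding on its own.
END_OF_LIFE = {"Internet Explorer"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '14.0.12345' into (14, 0, 12345) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_below(installed: str, minimum: str) -> bool:
    """True when the installed version is older than the minimum fixed version."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    # Pad with zeros so '4.18' compares equal to '4.18.0'.
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def classify(product: str, version: str) -> Optional[str]:
    """Return a finding label for one asset, or None when it needs no action."""
    if product in END_OF_LIFE:
        return "end_of_life"
    if product in MIN_FIXED:
        return "unpatched" if is_below(version, MIN_FIXED[product]) else None
    return "unknown_product"  # not in our baseline: needs a human decision


def sweep(csv_text: str) -> Tuple[Dict[str, List[str]], Dict[str, Dict[str, int]]]:
    """Classify every row; return findings by label and a per-site coverage summary."""
    findings: Dict[str, List[str]] = {"unpatched": [], "end_of_life": [], "unknown_product": []}
    per_site: Dict[str, Dict[str, int]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify(row["product"].strip(), row["version"].strip())
        site = per_site.setdefault(row["site"], {"assets": 0, "findings": 0})
        site["assets"] += 1
        if label:
            findings[label].append(row["hostname"])
            site["findings"] += 1
    return findings, per_site


if __name__ == "__main__":
    found, sites = sweep(SAMPLE_INVENTORY)
    for label, hosts in found.items():
        print(f"{label}: {', '.join(hosts) or '-'}")
    for name, counts in sites.items():
        print(f"{name}: {counts['findings']} of {counts['assets']} assets need action")
```

Point the script at your own export, replace the placeholder thresholds with the versions from the advisories, and read the per-site line first: a subsidiary with a high finding ratio is exactly the periphery that APT intrusion paths tend to exploit.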
NEXT ISSUE
Next week, we continue tracking the evolving threat landscape — including any new developments from this week's active exploitation campaigns. See you Friday.
About us: This newsletter is written from Japan — a country that has been simultaneously targeted by three nation-states (China, Russia, and North Korea) for over a decade. Two of these three (China and Russia) are UN Security Council permanent members with veto power; one is a nuclear-armed state operating outside the international rules-based order. We are not American. We are not Chinese. We have no geopolitical agenda except one: helping ordinary people and small businesses in non-superpower countries protect themselves from digital warfare they never signed up for.
Written by a Japan-based information security professional with over 20 years of experience, in collaboration with AI assistants.
© 2026 Samurai Cyber Watch. Redistribution with attribution permitted for non-commercial use.