Information Security News | AI Aggregator

Dirty Frag is a newly disclosed Linux kernel local privilege escalation vulnerability (CVE-pending) that allows attackers to gain root access by chaining two page-cache write flaws. It affects major Linux distributions, with a public exploit already available. Discovered by Hyunwoo Kim, the vulnerability exploits the zero-copy send path, allowing unauthorized modifications to files like /etc/passwd. Immediate mitigation involves disabling affected kernel modules. Confirmed affected distributions include Ubuntu, RHEL, and Fedora.

An unknown group of hackers, dubbed "PCPJack," has targeted systems previously compromised by the cybercrime group TeamPCP. They evict TeamPCP members and deploy self-replicating code to steal credentials and send data back to their infrastructure. The PCPJack hackers focus on financial gain, reselling stolen credentials and providing access to hacked systems. They also employ phishing tactics, including fake help desk websites, to gather password manager credentials.

Ivanti has issued a critical advisory for its Endpoint Manager Mobile (EPMM) product, revealing multiple actively exploited vulnerabilities, including CVE-2026-6973, which requires admin authentication. The flaws affect only on-premises EPMM deployments. Ivanti urges immediate patch application and monitoring of access logs for exploitation signs. The company has integrated AI into its security processes to enhance vulnerability detection. Organizations are advised to review mobile device management policies and implement network segmentation.

Anthropic's Mythos model has significantly enhanced Mozilla's Firefox cybersecurity efforts, uncovering thousands of high-severity bugs, some dormant for over a decade. In April 2026, Firefox implemented 423 bug fixes, a stark increase from 31 the previous year. Mythos excels in identifying complex sandbox vulnerabilities, outperforming human researchers. While AI aids in generating code patches, human engineers still handle the final implementation. The long-term impact of AI on cybersecurity remains uncertain, with potential benefits for both attackers and defenders.

A cluster of 28 fraudulent Android apps, named CallPhantom, amassed over 7.3 million downloads before being removed from Google Play. These apps, which claimed to provide access to call histories and SMS records, delivered only randomly generated data after users paid. The campaign exploited payment methods that bypassed Google’s policies. ESET reported the apps on December 16, 2025, and noted that refunds for purchases made outside Google Play are difficult for users to obtain.

A fake Claude AI website (claude-pro[.]com) is distributing malware, specifically a DonutLoader payload followed by a previously undocumented backdoor named 'Beagle.' The site mimics the legitimate Claude site and employs malvertising techniques. The malware uses DLL sideloading, with a G DATA signed executable, and communicates with a C2 server (license[.]claude-pro[.]com) over TCP and UDP. Recommendations include downloading from legitimate sources and monitoring for specific malicious files.

An Iranian APT group, MuddyWater, masqueraded as a Chaos ransomware affiliate in a 2026 espionage operation, according to Rapid7's report from May 6. The attack began with social engineering via Microsoft Teams, leading to credential harvesting and internal access. The group established persistence using remote access tools and exfiltrated data, initiating ransom negotiations without deploying ransomware. The operation aimed to obscure state-sponsored activity, complicating attribution and emphasizing the need for thorough investigation beyond typical ransomware indicators.

A Cifas report reveals that 13% of UK employees have sold corporate logins in the past year, exposing organizations to cybercrime. The percentage is higher among senior managers (32%) and C-suite executives (43%). Malicious insider incidents accounted for 27% of insider risk losses, totaling $4.7 million. The report highlights the need for fraud-aware cultures and counter-fraud training to mitigate risks. Additionally, 460,000 compromised credentials from FTSE100 firms were found on cybercrime sites, complicating security efforts.

Palo Alto Networks disclosed a critical buffer overflow vulnerability in PAN-OS, tracked as CVE-2026-0300, with a CVSS score of 9.3. It allows unauthenticated attackers to execute arbitrary code on PA-Series and VM-Series firewalls via the User-ID™ Authentication Portal. Exploitation has been observed targeting exposed portals. Affected versions include PAN-OS 10.2 (below 10.2.7-h34), 11.1 (below 11.1.4-h33), 11.2 (below 11.2.4-h17), and 12.1 (below 12.1.4-h5). Patches are expected between May 13 and May 28, 2026. Immediate actions include restricting portal access and disabling it if unnecessary.

CISA has released guidance urging critical infrastructure operators to enhance their defenses against potential cyberattacks as part of the "CI Fortify" initiative. This guidance emphasizes the importance of isolating vital systems and ensuring recovery capabilities during crises, particularly in light of threats from China. Operators are advised to identify critical customers, maintain business continuity plans, document system operations, and collaborate with vendors to address communication dependencies. Recommendations also extend to equipment vendors and service providers to facilitate these efforts.

In early May 2026, a supply chain attack compromised DAEMON Tools software, delivering malware via trojanized installers from its official website, starting April 8. Affected versions include 12.5.0.2421 to 12.5.0.2434. The malware activates a backdoor upon execution of specific binaries, leading to data collection and targeted exploitation of high-value systems in Russia, Belarus, and Thailand. Organizations are advised to monitor for anomalous activity and block communications to the malicious domain env-check.daemontools[.]cc.

More than 119,000 Vimeo users' email addresses were exposed in a breach linked to third-party analytics vendor Anodot. The incident, first reported in April by ShinyHunters, involved a threat to release data unless a deal was made. Vimeo confirmed the breach, stating that while technical data and email addresses were taken, no video content, login credentials, or payment information was compromised. Vimeo has since disabled Anodot's access and is cooperating with law enforcement in an ongoing investigation.

Cisco Talos reported an intrusion involving the CloudZ RAT and a new Pheno plugin, active since January 2026. The attacker exploited the Microsoft Phone Link application to intercept SMS and OTP messages. The attack began with a fake ScreenConnect update, deploying a Rust-compiled loader that executed a .NET RAT. The Pheno plugin monitored Phone Link processes to log activity, enabling data exfiltration. Detection signatures and Snort rules have been established to combat this threat.

North Korean hackers have compromised the gaming platform sqgame[.]net, targeting ethnic Koreans in China by distributing backdoored software since late 2024. ESET linked the operation to the ScarCruft group. The Windows installer was clean, but an update introduced a downloader that deployed the RokRAT backdoor and BirdCall implant. On Android, two games were repackaged with malicious code. The Android BirdCall variant collects sensitive data and supports command-and-control via Zoho WorkDrive. ESET notified sqgame in December 2025, but received no response.

A sophisticated phishing campaign observed between April 14-16, 2026, targeted over 35,000 users across 13,000 organizations, primarily in the U.S. The attackers used legitimate email services and crafted messages that mimicked internal compliance communications. The multi-step process included CAPTCHA challenges and led to an adversary-in-the-middle (AiTM) attack, capturing authentication tokens. Microsoft recommends user education, advanced anti-phishing solutions, and enabling network protection to mitigate risks.

On May 1, Instructure confirmed a data breach affecting approximately 9,000 schools and 275 million individuals, including students and staff. Compromised data includes names, email addresses, student ID numbers, and user messages. The threat actor group ShinyHunters claimed responsibility, citing a Salesforce misconfiguration as the cause. Instructure does not believe that birth dates, passwords, government identifiers, or financial information were impacted. The company is investigating the incident with third-party experts.

Deniss Zolotarjovs, a Latvian national, was sentenced to 102 months in prison for his involvement in a Russian ransomware group that extorted over 54 companies, causing losses exceeding $56 million. Active from June 2021 to August 2023, he pressured victims for ransom, leveraging sensitive data, including children's health information. Arrested in Georgia in December 2023, he was extradited to the U.S. and pleaded guilty to money laundering and wire fraud in July 2025.

Progress Software issued a critical alert regarding two severe vulnerabilities in its MOVEit Automation platform, allowing authentication bypass and privilege escalation. CVE-2026-4670 enables unauthenticated access, while CVE-2026-5174 allows attackers to gain administrative rights. Affected versions include MOVEit Automation 2025.1.4 and earlier. Organizations must upgrade to secure versions (2025.1.5, 2025.0.9, 2024.1.8) immediately to prevent unauthorized access and potential breaches.

A Vietnamese-linked phishing campaign, codenamed AccountDumpling, has compromised approximately 30,000 Facebook accounts using Google AppSheet to distribute phishing emails. The emails, appearing to be from Meta Support, create urgency for users to submit appeals to avoid account deletion. Various lures, including fake job offers and account verification requests, direct victims to phishing sites. Evidence points to a Vietnamese individual behind the operation, with stolen data being sold on underground markets.

The Australian and U.S. governments, alongside international partners, issued guidance on the safe deployment of agentic AI systems, highlighting risks such as productivity losses, privacy breaches, and cybersecurity incidents. Organizations are advised to limit AI access to sensitive data, use it for low-risk tasks, and implement strict controls. The document emphasizes the need for strong governance, continuous monitoring, and human oversight to mitigate systemic risks and unexpected behaviors in AI systems.

Britain's National Cyber Security Centre (NCSC) warns of an impending "patch wave" due to AI accelerating security flaw discovery. CTO Ollie Whitehouse emphasizes that organizations must prepare for rapid software updates as vulnerabilities are uncovered more quickly. The NCSC advises prioritizing internet-facing systems, automating updates, and preparing for frequent patch cycles. The warning comes amid a rise in serious cyber incidents in the U.K., largely driven by hostile foreign states.

Canonical's web infrastructure is under a sustained DDoS attack by the pro-Iran hacktivist group 313 Team, which has claimed responsibility for the disruption affecting Ubuntu's main website and subdomains. The attack, which began on Thursday evening, has rendered the site inaccessible for over 12 hours. The group has shifted from hacktivism to extortion, threatening continued attacks unless Canonical responds to their communication. Users are unable to download Ubuntu versions or access Canonical accounts during this disruption.

Anthropic has launched Claude Security in public beta for Claude Enterprise customers, enabling AI-powered vulnerability detection in production codebases without custom tooling. Utilizing the Opus 4.7 model, it scans for vulnerabilities, validates findings to reduce false positives, and suggests patches. New features include scheduled scans, directory-level targeting, CSV/Markdown exports, webhook notifications, and persistent dismissals. This aims to enhance vulnerability coverage for enterprise security teams efficiently.

OpenAI has introduced an "Advanced Account Security" feature for ChatGPT and Codex accounts, aimed at enhancing protection against account takeover attacks. Users must employ two physical security keys or passkeys, eliminating traditional passwords and recovery options via email or SMS. This feature also restricts support access for account recovery and enforces shorter sign-in sessions. Users will receive alerts for logins and can opt out of having their conversations used for model training. The requirement for cybersecurity professionals in OpenAI's Trusted Access for Cyber program to enable this feature begins June 1.

Cybersecurity researchers have identified a Python-based backdoor, DEEP#DOOR, which establishes persistent access and steals sensitive information. It begins with a batch script that disables Windows security and extracts a Python payload. The malware communicates with a Rust-based tunneling service for remote command execution and surveillance, including keylogging and credential theft from browsers and cloud services. It employs various anti-analysis techniques and persistence mechanisms, complicating detection and remediation efforts.

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged operational technology (OT) operators to abandon implicit trust in their networks. CISA released a 28-page guide, developed with multiple federal agencies, advocating for the adaptation of zero trust principles in critical infrastructure sectors, including power and water. The guidance emphasizes designing controls under the assumption that adversaries may already be present, validating access requests based on identity, context, and risk.

Two Americans, Ryan Goldberg and Kevin Martin, were sentenced to four years in prison for their involvement in a ransomware scheme using ALPHV BlackCat, targeting over 1,000 victims in the U.S. from April to December 2023. They extorted approximately $1.2 million in Bitcoin and laundered the funds. Their actions included leaking patient data and exploiting their cybersecurity expertise for criminal gain. Co-conspirator Angelo Martino is set for sentencing in July 2026. The FBI led the investigation.