Cloud AI Upgrades, Active Exploits, and ICS Patch Warnings

Cloud platforms emphasized production-ready AI and scale, as Google introduced Gemini 3.1 Pro to deepen reasoning and execution across enterprise tooling, and AWS expanded EC2 G7e GPU capacity to Tokyo for higher-throughput inference. At the same time, defenders confronted active exploitation of a critical BeyondTrust Remote Support flaw detailed by Unit 42 and a fresh wave of industrial control advisories from CISA, underscoring the need to patch, isolate management interfaces, and reduce exposure.

Platform AI And Data Pipelines Level Up

Google advanced data-centric AI operations inside its analytics stack. Autonomous embedding generation in BigQuery turns vector creation into a managed table column, integrates with VECTOR_SEARCH, and adds an AI.SEARCH helper to simplify semantic queries; the preview aims to eliminate custom pipelines and retries while exposing status and error metadata via SQL and INFORMATION_SCHEMA (BigQuery embeddings). Complementing that, a step-by-step guide shows how the Conversational Analytics API can build natural-language data agents that respect BigQuery permissions, stream intermediate artifacts such as generated SQL and Vega-Lite specs, and support stateful dialogues for follow-ups (Conversational Analytics).

For modernization beyond key-value stores, Google made a native CQL endpoint generally available so many Apache Cassandra applications can target Spanner with minimal changes, trading cluster complexity for global transactions, strongly consistent secondary indexes, and managed observability and scaling (Spanner CQL). On the compute side, AWS broadened its general-purpose portfolio with new regional availability for custom Intel Xeon 6–based instances that seek higher memory bandwidth and better price-performance for common services and AI inference workloads (EC2 M8i‑flex). Together with earlier G7e rollouts noted above, these moves point to faster prototyping and steadier production economics for AI-heavy applications.

Mobile Ecosystems: Defense Gains And New Abuse

Google summarized 2025 protections across Play and Android, citing automation and human review that blocked more than a million policy-violating submissions, scaled Play Protect scanning to hundreds of billions of daily checks, and rolled out in-call scam mitigations alongside integrity signals and expanded fraud defenses. The report also notes developer-side improvements, from policy insights in tooling to expanded pre-review checks (Security Blog). The thread emphasizes AI-assisted detection, broader enforcement, and guardrails that limit sensitive data access.

In contrast, new Android malware dubbed PromptSpy shows how threat actors can co-opt generative models for persistence and reach. ESET’s analysis describes a trojan that forwards UI dumps to an AI service, receives JSON instructions to automate taps via accessibility services, pins itself in recent apps, and captures screens and inputs—paired with VNC-based remote access and a themed dropper site for distribution (The Hacker News). This technique adapts to differing device layouts, reducing friction for operators.

Patching Priorities: From Admin Tools To VoIP

Following BeyondTrust’s Feb. 6 disclosure of a pre-auth RCE in Remote Support (CVE-2026-1731) that Unit 42 confirms is being exploited to deploy web shells, SparkRAT and VShell, defenders are urged to patch, lock down admin interfaces, and hunt for indicators of compromise. Microsoft, meanwhile, addressed a high-severity privilege escalation in Windows Admin Center (CVE-2026-26119) that could lead to domain compromise under certain conditions; the issue was fixed in version 2511 released in December 2025, and Microsoft assesses exploitation as more likely, warranting verification and access restrictions (The Hacker News).

CISA ordered rapid remediation of a hardcoded-credential flaw in Dell RecoverPoint (CVE-2026-22769) after reports of prolonged exploitation by a tracked cluster, reflecting accelerated enforcement timelines under BOD 22‑01 (BleepingComputer). Separately, Rapid7 detailed a critical overflow in Grandstream GXP1600-series VoIP phones (CVE-2026-2329) enabling unauthenticated RCE and stealthy eavesdropping; firmware 1.0.7.81 remediates the issue and should be applied promptly (BleepingComputer).

Account-takeover techniques continue to evolve as well. Researchers describe campaigns abusing the OAuth 2.0 device-code flow alongside vishing to convince users to enter codes on legitimate Microsoft pages; once completed, attackers obtain refresh tokens that grant persistent access across connected services, underscoring the value of auditing consents and tightening conditional access (BleepingComputer). In developer environments, Endor Labs reported six high-to-critical issues in the OpenClaw agent framework—including SSRF, webhook authentication gaps, and path traversal—while OX Security highlighted unpatched risks in popular VS Code-family extensions that enable local file exfiltration and arbitrary JavaScript against localhost; both analyses include PoC exploits and concrete hardening steps (CSO, Infosecurity). Why it matters: developer workstations often hold direct paths to source, secrets, and pipelines, magnifying the impact of extension or framework flaws.

Industrial Controls: Unpatched Risks And Vendor Fixes

CISA warned on multiple ICS products, starting with PUSR’s USR‑W610 Wi‑Fi router where flaws include emptyable authentication, plaintext credential handling, and lack of management frame protection; the product is end‑of‑life and will not be patched, making isolation and compensating controls essential (CISA). EnOcean’s SmartServer IoT received a fix (v4.60.023) for a remotely triggerable command injection via IP‑852 messages that could enable arbitrary command execution; CISA advises updating and reducing exposure (CISA).

Two additional advisories addressed insecure access and file disclosure paths. A high‑severity authentication weakness in Welker’s OdorEyes EcoSystem with XL4 Controller could let remote actors influence the underlying PLC without safeguards, risking process deviations; organizations should contact the vendor and harden network boundaries (CISA). Valmet patched a path traversal in DNA Engineering Web Tools (to C2022) that enables unauthenticated arbitrary file reads, potentially exposing configuration or credential material in critical environments (CISA). Across all four, CISA reiterates core practices: minimize internet exposure, segment control networks, place devices behind firewalls, use secure remote access, and assess operational impact before changes.