Clouds Expand Logging And Key Controls; MOVEit Patched Amid Exploits

Coverage: 04 May 2026 (UTC)

Cloud platforms emphasized prevention and visibility today. AWS added data‑plane auditability in EventBridge, and introduced cross‑account key sharing in Payment Cryptography to simplify centralized control of sensitive cryptographic material. On the patch front, Progress released fixes for critical flaws in MOVEit Automation, while CISA said exploitation of the Linux kernel “Copy Fail” bug is already underway, as reported by BleepingComputer.

Logging and key controls deepen

AWS expanded observability by enabling data‑plane API logging for Amazon EventBridge into CloudTrail. With data‑plane calls such as PutEvents now captured, teams can audit requester identity, payload metadata, and timestamps, bringing event‑driven architectures into standard compliance and incident‑response workflows. The feature must be opted in per event bus and is available across commercial, GovCloud (US), and China regions. The added telemetry strengthens investigations into anomalous event injection and improves cross‑service correlation; it also requires review of retention and access controls so captured data aligns with governance policies.
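The practical payoff of the new telemetry is that PutEvents calls can be audited like any other CloudTrail data event. The following is an added example, not code from the brief or from AWS: it runs an allow-list audit over constructed CloudTrail-style records, flagging publishers that are not expected on a bus, buses nobody has baselined yet, and cross-account injection (requester account differing from the account that owns the bus). The record shape follows common CloudTrail fields, but the exact requestParameters layout for EventBridge data events, the bus names, and the allow-list are assumptions for illustration.

```python
"""Audit EventBridge PutEvents data-plane records from a CloudTrail export.

The records below are constructed for this example. They follow the usual
CloudTrail JSON fields (eventSource, eventName, userIdentity,
recipientAccountId, requestParameters); the exact layout of
requestParameters for EventBridge data events is an assumption.
"""
from collections import Counter

OWNER = "111122223333"  # hypothetical account that owns the event buses

# Hypothetical allow-list: which principals are expected to publish to
# each event bus. Anything else is worth an analyst's attention.
EXPECTED_PUBLISHERS = {
    "orders-bus": {f"arn:aws:sts::{OWNER}:assumed-role/OrderService/i-0abc123"},
}


def _rec(time, name, acct, arn, ip, params):
    """Build one constructed CloudTrail-like record."""
    return {"eventTime": time, "eventSource": "events.amazonaws.com",
            "eventName": name, "userIdentity": {"accountId": acct, "arn": arn},
            "sourceIPAddress": ip, "recipientAccountId": OWNER,
            "requestParameters": params}


SAMPLE_RECORDS = [
    # normal: the order service publishes to its own bus
    _rec("2026-05-04T09:12:01Z", "PutEvents", OWNER,
         f"arn:aws:sts::{OWNER}:assumed-role/OrderService/i-0abc123", "10.0.3.17",
         {"entries": [{"eventBusName": "orders-bus", "source": "orders.api",
                       "detailType": "OrderCreated"}]}),
    # suspicious: an IAM user from another account injects an OrderCreated event
    _rec("2026-05-04T09:12:44Z", "PutEvents", "999988887777",
         "arn:aws:iam::999988887777:user/contractor", "203.0.113.42",
         {"entries": [{"eventBusName": "orders-bus", "source": "orders.api",
                       "detailType": "OrderCreated"}]}),
    # unreviewed: a publish to a bus that has no allow-list yet
    _rec("2026-05-04T09:13:10Z", "PutEvents", OWNER,
         f"arn:aws:sts::{OWNER}:assumed-role/OrderService/i-0abc123", "10.0.3.17",
         {"entries": [{"eventBusName": "default", "source": "orders.api",
                       "detailType": "Heartbeat"}]}),
    # control-plane call, not a data event: ignored by the audit
    _rec("2026-05-04T09:14:00Z", "DescribeEventBus", OWNER,
         f"arn:aws:iam::{OWNER}:user/admin", "10.0.0.5", {"name": "orders-bus"}),
]


def iter_put_events(records):
    """Yield only EventBridge PutEvents data-plane records."""
    for rec in records:
        if rec.get("eventSource") == "events.amazonaws.com" and rec.get("eventName") == "PutEvents":
            yield rec


def bus_names(record):
    """Event buses targeted by one PutEvents call (default bus if unnamed)."""
    entries = record.get("requestParameters", {}).get("entries", [])
    return [entry.get("eventBusName", "default") for entry in entries]


def audit_put_events(records, expected=EXPECTED_PUBLISHERS):
    """Return one finding per (record, bus) that violates the allow-list.

    Each finding carries every reason that applies, so cross-account
    injection and an unknown publisher show up on a single row.
    """
    findings = []
    for rec in iter_put_events(records):
        identity = rec["userIdentity"]
        actor = identity.get("arn", "<unknown>")
        for bus in bus_names(rec):
            reasons = []
            allowed = expected.get(bus)
            if allowed is None:
                reasons.append("no allow-list for bus")
            elif actor not in allowed:
                reasons.append("publisher not on allow-list")
            if identity.get("accountId") != rec.get("recipientAccountId"):
                reasons.append("cross-account publish")
            if reasons:
                findings.append({"time": rec["eventTime"], "actor": actor,
                                 "source_ip": rec.get("sourceIPAddress"),
                                 "bus": bus, "reasons": reasons})
    return findings


def publisher_summary(records):
    """Count PutEvents calls per (principal, bus); useful for building the allow-list."""
    counts = Counter()
    for rec in iter_put_events(records):
        for bus in bus_names(rec):
            counts[(rec["userIdentity"].get("arn"), bus)] += 1
    return counts


if __name__ == "__main__":
    for finding in audit_put_events(SAMPLE_RECORDS):
        print(finding["time"], finding["actor"], finding["bus"], "; ".join(finding["reasons"]))
```

Run publisher_summary over a few weeks of real records before turning on the allow-list check; the allow-list is only as good as the baseline behind it, and the cross-account test is the one that needs no baseline at all.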

Separately, AWS introduced cross‑account key sharing for payment cryptography via resource‑based policies. Centralizing key material behind precise, per‑resource permissions reduces duplication and manual import/export flows across multi‑account environments, while improving lineage and auditing. Because these changes concentrate sensitive assets, administrators should design least‑privilege policies and validate cross‑account workflows before broad rollout. In regulated settings, centralization can streamline lifecycle operations without sacrificing control.
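Whether cross-account sharing reduces or increases risk depends entirely on how the resource-based policy is written. As an added illustration that is not from the brief or from AWS, the linter below checks a key policy for the properties that matter once a key is reachable from other accounts: no wildcard principal, action or resource, no untrusted accounts, no key-management operations (export, import, delete) delegated outward, and a Condition that scopes the grant. Both policies are constructed; the action names under the payment-cryptography prefix, the key ARN format and the account IDs are assumptions for illustration, not copied from AWS documentation.

```python
"""Lint a resource-based key policy for least-privilege properties.

Both policies are constructed for this example. The action names under the
payment-cryptography service prefix and the key ARN format are assumptions
for illustration, not taken from AWS documentation.
"""

WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ShareKey",
        "Effect": "Allow",
        "Principal": "*",                    # anyone
        "Action": "payment-cryptography:*",  # every operation, export and delete included
        "Resource": "*",
    }],
}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CardProcessorEncryptOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222233334444:role/CardProcessor"},
        "Action": ["payment-cryptography:Encrypt",
                   "payment-cryptography:GetKeyAttributes"],
        "Resource": "arn:aws:payment-cryptography:us-east-1:111122223333:key/EXAMPLEKEY",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}},
    }],
}

# Hypothetical: accounts permitted to use this key from outside the owning account.
TRUSTED_ACCOUNTS = {"222233334444"}

# Operations that should not be delegated cross-account by default.
KEY_MANAGEMENT_PREFIXES = ("Delete", "Export", "Import", "Put", "Restore")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Account IDs named by a Principal element; a wildcard yields {'*'}."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*":
            accounts.add("*")
        elif entry.startswith("arn:"):
            accounts.add(entry.split(":")[4])  # arn:partition:service:region:ACCOUNT:resource
        else:
            accounts.add(entry)                # bare account ID
    return accounts


def lint_key_policy(policy, trusted_accounts=TRUSTED_ACCOUNTS):
    """Return human-readable findings; an empty list means the policy passed."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        accounts = principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings.append(f"{sid}: wildcard Principal")
        for acct in sorted(accounts - {"*"} - trusted_accounts):
            findings.append(f"{sid}: principal from untrusted account {acct}")
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith("*"):
                findings.append(f"{sid}: wildcard Action {action}")
            elif action.split(":")[-1].startswith(KEY_MANAGEMENT_PREFIXES):
                findings.append(f"{sid}: key-management action {action} shared")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: wildcard Resource")
        if "Condition" not in stmt:
            findings.append(f"{sid}: no Condition (e.g. aws:PrincipalOrgID)")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, lint_key_policy(policy) or "OK")
```

The linter is deliberately strict about Condition: a cross-account grant without an organisation or source scope is the kind of policy that looks fine in a diagram and turns into a confused-deputy path later.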

Google broadened endpoint protections for clinical workflows with Chrome Enterprise Premium, integrating advanced data loss prevention, phishing and malware defenses, and granular controls to block unauthorized copy/paste, printing, or screen capture of patient data. Partnerships with Epic, Imprivata, AuthX, and Citrix aim to reduce latency, enable passwordless access, and unify web and virtualized workflows, backed by enhanced reporting and forensics for audit readiness. See the overview for healthcare integrations in Chrome Enterprise. The focus is on clinician efficiency and layered safeguards around sensitive records.

Orchestration and data‑AI pipelines scale out

Google rebranded Cloud Composer as Managed Airflow and brought Apache Airflow 3.1 to General Availability. The release adds a decoupled architecture for scalability and security, native DAG versioning, redesigned managed backfills, and event‑driven scheduling with data‑asset triggers. A built‑in Data Engineering Agent and Gemini Cloud Assist Investigations provide AI‑driven log analysis, root‑cause hints, and suggested fixes at the DAG‑run level. New declarative deployment bundles defined in YAML simplify end‑to‑end orchestration across tools like dbt, Spark, and DTS, with GitHub Actions and an IDE extension to cut setup time and reduce context switching. The result is faster troubleshooting and a lower barrier to enterprise‑grade orchestration.

AWS released incremental, ML‑based matching for Entity Resolution, eliminating full reprocessing when new data arrives. AWS reports a typical 95% reduction in processing time, with 1 million incremental records processed in under an hour and support for up to 50 million incremental records matched against 1 billion historical records. For customer 360, fraud detection, and MDM, the efficiency gains make continuous matching economically feasible. In model development, SageMaker AI added an agentic customization experience that designs experiments, prepares data, evaluates with LLM‑as‑a‑judge, and outputs reusable code artifacts for deployment on Bedrock or SageMaker endpoints, compressing months of work into days or hours and improving transparency and auditability.

To broaden access to analytics, Amazon Quick now offers Dataset Q&A, a conversational text‑to‑SQL agent that selects relevant datasets, generates engine‑aware SQL for Redshift, Athena, Aurora PostgreSQL, and Iceberg on S3, and honors row‑ and column‑level security. An Explain feature exposes the agent’s reasoning and generated SQL, supporting governance while simplifying ad hoc analysis.

Google also advanced agentic and migration‑friendly data backends with Firestore updates. Highlights include tighter links with AI Studio and external coding agents via Firestore Skills and a remote MCP service, natural‑language query in console, built‑in full‑text search (preview), expanded query capabilities including subquery‑based JOINs, scalable change streams, and enhanced lifecycle controls. With larger document sizes, geospatial queries, and usage insights, Firestore aims to shorten the path from AI concepts to production while easing MongoDB‑compatible migrations.

Advisories and patches

Progress Software shipped fixes for two MOVEit Automation vulnerabilities, including a critical authentication bypass (CVE‑2026‑4670, CVSS 9.8) and a high‑severity privilege escalation (CVE‑2026‑5174). Updates are available in releases 2025.1.5, 2025.0.9, and 2024.1.8, and the vendor warns that exploitation may target backend command port interfaces. Organizations should prioritize upgrades, restrict and monitor access to backend interfaces, review logs and accounts, and rotate credentials if compromise is suspected. Recent ransomware exploitation of related MFT products underscores the urgency.
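Prioritising upgrades starts with knowing which hosts sit below the fixed release on their branch. The following is an added example, not code from the brief or from Progress: it maps the three patched releases named above to their branches and triages a constructed host inventory, reporting the release each vulnerable host should move to. Branches that are not in the table (for instance an unsupported older line) are reported for review rather than assumed safe.

```python
"""Triage MOVEit Automation hosts against the patched releases named above.

The fixed-release table comes from the advisory summary in this brief; the
host inventory is constructed for the example.
"""

# Patched releases per branch (year.minor), as listed in the advisory summary.
FIXED_RELEASES = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}


def parse_version(text):
    """'2025.1.3' -> (2025, 1, 3); raises ValueError on anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts


def assess(version_text):
    """Return (status, target) where target is the release to move to.

    Branches absent from the table are reported as 'review': nothing here
    says they are fixed, so treat them as exposed until the vendor confirms.
    """
    version = parse_version(version_text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "review", ".".join(map(str, max(FIXED_RELEASES.values())))
    if version >= fixed:
        return "patched", None
    return "vulnerable", ".".join(map(str, fixed))


def triage(inventory):
    """Map host -> (status, target), hosts needing action first."""
    results = {host: assess(ver) for host, ver in inventory}
    order = {"vulnerable": 0, "review": 1, "patched": 2}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1][0]]))


# Constructed inventory, e.g. what a CMDB export might look like.
SAMPLE_INVENTORY = [
    ("mft-prod-01", "2025.1.3"),
    ("mft-prod-02", "2025.1.5"),
    ("mft-dr-01", "2024.1.7"),
    ("mft-legacy", "2023.1.2"),
]

if __name__ == "__main__":
    for host, (status, target) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status:10} {'-> ' + target if target else ''}")
```

Version strings should come from the installed product, not from a ticket; and a host reading "patched" still needs its backend command port access reviewed, since the advisory summary ties exploitation to that interface.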

CISA added the Linux kernel “Copy Fail” vulnerability to its Known Exploited list after public disclosure and a proof‑of‑concept led to observed in‑the‑wild use within a day. As covered by BleepingComputer, CVE‑2026‑31431 resides in algif_aead and enables unprivileged local users to obtain root by modifying four controlled bytes in the page cache. Distributions have begun pushing kernel updates; under BOD 22‑01, federal agencies must patch within two weeks. Rapid deployment of patched kernels and interim mitigations is recommended.

Active exploitation and campaigns

A multinational law‑enforcement operation led by Dubai Police, with major support from the U.S. FBI and China’s Ministry of Public Security, resulted in at least 276 arrests, the shutdown of nine crypto scam centers, and the restraint of over $701 million in alleged proceeds, according to The Hacker News. Investigators identified hundreds of fake investment sites, seized a recruitment Telegram channel, and linked infrastructure to pig‑butchering and romance‑baiting schemes. Authorities highlighted continued refinement of lures and tooling, reinforcing the need for industry information‑sharing and cross‑border enforcement.

Separately, a previously unknown actor is exploiting CVE‑2026‑41940 in cPanel/WHM against government and MSP networks, with reports of Mirai deployments and a ransomware variant following public proof‑of‑concept release. Telemetry shows rapid post‑disclosure weaponization and scanning across tens of thousands of IPs, while custom exploit chains and durable access techniques raise the risk to hosting infrastructure and service providers.

Microsoft reported a multi‑stage “code of conduct” phishing campaign impersonating internal compliance communications. The operation used CAPTCHAs and intermediate staging to bypass automated analysis and culminated in an adversary‑in‑the‑middle login flow that intercepted session tokens, defeating MFA methods that are not phishing‑resistant. Indicators, mitigations, and hunting guidance were published in Microsoft’s report, which emphasizes strengthening mail hygiene, Safe Links/Attachments, and adoption of phishing‑resistant authentication.

In the software supply chain, Lightning AI disclosed that a malicious PyTorch Lightning release on PyPI (lightning==2.6.3) executed an obfuscated JavaScript payload via the Bun runtime to steal secrets, browser credentials, and cloud tokens. As reported by BleepingComputer, the maintainer reverted to a clean version and is auditing builds. Any environment that imported the compromised release should assume exposure and rotate credentials, scan for indicators, and review CI/CD integrity controls.
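"Assume exposure" first requires finding every environment that could have resolved the bad release. The following is an added example, not code from the brief or from Lightning AI: it scans requirements-style text (which is also the shape of `pip freeze` output) for the compromised pin, normalises package names the way PyPI does so `Lightning` and `lightning` match, and separately flags loose specifiers that could have resolved to 2.6.3 during the window. The sample requirements file is constructed; the sibling package name in it is hypothetical and is included only to show that it is not matched.

```python
"""Flag the compromised lightning==2.6.3 pin in requirements or pip-freeze text.

The package name and version come from the disclosure summarized above; the
sample requirements file is constructed for this example.
"""
import re

# Compromised releases keyed by normalized PyPI name.
COMPROMISED = {"lightning": {"2.6.3"}}

# name, optional [extras], then everything up to an environment marker (;)
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([^;]*)")


def normalize(name):
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line):
    """Return (normalized name, specifier) or None for blanks, comments and options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    match = _REQ.match(line)
    if not match:
        return None
    return normalize(match.group(1)), match.group(3).strip()


def exact_pin(spec):
    """'==2.6.3' -> '2.6.3'; ranges and unpinned specifiers -> None."""
    match = re.fullmatch(r"==\s*([0-9][0-9A-Za-z.]*)", spec)
    return match.group(1) if match else None


def scan_requirements(text, compromised=COMPROMISED):
    """One finding per affected line: (line number, name, reason).

    Exact pins to a compromised release are certain hits; loose specifiers
    are reported too, because the resolver decides what they became.
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        parsed = parse_requirement(raw)
        if not parsed:
            continue
        name, spec = parsed
        if name not in compromised:
            continue
        pin = exact_pin(spec)
        if pin in compromised[name]:
            findings.append((number, name, f"pinned to compromised release {pin}"))
        elif pin is None:
            findings.append((number, name,
                             f"not exactly pinned ({spec or 'any version'}); "
                             "the resolver may have selected a compromised release"))
    return findings


# Constructed sample; the pytorch-lightning line is a hypothetical sibling name.
SAMPLE_REQUIREMENTS = """\
torch==2.5.1
lightning==2.6.3            # pulled in for the training loop
requests>=2.31
Lightning>=2.6,<3           # same package, different casing, no exact pin
lightning==2.6.2            # clean release, ignored
pytorch-lightning==2.5.0    # hypothetical sibling name, not in the disclosure
"""

if __name__ == "__main__":
    for number, name, reason in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {number}: {name}: {reason}")
```

Feed it `pip freeze` from each build agent and container image rather than the committed requirements file alone; the committed file says what was asked for, the freeze says what was actually installed, and a loose specifier only tells you to go look at the freeze.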