
AI Agent Controls Expand; Canvas Breach Claims And Kernel LPE
Coverage: 05 May 2026 (UTC)
Platform defenses for agentic AI and cloud operations took center stage. Google introduced an inline control plane for AI agents via Agent Gateway, while AWS previewed the ability for AI agents to operate desktop applications inside managed WorkSpaces environments. On the hardening front, Unit 42 detailed a highly reliable Linux local privilege escalation dubbed “Copy Fail,” with upstream fixes available and mitigations outlined for teams that cannot patch immediately.
Governing and scaling agentic AI
Google’s new Gateway sits in the request path of user‑to‑agent, agent‑to‑agent, and agent‑to‑tool traffic to enforce existing enterprise controls—DLP, runtime protections, identity checks, and telemetry—without rewriting applications. The program debuts with a broad ISV ecosystem spanning data‑loss prevention, prompt‑manipulation defenses, identity‑first authorization, and analytics, aligning partner capabilities to real‑time inspection and governance needs as agentic AI moves into production. To accelerate adoption, Google published five design guides for resilient, governed multi‑agent systems on its Gemini Enterprise Agent Platform, covering long‑running state, a layered governance stack, orchestration patterns, and interoperability via A2A and MCP; see the Gemini guides for patterns and code samples.
On AWS, the WorkSpaces preview enables AI agents to interact with legacy desktop apps by pointing and clicking like a user, bridging the “last‑mile” where APIs do not exist. Enterprise governance applies consistently—permissions, logging, and auditing mirror human WorkSpaces. For regulated workloads, AWS also expanded its managed agent platform to GovCloud (US‑West); AgentCore bundles runtime isolation, MCP‑based tool access, identity‑backed delegation, and observability/evaluations to move agents from prototype to production under elevated compliance expectations (AgentCore).
Managed hunting extends to Microsoft Defender
CrowdStrike introduced Falcon OverWatch for Defender, bringing its human‑led, intelligence‑driven threat‑hunting to environments running Microsoft Defender by deploying a lightweight Falcon sensor alongside existing protections. The service focuses on post‑exploit detection—credential abuse, lateral movement, living‑off‑the‑land tooling, and in‑memory tradecraft—areas where signature‑ or automation‑only approaches routinely miss hands‑on‑keyboard activity. CrowdStrike cites operational scale (trillions of events analyzed daily, thousands of new hunting patterns yearly) and daily high‑severity intrusion detections as evidence of impact, aiming to harden Microsoft‑centric fleets without disrupting current endpoint deployments.
Cloud visibility and operational control
AWS added AI Traffic Analysis dashboards to AWS WAF to surface the identity, intent, and volume of AI‑driven web traffic, extending Bot Control detections to more than 650 bots and agents. The console and CloudWatch metrics support near‑real‑time views, filtering, and a new API for top‑path analysis so teams can tune allow/block decisions, implement tiered access or per‑path pricing, and automate responses based on spikes and anomalies (AWS WAF). For data‑layer reliability and capacity planning, ElastiCache now emits thirteen node‑level and engine‑level metrics that illuminate network baseline usage, memory fragmentation, major page faults, connection exhaustion, and pub/sub scaling—helping operators set portable alarms and make proactive scaling and tuning decisions (ElastiCache).
Operations teams also gain continuity and efficiency improvements. Amazon MQ supports in‑place major upgrades from RabbitMQ 3.13 to 4.2, preserving configurations and data while requiring planned downtime; classic mirrored queues must be migrated to quorum queues before upgrading, and post‑upgrade patching is automated for the 4.2 line (Amazon MQ). For serverless packaging, the SAM CLI adds BuildKit—bringing multi‑stage builds, faster caching, cross‑architecture images, and secret management at build time to Lambda container workflows (SAM CLI).
Advisories and active threats
Unit 42’s “Copy Fail” analysis describes a deterministic logic error in the Linux AF_ALG interface that lets an unprivileged user inject a precise four‑byte overwrite into the page cache of setuid binaries, yielding reliable local privilege escalation across kernels shipped since 2017. Upstream has reverted the risky optimization; vendors are shipping updated kernels, and disabling the affected module is a stated interim mitigation. Teams that cannot patch immediately should treat exposed hosts as high risk until remediated and validated.
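Added here as a defender's check, not code from the brief or from Unit 42: a small POSIX shell script that audits a host for the AF_ALG user-space crypto modules and prints the modprobe.d drop-in that would block them, since the brief names disabling the affected module as the interim mitigation. It assumes the af_alg/algif_* module names, which the brief does not give, and falls back to a constructed /proc/modules sample when not run on a live Linux host.

```shell
#!/bin/sh
# Added example, not from the brief or from Unit 42: audit a host for the
# AF_ALG user-space crypto modules and emit a modprobe.d drop-in that keeps
# them from loading, as a stop-gap until a fixed kernel is installed.
# ASSUMPTION: the brief does not name the affected module; the af_alg /
# algif_* family is assumed here and must be confirmed against your vendor
# advisory before anything is blocked.

# Print the AF_ALG-family modules found in a /proc/modules-style listing
# read from stdin (fields: name size refcount deps state address).
af_alg_loaded() {
    awk '$1 == "af_alg" || $1 ~ /^algif_/ { print $1 }' | sort
}

# Render a modprobe.d drop-in for the given modules. "install X /bin/false"
# makes any later modprobe of X fail; "blacklist X" stops alias autoloading.
render_blacklist() {
    for m in "$@"; do
        printf 'install %s /bin/false\nblacklist %s\n' "$m" "$m"
    done
}

# Constructed sample in /proc/modules format, used when not on a live host.
SAMPLE_MODULES='algif_skcipher 16384 0 - Live 0xffffffffc0b00000
af_alg 32768 1 algif_skcipher, Live 0xffffffffc0af0000
xt_conntrack 16384 2 - Live 0xffffffffc0a00000'

if [ -r /proc/modules ]; then
    loaded=$(af_alg_loaded < /proc/modules)
else
    loaded=$(printf '%s\n' "$SAMPLE_MODULES" | af_alg_loaded)
fi

if [ -z "$loaded" ]; then
    echo "no AF_ALG-family modules loaded; a drop-in is still advisable if they are built as modules"
else
    echo "loaded AF_ALG-family modules:"
    printf '  %s\n' $loaded
    echo "proposed /etc/modprobe.d/disable-af-alg.conf (review, then install as root):"
    # word-splitting on $loaded is intended: one argument per module name
    render_blacklist $loaded
    echo "unload order with modprobe -r: dependents first (algif_*), then af_alg;"
    echo "a non-zero refcount (third field) means a process still holds an AF_ALG socket."
fi
```

Blocking these modules breaks any program that opens AF_ALG sockets, so test the drop-in on a representative host before rolling it out fleet-wide.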
Threat activity spanned supply chain, education, and persistent espionage. Kaspersky reported that DAEMON Tools installers were trojanized beginning April 8, delivering staged payloads and, in selective cases, a more capable QUIC RAT implant (Kaspersky). Separately, actors claiming to be ShinyHunters said they exfiltrated hundreds of millions of records tied to institutions using Instructure’s Canvas; the vendor confirmed a breach exposing names, emails, and private messages, while some universities issued notices as investigations continue (BleepingComputer). In long‑running intrusions, Cisco’s research details UAT‑8302, a China‑nexus cluster using extensive reconnaissance, credential theft, DLL side‑loading, and multi‑stage loaders across government targets in South America and southeastern Europe, with indicators and detections published for defenders (Talos).