
Cloud Hardening, Active Exploits, and AI Governance
Coverage: 29 May 2026 – 31 May 2026 (UTC)
Cloud and enterprise security updates dominated the day, with major vendors rolling out preventive controls, resiliency upgrades, and deeper telemetry. Alongside these proactive moves, researchers detailed active exploitation of web, Linux, and VPN vulnerabilities, while law enforcement and regulators advanced high-profile cases and takedowns. AI’s growing role in both defense and offense remained in focus, from model availability and gateway controls to new attack surfaces created by content rendering.
Cloud Platforms Tighten Resilience and Observability
Google expanded protection against account takeover by making Device Bound Session Credentials (DBSC) generally available across Chrome. The feature cryptographically ties session cookies to a device’s hardware root of trust, blocking reuse of stolen cookies on other systems and shifting defenses from reactive detection to prevention. It will be enabled by default for Workspace customers. Details are outlined in Google Chrome.
AWS introduced packet-level telemetry for DDoS investigations via Shield Advanced attack flow logs. During active events, the service publishes five-minute flow snapshots—IP addresses, ports, protocols, counts, and geolocation—into destinations such as Amazon S3, Amazon CloudWatch Logs, or Amazon Data Firehose to support forensics, SIEM integration, and compliance reporting. Organizations can enable the feature for protected resources and configure delivery per environment. More in AWS Shield.
Google Cloud improved failover performance in AlloyDB for PostgreSQL with a Hot Standby capability. By continuously running PostgreSQL and applying WAL from the primary, standby nodes can promote in roughly 15 seconds following typical detection within 30 seconds, preserving caches and avoiding post-failover brownouts. The feature is enabled for new PostgreSQL 18 instances and will be backported over time, while the 99.99% SLA remains. See the AlloyDB blog.
To lower multicloud connectivity costs, AWS launched a free 500 Mbps tier for its managed interconnect to other cloud providers, leveraging an open specification adopted by Google Cloud and Oracle Cloud Infrastructure (with Azure slated later in 2026). The free tier allows one local interconnect per AWS Region per CSP and includes a CloudWatch synthetic monitor; partner-side charges may still apply. In parallel, Amazon reduced the minimum base capacity for Redshift Serverless to 4 RPUs in seven additional Regions, easing entry for smaller analytics workloads with per-second billing. Details are available for AWS Interconnect and Redshift Serverless.
Amazon also expanded S3 Tables—an Apache Iceberg–native table layer for object storage—into the Asia Pacific (Taipei) and Asia Pacific (New Zealand) Regions. The service automates maintenance tasks such as compaction and integrates with Intelligent-Tiering to balance performance and cost, preserving interoperability with AWS and third-party engines. Read more in Amazon S3 Tables.
Actively Exploited and High-Impact Vulnerabilities
A critical flaw (CVE-2026-8732) in the premium WordPress plugin WP Maps Pro enabled unauthenticated attackers to create administrator accounts and obtain magic login URLs. The issue, fixed in version 6.1.1, stemmed from an exposed nonce and an AJAX endpoint that triggered wp_insert_user() with a hardcoded administrator role. Defiant observed thousands of exploitation attempts in a single day. Site owners should update immediately and review for unauthorized users and indicators of compromise. Coverage: WP Maps Pro.
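As an added illustration (not the plugin's code), the following hypothetical WordPress AJAX handler shows the pattern the advisory describes, a user-creation endpoint with a hardcoded administrator role and no authorization check, beside a hardened version and a small review helper; the hook names, the `example_` functions and the nonce action are assumptions.

```php
<?php
// Hypothetical insecure pattern (constructed for illustration): reachable by
// unauthenticated callers via the nopriv hook, no capability check, and the
// role is hardcoded to administrator.
add_action( 'wp_ajax_nopriv_example_add_user', 'example_add_user_insecure' );
function example_add_user_insecure() {
    // A nonce only proves the request originated from a page that exposed it;
    // it is not an authorization check, so a leaked nonce is no barrier.
    check_ajax_referer( 'example_add_user', 'nonce' );
    $id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['login'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => wp_generate_password(),
        'role'       => 'administrator',
    ) );
    wp_send_json_success( array( 'id' => $id ) );
}

// Hardened version: authenticated-only hook, explicit capability check, input
// validation, and a least-privileged role fixed server-side.
add_action( 'wp_ajax_example_add_user', 'example_add_user_hardened' );
function example_add_user_hardened() {
    check_ajax_referer( 'example_add_user', 'nonce' );
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $login = sanitize_user( wp_unslash( $_POST['login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'subscriber', // never taken from the request
    ) );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( $id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $id ) );
}

// Review helper for the "check for unauthorized users" step: administrator
// accounts registered within the given window (default: last seven days).
function example_recent_admins( $since = '-7 days' ) {
    return get_users( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => $since ) ),
        'fields'     => array( 'ID', 'user_login', 'user_registered' ),
    ) );
}
```

Any administrator returned by `example_recent_admins()` that the site owner did not create should be treated as an indicator of compromise and removed, followed by a credential rotation.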
A newly disclosed local privilege escalation dubbed CIFSwitch impacts Linux systems that combine the kernel CIFS subsystem with vulnerable cifs-utils releases (notably 6.14 and later variants). By forging cifs.spnego key requests and abusing an NSS lookup before privilege drop, an unprivileged attacker can achieve root code execution under certain kernel, userspace, and policy conditions. An upstream kernel patch validating request origins is available; mitigations include disabling CIFS if unused, removing cifs-utils where not required, and disabling unprivileged user namespaces. Details in CIFSwitch flaw.
Palo Alto Networks reported limited in-the-wild exploitation of CVE-2026-0257, an authentication bypass affecting PAN-OS and Prisma Access GlobalProtect portals/gateways when authentication override cookies and specific certificates are configured. Rapid7 observed two exploitation waves granting VPN IP assignment, with no further activity noted in those environments. Administrators should patch promptly, disable the override feature, or provision a dedicated certificate until updates are applied. See PAN-OS CVE.
Rapid7 highlighted a critical argument-injection vulnerability in Gogs, a self-hosted Git service, after extended non-response from the maintainer. Any authenticated user can trigger remote code execution during merges via crafted branch names; defaults allowing open registration and unlimited repository creation heighten risk. Until a fix is released, recommended mitigations include restricting network access, disabling public self-registration, and limiting account creation to administrators. Analysis: Gogs vulnerability.
Breaches, Takedowns, and Actor Tradecraft
California Attorney General Rob Bonta sued 23andMe (now Chrome Holding Co.) over a 2023 incident that exposed data on roughly 6.9 million customers, including genetic profiles and ancestry information. The complaint alleges failures to safeguard data, delayed detection, a facilitating coding error, and misleading statements, citing violations of multiple California statutes including the CCPA and the California Genetic Information Privacy Act. The case seeks injunctions and statutory penalties. Overview: 23andMe case.
ShinyHunters claimed a breach at Charter Communications via vishing that led to access to Salesforce data; the company stated no sensitive personal information or CPNI was stolen. Analysis of leaked material by Have I Been Pwned confirmed 4.9 million unique accounts with contact details and about 85,000 internal records. The incident reflects broader targeting of CRM platforms following social-engineering compromises. More in Charter breach.
Dutch law enforcement, supported by the NCSC, disrupted a botnet comprising at least 17 million devices and over 200 Netherlands-hosted servers. While not named by officials, reporting linked infrastructure to proxy services such as Asocks. Authorities seized servers and emphasized fundamentals for reducing botnet risk, including timely patching, securing edge devices, strong passwords with two-factor authentication, and safe app sourcing. Details: Dutch Takedown.
WithSecure researchers documented Greyvibe, a Russian-aligned group using large language models to accelerate operations against Ukrainian private, government, and military targets. The group employed diverse lures and custom malware—PowerShell-based PhantomRelay and LegionRelay, and Android spyware FallSpy—while leveraging generative AI to write code, craft social engineering, and obfuscate scripts. The profile overlaps with state interests and broader cybercrime ecosystems. Findings summarized in Greyvibe report.
The FBI warned that the Silent Ransom Group (also known as Luna Moth/Chatty Spider/UNC3753) has escalated from phone-based lures to impersonating victim IT staff by phone and in person. The group coaxes employees into granting remote desktop access or permitting USB insertions, then exfiltrates data with legitimate tools like WinSCP or disguised Rclone, often without deploying ransomware. Recommended mitigations include phishing-resistant MFA, strict visitor verification, limiting access from untrusted networks, disabling unneeded remote access and external drives, and blocking port 22 where feasible. Summary: FBI Alert.
Kaspersky reported campaigns distributing fake Android IPTV apps outside official stores to capitalize on major sporting events. Samples included banking Trojans such as Massiv and a Cerberus-derived strain named Perseus, which abuses Accessibility Services to harvest data and execute unauthorized transactions. The English-language Perseus variant also targets note-taking apps to extract passwords and recovery phrases. Guidance: avoid third-party APKs, prefer trusted stores and official providers, and scrutinize Accessibility permissions. Analysis in the Kaspersky blog.
AI in the Enterprise: Governance, Safety, and New Models
Palo Alto Networks completed its acquisition of Portkey and will integrate the AI Gateway into its Prisma AIRS platform to secure and govern AI agents at scale. The unified control plane is designed to offer a single API to LLMs, an agent registry, semantic routing and caching, and security controls such as artifact scanning, automated red teaming, runtime security, and agent identity enforcement with least-privilege. The approach targets the operational risks of autonomous agents in production. Announcement: Palo Alto.
Microsoft added Claude Opus 4.8 to its Foundry environment, providing access to Anthropic’s latest model optimized for complex, long-running workflows with improved coding, agentic behavior, and deep reasoning across long documents and multi-source inputs. Teams can evaluate and deploy the model alongside others with operational controls suited for production use. Details in Microsoft Foundry.
Researchers described “ChatGPhish,” a technique that turns ChatGPT’s web summarization renderer into a phishing vector by causing the assistant to automatically fetch attacker-controlled Markdown links and images. This can surface live links, QR codes, and spoofed alerts inside the assistant UI and leak metadata such as IP and User-Agent, expanding adversarial surfaces from email to general browsing and document processing. Vendors are urged to tighten how assistants fetch and render third-party content. Report: ChatGPhish.
IBM and Red Hat announced Project Lightwell, a large-scale program aiming to act as a clearinghouse and coordination layer for open source vulnerability remediation. Starting with Java/Maven and a cohort of financial institutions, the initiative will triage, backport, and validate fixes to deployed dependency versions, and share validated patches upstream. It addresses maintenance gaps in critical open source components and will be offered commercially after the design phase. Overview: Project Lightwell.