Linux Kernel Flaw 'Dirty Frag' Exploited in Wild; PAN-OS Zero-Day Under Active Attack; Google Spots First AI-Developed Exploit

Google's Threat Analysis Group (GTIG) has discovered and thwarted what is believed to be the first zero-day exploit actively developed by AI. The exploit targeted a critical vulnerability in a popular open-source web administration tool, designed to bypass two-factor authentication. Evidence for AI generation includes unusually detailed docstrings, perfect 'Pythonic' formatting, and a 'hallucinated' CVSS score. This incident confirms the predictions of AI's ability to autonomously create novel exploits, significantly escalating the cyber threat landscape, particularly for open-source software.

Further analysis of the Canvas LMS breach by ShinyHunters reveals more specific attack techniques. The initial access via 'Free-For-Teacher' accounts is now linked to MITRE T1078 (Valid Accounts), followed by T1098.005 (Cloud Accounts) for privilege escalation and lateral movement within the multi-tenant cloud environment. Attackers moved from their initial foothold to access data across thousands of institutions. The group now claims to have accessed billions of private messages, a higher estimate than previously reported, underscoring the extensive data exfiltration.

Further analysis of the Braintrust AI platform breach reveals additional MITRE ATT&CK techniques involved, including T1528 (Steal Application Access Token), T1539 (Steal Web Session Cookie), and T1496 (Resource Hijacking). The report highlights the potential for attackers to engage in 'model-jacking' or 'cryptojacking for AI' using stolen keys, incurring costs or manipulating models. New detection methods like AWS GuardDuty alerts and expanded mitigation strategies, including D3FEND Cloud User and Group Permissions, CSPM/CWPP, and billing alerts, are also detailed.

Further analysis of the 'Operation HookedWing' phishing campaign reveals advanced technical details. Threat actors utilize a custom phishing kit with dynamically loaded C2 server locations via external JavaScript, making detection more challenging. In addition to GitHub.io, the campaign leverages Vercel for hosting malicious landing pages. The phishing emails now impersonate Google alongside Microsoft, and the custom kit exfiltrates not only credentials but also the victim's IP address and detailed geolocation information using a PHP form. This indicates a highly sophisticated and adaptive threat actor, potentially acting as a credential or initial access broker.

New information confirms that the critical authentication bypass (CVE-2026-4670) and high-severity privilege escalation (CVE-2026-5174) in MOVEit Automation can be chained by an unauthenticated attacker to gain full administrative control over the system. Progress Software has released an additional patched version, 2025.1.5, to address these vulnerabilities. The update also includes enhanced hunting hints, such as monitoring MOVEit Automation audit logs for unexpected administrative actions, unusual outbound network connections, and `MOVEitAuto.exe` spawning unexpected child processes. Organizations are urged to patch immediately to one of the fixed versions: 2025.1.5, 2025.0.9, or 2024.1.8.

The CVSS score for CVE-2026-0300 has been updated from 9.3 to 9.8, reflecting an increased critical impact. Exploitation is now attributed to sophisticated state-sponsored threat actors, indicating a higher level of threat. Palo Alto Networks has released Threat Prevention signatures to aid in detecting and blocking exploitation attempts. A new hunting hint for the Captive Portal URL (https://<firewall-ip-or-hostname>/php/login.php) has also been provided. Customers are strongly advised to implement immediate mitigations by restricting access to the Captive Portal, as signatures alone are not a complete solution.

New analysis by Rapid7 reinforces the attribution of the MuddyWater false flag operation, which masquerades as Chaos ransomware, to the Iranian state-sponsored group. A key finding explicitly links the 'Donald Gay' code-signing certificate, used in the campaign, to infrastructure controlled by Iran's Ministry of Intelligence and Security (MOIS). This provides more definitive evidence of state sponsorship and intelligence-gathering objectives, further clarifying the nature of the espionage campaign and the actor's tactics.