Trending Topics
Copy Fail Vulnerability Turns Any Local Linux User into Root in Seconds
A nine‑year‑old logic bug in the Linux kernel, now tracked as CVE‑2026‑31431 and nicknamed Copy Fail, has emerged as one of the most reliable paths to privilege escalation on modern Linux systems. Copy Fail lives in the kernel’s algif_aead cryptographic interface and allows an unprivileged user to perform a precise four‑byte write into the page cache of any file they can read, including setuid‑root binaries such as /usr/bin/su. With that single primitive, a 732‑byte Python script can corrupt the in‑memory image of a setuid binary and spawn a root shell in under a second, without touching the file on disk or relying on races, kernel leaks, or distro‑specific offsets. Because the bug dates back to a 2017 in‑place optimization in the authencesn template, essentially all major Linux distributions shipping kernels 4.14 and newer are affected, including Ubuntu, Debian, and RHEL, as well as SUSE, Amazon Linux, and many cloud- and container‑optimized variants. What makes Copy Fail especially dangerous is the combination of portability, tiny exploit size, stealth, and cross‑container impact. The same short Python script, using only standard library modules and AF_ALG sockets plus splice(), has been shown to work as‑is on multiple distros and architectures, with no per‑kernel adjustments. The write occurs entirely through the crypto API’s scatter‑gather list, bypassing the normal VFS write path, so the corrupted page is never marked dirty and on‑disk checksums remain unchanged; standard file integrity checks see nothing wrong because only the cached copy is modified. Since the page cache is shared, the primitive also crosses container boundaries, meaning that any code execution within a container or multi‑tenant environment can be elevated to node‑level root, breaking isolation between workloads and tenants. 
Researchers compare Copy Fail to earlier flaws like Dirty Pipe and Dirty COW, but emphasize that this time there is no race or crash‑prone timing window; it is a straight‑line logic bug in a different subsystem that works predictably wherever AF_ALG is available to unprivileged users. The good news is that fixes are already landing, and the remediation story is relatively straightforward. Kernel maintainers removed the 2017 optimization and reverted algif_aead to safer out‑of‑place behavior, eliminating the condition in which page‑cache pages could be linked into a writable scatterlist. Distributions including Ubuntu, Red Hat, Debian, SUSE, Amazon Linux, and others have issued patched kernel packages, and security agencies like CERT‑EU and national CERTs are urging organizations to prioritize updates on multi‑tenant Linux hosts, Kubernetes nodes, CI/CD runners, and any system that executes untrusted code, since these are the environments where an unprivileged shell is easiest to obtain and most damaging. Where immediate patching is not feasible, short‑term risk reduction measures include blocking AF_ALG socket creation via seccomp or SELinux, blacklisting algif_aead so the vulnerable code path is not reachable, and tuning EDR or logging to flag unusual AF_ALG usage or sudden setuid‑binary executions from low‑privilege accounts. In the longer term, Copy Fail is a reminder that even mature kernels can hide high‑impact bugs for years, and that shared‑kernel models in cloud and container platforms must be paired with aggressive kernel patching and strict restrictions on powerful interfaces like AF_ALG to keep “one user account to root” scenarios from becoming the norm.
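One way to act on the logging advice above, as an added example that is not from the original article or any vendor's tooling: a small detector over auditd SYSCALL records that flags AF_ALG socket creation by non-root users and any setuid-root execution by the same user shortly afterwards. It assumes auditd-style records (the sample lines are constructed, not real captures), the x86_64 and aarch64 syscall numbers in the tables, and a five-second correlation window chosen for illustration.

```python
import re
from collections import defaultdict

AF_ALG = 38  # socket family behind the algif_* kernel crypto interfaces
# socket()/execve() syscall numbers keyed by the auditd "arch" value (x86_64, aarch64)
SOCKET_NR = {"c000003e": 41, "c00000b7": 198}
EXECVE_NR = {"c000003e": 59, "c00000b7": 221}
SETUID_BINARIES = {"/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd"}
WINDOW_SECONDS = 5.0  # a setuid exec this soon after an AF_ALG socket is suspicious
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"msg=audit\((\d+\.\d+):\d+\)")

# Constructed sample records, not real captures. An audit rule such as
# `-a always,exit -F arch=b64 -S socket -F a0=38 -k af_alg` produces the first kind.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1714000000.100:101): arch=c000003e syscall=41 success=yes exit=3 a0=26 a1=5 a2=0 a3=0 pid=4242 auid=1000 uid=1000 euid=1000 comm="python3" exe="/usr/bin/python3" key="af_alg"
type=SYSCALL msg=audit(1714000000.900:102): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd0 a1=7ffd8 a2=0 a3=0 pid=4243 auid=1000 uid=1000 euid=0 comm="su" exe="/usr/bin/su" key="setuid_exec"
type=SYSCALL msg=audit(1714000200.000:103): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 pid=5000 auid=1000 uid=1000 euid=1000 comm="curl" exe="/usr/bin/curl" key="af_alg"
type=SYSCALL msg=audit(1714000300.000:104): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 pid=5001 auid=1001 uid=1001 euid=0 comm="sudo" exe="/usr/bin/sudo" key="setuid_exec"
"""

def parse_record(line):
    """Fields of one auditd SYSCALL line as a dict plus a float 'ts'; None otherwise."""
    m = TS_RE.search(line)
    if "type=SYSCALL" not in line or m is None:
        return None
    return {**{k: v.strip('"') for k, v in FIELD_RE.findall(line)}, "ts": float(m.group(1))}

def is_af_alg_socket(rec):
    """socket() call whose first argument (logged in hex) is AF_ALG."""
    return (rec.get("syscall") == str(SOCKET_NR.get(rec.get("arch")))
            and int(rec.get("a0", "0"), 16) == AF_ALG)

def is_setuid_exec(rec):
    """execve() of a known setuid-root binary that ended up running with euid 0."""
    return (rec.get("syscall") == str(EXECVE_NR.get(rec.get("arch")))
            and rec.get("exe") in SETUID_BINARIES and rec.get("euid") == "0")

def find_suspicious(lines):
    """(kind, uid, exe, ts) alerts: every AF_ALG socket from a non-root uid, plus
    any setuid exec by that uid within WINDOW_SECONDS after such a socket."""
    alg_times, alerts = defaultdict(list), []
    for rec in filter(None, map(parse_record, lines)):
        uid = rec.get("uid", "0")
        if uid == "0":
            continue  # root needs no escalation, so its AF_ALG use is not the signal here
        if is_af_alg_socket(rec):
            alg_times[uid].append(rec["ts"])
            alerts.append(("af_alg_socket", uid, rec.get("exe"), rec["ts"]))
        elif is_setuid_exec(rec) and any(0 <= rec["ts"] - t <= WINDOW_SECONDS for t in alg_times[uid]):
            alerts.append(("setuid_after_af_alg", uid, rec.get("exe"), rec["ts"]))
    return alerts
```

On the sample, only the python3 AF_ALG socket and the su execution 0.8 s later are reported; the plain AF_INET socket and the unrelated sudo by another user are not.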
EtherRAT Uses SEO‑Poisoned Admin Tools and Ethereum C2 to Hijack Enterprise Accounts
A new EtherRAT campaign is turning one of IT’s most trusted habits into an attack vector by using SEO‑poisoned “admin tool” downloads to compromise high‑privilege enterprise users. Threat researchers found that the operation specifically targets system administrators, DevOps engineers, and security staff by impersonating the utilities they search for every day, such as remote management tools, password reset helpers, and log viewers. The attackers manipulate search rankings across engines like Bing, Yahoo, DuckDuckGo, and Yandex so that fake GitHub projects advertising these tools appear at the top of results, then funnel victims through a multi‑stage download flow that ends with EtherRAT installed on their systems. What makes this campaign stand out is the effort put into credibility and resilience rather than just the malware itself. The initial GitHub “facade” repositories are clean and professional, with README files, issues, and stars that make them look like legitimate open source projects, while the actual payloads are hosted in secondary repos and releases that are harder for casual reviewers to notice. Behind that, EtherRAT uses Ethereum smart contracts as part of its C2 resolution layer, embedding C2 information on‑chain so that even if individual domains or repos are taken down, the operators can spin up new infrastructure and have infected hosts discover it automatically by reading the blockchain. Once installed on an admin’s machine, EtherRAT focuses on credential and session theft, targeting browser cookies, SSH keys, VPN configurations, and tokens for cloud and DevOps platforms, giving attackers a direct path into core infrastructure with the same authority as the compromised administrator. For defenders, EtherRAT is a reminder that search results and GitHub are now part of the enterprise attack surface, especially for privileged users. 
Organizations should discourage admins from downloading tools directly from search results and instead maintain an approved catalog of utilities vetted and mirrored internally, with clear policies for requesting new software. Security teams can also reduce exposure by monitoring for new tools pulled from unfamiliar GitHub accounts, restricting where admin workstations can browse and download from, and alerting on unusual outbound traffic, including connections to Ethereum RPC endpoints from systems that do not normally interact with blockchains. Since EtherRAT’s goal is to turn one compromised admin into an organization‑wide breach, enforcing least privilege, rolling out hardware‑backed MFA, and tightening just‑in‑time access for cloud and domain admin roles can significantly limit how far the attackers can go, even if they manage to land their malware through a deceptively “legitimate” download.
Actively Exploited cPanel Zero‑Day Lets Attackers Log In as Admin Without a Password
A critical vulnerability in cPanel and WHM, now tracked as CVE‑2026‑41940, has been under active exploitation for months and gives attackers a direct path to full control of millions of websites. The flaw sits in the authentication logic for cPanel’s web interface and allows a remote attacker to bypass the login screen entirely, gaining administrative access without valid credentials. Hosting providers and researchers say exploitation began as early as February 23, 2026, well before a patch or public advisory existed, meaning some attackers had true zero‑day access to high‑value hosting environments while everyone else remained unaware of the risk. With Shodan showing roughly 1.5 million internet-exposed cPanel instances and the platform sitting at the heart of shared hosting and managed WordPress offerings worldwide, the potential blast radius spans everything from personal blogs to major e‑commerce sites and SaaS front ends. Technical analysis by Rapid7 and watchTowr Labs ties the bug to a CRLF injection issue in how cPanel’s cpsrvd daemon creates and loads session files. Before authentication completes, cpsrvd writes a new session file to disk, keyed off the whostmgrsession cookie. By omitting an expected segment of that cookie and abusing newline handling, an attacker can trick cPanel into skipping the usual encryption and verification steps and load a forged session as if it were a legitimate admin's. The result is an authentication bypass with root‑level consequences: successful exploitation grants control over the WHM interface, all cPanel accounts on the host, associated websites, email, and databases, and in many cases the underlying operating system itself. Providers, including Namecheap, KnownHost, and others, responded to cPanel’s April 28 advisory by temporarily blocking access to cPanel and WHM ports at the network edge while they rushed to apply emergency patches across tens of thousands of servers. 
For organizations that depend on cPanel-based hosting, the window for complacency has already closed. WebPros (cPanel’s vendor) has released fixed builds for all currently supported versions, as well as WP Squared, its managed WordPress platform, and security agencies are urging administrators to treat patching as an emergency change, not a routine update. If you manage your own cPanel servers, you should immediately upgrade to a non‑vulnerable release, review logs for suspicious logins or new admin accounts, and rotate credentials and API tokens for hosted sites in case attackers have already leveraged the bug. If you rely on third‑party hosting, confirm in writing that your provider has applied CVE‑2026‑41940 fixes and ask whether they saw any signs of exploitation on the infrastructure hosting your domains. Longer term, this incident is a reminder that critical control planes like cPanel deserve layered defenses: restrict access to admin ports with IP allow‑lists or VPN, enforce strong MFA for all panel logins, monitor for anomalous admin sessions and config changes, and avoid treating shared control panels as “set and forget” components when they effectively hold the keys to your entire web presence.
China‑Linked Hackers Run Espionage Campaign Across Asian Governments and Telecoms
A newly detailed cyber espionage campaign shows how China‑linked threat groups have quietly embedded themselves in Asian governments and telecom networks for years. Reporting highlights clusters such as UNC2814 and CL‑STA‑1087, which have systematically targeted ministries, militaries, and telecom operators across Southeast Asia and beyond, often remaining dormant in compromised environments for months while mapping networks and quietly harvesting sensitive data. Rather than smash‑and‑grab attacks, these operations prioritize strategic access: stealing diplomatic cables, trade and energy negotiations, military planning documents, and telecom metadata that reveal who is talking to whom, and when. What stands out in this wave of activity is how heavily the actors lean on legitimate infrastructure and “everyday” services as camouflage. Google’s Threat Intelligence Group and Mandiant describe how China‑nexus teams use SaaS platforms and API calls such as Google Sheets, cloud storage, and email services as command‑and‑control channels, so that malicious traffic blends in with normal enterprise usage and is hard to distinguish in logs. Other advisories from Five Eyes and allied governments warn that these groups are also building large “covert networks” of compromised routers and IoT devices worldwide, routing attacks through consumer hardware to mask origin and evade geographic blocks. In one long‑running case, a cluster tracked as CL‑STA‑1087 spent years within Southeast Asian military organizations, using custom backdoors such as AppleChris and MemFun alongside native tools and DLL hijacking to maintain stealthy persistence and search for highly specific files related to joint exercises and Western cooperation. For defenders in the region, the message is clear: these are patient, well‑resourced campaigns that assume traditional perimeter defenses can be sidestepped. 
Telecoms and government networks need to assume compromise is possible and focus on detecting subtle signs of long‑term intrusion, such as unusual use of SaaS APIs, anomalous service‑to‑service authentication, and quiet lateral movement between sensitive enclaves. That means tightening identity controls, enforcing least privilege on service accounts, segmenting critical systems from general user networks, and deploying monitoring tuned to catch abuse of “normal” tools rather than just obvious malware. International advisories also stress the importance of rapid patching for edge devices and VPNs, hardening and monitoring telecom infrastructure, and sharing threat intelligence across borders, since the same China‑linked clusters have been observed hopping between ministries, carriers, and agencies in multiple countries as part of a coordinated, long‑horizon collection effort.
Ubuntu Website Hit by DDoS Attack Claimed by 313 Team
Canonical’s Ubuntu website and related services were recently disrupted by a large‑scale DDoS attack, temporarily knocking core web properties offline and returning 503 errors to users. Early reporting attributes the incident to 313 Team, a pro‑Iranian hacktivist outfit active throughout the current Middle East conflict and known for noisy but often short‑lived disruption campaigns. While there is no evidence that Ubuntu’s repositories or package signing keys were compromised, the outage raised understandable concerns about access to security advisories, CVE documentation, and other infrastructure that developers and administrators rely on for updates. The attack appears to have focused on overwhelming Ubuntu’s front‑end web infrastructure with a flood of traffic, not on exploiting a software vulnerability or breaching backend systems. Users mainly experienced timeouts and service-unavailable messages when attempting to reach ubuntu[.]com and some associated services, a pattern typical of volumetric or application‑layer DDoS campaigns driven by botnets. Because Ubuntu is both a flagship Linux distribution and a key source of open source security guidance, even a temporary outage has outsized ripple effects for enterprises that synchronize updates or depend on Canonical’s documentation during incident response. For organizations that depend on Ubuntu, this incident is a reminder that availability can be just as important as confidentiality and integrity. Practical steps include maintaining local mirrors or redundant package sources for critical repositories, subscribing to Canonical status and security feeds, and ensuring that your own web‑facing services are protected by layered DDoS defenses, including upstream scrubbing and rate limiting. 
It is also wise to treat high‑profile hacktivist claims with caution: verify service integrity (for example, checking package signatures) but avoid amplifying unverified narratives, since many of these groups rely more on publicity and fear than on sustained, high‑impact technical damage.
Written By: William Elchert