IT, Telecom & Cyber · International (Houston)

Patch, Audit, and Contract Levers for Emerging Linux and MFT Flaws

Published May 5, 2026, 5:06 AM CST · International · Full category signal
CISA says ‘Copy Fail’ flaw now exploited to root Linux systems

In 60 seconds

Top move

Treat the Linux 'Copy Fail' kernel exploit as a high-priority patch and supplier-visibility item because CISA added the flaw to its Known Exploited Vulnerabilities list and PoC code roots unpatched mainstream Linux kernels; buyers should map which suppliers deliver or maintain those Linux images.

Key takeaways

  • Treat the Linux 'Copy Fail' kernel exploit as a high-priority patch and supplier-visibility item because CISA added the flaw to its Known Exploited Vulnerabilities list and PoC code roots unpatched mainstream Linux kernels; buyers should map which suppliers deliver or maintain those Linux images.[4]
  • Confirm exposure and remediation plans for managed file transfer (MFT) instances because Progress warned a critical MOVEit Automation auth-bypass affects pre-2025 builds and publicly exposed instances exist, creating a direct data-flow and uptime dependency.[3]
  • Reassess SMS-based one-time passwords and endpoint telemetry because Cisco Talos found CloudZ malware using a Microsoft Phone Link plugin to steal SMS/OTP material without compromising the mobile device.[1]
  • Expect increased phishing and supply-side credential risk from abused cloud email services because Kaspersky reports attackers are using Amazon SES and leaked AWS keys to bypass reputation filters; this raises supplier attestations and key-management requirements.[2]
  • Prepare for near-term cost shifts to buyers on patching, incident response, and forensic work unless contracts specify supplier-paid remediation or clear pass-through rules; contracts and SLAs will determine who pays and how fast suppliers must act.[3]

What changed since last run

  • New technical exploit surfaced: a local root Linux kernel vulnerability (CVE-2026-31431) with public PoC and CISA KEV listing — adds kernel-patch and supplier-image risk not covered in previous LMS/endpoint brief.
  • New MFT-specific auth-bypass (MOVEit Automation) notification from vendor increases immediate orchestration and data-flow dependency concerns versus prior focus on LMS and PKI incidents.
  • Endpoint authentication vector change: CloudZ’s Phone Link plugin demonstrates non-mobile interception of SMS OTPs, shifting mitigation priorities from mobile device controls to endpoint/process isolation and MFA post...

Key facts

  • Tracked as CVE-2026-31431
  • Proof-of-concept exploit publicly available against mainstream distributions
  • CISA added the flaw to the KEV catalog
  • Tracked as CVE-2026-4670
  • Affects MOVEit Automation versions before specific 2025 builds
  • Progress reports widespread enterprise usage of MOVEit MFT solutions

Why it matters

Treat the Linux 'Copy Fail' kernel exploit as a high-priority patch and supplier-visibility item because CISA added the flaw to its Known Exploited Vulnerabilities list and PoC code roots unpatched mainstream Linux kernels; buyers should map which suppliers deliver or maintain those Linux images. Confirm exposure and remediation plans for managed file transfer (MFT) instances because Progress warned a critical MOVEit Automation auth-bypass affects pre-2025 builds and publicly exposed instances exist, creating a direct data-flow and uptime dependency. Reassess SMS-based one-time passwords and endpoint telemetry because Cisco Talos found CloudZ malware using a Microsoft Phone Link plugin to steal SMS/OTP material without compromising the mobile device. Expect increased phishing and supply-side credential risk from abused cloud email services because Kaspersky reports attackers are using Amazon SES and leaked AWS keys to bypass reputation filters; this raises supplier attestations and key-management requirements.

Cost / money

  • Patching and post-exploit forensic work will create unplanned spend for Linux workloads and hosted services because CISA KEV listing implies prioritized remediation and potential regulatory/compliance obligations for affected systems.[4]
  • Remediation of MFT exposures can generate cross-supplier change orders and recovery costs if contracts lack explicit pass-through or supplier-paid forensic clauses because MOVEit Automation faults affect central data orchestration.[3]

Supplier / commercial

  • Buyers gain leverage to demand patch attestations and image provenance from suppliers that deliver or manage Linux hosts because a single kernel exploit can be present across vendor-supplied images and increases buyer exposure.[4]
  • MFT vendors will be pushed to confirm exposure status and remediation timelines; insist on explicit uptime dependency and notification SLAs to limit downstream cost allocation.[3]
  • Require cloud or email-relay suppliers to provide credential-management evidence (key rotation, secret-scanning practices) as part of procurement reviews because SES abuse ties directly to leaked access keys.[2]

Safety / operations

  • A local-root kernel exploit shortens safe maintenance windows and raises the need for isolation or temporary decommissioning of vulnerable Linux hosts to avoid lateral compromise during patching.[4]
  • SMS OTPs and desktop-side integrations can no longer be treated as low-risk: CloudZ’s Phone Link interception means operations must treat SMS-based MFA as operationally fragile for privileged access.[1]

What to watch

  • Early-signal: Public exploit code for Copy Fail increases the chance of rapid, automated scanning by opportunistic actors; watch for mass scanning indicators against supplier-managed images.[4]
  • Watch for follow-on extortion or data theft tied to MOVEit Automation vulnerabilities given the platform’s prior large-scale incidents; a confirmed breach would materially raise notification and forensic costs.[3]

Top stories

Story 1 · BleepingComputer · May 4, 2026

CISA says ‘Copy Fail’ flaw now exploited to root Linux systems

Signal: strong · Source-grounded

What happened

CISA warned that the 'Copy Fail' Linux kernel vulnerability is being exploited in the wild and added it to its Known Exploited Vulnerabilities list. The vulnerability lets unprivileged local users gain root on many mainstream Linux distributions, and public PoC code exists, making this an operational patch-and-inventory issue for any buyer running affected kernels.

Buyer takeaway

Treat this as a real remediation and contract-visibility need because the flaw affects vendor-supplied images and public PoC exists that can be weaponized quickly.

Cost / money

Expect near-term remediation and forensic verification costs if images must be rebuilt or hosts isolated; buyers may need to negotiate supplier-paid remediation where suppliers maintain images.

Supplier / commercial

Require suppliers to provide patch attestations, image provenance, and a defined patch cadence; make image-control responsibilities explicit in SOWs or managed-service agreements.

Safety / operations

Kernel exploits increase the chance of lateral movement and compress maintenance windows; operations should plan for temporary isolation and coordinated supplier testing before mass rollouts.

What to watch

Watch whether suppliers delay patching for custom images or claim unsupported configurations; limited vendor support creates a higher buyer-side remediation load.

Key facts

  • Tracked as CVE-2026-31431
  • Proof-of-concept exploit publicly available against mainstream distributions
  • CISA added the flaw to the KEV catalog

Source excerpts

Tracked as CVE-2026-31431, this security flaw was found in the Linux kernel's algif_aead cryptographic algorithm interface and enables unprivileged local users to gain root privileges on unpatched Linux systems by writing four controlled bytes to the page cache of any readable file. Theori researchers disclosed it on Thursday and shared what they described as a "100% reliable" Python-based exploit that can be used to root Ubuntu 24
"If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you're in scope." While major Linux distros began pushing the fix via kernel updates, Tharros' principal vulnerability analyst, Will Dormann, noted on Thursday that there were no "official updates" when Theori published its advisory.
Story 2 · BleepingComputer · May 4, 2026

Progress warns of critical MOVEit Automation auth bypass flaw

Signal: strong · Source-grounded

What happened

Progress Software warned of a critical authentication-bypass vulnerability in MOVEit Automation and released security updates for affected builds. Public searches show many exposed instances online, creating a direct risk to data automation flows and increasing the need for vendor confirmation and coordinated remediation.

Buyer takeaway

Treat MFT instances as high-priority assets in supplier inventories because a single orchestration point can expose multiple downstream systems.

Cost / money

If a managed-MFT supplier does not commit to remediation, buyers may incur change-order costs or emergency forensic bills to restore flows.

Supplier / commercial

Use renewals to negotiate explicit remediation SLAs, notification windows, and cost-pass-through or indemnity clauses for MFT-related breaches.

Safety / operations

Unpatched MFT instances risk automated data exfiltration and require tight coordination to avoid breaking scheduled business workflows during patching.

What to watch

Watch for suppliers claiming customer-managed responsibility for instances that were deployed or maintained under the managed service — this changes who pays for fixes.

Key facts

  • Tracked as CVE-2026-4670
  • Affects MOVEit Automation versions before specific 2025 builds
  • Progress reports widespread enterprise usage of MOVEit MFT solutions

Source excerpts

Progress Software warned customers to patch a critical authentication bypass vulnerability in its MOVEit Automation enterprise-grade managed file transfer (MFT) application.
[Figure: Map of MOVEit Automation instances exposed online (Shodan)]

While the company has yet to flag these security issues as exploited in the wild, other MOVEit MFT vulnerabilities have been targeted in attacks in recent years. For instance, the Clop ransomware gang exploited a zero-day in the MOVEit Transfer secure file transfer platform in an extensive series of data theft attacks in 2023 that affected more than 2,100 organizations and over 62 million individuals, according to Emsisoft estimates.
Story 3 · BleepingComputer · May 5, 2026

CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs

Signal: strong · Source-grounded

What happened

Cisco Talos researchers found CloudZ RAT deploying a Pheno plugin that abuses Microsoft Phone Link on Windows to access a local SQLite database and steal SMS messages and one-time passwords. The technique allows attackers to capture OTP material without compromising the mobile device, undermining SMS-based MFA for affected endpoints.

Buyer takeaway

Assume SMS OTPs are interceptable via desktop-side channels and require suppliers to support stronger MFA alternatives for critical access.

Cost / money

Shifts spend toward stronger MFA solutions, endpoint detection, and supplier attestations of secure integrations rather than relying on mobile-only controls.

Supplier / commercial

Require suppliers that integrate desktop-mobile linkages to provide evidence of secure data handling and isolation controls in their integrations.

Safety / operations

Endpoint telemetry and process-hardened isolation become operational priorities because attackers can leverage legitimate desktop apps to reach otherwise protected credentials.

What to watch

Watch for more malware families to reuse Phone Link access patterns; if Phone Link usage is widespread in the estate, risk balloons quickly.

Key facts

  • CloudZ RAT uses a new Pheno plugin to target Phone Link
  • Pheno accesses local Phone Link SQLite DB to capture SMS/OTPs
  • Observed active intrusion dating back to January

Source excerpts

“With a confirmed Phone Link activity on the victim's machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application’s SQLite database file on the victim's machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages,” explain Cisco Talos researchers.
This gives the attacker access to sensitive information without needing to compromise the mobile device.
Microsoft Phone Link comes installed on Windows 10 and 11, and allows using the computer to make and take calls, respond to texts, or view notifications received on the mobile device (Android and iOS). By leveraging the application, the threat actor could intercept sensitive messages delivered to the target's mobile phone without compromising the device.
Story 4 · BleepingComputer · May 4, 2026

Amazon SES increasingly abused in phishing to evade detection

Signal: strong · Source-grounded

What happened

Kaspersky reports an uptick in phishing campaigns abusing Amazon SES to bypass filters, driven in part by exposed AWS access keys found in public assets. Because SES is a trusted sending service, attackers can send convincing emails that evade reputation blocks and increase the likelihood of successful phishing.

Buyer takeaway

Require cloud/email providers and integration suppliers to prove secret hygiene and automated secret-scanning practices as a procurement condition.

Cost / money

Failure to enforce key-management practices increases incident-response and remediation spend when phishing campaigns scale.

Supplier / commercial

Build credential-management attestations into supplier onboarding and renewals; require evidence of rotation, least-privilege IAM, and monitoring.

Safety / operations

Operational detection suffers when attackers use legitimate relays; augment technical controls with supplier-provided logs and rapid take-down support.

What to watch

Watch for credential leaks in vendor code, repos, or CI/CD artifacts that can enable large-volume phishing campaigns via trusted infrastructure.

Key facts

  • Increase in phishing leveraging Amazon SES observed by Kaspersky
  • Main driver appears to be leaked AWS credentials in public repositories
  • Attackers automate secret scanning and permission validation

Source excerpts

Finding the access keys is typically done in an automated way using bots built on the open-source TruffleHog utility, which is designed to scan for leaked secrets. Threat actors now rely on automated attacks that streamline secret scanning, permission validation, and email distribution, enabling unprecedented levels of abuse.
The Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective. Although the resource has been leveraged for malicious activity in the past, the current spike may be due to a large number of AWS Identity and Access Management access keys exposed in public assets.

VP Snapshot

Executive Risk & Action View

Treat the Linux 'Copy Fail' kernel exploit as a high-priority patch and supplier-visibility item because CISA added the flaw to its Known Exploited Vulnerabilities list and PoC code roots unpatched mainstream Linux kernels; buyers should map which suppliers deliver or maintain those Linux images.

Risk scores

  • Overall: 70
  • Cost: 79
  • Supply: 25
  • Schedule: 20
  • Compliance: 15

Top signals

30-180d · cost

Signal 1: Cost / money

Patching and post-exploit forensic work will create unplanned spend for Linux workloads and hosted services because CISA KEV listing implies prioritized remediation and potential regulatory/compliance obligations for affected systems.

Signal 2: Cost / money

Remediation of MFT exposures can generate cross-supplier change orders and recovery costs if contracts lack explicit pass-through or supplier-paid forensic clauses because MOVEit Automation faults affect central data orchestration.

Signal 4: Supplier / commercial

MFT vendors will be pushed to confirm exposure status and remediation timelines; insist on explicit uptime dependency and notification SLAs to limit downstream cost allocation.

30-180d · commercial

Signal 3: Supplier / commercial

Buyers gain leverage to demand patch attestations and image provenance from suppliers that deliver or manage Linux hosts because a single kernel exploit can be present across vendor-supplied images and increases buyer exposure.

Signal 5: Supplier / commercial

Require cloud or email-relay suppliers to provide credential-management evidence (key rotation, secret-scanning practices) as part of procurement reviews because SES abuse ties directly to leaked access keys.

30-180d · supplier

Signal 6: Safety / operations

A local-root kernel exploit shortens safe maintenance windows and raises the need for isolation or temporary decommissioning of vulnerable Linux hosts to avoid lateral compromise during patching.

Recommended actions

Ops · Due 3d

Inventory all Linux hosts and map each to the supplier or managed-image owner.

Supplier-mapped inventory with prioritized patch targets and contact points for coordinated remediation.

Category · Due 3d

Request immediate exposure and remediation status from owners of any MOVEit Automation instances in our estate and from managed-MFT providers.

Documented vendor confirmations and initial remediation/mitigation commitments for each affected MFT instance.

Contracts · Due 21d

Open contract amendment talks with MFT and managed-hosting suppliers to add explicit forensic cooperation, notification SLAs, and cost-pass-through or supplier-paid remediation...

Negotiation positions or amendment drafts that assign forensic cooperation and remediation cost responsibilities.

Category · Due 21d

Update procurement security requirements to deprecate SMS-based OTP for admin and high-risk access paths and require stronger MFA options from suppliers.

Revised supplier security checklist that excludes SMS OTP for privileged access and requires app-based or hardware MFA evidence.

Legal · Due 60d

Work with Legal to insert credential-management and secret-handling attestations, rotation obligations, and breach-notification SLAs into cloud/email-relay contracts.

Contract clause templates requiring key-rotation practices, secret-scanning evidence, and accelerated notification for credential exposure incidents.

Ops · Due 60d

Develop a staged patch-validation playbook with suppliers for kernel updates and MFT upgrades, including supplier-supplied test images and rollback procedures.

A published patch-validation playbook and supplier commitments to provide test artifacts and rollback support.

Risk register

  • Risk: Early-signal: Public exploit code for Copy Fail increases the chance of rapid, automated scanning by opportunistic actors; watch for mass scanning indicators against supplier-managed images.
    Trigger: Early-signal: Public exploit code for Copy Fail increases the chance of rapid, automated scanning by opportunistic actors; watch for mass scanning indicators against supplier-managed images.
    Mitigation: Confirm exposure with category, contracts, and operations before the next supplier commitment.
  • Risk: Watch for follow-on extortion or data theft tied to MOVEit Automation vulnerabilities given the platform’s prior large-scale incidents; a confirmed breach would materially raise notification and forensic costs.
    Trigger: Watch for follow-on extortion or data theft tied to MOVEit Automation vulnerabilities given the platform’s prior large-scale incidents; a confirmed breach would materially raise notification and forensic costs.
    Mitigation: Confirm exposure with category, contracts, and operations before the next supplier commitment.

CM Snapshot

Category Manager Decision Detail

Today's priorities

Inventory all Linux hosts and map each to the supplier or managed-image owner.

Why: because the 'Copy Fail' kernel exploit affects mainstream distributions and suppliers often control the OS image and patch cadence, an accurate supplier-mapped inventory is requ...

Due 3d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Request immediate exposure and remediation status from owners of any MOVEit Automation instances in our estate and from managed-MFT providers.

Why: because Progress warned of an auth-bypass in MOVEit Automation and exposed instances have been observed online, vendor confirmation is needed to prevent data-flow interruptions.

Due 3d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Open contract amendment talks with MFT and managed-hosting suppliers to add explicit forensic cooperation, notification SLAs, and cost-pass-through or supplier-paid remediation...

Why: because MFT and hosted service vulnerabilities can trigger complex cross-supplier investigations and costs, contract language should set expectations and payment responsibility.

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Update procurement security requirements to deprecate SMS-based OTP for admin and high-risk access paths and require stronger MFA options from suppliers.

Why: because CloudZ’s Phone Link plugin can intercept SMS and OTP material without touching the mobile device, SMS-based authentication is operationally weak for critical accounts.

Due 21d

high

CM move

Use this as the immediate supplier or contract action to move before the next sourcing gate.

Supplier radar

BleepingComputer

high

Observed supplier signal

Buyers gain leverage to demand patch attestations and image provenance from suppliers that deliver or manage Linux hosts because a single kernel exploit can be present across vendor-supplied images and increases buyer exposure.

Commercial implication

Buyers gain leverage to demand patch attestations and image provenance from suppliers that deliver or manage Linux hosts because a single kernel exploit can be present across vendor-supplied images and increases buyer exposure.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

BleepingComputer

high

Observed supplier signal

MFT vendors will be pushed to confirm exposure status and remediation timelines; insist on explicit uptime dependency and notification SLAs to limit downstream cost allocation.

Commercial implication

MFT vendors will be pushed to confirm exposure status and remediation timelines; insist on explicit uptime dependency and notification SLAs to limit downstream cost allocation.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

BleepingComputer

high

Observed supplier signal

Require cloud or email-relay suppliers to provide credential-management evidence (key rotation, secret-scanning practices) as part of procurement reviews because SES abuse ties directly to leaked access keys.

Commercial implication

Require cloud or email-relay suppliers to provide credential-management evidence (key rotation, secret-scanning practices) as part of procurement reviews because SES abuse ties directly to leaked access keys.

Next step: Validate the source-backed signal with incumbents and alternates before the next award or pricing decision.

Negotiation levers

Inventory all Linux hosts and map each to the supplier or managed-image owner.

When to use: because the 'Copy Fail' kernel exploit affects mainstream distributions and suppliers often control the OS image and patch cadence, an accurate supplier-mapped inventory is requ...

Expected outcome: Supplier-mapped inventory with prioritized patch targets and contact points for coordinated remediation.

Commercial mechanism to carry into the next supplier conversation

Request immediate exposure and remediation status from owners of any MOVEit Automation instances in our estate and from managed-MFT providers.

When to use: because Progress warned of an auth-bypass in MOVEit Automation and exposed instances have been observed online, vendor confirmation is needed to prevent data-flow interruptions.

Expected outcome: Documented vendor confirmations and initial remediation/mitigation commitments for each affected MFT instance.

Commercial mechanism to carry into the next supplier conversation

Open contract amendment talks with MFT and managed-hosting suppliers to add explicit forensic cooperation, notification SLAs, and cost-pass-through or supplier-paid remediation...

When to use: because MFT and hosted service vulnerabilities can trigger complex cross-supplier investigations and costs, contract language should set expectations and payment responsibility.

Expected outcome: Negotiation positions or amendment drafts that assign forensic cooperation and remediation cost responsibilities.

Commercial mechanism to carry into the next supplier conversation

Update procurement security requirements to deprecate SMS-based OTP for admin and high-risk access paths and require stronger MFA options from suppliers.

When to use: because CloudZ’s Phone Link plugin can intercept SMS and OTP material without touching the mobile device, SMS-based authentication is operationally weak for critical accounts.

Expected outcome: Revised supplier security checklist that excludes SMS OTP for privileged access and requires app-based or hardware MFA evidence.

Commercial mechanism to carry into the next supplier conversation

Talking points

Treat the Linux 'Copy Fail' kernel exploit as a high-priority patch and supplier-visibility item because CISA added the flaw to its Known Exploited Vulnerabilities list and PoC code roots unpatched mainstream Linux kernels; buyers should map which suppliers deliver or maintain those Linux images.
Confirm exposure and remediation plans for managed file transfer (MFT) instances because Progress warned a critical MOVEit Automation auth-bypass affects pre-2025 builds and publicly exposed instances exist, creating a direct data-flow and uptime dependency.
Reassess SMS-based one-time passwords and endpoint telemetry because Cisco Talos found CloudZ malware using a Microsoft Phone Link plugin to steal SMS/OTP material without compromising the mobile device.
Expect increased phishing and supply-side credential risk from abused cloud email services because Kaspersky reports attackers are using Amazon SES and leaked AWS keys to bypass reputation filters; this raises supplier attestations and key-management requirements.


What to do / What to watch

What to do now

  • Inventory all Linux hosts and map each to the supplier or managed-image owner.

    Why: because the 'Copy Fail' kernel exploit affects mainstream distributions and suppliers often control the OS image and patch cadence, an accurate supplier-mapped inventory is requ...

    Owner: Ops

    Expected outcome: Supplier-mapped inventory with prioritized patch targets and contact points for coordinated remediation.

    [4]
  • Request immediate exposure and remediation status from owners of any MOVEit Automation instances in our estate and from managed-MFT providers.

    Why: because Progress warned of an auth-bypass in MOVEit Automation and exposed instances have been observed online, vendor confirmation is needed to prevent data-flow interruptions.

    Owner: Category

    Expected outcome: Documented vendor confirmations and initial remediation/mitigation commitments for each affected MFT instance.

    [3]

Next few weeks

  • Open contract amendment talks with MFT and managed-hosting suppliers to add explicit forensic cooperation, notification SLAs, and cost-pass-through or supplier-paid remediation...

    Why: because MFT and hosted service vulnerabilities can trigger complex cross-supplier investigations and costs, contract language should set expectations and payment responsibility.

    Owner: Contracts

    Expected outcome: Negotiation positions or amendment drafts that assign forensic cooperation and remediation cost responsibilities.

    [3]
  • Update procurement security requirements to deprecate SMS-based OTP for admin and high-risk access paths and require stronger MFA options from suppliers.

    Why: because CloudZ’s Phone Link plugin can intercept SMS and OTP material without touching the mobile device, SMS-based authentication is operationally weak for critical accounts.

    Owner: Category

    Expected outcome: Revised supplier security checklist that excludes SMS OTP for privileged access and requires app-based or hardware MFA evidence.

    [1]

Longer view

  • Work with Legal to insert credential-management and secret-handling attestations, rotation obligations, and breach-notification SLAs into cloud/email-relay contracts.

    Why: because Amazon SES abuse is being driven by leaked AWS keys and stronger contractual controls will reduce supplier-side credential risk and improve response obligations.

    Owner: Legal

    Expected outcome: Contract clause templates requiring key-rotation practices, secret-scanning evidence, and accelerated notification for credential exposure incidents.

    [2]
  • Develop a staged patch-validation playbook with suppliers for kernel updates and MFT upgrades, including supplier-supplied test images and rollback procedures.

    Why: because kernel-level fixes and MFT patches carry uptime and integration risk, coordinated test windows and supplier test artifacts reduce operational fallout during deployment.

    Owner: Ops

    Expected outcome: A published patch-validation playbook and supplier commitments to provide test artifacts and rollback support.

    [4]

What to watch

  • Early-signal: Public exploit code for Copy Fail increases the chance of rapid, automated scanning by opportunistic actors; watch for mass scanning indicators against supplier-managed images
  • Watch for follow-on extortion or data theft tied to MOVEit Automation vulnerabilities given the platform’s prior large-scale incidents; a confirmed breach would materially raise notification and forensic costs

Market pulse

Index              | Latest | Change         | As of
Palo Alto (PANW)   | 320    | +0.00 (+0.00%) | May 5, 2026, 10:08 AM
CrowdStrike (CRWD) | 285    | +0.00 (+0.00%) | May 5, 2026, 10:08 AM
Zscaler (ZS)       | 195    | +0.00 (+0.00%) | May 5, 2026, 10:08 AM
Fortinet (FTNT)    | 72     | +0.00 (+0.00%) | May 5, 2026, 10:08 AM
  • Palo Alto: Palo Alto clients may see increased demand for kernel-level detection and endpoint isolation features
  • CrowdStrike: CrowdStrike-like services are relevant for telemetry that links desktop Phone Link activity to C2 behaviour

Sources


[1] CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs

bleepingcomputer.com · May 5, 2026


AI reading

Cisco Talos researchers found CloudZ RAT deploying a Pheno plugin that abuses Microsoft Phone Link on Windows to access a local SQLite database and steal SMS messages and one-time passwords. The technique allows attackers to capture OTP material without compromising the mobile device, undermining SMS-based MFA for affected endpoints

Buyer takeaway

Assume SMS OTPs are interceptable via desktop-side channels and require suppliers to support stronger MFA alternatives for critical access

Cost / money

Shifts spend toward stronger MFA solutions, endpoint detection, and supplier attestations of secure integrations rather than relying on mobile-only controls

Supplier / commercial

Require suppliers that integrate desktop-mobile linkages to provide evidence of secure data handling and isolation controls in their integrations

Safety / operations

Endpoint telemetry and process-hardened isolation become operational priorities because attackers can leverage legitimate desktop apps to reach otherwise protected credentials

What to watch

Watch for more malware families to reuse Phone Link access patterns; if Phone Link usage is widespread in the estate, risk balloons quickly

Key facts

  • CloudZ RAT uses a new Pheno plugin to target Phone Link
  • Pheno accesses local Phone Link SQLite DB to capture SMS/OTPs
  • Observed active intrusion dating back to January

Source excerpts

“With a confirmed Phone Link activity on the victim's machine, the attacker using the CloudZ RAT can potentially intercept the Phone Link application’s SQLite database file on the victim's machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages,” explain Cisco Talos researchers
This gives the attacker access to sensitive information without needing to compromise the mobile device.
Microsoft Phone Link comes installed on Windows 10 and 11, and allows using the computer to make and take calls, respond to texts, or view notifications received on the mobile device (Android and iOS). By leveraging the application, the threat actor could intercept sensitive messages delivered to the target's mobile phone without compromising the device

Used in this brief

  • Safety / operations: SMS OTPs and desktop-side integrations can no longer be treated as low-risk: CloudZ’s Phone Link interception means operations must treat SMS-based MFA as operationally fragile for privileged access
  • Next 2-4 weeks — Update procurement security requirements to deprecate SMS-based OTP for admin and high-risk access paths and require stronger MFA options from suppliers. Rationale: because CloudZ’s Phone Link plugin can intercept SMS and OTP material without touching the mobile device, SMS-based authentication is operationally weak for critical accounts. Owner: Category. KPI: Revised supplier security checklist that excludes SMS OTP for privileged access and requires app-based or hardware MFA evidence
  • Endpoint authentication vector change: CloudZ’s Phone Link plugin demonstrates non-mobile interception of SMS OTPs, shifting mitigation priorities from mobile device controls to endpoint/process isolation and MFA post

[2] Amazon SES increasingly abused in phishing to evade detection

bleepingcomputer.com · May 4, 2026


AI reading

Kaspersky reports an uptick in phishing campaigns abusing Amazon SES to bypass filters, driven in part by exposed AWS access keys found in public assets. Because SES is a trusted sending service, attackers can send convincing emails that evade reputation blocks and increase the likelihood of successful phishing

Buyer takeaway

Require cloud/email providers and integration suppliers to prove secret hygiene and automated secret-scanning practices as a procurement condition

Cost / money

Failure to enforce key-management practices increases incident-response and remediation spend when phishing campaigns scale

Supplier / commercial

Build credential-management attestations into supplier onboarding and renewals; require evidence of rotation, least-privilege IAM, and monitoring

Safety / operations

Operational detection suffers when attackers use legitimate relays; augment technical controls with supplier-provided logs and rapid take-down support

What to watch

Watch for credential leaks in vendor code, repos, or CI/CD artifacts that can enable large-volume phishing campaigns via trusted infrastructure

Key facts

  • Increase in phishing leveraging Amazon SES observed by Kaspersky
  • Main driver appears to be leaked AWS credentials in public repositories
  • Attackers automate secret scanning and permission validation

Source excerpts

Finding the access keys is typically done in an automated way using bots built on the open-source TruffleHog utility, which is designed to scan for leaked secrets. Threat actors now rely on automated attacks that streamline secret scanning, permission validation, and email distribution, enabling unprecedented levels of abuse
The Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective. Although the resource has been leveraged for malicious activity in the past, the current spike may be due to a large number of AWS Identity and Access Management access keys exposed in public assets

Used in this brief

  • Supplier / commercial: Require cloud or email-relay suppliers to provide credential-management evidence (key rotation, secret-scanning practices) as part of procurement reviews because SES abuse ties directly to leaked access keys
  • Next quarter — Work with Legal to insert credential-management and secret-handling attestations, rotation obligations, and breach-notification SLAs into cloud/email-relay contracts. Rationale: because Amazon SES abuse is being driven by leaked AWS keys and stronger contractual controls will reduce supplier-side credential risk and improve response obligations. Owner: Legal. KPI: Contract clause templates requiring key-rotation practices, secret-scanning evidence, and accelerated notification for credential exposure incidents
  • Kaspersky reports an uptick in phishing campaigns abusing Amazon SES to bypass filters, driven in part by exposed AWS access keys found in public assets. Because SES is a trusted sending service, attackers can send convincing emails that evade reputation blocks and increase the likelihood of successful phishing

[3] Progress warns of critical MOVEit Automation auth bypass flaw

bleepingcomputer.com · May 4, 2026


AI reading

Progress Software warned of a critical authentication-bypass vulnerability in MOVEit Automation and released security updates for affected builds. Public searches show many exposed instances online, creating a direct risk to data automation flows and increasing the need for vendor confirmation and coordinated remediation

Buyer takeaway

Treat MFT instances as high-priority assets in supplier inventories because a single orchestration point can expose multiple downstream systems

Cost / money

If a managed-MFT supplier does not commit to remediation, buyers may incur change-order costs or emergency forensic bills to restore flows

Supplier / commercial

Use renewals to negotiate explicit remediation SLAs, notification windows, and cost-pass-through or indemnity clauses for MFT-related breaches

Safety / operations

Unpatched MFT instances risk automated data exfiltration and require tight coordination to avoid breaking scheduled business workflows during patching

What to watch

Watch for suppliers claiming customer-managed responsibility for instances that were deployed or maintained under the managed service — this changes who pays for fixes

Key facts

  • Tracked as CVE-2026-4670
  • Affects MOVEit Automation versions before specific 2025 builds
  • Progress reports widespread enterprise usage of MOVEit MFT solutions

Source excerpts

Progress Software warned customers to patch a critical authentication bypass vulnerability in its MOVEit Automation enterprise-grade managed file transfer (MFT) application
Map of MOVEit Automation instances exposed online (Shodan)
While the company has yet to flag these security issues as exploited in the wild, other MOVEit MFT vulnerabilities have been targeted in attacks in recent years. For instance, the Clop ransomware gang exploited a zero-day in the MOVEit Transfer secure file transfer platform in an extensive series of data theft attacks in 2023 that affected more than 2,100 organizations and over 62 million individuals, according to Emsisoft estimates

Used in this brief

  • Treat the Linux 'Copy Fail' kernel exploit as a high-priority patch and supplier-visibility item because CISA added the flaw to its Known Exploited Vulnerabilities list and PoC code roots unpatched mainstream Linux kernels; buyers should map which suppliers deliver or maintain those Linux images. Confirm exposure and remediation plans for managed file transfer (MFT) instances because Progress warned a critical MOVEit Automation auth-bypass affects pre-2025 builds and publicly exposed instances exist, creating a direct data-flow and uptime dependency. Reassess SMS-based one-time passwords and endpoint telemetry because Cisco Talos found CloudZ malware using a Microsoft Phone Link plugin to steal SMS/OTP material without compromising the mobile device. Expect increased phishing and supply-side credential risk from abused cloud email services because Kaspersky reports attackers are using Amazon SES and leaked AWS keys to bypass reputation filters; this raises supplier attestations and key-management requirements
  • What to watch: Watch for follow-on extortion or data theft tied to MOVEit Automation vulnerabilities given the platform’s prior large-scale incidents; a confirmed breach would materially raise notification and forensic costs
  • Next 72 hours — Request immediate exposure and remediation status from owners of any MOVEit Automation instances in our estate and from managed-MFT providers. Rationale: because Progress warned of an auth-bypass in MOVEit Automation and exposed instances have been observed online, vendor confirmation is needed to prevent data-flow interruptions. Owner: Category. KPI: Documented vendor confirmations and initial remediation/mitigation commitments for each affected MFT instance

[4] CISA says ‘Copy Fail’ flaw now exploited to root Linux systems

bleepingcomputer.com · May 4, 2026


AI reading

CISA warned that the 'Copy Fail' Linux kernel vulnerability is being exploited in the wild and added it to its Known Exploited Vulnerabilities list. The vulnerability lets unprivileged local users gain root on many mainstream Linux distributions and public PoC code exists, making this an operational patch-and-inventory issue for any buyer running affected kernels

Buyer takeaway

Treat this as a real remediation and contract-visibility need because the flaw affects vendor-supplied images and public PoC exists that can be weaponized quickly

Cost / money

Expect near-term remediation and forensic verification costs if images must be rebuilt or hosts isolated; buyers may need to negotiate supplier-paid remediation where suppliers maintain images

Supplier / commercial

Require suppliers to supply patch attestations, image provenance, and a defined patch cadence; make image-control responsibilities explicit in SOWs or managed-service agreements

Safety / operations

Kernel exploits increase the chance of lateral movement and compressed maintenance windows; operations should plan for temporary isolation and coordinated supplier testing before mass rollouts

What to watch

Watch whether suppliers delay patching for custom images or claim unsupported configurations; limited vendor support creates higher buyer-side remediation load

Key facts

  • Tracked as CVE-2026-31431
  • Proof-of-concept exploit publicly available against mainstream distributions
  • CISA added the flaw to the KEV catalog

Source excerpts

Tracked as CVE-2026-31431, this security flaw was found in the Linux kernel's algif_aead cryptographic algorithm interface and enables unprivileged local users to gain root privileges on unpatched Linux systems by writing four controlled bytes to the page cache of any readable file. Theori researchers disclosed it on Thursday and shared what they described as a "100% reliable" Python-based exploit that can be used to root Ubuntu 24
"If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you're in scope." While major Linux distros began pushing the fix via kernel updates, Tharros' principal vulnerability analyst, Will Dormann, noted on Thursday that there were no "official updates" when Theori published its advisory

Used in this brief

  • Safety / operations: A local-root kernel exploit shortens safe maintenance windows and raises the need for isolation or temporary decommissioning of vulnerable Linux hosts to avoid lateral compromise during patching
  • Next 72 hours — Inventory all Linux hosts and map each to the supplier or managed-image owner. Rationale: because the 'Copy Fail' kernel exploit affects mainstream distributions and suppliers often control the OS image and patch cadence, an accurate supplier-mapped inventory is requ... Owner: Ops. KPI: Supplier-mapped inventory with prioritized patch targets and contact points for coordinated remediation
  • Next quarter — Develop a staged patch-validation playbook with suppliers for kernel updates and MFT upgrades, including supplier-supplied test images and rollback procedures. Rationale: because kernel-level fixes and MFT patches carry uptime and integration risk, coordinated test windows and supplier test artifacts reduce operational fallout during deployment. Owner: Ops. KPI: A published patch-validation playbook and supplier commitments to provide test artifacts and rollback support

[5] Palo Alto

finance.yahoo.com · n.d.


[6] CrowdStrike

finance.yahoo.com · n.d.
