In this week's roundup, we feature an on-demand session from Vali Cyber CTO Austin Gadient exploring how major compliance frameworks apply to virtual infrastructure — and how the hypervisor blind spot is creating real liability and legal risk for security leaders as regulatory scrutiny intensifies; elsewhere in the threat landscape, a newly disclosed 19-year-old Linux kernel privilege escalation vulnerability dubbed CIFSwitch allows any unprivileged local user to forge authentication requests and gain full root access across roughly 30 distribution and edition combinations, a threat actor is caught using AI coding tools to build and iteratively refine a modular EDR evasion framework linked to known ransomware operations — underscoring why preemptive controls are becoming the only reliable defense, researchers demonstrate a self-replicating AI worm that autonomously propagates through Linux, Windows, and IoT devices by dynamically probing each target for unique vulnerabilities, and five ransomware operations — INC, Qilin, Play, SafePay, and DragonForce, several maintaining dedicated ESXi encryptors — posted seven new victims to their leak sites in a single day. Read on!
On Demand Webinar: Hypervisor Blind Spots: Compliance, Liability, and Risk
Hypervisors have long existed outside the scope of most compliance frameworks — and attackers have noticed. In case you missed our live VMUG session last week, the recording is now available on demand on our BrightTALK channel. Vali Cyber CTO Austin Gadient explores major compliance frameworks and their implications for virtual infrastructure, and what that gap means for organizational liability and legal risk. With MITRE ATT&CK v17 elevating virtualization-layer techniques and auditors beginning to scrutinize the hypervisor blind spot, security leaders are increasingly being held personally accountable for risks they were previously able to overlook. Austin breaks down what regulators and auditors are starting to expect, how high-profile attacks from modern threat actors are accelerating that scrutiny, and practical steps teams can take to strengthen governance before compliance pressure turns into legal exposure.
Ari Saperstein, Manager of Global Channel Technical Enablement:
"Once again we see long-standing vulnerabilities discovered and exploited. Unknown exploit surfaces leave security systems woefully unprepared. The importance of preemptive security is more important than ever to protect against exploits that have not yet been discovered."
On New CIFSwitch Linux flaw gives root on multiple distributions
Joseph Comps, Solutions Engineer & Threat Intelligence Analyst:
"The research coming out of the University of Toronto's ‘AI Worm’ is informative, but a bit misleading in the name. This tool is really more of an automated pentesting framework, designed to scan for and exploit a series of known vulnerabilities and misconfigurations. Nevertheless, it perfectly illustrates why organizations must maintain a robust defense-in-depth approach to their security."
On ‘A Fundamentally New Threat’: Researchers Develop New AI-Powered Worm That Might Be Unstoppable
New CIFSwitch Linux flaw gives root on multiple distributions
CIFSwitch is a 19-year-old local privilege escalation vulnerability in the Linux kernel's CIFS subsystem that allows any unprivileged local user to forge authentication requests trusted by a root-privileged helper process, ultimately loading a malicious NSS module to achieve full root code execution. The flaw has been confirmed out of the box across roughly 30 distribution and edition combinations, including Ubuntu, RHEL, AlmaLinux, and Kali, and a working proof-of-concept is publicly available. An upstream kernel patch exists and distribution-level updates are rolling out now.
Researchers uncovered a threat actor using AI coding tools to build and iteratively refine a modular EDR evasion framework — and the results underscore a growing reality: EDR alone is no longer sufficient. Working inside an AI-native development environment, the actor assigned roles to multiple agents to produce nearly 80 evasion modules covering over 70 techniques, with agents reporting near-universal effectiveness after iteration. The operation has been linked to known ransomware and data theft activity, and highlights why preemptive controls — not reactive detection — are becoming the only reliable defense.
‘A Fundamentally New Threat’: Researchers Develop New AI-Powered Worm That Might Be Unstoppable
Researchers from the University of Toronto and Cambridge have demonstrated a self-replicating AI worm that autonomously propagates through a network of Linux, Windows, and IoT devices — dynamically probing each target for unique vulnerabilities rather than exploiting a single flaw like traditional worms. Powered by an open-source LLM, the worm infected half the devices in the test network in five days and parasitically harvests computing power to fuel its own inference. The researchers warn that timeline will compress as consumer devices become more AI-capable.
Ransomware crews Inc., Qilin, Play, SafePay, and DragonForce posted seven fresh victims to leak sites on June 2 alone
Five ransomware operations — INC, Qilin, Play, SafePay, and DragonForce, several of which maintain dedicated ESXi encryptors — posted seven new victims to their leak sites on a single day, a concentration researchers say carries operational meaning. New academic research offers a framework for analyzing whether single-day clusters reflect shared infrastructure, overlapping access brokers, or coincidence — and suggests many crews follow measurable posting routines that defenders can use to sharpen threat hunting.