CISO Daily Digest: Linux Copy Fail & SaaS Extortion (20260502)

Linux Kernel ‘Copy Fail’ Vulnerability — Local Privilege Escalation to Root

• A critical vulnerability in the Linux kernel, dubbed “Copy Fail”, allows local users to escalate privileges to root on multiple mainstream Linux distributions
• The bug has existed in the kernel for approximately 9 years and was discovered through AI-assisted code analysis
• The vulnerability affects a core memory management subsystem, enabling attackers with low-privileged access to gain full system control
• Major Linux distributions (Ubuntu, Red Hat, Debian) have released emergency patches

🔗 Reference: Combined coverage (iThome, Dark Reading)

本週活躍威脅

📌 Cybercrime Groups Use Vishing and SSO Abuse in Rapid SaaS Extortion Attacks

Cybercrime groups have launched a wave of SaaS extortion attacks combining vishing (voice phishing) with Single Sign-On (SSO) abuse. Attackers call employees pretending to be IT support, trick them into approving MFA prompts, then use the compromised SSO session to exfiltrate data and demand ransom. The attacks target organizations using Okta, Azure AD, and other identity providers.

🔗 Reference: The Hacker News

📌 China-Linked Hackers Target Asian Governments, NATO States, Journalists, and Activists

Chinese state-linked threat actors are conducting a broad espionage campaign targeting Asian government agencies, NATO member states, journalists, and activists. The attackers are exploiting vulnerabilities in Exchange and IIS servers for initial access, then deploying custom backdoors for persistent intelligence gathering.

🔗 Reference: The Hacker News

📌 Trellix Confirms Source Code Breach with Unauthorized Repository Access

Cybersecurity firm Trellix confirmed a data breach where unauthorized actors gained access to internal source code repositories. The incident is under investigation, and the company has stated that no customer data was compromised. The breach follows a pattern of attackers targeting security vendors for their intellectual property.

🔗 Reference: The Hacker News

📌 Ubuntu and Canonical Websites Hit by DDoS Attack

The official websites of Ubuntu and Canonical were taken offline by a distributed denial-of-service (DDoS) attack, shortly after the disclosure of the ‘Copy Fail’ Linux kernel vulnerability. While no direct link has been established, the timing raises concerns about retaliatory attacks against open-source infrastructure.

🔗 Reference: iThome

📌 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign

A sophisticated phishing campaign using Google AppSheet compromised approximately 30,000 Facebook Business accounts. Attackers abused AppSheet’s legitimate infrastructure to create convincing phishing pages that evaded security filters, demonstrating the growing trend of phishing-as-a-service using trusted platforms.

🔗 Reference: The Hacker News

What OPSWAT Can Do

The ‘Copy Fail’ kernel vulnerability and the surge in supply-chain attacks underscore the need for defense-in-depth beyond traditional patch management. OPSWAT’s MetaDefender Platform can help organizations detect and block exploit attempts through multi-engine file scanning, CDR to neutralize weaponized documents, and Proactive DLP to prevent credential theft and data exfiltration — particularly relevant for the SSO/vishing and source-code theft scenarios reported this week.