
After the CopyFail vulnerability gave root access to any user on almost all distributions last week, this week we’ve got DirtyFrag. This chains the vulnerability in CopyFail (xfrm-ESP) with a new vulnerability in an RPC function which allows similar overwriting of the page cache.
Both vulnerabilities manipulate the Linux page cache, where data from disk is stored for rapid access. The kernel will always prefer the cached version of a file, which means that anything able to manipulate the contents of the cache can effectively replace the contents of the file. Both of the vulnerabilities leverage a similar mechanism – picking a binary which is flagged to run as root, such as su, and replacing the contents that would prompt for the user’s password with a launcher that immediately runs a shell.
Like CopyFail, DirtyFrag requires the ability to execute code on the target in the first place, but turning almost any code or command execution vulnerability in any network service into root raises the impact significantly, allowing an attacker to break out of containers and privileged environments, or to establish a persistent presence on the system that survives the original vulnerabilities being discovered and closed.
The previous mitigations to block specific kernel modules related to CopyFail are not sufficient to block the new vulnerabilities. At the time of writing there are no available patches from the distributions; however, the vulnerable kernel modules can be temporarily disabled.
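Because both bugs alter only the cached copy of a file, a defender can compare what the page cache serves with what is actually on disk. The following is an added example, not code from the article or from either vulnerability write-up: it hashes each setuid/setgid binary twice, once through the page cache and once with O_DIRECT (which bypasses the cache), and flags any mismatch. The search directories and the 1 MiB chunk size are assumptions; O_DIRECT is not supported on every filesystem (tmpfs, for one), and the check reports None rather than a verdict in that case.

```python
import hashlib
import mmap
import os
import stat

CHUNK = 1 << 20  # 1 MiB: a multiple of any logical block size, so O_DIRECT offsets stay aligned


def sha256_of_file(path, direct):
    """Hash a file through the page cache (direct=False) or straight from disk
    with O_DIRECT (direct=True), which skips the cache the exploits tamper with."""
    flags = os.O_RDONLY | (os.O_DIRECT if direct else 0)
    fd = os.open(path, flags)
    try:
        size = os.fstat(fd).st_size
        digest = hashlib.sha256()
        # O_DIRECT needs a page-aligned buffer and aligned offsets; an anonymous
        # mmap is page-aligned and every offset used here is a multiple of CHUNK.
        with mmap.mmap(-1, CHUNK) as buf:
            offset = 0
            while offset < size:
                n = os.preadv(fd, [buf], offset)
                if n == 0:
                    break
                digest.update(buf[:n])
                offset += n
        return digest.hexdigest()
    finally:
        os.close(fd)


def cache_matches_disk(path):
    """True if cache and disk agree, False if they differ (the signature of a
    page-cache overwrite), None if O_DIRECT is unavailable on this filesystem."""
    if not hasattr(os, "O_DIRECT"):
        return None
    try:
        on_disk = sha256_of_file(path, direct=True)
    except OSError:  # EINVAL on tmpfs and other filesystems without direct I/O
        return None
    return on_disk == sha256_of_file(path, direct=False)


def find_setuid_binaries(dirs=("/usr/bin", "/usr/sbin", "/bin", "/sbin")):
    """List setuid/setgid executables, the targets the text describes (e.g. su)."""
    found = set()
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            p = os.path.join(d, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.add(os.path.realpath(p))  # dedupe /bin -> /usr/bin merges
    return sorted(found)


if __name__ == "__main__":
    for p in find_setuid_binaries():
        print(cache_matches_disk(p), p)
```

A False result for a binary such as su is worth treating as an incident, since the on-disk file (and therefore package verification tools that read it) will look clean.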
CopyFail added to KEV
CISA (the United States cyber security agency) has added CopyFail to the KEV, or Known Exploited Vulnerabilities list. Vulnerabilities on the KEV have been observed under active exploitation, which in the case of CopyFail is hardly a surprise.
The KEV is designed as a tool to allow security teams in government and commercial industry to prioritize the highest risk vulnerabilities – or at least give another source of data to point at when you say “we really need to patch this now”.
Prolonged Ubuntu DDoS
On the heels of the CopyFail vulnerability impacting almost all distributions, Ubuntu has had to face a prolonged distributed denial-of-service (DDoS) attack against its main infrastructure. Ars Technica reported at the beginning of the attack, and after several days, services appear to be restored. In the meantime, core services such as package updates, core repositories, and even the Ubuntu and Canonical websites were largely unreachable.
An Iraqi group claims responsibility for the attack, but it is unclear if they were the actual perpetrators – or why. The timing with the CopyFail vulnerability seems like an opportune moment to cause chaos by taking the update mechanisms of a major distribution offline, but in the era of modern Internet behavior, it could also just have been a Tuesday.
Anti-DDoS Company Does DDoS
Meanwhile, Brian Krebs reports on the Brazilian ISP Huge Networks, a denial of service mitigation company for Brazilian ISPs, which has been implicated as the originator of (wait for it) large denial of service attacks, originating from Brazil and targeting Brazilian ISPs.
A leaked file share disclosed the SSH keys of the CEO of Huge Networks, as well as a set of Python scripts for compromising unpatched TP-Link Archer home routers to recruit them into a denial of service botnet. Using a DNS amplification attack, where small spoofed DNS queries return results 60 or 70 times as large as the original request, smaller ISPs in Brazil were hit with enormous traffic loads.
The CEO of Huge lays the blame on a compromised DigitalOcean virtual server, which may have led to the theft of the SSH keys used in controlling the attacks, and accuses a competitor of attempting to tarnish Huge’s reputation.
Instructure (the Company) Ransomed
The educational software mega-company Instructure has been breached by ShinyHunters, a theft and extortion group behind many recent high-profile attacks against casinos, hotels, and government agencies. ShinyHunters has also been linked to the hack of Jaguar Land Rover in 2025 which caused billions in damages.
The stolen information includes identifiable data about students including emails, student ID numbers, and messages between users of the Canvas educational management and learning system. The attackers claim that they have the data of 9000 schools and 275 million students, teachers, and staff.
While writing this, ShinyHunters upped the ante, replacing many schools’ Canvas portals with a ransom demand and prompting Instructure to apparently shut down many more. Considering this is during finals period for many schools, the disruption is likely to impact many school schedules – probably not a coincidence.
Student Hacks Train Radios, Finds Out
TETRA is a European digital trunking radio standard used by law enforcement, transportation and critical infrastructure, and military agencies for communications, roughly similar to the P25 system used by law enforcement and emergency services in the United States. TETRA can be used for both voice and data communications.
Multiple attacks against the TETRA encryption and management systems were demonstrated at BlackHat USA 2025, allowing for traffic and voice decryption and injection of messages. This does not mean that one should be playing around with these attacks in the wild.
The RTL-SDR Blog reports that a student has been arrested for interfering with the TETRA network used by the Taiwan High Speed Rail Corporation.
The student is accused not only of joining voice conversations, but of triggering multiple high-priority alerts which switched trains to emergency manual braking.
Remember: Research and learning, good. Triggering train emergencies, bad.
cPanel Vuln Around for 64 Days
There is evidence that the cPanel vulnerability covered last week has been under active exploitation for a significant amount of time, with the company KnownHost reporting evidence of exploitation of the bug going back over two months, to February 2026.
That nobody noticed the ongoing attacks implies a relatively patient campaign to gain access to cPanel systems, instead of a slash-and-burn style attack to install crypto miners and get out. With approximately 1.5 million cPanel instances exposed to the Internet in that time window, there may well be a long tail on this vulnerability. Simply patching the exposure does not evict an attacker who was able to gain access to the system and create persistent methods to log in again.
Edge Passwords in the Clear
The SANS Technology Institute Internet Storm Center reports a curious vulnerability in Microsoft Edge: When using the Edge browser password manager — the default “Would you like to save this password?” behavior of the browser — the entire password database is decrypted and stored in RAM, even for passwords that have not been used this session!
This leaves the entire stored password vault in Edge exposed to any process able to trigger a memory dump, or otherwise access the browser RAM. (You can verify this yourself by using the “dump memory to file” dropdown menu item and searching the resulting file for a password of your choice.) This exposure is a significant risk and vector for password stealing, since a common trick of infostealer malware is to extract passwords and tokens from running processes.
Microsoft Edge is based on the Chromium code base – the same code that makes up Google Chrome, the Vivaldi browser, Brave, Opera, and of course Chromium itself – but is the only variant showing this behavior. Edge probably isn’t anyone’s favorite browser of choice, but being the default carries a lot of weight for casual users – or corporate users not given a choice.
DaemonTools Backdoored
The DaemonTools app for mounting disk images has been backdoored with a targeted malware payload for at least a month, reports Ars Technica. DaemonTools is used for creating, mounting, and editing disk images of systems, and can emulate multiple types of drive hardware.
The infected version has been pushed from the official update channels and is signed with the same certificates, making detection for the average user nearly impossible. The malicious version performs reconnaissance on the infected system, collecting network information, nearby devices, installed software, and running processes, but does little else until additional payloads are downloaded. Kaspersky Labs reports that of thousands of systems known to be infected, only 12 received a second-stage payload of a backdoor tool to allow future access, and only a single system was seen to receive a full remote-access toolkit.
Kaspersky notes that the majority of impacted systems are located in Russia, China, and Europe, and all of the systems targeted with the more advanced payload were in government, science, or manufacturing environments. Deploying the advanced payload to only a small number of specifically targeted systems implies a coordinated plan behind the attack, which Ars is already comparing to recent high-profile attacks against CCleaner and SolarWinds, where utilities were compromised worldwide, but the attack payloads were only deployed against specific high-value targets.
Oracle Switching to Monthly Updates
Oracle is accelerating to a monthly update schedule for security issues. Previously, updates were released on a quarterly schedule, but citing the increased pace of security research and vulnerability discovery, security updates are being broken out from normal product updates.
While most of us will be lucky in life and avoid having to maintain such software, chances are very high that everyone reading here will interact with a company backed by an Oracle product this week.
This article is written by: Nermeen Nabil Khear Abdelmalak
