In partnership with

|
Fact
|
The "Bad Epoll" Linux kernel vulnerability disclosed in July 2026 sat undetected in mainline Linux for close to three years, silently giving any unprivileged user a path to root on servers and Android devices alike (The Hacker News, July 2026).
|
|
|
This week is a reminder that the boring stuff, kernels, MFA policies, login flows, is where the real damage lives. A kernel bug hid in plain sight for three years, 81 million password-spray attempts found the gaps in "we have MFA," and an AI-assisted malware kit spent real engineering effort just learning to hide from your antivirus.
PS: Was this forwarded to you? Subscribe free at exzeccyber.com/subscribe →
|
|
Kernel Vulnerability
🐛 The Linux Kernel Bug That Waited Three Years to Hand Out Root Access
Intro
Somewhere in the Linux kernel, a race condition sat quietly since 2023, waiting for someone to notice it could hand any local user complete control of the machine.
What Happened
Researchers disclosed "Bad Epoll" (CVE-2026-46242) on July 3, a use-after-free bug in the kernel's epoll event-handling code. Two parts of the kernel try to clean up the same object at once, one frees the memory while the other keeps writing to it, and an ordinary, unprivileged user can ride that race straight to root. It hits Linux servers, desktops, and Android devices alike. A fix is out, but proof-of-concept exploit code is already public.
Why It Matters
This is not a niche server flaw. It's a bug in the piece of the kernel that handles basic I/O event notifications, meaning it touches nearly everything running Linux or Android, and it went undetected for close to three years.
The Other Side
Exploiting it isn't trivial. Researchers describe it as a genuine race condition, timing-sensitive and not "click and own," and there's no confirmed evidence of in-the-wild exploitation yet. The public PoC changes that math fast.
| |
👉 Takeaway
Patch your Linux servers and check for Android security updates now. "Not yet exploited" and "not exploitable" are different claims, and only one of them is true here.
|
TL;DR: A three-year-old Linux kernel race condition (CVE-2026-46242) lets any local user become root, on servers and Android alike.
|
| |
Accountability
The FTC hit Amazon with a $2.25 million penalty for blocking identity theft victims from getting records of fraudulent transactions made in their names, a right guaranteed under federal law. Some customers were told "privacy" or "security" reasons prevented Amazon from handing over the records. Others waited past the legally required 30-day window. Even law enforcement agents requesting records on victims' behalf got turned away.
→ If you've been a fraud victim and a company you use stonewalls your records request, you have a legal right to push back, and now a $2.25 million reason to believe it.
|
| |
Ransomware
CISA confirmed ransomware gangs are now exploiting "BlueHammer," a Microsoft Defender privilege escalation flaw a researcher leaked in April specifically to protest how Microsoft handles vulnerability disclosure. It hands attackers who already have basic access a path straight to SYSTEM privileges. Microsoft patched it in April, but plenty of machines haven't caught up.
→ If your patch cadence lags Patch Tuesday by more than a month, BlueHammer is exactly the kind of flaw that turns "we'll get to it" into an incident report.
|
| |
Cybercrime
Polish police, working with the FBI and Homeland Security Investigations, arrested four members of a group accused of breaching telecom partners and hijacking employee email accounts to pull off SIM-swapping attacks, then draining victims' cryptocurrency exchange accounts. Investigators estimate tens of millions of Polish złoty in laundered proceeds, at least $5 million.
→ SIM-swapping still works because phone numbers are treated as identity proof. If your crypto or financial accounts rely on SMS for recovery, that's the door these guys walked through.
|
|
Granola Runs Revenue On Attio
"When I think of revenue, I think of Attio." - Shreman Shrestha, Head of Business at Granola
Here's what that adds up to:
Zero missed leads and 10x faster access to customer context
Five hours saved per week with automated updates
| |
AI Malware
Researchers uncovered "Avalon," a modular malware framework distributed through a multi-stage phishing chain: a fake legal document, a password-protected archive, an ISO image hiding a Windows shortcut, all built to slip past email security. Once running, it disables forensic logging and specifically evades Microsoft Defender, SentinelOne, CrowdStrike, Sophos, and five other named security products, and it packs a ransomware module called CrownX. Researchers say the code shows signs of AI-assisted development.
→ The evasion list reads like a shopping list of what your security stack probably runs. AI is lowering the skill floor for building malware that specifically targets your defenses by name.
|
| |
AI Security
Security researchers demonstrated how Claude Desktop's connections to local tools and files can be manipulated into acting against the user, effectively turning a helpful AI assistant into an attacker's agent inside the machine it's supposed to protect. The research is a proof of concept, not an active campaign, but it's a preview of what agentic AI security testing looks like going forward.
→ If your organization is rolling out desktop AI agents with file or tool access, agentic AI needs the same adversarial testing you'd give any new privileged software, not a one-time vendor questionnaire.
|
|
| |
Nation-State
The State Department is offering up to $10 million for information on UNC5792 and UNC4221, the Russian FSB and military-linked hacking groups we flagged two weeks ago for tricking targets into handing over Signal backup recovery keys. Typical targets: US and NATO government, military, and diplomatic officials, plus journalists and researchers covering Russia and Ukraine.
→ The tactic hasn't changed since we covered it: real Signal support never asks for your recovery key. The bounty just confirms how seriously Washington is taking it.
|
| |
Credential Attack
A password-spraying campaign generated more than 81 million login attempts against Microsoft 365 accounts over two weeks, exploiting a legacy authentication flow (ROPC) that skips MFA entirely. Huntress confirmed 78 compromised accounts across 64 organizations, most of which had MFA enabled, just not configured to cover this specific login path.
→ Having MFA "on" isn't the same as having it enforced everywhere. Check whether your Conditional Access policies actually cover every authentication flow, not just the ones you use daily.
|
|
| |
Practical play
Scammers are planting fake purchase receipts, impersonating brands like Norton, McAfee, and PayPal, directly inside Shop, Shopify's order-tracking app used by tens of millions of people. Each fake receipt lists a phone number to "dispute" the charge, which connects to a scammer posing as support, who then talks victims into handing over credentials, card details, or remote access to their device. The fake receipts often have poor grammar, the one reliable tell. If you see a purchase you don't recognize in any order-tracking or shopping app, do not call the number on the receipt. Look up the company's real support line independently, or check your bank statement directly.
→ Anyone who calls you back and asks for a one-time code or remote access to your computer is not support. Verify independently, every time.
|
|
37 Free Claude Prompts With The AI Report
Subscribe to The AI Report, the free 5-minute daily AI brief for 400,000+ business leaders, and you’ll get 37 Claude prompts free in your welcome email. They’re organised by the 8 situations every manager faces. You get both: the newsletter and the prompts.
Strange but real
💾 The Hacker Turned Out to Be a Windows Error Message From the 1980s
Intro
A user was convinced a hacker had broken into his PC. The hacker's name was "General Failure," and he'd technically been there since MS-DOS.
What Happened
The panic started with a classic disk error message, "General failure reading drive C," a line of text DOS and early Windows have been printing since the 1980s whenever a disk operation fails. Decades removed from that era, the phrasing read less like a system message and more like a hacker's calling card, and the user reported being convinced someone named General Failure had compromised the machine.
Why It Matters
Old, cryptic error text doesn't age well once the average user has never seen a command prompt. Confusing system messages don't just annoy people, they actively mislead them about what's happening on their own machine, sometimes toward the wrong conclusion entirely.
The Other Side
No actual compromise occurred here, which is the whole joke. It's a reminder that not every scary-looking message is a security incident, and that decades-old error strings are still floating around in modern systems, completely unchanged.
| |
👉 Takeaway
Before you assume you've been hacked, search the exact error message. There's a decent chance it's older than the concept of hacking as pop culture knows it.
|
TL;DR: A DOS-era disk error message, "General failure reading drive C," convinced a modern user he had a hacker named General Failure inside his PC.
|
Claude vs Gemini. OpenAI vs Anthropic. Which lab ships next? Real money on all of it. Kalshi is the CFTC-regulated prediction market for tech readers. Trade what you know.