AnonymousMedia.org


    CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV


    Ravie Lakshmanan, May 03, 2026, Vulnerability / Container Security

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

    The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The nine-year-old flaw is also tracked as Copy Fail by Theori and Xint. Fixes have been made available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.

    “Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation,” CISA said in an advisory.


    In a write-up published earlier this week, the researchers said Copy Fail is the result of a logic bug in the Linux kernel’s authentication cryptographic template that allows an attacker to trigger privilege escalation reliably and trivially by means of a 732-byte Python-based exploit. It was introduced through three separate, individually harmless changes to the Linux kernel made in 2011, 2015, and 2017.

    The high-severity security vulnerability impacts Linux distributions shipped since 2017, and permits an unprivileged local user to obtain root-level access by corrupting the kernel’s in-memory page cache of any readable file, including setuid binaries. This corruption could be carried out by unprivileged users and could result in code execution with root permissions.

    “Because the page cache represents the in-memory version of executables, modifying it effectively alters binaries at execution time without touching disk,” Google-owned Wiz said. “This enables attackers to inject code into privileged binaries (e.g., /usr/bin/su) and thereby gain root privileges.”

    The prevalence of Linux in cloud environments means the vulnerability has a significant impact. Kaspersky, in its analysis of the flaw, said Copy Fail poses a serious risk to containerized environments, as Docker, LXC, and Kubernetes “grant processes inside a container access to the AF_ALG subsystem if the algif_aead module is loaded into the host kernel” by default.

    “Copy Fail poses a risk of breaching container isolation and gaining control over the physical machine,” the Russian security vendor said. “At the same time, exploitation does not require the use of complex techniques, such as race conditions or memory address guessing, which lowers the entry barrier for a potential attacker.”

    “Detecting the attack is difficult because the exploit uses only legitimate system calls, which are hard to distinguish from normal application behavior.”

    Adding to the urgency is the availability of a fully working exploit proof-of-concept (PoC), with Kaspersky stating Go and Rust versions of the original Python implementation have already been detected in open-source repositories. 

    CISA did not share any details about how the vulnerability is being exploited in the wild. However, the Microsoft Defender Security Research Team said it’s “seeing preliminary testing activity that might result most likely in increased threat actor exploitation over the next few days.”

    “The attack vector is local (AV:L) and requires low privileges with no user interaction, meaning any unprivileged user on a vulnerable system can attempt exploitation,” it added. “Critically, this vulnerability is not remotely exploitable in isolation, but becomes highly impactful when chained with an initial access vector such as Secure Shell (SSH) access, malicious CI job execution, or container footholds.”


    The tech giant has also detailed one possible route attackers could take to exploit the vulnerability:

    • Conduct reconnaissance to identify a Linux host or container running a kernel version susceptible to Copy Fail.
    • Prepare a small Python trigger for use against the endpoint.
    • Execute the exploit from a low-privilege context, either as a regular Linux user on a host or a compromised container process with no special capabilities.
    • The exploit performs a controlled 4‑byte overwrite in the kernel page cache, leading to corruption of sensitive kernel‑managed data.
    • The attacker escalates their process to UID 0 and obtains full root privileges.

    Federal Civilian Executive Branch (FCEB) agencies have been advised to apply the fixes by May 15, 2026, as updates have been pushed by impacted Linux distributions. If patching is not an immediate option, organizations are advised to disable the affected feature, implement network isolation, and apply access controls.
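    A defender-side triage check built only on the two facts the article gives (the upstream fix versions 6.18.22 / 6.19.12 / 7.0 and the algif_aead module Kaspersky points to), as an added shell example that is not code from the article or from the vendors it quotes. It assumes `uname -r` begins with an upstream-style version and it cannot see distribution backports, so a "below fix" result means "confirm against your distro advisory", not "confirmed vulnerable".

```sh
#!/bin/sh
# Added example (not from the article): Copy Fail / CVE-2026-31431 triage.
# Two checks a defender wants on a fleet: is the kernel at or above an
# upstream fix version, and is the algif_aead module (the AF_ALG piece the
# Kaspersky analysis mentions) currently loaded?

# Print "major minor patch" for a version string such as "6.18.22-generic".
# Anything after the first non-numeric, non-dot character is dropped, and
# ".0.0" is appended so that short versions like "7" still yield three fields.
ver_parts() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    v="$v.0.0"
    maj=$(printf '%s' "$v" | cut -d. -f1)
    min=$(printf '%s' "$v" | cut -d. -f2)
    pat=$(printf '%s' "$v" | cut -d. -f3)
    printf '%d %d %d\n' "${maj:-0}" "${min:-0}" "${pat:-0}"
}

# Return 0 (true) when kernel version $1 is at or above the listed fix for
# its series: 6.18.x needs >= 6.18.22, 6.19.x needs >= 6.19.12, 7.x is fixed.
# Any other series (older, or one the article does not list) is treated as
# unfixed, which is the conservative choice for a triage script.
copyfail_fixed() {
    set -- $(ver_parts "$1")
    maj=$1; min=$2; pat=$3
    if [ "$maj" -ge 7 ]; then return 0; fi
    if [ "$maj" -eq 6 ] && [ "$min" -eq 19 ] && [ "$pat" -ge 12 ]; then return 0; fi
    if [ "$maj" -eq 6 ] && [ "$min" -eq 18 ] && [ "$pat" -ge 22 ]; then return 0; fi
    return 1
}

# Return 0 when algif_aead is loaded as a module. /proc/modules is visible
# from inside most containers, so this also reflects the host kernel state.
# Caveat: a kernel with algif_aead built in (not modular) will not show here.
algif_aead_loaded() {
    grep -q '^algif_aead ' /proc/modules 2>/dev/null
}

# Human-readable summary for the running kernel.
copyfail_report() {
    k=$(uname -r)
    if copyfail_fixed "$k"; then
        echo "kernel $k: at or above an upstream fix version for CVE-2026-31431"
    else
        echo "kernel $k: below the upstream fix versions (6.18.22 / 6.19.12 / 7.0); confirm backport status with your distribution"
    fi
    if algif_aead_loaded; then
        echo "algif_aead: loaded (AF_ALG AEAD interface reachable by local processes)"
    else
        echo "algif_aead: not loaded as a module (or built in; check /proc/crypto)"
    fi
}

# Run the report only when executed directly, so the functions can be sourced.
case "$0" in *copyfail*) copyfail_report ;; esac
```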


    05/03/2026

    Top Five Sales Challenges Costing MSPs Cybersecurity Revenue



    The managed security services market is projected to grow from $38.31 billion in 2025 to $69.16 billion by 2030[1], with cybersecurity being the fastest-growing sector[2]. Despite this opportunity, many MSPs leave revenue on the table because their go-to-market strategy fails to connect technical expertise with business needs.

    This execution gap is where most deals stall. MSPs often focus on frameworks and vulnerabilities, but their clients make decisions based on business outcomes: risk reduction, successful compliance audits, and business continuity. When sales messaging fails to bridge this divide, prospects tend to view cybersecurity as a cost center instead of a strategic investment. To win, MSPs must align security value with business priorities and translate complex offerings into compelling reasons for clients and prospects to act.

    Cynomi developed the GTM Academy Sales Kit to address this challenge and provide a structured, outcome-driven approach to help MSP sales teams convert rising demand into consistent, profitable revenue.

    Through our work empowering partner growth, we have identified five core go-to-market challenges holding MSPs back and the strategies required to overcome them.

    1. Overcoming a Lack of Client Urgency

    Data shows that 77% of MSPs cite a lack of client urgency as a major sales challenge[3]. Technical teams understand a prospect’s security weaknesses, but they struggle to translate that risk into the business terms that drive investment. When that translation fails, cybersecurity becomes a line item to defer rather than a strategic priority. Sellers must learn to frame security program management in terms of operational continuity, regulatory consequences, and reputational liability to create immediate urgency.

    2. Navigating Expanded Buying Committees

    Buying decisions don’t happen in a vacuum. Buying committees for cybersecurity have expanded to an average of over eight stakeholders, with projections exceeding nine stakeholders by 2026[4]. You are dealing with executives, finance, IT, and operations. These individuals have different concerns, motivations, and definitions of value. The discovery questions that move a CEO are not the same ones that move a CTO. MSPs must develop tailored discovery frameworks for different business stakeholders to keep complex deals moving forward.

    3. Defeating the Cost Objection

    Cost sensitivity remains a stubborn barrier, with 66% of SMBs identifying cost as their top obstacle to adopting stronger security[5]. Prospects often view security as a sunk cost rather than a business enabler. Overcoming this requires an objective scoring framework and clear objection handling that addresses the underlying beliefs driving the hesitation, rather than simply restating the technical pitch.

    4. Leveraging Compliance as a Catalyst

    Over 56% of new managed security agreements are initiated to meet compliance requirements[6]. Deadlines surrounding cyber insurance renewals, industry mandates, and state-level privacy laws create a hard timeline that organic sales conversations rarely generate. Providers must position compliance readiness as a potential entry point, but only as one outcome of broader security program management.

    5. Expanding Revenue in Existing Accounts

    For established MSPs, existing clients represent the fastest path to partner growth and revenue enablement. However, focusing only on new client acquisition leaves substantial revenue untapped within your current base. Expanding accounts needs a deliberate, data-driven strategy.

    To expand revenue from existing clients, MSPs should use visual, CISO Intelligence dashboards to proactively review security postures and identify gaps. This analysis drives tailored upsell campaigns and justifies new investments during strategic business reviews. Benchmarking clients against industry peers creates urgency, while consistent education on the business impact of security reinforces its value.

    By turning account management into an ongoing advisory relationship and consistently surfacing new value, MSPs can deepen trust, drive margin improvement, and unlock recurring revenue opportunities year over year.

    Turning GTM Challenges into Opportunities: Practical Strategies

    Overcoming these sales barriers requires a disciplined, systematic approach anchored in actionable processes and strategic alignment.

    • Align sales and technical messaging: Work collaboratively with technical experts to translate security findings into business outcomes. Use client-friendly language to communicate risk, operational impact, and business value rather than technical jargon.
    • Map the stakeholder landscape early: Identify all decision-makers and influencers at the outset, including executive, finance, IT, and operational leads. Develop messaging and presentations targeted to each persona’s priorities, and build consensus through regular, transparent communication.
    • Quantify outcomes and ROI: Present security investments in terms of measurable impact, such as reduction in incident response time, decreased compliance risk, or improved operational uptime. Providing decision-makers with concrete data driven by business impact assessments supports faster, higher-confidence purchasing decisions.
    • Automate for consistency and scale: Leverage sales kits, playbooks, and CRM technology to standardize outreach, discovery, and proposal development. Consistent processes and a central repository for discovery answers ensure smooth handoffs from prospect to client, even with multiple stakeholders involved.
    • Measure, optimize, and adapt: Track sales performance against leading indicators such as conversion rates, deal cycle length, and upsell frequency. Analyze your pipeline consistently to identify bottlenecks and refine your sales strategy.

    Operator-Led Resources for Security Program Management

    To support service providers in achieving predictable growth, Cynomi established the GTM Academy.

    Designed as a practical enablement program for MSPs and MSSPs, the GTM Academy features resources developed by practitioners who are actively running and scaling security practices. The first release is the Complete Sales Kit, which includes dozens of resources covering every stage of the sales lifecycle, from initial prospecting through close and expansion.

    The kit provides actionable tools to solve the toughest sales challenges, including:

    • Actionable videos from MSP operators and GTM practitioners
    • Ideal client profile (ICP) strategic frameworks to target buyers effectively
    • Positioning scripts and email templates to drive engagement
    • Discovery frameworks tailored for technical and business stakeholders
    • Cheat sheets and scoring worksheets for building a predictable pipeline
    • Upselling and cross-selling playbooks to expand existing accounts

    As a Security Growth Platform that unifies security program management, risk management, and GRC capabilities to help partners scale, Cynomi understands that the sales motion and service delivery must reinforce each other to protect every client, at every maturity level. The Complete Sales Kit provides the foundation for building that motion, empowering your team to deliver expert guidance with confidence and consistency.

    Building a Sustainable Sales Advantage

    To move from reactive selling to predictable success, MSPs need a scalable system that evolves with the market. Invest in continuous education by hosting internal workshops, reviewing wins and losses, and connecting sales metrics to business goals like margin improvement and client retention.

    A culture of continuous learning, built on insights from top performers and peer mentoring, prepares your team to address new threats and regulations with authority. By embedding these best practices, MSPs can become trusted security advisors, reduce friction, accelerate revenue, and maximize client value.

    Download the GTM Academy Complete Sales Kit today and transform your sales motion.

    Sources

    1. Fortune Business Insights, 2024, “Cyber Security Managed Services Market Size, Share & Industry Analysis.”
    2. Channel Futures, 2024, “Cybersecurity Dominates the 2024 MSP 501.”
    3. Infrascale, 2025, “MSPs Selling More Cybersecurity: Statistics and Trends in the U.S.”
    4. Gartner, 2024, “Market Trends: Security Buying Committees and Stakeholder Expansion.”
    5. CrowdStrike, 2025, “SMB Cybersecurity Study.”
    6. Cynomi internal data, 2024, “Managed Security Agreements and Compliance Initiation Trends.”
    This article is a contributed piece from one of our valued partners.

    05/02/2026

    China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists


    Cybersecurity researchers have disclosed details of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, along with one European government belonging to NATO.

    Trend Micro has attributed the activity to a threat activity cluster it tracks under the temporary designation SHADOW-EARTH-053. The adversarial collective is assessed to have been active since at least December 2024, and shares some level of network overlap with CL-STA-0049, Earth Alux, and REF7707.

    “The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and Internet Information Services (IIS) servers (e.g., ProxyLogon chain), then deploys web shells (Godzilla) for persistent access and stages ShadowPad implants via DLL sideloading of legitimate signed executables,” security researchers Daniel Lunghi and Lucas Silva said in an analysis.

    Targets of the campaigns include Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan. The lone European country that features in the threat actor’s victimology footprint is Poland.

    The cybersecurity vendor said it observed nearly half the SHADOW-EARTH-053 targets, particularly those in Malaysia, Sri Lanka, and Myanmar, also compromised earlier by a related intrusion set dubbed SHADOW-EARTH-054, although no evidence of direct operational coordination has been observed.


    The starting point of the attacks is the exploitation of known security flaws to breach unpatched systems and drop web shells like Godzilla to facilitate persistent remote access. The web shells function as a delivery vehicle for command execution, enabling reconnaissance and ultimately resulting in the deployment of the ShadowPad backdoor via AnyDesk. The malware is launched using DLL side-loading.

    In at least one case, the weaponization of React2Shell (CVE-2025-55182) is said to have facilitated the distribution of a Linux version of Noodle RAT (aka ANGRYREBEL and Nood RAT). It’s worth mentioning here that the Google Threat Intelligence Group (GTIG) linked this attack chain to a group known as UNC6595.

    Also put to use are open-source tunneling tools like IOX, GO Simple Tunnel (GOST), and Wstunnel, as well as RingQ to pack malicious binaries and evade detection. To facilitate privilege escalation, SHADOW-EARTH-053 has been found to use Mimikatz, while lateral movement is accomplished using a custom remote desktop protocol (RDP) launcher and a C# implementation of SMBExec known as Sharp-SMBExec.

    “The primary entry vector used in this campaign was vulnerabilities in internet-facing IIS applications,” Trend Micro said. “Organizations should prioritize applying the latest security updates and cumulative patches to Microsoft Exchange and any web applications hosted on IIS.”

    “In scenarios where immediate patching is not feasible, we strongly recommend deploying Intrusion Prevention Systems (IPS) or Web Application Firewalls (WAF) with rulesets specifically tuned to block exploit attempts against these known CVEs (Virtual Patching).”

    GLITTER CARP and SEQUIN CARP Go After Activists and Journalists

    The disclosure comes as the Citizen Lab flagged a new phishing campaign undertaken by two distinct China-affiliated threat actors targeting and impersonating journalists and civil society, including Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists. The wide-ranging campaigns were first detected in April and June 2025, respectively.

    The clusters have been codenamed GLITTER CARP, which has singled out the International Consortium of Investigative Journalists (ICIJ), and SEQUIN CARP, whose main target was ICIJ journalist Scilla Alecci and other international journalists writing about topics of critical interest to the Chinese government.

    “The actor employs well-thought-out digital impersonation schemes in phishing emails, including impersonation of known individuals and tech company security alerts,” the Citizen Lab said. “Although the targeted groups vary, this activity employs the same infrastructure and tactics across all cases, frequently reusing the same domains and same impersonated individuals across multiple targets.”

    GLITTER CARP, besides conducting broad-scale phishing attacks, has been tied to phishing campaigns targeting the Taiwanese semiconductor industry. Some aspects of these efforts were previously documented by Proofpoint in July 2025 under the name UNK_SparkyCarp. SEQUIN CARP (aka UNK_DualTone), on the other hand, shares similarities with a group tracked by Volexity as UTA0388 and an intrusion set detailed by Trend Micro as TAOTH.


    The end goal of the campaigns is to obtain initial access to email-based accounts via credential harvesting, phishing pages, or by socially engineering the target into granting access to a third-party OAuth token. GLITTER CARP’s phishing emails also involve the use of 1×1 tracking pixels that point to a URL on the attacker’s domain to gather device information and confirm if they were opened by the recipients.

    The Citizen Lab said it “observed concurrent targeting of specific organizations using both the AiTM phishing kit (GLITTER CARP, UNK_SparkyCarp) and the delivery of HealthKick using different phishing tactics by a separate group (UNK_DropPitch).” This indicates some level of overlap between these groups, it added, although the precise nature of the relationship remains unknown.

    “Our analysis of the GLITTER CARP and SEQUIN CARP attacks shows that digital transnational repression increasingly operates through a distributed network of actors,” the research unit said. “The targets we identified in both GLITTER CARP and SEQUIN CARP align with the intelligence priorities of the Chinese government.”

    “The breadth of targeting documented in this report and by others, combined with the available information on China’s past and current use of contractors which mirrors the activity we have observed, suggests with a medium level of confidence that commercial entities hired by the Chinese state may have been behind both clusters of activity described here.”

    When reached for comment, Mark Kelly, staff threat researcher at Proofpoint, told The Hacker News via email that both UNK_SparkyCarp and UNK_DualTone have carried out identity-focused phishing activity against a range of targets, characterizing the targeting of civil society members as likely a “longstanding feature of these groups’ targeting” rather than a recent shift.

    “We have observed UNK_SparkyCarp (GLITTER CARP) conducting credential phishing activity against academic, political, semiconductor, and legal sector targets in the United States, Europe, and Taiwan,” Kelly added. “We have not observed the group targeting civil society specifically.”

    “However, this is very likely a result of our visibility, and we concur with the attribution within Citizen Lab’s reporting. We understand the group has been heavily active in targeting civil society groups of interest to the Chinese government for some time, which is further supported by domains spoofing perceived opposition groups, such as Falun Gong, that date back several years.”

    Proofpoint also noted that it has detected UNK_DualTone targeting multiple U.S.-based journalists in May 2025, and that the activity closely aligns with a campaign using lures related to protests planned on the occasion of the U.S. Army 250th Anniversary Parade.

    (The story was updated after publication on May 2, 2026, with additional insights from Proofpoint.)


    05/02/2026