Weekly Threat Roundup: Managing the Chaos of Linux Flaws, PAN-OS, and AI Phishing
Hey everyone,
If this week feels like cron.daily decided to run every minute with anger issues, you're not alone. Between the new Linux auth flaw popping up, the active exploitation of PAN-OS (CVE-2026-0257), and the surge in AI-driven OAuth phishing, it's been a grind for the SOC.
I wanted to open a thread on the Weekly Recap highlights to see how everyone is prioritizing the triage list.
The PAN-OS Situation
We've seen the deep dives on CVE-2026-0257, but are people actually seeing active exploitation attempts in the wild? We've started hunting for suspicious GlobalProtect activity that might indicate the auth bypass. Here is a basic KQL query I'm running in Sentinel to filter for anomalies:
DeviceEvent
| where DeviceVendor == "Palo Alto Networks"
| where Application == "globalprotect"
| where Activity contains "authentication" or Activity contains "login"
| project TimeGenerated, SourceIP, DestinationIP, Activity, Message
| where Activity !contains "success"
| sort by TimeGenerated desc
Linux & Supply Chain Risks
The recap mentions a "busted auth path" and repo-side issues. With the recent supply chain noise (like the npm packages targeting Claude directories), I'm double-checking our build pipelines. It feels like every curl | sh is a suspect right now.
AI Phishing (OAuth)
The lowering of the bar for phishing via AI is concerning. It's no longer just broken English; it's context-aware social engineering abusing OAuth tokens.
How are you all handling the patch prioritization this week? Is the Linux flaw taking precedence over the PAN-OS firewall fixes, or are you focusing on the AI phishing threat first?
We're treating CVE-2026-0257 as critical since it's an internet-facing edge device. The Linux flaw is worrying, but unless it's a local priv-esc that chains with something else, the PAN-OS issue is louder right now.
On the AI phishing front, we caught one trying to mimic a Microsoft SSO page that was almost perfect. The only tell was a slightly off-color pixel in the footer. We updated our email gateways to sandbox any links pointing to 'login' pages, but the volume is increasing.
Great query, thanks for sharing. I modified it slightly to look for failed SSL VPN negotiations which often precede these bypass attempts in our logs.
Regarding the 'repo-side faceplant' mentioned in the news: if you're running internal PyPI or npm mirrors, make sure you audit your user permissions. We found a dev account with admin rights that shouldn't have had them during our panic-audit on Monday.
From a MSP perspective, this week is a nightmare. We have clients on older PAN-OS versions that are going to be painful to upgrade without downtime.
For the Linux side, we're just pushing kernel updates aggressively. The 'busted auth path' rhetoric makes me nervous about potential sudo vulnerabilities. Has anyone seen specific IoCs for the Linux flaw yet, or is it still mostly theoretical disclosure?
Regarding the Linux auth flaw, before you reboot for kernel updates, check your auth logs for rapid-fire failures. We've noticed that exploitation attempts often trigger a unique cadence of failed sessions that standard anomaly detection misses.
You can hunt for these bursts in recent logs with:
grep "Failed password" /var/log/auth.log | awk '{print $1,$2,$3}' | uniq -c | sort -nr | head
Building on Sam's observation regarding the Linux auth flaw, visualizing the cadence of failures is crucial for distinguishing automated noise from active exploitation. I usually pipe the auth logs to uniq to spot the exact timestamp clusters:
grep "authentication failure" /var/log/auth.log | awk '{print $1, $2, $3}' | uniq -c | sort -rn | head
This effectively highlights the burst patterns, making it easier to correlate with the specific kernel versions currently being targeted in the wild.
While the infrastructure flaws are loud, don't sleep on the AI phishing mentioned in the intro. We've seen OAuth token theft attempts where the browser process spawns a shell. I'm hunting for chrome.exe or msedge.exe spawning powershell.exe or cmd.exe, which is highly irregular for standard web browsing.
ProcessCreate
| where ParentProcessName in ("chrome.exe", "msedge.exe")
| where FileName in ("powershell.exe", "cmd.exe", "pwsh.exe")
Precisely. To quickly isolate those high-frequency events in the terminal before dashboards load, I use this awk one-liner to group failures by minute:
awk '/authentication failure/ {print $1,$2,$3}' /var/log/auth.log | sort | uniq -c | sort -rn
It makes spotting the 'angry cron' cadence much easier visually.
The AI OAuth angle is tricky since the domains are usually legitimate, bypassing standard SPF/DMARC checks. We’ve shifted focus to analyzing login timing and “impossible travel” indicators which these bots often miscalculate.
I've been using this snippet to flag rapid, cross-region token requests in our SIEM export:
df['timestamp'] = pd.to_datetime(df['timestamp'])
df = df.sort_values('user')
df['time_diff'] = df.groupby('user')['timestamp'].diff().dt.total_seconds()
suspicious = df[(df['time_diff'] < 60) & (df['country'] != df['country'].shift(1))]
It’s caught a few anomalies that strict ML filters missed.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access