The 250 CISOs who co-authored the Mythos “AI Storm” strategy paper over one weekend in April are reconvening in-person on what comes next. The CISO Summit Series runs in San Francisco (May 29, hosted by Salesforce), New York City (June 8, hosted by Google), and Washington, DC (June 9, hosted by Microsoft). SANS is a lead partner organization alongside CSA, [un]prompted, RSAC, FIRST, and Knostic.
Each summit pairs short technical and strategy lectures with peer turbo talks and workshop sessions. Output: the topic list and contributors for the next expedited strategy papers the industry needs, plus the structure for a standing CISO community.
Attendance is limited to CISOs, CSOs, and CROs running their organization’s security program and budget.
Register: May 29 in San Francisco * June 8 in New York City * June 9 in Washington, DC
In the span of months, cyber-focused models have been exceeding estimates for improving speed and reliability, and practitioners are reckoning with the advantages and the challenges of AI automation. Read on in this issue of NewsBites for an overview of the state of AI-augmented vulnerability discovery in practice.
Vulnerabilities identified with the help of AI are increasingly prevalent in security advisories, software update cycles, and bug bounty programs; for some organizations this has enabled remediation of critical flaws, but for others the influx of information without quality control or judgment has proved counterproductive. Microsoft's May 2026 Patch Tuesday included 16 flaws discovered with assistance from the company's "multi-model agentic scanning harness" (MDASH), including four critical vulnerabilities. This month Palo Alto Networks also more than doubled its typical number of monthly advisories, releasing 26 CVEs and stating, "this is the first time where the majority of findings were the result of frontier AI models scanning [PAN's] code." In April, Mozilla also more than quintupled its number of bug fixes from the previous month, citing assistance from Mythos. A new report from the UK's AI Security Institute (AISI) follows up on its February testing of AI models' performance of cybersecurity tasks, with additional data showing models' reliability and speed growing beyond an estimated trend: "the length of cyber tasks that frontier models can complete autonomously has doubled on the order of months." On the other hand, Linus Torvalds describes the state of the Linux security mailing list as "unmanageable" due to excessive redundant AI-assisted bug reports: "If you found a bug using AI tools, the chances are somebody else found it too. If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did." The cURL project and Nextcloud have both suspended their bug bounty programs due to massive floods of low-quality AI-generated submissions, and Bugcrowd says that vulnerability reports more than quadrupled in March, but that the majority were invalid. While the volume of HackerOne submissions grew by 76 percent in March, the proportion of genuine flaws remained unchanged at 25 percent.
Katie Moussouris, CEO of Luta Security, stated to The Register that vulnerability discovery is "the cheap end of the pipeline," while "triage, disclosure, building patches that do not break production, and getting customers to deploy them is the expensive end, and nobody has funded it for this volume."

If it is so easy for third-party researchers to find bugs, then many bugs are reported simultaneously by multiple researchers. Maybe companies should run these models themselves proactively? I think some organizations may have been relying a bit too much on others to find vulnerabilities for them.

While the use of AI has increased the number of bugs discovered — recall the recent updates from Microsoft, Apple, Mozilla and others — it's also resulting in what's being termed "AI Slop" flooding bug bounty programs. If you're in the bug discovery game, make sure that you're submitting in-depth, validated information, and maybe even include the bug fix in your submission. You're going to need to stand out as a value add, not a resource sink. Expect bug bounty programs to start auto-filtering for AI Slop, as without this they will be unable to remain viable.
It is a trend that will continue as both Anthropic and OpenAI look to expand access to their latest frontier models. The good news is that patch management is being pushed to the forefront as organizations look to automate the process. Otherwise, the evildoer wins the race to exploit, as they have historically done.
SecurityWeek
The Hacker News
SecurityWeek
CyberScoop
The Register
The Register
Ars Technica
Help Net Security
PAN
Microsoft
AISI
Kim Zetter has published a thorough look into the latest analysis of the Fast16 malware, conducted by researchers at the Institute for Science and International Security and Symantec's Threat Hunter Team who deciphered Stuxnet after it was discovered. Fast16 "was designed to subvert nuclear weapons testing simulations with the aim of undermining those tests and slowing the progress of a nuclear program." The malware appears to have been developed at roughly the same time as Stuxnet. Both "share a conceptual framework in that both attacks involved subverting the integrity of data." Zetter writes that "Stuxnet increased the pressure inside centrifuges and caused them to spin out of control, while feeding false data to operators to make them think the centrifuges were working fine. Fast16 took a different approach and fed operators false data about nuclear warheads testing to make engineers believe the tests were not fine, while in fact they may have been." Researchers at Symantec found that Fast16 was designed to target at least two software simulation programs, LS-DYNA and AUTODYN; Iranian nuclear engineers were using LS-DYNA to conduct explosives research. "Fast16 is singularly focused, and is only interested in the programs when they are modeling high-explosive detonations. Fast16 determines which software is being used, and only engages when it’s sure the program is simulating a high-explosive detonation and using specific models to do so." David Albright, founder and president of the Institute for Science and International Security, writes that "The effect could be to waste time, resources, and lower the overall morale of the program."

What makes Fast16 so interesting is that it appears to have targeted human confidence and decision making more than physical equipment. Stuxnet damaged centrifuges while hiding the damage from operators. Fast16 seems to have inverted that model by making engineers distrust valid simulation results and chase problems that may not have existed.

Two pieces of very sophisticated malware, two different approaches — one saying all is well, the other showing failure. This is a nation-state level of malware, intended to disrupt testing/operations. Fast16 specifically brings confidence in the weapons design into question, delaying development if not preventing it altogether. Conversely, Stuxnet was intended to cause incremental damage to centrifuges over time, slowing the enrichment program to buy time for negotiations as well as limit the amount of fissionable material available. Although the Fast16 code was discovered in 2019, it wasn't until recently that SentinelOne had AI tools with the capacity to help decipher the code and determine what it was possibly designed to do. That initial analysis was augmented by the research from Symantec this week, which determined the two targeted applications. The Zero Day article is a great read and provides food for thought on how OT/ICS systems could be manipulated by malware, versus merely taking them offline.

Making subtle changes to existing data and software, instead of obviously modifying or stealing it, has always been at the top of my list of dangerous and sophisticated exploits. Modern complex systems are particularly susceptible to this issue and are almost impossible to verify. Skilled forensic examiners are critical for identifying these subtle compromises. SANS.edu just released a new Graduate Certificate in Digital Forensics. SANS.edu President Ed Skoudis said, "Digital forensics plays a critical role in modern cybersecurity operations. This new graduate certificate program gives students hands-on experience with the tools, techniques, and certifications needed to investigate complex attacks and respond effectively in high-stakes environments."
https://www.sans.edu/cyber-security-programs/graduate-certificate-digital-forensics
Analysis of the Fast16 malware strongly indicates a highly targeted operation, characteristic of a nation-state cyberattack. This raises a critical question: did pioneering campaigns like Stuxnet and Fast16 catalyze the global proliferation of state-sponsored offensive cyber programs?
The latest in a series of flaws in the Linux kernel was disclosed by Qualys on May 15, 2026, on the Open Source Software Security list. CVE-2026-46333 allows a non-privileged attacker to read sensitive files by obtaining file descriptors that a privileged process still has open while the process is exiting, due to a flaw in the logic of the ptrace access check. SSH host private keys or hashed passwords in /etc/shadow could potentially be accessed this way; the undermining of SSH host identity trust and the possibility of persistence are why the KnightLi blog states "this should be treated as high priority even though it is not a 'direct root shell' bug." Like Copy Fail, Dirty Frag, and Fragnesia, proof-of-concept (PoC) exploit code was available simultaneously with the disclosure. Users should check the status of their distribution, and KnightLi also notes that "distributions backport fixes, so the same upstream-looking [kernel] version number may mean different patch states across distributions." The general steps for remediation are to refresh package metadata, install the new kernel package with the fix, reboot into the new kernel, and use uname -r to verify the running kernel is fixed. Rebooting is mandatory to run a new kernel package, but if an immediate reboot is not possible, users should set the Yama ptrace_scope to 2 (admin-only attach) or 3 (no attach).
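The verify-then-mitigate steps above as a small script. This is an added example, not code from the article, KnightLi, Qualys or any distribution; it assumes a Linux host with the Yama LSM and that FIXED_KERNEL_VERSION is set to the exact fixed package version from your distribution's advisory (a placeholder is used below), since backports mean an upstream-looking version number proves nothing on its own.

```shell
#!/bin/sh
# Added example (not from the article, KnightLi or any distribution): check whether a host
# is still exposed to CVE-2026-46333 and apply the interim Yama mitigation the article
# describes. Assumptions: a Linux host with the Yama LSM, and FIXED_KERNEL_VERSION set
# by you to the exact fixed package version from your distribution's advisory (placeholder
# below), because backports mean an upstream-looking version number proves nothing.

YAMA_SCOPE=/proc/sys/kernel/yama/ptrace_scope

# 0 when a ptrace_scope value blocks attach by ordinary users: 2 = admin-only, 3 = no attach.
scope_is_mitigated() {
    case "$1" in
        2|3) return 0 ;;
        *)   return 1 ;;
    esac
}

# Current Yama setting, or "unavailable" if the kernel has no Yama (no interim fix possible).
current_scope() {
    if [ -r "$YAMA_SCOPE" ]; then
        cat "$YAMA_SCOPE"
    else
        echo unavailable
    fi
}

# Exact match of `uname -r` against the distro's fixed version. Deliberately not a
# "greater than" comparison: the same upstream version can be patched on one distro
# and vulnerable on another.
running_kernel_is_fixed() {
    [ "$1" = "$2" ]
}

# Interim mitigation (needs root). Persisting it in sysctl.d keeps it across a reboot that
# lands on a still-vulnerable kernel; remove the drop-in once the fixed kernel is running.
apply_mitigation() {
    sysctl -w kernel.yama.ptrace_scope=2 &&
    printf 'kernel.yama.ptrace_scope = 2\n' > /etc/sysctl.d/99-cve-2026-46333.conf
}

main() {
    fixed="${FIXED_KERNEL_VERSION:-REPLACE_WITH_DISTRO_FIXED_VERSION}"  # placeholder value
    running="$(uname -r)"
    if running_kernel_is_fixed "$running" "$fixed"; then
        echo "running kernel $running is the fixed version; no interim mitigation needed"
        return 0
    fi
    scope="$(current_scope)"
    if [ "$scope" = unavailable ]; then
        echo "kernel $running is not fixed and Yama is unavailable: patch and reboot now"
        return 1
    fi
    if scope_is_mitigated "$scope"; then
        echo "kernel $running is not fixed, but ptrace_scope=$scope already restricts attach"
    else
        echo "kernel $running is not fixed and ptrace_scope=$scope; setting ptrace_scope=2"
        apply_mitigation
    fi
    echo "still required: install the fixed kernel package, reboot, then re-check uname -r"
}

# Functions only when sourced or run without arguments; pass --run to act on this host.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root with `FIXED_KERNEL_VERSION=<version from your advisory> sh check-46333.sh --run`; remember that ptrace_scope=2 also blocks non-root debuggers and some monitoring agents until the patched kernel is booted.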

Sadly, this flaw doesn't have a cool name — it's being called ssh-keysign-pwn. It allows non-privileged users to read SSH private keys and the /etc/shadow password file. Your mission is to patch the kernel and reboot as soon as the updates are released. In the meantime, restrict the Yama ptrace function for non-root users (sysctl kernel.yama.ptrace_scope=2), but keep in mind that this breaks many debugging and monitoring workflows, impacting your developers. Alternatively, you can disable SSH, which is a showstopper. Take a look at ModuleJail or other mechanisms for block listing unused Kernel modules to prevent future exploits based on flawed modules.
KnightLi
Alma Linux
The Register
ZDNET
Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added two CVEs to the Known Exploited Vulnerabilities (KEV) catalog: a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and a critical cross-site scripting vulnerability in Microsoft Exchange Server. The Cisco vulnerability (CVE-2026-20182) was detected and addressed in February 2026. The "new advisory is for a new vulnerability in the control connection handshaking." US Federal Civilian Executive Branch (FCEB) agencies were required to mitigate that vulnerability by Sunday, May 17. Microsoft released an advisory for the Exchange Server vulnerability (CVE-2026-42897) on May 14, 2026, two days after the company's monthly security release. Microsoft describes the vulnerability as "improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network." The issue affects Exchange Server Subscription Edition 2016 and 2019. Users are advised to ensure that they have the Exchange Emergency Mitigation Service enabled to protect their systems while the company develops a more permanent fix. The vulnerability is being actively exploited. US FCEB agencies have until May 29 to mitigate CVE-2026-42897.

The Exchange flaw (CVE-2026-42897) is due 5/29/26, while the Cisco SD-WAN flaw (CVE-2026-20182) was due 5/17/26. Beyond patching Exchange, question the need to continue to run it on premises. Make sure that you've gone through the Cisco hardening guidance for their SD-WAN.
The Record
SC Media
Cisco
NIST
Help Net Security
SecurityWeek
Microsoft
Researchers at Cyera discovered four vulnerabilities in the OpenClaw open-source platform for autonomous AI agents. Dubbed ClawChain, the four vulnerabilities are a critical time-of-check/time-of-use (TOCTOU) race condition filesystem write escape vulnerability (CVE-2026-44112); a high-severity execution allowlist env-vars disclosure vulnerability (CVE-2026-44115); a high-severity MCP loopback privilege escalation vulnerability (CVE-2026-44118); and a high-severity TOCTOU filesystem read escape vulnerability (CVE-2026-44113). After gaining a foothold in a targeted system, attackers could exploit the vulnerabilities to achieve elevated privileges, attain persistence in the system, and steal data. The vulnerabilities were reported to OpenClaw maintainers in April 2026 and all have been addressed in updated versions. Cyera recommends that users take several actions immediately: patch OpenClaw, identify exposed instances, and rotate secrets. They further recommend short-term hardening, which involves auditing agent access, treating agents as privileged identities, reviewing supply chain inputs, and network segmentation.

These flaws have CVSS scores from 7.7 to 9.6, and as such they should have your attention if you're working with OpenClaw. Think sandbox escapes. The fixes are out in version 2026.4.22, but even so, make sure that you're keeping OpenClaw isolated/separated, restricting it to the smallest possible access it needs.
Cyera
The Hacker News
SecurityWeek
Dark Reading
Grafana Labs, a provider of open source analytics, monitoring, and data visualization software, has disclosed that a threat actor infiltrated the company's GitHub repository and stole the company's codebase. Grafana posted on social media: "We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase." The company has invalidated the compromised credentials, and has refused to pay a ransom demanded by the attacker, who threatened to publish the code. Grafana says that the incident did not affect customer data or personal information, and that customer systems appear to be unaffected.

A cyber-extortion gang known as the "Coinbase Cartel" is taking claim for this attack. FBI guidance remains not to pay the demand as there is no guarantee you're going to get your data back, and payment further incentivizes others to get into the ransomware/extortion game. In this case, as there is no customer data or personal information, only their code, the question becomes, what IP is in that code, and how does it need to be changed to negate its release?
The Register
SecurityWeek
Help Net Security
The Hacker News
BleepingComputer
TechCrunch
NYC Health and Hospitals (NYCHHC) says a breach in which intruders had access to systems for months resulted in the theft of medical records and other personal information belonging to at least 1.8 million individuals. The compromised data include health insurance plan and policy information, medical record numbers, diagnoses, medications, test results, images, treatment plans, biometric information (fingerprints and palm prints), billing, claims, and payment information, Social Security numbers, tax ID numbers, passports, driver’s licenses, payment card information, and other financial account information. NYCHHC detected the breach on February 2, 2026, and took steps at that time to secure the network. The intruders had access to NYCHHC systems from November 2025 through February 2026. The breach is believed to have been enabled by a breach at an unidentified third-party vendor. NYCHHC reported the breach to the US Department of Health and Human Services Office for Civil Rights (HHS OCR) on March 24, 2026, but only recently updated the number of individuals affected by the incident. Several other healthcare-related organizations have also updated the number of individuals affected: Erie Family Health Centers in Chicago, Illinois, reports that a breach in which intruders had access to systems between December 2025 and January 2026 affected 570,000 individuals; a November 2025 breach of Florida Physician Specialists' network reportedly affected 276,000 individuals; and Nacogdoches Memorial Hospital in Texas reported a breach affecting 2.5 million individuals.

This appears to be one of the largest breaches for 2026 so far. Looks like a third-party breach. That means it's time to make sure you've got ALL your third-party processors accounted for, ensuring that they are securely accessing, handling and processing your data and that they have acceptable monitoring and incident response. Triple check that they will notify you, and at what interval, when there is an issue with your data or a related security incident. Make sure that notification doesn't just go to your contract analyst; they are a valuable ally but are not in the incident response business, so reliance on forwarding of notifications isn't ideal.
A breach of 1.8M records is a staggering figure, but the most critical takeaway is that the compromise occurred through a third-party vendor. This highlights an ongoing trend among large organizations and serves as a reminder: third-party providers are an extension of your own attack surface, and your cybersecurity controls must apply to them as rigorously.
A misconfigured AWS bucket was exposing data from the Tabiq hotel check-in system for several years. Security researcher Anurag Sen discovered the vulnerability in the Tabiq system that was leaking customer information because the bucket was set up as public. Sen contacted TechCrunch for help notifying Japanese tech company Reqrea, which maintains Tabiq. After TechCrunch reached out to Reqrea and Japan's JPCERT, Reqrea locked down the bucket in question, which had been leaking customers' passport and driver's license scans, as well as facial images. Until the bucket was made private, the images dating back to 2020 had been accessible by anyone who knew the bucket's name. Reqrea plans to notify affected individuals about the incident as soon as it concludes its investigation. AWS buckets are by default private. Amazon has put several layers of warning in place before allowing buckets to be made public.
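A way to inventory an account for buckets like the one above, as an added example that is not code from the article, Reqrea or AWS. It assumes AWS CLI v2 with credentials allowing s3:ListAllMyBuckets, s3:GetBucketPublicAccessBlock, s3:GetBucketPolicyStatus and s3:GetBucketAcl; the creation-year threshold reflects AWS making Block Public Access the default for new buckets in 2023, so older buckets get flagged when that configuration was never applied.

```shell
#!/bin/sh
# Added example (not from the article, Reqrea or AWS): list every S3 bucket in an account
# and flag the ones worth a second look for public exposure. Assumes AWS CLI v2 with
# credentials allowing s3:ListAllMyBuckets, s3:GetBucketPublicAccessBlock,
# s3:GetBucketPolicyStatus and s3:GetBucketAcl. The year threshold is an assumption:
# AWS made Block Public Access the default for new buckets in 2023, so buckets created
# before that need the configuration checked explicitly.
DEFAULTS_CHANGED_YEAR=2023

# Verdict for one bucket. Arguments:
#   $1 public access block summary: all-blocked | partial | missing
#   $2 bucket policy status:        public | private | none
#   $3 number of ACL grants to the AllUsers / AuthenticatedUsers groups
#   $4 bucket creation year
# Prints the reason and returns 0 when the bucket should be reviewed.
classify_bucket() {
    pab="$1"; policy="$2"; grants="$3"; year="$4"
    if [ "$pab" = all-blocked ]; then
        echo "ok: public access block fully enforced"
        return 1
    fi
    if [ "$policy" = public ] || [ "$grants" -gt 0 ]; then
        echo "REVIEW: reachable by anyone (policy=$policy, public ACL grants=$grants)"
        return 0
    fi
    if [ "$pab" = missing ] && [ "$year" -lt "$DEFAULTS_CHANGED_YEAR" ]; then
        echo "REVIEW: no public access block and created before the default changed"
        return 0
    fi
    echo "ok: not public today, but public access block is $pab"
    return 1
}

# Summarise a bucket's public access block: missing (never configured), partial, all-blocked.
pab_summary() {
    out="$(aws s3api get-public-access-block --bucket "$1" \
        --query 'PublicAccessBlockConfiguration.[BlockPublicAcls,IgnorePublicAcls,BlockPublicPolicy,RestrictPublicBuckets]' \
        --output text 2>/dev/null)" || { echo missing; return 0; }
    case "$out" in
        *False*) echo partial ;;
        *)       echo all-blocked ;;
    esac
}

# AWS's own evaluation of whether the bucket policy makes the bucket public.
policy_summary() {
    out="$(aws s3api get-bucket-policy-status --bucket "$1" \
        --query 'PolicyStatus.IsPublic' --output text 2>/dev/null)" || { echo none; return 0; }
    if [ "$out" = True ]; then echo public; else echo private; fi
}

# Count ACL grants to the global AllUsers / AuthenticatedUsers groups.
public_acl_grants() {
    aws s3api get-bucket-acl --bucket "$1" --query 'Grants[].Grantee.URI' --output text |
        tr '\t' '\n' | grep -c 'groups/global/' || true
}

# Walk the account and print one tab-separated line per bucket: name, year, verdict.
scan_account() {
    aws s3api list-buckets --query 'Buckets[].[Name,CreationDate]' --output text |
    while read -r name created; do
        year="${created%%-*}"
        verdict="$(classify_bucket "$(pab_summary "$name")" "$(policy_summary "$name")" \
                                   "$(public_acl_grants "$name")" "$year")"
        printf '%s\t%s\t%s\n' "$name" "$year" "$verdict"
    done
}

if [ "${1:-}" = "--scan" ]; then
    scan_account
fi
```

Run `sh s3-public-check.sh --scan` and hand every REVIEW line to the data owner rather than the developer who created the bucket.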

Looks like this has been a public bucket for six years or more. Recall that S3 buckets have a global namespace, so if you know the name of a bucket you can access it as long as the permissions allow it. It's a lot harder to make this mistake today, but maybe double check to see if any of your S3 buckets are public; pay close attention to older ones created before AWS implemented their latest controls. Even if a developer pinky swears the data really is public, it's not a bad idea to make sure that the data owner concurs.
Two points: First, don’t ever assume that an adversary doesn’t know details about their target. They conduct reconnaissance too. Second, secure configuration remains an important security control. The Center for Internet Security maintains free data protection guidelines for every major cloud service provider. In this case the CIS AWS Foundations Benchmark. It’s also available in the AWS Security Hub. Use it. https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html
In the first cyber operation of its scale coordinated by INTERPOL in the Middle East and North Africa (MENA) region, Operation Ramz "aimed to investigate and disrupt malicious infrastructure, identify and arrest suspects, and prevent future losses. The operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams that inflict severe cost to the region." In the course of the operation, which ran from October 2025 through February 2026, authorities arrested 201 people, identified 382 suspects and 3,867 victims, and seized 53 servers. In Jordan, authorities found a computer running financial investment scams. Individuals working these systems were discovered to be victims of human trafficking; they had been promised jobs, but their passports were confiscated once they arrived in Jordan. Two people believed to have orchestrated the schemes were arrested. In Oman, authorities found a server containing sensitive data in a private residence. They disabled the server after discovering it contained vulnerabilities and was infected with malware. In Morocco, authorities seized equipment containing information related to phishing schemes. Three people were taken into custody and others are under investigation. Thirteen countries participated in Operation Ramz: Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and UAE; in addition, "INTERPOL worked closely with its partners, Group-IB, Kaspersky, the Shadowserver Foundation, Team Cymru and TrendAI to track illegal cyber activities and identify malicious servers."

Another demonstration of the effectiveness of global collaboration. INTERPOL continues to work with private sector partners and member countries to take down cybercriminal gangs and malicious infrastructure, and to bring perpetrators to justice. A key point is that this collaboration is new for the MENA region. As more countries get experience in global takedowns, it will hopefully be easier and faster to take out threat actors regardless of location.
INTERPOL
Help Net Security
Infosecurity Magazine
The Record
SANS Internet Storm Center StormCast Tuesday, May 19, 2026
New libssh in Malware; Exchange 0-Day; MSFT Authenticator Update; ssh-keysign-pwn Patches
https://isc.sans.edu/podcastdetail/9936
New Malware Libraries means New Signatures
https://isc.sans.edu/diary/Guest+Diary+New+Malware+Libraries+means+New+Signatures/32986
Addressing Exchange Server May 2026 vulnerability CVE-2026-42897
Microsoft Authenticator Update CVE-2026-41615
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41615
ssh-keysign-pwn (CVE-2026-46333) Patches Released
https://almalinux.org/blog/2026-05-15-ssh-keysign-pwn-cve-2026-46333/
State of AI in the Cloud Report 2026: AI is no longer a standalone tool; it’s embedded across cloud environments, development workflows, and production systems. This report reveals how AI adoption is expanding the attack surface, accelerating attacker behavior, and introducing new risks through agents, copilots, and automation. Get the data behind what’s changing and what security teams need to do about it.
Learn how CTI strengthens detection, response, and strategic cybersecurity decision-making. 2026 SANS CTI Survey Insights: From Indicators to Insights: How CTI Empowers Both Practitioners and Decision-Maker | Thursday, May 21 at 10:30AM ET
Explore how government agencies are improving readiness against evolving cyber threats. SANS 2026 Cybersecurity Readiness in Government Survey Insights: Is the Public Sector Ready for the Next Cyber Threat? | Thursday, May 28 at 10:30AM ET
Discover how DSPM improves visibility, reduces risk, and strengthens data security. Data Security Posture Management: Modernizing Data Defense | Friday, May 29 at 1PM ET