Cybersecurity Threats · Late April – Early May 2026 · Generated May 2026 · 7 sources

Cybersecurity Threats Report — Late April / Early May 2026

1. Key Points

1. AI is now enabling cybercrime at industrial scale with time-to-exploit shrinking to hours, as SecurityWeek and Wired report that Anthropic's 'Mythos' signals a new era of near-instant exploitation — Mozilla used it to find and fix 271 bugs in Firefox, the NSA tested it to find vulnerabilities, and North Korean hackers used AI to steal as much as $12 million in three months [4] [7].
2. MITRE ATT&CK v19 was released on April 28, 2026, with the Defense Evasion tactic in Enterprise ATT&CK split into two new tactics — Stealth and Defense Impairment — and new techniques added including 'Query Public AI Services,' 'Generate Content,' and Social Engineering sub-techniques, bringing the framework to 949 pieces of software, 178 groups, and 59 campaigns [1].
3. Law enforcement intensified cybercrime prosecutions in late April 2026, with two American cybersecurity professionals sentenced to four years each for ALPHV BlackCat ransomware involvement, at least 276 arrests in a coordinated scam center takedown involving the FBI, Dubai Police, and Chinese Ministry of Public Security, and the extradition of a Chinese state-sponsored contract hacker from Italy [2] [3].
4. Multiple critical vulnerabilities are being actively exploited, including a nine-year-old Linux kernel flaw (CVE-2026-31431) enabling local privilege escalation, a cPanel zero-day (CVE-2026-41940) exploited for months before patching, a Windows Shell vulnerability (CVE-2026-32202) flagged by CISA and Microsoft, and 88% of self-hosted GitHub servers exposed to remote code execution via CVE-2026-3854 [6] [7].
5. Supply chain attacks targeting NPM packages and AI model platforms escalated, with a North Korea-nexus actor compromising the Axios NPM package, 1,800 users hit in an attack on SAP, Lightning, and Intercom packages with combined monthly downloads of nearly 10 million, and Hugging Face and ClawHub abused for malware distribution [5] [4].
2. Executive Summary

  • AI-powered exploitation has reached industrial scale this period, with SecurityWeek reporting that time-to-exploit has shrunk to hours, Anthropic launching 'Claude Security' in direct response, and Mandiant publishing defensive guidance for enterprises facing AI model-powered vulnerability discovery at unprecedented speed [4] [5].
  • MITRE ATT&CK v19's release on April 28, 2026 represents the most significant structural change to the framework in recent memory, splitting Defense Evasion into Stealth and Defense Impairment and adding Sub-Techniques to ICS ATT&CK for the first time, requiring organizations to update detection rules, threat models, and security controls mapped to the prior tactic structure [1].
  • Global law enforcement maintained its highest operational tempo to date in late April 2026, with the DOJ, FBI, and international partners executing multiple simultaneous actions including ransomware sentencings, dark web marketplace extraditions, scam center takedowns, and a Chinese state-sponsored hacker extradition, corroborated by both DOJ and FBI sources [2] [3].
  • A concurrent wave of critical infrastructure vulnerabilities — spanning Linux kernel, cPanel, Windows Shell, GitHub servers, and SonicWall firewalls — is being actively exploited or remains broadly unpatched, indicating defenders face a broad and simultaneous patching burden across server, network, and development platforms [6] [4].
  • The FBI issued a new alert warning that criminal enterprises are hacking brokers and carriers to steal cargo for resale, representing a newly reported hybrid threat vector combining cyber intrusion with physical theft targeting the transportation and logistics sector [4] [3].
3. Market Trends

AI-Powered Exploitation Reaches Industrial Scale

This trend has significantly escalated in the current period. SecurityWeek reported that AI fuels 'industrial' cybercrime as time-to-exploit shrinks to hours, with industrialized cybercrime delivering attacks with greater scale, speed and success [4]. Anthropic unveiled Claude Security specifically to counter an AI-powered exploit surge, with Mythos signaling what the company describes as a new era of near-instant exploitation [4]. Wired corroborated this shift, reporting that Mozilla used Anthr…

MITRE ATT&CK v19 Restructures Defense Evasion Taxonomy

A significant structural update to the threat intelligence framework occurred this period. MITRE released ATT&CK v19 on April 28, 2026, with the biggest change being the split of the Defense Evasion Tactic in Enterprise ATT&CK into two new tactics: Stealth and Defense Impairment [1]. This release also introduced Sub-Techniques to ICS ATT&CK and the beginnings of Detection Strategies in Mobile ATT&CK [1]. New techniques added include Query Public AI Services, Generate Content (covering Audio-Visu…

Global Law Enforcement Sustains Cybercrime Disruption Operations

This trend continues with intensified activity in the current period. The DOJ announced on April 30, 2026 that two American cybersecurity professionals were each sentenced to four years in prison for their role in deploying ALPHV BlackCat ransomware [2]. A coordinated takedown of scam centers on April 29, 2026 resulted in at least 276 arrests through unprecedented cooperation between the FBI, Dubai Police Department, and Chinese Ministry of Public Security [2]. The FBI announced the extradition …

Critical Vulnerabilities in Enterprise Software Actively Exploited

New high-severity vulnerabilities are being actively exploited in the current period. HelpNetSecurity reported that a cPanel zero-day tracked as CVE-2026-41940 was exploited for months before a patch was released [6]. A nine-year-old Linux kernel flaw tracked as CVE-2026-31431 was found to enable reliable local privilege escalation, corroborated by Wired which described it as a dangerous new Linux exploit giving attackers root access to countless computers [6]. HelpNetSecurity also highlighted t…

Supply Chain and NPM Ecosystem Attacks Continue to Escalate

This trend continues with new incidents in the current period. Mandiant's threat intelligence blog reported that a North Korea-nexus threat actor compromised the widely used Axios NPM package in a supply chain attack [5]. SecurityWeek reported that 1,800 users were hit in a supply chain attack on SAP, Lightning, and Intercom packages, with the compromised Lightning and Intercom packages having a combined monthly download count of nearly 10 million [4]. HelpNetSecurity noted that shadow AI, deepf…

4. Competitive Trends

AI-Powered Exploitation Reaching Industrial Scale

This trend continues from the previous reporting period with significant new developments. SecurityWeek reported that AI is fueling 'industrial' cybercrime, with attacks delivered at greater scale, speed, and success, and that defenders must match this with AI and automation [4]. New this period, Anthropic unveiled 'Claude Security' specifically to counter an AI-powered exploit surge, with SecurityWeek noting that 'Mythos' signals a new era of near-instant exploitation [4]. Wired reported that M…

MITRE ATT&CK v19 Restructures Defense Evasion Taxonomy

A significant new development this period is the release of ATT&CK v19 on April 28, 2026. The biggest structural change is the split of the Defense Evasion Tactic in Enterprise ATT&CK into two new tactics: Stealth and Defense Impairment [1]. This release also adds Sub-Techniques to ICS ATT&CK and introduces the beginnings of Detection Strategies in Mobile ATT&CK [1]. New techniques added include 'Query Public AI Services,' 'Generate Content,' 'Social Engineering,' 'Downgrade Attack,' and 'Safe M…

Supply Chain Attacks Expanding Across NPM and Software Packages

Supply chain attacks remain a persistent and active threat vector, continuing from the previous reporting period with new corroborated incidents. Mandiant reported that a North Korea-nexus threat actor compromised the widely used Axios NPM package in a supply chain attack [5]. New this period, SecurityWeek reported that 1,800 users were hit in a 'Mini Shai-Hulud' attack on SAP, Lightning, and Intercom packages, with the compromised Lightning and Intercom packages having a combined monthly downlo…

Global Law Enforcement Actions Against Ransomware and Dark Web Markets

Law enforcement actions against cybercriminal infrastructure continue at high tempo into late April 2026, with several new significant actions this period. The DOJ announced on April 30, 2026 that two American cybersecurity professionals — Ryan Goldberg of Georgia and Kevin Martin of Texas — were each sentenced to four years in prison for their role in a conspiracy involving ALPHV BlackCat ransomware, corroborated by both SecurityWeek and the DOJ [2] [4]. Also on April 30, 2026, the DOJ announce…

Critical Vulnerabilities in Linux Kernel and Web Infrastructure Actively Exploited

New this period, HelpNetSecurity reported on two significant vulnerabilities disclosed in late April 2026. A nine-year-old Linux kernel flaw tracked as CVE-2026-31431 was found to enable reliable local privilege escalation, representing a high-severity threat to a wide range of systems [6]. Wired corroborated this, reporting that a dangerous new Linux exploit gives attackers root access to countless computers [7]. Separately, HelpNetSecurity reported that a cPanel zero-day tracked as CVE-2026-41…

5. Policy and Regulatory Trends

AI-Powered Exploitation Reaches Industrial Scale

This trend has significantly escalated this reporting period with new corroborating evidence. SecurityWeek reported that AI is fueling 'industrial' cybercrime as time-to-exploit shrinks to hours, with industrialized cybercrime delivering attacks with greater scale, speed and success [4]. Anthropic unveiled Claude Security specifically to counter an AI-powered exploit surge, with SecurityWeek noting that 'Mythos' signals a new era of near-instant exploitation [4]. Wired reported that Mozilla used…

Supply Chain and Open-Source Package Compromises Persist

Supply chain attacks against widely used software ecosystems continue as a high-priority threat vector this reporting period. SecurityWeek reported that 1,800 users were hit in a 'Mini Shai-Hulud' attack on SAP, Lightning, and Intercom packages, with the compromised Lightning and Intercom packages having a combined monthly download count of nearly 10 million [4]. Mandiant's threat intelligence blog reported that a North Korea-nexus threat actor compromised the widely used Axios NPM package in a …

Global Law Enforcement Intensifies Cybercrime Prosecutions

U.S. and international law enforcement agencies continue to escalate coordinated enforcement actions against cybercriminal networks this period. The DOJ announced on April 30, 2026 that two American cybersecurity professionals were each sentenced to four years in prison for their role in deploying ALPHV BlackCat ransomware [2], corroborated by SecurityWeek reporting that Ryan Goldberg of Georgia and Kevin Martin of Texas were each sentenced to four years in prison for helping a ransomware gang […

MITRE ATT&CK v19 Restructures Threat Taxonomy

New this reporting period, MITRE released ATT&CK v19 on April 28, 2026, introducing significant structural changes to the threat framework used widely by defenders. The most significant change is the split of the Defense Evasion Tactic in Enterprise ATT&CK into two separate tactics: Stealth and Defense Impairment [1]. The release also adds Sub-Techniques to ICS ATT&CK for the first time, and introduces the beginnings of Detection Strategies in Mobile ATT&CK [1]. New techniques added include 'Que…

Critical Vulnerabilities in Linux Kernel and Web Infrastructure Actively Exploited

New this reporting period, multiple high-severity vulnerabilities in foundational infrastructure components have been disclosed and in some cases actively exploited. HelpNetSecurity reported on April 30, 2026 that a nine-year-old Linux kernel flaw tracked as CVE-2026-31431 enables reliable local privilege escalation [6]. Wired corroborated this, reporting that a dangerous new Linux exploit gives attackers root access to countless computers [7]. HelpNetSecurity also reported that a cPanel zero-da…

6. Summary of Key Changes

MITRE ATT&CK v19 Released with Major Tactic Restructuring

Updated

ATT&CK v19 was officially released on April 28, 2026, confirming the split of the Defense Evasion tactic in Enterprise ATT&CK into two new tactics: Stealth and Defense Impairment. The release also adds Sub-Techniques to ICS ATT&CK and introduces Detection Strategies in Mobile ATT&CK. The framework now contains 949 pieces of software, 178 groups, and 59 campaigns — up from 910, 176, and 55 respectively in v18. Enterprise now includes 15 tactics, 222 techniques, and 475 sub-techniques. Numerous ne…

Related: Threat Intelligence · Source: MITRE ATT&CK Updates

Law Enforcement Escalates Cybercrime Actions Through Late April 2026

Updated

Enforcement activity has intensified with several high-profile actions. A Chinese state-sponsored contract hacker was extradited from Italy on April 27, 2026 [3]. Two American cybersecurity professionals were each sentenced to four years in prison for their role in ALPHV BlackCat ransomware attacks on April 30, 2026 [2]. A coordinated takedown of scam centers led to at least 276 arrests through unprecedented FBI, Dubai Police, and Chinese Ministry of Public Security cooperation on April 29, 2026…

Related: Law Enforcement · Sources: DOJ CCIPS, SecurityWeek

AI-Powered Exploitation Reaches Industrial Scale

Updated

Multiple sources now report AI is enabling cybercrime at industrial scale with dramatically reduced time-to-exploit. SecurityWeek reported that AI fuels 'industrial' cybercrime as time-to-exploit shrinks to hours, and that Anthropic unveiled 'Claude Security' to counter AI-powered exploit surges [4]. Wired reported that North Korean hackers used AI for malware development and fake company websites, stealing as much as $12 million in three months [7]. Mandiant published analysis on defending ente…

Related: Emerging Threats · Sources: FBI Cyber Division, Mandiant Blog, Help Net Security, Wired Security

Critical Vulnerabilities Actively Exploited in Linux and cPanel

New

Two significant vulnerabilities emerged in late April 2026. HelpNetSecurity reported a nine-year-old Linux kernel flaw (CVE-2026-31431) enabling reliable local privilege escalation, and a cPanel zero-day (CVE-2026-41940) that was exploited for months before a patch was released [6]. Wired also highlighted a dangerous new Linux exploit giving attackers root access to a large number of systems [7]. These represent newly disclosed high-severity vulnerabilities not present in previous reporting.

Related: Vulnerabilities · Sources: Help Net Security, Wired Security

FBI Warns of Hacker-Enabled Cargo Theft Surge

New

The FBI issued a new alert warning that criminal enterprises are hacking both brokers and carriers to steal cargo for resale, representing a newly reported threat vector targeting the transportation and logistics sector [4]. This aligns with the FBI's earlier Operation Winter SHIELD initiative focused on protecting the transportation and logistics sector [3]. The combination of cyber intrusion and physical cargo theft marks a distinct escalation in hybrid criminal tactics.

Related: Emerging Threats · Sources: FBI Cyber Division, SecurityWeek

7. Implications and Points to Watch

1. The deployment of Anthropic's 'Mythos' AI by both Mozilla (finding 271 Firefox bugs) and the NSA for vulnerability discovery, combined with commodity phishing kits like Bluekit now incorporating AI Assistants, signals that AI-assisted exploitation is bifurcating into both elite state-level and mass-market criminal tooling simultaneously — defenders must address both tiers rather than treating AI exploitation as solely a sophisticated threat [4] [7].
2. The MITRE ATT&CK v19 split of Defense Evasion into Stealth and Defense Impairment, combined with new AI-specific techniques like 'Query Public AI Services' and 'Generate Content,' means organizations with SIEM and SOAR detection logic mapped to the Defense Evasion tactic must urgently audit and remap their rules to avoid detection coverage gaps introduced by the tactic restructuring [1].
3. The combination of a nine-year-old Linux kernel privilege escalation flaw (CVE-2026-31431), a cPanel zero-day exploited for months before disclosure (CVE-2026-41940), and 88% GitHub server exposure to remote code execution illustrates that vulnerability dwell time and patching latency remain structurally unresolved problems — organizations should prioritize automated patch cadence and continuous exposure management over reactive patch responses [6].
4. The convergence of North Korean AI-assisted malware development, state-sponsored contract hacker extraditions, and scam center takedowns involving unprecedented FBI-Dubai-China coordination reflects a maturing international enforcement posture, yet HelpNetSecurity's reporting that AI is accelerating nation-state cyber programs suggests enforcement actions are not keeping pace with offensive capability development [6] [3].
5. Supply chain attacks now span traditional NPM packages (Axios, Lightning, Intercom), enterprise software (SAP), and AI model platforms (Hugging Face, ClawHub), with Cisco releasing an open-source AI model provenance toolkit in response — organizations dependent on open-source ecosystems and AI models should implement provenance verification and software composition analysis as baseline controls [5] [4] [6].
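The second point above, that detection rules tagged with the Defense Evasion tactic need an audit before the v19 remap, is the kind of check that can be scripted. The following is an added example written for this brief, not a MITRE or vendor tool; it assumes rules carry Sigma-style tags (such as `attack.defense_evasion` and `attack.t1562.001`), that TA0005 is the Defense Evasion tactic ID, and that the technique-to-new-tactic table is an operator-supplied placeholder to be filled from the official v19 data (the two entries shown are constructed for illustration, not taken from the release).

```python
"""Audit detection rules still mapped to the pre-v19 Defense Evasion tactic and
build a remap worklist. Example code added for this brief; assumptions are noted
inline, and the tactic mapping below is a placeholder, not v19 data."""
import re

# Tags that identify the old Defense Evasion tactic (Sigma tag and ATT&CK ID).
DEFENSE_EVASION_TAGS = {"attack.defense_evasion", "ta0005"}
TECHNIQUE_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")

# Placeholder: which v19 tactic each technique moved to. Values are ASSUMED for
# the example only; populate this table from the official v19 release data.
V19_TACTIC_FOR_TECHNIQUE = {
    "t1562": "defense_impairment",   # assumed, not from the brief
    "t1070": "stealth",              # assumed, not from the brief
}

# Constructed sample rules, modelled on Sigma rule metadata.
SAMPLE_RULES = [
    {"id": "r-001", "title": "Security log cleared",
     "tags": ["attack.defense_evasion", "attack.t1070.001"]},
    {"id": "r-002", "title": "AV service stopped",
     "tags": ["attack.defense_evasion", "attack.t1562.001"]},
    {"id": "r-003", "title": "Credential dump via LSASS",
     "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"id": "r-004", "title": "Legacy rule, tactic tag only",
     "tags": ["attack.defense_evasion"]},
]


def techniques_of(rule):
    """Base technique IDs (sub-technique suffix stripped) referenced by a rule."""
    ids = []
    for tag in rule["tags"]:
        m = TECHNIQUE_RE.match(tag.lower())
        if m:
            ids.append(m.group(1).split(".")[0])
    return ids


def rules_mapped_to_defense_evasion(rules):
    """Rules whose tags still reference the old Defense Evasion tactic."""
    return [r for r in rules
            if any(t.lower() in DEFENSE_EVASION_TAGS for t in r["tags"])]


def build_remap_worklist(rules, mapping=V19_TACTIC_FOR_TECHNIQUE):
    """Propose a v19 tactic tag per affected rule, or flag it for manual review.

    Tactic-only rules and rules whose technique is missing from the mapping
    cannot be remapped safely and are marked 'manual_review' so that the
    detection is not silently dropped from coverage reports."""
    worklist = []
    for rule in rules_mapped_to_defense_evasion(rules):
        techs = techniques_of(rule)
        targets = {mapping[t] for t in techs if t in mapping}
        unresolved = [t for t in techs if t not in mapping]
        if len(targets) == 1 and not unresolved:
            action = "retag:attack." + targets.pop()
        else:
            action = "manual_review"
        worklist.append({"id": rule["id"], "action": action,
                         "unresolved": unresolved})
    return worklist
```

Run `build_remap_worklist(SAMPLE_RULES)` against an export of your own rule metadata; the `manual_review` items are where coverage gaps would otherwise appear after the restructuring.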
8. Sources

[1] Research

Documents ATT&CK v19 released April 28, 2026, splitting Defense Evasion into Stealth and Defense Impairment, adding Sub-Techniques to ICS ATT&CK, introducing Detection Strategies in Mobile ATT&CK, and adding new techniques including Query Public AI Services, Generate Content, and Social Engineering sub-techniques. Framework now contains 949 software, 178 groups, and 59 campaigns.

Related: Threat Intelligence Framework
[2] Official document
DOJ CCIPS, 2026-04-30

Announced April 30, 2026 sentencing of two American cybersecurity professionals to four years each for ALPHV BlackCat ransomware conspiracy, extradition of German national from Colombia for operating The Versus Project dark web marketplace, coordinated takedown of scam centers resulting in 276 arrests with FBI, Dubai Police, and Chinese Ministry of Public Security cooperation, and sentencing of Russian citizen Aleksei Volkov to 81 months for assisting cybercrime groups.

Related: Law Enforcement
[3] Official document

Reported April 27, 2026 extradition of prolific Chinese state-sponsored contract hacker from Italy, April 29 unprecedented 276-arrest scam center takedown, April 16 DDoS-for-hire crackdown, April 10 global phishing network takedown with Indonesian authorities, and new alert warning criminal enterprises are hacking brokers and carriers to steal cargo.

Related: Law Enforcement
[4] News
SecurityWeek, 2026-04-30

Reported AI fueling industrial cybercrime with time-to-exploit shrinking to hours, Anthropic unveiling Claude Security to counter AI-powered exploit surge, Mythos signaling new era of near-instant exploitation, new Bluekit phishing kit with AI Assistant and automated domain registration, supply chain attack hitting 1,800 users via SAP/Lightning/Intercom packages, Hugging Face and ClawHub abused for malware, SonicWall urging immediate firewall patching, and Cisco releasing open-source AI model provenance toolkit.

Related: Emerging Threats
[5] Blog
Mandiant Blog, 2026-04-30

Published guidance on defending enterprises when AI models can find vulnerabilities faster than ever, reported North Korea-nexus threat actor compromising the Axios NPM package in a supply chain attack, and highlighted need for defenders to prepare for advances in AI model-powered exploitation and mass identification of security vulnerabilities.

Related: Emerging Threats
[6] News

Reported nine-year-old Linux kernel flaw CVE-2026-31431 enabling reliable local privilege escalation, cPanel zero-day CVE-2026-41940 exploited for months before patch, Windows Shell CVE-2026-32202 actively exploited per CISA and Microsoft warning, 88% of self-hosted GitHub servers exposed to RCE via CVE-2026-3854, shadow AI and supply chain compromise rewriting financial sector threat playbook, and AI accelerating nation-state cyber programs.

Related: Vulnerabilities
[7] News
Wired Security, 2026-04-30

Reported Mozilla used Anthropic's Mythos to find and fix 271 bugs in Firefox, NSA tested Mythos Preview for vulnerability discovery, North Korean hackers used AI for malware development and fake company websites stealing $12 million in three months, and a dangerous new Linux exploit giving attackers root access to a large number of computers corroborating CVE-2026-31431.

Related: Emerging Threats
