Hello, stay ahead with CISO Brief 🚀

⚠️ CISA added eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation and highlighting three flaws in Cisco Catalyst SD-WAN Manager. The list includes high-impact issues such as CVE-2025-32975 (Quest KACE SMA, CVSS 10.0) and authentication, path traversal, and XSS flaws in PaperCut, TeamCity, Kentico, and Zimbra. CISA noted prior ties of CVE-2023-27351 to Lace Tempest and recent Arctic Wolf telemetry on KACE abuse; Cisco confirmed active exploitation of two SD-WAN flaws in March 2026. Federal civilian agencies are urged to remediate the three Cisco vulnerabilities by April 23, 2026, and the remaining flaws by May 4, 2026.

📞 Amazon Web Services announced that Amazon Connect Outbound Campaigns can now dial contacts in a configurable priority order using up to 10 profile attributes for voice campaigns and voice activities in journeys. Initial attempts are prioritized over reattempts to preserve ordering during campaign execution. The capability is available in all AWS Regions where Outbound Campaigns is offered at no additional cost and is configured via Amazon Connect Customer Profiles. This enhancement helps agents focus on higher-value or time-sensitive contacts, improving campaign effectiveness and conversion rates.

🔒 KelpDAO reported a cross-chain exploit on April 18 that resulted in the theft of roughly 116,500 rsETH (about $293 million), funds which were then routed through Tornado Cash. The attacker compromised the verifier's RPC nodes in the DVN layer, feeding falsified chain data while DDoS-ing healthy nodes to force reliance on poisoned endpoints and accept a forged cross-chain message. LayerZero, Unichain and partners assisted in the investigation, which attributed the operation to the state-sponsored Lazarus Group, and KelpDAO paused rsETH contracts across Ethereum mainnet and L2s.

⚠️A cluster of 26 malicious apps on Apple's China App Store impersonated popular crypto wallets such as MetaMask, Coinbase, Trust Wallet, and OneKey to harvest recovery seed phrases and drain funds. The apps used typosquatting, fake branding, and were disguised as games or calculators to bypass local restrictions. They redirected victims to phishing pages that pushed trojanized wallets via abused iOS provisioning profiles; those trojans intercept mnemonics, encrypt them, and exfiltrate them. Kaspersky links the campaign, dubbed FakeWallet, to the ongoing SparkKitty operation, and Apple has removed the apps following disclosure.

🔧 Amazon Elastic Block Store (Amazon EBS) in the AWS European Sovereign Cloud (Germany) Region now supports up to four Elastic Volumes modifications per volume within a rolling 24‑hour window. Elastic Volumes lets you increase size, change type, or adjust performance without detaching volumes or restarting instances. The enhancement is automatically available and permits starting a new modification immediately after the previous one completes, improving operational agility for sudden data growth or workload spikes.

🔔 Amazon Elastic VMware Service (Amazon EVS) now provides Microsoft Windows Server licensing entitlements, allowing customers to migrate or create Windows Server VMs in EVS and obtain licensing directly from AWS. Administrators configure an EVS connector to their VMware vCenter and supply VM IDs via the console or CLI. Licensing is charged on a per vCPU‑hour basis and can be added or removed at any time; the feature is available in all Regions where EVS is offered.

🔒 Check Point Research uncovered a SystemBC proxy botnet of over 1,570 infected hosts tied to a Gentlemen ransomware affiliate, with telemetry indicating primarily corporate victims across the US, UK, Germany, Australia, and Romania. The discovery shows affiliates pairing SystemBC SOCKS5 tunneling with Cobalt Strike for covert payload delivery and lateral movement. Check Point published IoCs and a YARA signature to help defenders identify related activity.

🛡️ AWS IoT Greengrass v2.17 now supports running the edge runtime as a non-root user on Linux, helping organizations meet security and compliance requirements that prohibit root access. The update adds an uninstall lifecycle action for components and introduces nucleus lite optimizations — including a Secure Tunneling lite component (~4 MB), TPM 2.0 support for fleet provisioning, and a PKCS#11 interface for HSM-backed authentication — to reduce memory consumption. v2.17 is available in all Regions where Greengrass is offered.

🔒Seiko USA's website was briefly defaced over the weekend, showing a page titled 'HACKED' in the Press Lounge that replaced normal content with an extortion notice. The attackers claimed they had accessed the company's Shopify backend and exfiltrated the entire customer database, including names, email addresses, phone numbers, order history, shipping data, and account details. The message instructed Seiko to contact a specific customer account (ID 8069776801871) and warned of a 72-hour deadline before publishing the alleged data; Seiko has removed the message and has not publicly confirmed the incident.

🚀 Amazon DocumentDB now supports an in-place major version upgrade from MongoDB-compatible 5.0 to 8.0 via the AWS Management Console, AWS SDK, or AWS CLI. The upgrade requires no new clusters, no endpoint changes, and no index rebuilds, reducing operational overhead and minimizing disruption. Version 8.0 delivers up to 7x faster query latency and up to 5x improved storage compression, and introduces features such as collation, views, new aggregation stages and operators, enhanced text search with text index v2, and much faster vector index builds (up to 30x). In-place MVU is available in all Regions where DocumentDB 8.0 is offered at no additional cost.

🔐 Amazon EKS now supports seven new IAM condition keys for cluster creation and configuration APIs, giving organizations finer-grained governance over cluster settings. Administrators can enforce private-only API endpoints, require customer-managed KMS keys for secret encryption, restrict approved Kubernetes versions, mandate deletion protection, set control plane scaling tiers, and enable zonal shift. The keys apply to CreateCluster, UpdateClusterConfig, UpdateClusterVersion, and AssociateEncryptionConfig APIs and integrate with Service Control Policies for centralized multi-account enforcement. They are available in all Regions where EKS is offered at no additional charge.

⚠️ A critical vulnerability (CVE-2026-5760) in SGLang allows remote code execution via specially crafted GGUF model files. The flaw targets the /v1/rerank endpoint, where a malicious tokenizer.chat_template containing a Jinja2 SSTI payload is rendered using an unsandboxed jinja2.Environment(), enabling arbitrary Python execution. Researcher Stuart Beck reported the issue to CERT/CC, which recommends replacing jinja2.Environment() with ImmutableSandboxedEnvironment to mitigate the risk. No patch was obtained during coordination.

⚡ Amazon Connect Outbound Campaigns now supports hourly segment refresh, reducing the minimum refresh interval from 24 hours to one hour. This lets campaigns enroll newly eligible customers throughout the day instead of waiting for a daily run. The capability applies across all campaign types, is available in all AWS Regions where Amazon Connect Outbound Campaigns is offered at no extra cost, and can be enabled via the console or the API by turning on the Refresh option.

🔐 Microsoft Deputy CISO Ilya Grebnov outlines practical steps to make opportunistic cyberattacks harder by design. He emphasizes credential elimination using managed identities and federated tokens, paired with endpoint reduction to move services off the public internet. The article further advocates platform engineering—paved paths, policy-as-code, and centralized core services—to enforce consistent secure defaults and reduce the attack surface at scale.

🔎 Darktrace researchers have analyzed a newly identified malware called ZionSiphon that combines typical endpoint compromise techniques with functions tailored to industrial control systems, specifically targeting water treatment and desalination infrastructure. The sample includes privilege escalation, persistence, and USB-based propagation alongside environment and software checks for reverse osmosis and chlorine control. While it can scan OT protocols such as Modbus and attempt register modifications, implementation gaps and a country-validation flaw suggest the strain is an early-stage tool that may fail to activate in many environments.

🛡️ This AWS Security Blog post demonstrates how to clone an AWS CloudHSM cluster across Regions using the copy-backup-to-region workflow and Client SDK 5 (recommended version 5.17 or later). It walks through creating and initializing a source cluster, generating a backup, copying that backup to a destination Region, and launching a new cluster from the copied backup, including certificate transfer and security group adjustments. The guide emphasizes that non-exportable keys can only be synchronized to cloned clusters, that users and passwords must be maintained manually after the initial backup, and that Client SDK 3 reached end-of-support on January 1, 2025, so migration to SDK 5 is required.

🔒 Microsoft warns that threat actors are increasingly abusing external Microsoft Teams collaboration to impersonate IT or helpdesk staff and gain remote access. Attackers initiate cross-tenant chats to request remote assistance—commonly via Quick Assist—then perform reconnaissance and deploy small payloads into user-writable locations. They abuse trusted, signed applications for execution and use HTTPS-based C2 and tools like Rclone to exfiltrate filtered, high-value data, often blending into normal traffic. Administrators are urged to treat external Teams contacts as untrusted, restrict remote-assistance tools, and limit WinRM usage.

🔒 Two phishing campaigns are delivering Formbook infostealer to Windows devices using distinct stealth techniques. One abuses DLL sideloading via RAR attachments containing multiple DLLs and an EXE, while the other hides payloads in obfuscated JavaScript and PDF files that drop PowerShell commands and a custom loader. WatchGuard warns these methods leverage trusted processes to evade detection and urges monitoring of archive attachments, anomalous DLL loads and suspicious PowerShell activity.