< ciso
brief />

Hello, stay ahead with CISO Brief

Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.


Cybersecurity News Digest — Daily Briefings

IR Trends Q1 2026: Phishing and public administration

Talos IR’s Q1 2026 analysis finds phishing reemerged as the top initial access vector, with public administration and health care tied as the most targeted sectors. Investigations documented abuse of AI-enabled services like Softr to build credential-harvesting pages and the first observed intrusion by Crimson Collective exploiting exposed developer secrets. Pre-ransomware activity rose but no encryptions occurred due to early mitigation. Talos emphasizes properly configured MFA, patching, and centralized logging.

ProxySmart Platform Found Powering 90+ SIM Farms Globally

Researchers at Infrawatch have identified a Belarus-associated platform, ProxySmart, linked to 87 control panels across 17 countries and 94 phone farm locations. The turnkey software provides device management, automated IP rotation, customer provisioning and anti-bot measures, enabling what researchers describe as SIM Farm as a Service. ProxySmart orchestrates both physical smartphones and USB 4G/5G modems, supports multiple proxy protocols, and includes OS fingerprint spoofing, significantly lowering the technical barrier for large-scale mobile proxy operations.

New Linux GoGra Backdoor Uses Microsoft Graph API for Comms

Symantec researchers describe a new Linux variant of the GoGra backdoor that abuses Microsoft Graph API and Outlook mailboxes for stealthy command-and-control. The malware uses hardcoded Azure AD credentials to obtain OAuth2 tokens and polls a mailbox folder named "Zomato Pizza" for base64-encoded, AES-CBC-encrypted commands. A Go-based dropper hides an i386 ELF payload as a PDF and establishes persistence via systemd and an XDG autostart entry mimicking the Conky monitor. Processed commands are encrypted and returned by reply email with the subject "Output," and the original command email is removed to limit forensic visibility.

Microsoft Issues Patch for Critical ASP.NET Core Flaw

Microsoft released an out-of-band update to address a high-severity privilege-escalation flaw in ASP.NET Core tracked as CVE-2026-40372 (CVSS 9.1). A regression in Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 allowed the managed encryptor to compute HMAC validation over incorrect payload bytes, enabling forged payloads to pass authenticity checks and potentially grant SYSTEM-level access on non-Windows hosts. Microsoft fixed the issue in ASP.NET Core 10.0.7 and warned tokens issued during the vulnerable window remain valid until the DataProtection key ring is rotated.

Anthropic Urges EPSS to Triage AI-Driven Vulnerabilities

Anthropic warns that its AI vulnerability-discovery system Mythos will sharply increase the pace and volume of software flaws, forcing defenders to prioritize what to fix. The company recommended using the probabilistic EPSS model (developed by Empirical Security and published through FIRST) to triage vulnerabilities—patching CISA’s KEV list first, then addressing CVEs above a chosen EPSS threshold. Empirical Security leaders emphasize that EPSS is machine-driven and already integrated across many vendor products.

Microsoft issues emergency patches for ASP.NET flaw

Microsoft has released out-of-band updates to fix a critical ASP.NET Core privilege escalation vulnerability (CVE-2026-40372) in the ASP.NET Core Data Protection APIs. A regression in the Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 packages caused HMAC validation to be computed over the wrong bytes, allowing forged auth cookies and decryption of protected payloads. Developers should update to 10.0.7, redeploy, and rotate DataProtection key rings to invalidate tokens issued during the vulnerable window.

UK Faces 'Perfect Storm' of Nation-State Cyber Threats

Richard Horne, CEO of the NCSC, warned at the tenth annual CYBERUK in Glasgow that the UK faces a “perfect storm” driven by rising geopolitical tensions and rapid AI-led technological change. He said nationally significant incidents remain broadly steady since the NCSC's last review, but the most serious threats now originate from nation states — notably Russia, China and Iran. The briefing urged organisations to shift from a prevention-only posture to a resilience mindset and to ensure fundamentals such as full visibility, 24/7 monitoring and correct configuration are in place.

Mustang Panda Deploys New LOTUSLITE Variant Targeting India

Acronis researchers have identified a new variant of LOTUSLITE, attributed with medium confidence to the Chinese-linked Mustang Panda, being distributed via a banking-themed lure focused on India. The backdoor uses a dynamic DNS HTTPS C2 and supports remote shell access, file operations, and session management, indicating espionage-focused intent rather than financial theft. The campaign begins with a Compiled HTML (CHM) file that embeds a legitimate executable with a rogue DLL and triggers JavaScript fetched from cosmosmusic[.]com to perform DLL side-loading. The implanted DLL, dnx.onecore.dll, communicates with editor.gleeze[.]com, and similar artifacts were found targeting South Korean and U.S. policy and diplomatic communities.

Critical Terrarium Sandbox Flaw Enables Root Code Execution

A critical vulnerability in the Python-based sandbox Terrarium (CVE-2026-5752) allows attackers to execute arbitrary code with root privileges by traversing JavaScript prototype chains in the Pyodide WebAssembly environment. Disclosed by CERT/CC and credited to researcher Jeremy Brown, the flaw permits sandbox escapes from Docker-deployed containers and can expose sensitive files or services. Because the project is no longer actively maintained, immediate mitigations are recommended, such as disabling untrusted code submissions and isolating containers.

Over 1,300 Microsoft SharePoint Servers Remain Unpatched

Over 1,300 Internet-exposed Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing vulnerability Microsoft fixed in its April 2026 Patch Tuesday. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition and was flagged as a zero-day exploited in the wild. Fewer than 200 systems have been patched since the update; organizations should apply Microsoft's fixes or recommended mitigations immediately.

AWS Winter 2025 SOC 1 Report Released — 184 Services

The Winter 2025 SOC 1 report from AWS is now available, covering 184 services for the 12-month period January 1–December 31, 2025. Customers can download the report through AWS Artifact. AWS reiterates its commitment to meeting heightened expectations for cloud service providers, and to continuously bring additional services into compliance scope. If you have questions or feedback, contact your AWS account team or the AWS Compliance team.

French ANTS Confirms Data Breach; Hacker Claims Sale

France's government agency ANTS confirmed a data breach after a threat actor claimed to have stolen citizen records in an intrusion last week. The agency says exposed fields may include login IDs, full names, email addresses, dates of birth, unique account identifiers and, for some individuals, postal addresses, places of birth and phone numbers. ANTS has notified CNIL and the Paris prosecutor, involved ANSSI, is informing affected users, and warns the data could be used for phishing and social engineering.

SageMaker Studio Enables IAM Identity Center Multi-Region

Amazon SageMaker now supports multi-region replication from IAM Identity Center (IdC), allowing administrators to deploy SageMaker Unified Studio domains in regions separate from their IdC instance. This capability preserves centralized single sign-on while enabling data residency and sovereignty controls. It is aimed at enterprise and regulated customers who need to process sensitive data in specific jurisdictions without fragmenting identity management.

Thousands of ActiveMQ Instances Unpatched After AI-Found Flaw

Two weeks after the April 7 disclosure of a remote code injection flaw (CVE-2026-34197) in Apache ActiveMQ, ShadowServer reports nearly 6,500 internet-facing instances remain unpatched. The vulnerability affects versions before 5.19.4 and 6.2.3 and can let an authenticated attacker load remote Spring XML to achieve code execution. CISA added the bug to its KEV list and organizations are urged to upgrade immediately.

Five Qwen Models Added to Amazon SageMaker JumpStart

AWS has added five new Qwen foundation models to SageMaker JumpStart, including Qwen3-Coder-Next, Qwen3-30B-A3B, Qwen3-30B-A3B-Thinking-2507, Qwen3-Coder-30B-A3B-Instruct, and Qwen3.5-4B. The models support agentic coding, extended reasoning, multimodal and multilingual workloads, and lightweight deployments. Customers can deploy them from SageMaker Studio or via the SageMaker Python SDK to accelerate development of coding agents and multimodal applications.

Amazon EKS Hybrid Nodes gateway simplifies hybrid networking

Amazon Elastic Kubernetes Service (EKS) introduces the Amazon EKS Hybrid Nodes gateway to automate networking between an EKS cluster VPC and Kubernetes Pods running on EKS Hybrid Nodes. The gateway removes the need to make on-premises pod networks routable and avoids extensive coordination with network teams by automatically maintaining VPC route tables as workloads scale. Deployed to Amazon EC2 instances via Helm, the gateway also enables control-plane-to-webhook, pod-to-pod, and AWS service connectivity (ALB, NLB, Amazon Managed Service for Prometheus). The codebase is open source and the feature is available in all Regions where EKS Hybrid Nodes is supported, excluding China Regions. AWS offers the gateway itself at no additional charge; customers pay for underlying EC2 and data transfer costs.

AWS Marketplace Adds Automated VAT Invoicing and Payouts

AWS Marketplace now provides a unified, self-service workflow for sellers to submit VAT invoices and receive automated VAT disbursements under deemed supply rules in the EU, UK, and Norway. Sellers can use the AWS Marketplace Management portal or AWS Partner Central to submit invoices, track status in real time, and consolidate multiple deemed supply transactions into a single periodic invoice when they share the same AWS EMEA branch and currency. The system validates required fields and disburses VAT after buyer payment, while supporting pre-submission so payments are processed once conditions are satisfied. Enhanced Seller Reports assist reconciliation and audit readiness and remove prior manual steps and separate platform onboarding.

Google Cloud Announces 2026 Partners of the Year Winners

Google Cloud today announced its 2026 Partner of the Year winners, honoring partners who used Google Cloud technologies to deliver transformative customer outcomes. Winners span global and country-level awards across categories such as Artificial Intelligence, Data, Security, Infrastructure Modernization, Google Workspace, and more. The awards recognize innovation, collaboration, and measurable impact in industries worldwide. Congratulations to the partners driving progress and customer success.