Hello, stay ahead with CISO Brief 🚀

🔎 SentinelOne researchers have disclosed fast16, a Lua-based cyber‑sabotage framework compiled in 2005 that predates Stuxnet. The implant embeds a Lua 5.0 VM and encrypted bytecode inside a carrier binary svcmgmt.exe and pairs with a kernel driver that patches executables to corrupt high‑precision calculations. fast16 targets legacy Windows 2000/XP environments and engineering simulation tools, and its discovery revises the timeline of state-backed cyber sabotage.

⚠️ CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog affecting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X routers, citing evidence of active exploitation. The listed flaws include two SimpleHelp issues (CVE-2024-57726, CVE-2024-57728), a Samsung path traversal (CVE-2024-7399), and a D-Link command injection (CVE-2025-29635). Agencies are urged to apply fixes or retire affected devices by May 8, 2026.

🔒 ADT confirmed unauthorized access to customer and prospective customer data detected on April 20, saying it terminated the intrusion and opened an investigation. The company reported that stolen information was limited to names, phone numbers, and addresses, with a small subset including dates of birth and the last four digits of SSNs or Tax IDs. ADT emphasized no payment data or customer security systems were affected. ShinyHunters claims over 10 million records were taken after a vishing attack that allegedly compromised an employee’s Okta SSO and accessed Salesforce data.

🔒 Unit 42 describes a fundamental shift in the npm threat landscape following the September 2025 Shai‑Hulud worm and subsequent 2026 incidents. Adversaries now harvest npm and GitHub tokens to persist inside CI/CD pipelines, deploy dormant multi‑stage payloads, and automatically republish backdoored packages. The report attributes a broad, coordinated campaign to TeamPCP, documents propagation via Docker Hub, GitHub Actions and VS Code extensions, and recommends mitigations such as credential rotation, egress filtering, and dependency pinning.

🚀 AWS Lambda now offers Provisioned Mode for event source mappings that consume Apache Kafka in the Asia Pacific (Taipei) and both AWS GovCloud (US‑East) and GovCloud (US‑West) Regions. Provisioned Mode lets you provision and auto-scale a configured minimum and maximum number of event pollers so polling capacity is ready to handle sudden traffic spikes and reduce processing delays. It supports Amazon MSK and self‑managed Kafka and can be enabled via the ESM API, Console, CLI, SDKs, or CloudFormation. Usage of event pollers is billed by Event Poller Units (EPUs).

🔗 Amazon Quick now integrates with Vee, the AI assistant from Visier, via the Model Context Protocol (MCP), enabling HR, finance, and operations leaders to access governed workforce intelligence directly inside the Quick workspace. After connecting to Visier’s remote MCP server, users can ask natural-language questions about headcount, attrition, tenure, and open requisitions and receive answers grounded in Visier’s governed data model. Vee can also be invoked from automated Quick Flows to run recurring reviews or draft documents, and Quick augments responses with enterprise knowledge from Quick Spaces—such as budgets, policies, and plans—so answers reflect the broader organizational context. The Visier integration is available in all AWS Regions where Amazon Quick is offered.

🔒 Amazon announced VPC egress support for AgentCore Gateway targets and AgentCore Identity, available in managed and self‑managed configurations. The capability lets Gateways invoke private resources inside a customer VPC (for example, EKS-hosted MCP servers) and allows Identity to validate tokens from and fetch tokens for private IdPs. The release also adds private DNS resolution for managed egress resources and is available in fourteen AWS Regions.

🔍 Researchers from three Hong Kong universities demonstrated a method to extract acoustic information from fiber-optic cables by measuring vibration-induced changes in the optical signal. Their experiments showed that strong vibrations such as footsteps can be detected remotely, but clear human speech was not recoverable without a local audio-to-vibration converter or significant control over provider equipment. The attack relies on sending optical pulses and measuring Rayleigh scattering-related deviations, and while technically feasible, it remains an unlikely and costly targeted threat requiring access to the Optical Distribution Network or an implanted converter to amplify audio signals.

🔥 A custom backdoor named Firestarter has been observed persisting on Cisco Firepower and Secure Firewall devices running ASA or FTD software, surviving reboots, firmware updates, and security patches. U.S. CISA and the U.K. NCSC link the activity to a threat actor tracked as UAT-4356, which exploited CVE-2025-20333 and CVE-2025-20362. Cisco recommends reimaging and upgrading affected devices; administrators can check compromise with show kernel process | include lina_cs, and CISA published YARA rules and mitigation guidance.

🔎 Since February, Unit 42 has observed sustained operations by TGR-STA-1030 across multiple countries, with a pronounced concentration in Central and South America. The observed intrusions reuse the same tactics, techniques, and procedures previously attributed to this group, indicating continuity with prior espionage campaigns. Analysts reference The Shadow Campaigns: Uncovering Global Espionage for historical context, and advise organizations in affected regions to review detections and strengthen defensive controls.

📜 The House Republican proposals — the SECURE Data Act and the GUARD Financial Data Act — would establish federal privacy standards that broadly preempt stronger state laws while limiting private lawsuits and centralizing enforcement with the FTC and state attorneys general. The bills emphasize data minimization, controller-processor obligations, a federal data broker registry, and new limits on automated profiling and teen data. Critics warn the measures could weaken existing protections, impose heavy operational burdens on CIOs and CISOs, and force vendors and legal teams to rework procurement, retention, and AI training practices.

🔧 Microsoft is rolling out Windows Update improvements to give users more control over update timing and reduce disruptive restarts. Insiders will see options to skip updates during OOBE, select specific pause dates via a calendar for up to 35 days, and separate standard power actions from update-triggering commands. Driver, .NET, and firmware updates will be consolidated with monthly quality updates to minimize reboots, while users can still opt to install specific updates earlier.

🤖 Google Cloud Next '26 in Las Vegas showcased a broad enterprise push into the agentic era, with over 32,000 attendees and 260 product, partner, and customer announcements. Highlights include the new Gemini Enterprise Agent Platform, the Gemini Enterprise app, 8th-generation TPUs, and a host of agent-focused capabilities for development, runtime, memory, observability, and governance. The week emphasized production readiness, cross-cloud data integration, and strengthened security through the Wiz acquisition and Model Armor integrations.

🔐 AWS Secrets Manager now prefers hybrid post-quantum TLS (ML‑KEM) for supported clients to reduce harvest-now, decrypt-later risk. Customers using the listed clients and SDK versions can get ML‑KEM key exchange without code changes; secrets at rest remain encrypted with AWS KMS and symmetric algorithms are considered quantum-resistant. Verify client negotiation via CloudTrail tlsDetails.keyExchange == X25519MLKEM768 and check SDK/OpenSSL requirements (for example, OpenSSL 3.5+ for Python). CRYSTALS‑Kyber support is being phased out in 2026, so upgrades are recommended to avoid fallback to traditional TLS.

🔒 Tyler Buchanan has pleaded guilty in a Florida court to conspiring with others to hack company computer systems and steal at least $8 million in virtual currency. He faces sentencing later this year. Buchanan is tied to the notorious Scattered Spider group, which has used SMS phishing and colleague impersonation to target employees. Security leaders are urged to reinforce defenses and train staff against social engineering.

📞 BlackFile, a financially motivated extortion group active since February 2026, is using vishing and spoofed VoIP/CNAM calls to impersonate IT support and harvest employee credentials and one-time passcodes. Palo Alto Networks' Unit 42 and RH-ISAC report attackers register devices to bypass multifactor authentication, escalate to executive accounts, and search Salesforce and SharePoint via APIs for files containing terms like 'confidential' and 'SSN'. Stolen data is moved to attacker-controlled infrastructure and published on a dark web leak site before seven-figure ransom demands are issued; victims have also faced swatting and targeted harassment. Organizations are advised to tighten call-handling policies, enforce caller identity verification, and conduct simulation-based social engineering training.

🔒 The US Cybersecurity and Infrastructure Security Agency (CISA) does not yet have access to Anthropic’s bug-hunting AI model, Claude Mythos, while other government bodies do. Anthropic has restricted preview access through Project Glasswing to a select set of agencies, industry groups, and software providers over concerns the model could be misused to find and exploit vulnerabilities. Bloomberg reports members of a private Discord channel obtained unauthorized access and have been using Mythos for non-cybersecurity purposes, supplying screenshots to support their claim.

🔐 Microsoft will roll out Entra passkey support for phishing‑resistant passwordless authentication on Windows devices starting in late April, with general availability expected by mid‑June 2026. The capability enables device‑bound FIDO2 passkeys stored in the Windows Hello container and used via face, fingerprint, or PIN on corporate, personal, and shared devices, including unmanaged Windows machines. Administrators can control rollout and access through Conditional Access and Authentication Methods policies.