Hello, stay ahead with CISO Brief 🚀

Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.

👉 Join our Telegram channel for your daily update — stay informed, stay ready.

Cybersecurity News Digest — Daily Briefings

Latest News

all posts →

April 21, 2026

Weaponizing macOS Primitives for Movement and Execution

🔐 Talos demonstrates how adversaries can repurpose legitimate macOS features to achieve remote execution and lateral movement across enterprise fleets. By weaponizing Remote Application Scripting (RAE) and abusing Spotlight Finder comments as a staging area, attackers can bypass static file analysis and traditional SSH-focused telemetry. The research validates multiple native transfer channels—including SMB, netcat, Git, TFTP, and SNMP—and urges defenders to emphasize process lineage, IPC anomalies, and strict MDM controls.

Lateral Movement Remote Code Execution Defense Evasion Threat Research

April 21, 2026

Identity: The New Foundation of Digital Transformation

🔐 Identity-centric systems have evolved from simple login mechanisms into the operational backbone of digital enterprises. By replacing the old network perimeter with a person- and device-centric model, modern identity frameworks enable fine-grained access control, real-time authorization and auditable accountability across cloud, mobile and distributed workforces. They also power customer personalization and fraud detection, helping teams move faster while reducing operational and security risk.

Identity Security Zero Trust IAM

April 21, 2026

Vercel Confirms Cyber Incident After Third-Party Compromise

🔒 Vercel has confirmed a cyber incident in which a "highly sophisticated" attacker exploited the third-party tool Context.ai after an employee authorized the app. The adversary used that access to take over the employee's Vercel Google Workspace account and accessed several environments and environment variables not marked as sensitive; sensitive variables are stored unreadable and show no evidence of access. Vercel says npm packages and major projects like Next.js were not compromised, has engaged Mandiant to investigate, and is notifying affected customers while advising MFA, rotation of exposed variables, and strengthened deployment protections.

Supply Chain Compromise Cloud Account Compromise OAuth App Abuse Incident Response

April 21, 2026

Top Techniques Attackers Use to Infiltrate Systems

🔒 Much reporting on cyber risk focuses on AI, but frontline incidents remain grounded in social engineering and identity exploitation. Experts say attackers increasingly abuse legitimate tools — including trojanized RMM clients — and target network security appliances, OAuth flows, and machine identities to bypass defenses. Techniques like ClickFix, phishing, token theft and supply‑chain worms enable lateral movement and ransomware. Defenders should combine user training, RMM allowlists and layered, phishing‑resistant authentication.

ClickFix Token Theft Ransomware

April 21, 2026

NGate Android Malware Hides in Trojans of HandyPay App

🔒 A new NGate variant is delivered inside a trojanized version of HandyPay, a legitimate NFC payments app, to steal payment card data from Android devices. Researchers at ESET say the campaign has been active since November 2025 and primarily targets users in Brazil, using fake Google Play pages and a malicious APK distribution chain. The trojan asks victims to set it as the default NFC payment app, collect card PINs and card taps, and exfiltrates data via a hardcoded email address.

Malware Infostealer Supply Chain Compromise Data Exfiltration

April 21, 2026

Handala, CyberAv3ngers and Iran’s Proxy Cyber Ops Activities

🔍 US authorities issued an April 7 advisory warning that Iranian-affiliated APTs could be conducting infrastructural cyberattacks, citing links to 2023 water and wastewater incidents attributed to CyberAv3ngers. The article examines two prominent groups — Handala Hack Team and CyberAv3ngers — and argues they function as proxy or false-flag operations likely tied to Iran’s Ministry of Intelligence. It describes a broader pattern of gray warfare, where state actors obscure involvement to retain plausible deniability while exerting persistent pressure on adversaries.

Iran-nexus Critical Infrastructure Nation-State Actor Threat Research

April 21, 2026

North Korea-Linked Lazarus Suspected in $290M KelpDAO Heist

🔒 State-backed North Korean actors are the primary suspects in a roughly $293m theft from KelpDAO, which paused operations after detecting suspicious cross-chain activity involving rsETH. Attackers exploited LayerZero verifier infrastructure by poisoning downstream RPCs, swapping op-geth binaries and executing an RPC‑spoofing attack to forge a cross-chain message. They routed stolen funds through Tornado Cash, while Arbitrum's Security Council has frozen about 30,766 ETH (~$71m). LayerZero contends KelpDAO ran a single-DVN configuration against best practices; KelpDAO blames LayerZero's infrastructure.

Lazarus Group North Korea-nexus Supply Chain Compromise Data Breach

April 21, 2026

CISA Adds Eight Exploited Flaws to KEV Catalog, Fixes Needed

⚠️ CISA added eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation and highlighting three flaws in Cisco Catalyst SD-WAN Manager. The list includes high-impact issues such as CVE-2025-32975 (Quest KACE SMA, CVSS 10.0) and authentication, path traversal, and XSS flaws in PaperCut, TeamCity, Kentico, and Zimbra. CISA noted prior ties of CVE-2023-27351 to Lace Tempest and recent Arctic Wolf telemetry on KACE abuse; Cisco confirmed active exploitation of two SD-WAN flaws in March 2026. Federal civilian agencies are urged to remediate the three Cisco vulnerabilities by April 23, 2026, and the remaining flaws by May 4, 2026.

CISA KEV Cisco Active Exploitation Vulnerability Disclosure

April 21, 2026

Amazon Connect Adds Priority Dialing for Outbound Campaigns

📞 Amazon Web Services announced that Amazon Connect Outbound Campaigns can now dial contacts in a configurable priority order using up to 10 profile attributes for voice campaigns and voice activities in journeys. Initial attempts are prioritized over reattempts to preserve ordering during campaign execution. The capability is available in all AWS Regions where Outbound Campaigns is offered at no additional cost and is configured via Amazon Connect Customer Profiles. This enhancement helps agents focus on higher-value or time-sensitive contacts, improving campaign effectiveness and conversion rates.

AWS Product Update

April 20, 2026

KelpDAO Hit by $290M Heist, Lazarus Group Suspected

🔒 KelpDAO reported a cross-chain exploit on April 18 that resulted in the theft of roughly 116,500 rsETH (about $293 million), funds which were then routed through Tornado Cash. The attacker compromised the verifier's RPC nodes in the DVN layer, feeding falsified chain data while DDoS-ing healthy nodes to force reliance on poisoned endpoints and accept a forged cross-chain message. LayerZero, Unichain and partners assisted in the investigation, which attributed the operation to the state-sponsored Lazarus Group, and KelpDAO paused rsETH contracts across Ethereum mainnet and L2s.

Lazarus Group North Korea-nexus Data Breach Supply Chain Compromise

April 20, 2026

Chinese App Store Infiltrated by Crypto Wallet Scams

⚠️A cluster of 26 malicious apps on Apple's China App Store impersonated popular crypto wallets such as MetaMask, Coinbase, Trust Wallet, and OneKey to harvest recovery seed phrases and drain funds. The apps used typosquatting, fake branding, and were disguised as games or calculators to bypass local restrictions. They redirected victims to phishing pages that pushed trojanized wallets via abused iOS provisioning profiles; those trojans intercept mnemonics, encrypt them, and exfiltrate them. Kaspersky links the campaign, dubbed FakeWallet, to the ongoing SparkKitty operation, and Apple has removed the apps following disclosure.

Typosquatting Phishing Malware Supply Chain Compromise

April 20, 2026

Amazon EBS allows four volume modifications in Europe

🔧 Amazon Elastic Block Store (Amazon EBS) in the AWS European Sovereign Cloud (Germany) Region now supports up to four Elastic Volumes modifications per volume within a rolling 24‑hour window. Elastic Volumes lets you increase size, change type, or adjust performance without detaching volumes or restarting instances. The enhancement is automatically available and permits starting a new modification immediately after the previous one completes, improving operational agility for sudden data growth or workload spikes.

AWS AWS S3 Cloud Security Product Update

April 20, 2026

Amazon EVS Adds Microsoft Windows Server Licensing

🔔 Amazon Elastic VMware Service (Amazon EVS) now provides Microsoft Windows Server licensing entitlements, allowing customers to migrate or create Windows Server VMs in EVS and obtain licensing directly from AWS. Administrators configure an EVS connector to their VMware vCenter and supply VM IDs via the console or CLI. Licensing is charged on a per vCPU‑hour basis and can be added or removed at any time; the feature is available in all Regions where EVS is offered.

AWS VMware Product Update

April 20, 2026

Gentlemen Ransomware Uses SystemBC Botnet for Corporates

🔒 Check Point Research uncovered a SystemBC proxy botnet of over 1,570 infected hosts tied to a Gentlemen ransomware affiliate, with telemetry indicating primarily corporate victims across the US, UK, Germany, Australia, and Romania. The discovery shows affiliates pairing SystemBC SOCKS5 tunneling with Cobalt Strike for covert payload delivery and lateral movement. Check Point published IoCs and a YARA signature to help defenders identify related activity.

Ransomware Cobalt Strike Botnet Lateral Movement

April 20, 2026

AWS IoT Greengrass v2.17 Enables Non-Root Edge Runtime

🛡️ AWS IoT Greengrass v2.17 now supports running the edge runtime as a non-root user on Linux, helping organizations meet security and compliance requirements that prohibit root access. The update adds an uninstall lifecycle action for components and introduces nucleus lite optimizations — including a Secure Tunneling lite component (~4 MB), TPM 2.0 support for fleet provisioning, and a PKCS#11 interface for HSM-backed authentication — to reduce memory consumption. v2.17 is available in all Regions where Greengrass is offered.

AWS Product Update

April 20, 2026

Seiko USA Website Defaced; Hacker Claims Customer Data Theft

🔒Seiko USA's website was briefly defaced over the weekend, showing a page titled 'HACKED' in the Press Lounge that replaced normal content with an extortion notice. The attackers claimed they had accessed the company's Shopify backend and exfiltrated the entire customer database, including names, email addresses, phone numbers, order history, shipping data, and account details. The message instructed Seiko to contact a specific customer account (ID 8069776801871) and warned of a 72-hour deadline before publishing the alleged data; Seiko has removed the message and has not publicly confirmed the incident.

Data Breach Incident Response

April 20, 2026

Amazon DocumentDB Supports In-Place Major Upgrade 5.0 to 8.0

🚀 Amazon DocumentDB now supports an in-place major version upgrade from MongoDB-compatible 5.0 to 8.0 via the AWS Management Console, AWS SDK, or AWS CLI. The upgrade requires no new clusters, no endpoint changes, and no index rebuilds, reducing operational overhead and minimizing disruption. Version 8.0 delivers up to 7x faster query latency and up to 5x improved storage compression, and introduces features such as collation, views, new aggregation stages and operators, enhanced text search with text index v2, and much faster vector index builds (up to 30x). In-place MVU is available in all Regions where DocumentDB 8.0 is offered at no additional cost.

AWS Product Update

April 20, 2026

Amazon EKS Adds Seven IAM Condition Keys for Governance

🔐 Amazon EKS now supports seven new IAM condition keys for cluster creation and configuration APIs, giving organizations finer-grained governance over cluster settings. Administrators can enforce private-only API endpoints, require customer-managed KMS keys for secret encryption, restrict approved Kubernetes versions, mandate deletion protection, set control plane scaling tiers, and enable zonal shift. The keys apply to CreateCluster, UpdateClusterConfig, UpdateClusterVersion, and AssociateEncryptionConfig APIs and integrate with Service Control Policies for centralized multi-account enforcement. They are available in all Regions where EKS is offered at no additional charge.

AWS AWS EKS IAM Cloud Security