< ciso brief />

Hello, stay ahead with CISO Brief 🚀

Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.

👉 Join our Telegram channel for your daily update — stay informed, stay ready.

Cybersecurity News Digest — Daily Briefings

Latest News


Microsoft revamps Windows Insider Program channels

🛠️ Microsoft is rolling out a revamped Windows Insider Program to simplify channel structure and improve transparency around feature availability. The company is merging Dev and Canary into a new Experimental channel for high-risk or potentially non-shipping work, while maintaining an updated Beta channel where features in release notes will be broadly available without gradual rollouts. Experimental items may be gated behind Feature flags that users can toggle in Settings, and Microsoft is migrating Insiders in phases while shipping several preview builds and an updated Windows Update experience to give users more control over updates and reboots.

Threat Actor Uses Microsoft Teams to Deploy 'Snow' Malware

❄️ UNC6692 uses social engineering and Microsoft Teams to deliver a custom malware suite dubbed Snow. The attackers combine an 'email bombing' tactic with Teams messages posing as IT helpdesk staff to lure victims into installing a fake patch. The link drops AutoHotkey scripts that load SnowBelt, a malicious Chrome extension that operates in a headless Edge session, establishing persistence and relaying commands to a Python backdoor via a WebSocket tunneler.

Researchers Uncover pre-Stuxnet Lua Sabotage Tool fast16

🔎 SentinelOne researchers have disclosed fast16, a Lua-based cyber‑sabotage framework compiled in 2005 that predates Stuxnet. The implant embeds a Lua 5.0 VM and encrypted bytecode inside a carrier binary svcmgmt.exe and pairs with a kernel driver that patches executables to corrupt high‑precision calculations. fast16 targets legacy Windows 2000/XP environments and engineering simulation tools, and its discovery revises the timeline of state-backed cyber sabotage.

CISA Adds Four Actively Exploited Flaws to KEV Catalog

⚠️ CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog affecting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X routers, citing evidence of active exploitation. The listed flaws include two SimpleHelp issues (CVE-2024-57726, CVE-2024-57728), a Samsung path traversal (CVE-2024-7399), and a D-Link command injection (CVE-2025-29635). Agencies are urged to apply fixes or retire affected devices by May 8, 2026.

ADT Confirms Customer Data Breach After ShinyHunters Threat

🔒 ADT confirmed unauthorized access to customer and prospective customer data detected on April 20, saying it terminated the intrusion and opened an investigation. The company reported that stolen information was limited to names, phone numbers, and addresses, with a small subset including dates of birth and the last four digits of SSNs or Tax IDs. ADT emphasized no payment data or customer security systems were affected. ShinyHunters claims over 10 million records were taken after a vishing attack that allegedly compromised an employee’s Okta SSO and accessed Salesforce data.

Shai-Hulud Worm Elevates npm Supply-Chain Risk Globally

🔒 Unit 42 describes a fundamental shift in the npm threat landscape following the September 2025 Shai‑Hulud worm and subsequent 2026 incidents. Adversaries now harvest npm and GitHub tokens to persist inside CI/CD pipelines, deploy dormant multi‑stage payloads, and automatically republish backdoored packages. The report attributes a broad, coordinated campaign to TeamPCP, documents propagation via Docker Hub, GitHub Actions and VS Code extensions, and recommends mitigations such as credential rotation, egress filtering, and dependency pinning.

AWS Lambda: Provisioned Mode for Kafka ESM in three regions

🚀 AWS Lambda now offers Provisioned Mode for event source mappings that consume from Apache Kafka in the Asia Pacific (Taipei) Region and in both the AWS GovCloud (US‑East) and AWS GovCloud (US‑West) Regions. Provisioned Mode lets you configure a minimum and maximum number of event pollers that Lambda provisions and auto-scales, so polling capacity is ready to handle sudden traffic spikes and reduce processing delays. It supports Amazon MSK and self‑managed Kafka and can be enabled via the ESM API, Console, CLI, SDKs, or CloudFormation. Usage of event pollers is billed in Event Poller Units (EPUs).

Amazon Quick Integrates Visier's Vee for Workforce AI

🔗 Amazon Quick now integrates with Vee, the AI assistant from Visier, via the Model Context Protocol (MCP), enabling HR, finance, and operations leaders to access governed workforce intelligence directly inside the Quick workspace. After connecting to Visier’s remote MCP server, users can ask natural-language questions about headcount, attrition, tenure, and open requisitions and receive answers grounded in Visier’s governed data model. Vee can also be invoked from automated Quick Flows to run recurring reviews or draft documents, and Quick augments responses with enterprise knowledge from Quick Spaces—such as budgets, policies, and plans—so answers reflect the broader organizational context. The Visier integration is available in all AWS Regions where Amazon Quick is offered.

Amazon AgentCore Gateway and Identity Add VPC Egress

🔒 Amazon announced VPC egress support for AgentCore Gateway targets and AgentCore Identity, available in managed and self‑managed configurations. The capability lets Gateways invoke private resources inside a customer VPC (for example, EKS-hosted MCP servers) and allows Identity to validate tokens from and fetch tokens for private IdPs. The release also adds private DNS resolution for managed egress resources and is available in fourteen AWS Regions.

Researchers Demonstrate Fiber-Optic Eavesdropping Limits

🔍 Researchers from three Hong Kong universities demonstrated a method to extract acoustic information from fiber-optic cables by measuring vibration-induced changes in the optical signal. Their experiments showed that strong vibrations such as footsteps can be detected remotely, but clear human speech was not recoverable without a local audio-to-vibration converter or significant control over provider equipment. The attack relies on sending optical pulses and measuring Rayleigh scattering-related deviations, and while technically feasible, it remains an unlikely and costly targeted threat requiring access to the Optical Distribution Network or an implanted converter to amplify audio signals.

Firestarter Backdoor Survives Cisco Firewall Patches

🔥 A custom backdoor named Firestarter has been observed persisting on Cisco Firepower and Secure Firewall devices running ASA or FTD software, surviving reboots, firmware updates, and security patches. U.S. CISA and the U.K. NCSC link the activity to a threat actor tracked as UAT-4356, which exploited CVE-2025-20333 and CVE-2025-20362. Cisco recommends reimaging and upgrading affected devices; administrators can check for signs of compromise by running the command 'show kernel process | include lina_cs', and CISA has published YARA rules and mitigation guidance.

Unit 42 Tracks New TGR-STA-1030 Activity in Central America

🔎 Since February, Unit 42 has observed sustained operations by TGR-STA-1030 across multiple countries, with a pronounced concentration in Central and South America. The observed intrusions reuse the same tactics, techniques, and procedures previously attributed to this group, indicating continuity with prior espionage campaigns. Analysts reference The Shadow Campaigns: Uncovering Global Espionage for historical context, and advise organizations in affected regions to review detections and strengthen defensive controls.

House GOP Privacy Bills Challenge Enterprise Data Practices

📜 The House Republican proposals — the SECURE Data Act and the GUARD Financial Data Act — would establish federal privacy standards that broadly preempt stronger state laws while limiting private lawsuits and centralizing enforcement with the FTC and state attorneys general. The bills emphasize data minimization, controller-processor obligations, a federal data broker registry, and new limits on automated profiling and teen data. Critics warn the measures could weaken existing protections, impose heavy operational burdens on CIOs and CISOs, and force vendors and legal teams to rework procurement, retention, and AI training practices.

Windows Update adds controls to reduce forced restarts

🔧 Microsoft is rolling out Windows Update improvements to give users more control over update timing and reduce disruptive restarts. Insiders will see options to skip updates during OOBE, select specific pause dates via a calendar for up to 35 days, and separate standard power actions from update-triggering commands. Driver, .NET, and firmware updates will be consolidated with monthly quality updates to minimize reboots, while users can still opt to install specific updates earlier.

Google Cloud Next '26: Agentic Era and 260 Announcements

🤖 Google Cloud Next '26 in Las Vegas showcased a broad enterprise push into the agentic era, with over 32,000 attendees and 260 product, partner, and customer announcements. Highlights include the new Gemini Enterprise Agent Platform, the Gemini Enterprise app, 8th-generation TPUs, and a host of agent-focused capabilities for development, runtime, memory, observability, and governance. The week emphasized production readiness, cross-cloud data integration, and strengthened security through the Wiz acquisition and Model Armor integrations.

AWS Secrets Manager Enables Hybrid Post-Quantum TLS

🔐 AWS Secrets Manager now prefers hybrid post-quantum TLS (ML‑KEM) for supported clients to reduce harvest-now, decrypt-later risk. Customers using the listed clients and SDK versions get ML‑KEM key exchange without code changes; secrets at rest remain encrypted with AWS KMS, and the symmetric algorithms used there are considered quantum-resistant. Verify that a client actually negotiated ML‑KEM by checking the CloudTrail field tlsDetails.keyExchange for the value X25519MLKEM768, and check the SDK and OpenSSL requirements (for example, OpenSSL 3.5+ for Python). CRYSTALS‑Kyber support is being phased out in 2026, so upgrading is recommended to avoid silent fallback to traditional TLS key exchange.

Scattered Spider Co-conspirator Pleads Guilty in US Case

🔒 Tyler Buchanan has pleaded guilty in a Florida court to conspiring with others to hack company computer systems and steal at least $8 million in virtual currency. He faces sentencing later this year. Buchanan is tied to the notorious Scattered Spider group, which has used SMS phishing and colleague impersonation to target employees. Security leaders are urged to reinforce defenses and train staff against social engineering.

BlackFile extortion gang targets retail and hospitality

📞 BlackFile, a financially motivated extortion group active since February 2026, is using vishing and spoofed VoIP/CNAM calls to impersonate IT support and harvest employee credentials and one-time passcodes. Palo Alto Networks' Unit 42 and RH-ISAC report attackers register devices to bypass multifactor authentication, escalate to executive accounts, and search Salesforce and SharePoint via APIs for files containing terms like 'confidential' and 'SSN'. Stolen data is moved to attacker-controlled infrastructure and published on a dark web leak site before seven-figure ransom demands are issued; victims have also faced swatting and targeted harassment. Organizations are advised to tighten call-handling policies, enforce caller identity verification, and conduct simulation-based social engineering training.