Cybersecurity News | Daily Recap [25 Apr 2026]

In today's recap, AI now drives the top initial-access vector, with phishing accounting for 35% of Q1 2026 compromises, and researchers warn that hidden indirect prompt injection is spreading across the open web to manipulate LLM agents. The recap also covers vulnerability advisories (KEV additions) involving SimpleHelp, Samsung MagicINFO 9 and D-Link DIR-823X, China-linked espionage tied to GopherWhisper and Song Wu, extortion and fraud cases including BlackFile and an SMS Blaster arrest, and policy moves such as the Section 702 extension and new Windows Update controls.

AI Threats

  • AI is now driving the top initial-access vector, with phishing making up 35% of Q1 2026 compromises while researchers also warn that hidden indirect prompt injection is spreading across the open web to manipulate LLM agents. – AI Phishing, Prompt Injection
  • The Pentagon is grappling with securing AI as it moves toward autonomous warfare, while disputes around Anthropic and Mythos Preview highlight ongoing trust and supply-chain concerns. – Autonomous AI, Glasswing
  • Microsoft is expanding passkeys and Windows Hello support for Entra on Windows, while the NCSC is urging users to ditch passwords in favor of phishing-resistant sign-ins. – Entra Passkeys, Drop Passwords

Vulnerabilities & Patches

  • CISA added 4 exploited flaws to its KEV catalog, including issues in SimpleHelp, Samsung MagicINFO 9, and D-Link DIR-823X devices linked to DragonForce and Mirai activity. – KEV Update
  • Pack2TheRoot (CVE-2026-41651) in PackageKit can give local Linux users root access, and the flaw has existed since 2014 before being fixed in PackageKit 1.3.5. – Pack2TheRoot
  • Firestarter and FIRESTARTER malware/backdoors are proving resilient, with one variant surviving Cisco firewall updates and another persisting on Cisco Firepower devices through firmware changes and reboots. – Firestarter, FIRESTARTER
  • Glasswing showed that AI can uncover obscure code flaws, finding a 16-year-old FFmpeg vulnerability that millions of fuzzing passes missed, underscoring how stale exposure often hides in plain sight. – Glasswing Code

Espionage & APTs

  • China-linked groups are abusing legitimate services and compromised edge devices for stealthy operations, with GopherWhisper targeting government systems and Flax Typhoon leveraging SOHO routers, IoT gear, and covert networks. – GopherWhisper, Covert Networks
  • NASA and U.S. defense-related organizations were targeted in a long-running spear-phishing campaign tied to Song Wu and AVIC, which sought aerospace modeling software and sensitive technology. – Song Wu
  • U.S. officials say Iranian-linked actors favor “low and slow” intrusions using stolen credentials and social engineering rather than dramatic one-shot attacks, as seen in the Stryker incident. – Iranian Actors
  • fast16, a Lua-based sabotage framework from 2005, predates Stuxnet and used a carrier process, DLL, and kernel driver to corrupt high-precision calculations across Windows 2000/XP networks. – fast16 Malware, Fast16 Link

Fraud & Extortion

  • The US dismantled a major scam network tied to Myanmar and Cambodia, seizing a Telegram channel and 500+ domains while reporting nearly 9,000 crypto-fraud cases and about $562 million recovered. – Scam Ring
  • ADT confirmed a data breach after ShinyHunters threatened to leak stolen records, with exposed data including names, phone numbers, addresses, and in some cases partial SSNs or Tax IDs. – ADT Breach, ADT Data
  • BlackFile is using vishing, stolen credentials, and abused Salesforce and SharePoint APIs to extort retail and hospitality victims with seven-figure ransom demands. – BlackFile
  • Toronto police arrested three suspects in Canada’s first known SMS blaster case, where rogue equipment impersonated cell towers, reached tens of thousands of phones, and caused over 13 million network disruptions. – SMS Blaster

Policy & Identity

  • Congress only passed a 10-day extension of Section 702 of FISA, leaving critics unhappy that the latest spy power reauthorization still lacks stronger warrant protections for Americans. – Section 702
  • Norway is considering a ban on social media for users under 16, with the prime minister pushing age verification rules to better protect young teens from big tech platforms. – Social Ban
  • Microsoft also rolled out Windows Update controls to reduce forced restarts, including a 35-day pause option and clearer update management for users. – Update Controls

Cybersecurity News | Daily Recap – hendryadrian.com