FIRESTARTER Backdoor Found in Federal Agency's System; CISA KEV Adds Four Flaws Disclosed >1 Year ago

The US Cybersecurity and Infrastructure Security Agency (CISA) alongside the UK National Cyber Security Centre (NCSC) is directing federal agencies to take new steps for threat hunting, mitigation, and reporting of persistent malware introduced by the exploitation of flaws in Cisco Firepower and Secure Firewall products with Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. While investigating suspicious network connections, CISA discovered Line Viper malware and a backdoor called FIRESTARTER on an unnamed Federal Civilian Executive Branch agency's (FCEB's) systems, allowing a threat actor to maintain persistence. "Although Cisco’s patches addressed [the vulnerabilities], devices compromised prior to patching may remain vulnerable because FIRESTARTER is not removed by firmware updates." FCEBs must consult V1: ED 25-03 for mitigation, which includes instructions to collect and submit core dumps to the Malware Next Generation platform, report the submission, and await further direction from CISA. All other organizations are urged to hunt using provided YARA rules against a disk image or core dump, report findings to CISA or the NCSC, and conduct incident response if compromise is confirmed. Cisco's concurrent advisory "strongly recommends reimaging and upgrading the device using the fixed releases," as well as checking for the malicious lina_cs process as an indicator of compromise (IoC).

Cisco first disclosed and released patches for CVE-2025-20333 (CVSS 9.9, buffer overflow allowing remote code execution) and CVE-2025-20362 (CVSS 8.6, missing authorization allowing privilege escalation) in September 2025. At the time the flaws were also added to CISA's Known Exploited Vulnerabilities catalog (KEV) with a 24-hour mitigation deadline for FCEBs; both had reportedly been exploited since May. Nonetheless, exploitation continued, and CISA updated its guidance in November, also warning that several agencies had incorrectly reported vulnerable devices as patched. The products affected, regardless of configuration, are Firepower 1000, 2100, 4100, and 9300 series, and Secure Firewall 200, 1200, 3100, 4200, and 6100 series devices.

On Friday, April 24, the US Cybersecurity and Infrastructure Security Agency (CISA) added four CVEs to the Known Exploited Vulnerabilities (KEV) catalog. All four have mitigation deadlines of Friday, May 8, 2026 for Federal Civilian Executive Branch (FCEB) agencies. Two of the vulnerabilities affect SimpleHelp remote support software v5.5.7 and earlier: a critical privilege elevation vulnerability (CVE-2024-57726) and a high-severity arbitrary code execution vulnerability (CVE-2024-57728), both initially disclosed in early January 2025. The third is a high-severity improper limitation of a pathname to a restricted directory vulnerability (CVE-2024-7399) in Samsung MagicINFO 9 Server version prior to 21.1050, initially disclosed in August 2024. The fourth is a high-severity command injection vulnerability (CVE-2025-29635) in D-Link DIR-823X 240126 and 240802 which was disclosed in early 2025. The Akamai Security Intelligence and Response Team (SIRT) recently detected this vulnerability being actively exploited.

Researchers from SentineOne's SentinelLABS have deciphered a cyber sabotage framework they are tracking as “fast16,” which "selectively targets high-precision calculation software, patching code in memory to tamper with results." The core components of fast16 date back to 2005, making it at least five years older than Stuxnet. When the malware propagates across a facility, it will produce "equivalent inaccurate calculations" on all affected systems; the effect could range from tainted research to serious physical damage. The researchers, Vitaly Kamluk and Juan Andrés Guerrero-Saade, initially "set out to trace the earliest sophisticated use of an embedded Lua engine in Windows malware." The existence of fast16 code first emerged in the Shadow Brokers 2017 NSA leak.

On April 24, 2026, home security provider ADT confirmed that it experienced a data breach on April 20. The company detected unauthorized access to "certain cloud-based environments" containing data belonging to current and prospective customers, and responded by immediately activating response protocols, "terminating the intrusion, launching a forensic investigation with leading third-party cybersecurity experts, and notifying law enforcement." The data accessed included names, phone numbers, and addresses, with a subset also including dates of birth and the last four digits of Social Security numbers or Tax IDs, and all affected individuals have been notified directly. ADT characterizes the scope of the attack as "limited," and has not verified any threat actor's claims, but the breach listing on Troy Baker's havibeenpwned estimates the affected accounts at 5.5 million.

Personal health data of more than 500,000 UK Biobank volunteers is being sold online. Biobank is a biomedical research database that comprises genome sequences, detailed bloodwork results, data gathered from scans and monitors, and details about lifestyles and habits. The organization says it is "the world’s most detailed study for tracking the long-term health of people as they age." Biobank volunteers had agreed to make their data available for research. The de-identified information is used by more than 22,000 researchers around the world, and participating researchers are prohibited from "publish[ing] any material which could lead to the identification (inadvertent or otherwise) of an individual." The breach has been traced to researchers at three participating institutions, and their access to Biobank data has been suspended. Biobank is temporarily suspending access to all their data while they put more stringent protection measures in place.

Two major suppliers of technology for utilities and medicine, respectively, have disclosed cyberattacks, both filing form 8-K with the US Securities and Exchange Commission (SEC). Itron is based in the US state of Washington and offers services and technology to support utilities and infrastructure for energy, water, gas, transportation, and other resources, counting over 8,000 utilities and cities in more than 100 countries among its clients. Itron activated its cybersecurity response plan on April 13, 2026 upon being notified of unauthorized third-party access to its systems, and also notified law enforcement and engaged external advisors "to assess, mitigate, remediate, and contain the unauthorized activity." Since removing the unauthorized access, Itron has not observed any further such activity in its corporate or customer-hosted systems. The company reports that its contingency plans and backup systems have allowed operations to continue, and anticipates that direct costs will be reimbursed by insurers, stating that the incident is unlikely to have a material impact. Medtronic is a medical technology company headquartered in Galway, Ireland, and Minneapolis, Minnesota, and is the largest medical device company in the world by revenue, exceeding Johnson & Johnson, Medline Industries, Siemens Healthineers, and Stryker. Medtronic disclosed on April 24 that its corporate IT systems were accessed by an unauthorized third party, prompting the company to contain the access, activate incident response protocols, and begin investigation and remediation with external cybersecurity experts. The company will notify and offer support services to any individuals whose personal information may have been accessed. There has been no identified impact to products, patient safety, connections to customers, manufacturing and distribution, financial reporting systems, or service to patients. Medtronic does not expect the incident to materially impact its business or financials.

On March 31, 2026, Canadian authorities arrested three men and confiscated three SMS blasters, believed to be the first known use of this technology in Canada. As described in the Toronto Police Service (TPS) press release, "an SMS blaster works by mimicking a legitimate cellular tower," intercepting mobile traffic by tricking devices in range to connect to the SMS blaster instead, allowing attackers to send "fraudulent text messages that appear to come from trusted organizations," including links for conducting SMS phishing. A TPS investigation dubbed "Project Lighthouse" began in November 2025, and led to the discovery of vehicles operating SMS blasters in multiple locations in the Greater Toronto Area. Detective Sergeant Lindsay Riddell estimated that tens of thousands of devices had connected to the blaster, causing over 13 million network disruptions in legitimate cell tower connections, potentially impacting access to 911 services. TPS seized "a large quantity of electronic evidence" in addition to the blasters themselves, and arrested two suspects; the third suspected conspirator turned himself in to the police three weeks later. TPS credits the work of the Coordinated Cyber Centre within its Intelligence Unit, as well as assistance from the Royal Canadian Mounted Police (RCMP) National Cybercrime Coordination Centre, RCMP’s Ontario Division, York Regional Police, Hamilton Police Service, and financial institutions and telecommunications providers. The press release reminds the public to never follow links or share personal information in unexpected text messages, to be wary of messages requesting payment, to access known apps and type trusted websites directly, and to report fraud incidents to the police.

The US Federal Communications Commission (FCC) has clarified that the agency's ban on routers made outside the country includes mobile hotspots. While the FCC made no formal announcement, it did add information to the "Is my device a consumer-grade router under the National Security Determination?" section on an FAQ page dedicated to the ban. The section clarifies that "consumer-grade portable or mobile MiFi Wi-Fi or hotspot devices for residential use [and] LTE/5G CPE devices for residential use" are considered consumer grade routers. Mobile phones with hotspot capabilities do not fall under the designation. Companies that manufacture mobile hotspots will be required to apply for an exemption if they wish to import and sell devices that have not received prior governmental approval. The device ban applies to consumer-grade devices, but industrial, enterprise, and military equipment are not subject to the ban.

Authorities in Italy have extradited a Chinese national to the US to face charges of wire fraud, aggravated identity theft and unauthorized access to protected computers. Xu Zeiwei appeared in US District Court in Houston, Texas on Monday, April 27, 2026. A November 2023 indictment alleges that Xu had a role in cyber intrusions that were part of the HAFNIUM campaign, which infected thousands of machines worldwide, and intrusions targeting COVID-19 research. The HAFNIUM campaign exploited vulnerabilities in Microsoft Exchange Server. The indictment also alleges that while working at a company called Shanghai Powerock Network Co. Ltd., Xu was directed by intelligence services in the People's Republic of China (PRC) to conduct these operations. Xu was arrested in Milan in July 2025. Xu's alleged accomplice, Zhang Yu, remains at large.