Canadian Cyber Security Journal
Filed under: News

Cybersecurity Daily Brief — Thursday, April 23, 2026

Here are today’s top cybersecurity stories for Thursday, April 23, 2026.

Canada Life Confirms ShinyHunters Breach Exposing 70,000 Canadians’ Data
Canada Life, one of Canada’s largest insurance and financial services companies, has confirmed a data breach after the ShinyHunters extortion group claimed access to 5.6 million Salesforce records containing policyholder and employee PII. The company states approximately 70,000 individuals had their data accessed through a compromised employee account. An April 21 ransom deadline passed, and the incident remains under investigation with external cybersecurity experts and law enforcement engaged. Canadian HR Reporter

CISA, NCSC-UK, CCCS, and Global Partners Issue Advisory on China-Nexus Covert Infrastructure Networks
CISA published advisory AA26-113A jointly with the UK NCSC, Canada’s Centre for Cyber Security (CCCS), and agencies from Australia, Germany, and Japan, warning that Chinese state-linked threat actors have fundamentally shifted tactics toward large-scale covert networks of compromised edge devices. These networks are used across every phase of the kill chain — from reconnaissance to data exfiltration — and are shared among multiple actor groups. The advisory includes detection indicators and mitigation guidance for defenders. CISA

Kyber Ransomware Debuts Post-Quantum Encryption Against Enterprise Windows and ESXi Targets
A new ransomware operation called Kyber is targeting large enterprises running Windows and VMware ESXi, with one Windows variant deploying NIST-standardized Kyber1024 post-quantum cryptography — the first confirmed production use in ransomware. Rapid7 recovered two distinct variants during a March 2026 incident response on the same network. The Linux ESXi variant uses ChaCha8 and RSA-4096 rather than post-quantum algorithms, despite the group’s marketing claims. Defense contractors and IT services firms appear to be primary targets. BleepingComputer

CISA KEV April 23 Deadline Passes — Cisco SD-WAN and Zimbra Vulnerabilities Now Overdue at Federal Agencies
The April 23 federal patching deadline set by CISA for three Cisco Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) and Zimbra XSS CVE-2025-48700 has now passed. Federal Civilian Executive Branch agencies not yet remediated are in violation of Binding Operational Directive 22-01. The Cisco SD-WAN flaws carry CVSS scores up to 10.0 and affect management infrastructure widely deployed across government and enterprise networks. The Hacker News

North Korea’s Lazarus Group Blamed for $290M KelpDAO DeFi Heist
LayerZero has attributed the April 18 theft of approximately $290 million from KelpDAO’s cross-chain bridge to North Korea’s Lazarus Group, specifically the TraderTraitor subunit. Attackers compromised two RPC nodes and forced a failover via DDoS, tricking the bridge verifier into approving a fraudulent transaction. The exploit wiped more than $13 billion in total value locked from DeFi platforms in two days, making it the largest DeFi theft of 2026. SecurityWeek

Pro-Iran 313 Team Disrupts Bluesky in 24-Hour DDoS Attack
The pro-Iran hacktivist group 313 Team, also known as Islamic Cyber Resistance in Iraq, claimed responsibility for a sustained DDoS attack that disrupted Bluesky for approximately 24 hours. The group claimed the attack peaked at 1 terabyte per second. Bluesky confirmed no unauthorized access to private user data and restored full service. The same group attacked Mastodon.social on April 20. SecurityWeek

The Gentlemen Ransomware: Seized SystemBC C2 Server Exposes 1,570+ Victims
Check Point Research published an analysis of The Gentlemen ransomware-as-a-service operation, revealing that a SystemBC command-and-control server contained records of more than 1,570 victims. Since emerging in July 2025, the group has claimed over 320 victims on its data leak site, with 240 attacks occurring in the first months of 2026. SystemBC establishes RC4-encrypted SOCKS5 tunnels to facilitate lateral movement and payload delivery inside victim environments. The Hacker News

MajorDoMo CVE-2026-27175: CVSS 9.8 Smart Home Platform RCE Added to CISA KEV
CISA added CVE-2026-27175 to the Known Exploited Vulnerabilities catalog following confirmed in-the-wild exploitation of an unauthenticated OS command injection flaw in MajorDoMo, an open-source smart home automation platform. The vulnerability allows remote code execution without credentials through the platform’s web-accessible script execution pipeline. Operators running internet-exposed MajorDoMo instances should patch or isolate immediately. NIST NVD

1,500+ Misconfigured Perforce P4 Servers Expose Source Code From Law Enforcement, EV, Finance, and Government Orgs
Australian researcher Morgan Robertson published findings from an investigation into internet-exposed Perforce Helix Core instances, identifying more than 1,500 servers allowing unauthorized read access to sensitive source code. Among the affected organizations are a North American law enforcement software provider, an EV startup, a global industrial automation firm, and a banking software manufacturer. The default Perforce configuration allows unauthenticated users to create accounts and access repositories, with no CVE assigned despite clear vulnerability criteria being met. P4WNED Research
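An added audit script (not from the article or from the P4WNED research) for checking your own Perforce Helix Core server against the permissive defaults described above: it scans a protections table in the format printed by `p4 protect -o` for grants that apply to every user, and shows a tightened table beside it. The sample tables, the `admin`, `developers` and `contractors` names, and the `audit_protections` function are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of a default-style `p4 protect -o` table. The
# "write user * * //..." line is what lets any account, including one
# auto-created on first login, read and write every depot path.
SAMPLE_PROTECT='Protections:
    super user admin * //...
    write user * * //...
    read group contractors * //depot/public/...'

# Print one line per grant that applies to all users ("user *") at read
# level or above. Exit status 1 if any such grant exists, 0 otherwise.
audit_protections() {
    printf '%s\n' "$1" | awk '
        # grant lines: <perm> <user|group> <name> <host> <path>
        $1 ~ /^(read|open|write|admin|super)$/ && $2 == "user" && $3 == "*" {
            printf "PERMISSIVE: %s granted to all users on %s from host %s\n", $1, $5, $4
            found = 1
        }
        END { if (found) exit 1; exit 0 }'
}

# Constructed hardened table: no wildcard-user grants; access is given per
# group, and super stays with a named administrator.
HARDENED_PROTECT='Protections:
    super user admin * //...
    write group developers * //depot/...
    read group contractors * //depot/public/...'

# Companion server settings (standard Perforce configurables, run as a
# super user) that close the account auto-creation path the article cites:
#   p4 configure set dm.user.noautocreate=2   # no user records created on first use
#   p4 configure set security=3               # require ticket-based, password-backed logins
# Usage: p4 protect -o | sed -n '/^Protections:/,$p' > /tmp/prot; audit_protections "$(cat /tmp/prot)"
```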

CISA Retires Ten Emergency Directives as KEV Catalog Assumes Enforcement Role
CISA formally retired ten Emergency Directives issued between 2019 and 2024, the largest single retirement in agency history. Seven directives addressed specific CVEs now tracked under CISA’s Known Exploited Vulnerabilities catalog via Binding Operational Directive 22-01. The remaining three were retired because their security objectives were achieved or superseded by updated federal practices. CISA

Stay tuned for today’s in-depth analysis posts.
