Here are today’s top cybersecurity stories for Friday, April 24, 2026.
CISA and NCSC Confirm FIRESTARTER Backdoor on Federal Cisco Firepower Device
CISA and the UK National Cyber Security Centre jointly published a malware analysis report on FIRESTARTER, a Linux backdoor implanted by state-sponsored threat actor UAT-4356 on Cisco Firepower and Secure Firewall appliances. The malware exploits CVE-2025-20333 and CVE-2025-20362, survives standard software reboots, and was confirmed on a US federal civilian agency device. Only a hard power cycle removes the implant. An updated Emergency Directive requires all FCEB agencies to audit Cisco firewall infrastructure and submit device memory snapshots by April 25. CISA
LMDeploy CVE-2026-33626 SSRF Flaw Exploited Within 13 Hours of Disclosure
A Server-Side Request Forgery vulnerability in LMDeploy (CVE-2026-33626, CVSS 7.5), an open-source large language model deployment toolkit, was exploited in the wild within 13 hours of its public disclosure on April 21. Attackers used the vision-language image loader as an SSRF primitive to port-scan internal networks and probe AWS metadata services, Redis, and MySQL endpoints. Sysdig honeypot telemetry documented the attack chain. Version 0.12.3 patches the issue. The Hacker News
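The control that closes this class of bug is a deny-by-default check on every URL a server-side image loader is asked to fetch. The block below is an added defensive example written for this digest; it is not LMDeploy's own loader or its patch. It refuses non-HTTP schemes, embedded credentials, and any hostname or literal address that lands in loopback, private, link-local (including the cloud metadata range), multicast or reserved space, and it returns the resolved addresses so the caller can connect to those rather than re-resolve. The hostnames and the `SAMPLE_DNS` table are constructed so the example runs offline.

```python
"""Deny-by-default URL validation for a server-side image fetcher.

Illustrative defensive code added for this digest; it is not LMDeploy's own
loader or patch. A service that downloads images on behalf of callers must
refuse URLs that resolve to internal or cloud-metadata addresses.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Address ranges a server-side fetcher should never reach on a caller's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",   # link-local, includes the cloud metadata service
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip_text: str) -> bool:
    """True if the address falls in a range the fetcher must not contact."""
    ip = ipaddress.ip_address(ip_text)
    # Judge IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) by its embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> list:
    """Every A/AAAA answer for host via the OS resolver (used in production)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed lookup table so the example runs offline; hostnames are made up.
SAMPLE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],
    "images.example.com": ["203.0.113.10"],   # TEST-NET-3, public-looking
}


def sample_resolver(host: str) -> list:
    """Offline stand-in for system_resolver; raises like getaddrinfo on a miss."""
    if host not in SAMPLE_DNS:
        raise OSError(f"unknown host {host}")
    return SAMPLE_DNS[host]


def validate_image_url(url: str, resolver=system_resolver):
    """Return (allowed, reason, ips).

    When allowed, the caller must connect to one of the returned ips rather
    than re-resolving the hostname; otherwise a DNS answer that changes
    between check and use (rebinding) bypasses the check.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed", []
    host = parsed.hostname
    if not host:
        return False, "missing host", []
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL", []
    try:
        ipaddress.ip_address(host)        # literal IP: no DNS lookup needed
        ips = [host]
    except ValueError:
        try:
            ips = list(resolver(host))
        except OSError as exc:
            return False, f"DNS failure: {exc}", []
    if not ips:
        return False, "host resolved to no addresses", []
    blocked = [ip for ip in ips if is_blocked_ip(ip)]
    if blocked:
        return False, f"resolves to blocked address {blocked[0]}", []
    return True, "ok", ips


if __name__ == "__main__":
    for candidate in (
        "https://images.example.com/cat.png",
        "http://169.254.169.254/latest/meta-data/",
        "http://localhost:6379/",
        "http://[::ffff:127.0.0.1]/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", validate_image_url(candidate, sample_resolver)[:2])
```

The check resolves every address for a name and rejects the URL if any one of them is blocked, since a multi-answer record with one internal address is an easy bypass of a first-answer-only check. Pair it with an egress policy on the host: address filtering in application code is the first layer, not the only one.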
Checkmarx KICS Official Docker Repository Poisoned in Supply Chain Attack
Threat actors authenticated to Docker Hub using valid Checkmarx credentials on April 22 and pushed malicious images to the official checkmarx/kics repository, overwriting existing tags and adding a rogue release. The modified KICS binary collected and exfiltrated infrastructure-as-code scan results — which often contain credentials and secrets — to an external endpoint. Researchers linked the attack to TeamPCP. Checkmarx has restored the repository and suspended the compromised account. The Hacker News
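An overwritten tag only works against consumers that pull by tag. Pinning base images by content digest turns a silent swap into a visible mismatch, and a small audit over your Dockerfiles finds the unpinned references. The block below is an added defensive example written for this digest, not Checkmarx or Docker tooling; the sample Dockerfile, the registry hostname and every digest in it are constructed placeholders.

```python
"""Audit Dockerfile base images for digest pinning.

Added defensive example for this digest, not Checkmarx or Docker tooling.
A mutable tag such as :latest can be re-pointed by whoever holds registry
credentials; an @sha256 digest names exact content, so an overwritten tag
produces a mismatch instead of a quiet swap. The expected digests and the
sample Dockerfile below are constructed placeholders.
"""
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref: str) -> dict:
    """Split 'registry:port/name:tag@sha256:...' into name, tag and digest."""
    name, _, digest = ref.partition("@")
    tag = None
    head, sep, last = name.rpartition(":")
    # A trailing ':x' is a tag only if it is not a registry port (no '/' after it).
    if sep and "/" not in last:
        name, tag = head, last
    return {"name": name, "tag": tag, "digest": digest or None}


def audit_dockerfile(text: str, expected: dict) -> list:
    """Return (line_no, image_ref, status) for each FROM that pulls an image.

    status: UNPINNED  - tag only, content can change under the same name
            MISMATCH  - pinned, but digest differs from the expected one
            OK        - pinned and matches the expected digest
            PINNED    - pinned, no expectation recorded for this image
    """
    findings = []
    stage_aliases = set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.upper().startswith("FROM "):
            continue
        tokens = line.split()
        args = [t for t in tokens[1:] if not t.startswith("--")]  # drop --platform etc.
        if not args:
            continue
        ref = args[0]
        if len(args) >= 3 and args[1].upper() == "AS":
            stage_aliases.add(args[2])
        if ref in stage_aliases or ref == "scratch":
            continue          # multi-stage alias or the empty image, not a pull
        parsed = parse_image_ref(ref)
        digest = parsed["digest"]
        if digest is None or not DIGEST_RE.match(digest):
            status = "UNPINNED"
        elif parsed["name"] in expected:
            status = "OK" if expected[parsed["name"]] == digest else "MISMATCH"
        else:
            status = "PINNED"
        findings.append((line_no, ref, status))
    return findings


# Constructed placeholders: real digests come from your own pinning records.
DIGEST_PY = "sha256:" + "a" * 64
DIGEST_BASE = "sha256:" + "b" * 64
EXPECTED_DIGESTS = {
    "python": DIGEST_PY,
    "registry.example.com:5000/team/base": DIGEST_BASE,
}

# Constructed sample: one mutable tag, one correct pin, one pin that drifted.
SAMPLE_DOCKERFILE = f"""\
FROM --platform=linux/amd64 checkmarx/kics:latest AS scanner
FROM python:3.12-slim@{DIGEST_PY}
FROM registry.example.com:5000/team/base:1.4@sha256:{'c' * 64}
FROM scanner
COPY --from=scanner /app/bin/kics /usr/local/bin/kics
"""

if __name__ == "__main__":
    for line_no, ref, status in audit_dockerfile(SAMPLE_DOCKERFILE, EXPECTED_DIGESTS):
        print(f"line {line_no}: {status:9} {ref}")
```

Run it in CI against every Dockerfile and fail the build on UNPINNED or MISMATCH; the expected-digest map is the record you update deliberately when you choose to move to a new upstream build, which is exactly the step an attacker who only controls a tag cannot perform for you.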
Two Unpatched Windows Defender Zero-Days Now Actively Exploited in Attacks
Huntress Labs confirmed all three Windows Defender zero-days released by researcher Chaotic Eclipse are now exploited in the wild. BlueHammer (CVE-2026-33825) was patched in April Patch Tuesday. RedSun and UnDefend — a local privilege escalation and a Defender update-blocking flaw respectively — remain without patches, CVEs, or a public Microsoft fix timeline. Exploitation was observed as part of broader intrusions with suspected Russian infrastructure involvement. BleepingComputer
GopherWhisper: New China-Aligned APT Targets Mongolian Government With Go Backdoors
ESET Research disclosed GopherWhisper, a previously undocumented China-aligned APT group active since at least November 2023. The group infected 12 systems at a Mongolian government entity using a custom Go-based backdoor toolkit and abused Microsoft 365 Outlook, Slack, and Discord as command-and-control channels. The toolset includes loaders, injectors, and exfiltration utilities. ESET assessed the group is relatively new to malware development. The Hacker News
Oracle Releases 481 Security Patches in April 2026 Critical Patch Update
Oracle’s April 2026 Critical Patch Update includes 481 new patches across 28 product families addressing roughly 450 distinct vulnerabilities. More than 300 are remotely exploitable without authentication. Oracle Communications received the largest share with 139 patches. Financial Services Applications and Fusion Middleware also received significant updates. Oracle urges customers to apply patches immediately given the volume of unauthenticated remote exploitation paths. SecurityWeek
Google Rolls Out Device Bound Session Credentials in Chrome 146 for Windows
Google activated Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, a protocol that cryptographically binds authentication sessions to device hardware via the Trusted Platform Module. DBSC issues short-lived session cookies that require proof of device possession before renewal, directly countering infostealer malware that exfiltrates long-lived cookies. macOS support is planned for a subsequent Chrome release. The Hacker News
Rituals Cosmetics Discloses Data Breach Affecting Global Membership Database
Dutch cosmetics retailer Rituals confirmed a data breach after attackers exfiltrated records from its “My Rituals” membership database. Exposed data includes names, email addresses, phone numbers, dates of birth, gender, and home addresses for customers across the EU, UK, and parts of the US. The company counts 41 million members globally. No passwords or payment information were accessed. Rituals said it contained the breach quickly and notified relevant data protection authorities. BleepingComputer
UK Legal Aid Agency Confirms Cyberattack and Data Breach
The UK Legal Aid Agency confirmed on April 23 a cyberattack on its online digital services, the system through which legal aid providers log work and receive government payments. Sensitive applicant data — including criminal histories, domestic abuse records, financial details, dates of birth, and bank account information — may have been exposed for anyone who applied for legal aid since 2010. The affected system has been taken offline and an investigation is underway. SecurityWeek
Canadian Centre for Cyber Defence Launches in Ajax, Ontario
369 Global Inc. launched the Canadian Centre for Cyber Defence (C3D), a not-for-profit cybersecurity institution in Ajax, Ontario. C3D’s mandate covers digital forensics, threat intelligence, immersive corporate training, tabletop exercises, and public cyber awareness programming. The centre is inviting government agencies, Crown corporations, financial institutions, health authorities, and energy operators as strategic partners, positioning itself as a national collaborative platform for government, industry, and academia. Newswire Canada
Stay tuned for today’s in-depth analysis posts.