FIRESTARTER puts Cisco below the patch line

CISA disclosed that one unnamed US government agency applied all the right Cisco patches in September 2025 and was still hosting the FIRESTARTER back door six months later, confirmed in March 2026. The agency had done everything the patch process required.

The six-month gap shows that applying a patch and removing a compromise are no longer the same thing for this class of attack. The checklist still works; it just no longer proves what people assumed it did. Read full version ↓

Sixteen national cyber agencies, including the US, UK, Germany, the Netherlands, Japan and Australia, co-signed a document on 23 April formally stating that the lists defenders use to block hackers go out of date faster than anyone can update them. They named Flax Typhoon and a Chinese company called Integrity Technology Group as operators of a network of over 200,000 hijacked home routers.

The significance is the admission itself: sixteen governments publicly signed off that the standard hacker-blocking approach is no longer good enough against state-backed attackers. Read full version ↓

Norway's domestic security service, PST, confirmed on 23 April that Norway is a victim of the Salt Typhoon hacking campaign, which targets telecoms companies to intercept phone and internet traffic. The confirmation pushed the public count of affected countries past nine.

PST timed the announcement to the publication of the sixteen-agency advisory, a signal that other countries on the advisory's signatory list may follow with their own confirmations now the document is in print. Read full version ↓

CISA added three security flaws in Cisco's SD-WAN Manager, the system that controls branch-office routers, to its emergency patch list on 20 April and gave federal agencies until 23 April, a three-day window and the shortest deadline issued in this period.

For any organisation running Cisco's network management software, the three-day window signals confirmed real-world hacker activity rather than a theoretical risk. It lands on the same Cisco product family that is already under scrutiny for the FIRESTARTER implant. Read full version ↓

Mandiant published research on 23 April describing a hacker group called UNC6692 that sends fake IT support messages inside Microsoft Teams to trick law firm and outsourcing company employees into running malicious software. Once run, the software steals credentials and company files.

The attack works because Teams is designed for easy collaboration, not for verifying whether an IT support contact is real. The technique exploits company trust in their own communication tools rather than any software flaw. Read full version ↓

Peter Stokes, a 19-year-old dual US-Estonian national, was arrested at Helsinki airport on 10 April while trying to board a flight to Japan. US prosecutors unsealed charges on 28 April alleging he took part in at least four breaches as a member of Scattered Spider, a hacking group responsible for dozens of corporate intrusions.

The arrest shows the FBI can reach Scattered Spider members who travel through co-operating countries. Stokes is the second alleged member arrested outside the US in six months. Read full version ↓

Beazley's shareholders voted on 22 April to accept a £8.1 billion cash offer from Zurich Insurance, the largest cyber insurance deal of 2026. Beazley is the Lloyd's market's leading specialist cyber insurer, and the deal moves its decade of claims experience and incident-response operation into Swiss ownership.

Regulatory approval from the UK's Prudential Regulation Authority and Financial Conduct Authority is still required. The key question is whether UK regulators will attach conditions to the transfer of Beazley's claims data out of UK control. Read full version ↓

Airbus has agreed to buy Ultra Cyber from Cobham, bringing UK government cryptography and cyber-defence contract work under European control. Ultra Cyber holds secret-level security clearances for Ministry of Defence programmes.

The UK government's National Security and Investment Act gives ministers powers to block or attach conditions to the deal. The outcome of that review will set a precedent for whether European NATO allies are treated as sufficiently trusted owners of UK classified defence technology. Read full version ↓

NCSC, the UK government's cybersecurity agency, launched SilentGlass on 22 April: a physical device that blocks attacks delivered through HDMI and DisplayPort cables. It is the first commercial product to carry the NCSC brand. Sony UK Technology Centre makes it; Goldilock Labs sells it globally.

The launch sets a template for UK government cybersecurity IP entering the commercial market under licence, in the same week that two other UK cyber assets moved into foreign ownership. Read full version ↓

Three separate attacks hit software developer tools in thirteen days at the end of April. Official SAP packages in the npm registry, 73 VS Code editor plugins, and a Python package downloaded 1.1 million times per month were all found distributing malware. Developers who used these tools in the attack windows may have had credentials stolen.

The attacks required no mistake by developers: the malware arrived inside packages that appeared completely legitimate. The developer's own toolkit became the attack surface. Read full version ↓

ENISA, the EU's cybersecurity agency, released a new scorecard on 22 April to measure how well each of the 27 EU member countries has implemented the NIS2 cybersecurity law. The answer is poorly: only 14 countries had done so by mid-2025, and 19 are under formal EU non-compliance proceedings.

NIS2 requires companies in critical sectors to meet minimum security standards and report incidents. In most of the EU, the law that would enforce those requirements at national level does not yet exist. Read full version ↓