CyberNews: 25/04/2026 Edition
Today’s roundup
Summary
CISA and the UK NCSC have revealed that the FIRESTARTER backdoor infected a U.S. federal Cisco Firepower ASA device in September 2025. This Linux ELF malware, delivered by exploiting CVE-2025-20333 and CVE-2025-20362, survives even after the security patches are applied. It maintains persistence by embedding a hook in the LINA network processing engine and intercepting termination signals, so full mitigation requires re-imaging the device.
A high-severity vulnerability, "Pack2TheRoot" (CVE-2026-41651, CVSS 8.8), affecting multiple Linux distributions through the PackageKit daemon, has been disclosed. Discovered by Deutsche Telekom's Red Team, this 12-year-old flaw allows unprivileged local users to gain root privileges by installing or removing system packages without authorization. A fix was released in PackageKit version 1.3.5 on April 22, 2026.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, with a May 2026 deadline for federal agencies to patch. The flaws affect SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers.
The NASA Office of Inspector General (OIG) reported a spear-phishing campaign orchestrated by a Chinese national who posed as a U.S. researcher. The operation targeted NASA employees, government entities, universities, and private companies to illegally acquire sensitive information pertaining to U.S. defense software, violating export control laws.
A new financially motivated hacking group named BlackFile has emerged, linked to a surge in data theft and extortion attacks since February 2026. The group primarily targets organizations within the retail and hospitality sectors, leveraging vishing techniques to compromise their victims.
Home security giant ADT has confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data. The intrusion, which occurred earlier in the week, resulted in the theft of a limited set of customer and prospective customer information.
Cybersecurity researchers at SentinelOne have discovered "fast16," a previously undocumented Lua-based malware from 2005. This pre-Stuxnet cyber sabotage framework targeted high-precision calculation software with the aim of tampering with industrial systems.
Microsoft is preparing to roll out passkey support for Windows devices in late April, introducing phishing-resistant passwordless authentication for resources protected by Microsoft Entra. This initiative aims to bolster security by offering more robust authentication methods for users.
Vulnerabilities
| CVE | Severity |
|---|---|
| CVE-2025-20333 | Critical |
| CVE-2025-20362 | Medium |
| CVE-2026-41651 | High |