Cisco Firewalls Breached by 'Firestarter' Malware; Critical RCE Flaw Hits Hugging Face AI

The new article provides additional context on the NCSC's SilentGlass device, including a quote from Stephen Kines, co-founder of Goldilock Labs, emphasizing its role as a 'physical kill switch' for display connections. It also highlights the partnership with Sony UK Technology Centre for manufacturing, reinforcing the focus on hardware integrity. The article further elaborates on the device's importance for Critical National Infrastructure (CNI) and includes 'Cyber Observables' for hunting hardware-level threats, such as monitoring for unexplained USB devices or anomalous network traffic.

Microsoft has confirmed active exploitation of CVE-2026-32202, a Windows Shell spoofing vulnerability, patched in April 2026. This flaw is an incomplete fix for CVE-2026-21510, which was previously weaponized by APT28 (Forest Blizzard/Fancy Bear). Crucially, CVE-2026-21510 was used by APT28 in an exploit chain alongside CVE-2026-21513, a vulnerability mentioned in the original report on the PRISMEX malware. This update highlights APT28's continued focus on Windows Shell vulnerabilities for initial access, demonstrating their agility in bypassing patches and maintaining their exploit capabilities. Organizations are urged to apply the latest Microsoft updates immediately to mitigate this actively exploited threat.

The OT-ISAC advisory reveals that the threat to critical infrastructure, exemplified by the Iran-affiliated PLC exploitation, is now spreading to a wider range of distributed energy resources (DER), remote sites, and OT-adjacent systems. This expansion of the attack surface, coupled with recent destructive attacks in Poland, signifies a deteriorating threat landscape for the energy sector. Defenders must now address risks beyond central control rooms, as the overall impact and potential for disruption have increased due to the broader targeting of distributed assets.

The UK government and its communications regulator, Ofcom, have issued a coordinated alert to businesses, specifically communications and technology providers, warning of the escalating cybersecurity threats posed by frontier AI models. The alert highlights Anthropic's 'Claude Mythos Preview' as capable of autonomously discovering and exploiting vulnerabilities, a development deemed 'catastrophic' by security experts. This official warning underscores the urgent need for AI-native defenses and adherence to UK security standards to counter the rapid speed and scale of potential AI-driven attacks.

A joint report by CISA and NCSC provides further insights into the Firestarter malware. New information indicates initial access was achieved through compromised credentials and dormant user accounts, leading to unauthorized VPN sessions, rather than solely through CVE exploitation. The LINE VIPER post-exploitation tool is now specifically identified as facilitating these unauthorized VPN sessions by bypassing multi-factor authentication. This update clarifies the full attack chain and highlights additional methods used by APT actors to gain and maintain persistent access to Cisco firewalls, emphasizing the critical need for robust credential management and MFA enforcement.