
A
From the CISO series, it's Cybersecurity Headlines
B
These are the cybersecurity headlines for Monday, April 27, 2026. I'm Steve Prentiss.
ADT says customer data stolen in cyber attack. The home security company ADT stated that Monday's breach resulted in a limited set of customer and prospective customer information. This consists of basic PII and no payment data was stolen. An ADT spokesperson said customer security systems were not affected or compromised in any way. This past Thursday, the ShinyHunters group claimed to have stolen 10 million records and threatened to leak the data if a ransom was not forthcoming.
SMS blasting comes to Toronto. We have reported on SMS blasting before, but not in North America. SMS blasters operate by mimicking legitimate cellular base stations, effectively tricking nearby phones into connecting to them instead of official mobile networks, and are often fitted into cars, allowing cybercriminals to drive through densely packed cities and capture thousands of active cell numbers in order to blast out spam messages. Now, police in Canada's largest city have arrested three men in the country's first known criminal case of this type. The investigation leading to the arrest began last November after being alerted to a suspicious device operating in downtown Toronto. Over the following months, police tracked the device moving through several locations across the Greater Toronto Area, and two suspects were arrested in March. End quote. Authorities seized a large amount of electronic equipment, including several mobile SMS blasters, and a third person turned themselves in to police last week.
Microsoft Windows Insider Program gets an overhaul. The revamped program has been announced as part of broader plans to address reliability concerns in Windows 11. The Windows Insider Program is a beta testing program that allows members to test early Windows releases and provide feedback. Addressing the complaint that it had not really listened to all the feedback from testers, Microsoft is now making the program simpler and more transparent in the hope that it will help with the development of Windows 11. In its blog post, the company admitted that the current channel structure is confusing.
New extortion group linked to surge of vishing attacks. This new and financially motivated hacking group, known as Blackfile, has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February of this year. According to Palo Alto Networks Unit 42, working with the Retail and Hospitality Information Sharing and Analysis Center, the gang's members impersonate corporate IT help desk staff to steal employee credentials. Unit 42 says this gang is likely linked to the Com, which is a network of cybercriminals known for targeting and recruiting young people for extortion, violence and other crimes. In this wave, the attackers use voice-based phishing, that's vishing, from spoofed VoIP numbers or fraudulent caller ID names as a social engineering technique.
Huge thanks to our sponsor Guardsquare. Mobile app security isn't just a tech issue, it's a revenue issue. A recent global study found that 72% of organizations experienced a mobile app security incident last year and, even worse, 5% saw customer churn or uninstalls as a result. Protect your brand and your bottom line with layered mobile app protection. You can learn more at guardsquare.com. That is G-U-A-R-D-S-Q-U-A-R-E, guardsquare.com.
Zion Siphon water infrastructure threat holds no water. Following up on a story we covered last week, the malware called Zion Siphon, first identified by AI cybersecurity firm Darktrace and described as targeting operational technology and industrial control system environments in Israel's water infrastructure, might not be anything more than hype.
A malware analyst at Dragos called the malware nothing more than hype, stating that whoever wrote the malware appears to have little knowledge of how operational technology works at Israeli water plants. It appears the developers used AI to generate significant portions of the code, leading to hallucinations, guesses and errors, and was so riddled with logic errors and invalid assumptions that Dragos says it would have been inoperable. The company adds there are publicly less than 10 malware samples capable of threatening industrial control systems and Zion Siphon is not one of them.
Researchers find pre-Stuxnet malware targeting engineering software. Researchers at SentinelOne have published a report on a new Lua-based malware that had been created years before the famous Stuxnet worm that had aimed to sabotage Iran's nuclear program by destroying uranium enrichment centrifuges. This previously undocumented cyber sabotage framework dates back to 2005 and primarily targeted high-precision calculation software to tamper with results. It has been codenamed Fast 16. It also precedes the earliest known samples of Flame, also known as Flamer and Skywiper, making it the first strain of Windows malware to embed a Lua engine.
Carnival Cruise Lines suffers breach and extortion. Troy Hunt's Have I Been Pwned has potentially identified 7.5 million unique email addresses belonging to a subsidiary of the world's largest cruise company. The addresses appear to relate to the Mariner Society loyalty program run by Holland America Line, which is a subsidiary of Carnival Corporation. The exposed data includes names, dates of birth, genders and membership status details, the type of personal data that attackers can easily repurpose for fraud or phishing. Carnival has acknowledged a security incident, and meanwhile the ShinyHunters extortion crew published what it claims as terabytes of internal corporate data after negotiations with the cruise line failed.
Microsoft now lets admins uninstall Copilot on enterprise devices. IT administrators can now uninstall the AI-powered Copilot digital assistant from enterprise devices using a new policy setting, which became available after the April 2026 Patch Tuesday. It's called Remove Microsoft Copilot App and is available as a policy CSP and group policy. After deploying this month's Windows security updates on endpoints managed via Microsoft Intune or System Center Configuration Manager, this policy will only apply to Windows 11 25H2 devices where the Microsoft 365 Copilot and Microsoft Copilot are both installed, the user did not install the Microsoft Copilot app, and the Microsoft Copilot app was not launched in the last 28 days. Got that?
If you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Host: Steve Prentiss, CISO Series
Episode Theme:
A roundup of the day’s major cybersecurity events including high-profile data breaches, law enforcement action against SMS-blasting in Toronto, new info on pre-Stuxnet malware, and evolving cyber extortion tactics.
This episode dives into recent and high-impact cybersecurity news, providing updates and expert insight on:
“This consists of basic PII and no payment data was stolen...customer security systems were not affected or compromised in any way.”
— (ADT spokesperson paraphrased by Steve Prentiss, [00:16])
“Police in Canada’s largest city have arrested three men in the country’s first known criminal case of this type.”
— Steve Prentiss, [01:35]
“The attackers use voice-based phishing—that’s vishing—from spoofed VoIP numbers or fraudulent caller ID names as a social engineering technique.”
— Steve Prentiss, [03:28]
“A malware analyst at Dragos called the malware nothing more than hype, stating that whoever wrote the malware appears to have little knowledge of how operational technology works.”
— Steve Prentiss, [05:02]
“This previously undocumented cyber sabotage framework dates back to 2005 and primarily targeted high precision calculation software to tamper with results...”
— Steve Prentiss, [05:54]
“The exposed data includes names, dates of birth, genders and membership status details—the type of personal data that attackers can easily repurpose for fraud or phishing.”
— Steve Prentiss, [06:50]
“IT administrators can now uninstall the AI-powered Copilot digital assistant from enterprise devices using a new policy setting, which became available after the April 2026 Patch Tuesday.”
— Steve Prentiss, [07:10]
| Segment | Topic | Timestamp |
|---------|-------|-----------|
| 1 | ADT Data Breach | 00:06–01:12 |
| 2 | Toronto SMS Blasting | 01:12–02:26 |
| 3 | Windows Insider Program Overhaul | 02:26–02:50 |
| 4 | Blackfile Vishing Attacks | 02:50–03:37 |
| 5 | Zion Siphon Water Malware Debunked | 04:36–05:37 |
| 6 | Pre-Stuxnet Malware Discovery | 05:37–06:30 |
| 7 | Carnival Cruise Lines Data Breach | 06:31–07:04 |
| 8 | Microsoft Copilot Uninstall for Enterprise | 07:04–07:36 |
This episode delivers swift, focused briefings on several emerging and ongoing threats within infosec, offering actionable intelligence, particularly for CISOs and practitioners. From North America's first SMS-blasting takedown and new waves of social engineering to revelations in malware history, the podcast concisely captures the pulse of daily cybersecurity news while contextualizing the technical and practical implications.