Daily cybersecurity briefing for CISOs and security leaders.
Today's episode covers 9 stories across 6 topic areas, including: A dozen allied agencies say China is building covert hacker networks out of everyday routers; Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities; In a first, a ransomware family is confirmed to be quantum-safe.
CyberScoop · Apr 23 · Relevance: 9/10
Why it matters to CISOs: A joint advisory from 12+ allied agencies describing China's tactical shift to botnet-based covert networks demands immediate review of edge device hygiene, network visibility, and threat hunting for SOHO router compromises across your environment.
CyberScoop · Apr 23 · Relevance: 7/10
Why it matters to CISOs: First-ever mapping of attack traffic to mobile signaling infrastructure exposes how commercial surveillance vendors exploit SS7/Diameter weaknesses; CISOs with mobile-dependent executives or operations in sensitive regions face direct espionage risk.
Ars Technica Security · Apr 23 · Relevance: 7/10
Why it matters to CISOs: Ransomware operators adopting post-quantum cryptography before most enterprises do is a stark wake-up call: it closes off the prospect of one day using quantum computing to recover keys from captured samples or traffic, and it reinforces the urgency of resilient, tested backup and recovery strategies.
CyberScoop · Apr 23 · Relevance: 8/10
Why it matters to CISOs: Vercel's expanding breach scope, now confirmed to affect additional customers and downstream third-party systems, is a concrete supply-chain risk for any enterprise running applications on Vercel infrastructure, requiring immediate assessment of exposure.
BleepingComputer · Apr 23 · Relevance: 8/10
Why it matters to CISOs: A compromise of security tooling itself (Checkmarx KICS Docker images and IDE extensions) represents a nightmare scenario where the tools CISOs rely on for code analysis become attack vectors, demanding immediate verification of developer tool integrity.
Risky Business News · Apr 24 · Relevance: 8/10
Why it matters to CISOs: The CISA leadership vacuum continues to deepen: Plankey's withdrawal after a year of chaotic interim leadership raises serious questions about federal cyber coordination, incident response partnership, and the reliability of government threat intelligence sharing for the private sector.
BankInfoSecurity · Apr 24 · Relevance: 7/10
Why it matters to CISOs: A $72M Series C for artifact-level supply chain security signals strong market validation for the category; CISOs evaluating software composition and artifact trust solutions should track Cloudsmith's expanding capabilities in policy enforcement and real-time package risk.
BankInfoSecurity · Apr 24 · Relevance: 7/10
Why it matters to CISOs: Cisco's potential $250-350M acquisition of Astrix Security validates non-human identity as a critical enterprise gap; CISOs should consider how service accounts, API keys, and machine identities are governed ahead of likely platform consolidation.
CyberScoop · Apr 23 · Relevance: 9/10
Why it matters to CISOs: FIRESTARTER malware persisting on Cisco ASA/Firepower devices even after patching means CISOs must go beyond patch management: integrity verification and forensic examination of perimeter firewalls is now urgent, especially given CISA confirmed a federal agency was compromised.
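The two tooling-integrity items above, the compromised Checkmarx KICS images and extensions and the FIRESTARTER persistence that survived patching on Cisco ASA/Firepower, come down to the same check: compare what you are running against a trusted reference, and treat anything unlisted or mismatched as a finding. The Python below is an added example, not code from Cleartext, Checkmarx or Cisco. It assumes the artifacts have already been fetched as bytes and that the trusted digest manifest was obtained out of band (a vendor release page or signed manifest); every digest, image reference and ASA-style config line in it is constructed for illustration.

```python
"""Integrity checks for developer tooling and perimeter-device baselines.

Added example. Assumes artifacts have already been fetched as bytes and that
TRUSTED_MANIFEST was obtained out of band (vendor release notes, a signed
manifest). Every digest, image reference and config line here is constructed.
"""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List, Tuple

# Constructed stand-ins for a firewall image and an IDE extension bundle.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "asa-image.bin": b"constructed firmware image bytes",
    "kics-extension.vsix": b"constructed extension bundle bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The manifest lists the firmware digest correctly; the extension entry is
# what the "vendor published", which differs from what was downloaded.
TRUSTED_MANIFEST: Dict[str, str] = {
    "asa-image.bin": sha256_hex(SAMPLE_ARTIFACTS["asa-image.bin"]),
    "kics-extension.vsix": sha256_hex(b"constructed vendor-published bundle"),
}


def verify_artifacts(
    artifacts: Dict[str, bytes], manifest: Dict[str, str]
) -> List[Tuple[str, str]]:
    """Classify each artifact as 'ok', 'mismatch' or 'unlisted'.

    'unlisted' is reported rather than skipped: a tool you run that has no
    trusted digest is itself a gap in the inventory.
    """
    findings: List[Tuple[str, str]] = []
    for name, data in artifacts.items():
        expected = manifest.get(name)
        if expected is None:
            findings.append((name, "unlisted"))
        elif hmac.compare_digest(sha256_hex(data), expected):
            findings.append((name, "ok"))
        else:
            findings.append((name, "mismatch"))
    return findings


# An image reference is immutable only when it carries a sha256 digest;
# "name:tag" can be repointed by whoever controls the registry account.
_DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_image_refs(refs: Iterable[str]) -> List[str]:
    """Return image references that resolve by mutable tag rather than digest."""
    return [ref for ref in refs if not _DIGEST_REF.search(ref)]


# Constructed ASA-style configs: the running config gained a management
# access line for an outside network that the baseline never contained.
BASELINE_CONFIG = """\
hostname edge-fw1
! management access
http server enable
http 192.0.2.0 255.255.255.0 inside
ssh 192.0.2.0 255.255.255.0 inside
"""

RUNNING_CONFIG = BASELINE_CONFIG + "http 203.0.113.0 255.255.255.0 outside\n"


def config_drift(baseline: str, running: str) -> Dict[str, List[str]]:
    """Lines present in one config but not the other, ignoring blanks and '!' comments."""
    def significant(text: str) -> set:
        lines = (ln.strip() for ln in text.splitlines())
        return {ln for ln in lines if ln and not ln.startswith("!")}
    base, run = significant(baseline), significant(running)
    return {"added": sorted(run - base), "removed": sorted(base - run)}


if __name__ == "__main__":
    for name, status in verify_artifacts(SAMPLE_ARTIFACTS, TRUSTED_MANIFEST):
        print(f"{status:9} {name}")
    for ref in unpinned_image_refs(
        ["checkmarx/kics:latest", "checkmarx/kics@sha256:" + "0" * 64]
    ):
        print(f"unpinned  {ref}")
    drift = config_drift(BASELINE_CONFIG, RUNNING_CONFIG)
    for line in drift["added"]:
        print(f"added     {line}")
    for line in drift["removed"]:
        print(f"removed   {line}")
```

A digest match on an image file shows that the file you installed is the one the vendor shipped; it does not prove that the code executing on the device is that file. That is why a persistence mechanism that survives patching calls for the vendor's and CISA's forensic procedures on the device itself, with the hash and config checks above serving as the first, cheap pass that tells you which devices to look at first.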
Jordan: Patching your Cisco firewall isn't enough anymore. CISA confirmed a federal agency had a backdoor sitting on their perimeter device for months, and it survived the patch. Let that sink in for a second before your morning coffee kicks in.
Alex: Welcome to Cleartext. It's Friday, April 25th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves.
Alex: Big week. We're covering a 12-agency warning about China industrializing router botnets, FIRESTARTER malware that laughs at your patch management program, the Vercel and Checkmarx breaches expanding in ways that should concern every CISO with a modern software supply chain, quantum-safe ransomware (yes, really), SS7 surveillance campaigns finally mapped to real infrastructure, CISA's leadership vacuum getting worse, and two market signals worth tracking. Let's get into it.
Jordan: Let's start with what I'd call the week's most strategically significant story, and it's a two-header. First: CISA, NCSC-UK, and ten other allied agencies dropped a joint advisory on China-linked groups systematically compromising consumer and SOHO routers to build covert proxy networks. We're talking about industrialized botnet infrastructure built out of the kind of hardware sitting in your employees' home offices, your branch locations, and your OT-adjacent networks. The tactical logic here is sound from their perspective: commodity hardware, hard to attribute, blends into legitimate traffic.
Alex: And the board-level read on this is straightforward. If your visibility stops at the enterprise perimeter, you're blind to traffic routing through these networks. The advisory has specific defensive recommendations, and I'd encourage your team to treat this as a hunting trigger, not a reading exercise. Edge device hygiene, firmware integrity, network telemetry on anomalous egress patterns. The sophistication here isn't in the malware; it's in the operational concept. They're using your ISP's forgotten hardware against you.
Jordan: Layer that on top of the second geopolitical story this week, and you start to see a coherent espionage doctrine. Researchers published what they're calling the first-ever mapping of commercial surveillance tool traffic to mobile operator signaling infrastructure. SS7 and Diameter vulnerabilities aren't new; we've known about them for a decade. What's new is seeing the commercial surveillance industry actually fingerprinted in real attack traffic, with vendors posing as legitimate carriers to track physical locations.
Alex: If you have executives traveling in sensitive regions, or mobile-dependent operations anywhere with contested geopolitical exposure, this is not an abstract problem. The attack surface is the phone your CFO carries to Singapore. The mitigations are limited: encrypted messaging apps help for comms, but location tracking via SS7 doesn't care about your Signal installation. This is a risk conversation you need to have with your board, particularly around executive protection programs.
Jordan: Now to the story I opened with: FIRESTARTER. CISA and NCSC confirmed a backdoor on a US federal agency's Cisco ASA and Firepower devices. Active since at least September 2025. In March 2026, attackers returned to already-patched devices without re-exploiting the original vulnerability. The persistence mechanism survived standard remediation. That is not a patching failure. That is a fundamental assumptions failure.
Alex: This is the story where I want CISOs to stop and have a hard conversation with their teams. For years we've operated on the assumption that patch equals remediation. FIRESTARTER breaks that. The attacker got in, established persistence at a layer below what your standard patch touches, and waited. Your next step is not patching; it's integrity verification of your perimeter devices. Firmware hashes, configuration baselines, and frankly forensic review if you have Cisco ASA or Firepower in your environment and you haven't done a clean rebuild recently. The CISA advisory has IoCs. Use them this week.
Jordan: And speaking of assumptions that need revisiting, let's talk supply chain, because this week handed us two concrete examples of why the category keeps expanding. Vercel disclosed that the scope of their April breach is larger than initially reported. More customers affected, downstream third-party systems compromised, and, critically, the full scope of exposure is still undefined. Undefined scope is the phrase that should make your general counsel uncomfortable.
Alex: If you're running applications on Vercel infrastructure, you need an answer to two questions today. What data flows through that environment, and what downstream systems are connected to it? Supply chain breaches are particularly brutal because the blast radius is discovered in stages. Every new disclosure from Vercel is another opportunity for your organization to find itself in scope. Get ahead of it.
Jordan: The Checkmarx KICS story is arguably more insidious, because this time it's the security tooling itself. Attackers compromised Docker images and VSCode and Open VSX extensions for the KICS infrastructure-as-code analysis tool, and used those artifacts to harvest credentials and sensitive data from developer environments. Your AppSec tool became the attack vector.
Alex: This one hits differently because KICS is specifically a security product. The trust assumption was baked in. The action item here is verifying the integrity of your developer and security tooling supply chain: not just your application dependencies, but the tools your developers use every day. Hash verification, provenance checks, pull from verified sources only. And yes, that Cloudsmith Series C we'll mention in a moment is directly relevant to this problem.
Jordan: Quantum-safe ransomware. I'll give you a moment with that phrase. Researchers confirmed the first ransomware family using post-quantum cryptography. There is no practical operational benefit to this for the attacker today. Quantum computers capable of breaking current encryption don't exist at scale. So why are they doing it?
Alex: A few possibilities. It's a marketing move within ransomware-as-a-service ecosystems, differentiation for sophisticated buyers. It's future-proofing against a capability they believe is coming sooner than we do. Or it's signaling that criminal operators are tracking NIST's PQC standards as closely as your compliance team. What it means for CISOs is this: the leverage in ransomware recovery, the occasional government seizure that yields decryption keys, that leverage just got harder to apply. Resilient, tested, offline backups. That's the mitigation. It's unglamorous and it works.
Jordan: CISA governance. Sean Plankey withdrew his nomination to lead the agency. This follows over a year of interim leadership, budget turbulence, and staff departures. I'm going to be direct: CISA's effectiveness as a threat intelligence partner to the private sector is degraded right now. That doesn't mean you ignore their advisories; this week's Cisco and China router alerts are proof they're still producing valuable work. But your strategic dependence on federal coordination as a backstop for your program needs to be recalibrated. Don't plan around CISA as an active operational partner in an incident response scenario the way you might have three years ago.
Alex: Two market signals worth thirty seconds each. Cloudsmith closed a $72 million Series C for artifact-level software supply chain security: policy enforcement, auditability, real-time package risk. Given what we just said about Checkmarx KICS, the timing is almost illustrative. If you're evaluating the category, it's worth a look. And Cisco is reportedly in talks to acquire Astrix Security for $250 to $350 million. Astrix focuses on non-human identity: service accounts, API keys, machine identities. This is a category that's been underserved relative to its actual risk surface, and Cisco putting that kind of number on it is validation that platform vendors see it as table stakes. If you haven't done an audit of your non-human identity sprawl, this deal is your signal to start.
Jordan: Stepping back to the week's theme, and there is a clear one. The perimeter is lying to you. Patched Cisco firewalls are hiding backdoors. Security tooling is delivering malware. Proxy networks are routing through your employees' home routers. The adversary has methodically attacked every assumption layer we've built defenses on.
Alex: What strikes me is how much of this week's news is about persistence and concealment over speed and destruction. Whether it's FIRESTARTER waiting eight months on a firewall, or China's router botnet blending into legitimate ISP traffic, or SS7 surveillance mapped invisibly to carrier infrastructure, the strategic posture is patience. They're not blowing doors open. They're learning to live inside.
Jordan: Which means detection has to be the investment priority. Not more prevention layers. Better visibility, better hunting, better forensic capability on the things you already own. The signals are there. The question is whether you have the instrumentation and the people to see them.
Alex: That's the right note to end the week on. For CISOs, the action items are concrete: forensic review of Cisco perimeter devices, supply chain integrity verification of developer tooling, risk conversation with your board on executive mobile exposure, and a clear-eyed reassessment of your federal coordination dependencies.
Jordan: All the links are in the show notes. Have a good weekend, or at least a quiet one.
Alex: This is Cleartext. See you Monday.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-04-24.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.
By Cleartext