The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.
Commercial AI models exceeding human capability at vulnerability research
Half of publicly available commercial and open-source AI models can now autonomously generate working exploits, potentially giving inexperienced threat actors an advantage, according to new Forescout research. The firm tested 50 models and found the most capable – Claude Opus 4.6 and Kimi K2.5 – can now find and exploit vulnerabilities without complex prompts. All tested models were able to complete vulnerability research tasks. This compares to a year ago, when 55% of AI models failed basic vulnerability research and 93% failed exploit development tasks.
Why it matters
Although the focus has been on Mythos and ChatGPT-5.4, the reality is that threat actors already have the tools to find novel vulnerabilities across a range of software, and, as Forescout did, they could do so using the RAPTOR agentic AI framework.
Assured’s recommended action
Prepare now for AI-wielding threat actors to find and exploit new vulnerabilities in your systems. Move to a continuous threat exposure management (CTEM) and an automated risk-based patching model. Use AI tools to hunt for novel vulnerabilities. Assume breach and adopt zero-trust approaches, including robust access controls, least privilege, and network segmentation.
UK health data put up for sale on Alibaba
The health records of half a million volunteers have been listed for sale on the Chinese e-commerce site Alibaba. Reports suggest that the data was anonymised but could still theoretically be used to “re-identify” the individuals. Three listings were discovered, with at least one containing sensitive data points such as age, gender, month/year of birth, assessment centre data, health measurements, lifestyle factors, socioeconomic indicators and potentially genetic/biological sample metadata. Although investigations are ongoing, three Chinese research institutions have been banned from Biobank. It’s believed the datasets were downloaded in bulk from the platform.
Why it matters
The case highlights the challenges of managing supply chain risks, even among ‘trusted’ partners, and the potential nation-state intelligence interest in large-scale biomedical datasets. Bulk downloads should never be allowed for sensitive datasets like these, especially amid concerns that legitimate access pathways are increasingly being abused rather than hacked.
Assured’s recommended action
Follow a Trusted Research Environment (TRE) model where sensitive data never leaves the organisation. Encrypt sensitive datasets and manage access in accordance with zero-trust/least-privilege principles. Conduct regular partner/supplier audits and run continuous monitoring for suspicious behaviour.
Silent subject phishing emails target high-value users
Researchers have discovered a new phishing campaign in which VIP users receive emails with either an extremely vague subject line or no subject line at all. The “Null Subject/Empty Subject” campaigns identified by CyberProof are designed to encourage users to open emails out of curiosity, confusion, or a false sense of urgency. The emails often feature QR codes, shortened URLs or legitimate file-hosting links (e.g., Dropbox), which can help threat actors bypass security filters.
Why it matters
The emails may not be classed as high risk and are therefore allowed to pass through to inboxes if gateway products have no subject line to scan. They are designed to harvest credentials for initial access, followed by lateral movement. The elevated privileges of the VIP victims could cause significant damage.
Assured’s recommended action
Update security awareness training programmes to include the technique. Choose email security that checks email body and attachment content (including possible quishing) rather than over-relying on subject lines. Mandate phishing-resistant MFA for high-value users.
Three Windows zero-days exploited in the wild
Threat actors are exploiting three recently disclosed Windows vulnerabilities to gain elevated privileges. All three were published by a disgruntled security researcher. CVE-2026-33825 (aka “BlueHammer”) is a Microsoft Defender local privilege escalation flaw which Microsoft has now patched. “RedSun” is the same category of vulnerability but has yet to be patched or receive a CVE. “UnDefend” has also yet to be patched and can be used for denial of service or defence evasion. Researchers spotted all three being actively exploited.
Why it matters
The flaws could be used to circumvent Microsoft Defender and escalate privileges for lateral movement. CISA has added CVE-2026-33825 to its KEV catalogue.
Assured’s recommended action
Patch BlueHammer immediately and follow zero-trust approaches (least privilege, segmentation) to limit the blast radius of a potential intrusion. Consider using an alternative EDR tool to Defender to ensure visibility into potential malicious activity.
NCSC warns of Chinese threat actors using proxy networks
Most Chinese-nexus threat actors now use networks of vulnerable internet-connected edge devices, such as home routers and smart devices, to hide their activity, the National Cyber Security Centre (NCSC) has warned. Often created and maintained by Chinese information security companies, these proxy networks are usually composed of out-of-date devices, it said.
Why it matters
China uses these networks to steal sensitive data and maintain persistent access. Static lists of malicious IP addresses are no longer effective, as new devices are constantly being added to these networks.
Assured’s recommended action
Follow the NCSC’s advice: small organisations should use the free Cyber Action Toolkit, while larger ones should, at a bare minimum, seek Cyber Essentials certification and follow the Cyber Assessment Framework. MFA, continuous network monitoring, edge device mapping, IP allowlisting, and zero-trust controls are a must.