Cybersecurity Weekly Update 4-11 May 2026
- SOC Team

1. Deepfake Attacks Continue to Surge Across Europe
New research found that over 70% of UK organizations have experienced deepfake-related attacks, including AI-generated voice impersonation, fraudulent video calls, and highly convincing phishing campaigns. (techradar.com)
Why it matters: Deepfake-enabled social engineering is rapidly becoming a major risk for finance teams, executives, and third-party suppliers. Attackers are exploiting trust in voice and video communications to bypass traditional verification controls.
Action: Implement strict callback verification procedures, strengthen approval workflows for financial transactions, and provide employee awareness training focused on AI-driven impersonation attacks.
2. Google Identifies First AI-Assisted Zero-Day Exploit in the Wild
Google Threat Intelligence Group reported this week that cybercriminals have successfully used AI to assist in developing a weaponized zero-day exploit targeting authentication systems. (csoonline.com)
Why it matters: This marks a significant shift in cyber threat capability. AI-assisted exploit development has the potential to dramatically reduce the time between vulnerability discovery and active exploitation, increasing pressure on already stretched security and patch management teams.
Action: Accelerate vulnerability remediation timelines, strengthen endpoint detection capabilities, and adopt continuous monitoring approaches to identify emerging exploitation attempts more rapidly.
3. Persistent Access Malware Targets Cisco Devices
Security agencies including CISA and the National Cyber Security Centre have confirmed ongoing activity involving FIRESTARTER malware, which is being used to maintain long-term access to compromised Cisco network devices. The malware specifically targets Cisco Firepower and Secure Firewall platforms and is notable for its ability to survive reboots, firmware upgrades, and even standard remediation attempts. In some cases, attackers are believed to have maintained access even after patching. (natlawreview.com)
Why it matters: This represents a shift from opportunistic ransomware to deep infrastructure persistence, particularly dangerous for financial services and defence environments where Cisco appliances are widely deployed.
Action: Assume compromise if devices were exposed before patching. Reimage or fully rebuild affected systems. Implement continuous integrity monitoring for network appliances.
4. Critical Ivanti EPMM Zero-Day Exploited (CVE-2026-6973)
Ivanti has issued an emergency patch for a high-severity vulnerability in Endpoint Manager Mobile (EPMM). Attackers with administrative permissions are actively exploiting this flaw to perform remote code execution (RCE) on affected mobile management systems. (securityweek.com)
Why it matters: EPMM is heavily used in Defense and Financial Services for secure mobile access. This zero-day allows attackers to bypass controls and gain persistence on mobile gateways, potentially exposing the entire mobile device fleet of an organization.
Action: Update to version 12.8.0.0 or higher immediately. Audit all administrative logs for unauthorized IP addresses or suspicious configuration changes. Review mobile gateway access logs for signs of lateral movement.
5. Canvas LMS Breach by "ShinyHunters"
The education sector faces a major crisis following a confirmed data exfiltration from Instructure’s Canvas LMS cloud environment. The threat actor group ShinyHunters has leaked samples of sensitive student data and staff credentials on the "BreachForums" successor site, claiming access to millions of records. (bankinfosecurity.com)
Why it matters: This breach directly impacts Higher Education and Healthcare Training institutions. Beyond data theft, the compromised "API Tokens" can be used to impersonate faculty, allowing attackers to deploy malware within course modules or modify student records.
Action: Force a global reset of all Canvas API access tokens to prevent impersonation. Enforce a mandatory password update for all administrative and faculty accounts. Implement and verify Multi-Factor Authentication (MFA) across all learning management system entry points.
Key Recommendations
Defend against deepfakes: Enforce callback verification for payments and sensitive requests, strengthen approval workflows, and train staff on AI-driven impersonation.
Speed up patching cycles: Reduce time-to-patch as AI accelerates zero-day exploitation; improve continuous monitoring for early attack detection.
Harden core infrastructure: Assume network device compromise, reimage affected systems, and deploy integrity monitoring for Cisco and similar appliances.
Urgent Ivanti fix: Patch Ivanti EPMM immediately (CVE-2026-6973), audit admin activity, and check for lateral movement.
Secure SaaS platforms: Reset Canvas LMS API tokens, enforce MFA, and monitor for credential or token misuse.
Adopt “assume breach” security: Focus on identity protection, continuous monitoring, and rapid recovery over perimeter-only defenses.
