Cyber Threat Intelligence 07 April 2026
Healthcare Sector
- Shadow AI In Healthcare Is Here To Stay
"The healthcare industry must get ahead of pervasive shadow AI risks that only exacerbate recovery challenges when ransomware and other disruptive cyberattacks inevitably hit. Physicians, doctors, and clinicians use unsanctioned artificial intelligence (AI) tools and chatbots to boost efficiency in a job where shaving a second off could mean saving someone's life. But security teams can't monitor for potentially damaging threats if they don't know the tools are running in the environment; hence the term "shadow AI.""
https://www.darkreading.com/cyber-risk/shadow-ai-in-healthcare-is-here-to-stay
Vulnerabilities
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-35616 - Fortinet FortiClient EMS Improper Access Control Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/04/06/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-fortinet-flaw-exploited-in-attacks-by-friday/
https://therecord.media/singapore-us-warn-of-fortinet-bug-exploited
https://www.theregister.com/2026/04/06/forticlient_ems_bug_exploited/
- New GPUBreach Attack Enables System Takeover Via GPU Rowhammer
"A new attack, dubbed GPUBreach, can induce Rowhammer bit-flips on GPU GDDR6 memories to escalate privileges and lead to a full system compromise. GPUBreach was developed by a team of researchers at the University of Toronto, and full details will be presented at the upcoming IEEE Symposium on Security & Privacy on April 13 in Oakland. The researchers demonstrated that Rowhammer-induced bit flips in GDDR6 can corrupt GPU page tables (PTEs) and grant arbitrary GPU memory read/write access to an unprivileged CUDA kernel."
https://www.bleepingcomputer.com/news/security/new-gpubreach-attack-enables-system-takeover-via-gpu-rowhammer/
https://gpubreach.ca/
- Disgruntled Researcher Leaks “BlueHammer” Windows Zero-Day Exploit
"Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions. Dubbed BlueHammer, the vulnerability was published by a security researcher discontent with how Microsoft’s Security Response Center (MSRC) handled the disclosure process. Since the security issue has no official patch and there is no update to address it, the flaw is considered a zero-day by Microsoft's definition."
https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/
https://deadeclipse666.blogspot.com/2026/04/public-disclosure.html
- AI Agents Found Vulns In This Popular Linux And Unix Print Server
"In the latest chapter on leaky CUPS, a security researcher and his band of bug-hunting agents have found two flaws that can be chained to allow an unauthenticated attacker to remotely execute code and achieve root file overwrite on the network. CUPS - or the Common Unix Printing System, as it is less commonly known - is the standard way to submit files for printing over Linux and other Unix-like systems. It's also a favorite target for security researchers because a) making printers do bad things is fun, and b) as the default printing system for Apple device operating systems and most Linux distributions, any CUPS security flaw has a wide blast radius."
https://www.theregister.com/2026/04/06/ai_agents_cups_server_rce/
https://heyitsas.im/posts/cups/
Malware
- Storm-1175 Focuses Gaze On Vulnerable Web-Facing Assets In High-Tempo Medusa Ransomware Operations
"The financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence as Storm-1175 operates high-velocity ransomware campaigns that weaponize N-days, targeting vulnerable, web-facing systems during the window between vulnerability disclosure and widespread patch adoption. Following successful exploitation, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours. The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
https://www.bleepingcomputer.com/news/security/microsoft-links-medusa-ransomware-affiliate-to-zero-day-attacks/
https://therecord.media/medusa-ransomware-group-zero-days-microsoft
- Drift $280M Crypto Theft Linked To 6-Month In-Person Operation
"The Drift Protocol says that the $280+ million hack it suffered last week was the result of a long-term, carefully planned operation that included building "a functioning operational presence inside the Drift ecosystem." On April 1st, the Solana-based trading platform detected unusual activity that was followed by confirmation that funds had been lost in a sophisticated attack that allowed hijacking of the Security Council administrative powers. Blockchain intelligence firms Elliptic and TRM Labs attributed the heist to North Korean hackers, who took about 12 minutes to drain user assets."
https://www.bleepingcomputer.com/news/security/drift-280m-crypto-theft-linked-to-6-month-in-person-operation/
https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack
https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist
https://hackread.com/north-korean-hackers-trading-firm-drift-protocol/
https://www.securityweek.com/north-korean-hackers-target-high-profile-node-js-maintainers/
- Weaponizing Fear: Iran Conflict-Themed Phishing Uses Fake Emergency Alerts
"War in the modern era extends far beyond the physical battlefield. The ongoing conflict in the Middle East involving the United States, Israel, and Iran continues to generate widespread fear and uncertainty, particularly among civilians in affected and neighboring regions. This climate of heightened anxiety creates ideal conditions for cyber threats, as malicious actors exploit fear-driven narratives to target individuals through digital attacks such as phishing and disinformation campaigns. The Cofense Phishing Defense Center (PDC) has recently identified a phishing campaign that impersonates a government emergency alert, referencing entities such as the Ministry of Interior and Civil Defense."
https://cofense.com/blog/weaponizing-fear-iran-conflict-themed-phishing-uses-fake-emergency-alerts
https://hackread.com/missile-alert-phishing-iran-us-israel-microsoft-logins/
- Six Accounts, One Actor: Inside The Prt-Scan Supply Chain Campaign
"On April 2, 2026, security researcher Charlie Eriksen publicly identified an automated campaign exploiting GitHub's pull_request_target workflow trigger. The attacker, operating under the account ezmtebo, opened over 475 malicious PRs in 26 hours targeting repositories belonging to both prominent organizations and hobbyists. This attacker is reminiscent of hackerbot-claw, the AI powered CI/CD attacker that used five different exploitation methods across seven successful high profile attacks."
https://www.wiz.io/blog/six-accounts-one-actor-inside-the-prt-scan-supply-chain-campaign
https://www.darkreading.com/application-security/ai-assisted-supply-chain-attack-targets-github
- How LiteLLM Turned Developer Machines Into Credential Vaults For Attackers
"The most active piece of enterprise infrastructure in the company is the developer workstation. That laptop is where credentials are created, tested, cached, copied, and reused across services, bots, build tools, and now local AI agents. In March 2026, the TeamPCP threat actor proved just how valuable developer machines are. Their supply chain attack on LiteLLM, a popular AI development library downloaded millions of times daily, turned developer endpoints into systematic credential harvesting operations. The malware only needed access to the plaintext secrets already sitting on disk."
https://thehackernews.com/2026/04/how-litellm-turned-developer-machines.html
General News
- German Authorities Identify REvil And GangCrab Ransomware Bosses
"The Federal Police in Germany (BKA) has identified two Russian nationals as the leaders of GandCrab and REvil ransomware operations between 2019 and 2021. According to BKA's disclosure, 31-year-old Daniil Maksimovich Shchukin and 43-year-old Anatoly Sergeevitsch Kravchuk acted as the heads of the two ransomware groups "from at least the beginning of 2019 until at least July 2021." Shchukin hid behind the monikers UNKN/UNKNOWN for years, posting on cybercrime forums and speaking as a representative of the ransomware operation."
https://www.bleepingcomputer.com/news/security/german-authorities-identify-revil-and-gangcrab-ransomware-bosses/
https://thehackernews.com/2026/04/bka-identifies-revil-leaders-behind-130.html
https://therecord.media/german-police-unmask-suspects-linked-revil-gandcrab
https://securityaffairs.com/190401/cyber-crime/bka-unmasks-two-revil-ransomware-operators-behind-130-german-attacks.html
- UK Businesses Are Being Targeted Through Their Middle East Supply Chains — What To Do Now
"The conversation around cyber risk in the UK has shifted. It is no longer confined to domestic networks, internal systems, or even direct attacks on British infrastructure. The weak link sits thousands of miles away, embedded within third-party vendors, logistics partners, and digital dependencies across the Middle East. This growing exposure has created a new layer of Middle East supply chain risk, one that is proving difficult to monitor and even harder to control."
https://cyble.com/blog/middle-east-supply-chain-risk-uk-cyber-threats/
- OWASP GenAI Data Security Risks & Mitigations 2026
"The OWASP GenAI Data Security Risks and Mitigations 2026 guide provides a critical, forward-looking analysis of the unique data security challenges posed by the rapid, widespread adoption of Generative AI (GenAI) across enterprise environments, anticipating the landscape by 2026. This comprehensive guide moves beyond traditional software security paradigms to address the novel attack surfaces that emerge when systems process and generate information at an unprecedented scale. The paper establishes a foundational, open-source framework for securing GenAI systems, focusing intensely on the data layer—from initial training and fine-tuning datasets to user prompts and final model outputs. Security professionals must proactively integrate AI-specific security testing, constant monitoring, and robust validation from the earliest stages of model development through to deployment. Adopting and adapting a comprehensive security framework will be essential for organizations to safely harness the revolutionary capabilities of GenAI while effectively managing its profound data security risks by 2026."
https://genai.owasp.org/resource/owasp-genai-data-security-risks-mitigations-2026/
https://genai.owasp.org/download/53429/?tmstv=1773811493
https://www.darkreading.com/application-security/owasp-genai-security-project-update-matrix
- CISOs Grapple With AI Demands Within Flat Budgets
"Security spending continues to edge upward across large organizations, though the changes remain gradual and tightly managed. The 2026 RH-ISAC CISO Benchmark reflects a steady environment where budgets expand in small steps, even as AI becomes a routine part of security operations. Spending levels increased during 2025 across both IT and security. Average IT spend as a share of revenue rose to 3.9% from 3.2% the year before. Security spend followed a similar path, reaching 0.75% of revenue, up from 0.57%. Security’s share of the IT budget moved slightly to 5.8%."
https://www.helpnetsecurity.com/2026/04/06/rh-isac-enterprise-security-spending-report/
- Google DeepMind Researchers Map Web Attacks Against AI Agents
"Malicious web content can be used to manipulate, deceive, and exploit autonomous AI agents navigating the internet, Google DeepMind researchers show. The researchers have identified six types of attacks against AI agents that can be mounted via web content to inject malicious context and trigger unexpected behavior. Web content, they explain in a research paper, allows attackers to set up ‘AI Agent Traps’ that weaponize the agents’ capabilities against themselves, allowing attackers to promote products, exfiltrate data, or disseminate information at scale."
https://www.securityweek.com/google-deepmind-researchers-map-web-attacks-against-ai-agents/
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6372438
- FBI: Cyber Fraud Surges To $17.6 Billion In Losses As Scams, Crypto Theft Soar
"Cyber-enabled fraud accounted for the overwhelming majority of all losses reported to the FBI’s Internet Crime Complaint Center (IC3) in 2025, with a staggering $17.6 billion stolen. The center’s annual report, released on Monday, offers a snapshot of the law enforcement agency’s myriad efforts to combat digital threats, especially ransomware, which increasingly harm individuals, businesses and U.S. critical infrastructure. Cyber-enabled fraud was behind 85% of all losses reported to the hub in 2025 and constituted 45% of the 1,008,597 complaints it received overall."
https://therecord.media/cyber-fraud-surges-to-17-billion-fbi-ic3
https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf
- First Stalkerware Maker Prosecuted Since 2014 Receives No Jail Time
"The first stalkerware manufacturer convicted in the U.S. since 2014 received no jail time at his Friday sentencing. Bryan Fleming, founder of pcTattletale, was ordered to pay a $5,000 fine by a San Diego federal judge and will spend no time in prison beyond the one day he already served. In January, he pleaded guilty to one count of manufacturing, distributing, possessing and advertising wire, oral or electronic communication intercepting devices."
https://therecord.media/stalkerware-maker-receives-no-jail-time
https://cyberscoop.com/pctattletale-stalkerware-maker-sentence-includes-fine-supervised-release/
- Understanding Current Threats To Kubernetes Environments
"The rapid adoption of container orchestration has positioned Kubernetes as a high-value target for adversaries seeking to compromise enterprise-scale environments. Our telemetry reveals that Kubernetes-related threat actor operations, including stealing Kubernetes tokens, increased 282% over the last year. The IT sector was the most heavily targeted, representing over 78% of observed activity. We look beyond traditional container escape scenarios, and demonstrate how high-profile threat actors abuse Kubernetes identities and exposed attack surfaces to escalate privileges, pivoting from initial access to sensitive backend cloud infrastructure."
https://unit42.paloaltonetworks.com/modern-kubernetes-threats/
Reference
Electronic Transactions Development Agency (ETDA)