Daily Recap: Microsoft is investigating Exchange Online mailbox access issues affecting Outlook mobile and the new Outlook for Mac, while deploying an ML-driven upgrade that moves unmanaged Windows 11 24H2 devices to 25H2 ahead of end-of-support. A former engineer pleaded guilty to an extortion plot in which he remotely locked admins out of 254 Windows servers by resetting their passwords to "TheFr0zenCrew!" and demanded 20 bitcoin, and CERT-EU attributes a European Commission AWS breach to TeamPCP, with about 90GB stolen across roughly 30 EU entities, while threat actors are publicizing the Claude Code leak to push Vidar and GhostSocks. #TheFr0zenCrew #TeamPCP #EuropeanCommission #ClaudeCode #Vidar #GhostSocks
Microsoft & Windows
- Former engineer pleaded guilty to remotely locking admins out of 254 servers, resetting passwords to “TheFr0zenCrew!” and demanding 20 bitcoin in an extortion plot – Windows Extortion
- Microsoft is investigating intermittent Exchange Online mailbox access affecting Outlook mobile and the new Outlook for Mac, restarting the Notification Broker as a mitigation while the root cause remains under investigation – Exchange Outage
- Microsoft began force-upgrading unmanaged Windows 11 24H2 Home/Pro PCs to 25H2 via an ML-based rollout ahead of 24H2 end-of-support on Oct 13, 2026 (users can still pause or manually install) – Windows 25H2
Supply-Chain & Cloud Breaches
- CERT-EU attributes the European Commission AWS breach to TeamPCP using an API key from the Trivy supply-chain attack and reports ~90GB of stolen files impacting ~30 EU entities – EU Cloud Breach
- Weekly roundup warns of a surge in ransomware and supply-chain incidents—highlighting TeamPCP, LiteLLM, Lazarus activity, and other converging criminal and nation-state threats that stress supply-chain oversight and rapid response – Cyber Roundup
Vulnerabilities & Patches
- Attackers exploited CVE-2025-55182 (React2Shell) in Next.js to compromise at least 766 hosts, deploying the NEXUS Listener to harvest DB credentials, SSH keys, cloud IAM tokens and API keys—organizations should rotate secrets and enforce least privilege – Next.js Breach
- Cisco released fixes for multiple critical flaws—most notably an IMC auth bypass (CVE-2026-20093) that grants Admin access to UCS servers plus SSM/FMC RCEs tied to a reported Trivy supply-chain breach—apply patches ASAP (no mitigations) – Cisco Patches, Cisco IMC
- Two Progress ShareFile Storage Zones Controller flaws (CVE-2026-2699, CVE-2026-2701) can be chained for pre-auth file exfiltration and RCE; update to 5.12.4 immediately – ShareFile RCE
AI Source Leak & Malware
- A published sourcemap exposed Claude Code source and researchers reconstructed it, while Adversa AI disclosed a critical prompt-injection permission bypass that can exfiltrate credentials and risk supply-chain/cloud compromise – Claude Leak
- Threat actors are weaponizing the Claude leak by posting fake GitHub repos that deliver the Vidar infostealer and GhostSocks proxy via disguised droppers to users seeking the leak – Claude Malware
Mobile & Active Exploits
- Apple expanded iOS/iPadOS 18.7.7 to older devices to mitigate the DarkSword exploit kit (six iOS bugs) used by state-aligned groups and surveillance vendors to fully compromise devices – DarkSword Patch
- ThreatsDay bulletin highlights active internet threats including the NoVoice Android rootkit and unpatched ImageMagick zero-days, urging prompt checks since small bugs can scale into widespread compromises – Threats Bulletin
Crypto & DeFi Incidents
- Drift Protocol confirmed at least $280 million stolen after attackers seized Security Council powers using pre-signed transactions and timing; blockchain analysts link the operation to North Korea (DPRK) tradecraft—protocol frozen while partners and law enforcement respond – Drift Heist, Drift Confirmation
Threat Intelligence & Espionage
- Unit 42 exposed a three-cluster, China-aligned cyberespionage campaign against a Southeast Asian government using USB-borne loaders (USBFect/PUBLOAD), multi-payload toolkits and the Hypnosis loader delivering FluffyGh0st for long-term stealthy exfiltration – Three-Cluster Campaign
Fraud & Evasion
- Short-lived, systematically rotated residential proxies evaded IP reputation checks in 78% of ~4B edge sessions, making malicious traffic indistinguishable from home-user traffic; the findings argue for a shift to behavior-based detection – Residential Proxies
- Adversaries exploit vacant homes, weak identity checks and postal services to intercept and forward mail at scale for identity theft and financial fraud using tutorials on Telegram and dark web forums – Mail Intercept
Data Breaches & Recovery
- T-Mobile says a recent breach was an isolated insider incident affecting a single account that exposed PII (including SSN and driver’s license); the PIN was reset and law enforcement notified – T-Mobile Notice
- Medtech giant Stryker reports it is fully operational after recovering from a data-wiping attack – Stryker Recovery
Tools & Market
- Free infostealer monitoring service allows tracking of up to 3 emails, 3 domains, and 3 usernames for early detection of leaks – Infostealer Monitor
- March 2026 saw 38 announced cybersecurity M&A deals in a busy market month—see the roundup for deal details – Cyber M&A