Cybersecurity News | Daily Recap [10 Apr 2026]

This edition of the Daily Recap surveys widespread vulnerabilities, malware campaigns, and geopolitical activity, including high‑severity RCEs, supply‑chain compromises, and campaigns such as LucidRook and VENOM. It also highlights rapid exploitation windows, notable actors such as Forest Blizzard and Iran-linked groups, and evolving defenses, from patching and zero‑trust to AI and browser‑security mitigations, across platforms and industries. #LucidRook #VENOM #ForestBlizzard #IranICS #GulfRisks #ChipSoft #PayrollPirate #ThreatsDay #Lazarus #Kimsuky #Andariel #ChromeDBSC #AppleIntelligence #UAT10362

News:

Vulnerabilities & Patches

  • Juniper released fixes for nearly three dozen Junos-related flaws including a default high‑privileged account (CVE-2026-33784) that could allow privilege escalation or RCE – Juniper Patches
  • GitLab patched 12 vulnerabilities including a high‑severity websocket bug (CVE-2026-5173) and urged immediate upgrades for self‑managed instances – GitLab Fixes
  • Orthanc DICOM flaws can crash servers and enable RCE in medical imaging stacks, necessitating urgent updates – Orthanc Bug
  • A critical unauthenticated RCE in Marimo (CVE-2026-39987) was weaponized within ~9 hours of disclosure to exfiltrate credentials and SSH keys; upgrade to 0.23.0+ – Marimo RCE
  • An EngageLab SDK flaw in v4.5.4 could let apps bypass the Android sandbox and exposed up to 50M users (including ~30M crypto wallets); Google Play removals and an EngageLab patch (v5.2.1) followed – EngageLab Leak
  • Google API key misuse in Android apps risks exposing Gemini endpoints and unauthorized access to LLM backends — developers should audit embedded keys – Google API Leak
  • Microsoft’s new Recall feature has a trust‑boundary bug exploited by TotalRecall Reloaded to extract decrypted screenshots and metadata via DLL injection into AIXHost.exe — users should apply mitigations – TotalRecall Gap

Malware & Campaigns

  • Researchers tracked a new Lua‑based modular backdoor, LucidRook, used by cluster UAT-10362 in targeted spear‑phishing against NGOs and universities in Taiwan via passworded archives and DLL sideloading – LucidRook, UAT-10362
  • A supply‑chain compromise of CPUID’s side API served trojanized installers (HWiNFO_Monitor_Setup) in place of CPU‑Z/HWMonitor, using in‑memory loaders and advanced evasion over ~6 hours on April 9–10 – CPUID Supply
  • WordPress/Joomla sites were pushed a backdoored Smart Slider 3 Pro update (v3.5.1.35) that installed persistent backdoors and created hidden admin accounts; affected sites should restore clean backups or update to v3.5.1.36 and follow full cleanup guidance – Smart Slider
  • A new phishing‑as‑a‑service, VENOM, targets C‑suite Microsoft credentials using personalized lures, Unicode QR codes, double Base64 URL fragments and AiTM/device‑code proxying to capture MFA/session tokens – VENOM Phish
  • Financially motivated group Storm‑2755 ran payroll‑pirate attacks on Canadian employees, using malicious Microsoft 365 sign‑in pages and AiTM frameworks to hijack salaries and change direct deposit details – Payroll Pirate
  • SOHO routers are being mass‑compromised by Russia‑linked Forest Blizzard to hijack DNS (dnsmasq) and conduct large‑scale MitM surveillance against services like Outlook and Microsoft 365 – Forest Blizzard
  • Healthcare IT vendor ChipSoft was hit by ransomware, taking HiX EHR services offline and impacting multiple hospitals while Z‑CERT responded to containment and recovery efforts – ChipSoft Ransom
  • ThreatsDay bulletin flagged a resilient hybrid P2P botnet (Phorpiex/Twizt), new stealer families and chained ActiveMQ flaws, stressing rapid patching and AI‑adjacent exploit risks – ThreatsDay

Phishing & Credential Theft

  • Executive‑targeting and enterprise credential theft surged via sophisticated phishing toolkits and AiTM proxies—examples include VENOM C‑suite campaigns and Storm‑2755 payroll hijacks that capture OAuth/session tokens and bypass legacy MFA – VENOM Phish, Payroll Pirate

Nation‑state Activity & Geopolitics

  • The US warned of Iran‑linked actors compromising ICS/OT—including abuse of Rockwell’s Studio 5000 to manipulate PLC logic—and industry urged segmentation and zero‑trust controls to protect critical infrastructure – Iran ICS
  • The UK exposed covert operations by Russian naval units (including GUGI subs) near undersea fibre‑optic cables north of the UK, warning such attacks would threaten connectivity and national security – Russian Submarine
  • Escalation around Iran has raised Gulf cybersecurity risks to ports, energy and finance, prompting the UAE and neighbors to fold cyber into national defense and regional cooperation efforts – Gulf Risks
  • Russia detained a former Radio Free Europe freelancer on treason allegations tied to Telegram channels reportedly aiding Ukrainian cyber operations—part of broader probes into virtual payments and banned org links – Russia Journalist
  • Analysis of DPRK operations describes a mature “portfolio model” (e.g., Lazarus, Kimsuky, Andariel) that compartmentalizes missions to resist attribution while sharing tooling—complicating defensive attribution and response – NK Portfolio

Crypto & Financial Security

  • The US Treasury launched a free cyber threat‑sharing initiative for eligible digital asset firms (OCCIP) after high‑value thefts including an alleged $280M heist linked to North Korean actors, aiming to improve detection and response across the crypto sector – Treasury Initiative
  • The EngageLab SDK exposure that affected ~50M Android users also risked access to ~30M crypto wallets, highlighting app‑level attack surfaces in the crypto ecosystem – EngageLab Leak

AI, Privacy & Browser Security

  • RSAC researchers bypassed on‑device LLM guardrails in Apple Intelligence using prompt injection plus Unicode tricks, achieving a 76% success rate before fixes in iOS/macOS 26.4—raising concerns about local LLM protections – Apple AI Bypass
  • An industry piece warned that businesses cannot yet fully trust LLMs due to hallucinations, bias and model collapse, and highlighted a growing AI security market building provenance, guardrails and drift detection – Trust AI
  • Google Chrome added Device Bound Session Credentials (DBSC) in Chrome 146 (Windows) to cryptographically tie session cookies to hardware keys, reducing session theft from infostealers like LummaC2—macOS support is pending – Chrome DBSC
  • iPhone notification previews (not a Signal flaw) can leak deleted message fragments from a system DB, a gap exploited in forensic extraction in a US detention‑facility case—users should review lock‑screen preview settings – iPhone Notifications

Policy, Regulation & Frameworks

  • The FCC proposed stricter KYC and verification rules for originating voice/mobile/VoIP providers, longer record retention and per‑call fines to better block illegal robocalls and address enforcement gaps – FCC Robocalls
  • MITRE released a new Fight Fraud Framework to help standardize detection and response for fraud across industries and vendors – MITRE FightFraud

Research & Trends

  • Qualys analysis of ~1 billion CISA KEV remediation records shows attackers weaponize critical bugs faster than orgs patch (Time‑to‑Exploit ~-7 days), urging automation and closed‑loop Risk Ops to remove human latency – KEV Analysis

Cybersecurity News | Daily Recap – hendryadrian.com