Daily Recap: law enforcement across 21 countries disrupted DDoS-for-hire networks in Operation PowerOFF, seizing 53 domains and warning over 75,000 users. The roundup also covers prosecutions, including Kamerin Stokes for DraftKings account theft and the North Korea laptop-farm schemes that redirected over $5 million, along with in-the-wild exploitation of nginx-ui CVE-2026-33032, an Apache ActiveMQ flaw, and leaked Windows zero-days that grant SYSTEM privileges. #PowerOFF #DraftKings #APT28 #GRU #LaptopFarms #NginxUI #ActiveMQ #Windows #KuwaitBanks #TennesseeHospital #NorthernIrelandEducationAuthority
Law Enforcement Actions
- Operation PowerOFF disrupted global DDoS-for-hire networks, with authorities across 21 countries seizing 53 domains, warning over 75,000 users, and arresting multiple suspects. – PowerOFF, DDoS Takedown
- Kamerin Stokes was sentenced to 30 months for selling access to about 60,000 DraftKings accounts compromised in a credential-stuffing attack, with over $1.3 million in restitution ordered. – DraftKings Sentencing, Account Sales
- Two U.S. nationals were sentenced for helping run a North Korea laptop-farm scheme that funneled more than $5 million to the DPRK through fake remote IT jobs at over 100 companies. – Laptop Farms, IT Worker Scheme
Exploited Vulnerabilities
- nginx-ui suffers from CVE-2026-33032, an authentication bypass that can lead to full Nginx server takeover and is already being exploited in the wild. – nginx-ui Flaw
- CISA flagged an Apache ActiveMQ flaw as actively exploited, while the leaked Windows zero-days BlueHammer, RedSun, and UnDefend are also being used in attacks to escalate to SYSTEM privileges. – ActiveMQ, Windows Zero-Days, RedSun PoC
- Microsoft warned that the April patch KB5082063 can trigger reboot loops on some Windows Server domain controllers due to LSASS crashes and related install issues. – Server Reboot Loops
- Cisco patched a critical Webex SSO flaw, CVE-2026-20184, that could let attackers impersonate users; completing the fix requires customers to upload a new SAML certificate. – Webex Fix
Malware and Intrusions
- A suspected Russian GRU campaign tied to APT28 targeted Western logistics firms supporting Ukraine using spearphishing, exploit chains, and malware including HEADLACE and MASEPIE. – GRU Campaign
- ZionSiphon is an OT malware sample built to sabotage water treatment and desalination systems by manipulating pressure and chlorine levels; researchers warned that the sample is not yet functional but that only a small fix stands between it and a working weapon. – ZionSiphon
- Attackers exploited a Marimo flaw to deploy NKAbuse malware hosted on Hugging Face, showing how trusted developer platforms are being abused for payload delivery. – NKAbuse
Crypto and Fraud
- Grinex halted trading after a major wallet breach that stole roughly $13–15 million in USDT, with the funds rapidly chain-hopped across Ethereum, Tron, and other chains and wallets. – Grinex Breach, Weekly Roundup
- Google said its Gemini-powered ad-safety systems blocked more than 8.3 billion policy-violating ads in 2025 and suspended nearly 25 million advertiser accounts tied to scam campaigns. – Gemini Ad Safety
- Kuwait banks launched real-time war rooms to combat rising cyber fraud threats as regional financial institutions strengthen incident response. – Kuwait Banks
AI and Security Strategy
- OpenAI expanded access to GPT-5.4-Cyber, a defender-focused model with deeper reverse-engineering capabilities, as policymakers debate how to govern fast-moving AI risks. – GPT-5.4-Cyber, AI Roundtable
- Lawmakers and experts warned that advanced AI could enable misuse of sensitive government data and deepfakes, increasing pressure for stronger safety guardrails and public-private coordination. – AI Risks, Private Sector
Breaches and Public Sector
- A targeted attack on the Northern Ireland Education Authority exposed personal data from a small number of schools, with containment underway and notifications pending. – Schools Breach
- A Tennessee hospital breach affected 337,000 people, adding to a growing wave of healthcare data incidents. – Hospital Breach
Developer and MSP Security
- A vulnerability chain in the Cursor AI code editor, dubbed NomShub, could turn hidden prompt-injection text in a malicious repository into remote code execution and shell access on developer machines. – Cursor Flaw
- A webinar highlighted how MSPs must rethink both security and recovery after phishing attacks to limit fallout and improve resilience. – MSP Webinar