TLP:CLEAR | CTI-2026-0407

Daily Threat Intelligence Brief - April 7, 2026

Tags: cti, vulnerabilities, ransomware, ai-security, agentic-ai, threat-actors

Executive Summary

  • FortiClient EMS zero-day now in CISA KEV (CVSS 9.8): CVE-2026-35616 added to CISA KEV on April 6 after confirmed exploitation since March 31. Unauthenticated RCE via improper access control. Emergency hotfix available, full patch still pending
  • Azure MCP Server authentication bypass (CVSS 9.1): CVE-2026-32211 allows unauthorized access to sensitive data through AI agent MCP integrations. Disclosed April 3, affecting organizations connecting Azure services to agentic AI workflows
  • JBFuzz achieves 99% jailbreak success rate: New automated fuzzing framework breaks guardrails on GPT-4o, Gemini 2.0, and DeepSeek-V3 with near-perfect reliability, while ProAct defense framework counters with spoofed optimization responses
  • APT28 weaponizes Signal messaging app: Russian threat group deploying SlimAgent malware through compromised Signal channels targeting Ukrainian military and government personnel
  • Iran claims $598M Lockheed Martin data cache: Iranian APT group claims possession of F-35 blueprints and defense data totaling 598 GB. Attribution and authenticity under investigation
  • Qilin ransomware targets US law enforcement: Faulkner County Sheriff's Office (Arkansas) confirmed as victim. Qilin maintains dominant Q1 position with 342 victims and expanding EDR-killing capabilities
  • Massachusetts emergency communications disrupted: Cyberattack disabled non-emergency phone lines at Patriot Regional Emergency Communications Center, affecting multiple towns in Middlesex County
  • Deepfake-as-a-Service expands on underground markets: Voice cloning now requires as little as 30 seconds of audio. Microsoft's "AI as Tradecraft" report documents operationalization of AI for social engineering at industrial scale
  • EU AI Act compliance deadline approaching: High-risk AI system requirements take effect August 2, 2026. Colorado's AI Act activates June 30, 2026. NIST launched AI Agent Standards Initiative in February

Critical Vulnerabilities

CVE-2026-35616: Fortinet FortiClient EMS Zero-Day (CVSS 9.8, ACTIVELY EXPLOITED)

Improper access control in FortiClient Enterprise Management Server allows unauthenticated remote attackers to execute arbitrary code on the server. FortiClient EMS manages endpoint deployments across enterprise networks, making compromise a pivot point for lateral movement across all managed endpoints. Active exploitation observed since March 31, 2026. Emergency hotfix released April 4. Added to CISA KEV on April 6 with remediation deadline of April 20.

  • CVSS: 9.8 (Critical)
  • CWE: Improper Access Control
  • Exploitation status: Actively exploited in the wild since March 31
  • Patch: Emergency hotfix available (April 4). Full patch pending
  • Action: Apply hotfix immediately, audit EMS logs back to March 31, monitor managed endpoints for indicators of compromise
  • Source: Help Net Security | Cyberscoop

CVE-2026-32211: Azure MCP Server Authentication Bypass (CVSS 9.1)

Critical authentication bypass in Microsoft's Azure MCP Server allows unauthorized access to sensitive data through AI agent integrations. As organizations increasingly connect Azure services to agentic AI workflows via MCP, this vulnerability exposes cloud resources to unauthorized data access without proper credential validation. Disclosed April 3, 2026.

  • CVSS: 9.1 (Critical)
  • CWE: Improper Authentication
  • Exploitation status: No confirmed wild exploitation. Proof-of-concept available
  • Action: Review Azure MCP Server deployments, apply patches, audit agent access logs for unauthorized data retrieval
  • Source: Dev.to Security Analysis

CVE-2026-34838: Group-Office Insecure Deserialization (CVSS 9.9)

An insecure deserialization vulnerability in the Group-Office groupware platform allows unauthenticated remote code execution. Enterprises use Group-Office for email, calendar, project management, and CRM, so exploitation gives attackers access to sensitive business data and internal communications.

  • CVSS: 9.9 (Critical)
  • CWE: Insecure Deserialization
  • Exploitation status: No confirmed wild exploitation
  • Action: Patch immediately, audit Group-Office instances for unauthorized access
  • Source: The Hacker Wire

CVE-2025-68143/44/45: Anthropic Git MCP Server RCE via Prompt Injection

Three high-severity vulnerabilities in Anthropic's official Git MCP server allow remote code execution through prompt injection. Attackers craft malicious repository content that, when processed by an AI agent using the Git MCP server, triggers arbitrary command execution on the host system. These vulnerabilities demonstrate the structural risk of connecting AI agents to code repositories without input sanitization.

  • Severity: High
  • Attack vector: Prompt injection via malicious repository content
  • Action: Update Git MCP server, implement repository content scanning before agent processing
  • Source: Adversa AI

CISA KEV Updates

CVE            | Product              | Added    | Deadline
CVE-2026-35616 | FortiClient EMS      | April 6  | April 20
CVE-2026-5281  | Chrome (Dawn/WebGPU) | April 1  | April 15
CVE-2026-3502  | TrueConf Client      | April 2  | April 16
CVE-2026-3055  | Citrix NetScaler     | March 30 | April 2 (!)

Ongoing: Cisco IMC (CVE-2026-20093) and SSM On-Prem (CVE-2026-20160) remain at CVSS 9.8 with no confirmed exploitation but trivial exploitability via single HTTP request. Weaponization expected within days.


AI Security Threats

Automated Jailbreaking Reaches Near-Perfect Success Rates

JBFuzz, a new automated jailbreak fuzzing framework, achieves approximately 99% attack success rates against GPT-4o, Gemini 2.0, and DeepSeek-V3. Combined with the Nature Communications finding that reasoning models (DeepSeek-R1, Gemini 2.5 Flash) autonomously plan and execute multi-turn jailbreak strategies at 97.14% success, automated AI-on-AI attacks have reached commodity status. Defensive research is responding: the ProAct framework counters automated jailbreaking by feeding spurious responses that trick attacker optimization loops into premature termination, effectively poisoning the attack feedback cycle.

  • Offensive shift: Jailbreaking no longer requires specialized expertise. API access plus a reasoning model is sufficient
  • Defensive response: ProAct demonstrates that active defense (deceiving the attacker's model) may be more effective than passive guardrails
  • Source: Nature Communications | CyberArk

Azure MCP Server Flaw Exposes Agentic AI Data Pipelines

CVE-2026-32211 (CVSS 9.1) in Azure MCP Server is the first critical vulnerability specifically targeting the interface between cloud infrastructure and AI agents. As MCP adoption accelerates, with over 8,000 servers exposed on the public internet, the authentication bypass allows attackers to intercept data flowing between Azure services and AI agents without credentials. Combined with the three Anthropic Git MCP server RCE vulnerabilities (CVE-2025-68143/44/45), MCP infrastructure is emerging as a primary attack surface for agentic AI systems.

  • 8,000+ MCP servers exposed on the public internet, 43% with at least one vulnerability
  • No major framework cryptographically verifies MCP payloads for authenticity, modification, or replay
  • CoSAI white paper (January 2026) provides MCP security guidance but adoption remains limited
  • Source: Adversa AI | CoSAI | Vulnerable MCP Project
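
The three properties named above (authenticity, modification, replay) can be checked with a signed envelope around each agent message. The following is an added example, not code from the MCP specification, the CoSAI paper, or any vendor; the envelope layout, the shared-key HMAC scheme, and the MAX_SKEW policy value are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW = 30  # seconds an envelope stays acceptable (assumed policy value)


def _mac(key, body):
    # Canonical JSON so sender and receiver MAC exactly the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal(key, message, now=None):
    """Wrap a JSON-RPC message in a signed envelope (hypothetical format)."""
    ts = int(time.time() if now is None else now)
    body = {"msg": message, "ts": ts, "nonce": secrets.token_hex(16)}
    return {"body": body, "mac": _mac(key, body)}


class Verifier:
    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp, pruned once outside the window

    def verify(self, env, now=None):
        """Return (message, "ok") or (None, reason) for a rejected envelope."""
        now = time.time() if now is None else now
        body, mac = env.get("body"), env.get("mac")
        if not isinstance(body, dict) or not isinstance(mac, str) or not mac.isascii():
            return None, "malformed"
        if not hmac.compare_digest(_mac(self.key, body), mac):
            return None, "bad-mac"  # forged or modified in transit
        if abs(now - body["ts"]) > MAX_SKEW:
            return None, "stale"  # authentic but outside the freshness window
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if body["nonce"] in self.seen:
            return None, "replay"  # authentic and fresh, but already processed
        self.seen[body["nonce"]] = body["ts"]
        return body["msg"], "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # shared secret, provisioned out of band
    env = seal(key, {"jsonrpc": "2.0", "id": 1, "method": "tools/call"})
    v = Verifier(key)
    print(v.verify(env), v.verify(env))  # second call is rejected as a replay
```

The nonce cache only needs to cover the freshness window, because anything older is already rejected as stale.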

Deepfake Social Engineering Goes Industrial

Microsoft's "AI as Tradecraft" report (March 6) documents how threat actors now operationalize AI for social engineering at scale. Voice cloning requires as little as 30 seconds of source audio. Deepfake-as-a-Service (DaaS) offerings are expanding on underground markets, enabling non-technical threat actors to create convincing video and audio impersonations. The Drift Protocol heist (UNC4736, $285M) used AI-enhanced social engineering as part of its six-month infiltration campaign, demonstrating nation-state adoption of these techniques.

  • 30 seconds of audio is sufficient for convincing voice clone generation
  • DaaS marketplace expansion lowers the barrier for social engineering attacks to near-zero technical skill
  • Business email compromise (BEC) losses exceeded $2.7B in 2025, with AI-powered variants showing higher success rates
  • Source: Microsoft AI Tradecraft Report | HawkEye

AI Supply Chain Attacks: TeamPCP's Nine-Day Rampage

TeamPCP compromised four major open-source projects in nine days (March 19-27): Trivy (security scanner), KICS (infrastructure-as-code scanner), LiteLLM (AI proxy, 3.4M daily downloads), and Telnyx (communications). The LiteLLM attack deployed a three-stage payload: credential harvesting from environment variables, Kubernetes lateral movement, and persistent backdoor installation. Combined with the Axios npm compromise (100M weekly downloads, attributed to North Korea), March 2026 represents the most concentrated software supply chain attack period in history.

  • Cascading impact: LiteLLM breach led to the Mercor compromise, affecting AI training data supplied to Anthropic, OpenAI, and Meta
  • Attack pattern: Social engineering of maintainer accounts, not code-level exploitation
  • Source: Security Boulevard | Help Net Security

Regulatory Convergence: Compliance Deadlines Approaching

Three major AI security regulatory milestones are approaching. The EU AI Act requires adversarial testing for high-risk AI systems by August 2, 2026. Colorado's AI Act takes effect June 30, 2026. NIST launched the AI Agent Standards Initiative in February 2026, establishing interoperability and security requirements for autonomous AI systems. Cyber insurers are now introducing "AI Security Riders" requiring documented red-teaming as a coverage prerequisite.

  • EU AI Act (August 2, 2026): Mandatory adversarial testing, risk assessments, and transparency requirements for high-risk AI
  • Colorado AI Act (June 30, 2026): State-level AI regulation with enforcement mechanisms
  • Insurance impact: Organizations without documented AI red-teaming may face coverage gaps
  • Source: NIST AI Agent Standards

Threat Actor Activity

APT28 (Russia): Signal Messaging Weaponization

APT28 (Fancy Bear) is deploying SlimAgent malware through compromised Signal messaging channels, targeting Ukrainian military and government personnel. The campaign exploits trust in encrypted messaging platforms by compromising legitimate Signal accounts and distributing malicious files through existing group chats. This represents an evolution from APT28's earlier Operation Neusploit (CVE-2026-21509, Microsoft Office bypass) which targeted maritime and transport organizations across nine nations.

  • Target: Ukrainian military and government personnel
  • Vector: Compromised Signal accounts distributing malicious files
  • Malware: SlimAgent backdoor with C2 capabilities
  • Source: Intel 471 via Industrial Cyber

Iranian APT: Lockheed Martin Data Claim

An Iranian APT group claims possession of approximately 598 GB of Lockheed Martin data including F-35 blueprints, defense system specifications, and classified program documentation. Attribution and data authenticity remain under investigation. This claim follows the broader Iranian cyber escalation after US-Israel strikes on February 28, 2026, during which 60+ Iranian-aligned groups activated against US and allied infrastructure. The Handala group's confirmed attack on Stryker Corp (March 11) demonstrates that Iranian groups are capable of impactful operations against major US companies.

  • Claimed data: 598 GB including F-35 blueprints and defense specifications
  • Context: Escalation following February 28 military strikes
  • Confirmed Iranian activity: Stryker Corp manufacturing disruption (Handala, March 11)
  • Source: Cybersecurity Dive | Industrial Cyber

North Korea: Capability Diversification Beyond Crypto

North Korean cyber operations are diversifying beyond cryptocurrency theft into broad software supply chain compromise. The Axios npm attack (UNC1069/Sapphire Sleet) represents the most impactful JavaScript supply chain attack in history, while the $285M Drift Protocol heist (UNC4736) demonstrates continued DeFi targeting. ODNI reports North Korea stole approximately $2 billion in cryptocurrency in 2025 alone to fund weapons programs.

  • Axios compromise: 100M weekly downloads, cross-platform RAT deployed
  • Drift Protocol: $285M drained in 12 minutes after 6-month social engineering operation
  • 2025 crypto theft total: Approximately $2 billion (ODNI)
  • Source: Microsoft | ODNI

Ransomware & Data Breaches

Weekly Ransomware Metrics

Metric                     | Value
Weekly victims (April 1-7) | 168 across 43 countries
Active operators           | 31 data-leaking groups (3 newly found)
March 2026 total           | 808 victims (19% jump from February)
Q1 2026 dominant group     | Qilin: 342 victims, EDR-killer malware
Active ransomware groups   | 65 distinct operators
Annualized 2026 pace       | 8,660+ victims (18.5% over 2025)
2025 YoY increase          | 58% over 2024 (GuidePoint Security)

Notable Incidents

Target                           | Operator       | Details
Faulkner County Sheriff (AR)     | Qilin          | US law enforcement targeted; data exfiltration confirmed
Patriot Regional Emergency Comms | Unknown        | Non-emergency lines disabled across Middlesex County, MA
Center for Hearing and Comms     | Interlock      | Healthcare org; data exfiltration confirmed
French Ministry of Agriculture   | Lapsus$        | 60.9 GB: FTP creds, SQL DBs, logs across 32 departments
Nissan Motor Corp                | Everest        | 910 GB via third-party file transfer; dealership data
Stryker Corp                     | Handala (Iran) | Manufacturing and shipping disrupted March 11

Ransomware Ecosystem Trends

Qilin maintains its dominant position through Q1 2026 with advanced BYOVD (Bring Your Own Vulnerable Driver) techniques targeting over 300 EDR product drivers. Akira has risen to the number two position, absorbing affiliates from defunct groups. LockBit, while still active with 17 new victims in early April, has fallen to 35th overall after Operation Cronos disruption. The ecosystem continues expanding, with three new ransomware operators discovered in the first week of April alone. Organizations relying solely on endpoint detection face growing blind spots as anti-EDR techniques become standard practice across multiple groups.


Recommended Actions

Immediate (24-48 Hours)

  1. Apply FortiClient EMS hotfix: CVE-2026-35616 is actively exploited and now in CISA KEV with April 20 deadline. Audit EMS logs back to March 31 for indicators of compromise
  2. Verify Citrix NetScaler patches: CVE-2026-3055 CISA KEV deadline (April 2) has passed. Any unpatched instances are overdue and likely targeted
  3. Patch Cisco IMC and SSM On-Prem: CVE-2026-20093 and CVE-2026-20160 (both CVSS 9.8) are trivially exploitable via single HTTP request. Weaponization expected imminently
  4. Verify Axios npm versions: Remove versions 1.14.1 and 0.30.4. Run npm audit and npm ls axios across all projects and CI/CD pipelines
  5. Audit n8n deployments: CVE-2026-21858 (CVSS 10.0) with 59,500 vulnerable servers. Upgrade to v1.121.0+ and rotate all credentials

Short-Term (This Week)

  1. Review Azure MCP Server deployments: CVE-2026-32211 (CVSS 9.1) auth bypass. Audit agent access logs and apply patches
  2. Audit all MCP integrations: Check for Anthropic Git MCP server vulnerabilities (CVE-2025-68143/44/45). Update to latest versions
  3. Verify LiteLLM versions: Ensure no malicious versions (1.82.7, 1.82.8) are cached. Upgrade to v1.83.0+, rotate all API keys
  4. Prepare for April Patch Tuesday (April 14): Expect 80-100+ Microsoft CVEs. March patches had quality issues (KB5079391 pulled within 24 hours), so plan extended testing
  5. Implement Signal security awareness: Brief personnel on APT28's Signal weaponization campaign. Verify message authenticity through out-of-band channels

Strategic

  1. Establish MCP security posture: Audit all MCP integrations, implement payload verification, restrict exposed MCP servers. Reference CoSAI white paper for framework
  2. Begin EU AI Act compliance planning: High-risk AI system requirements take effect August 2, 2026. Mandatory adversarial testing, risk assessments, and transparency documentation required
  3. Deploy anti-EDR countermeasures: Qilin and other groups are killing EDR via BYOVD targeting 300+ drivers. Implement driver allowlisting and kernel-level protections
  4. Harden software supply chain: Pin dependency versions, enable lockfile integrity checks. Both Axios and LiteLLM attacks succeeded via social engineering of maintainers, not code exploits
  5. Evaluate deepfake detection capabilities: DaaS expansion lowers social engineering barriers. Implement voice verification protocols for financial and privileged access requests
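
The Axios and LiteLLM version checks in the Immediate and Short-Term lists, and the lockfile checks in Strategic item 4, can be scripted across repositories and CI caches. The following is an added example, not tooling from this brief or from either project; it flags only the versions named above, and the sample inputs are constructed. Unpinned ranges are not flagged, so run it against lockfiles and `pip freeze` output rather than loose requirement specs.

```python
import json
import re

# Versions this brief names as malicious; extend from your own advisories.
FLAGGED = {"npm": {"axios": {"1.14.1", "0.30.4"}},
           "pypi": {"litellm": {"1.82.7", "1.82.8"}}}
# name[extras]==version, as found in requirements files and `pip freeze` output
PIN = re.compile(r"^\s*([A-Za-z0-9][\w.-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#\\]+)")


def scan_package_lock(text):
    """Return sorted (install path, name, version) hits in package-lock.json text."""
    lock, hits = json.loads(text), set()
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rpartition("node_modules/")[2]
        if meta.get("version") in FLAGGED["npm"].get(name, ()):
            hits.add((path, name, meta["version"]))

    def walk(deps, prefix):  # lockfileVersion 1/2: nested "dependencies" tree
        for name, meta in deps.items():
            where = f"{prefix}node_modules/{name}"
            if meta.get("version") in FLAGGED["npm"].get(name, ()):
                hits.add((where, name, meta["version"]))
            walk(meta.get("dependencies", {}), where + "/")

    walk(lock.get("dependencies", {}), "")
    return sorted(hits)


def scan_requirements(text):
    """Return (line number, name, version) for exact pins of flagged releases."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PIN.match(line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 form
            if m.group(2) in FLAGGED["pypi"].get(name, ()):
                hits.append((lineno, name, m.group(2)))
    return hits


SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {  # constructed sample
    "": {"name": "app"}, "node_modules/axios": {"version": "1.6.8"},
    "node_modules/sdk/node_modules/axios": {"version": "0.30.4"}}})
SAMPLE_REQS = "requests==2.32.0\nlitellm[proxy]==1.82.8\nLiteLLM==1.83.0\n"  # constructed

if __name__ == "__main__":
    print(scan_package_lock(SAMPLE_LOCK), scan_requirements(SAMPLE_REQS))
```

Scanning the lockfile rather than package.json catches transitive copies, such as the nested `sdk` dependency in the sample, that a top-level version check would miss.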
