Daily Threat Intelligence Brief - April 18, 2026
Executive Summary
- Apache ActiveMQ RCE (CVE-2026-34197) added to CISA KEV April 16: A 13-year-old flaw in the Jolokia management API allows remote code execution on ActiveMQ Classic 5.x and 6.0.0 through 6.1.1. Discovered by Horizon3.ai researcher Naveen Sunkavally with Claude assistance. Fortinet FortiGuard telemetry observed exploitation peaking April 14, delivering ransomware, coin miners, and backdoors. Federal agencies must patch by April 30
- SharePoint zero-day CVE-2026-32201 actively exploited: Microsoft's April 8 Patch Tuesday addressed 168 CVEs including a confirmed exploited SharePoint spoofing flaw. CISA added it to KEV with an April 28 federal deadline. Two additional critical Windows RCEs (CVE-2026-33824 IKE CVSS 9.8, CVE-2026-33827 TCP/IP CVSS 8.1) are trivially weaponizable
- Fortinet FortiClient EMS SQL injection (CVE-2026-21643) in KEV: Pre-authentication SQL injection via the Site HTTP header affecting v7.4.4 multi-tenant deployments. Exploitable through /api/v1/init_consts with a single crafted request. Federal deadline was April 16, extraction of admin credentials and endpoint inventory confirmed in the wild
- ShinyHunters extortion spree breaks records: 78.6 million Rockstar Games records leaked after the April 14 deadline passed, stolen via compromised Anodot analytics tokens pivoting into Snowflake. McGraw Hill confirmed 13.5 million accounts exposed, 100+ GB dumped after refused payment, traced to a Salesforce configuration issue affecting multiple organizations
- Agentic AI emerges as dominant 2026 attack surface: Unit 42 catalogs 22 distinct indirect prompt injection techniques observed in telemetry. An audit of 30 agent frameworks finds 93% use unscoped API keys and 97% lack user consent mechanisms. OpenClaw sandbox testing shows only 17% baseline defense against escape attempts
- Iranian APT targeting Rockwell PLCs in US critical infrastructure: April 7 joint advisory confirms active exploitation of internet-facing Allen-Bradley devices across energy, wastewater, transportation, and defense industrial base. Operators observed manipulating HMI and SCADA displays directly
- Qilin maintains ransomware lead: HBX Group (Spain hospitality, April 17), Limkon (Turkish beverage, April 15), Clearwater Marine Aquarium, and multiple European manufacturers added to leak site. Qilin and DragonForce combined account for 21% of weekly ransomware volume
- Operation PowerOFF seizes 53 DDoS domains: International law enforcement takedown arrested four operators tied to commercial booter services used by more than 75,000 customers
- NIST NVD enrichment policy takes effect: Starting April 15, NIST applies selective criteria to CVE enrichment in response to submission overload, shifting analysis workload to downstream vendors and operators
Critical Vulnerabilities
CVE-2026-34197: Apache ActiveMQ Jolokia RCE (CVSS 8.8, ACTIVELY EXPLOITED)
Improper input validation in Apache ActiveMQ Classic permits authenticated attackers to invoke management operations through the Jolokia API with a crafted discovery URI, triggering the VM transport's brokerConfig parameter to load a remote Spring XML application context. Because Spring's ResourceXmlApplicationContext instantiates singleton beans before BrokerService validates configuration, arbitrary code executes on the broker's JVM through bean factory methods like Runtime.exec(). On ActiveMQ 6.0.0 through 6.1.1, Jolokia is completely unauthenticated, making the flaw exploitable without credentials. The vulnerability existed for 13 years before being surfaced by Horizon3.ai researcher Naveen Sunkavally working alongside Claude.
- CVSS: 8.8 (High)
- CWE: CWE-20 Improper Input Validation leading to code injection
- Affected: ActiveMQ Classic 5.x and 6.0.0 through 6.1.1 (unauthenticated path)
- Patched: Versions 5.19.4 and 6.2.3
- Exploitation status: Active exploitation peaked April 14 per Fortinet FortiGuard telemetry. Initial access followed by ransomware, crypto miners, and backdoors
- Detection: Broker logs referencing vm:// URIs with brokerConfig=xbean:http, POST requests to /api/jolokia/ containing addNetworkConnector
- Action: Patch immediately, restrict Jolokia exposure, hunt for historical compromise indicators
- Source: The Hacker News | Horizon3.ai | BleepingComputer | Help Net Security
CVE-2026-32201: Microsoft SharePoint Server Spoofing Zero-Day (CVSS 6.5, ACTIVELY EXPLOITED)
Improper input validation in Microsoft Office SharePoint allows an unauthenticated attacker to perform spoofing over the network, view sensitive information, and make unauthorized changes to disclosed data. Microsoft confirmed wild exploitation at the time of April 8 Patch Tuesday disclosure. CISA added CVE-2026-32201 to KEV on April 14 with a federal remediation deadline of April 28. Affected products include SharePoint 2016, 2019, and SharePoint Server Subscription Edition.
- CVSS: 6.5 (Medium)
- Exploitation status: Confirmed in the wild as zero-day
- Patched: Microsoft April 2026 security update rollup (April 8)
- Action: Apply April Patch Tuesday updates across all SharePoint farms, audit file and list access for spoofed content, monitor for unusual write operations
- Source: Tenable | The Hacker News | SecurityWeek | Security Affairs
CVE-2026-21643: Fortinet FortiClient EMS Pre-Auth SQL Injection (CRITICAL, ACTIVELY EXPLOITED)
Pre-authentication SQL injection in FortiClient Endpoint Management Server v7.4.4 multi-tenant deployments. The application passes the Site HTTP header directly into a database query without validation and before authentication. The /api/v1/init_consts endpoint is publicly accessible, returns database error messages, and has no lockout protections, enabling rapid data extraction with a single crafted HTTP request. Successful exploitation yields admin credentials, endpoint inventory, security policies, and managed-endpoint certificates, establishing a pivot point into every device the EMS manages.
- Severity: Critical (pre-auth RCE-adjacent data exfiltration)
- Affected: FortiClient EMS v7.4.4 multi-tenant. Single-site deployments not affected
- Patched: Version 7.4.5
- Exploitation status: Added to CISA KEV April 13, federal remediation deadline April 16
- Action: Upgrade immediately to 7.4.5, rotate admin credentials, reissue managed endpoint certificates, audit /api/v1/init_consts request logs
- Source: Bishop Fox | Picus Security | Cybersecurity News | Horizon3.ai
CVE-2026-33824: Windows IKE Remote Code Execution (CVSS 9.8)
Remote unauthenticated code execution in the Windows Internet Key Exchange service. Systems with IKE enabled for IPsec VPN or L2TP are at risk. CVSS 9.8 with network attack vector and low complexity. No confirmed exploitation at time of disclosure, but the trivial attack surface makes proof-of-concept development and weaponization likely in the coming days.
- CVSS: 9.8 (Critical)
- Exploitation status: No confirmed wild activity. PoC development expected imminently
- Action: Apply April Patch Tuesday updates, audit exposed IKE and IPsec endpoints, consider temporary UDP/500 and UDP/4500 restrictions for non-essential hosts
- Source: Cybersecurity News | BleepingComputer
CVE-2026-34621: Adobe Acrobat and Reader Prototype Pollution (CRITICAL, ACTIVELY EXPLOITED)
Prototype pollution in Adobe Acrobat and Reader permitted in-the-wild exploitation via malicious PDF files for at least four months before Adobe's April 11 patch. CISA added the flaw to KEV on April 13. Telemetry from endpoint vendors indicates targeted campaigns against legal, government, and financial sectors leveraging PDF lures with embedded JavaScript exploiting the prototype chain.
- Exploitation status: Active for approximately four months prior to patch
- Patched: Adobe security update (April 11)
- Action: Update all Acrobat and Reader deployments, enforce Protected View, treat externally sourced PDFs as suspect pending update rollout
- Source: GBlock | The Hacker News
CISA KEV Updates - April 2026
| CVE | Product | Added | Federal Deadline |
|---|---|---|---|
| CVE-2026-34197 | Apache ActiveMQ Classic | April 16 | April 30 |
| CVE-2026-32201 | Microsoft SharePoint Server | April 14 | April 28 |
| CVE-2026-21643 | Fortinet FortiClient EMS | April 13 | April 16 |
| CVE-2026-34621 | Adobe Acrobat and Reader | April 13 | April 27 |
| CVE-2025-60710 | Microsoft Windows Link Following | April 13 | April 27 |
| CVE-2023-21529 | Microsoft Exchange Server | April 13 | April 27 |
| CVE-2023-36424 | Windows Out-of-Bounds Read | April 13 | April 27 |
| CVE-2020-9715 | Adobe Acrobat Use-After-Free | April 13 | April 27 |
| CVE-2012-1854 | Microsoft VBA Insecure Loading | April 13 | April 27 |
| CVE-2009-0238 | Microsoft Office RCE | April 14 | April 28 |
AI Security Threats
IBM Launches Enterprise Agentic AI Defense Suite
IBM announced new cybersecurity measures on April 15 targeted specifically at agentic attacks. The rollout includes agent identity provisioning, runtime behavioral monitoring, and supply-chain validation for agent capability manifests. The announcement lands amid growing recognition that agent security cannot be bolted onto existing application security programs without rethinking identity, authorization, and action authorization boundaries. IBM's framing positions 2026 as the year when autonomous AI systems move from proof-of-concept curiosity to everyday production attack surface.
- Capabilities: Per-agent identity, runtime anomaly detection, capability manifest validation
- Context: 48.9% of organizations cannot monitor agent-to-agent (M2M) traffic according to 1H 2026 State of AI and API Security Report
- Source: IBM Newsroom | Security Boulevard
Unit 42 Catalogs 22 Indirect Prompt Injection Techniques in Live Telemetry
Palo Alto Networks Unit 42 analyzed production telemetry from agent deployments and identified 22 distinct indirect prompt injection techniques actively weaponized against enterprise AI workflows. The research confirms a shift from theoretical academic attacks to in-the-wild exploitation. Categories span hidden-text injection in documents, HTML attribute poisoning for browsing agents, retrieval-augmented generation (RAG) corpus poisoning, tool-output injection, and memory persistence attacks where one malicious session contaminates future agent runs.
- Observation: Attacks moved from labs to logs. Multiple vendors confirming wild activity
- Defensive implication: Input-layer filters alone fail. Output-layer action authorization is required
- Detection baseline: Current detectors catch roughly 23% of sophisticated prompt injection attempts
- Source: BizTech Magazine | Adversa AI | Airia
Google DeepMind Maps Web Attacks on Browsing Agents
DeepMind researchers published a taxonomy of six attack categories that can be mounted via web content to hijack browsing AI agents. The paper documents "AI Agent Traps" designed to weaponize an agent's own capabilities against its operator, including forced product promotion, silent data exfiltration to attacker-controlled endpoints, and coordinated disinformation seeding through multi-step agent chains. Proof-of-concept pages successfully redirected Claude, Gemini, and GPT-4o backed agents into attacker-desired behaviors without user awareness.
- Attack categories: Behavioral hijacking, credential exfiltration, poisoned retrieval, tool abuse, persistence implants, multi-agent collusion
- Implication: Browsing agents must treat the open web as a hostile prompt source, not a trusted input
- Source: SecurityWeek | Adversa AI
OpenClaw Benchmark: 17% Baseline Defense Rate, 91.5% With HITL
Researchers tested agent sandbox escapes across 47 adversarial scenarios under the OpenClaw evaluation framework and measured only a 17% average defense rate against escape attempts. Adding a human-in-the-loop (HITL) authorization layer for risky actions raised the success rate to 91.5%. The result reinforces a growing consensus that fully autonomous agent deployments require supplemental controls for high-risk tool invocations, and that removing human approval prematurely in pursuit of throughput creates disproportionate security exposure.
- Finding: Autonomous agents remain structurally vulnerable to sandbox escape
- Mitigation: HITL gating on privileged tool calls produces measurable defense improvement
- Source: Adversa AI
Agent Framework Audit: 93% Use Unscoped API Keys
A systematic audit of 30 widely deployed AI agent frameworks reveals structural identity and consent deficits. 93% rely on unscoped API keys that grant full-account access. 0% implement per-agent identity (every agent in the same org uses the same key). 97% provide no user consent mechanism for tool invocations. The resulting blast radius for any compromised agent is effectively equivalent to account takeover, which compounds the severity of every prompt injection and supply-chain attack against the agent layer.
- Recommendation: Scoped credentials per agent, delegated authorization via OAuth device flows, explicit consent UX for privileged actions
- Source: Adversa AI | OWASP Top 10 for Agentic Applications
MCP Ecosystem: Cross-Tool Hijacking and Cost Amplification
Ongoing research into the Model Context Protocol ecosystem continues to surface exploitable weaknesses. A new demonstration shows a malicious MCP server injecting tool descriptions that override trusted server tool definitions, enabling email redirection to attacker-controlled addresses with less than 3% detection rate by standard defenses. A separate cost-amplification attack steers an LLM agent into prolonged tool-calling chains that silently inflate per-query costs by up to 658x, a denial-of-wallet pattern that bypasses request-rate defenses because the individual calls look legitimate.
- Prior context: 43% of public MCP servers vulnerable to command injection, 36.7% vulnerable to SSRF (Adversa AI baseline)
- Microsoft Threat Intelligence (April 2): Frontier models are accelerating every phase of the offensive lifecycle, lowering the attacker skill floor
- Source: Adversa AI | Microsoft Security Blog
Threat Actor Activity
Iranian APT: Active Exploitation of Rockwell PLCs in US Critical Infrastructure
The US government issued a joint advisory on April 7 warning that Iranian-linked APT groups are conducting ongoing cyber exploitation of internet-facing operational technology devices, including programmable logic controllers from Rockwell Automation and Allen-Bradley. Priority targets include energy, wastewater treatment, transportation, telecommunications, defense industrial base, federal contractors, and government mission-support systems. Operators have been observed maliciously interacting with project files and manipulating data displayed on HMI and SCADA screens. The campaign follows the broader escalation after the February 28 US-Israel strikes.
- Targets: Energy, wastewater, transportation, telecom, defense industrial base
- Observed behavior: PLC project file tampering, HMI/SCADA display manipulation
- Source: SC Media | Infosecurity Magazine | Trellix
Chinese State-Sponsored APT: Sustained Critical Infrastructure Access Campaign
CISA, NSA, FBI, and international partners released a joint advisory detailing ongoing malicious activity by PRC state-sponsored APT actors aimed at gaining long-term access to critical infrastructure networks worldwide to feed global espionage systems. The advisory emphasizes pre-positioning rather than immediate disruption, consistent with the pattern previously documented under Volt Typhoon and Salt Typhoon reporting. Targeted sectors span telecommunications, transportation, water, and energy, with observed use of living-off-the-land techniques that avoid traditional malware signatures.
- Tactics: Living-off-the-land, credential theft, dormant implants, network edge device abuse
- Source: CISA
ShinyHunters: Coordinated Extortion Across Salesforce and Analytics Pipelines
ShinyHunters leveraged a Salesforce environment misconfiguration affecting multiple organizations to stage extortion campaigns against education, gaming, and enterprise targets. McGraw Hill disclosed 13.5 million accounts exposed after the group dumped more than 100 GB of data following failed negotiations. In the Rockstar Games incident, ShinyHunters compromised authentication tokens for Anodot (a third-party analytics and cloud-cost monitoring platform) and pivoted into linked Snowflake data warehouses, ultimately exfiltrating 78.6 million records and leaking them after the April 14 deadline passed. The pattern highlights third-party analytics and CRM integrations as high-value pivot points.
- Rockstar Games: 78.6M records via Anodot to Snowflake pivot
- McGraw Hill: 13.5M accounts (names, phone, email, addresses) via Salesforce misconfiguration, 100+ GB leaked
- Source: The Register (McGraw Hill) | BleepingComputer | The Register (Rockstar) | Tom's Hardware
Operation PowerOFF: Commercial DDoS Service Takedown
International law enforcement seized 53 domains and arrested four operators tied to commercial distributed denial-of-service (booter and stresser) services with customer bases totaling more than 75,000 cybercriminals. The operation demonstrates continued disruption pressure on the mid-tier commercial cybercrime economy, complementing earlier takedowns against LockBit infrastructure (Operation Cronos) and marketplace operators.
- Scale: 53 domains seized, 4 arrests, 75,000+ downstream customers
- Source: Integrity360 Cyber News Roundup
Ransomware & Data Breaches
Weekly Ransomware Metrics (April 10-17)
| Metric | Value |
|---|---|
| Weekly leak-site postings | ~185 across 40+ countries |
| Top operators by volume | Qilin, DragonForce (combined 21% of weekly) |
| Newly observed operators | 2 additional data-leaking brands this week |
| Total active operators (YTD) | 67 distinct groups |
| Q1 2026 confirmed victims | 2,200+ (BlackFog baseline) |
| 2026 YoY pace | 18 to 22% increase projected over 2025 |
Notable Incidents This Period
| Target | Operator | Details |
|---|---|---|
| Rockstar Games (Take-Two) | ShinyHunters | 78.6M records via Anodot to Snowflake pivot, leaked April 14 |
| McGraw Hill | ShinyHunters | 13.5M accounts via Salesforce misconfig, 100+ GB dumped |
| HBX Group (Spain) | Qilin | Hospitality tech aggregator, leak site listing April 17 |
| Limkon (Turkey) | Qilin | Beverage manufacturer, listed April 15 |
| Clearwater Marine Aquarium (US) | Qilin | Non-profit conservation organization |
| Signature Healthcare Brockton (MA) | Anubis | Hospital systems disrupted, ER placed on diversion |
| Basic-Fit (Netherlands) | Unknown | ~1M members, bank details exposed |
| Booking.com customer data | Unknown | Reservation PII disclosed April 12 |
| ChipSoft (Netherlands) | Unknown | Healthcare software vendor, public services disrupted |
| Gruppo ICM SPA (Italy) | Qilin | Industrial manufacturer |
| Herth+Buss (Germany) | Qilin | Automotive parts distributor |
Ransomware Ecosystem Trends
Qilin retains its Q1 leadership position into April with BYOVD-based EDR evasion and an RaaS affiliate program that continues to absorb operators displaced by law enforcement actions against other brands. DragonForce is the fastest-climbing brand, now contributing meaningfully to weekly victim volume. Anubis, previously a lower-volume operator, surfaced this week with the Signature Healthcare Brockton Hospital attack, demonstrating the ongoing healthcare exposure. ShinyHunters continues to favor extortion-only operations built on upstream SaaS pivots (Salesforce, Snowflake, analytics platforms) rather than endpoint encryption, a pattern that evades most EDR-centric defenses entirely.
- Source: BlackFog State of Ransomware 2026 | Ransomware.live Qilin Profile | Bitdefender Threat Debrief April 2026 | SharkStriker April 2026 Breach Roundup
Recommended Actions
Immediate (24-48 Hours)
- Patch Apache ActiveMQ immediately: Upgrade to 5.19.4 or 6.2.3, audit Jolokia endpoint exposure, hunt broker logs for vm:// brokerConfig activity and POST /api/jolokia/ containing addNetworkConnector. CISA KEV federal deadline April 30
- Apply April Patch Tuesday: Prioritize SharePoint (CVE-2026-32201, exploited) and Windows IKE (CVE-2026-33824, CVSS 9.8). Test rollouts given Microsoft's March KB quality issues, but do not delay more than 72 hours
- Upgrade FortiClient EMS 7.4.4 multi-tenant: Move to 7.4.5 immediately, rotate admin credentials, reissue endpoint certificates, audit /api/v1/init_consts request history. CISA KEV deadline April 16 already passed
- Update Adobe Acrobat and Reader: CVE-2026-34621 exploited for four months. Enforce Protected View, patch all endpoints
- Rotate Salesforce integration credentials: The Salesforce misconfiguration enabling the McGraw Hill breach reportedly affects multiple organizations. Audit third-party Salesforce connectors, review external share settings, and revoke unused connected apps
Short-Term (This Week)
- Audit analytics and cost-monitoring integrations: The Anodot token compromise that led to Rockstar's 78.6M record breach demonstrates third-party analytics as high-value pivot targets. Inventory integrations, scope credentials minimally, monitor for anomalous Snowflake query volumes
- Inventory and scope MCP server deployments: Apply least-privilege credentials, verify payload authenticity, restrict exposure. Review any tool definitions accepting cross-server input
- Assess agent framework identity hygiene: Audit API key scoping, implement per-agent identity where feasible, add consent prompts for privileged tool invocations against the 97% baseline gap
- Review OT exposure to Iranian-linked TTPs: Inventory internet-facing Rockwell and Allen-Bradley PLCs, segment from IT networks, monitor HMI/SCADA log integrity
- Brief executive protection teams on ShinyHunters extortion pattern: Third-party SaaS pivot compromises bypass EDR. Incident response plans should include rapid SaaS credential rotation and Snowflake query-log forensics
Strategic
- Deploy agentic AI defense program: Evaluate IBM, Adversa, and emerging vendor offerings for agent identity, runtime monitoring, and capability manifest validation. Budget for HITL layers on privileged tool calls given the OpenClaw 17 to 91.5% defense delta
- Build indirect prompt injection detection baseline: Apply Unit 42's 22-technique taxonomy to detection engineering. Treat any external content reaching an agent context (email, docs, web pages, RAG corpus) as an untrusted prompt source
- Prepare for NIST NVD enrichment gaps: With NIST's April 15 policy narrowing CVE enrichment, vulnerability programs should establish supplemental sources (vendor-specific feeds, Horizon3, CVE.org references) to avoid coverage loss on non-enriched CVEs
- Plan for upcoming AI regulatory deadlines: Colorado AI Act (June 30, 2026), EU AI Act high-risk provisions (August 2, 2026). Mandatory adversarial testing documentation should be in draft by end of Q2
- Expand OT/ICS incident response tabletop coverage: Iranian and Chinese APT activity on PLCs and HMIs is no longer theoretical. Exercise response to manipulated sensor readings and adversary-in-the-middle SCADA scenarios
Sources
- Apache ActiveMQ CVE-2026-34197, The Hacker News
- ActiveMQ Jolokia RCE, Horizon3.ai
- CISA KEV ActiveMQ, BleepingComputer
- Claude-assisted ActiveMQ Discovery, Help Net Security
- ActiveMQ KEV, Qualys ThreatPROTECT
- SharePoint CVE-2026-32201, Tenable
- Microsoft April Patch Tuesday, The Hacker News
- SharePoint Zero-Day, Security Affairs
- April 2026 Patch Tuesday, BleepingComputer
- SharePoint Patch Analysis, SecurityWeek
- April 2026 Update Review, Zero Day Initiative
- FortiClient EMS CVE-2026-21643, Bishop Fox
- FortiClient EMS SQLi, Picus Security
- FortiClient EMS KEV, Cybersecurity News
- FortiClient EMS Research, Horizon3.ai
- Adobe Acrobat CVE-2026-34621, GBlock
- CISA KEV April Additions, The Hacker News
- CISA KEV April 13 Alert
- CISA KEV April 14 Alert
- CISA KEV April 16 Alert
- CISA KEV Catalog
- IBM Agentic AI Defense Launch
- Microsoft AI Threat Actor Blog
- Prompt Injection, BizTech Magazine
- Top Agentic AI Resources, Adversa AI
- Top GenAI Security Resources, Adversa AI
- Top MCP Security Resources, Adversa AI
- AI Agent Web Attacks, SecurityWeek
- Agentic AI Darkreading
- State of AI and API Security Report, Security Boulevard
- OWASP Top 10 for Agentic Applications 2026
- AI Security 2026 Defense Guide, Airia
- Iranian APT CNI, SC Media
- Iran-Backed CNI OT, Infosecurity Magazine
- Iranian Cyber Capability 2026, Trellix
- PRC APT Joint Advisory, CISA
- US Public Sector Q1 2026, Trend Micro
- Rockstar Games ShinyHunters, The Register
- Rockstar Games Breach, Tom's Hardware
- Rockstar Data Leak, Kotaku
- McGraw Hill Salesforce, The Register
- McGraw Hill 13.5M, BleepingComputer
- McGraw Hill Confirmation, Cybersecurity News
- Qilin Ransomware Profile, Ransomware.live
- Qilin Weekly Trends, Ransom-DB
- Qilin HBX Group, DeXpose
- Qilin Limkon, DeXpose
- BlackFog State of Ransomware 2026
- Bitdefender Threat Debrief April 2026
- Data Breach Roundup Apr 10-16, Privacy Guides
- April 2026 Data Breaches, SharkStriker
- Cyber News Roundup April 17, Integrity360
- April 2026 Cyber Incidents, PurpleOps