Daily Threat Intelligence Brief - April 27, 2026
Executive Summary
- Computer Weekly, Bleeping Computer, and Infosecurity Magazine confirm Scattered Spider as the operator behind the Marks & Spencer cyber attack, with DragonForce ransomware deployed against VMware ESXi hosts on April 24 after the threat actor stole the NTDS.dit Active Directory database via a third-party service desk social engineering call (Computer Weekly, Bleeping Computer, Infosecurity Magazine).
- UK security authorities classified the M&S, Co-op, and Harrods attacks as a "Category 2 cyber hurricane," with M&S online ordering, contactless payments, and Click and Collect taken offline since April 21 and recovery costs already running into hundreds of millions of pounds (Computer Weekly, Picus Security).
- CISA set April 27, 2026 as the Federal Civilian Executive Branch deadline for six exploited flaws spanning Fortinet, Microsoft, and Adobe products, including CVE-2026-32201 (SharePoint spoofing) and CVE-2026-35616 (FortiClient EMS, CVSS 9.8) (The Hacker News, Tenable).
- CISA added CVE-2026-20133, an information disclosure flaw in Cisco Catalyst SD-WAN Manager, to KEV on April 21 after evidence of unauthenticated file system traversal in the wild; Cisco shipped patches in 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18.2.1 with a federal deadline of April 24 (Help Net Security, Bleeping Computer).
- The Anthropic MCP design vulnerability remains unpatched at the protocol layer one week after disclosure: Anthropic continues to characterize the STDIO behavior as expected, leaving 7,000+ public servers, 150M+ SDK downloads, and roughly 200,000 instances exposed across LiteLLM, LangChain, LangFlow, Flowise, LettaAI, and LangBot consumers (The Hacker News, The Register, OX Security).
- Microsoft Defender zero-days RedSun (LPE) and UnDefend (anti-tamper bypass) remain without vendor patches; sibling flaw BlueHammer (CVE-2026-33825) was added to KEV on April 22 with a federal deadline of May 6, 2026 (SecurityWeek, Cybersecurity News, Help Net Security).
- Iranian-affiliated CyberAv3ngers (Storm-0784, CL-STA-1128) continue exploiting Rockwell Automation PLCs at U.S. critical infrastructure operators under joint advisory AA26-097A, with operational disruption and financial loss documented across water, energy, and government sites (CISA AA26-097A, Unit 42).
- ShinyHunters extended an aggressive April extortion campaign with a claim against Rockstar Games following earlier claims against Carnival (8.7M), Inditex (9M), Amtrak (2.1M), Abrigo (1.75M), and Udemy (1.4M) (SharkStriker, Privacy Guides).
- Researchers continue to document indirect prompt injection at scale: Unit 42 catalogued ten in-the-wild payload families with steady growth through Q1 2026, and Sombra reported an estimated 73% of production AI deployments remain vulnerable to prompt injection while only 34% of enterprises have AI-specific controls in place (Unit 42, Sombra, Security Boulevard).
Critical Vulnerabilities
CVE-2026-20133: Cisco Catalyst SD-WAN Manager Information Disclosure
CVE-2026-20133 is an unauthenticated information disclosure vulnerability in Cisco Catalyst SD-WAN Manager that lets a remote attacker traverse the file system and read arbitrary files. The flaw stems from insufficient file system access restrictions in the product's API. CVSS 6.5. Cisco confirms active exploitation in the wild. CISA added the bug to KEV on April 21, 2026, with a Federal Civilian Executive Branch patch deadline of April 24, 2026. Cisco shipped fixes in versions 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18.2.1. Defenders should treat any unpatched SD-WAN Manager instance as a presumed credential and configuration leak source (Help Net Security, SecurityOnline, Cisco Advisory, Rapid7).
CVE-2026-35616: FortiClient EMS Improper Access Control (CVSS 9.8)
CVE-2026-35616 is an improper access control vulnerability in the FortiClient Enterprise Management Server API that allows unauthenticated remote attackers to bypass authentication entirely and execute code on the underlying server. Affected versions are 7.4.5 and 7.4.6. The 7.2 branch is not affected. WatchTowr first observed exploitation against its honeypots on March 31, 2026. Fortinet released emergency hotfixes the first weekend of April. CISA added the CVE to KEV with a federal deadline tied to the April 27, 2026 batch. The vulnerability is a critical remote takeover primitive against any internet-exposed EMS console (Help Net Security, Bleeping Computer, WatchTowr, Tenable, The Hacker News).
CVE-2026-32201: Microsoft SharePoint Spoofing Zero-Day
CVE-2026-32201 is an improper input validation vulnerability in Microsoft Office SharePoint that lets an unauthenticated remote attacker spoof identity over the network. CVSS 6.5. Microsoft patched the flaw in the April 2026 Patch Tuesday cycle alongside 167 other CVEs. Bleeping Computer continues to count more than 1,300 internet-exposed SharePoint servers unpatched and under active exploitation through the latter half of April. CISA's KEV deadline is April 28, 2026 (Bleeping Computer, Tenable, Security Affairs, The Hacker News).
CVE-2026-33825: Microsoft Defender BlueHammer LPE
BlueHammer is a race-condition elevation-of-privilege flaw in Microsoft Defender's anti-malware platform that lets a local attacker escalate to SYSTEM. CVSS 7.8. Disclosed publicly by researcher Chaotic Eclipse on April 2 before a patch shipped, it was added to CISA KEV on April 22 with a federal deadline of May 6, 2026. Two related zero-days from the same researcher remain in active circulation: RedSun, a sibling LPE that also produces full SYSTEM access, and UnDefend, which lets a standard user disable Defender or block update delivery. Microsoft has not yet shipped patches for RedSun or UnDefend (SecurityWeek, Cybersecurity News, Help Net Security, The Hacker News).
CISA KEV Batch (April 20, 2026)
CISA added eight vulnerabilities to KEV on April 20 covering legacy and current product lines:
| CVE | Product | Type | CVSS |
|---|---|---|---|
| CVE-2025-32975 | Quest KACE Systems Management Appliance | Improper authentication | 10.0 |
| CVE-2024-27199 | JetBrains TeamCity | Path traversal | 7.3 |
| CVE-2025-2749 | Kentico Xperience | Path traversal | 7.2 |
| CVE-2023-27351 | PaperCut NG/MF | Authentication bypass | 8.2 |
| CVE-2026-20122 | Cisco Catalyst SD-WAN Manager | Authentication weakness | High |
| CVE-2026-20128 | Cisco Catalyst SD-WAN Manager | Authentication weakness | High |
| CVE-2026-20133 | Cisco Catalyst SD-WAN Manager | Information disclosure | 6.5 |
| Cisco SD-WAN | Additional entry from same advisory | See Cisco advisory | High |
Sources: CISA KEV Add (April 20), The Hacker News, The Cyber Express.
Anthropic MCP Design Vulnerability (Status Update)
OX Security's disclosure of an architectural weakness in the Model Context Protocol's STDIO transport remains unpatched at the protocol layer. Anthropic continues to characterize the behavior as expected, even as researchers from BlueRock Security, Adversa AI, and Trend Micro have catalogued more than 7,000 publicly accessible MCP servers, 150M+ SDK downloads, and proof-of-concept credential theft against Microsoft's MarkItDown MCP server (AWS IAM keys, secret keys, and session tokens lifted from EC2 metadata). Vulnerable downstream projects include LiteLLM, LangChain, LangFlow, Flowise, LettaAI, and LangBot. Some downstream vendors have shipped patches; the reference SDKs have not (The Register, OX Security, Adversa AI, TechRepublic).
CVE-2026-26118: Azure MCP Server SSRF (CVSS 8.8)
A server-side request forgery vulnerability in Azure MCP Server lets a low-privileged authorized attacker send a crafted URL to an MCP-backed agent, coercing the server to issue an outbound request that may include its managed identity token. Because Azure exposes metadata services at 169.254.169.254, successful SSRF can leak access tokens, credentials, and instance configuration data. Microsoft patched the flaw in its March 10, 2026 release. Defenders touching Azure-hosted agents should confirm the patch shipped and audit MCP request logs for outbound calls to metadata endpoints (SentinelOne, PointGuard AI, GitHub Advisory).
CVE-2026-5281: Chrome Dawn WebGPU Use-After-Free
Google patched a high-severity use-after-free vulnerability in Dawn, the WebGPU implementation in Chromium, after confirming an exploit existed in the wild. A remote attacker who has compromised the renderer process can execute arbitrary code via a crafted HTML page. CISA added the bug to KEV on April 1, 2026, with a federal patch deadline of April 15. Google fixed the flaw in Chrome 146.0.7680.177/178. This is the fourth Chrome zero-day exploited in 2026 (The Hacker News, Help Net Security, Security Affairs).
AI Security Threats
The week ending April 27 reinforces an emerging consensus across vendor research, offensive security teams, and government advisories: prompt injection and agentic execution are no longer emerging risks but the dominant new attack class against modern enterprise software. OWASP continues to rank prompt injection as LLM01, the top LLM application security risk for 2026, citing the same fundamental issue that has held since the first transformer LLMs shipped: models cannot reliably distinguish instruction from data (OWASP Gen AI Project, Securance).
The MCP supply chain crisis remains the headline. OX Security's disclosure landed two weeks ago and the protocol-layer fix is still absent. The blast radius is now well characterized. BlueRock Security analyzed more than 7,000 MCP servers and found 36.7% potentially vulnerable to server-side request forgery. A separate February 2026 audit found 43% of publicly available MCP servers vulnerable to command execution attacks. Trend Micro independently identified 492 MCP servers running with zero client authentication and zero traffic encryption. The compounding impact is that every developer who imported the official Anthropic SDK shipped the same defect to production, regardless of language (Cyber Desserts, Adversa AI, Gentic News).
The "lethal trifecta," a phrase Airia uses to describe combining external content ingestion, sensitive data access, and outbound network capability in a single agent, captures why so many real-world deployments are exposed: the configuration that makes agents useful is the same configuration that makes prompt injection actionable. Defenders need to treat any agent with all three capabilities as a privileged service account that requires continuous monitoring, scoped credentials, and human approval gates for destructive actions (Airia, Penligent).
Indirect prompt injection has continued its move from research curiosity to production threat through April. Unit 42 catalogued ten in-the-wild payload families across compromised web pages with three categories now dominant: destructive shell execution against coding assistants and DevOps runners, credential exfiltration via tool-use agents that hold environment variable scope, and attribution hijacking that coerces agents into recommending attacker-controlled vendors. Concealment techniques have hardened to include zero-sized DOM nodes, CSS-suppressed text, HTML attribute payloads, invisible Unicode, and split payloads reassembled at inference time. Google measured a 32% relative increase in malicious activity from November 2025 to February 2026 (Unit 42, Help Net Security, Lakera).
Three coding agent vendors recently disclosed credential leaks traced to a single shared injection technique: a poisoned source comment that the agent treated as a developer instruction. VentureBeat reports that the failure mode was anticipated in the system card of one of the vendors, who shipped a runtime audit feature in response. This is a rare positive signal: agent vendors are starting to ship auditable runtime guardrails rather than relying solely on training-time alignment (VentureBeat).
Production exploitation continues to surface in commercial platforms. Recent incidents include LLM-induced SQL injection against connected databases, RAG context-window flooding combined with developer impersonation that bypasses pricing and coupon logic, and a documented "second-order" injection in ServiceNow Now Assist where a low-privilege agent was tricked into asking a higher-privilege agent to execute restricted actions on its behalf. Microsoft 365 Copilot's EchoLeak vulnerability earlier this year demonstrated zero-click prompt injection that silently exfiltrated enterprise data, and CVE-2025-53773 documented hidden prompt injection payloads in pull request descriptions enabling RCE through GitHub Copilot at CVSS 9.6 (Sombra, TokenMix, BizTech Magazine).
The structural mismatch between offense and defense is well captured by FireTail's April data: only 34% of enterprises have AI-specific security controls in place, even as nearly half of cybersecurity professionals identify agentic AI as their top emerging attack vector. Research from Sombra and Securance puts the share of vulnerable production AI deployments at roughly 73%. The UK National Cyber Security Centre's December 2025 warning that prompt injection "may be a problem that is never fully fixed" has become the operating assumption for security teams, with the practical implication that defense has to live in execution boundaries rather than model alignment (Security Boulevard, Sombra).
The agentic AI execution boundary is now the operative perimeter. Penligent's analysis argues that agents introduce a category of risk distinct from chatbots: agents have goals, callable APIs, persistent state, and the ability to plan and execute multi-step actions without a human in the loop, which means a single successful injection can trigger irreversible side effects. Practical defense calls for scoping credentials per-agent rather than per-user, requiring human approval for destructive or high-cost actions, allow-listing tool calls, and enforcing token binding so MCP server outbound credentials can only target pre-approved endpoints (Penligent, WorkOS).
Threat Actor Activity
Scattered Spider (DragonForce affiliate). Computer Weekly, Bleeping Computer, and Infosecurity Magazine confirm Scattered Spider as the operator behind the Marks & Spencer, Co-op, and Harrods attacks. The group used social engineering against an outsourced service desk to coerce a password reset, harvested the NTDS.dit Active Directory database to recover credential hashes, and deployed white-label DragonForce ransomware against M&S VMware ESXi hosts on April 24, three days after the initial incident disclosure. M&S Chairman Archie Norman publicly confirmed the impersonation vector. M&S engaged CrowdStrike, Microsoft, and Fenix24 for incident response. Recovery is expected to extend into July 2026 (Computer Weekly, Bleeping Computer, Specops Software, Infosecurity Magazine, Picus Security, Darktrace).
APT28 (Forest Blizzard, Russia GRU). The DOJ and FBI court-authorized takedown of APT28's FrostArmada DNS-hijacking botnet held through the week. The operation at peak controlled more than 18,000 compromised MikroTik and TP-Link routers across 120 countries, redirecting traffic through attacker-controlled resolvers to harvest Microsoft 365 OAuth tokens. APT28 also paired router takeover with the PRISMEX implant against global government targets, extending tradecraft into long-dwell access (Bleeping Computer, SecurityWeek, The Hacker News, SecPod).
CyberAv3ngers (Iran, IRGC-CEC). Joint advisory AA26-097A continues to track active exploitation of internet-exposed Rockwell Automation PLCs at U.S. water, wastewater, energy, and government facilities. The group, tracked under the aliases Shahid Kaveh, Hydro Kitten, Storm-0784, UNC5691, and Unit 42's CL-STA-1128, has shifted from earlier Unitronics targeting to Rockwell controllers and is exploiting CVE-2021-22681 to manipulate project files and HMI/SCADA displays (CISA AA26-097A, Security Affairs, Tenable).
Iran posture. Iran restored partial domestic internet on April 17 after a 47-day blackout, signaling renewed capacity for state-aligned operations conducted under the "Electronic Operations Room" formed February 28, 2026. Unit 42 expects continued OT-targeted campaigns through 2026 (Unit 42).
ShinyHunters. The extortion brand sustained April momentum with a fresh claim against Rockstar Games, layered atop earlier April claims against Abrigo Inc. (1.75M records, April 11), Carnival Corporation (8.7M, April 18), Inditex (9M), Amtrak (2.1M), and Udemy (1.4M, April 24). The group continues to favor third-party OAuth and SaaS integration compromise as a path into customer-data systems (SharkStriker, Privacy Guides).
Salt Typhoon (PRC). The PRC-linked threat actor that compromised U.S. House Committee staff emails in January 2026 maintains persistent access, with operations confirmed "still very much ongoing" through Q1 2026, consistent with the 2026 ODNI Annual Threat Assessment that calls out Chinese long-dwell access into U.S. critical infrastructure as a baseline planning assumption (CISA Nation-State Threats, ODNI ATA 2026).
Interlock. Interlock claimed responsibility for the Center for Hearing and Communication ransomware attack reported during the April 14 to 20 window, continuing the operator's 2026 cadence of healthcare and adjacent sector targeting (Senthorus, SharkStriker).
Ransomware and Data Breaches
Ransomware Activity (April 2026)
| Metric | Value |
|---|---|
| Confirmed leak-site victims | 166 (week of Apr 6 to 12) |
| Countries impacted | 42 |
| Active leak-site operators | 36 |
| Newly observed groups | 4 |
| Most active extortion brand | ShinyHunters |
| Highest-impact retail attack | M&S (DragonForce / Scattered Spider) |
Sources: SharkStriker April 2026 Review, BlackFog State of Ransomware, Industrial Cyber.
Notable Breaches and Attacks Disclosed in April 2026
| Organization | Records Claimed | Threat Actor | Date Disclosed | Data Exposed |
|---|---|---|---|---|
| Marks & Spencer | Under review | Scattered Spider / DragonForce | Apr 21, 2026 | AD hashes, ESXi systems encrypted |
| Co-op (UK) | Under review | DragonForce affiliate | Apr 2026 | Member, staff, supply chain disrupted |
| Harrods | Under review | DragonForce affiliate | Apr 2026 | Internal systems disrupted |
| French Government | 600M log lines | Undisclosed | Apr 2026 | Logs, plaintext system data |
| McGraw-Hill | 45,000,000 | Undisclosed | Apr 2026 | PII |
| France Titres (ANTS) | 19,000,000 | breach3d | Apr 15, 2026 | Names, emails, DOB, addresses, account IDs |
| Inditex | 9,000,000 | ShinyHunters | Apr 2026 | PII, internal data |
| Carnival Corporation | 8,700,000 | ShinyHunters | Apr 18, 2026 | PII, internal corporate data |
| SongTrivia Inc. | 2,900,000 | Ransomware | Apr 2026 | Auth tokens, emails, names, passwords |
| Amtrak | 2,100,000 | ShinyHunters | Apr 2026 | Emails, names, addresses, support tickets |
| Abrigo Inc. | 1,750,000 | ShinyHunters | Apr 11, 2026 | Financial sector PII |
| Udemy | 1,400,000 | ShinyHunters | Apr 24, 2026 | PII, internal corporate data |
| Basic-Fit | 1,000,000 | Undisclosed | Apr 2026 | Customer information |
| LPL Financial | 1,581 clients | Malware | Apr 23, 2026 | Advisor compromise, unauthorized trades |
| Rockstar Games | Under review | ShinyHunters | Apr 2026 | Internal data extortion claim |
| Vercel | Under review | Supply chain (Context.ai) | Apr 19, 2026 | Source, API keys via third party |
| Autovista | Under review | Ransomware | Apr 2026 | Eurotax, Schwacke, Glass's, Rødboka data |
| BePrime (Mexico) | 12.6 GB | Forum dump | Apr 20, 2026 | Plaintext credentials, transactions, audits |
| Booking.com | Under review | Phishing supply chain | Apr 12, 2026 | Reservation details, contact info, requests |
| Center for Hearing and Comm | Under review | Interlock | Apr 2026 | Healthcare communications data |
Sources: SharkStriker, Privacy Guides, SC Media France Titres, Vercel KB, Bright Defense, Rankiteo M&S, Senthorus Weekly Review.
Recommended Actions
Immediate (next 24 to 72 hours)
- Patch Cisco Catalyst SD-WAN Manager to 20.9.8.2, 20.12.5.3, 20.15.4.2, or 20.18.2.1 to close CVE-2026-20133. Audit file system access logs for unauthenticated reads of configuration files, credentials, and logs (Cisco Advisory, Help Net Security).
- Apply the Fortinet emergency hotfix for FortiClient EMS 7.4.5 and 7.4.6 to remediate CVE-2026-35616. If hotfix application is delayed, restrict EMS API exposure to internal management networks only and audit logs back to March 31, 2026 for unauthenticated authorization bypass attempts (Bleeping Computer, WatchTowr).
- Confirm the April 2026 Patch Tuesday rollup is deployed across the Windows estate, with priority on CVE-2026-32201 (SharePoint spoofing) and CVE-2026-33825 (Defender BlueHammer). For the still-unpatched Defender RedSun and UnDefend flaws, apply Microsoft mitigation guidance and monitor Defender service state for unexpected disablement (Bleeping Computer).
- Rebuild service desk identity verification controls: do not allow password resets, MFA resets, or privileged role grants based on telephone callbacks alone. Require out-of-band verification through manager or video confirmation. The M&S incident chain started with a service desk impersonation call (Specops Software).
- Inventory every Anthropic MCP SDK consumer in your stack (Python, TypeScript, Java, Rust). Apply patched downstream SDK versions where available. Treat every public MCP server as a presumed compromise pivot. Block outbound requests from MCP processes to cloud metadata IPs (169.254.169.254, fd00:ec2::254) and to internal admin networks (OX Security).
Short-Term (next 30 days)
- Stand up indirect prompt injection detection on every agent that ingests external content: web scraping, RAG retrieval, email summarization, document parsing. Block zero-sized DOM nodes, CSS-suppressed text, invisible Unicode, and obfuscated metadata at the ingestion layer. Add a separate detection pass for split payloads reassembled at inference time (Lakera, Help Net Security).
- Adopt explicit allow-listing for tool calls available to AI agents. Scope credentials per-agent rather than per-user, and require human approval for destructive or high-cost actions. Enforce token binding so MCP server outbound credentials can only target pre-approved endpoints (Penligent).
- Run a focused MCP exposure sweep: identify all MCP servers in your environment, confirm authentication is required, confirm TLS is enforced, and confirm none expose privileged tool surfaces over the public internet. Trend Micro's audit found 492 servers running with zero authentication and zero encryption (Adversa AI).
- Audit Active Directory tier-0 controls. Restrict NTDS.dit access, monitor for ntdsutil and shadow copy abuse, and reset the krbtgt account password twice across any suspected exposure window. Review domain controller logs for service desk-initiated privileged resets (Specops Software).
- Validate ransomware backup recovery against ShinyHunters and DragonForce tradecraft, focusing on PII stores in customer support, ticketing, and identity systems and on VMware ESXi clusters. Confirm immutable backups exist for hypervisor configuration and tenant volumes (Picus Security, SharkStriker).
- Audit third-party tool dependencies in CI/CD and developer tooling for supply chain exposure equivalent to the Vercel and Context.ai incident. Trace which third parties hold your access keys and which services would be reachable from a compromised dev console (Vercel KB).
Strategic (next quarter)
- Build an AI agent security program that treats agents as privileged service accounts with auditable action logs, segmented blast radius, and red team coverage that includes second-order prompt injection chains. Treat MCP tool surfaces as you would treat internal admin APIs (Sombra, VentureBeat).
- Move toward zero-trust segmentation between AI workloads and surrounding production services. LLM gateways, MCP servers, vector stores, and orchestration runners should not share credential scope or network reachability with general application infrastructure (Cloud Security Alliance, WorkOS).
- Plan for sustained Iran-linked OT targeting through 2026 by reducing internet exposure of legacy PLCs, deploying network monitoring tuned to CyberAv3ngers tradecraft, and rehearsing incident response with engineering and operations leadership (CISA AA26-097A).
- Track Russian SOHO router targeting as a recurring credential-theft vector. Even after FrostArmada was disrupted, the underlying class of attack remains viable against any unmanaged consumer-grade gear that holds enterprise traffic. Push managed routers, certificate-pinned VPN, and conditional access tied to device posture (SecurityWeek).
- Validate egress monitoring on critical infrastructure assets and audit identity systems for living-off-the-land artifacts referenced in the 2026 Annual Threat Assessment, treating Chinese pre-positioning as a baseline planning assumption (ODNI).
- Run a tabletop on the M&S attack chain (service desk social engineering, NTDS.dit theft, ESXi encryption) against your own environment. Identify where the chain breaks and where it succeeds, then close gaps by control class rather than by indicator of compromise (Computer Weekly, Darktrace).
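An added example (not from Specops Software, Darktrace or any other source cited here) covering the NTDS.dit and service-desk stages of the chain above and the tier-0 monitoring recommended in the Short-Term actions: detection rules for ntdsutil exports, shadow copy creation on domain controllers, processes that name ntds.dit on their command line, and service-desk-initiated resets of Tier-0 accounts, run over constructed Windows Security events. Host, account and group names are assumptions.

```python
"""Added example (not from the brief's sources): detection logic for the NTDS.dit
and service-desk-reset stages of the chain the brief describes, run over a few
constructed events. Host, account and group names are assumptions."""
import re

DOMAIN_CONTROLLERS = {"DC01", "DC02"}                 # assumption
TIER0_ACCOUNTS = {"CORP\\da-admin", "CORP\\krbtgt"}   # assumption: Tier-0 set
HELPDESK_ACCOUNTS = {"CORP\\helpdesk-jdoe"}           # assumption: service desk staff


def _image(event: dict) -> str:
    """Lower-cased executable name without its path."""
    return event.get("image", "").lower().rsplit("\\", 1)[-1]


def detect_ntds_export(e: dict):
    """ntdsutil with 'ifm' (install-from-media) writes a copy of NTDS.dit to disk."""
    if e["id"] == 4688 and _image(e) == "ntdsutil.exe" and re.search(r"\bifm\b", e["cmdline"], re.I):
        return "ntds_export"
    return None


def detect_dc_shadow_copy(e: dict):
    """Shadow copy creation on a domain controller, a common route to NTDS.dit."""
    if e["id"] != 4688 or e["host"] not in DOMAIN_CONTROLLERS:
        return None
    img, cmd = _image(e), e["cmdline"].lower()
    if img in ("vssadmin.exe", "diskshadow.exe") and "create" in cmd and "shadow" in cmd:
        return "dc_shadow_copy"
    if img == "wmic.exe" and "shadowcopy" in cmd and "create" in cmd:
        return "dc_shadow_copy"
    return None


def detect_ntds_dit_access(e: dict):
    """Any process naming ntds.dit on its command line; only lsass touches it normally."""
    if e["id"] == 4688 and "ntds.dit" in e["cmdline"].lower() and _image(e) != "lsass.exe":
        return "ntds_dit_access"
    return None


def detect_helpdesk_tier0_reset(e: dict):
    """Password reset attempt (4724) on a Tier-0 account by a service desk account."""
    if e["id"] == 4724 and e["subject"] in HELPDESK_ACCOUNTS and e["target"] in TIER0_ACCOUNTS:
        return "helpdesk_tier0_reset"
    return None


RULES = [detect_ntds_export, detect_dc_shadow_copy, detect_ntds_dit_access,
         detect_helpdesk_tier0_reset]


def run_detections(events: list[dict]) -> list[dict]:
    """Apply every rule to every event; one alert per (event, rule) match."""
    alerts = []
    for e in events:
        for rule in RULES:
            name = rule(e)
            if name:
                alerts.append({"rule": name, "host": e["host"], "ts": e["ts"],
                               "actor": e.get("user") or e.get("subject")})
    return alerts


# Constructed events modelled on Security 4688 (process creation) and 4724
# (password reset attempt); not real telemetry. Paths are abbreviated.
SAMPLE_EVENTS = [
    {"id": 4688, "ts": "2026-04-21T02:14:09Z", "host": "DC01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe ifm "create full C:\\Temp\\out" quit'},
    {"id": 4688, "ts": "2026-04-21T02:15:30Z", "host": "DC01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe create shadow /for=C:"},
    {"id": 4688, "ts": "2026-04-21T02:16:02Z", "host": "DC01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\esentutl.exe",
     "cmdline": "esentutl.exe /y \\\\?\\GLOBALROOT\\...\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit /d C:\\Temp\\n.dit"},
    {"id": 4688, "ts": "2026-04-21T08:00:00Z", "host": "WS042", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe create shadow /for=C:"},   # workstation backup job: no alert
    {"id": 4724, "ts": "2026-04-21T09:03:11Z", "host": "DC01",
     "subject": "CORP\\helpdesk-jdoe", "target": "CORP\\da-admin"},
    {"id": 4724, "ts": "2026-04-21T09:05:40Z", "host": "DC01",
     "subject": "CORP\\helpdesk-jdoe", "target": "CORP\\bob"},
]
```

The shadow copy rule is scoped to domain controllers on purpose: the same command is routine on workstations and backup hosts, and the point of the tabletop is to find where a control class (here, tier-0 host scoping) makes the detection usable rather than noisy.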
Sources
- Computer Weekly: Scattered Spider on the Hook for M&S Cyber Attack
- Bleeping Computer: M&S Breach Linked to Scattered Spider
- Specops Software: M&S Service Desk and Active Directory Lessons
- Infosecurity Magazine: DragonForce Tied to M&S, Co-op, Harrods
- Picus Security: DragonForce Ransomware Attacks on Retail Giants
- Computer Weekly: Category 2 Cyber Hurricane
- Darktrace: Scattered Spider Evolving TTPs
- Daily Security Review: Marks and Spencer Cyberattack
- Cybernews: M&S Caught Up in Scattered Spider Attack
- Rankiteo: M&S April 2026 Cyber Attack
- The Hacker News: CISA Adds 6 Known Exploited Flaws
- The Hacker News: CISA Adds 8 Exploited Flaws to KEV
- CISA: KEV Eight Vulnerabilities April 20
- CISA: KEV April 22 Add
- Help Net Security: CVE-2026-20133 Cisco SD-WAN
- Bleeping Computer: CISA Flags SD-WAN Flaw
- SecurityOnline: Cisco SD-WAN Manager Information Disclosure
- Cisco Advisory: SD-WAN Authentication Bypass
- Rapid7: CVE-2026-20133
- The Cyber Express: CISA Adds 8 to KEV
- Help Net Security: FortiClient EMS Zero-Day
- Bleeping Computer: FortiClient EMS Flaw Exploited
- WatchTowr: FortiClient EMS Active Exploitation
- Tenable: CVE-2026-35616 FortiClient EMS
- The Hacker News: Fortinet Patches CVE-2026-35616
- Bleeping Computer: SharePoint Servers Vulnerable to Spoofing
- Tenable: April 2026 Patch Tuesday CVE-2026-32201
- Security Affairs: April 2026 Patch Tuesday SharePoint
- Bleeping Computer: April 2026 Patch Tuesday
- The Hacker News: Microsoft Patches SharePoint and 168 Other Flaws
- SecurityWeek: Microsoft Defender Zero-Day
- Cybersecurity News: Defender RedSun 0-Day SYSTEM Access
- Help Net Security: Microsoft Defender Zero-Days
- The Hacker News: Three Microsoft Defender Zero-Days
- The Hacker News: Anthropic MCP Design Vulnerability
- OX Security: Mother of All AI Supply Chains
- The Register: MCP Design Flaw 200k Servers
- TechRepublic: MCP Disclosure Open Redirect Moment
- Adversa AI: MCP Security Resources April 2026
- Cyber Desserts: AI Agent Security Risks 2026
- Gentic News: MCP Security Crisis 43% Vulnerable
- SentinelOne: CVE-2026-26118 Azure MCP SSRF
- PointGuard AI: Microsoft MCP Server Vulnerability
- GitHub Advisory: Azure MCP Server SSRF
- The Hacker News: Chrome Zero-Day CVE-2026-5281
- Help Net Security: Google Fixes Chrome Zero-Day
- Security Affairs: Fourth Chrome Zero-Day
- Bleeping Computer: DOJ Disrupts Router DNS Hijacks
- SecurityWeek: US Disrupts Russian Router Operation
- The Hacker News: APT28 Exploits SOHO Routers
- SecPod: APT28 PRISMEX 2026
- CISA AA26-097A: Iranian Cyber Actors Exploit Rockwell PLCs
- Security Affairs: Iran-Linked Critical Infrastructure PLCs
- Tenable: CyberAv3ngers FAQ
- Unit 42: Iranian Cyberattacks 2026
- Unit 42: Indirect Prompt Injection in the Wild
- Help Net Security: Indirect Prompt Injection Taking Hold
- Lakera: Indirect Prompt Injection Hidden Threat
- Penligent: AI Agents Hacking 2026 Execution Boundary
- Sombra: LLM Security Risks 2026
- Securance: Prompt Injection OWASP #1 AI Threat 2026
- TokenMix: LLM Security News 2026
- Airia: AI Security 2026 Lethal Trifecta
- BizTech Magazine: Prompt Injection Attacks
- VentureBeat: AI Agent Runtime Security
- WorkOS: MCP Supply Chain Security
- OWASP Gen AI: LLM01 Prompt Injection
- Security Boulevard: FireTail Enterprise AI Risk
- SharkStriker: April 2026 Data Breaches
- SharkStriker: Top 10 Ransomware 2026
- BlackFog: State of Ransomware 2026
- Privacy Guides: Data Breach Roundup Apr 17-23, 2026
- SC Media: France Titres 19M Records
- Vercel KB: April 2026 Security Incident
- Bright Defense: Recent Data Breaches 2026
- Senthorus: Cybersecurity Week in Review April 14-20
- Industrial Cyber: Ransomware New Normal 2026
- Cloud Security Alliance: Marimo RCE AI Toolchain Note
- ODNI 2026 Annual Threat Assessment
- CISA Nation-State Threats