End-of-Day report
Timeframe: Friday 24-04-2026 18:00 - Monday 27-04-2026 18:00
Handler: Guenes Holler
Co-Handler: n/a
News
Cyber Threat Intelligence - Art, Science, something else entirely?
Is Cyber Threat Intelligence an art, science, both, or something else entirely?
https://bytesandborscht.com/cyber-threat-intelligence-art-science-something-else-entirely/
New BlackFile extortion group linked to surge of vishing attacks
A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026.
https://www.bleepingcomputer.com/news/security/new-blackfile-extortion-gang-targets-retail-and-hospitality-orgs/
ADT confirms data breach after ShinyHunters leak threat
Home security giant ADT has confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid.
https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-after-shinyhunters-leak-threat/
RDP connection glitch: Windows update shipped with a broken warning message
New warning messages are meant to protect Windows users from malicious RDP files. But they are sometimes neither legible nor usable.
https://www.golem.de/news/panne-bei-rdp-verbindungen-windows-update-mit-kaputter-warnmeldung-verteilt-2604-208037.html
Attacks on corporate networks: hackers trick Teams users with spam
Google researchers warn of a hacking group that tricks Microsoft Teams users in order to smuggle dangerous malware into corporate networks.
https://www.golem.de/news/attacken-auf-firmennetzwerke-hacker-tricksen-teams-nutzer-mit-spam-aus-2604-208048.html
FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER.
https://thehackernews.com/2026/04/firestarter-backdoor-hit-federal-cisco.html
Researchers Uncover Pre-Stuxnet "fast16" Malware Targeting Engineering Software
Cybersecurity researchers have discovered a new Lua-based malware created years before the notorious Stuxnet worm that aimed to sabotage Iran's nuclear program by destroying uranium enrichment centrifuges.
https://thehackernews.com/2026/04/researchers-uncover-pre-stuxnet-fast16.html
LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure
A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving large language models (LLMs), has come under active exploitation in the wild less than 13 hours after its public disclosure.
https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html
Health data from UK Biobank offered on Alibaba
Health data from the UK Biobank was offered online. Access has since been stopped. Further security measures are planned.
https://www.heise.de/news/Gesundheitsdaten-aus-UK-Biobank-auf-Alibaba-angeboten-11272997.html
New ClickFix attack Hides in Native Windows Tools to Reduce Detection Risk
Fake CAPTCHA ClickFix attack tricks users into running malicious commands, using cmdkey and regsvr32 to maintain persistence and avoid detection on Windows.
https://hackread.com/clickfix-variant-native-windows-tools-bypass-security/
Microsoft Entra Agent ID Flaw Enabled Tenant Takeover via Privilege Escalation
Microsoft Entra Agent ID flaw allowed privilege escalation and tenant takeover via Service Principal abuse, now fully patched by Microsoft.
https://hackread.com/microsoft-entra-agent-id-flaw-tenant-takeover/
Attacks on SimpleHelp, Samsung MagicINFO and D-Link DIR-823X observed
The US agency CISA warns of observed attacks on vulnerabilities in SimpleHelp, Samsung MagicINFO and D-Link DIR-823X.
https://heise.de/-11272629
73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations
Socket is tracking cloned Open VSX extensions tied to GlassWorm, with several updated from benign-looking sleepers into malware delivery vehicles.
https://socket.dev/blog/73-open-vsx-sleeper-extensions-glassworm?utm_medium=feed
Udemy Data Breach - ShinyHunters Claims 1.4M Records
The notorious cybercriminal group ShinyHunters posted a "Pay or Leak" warning on their data leak site on April 24, 2026, claiming the compromise of over 1.4 million records containing PII and internal corporate data from Udemy. The final deadline set for Udemy to respond is April 27, 2026, or face public exposure.
https://thecyberthrone.in/2026/04/24/udemy-data-breach-shinyhunters-claims-1-4m-records/
Operation TrustTrap Reveals 16,800 Fake Domains Exploiting User Trust
In a world where digital threats are becoming more confusing, Cyble Research and Intelligence Labs (CRIL) has uncovered one of the most extensive deceptive domain spoofing campaigns to date.
https://thecyberexpress.com/operation-trusttrap/
Fake CAPTCHA Scam Abuses Verification Clicks to Send Costly International Texts
Research from Infoblox reveals a massive Click2SMS fraud scheme using fake CAPTCHAs and back button hijacking to trick victims into sending costly international texts.
https://hackread.com/fake-captcha-pages-exploit-clicks-send-texts/
Vulnerabilities
Ad blocker Pi-hole: update patches code-injection and privilege-escalation holes
The developers have updated the DNS-based ad blocker Pi-hole. The update patches high-risk security holes.
https://www.heise.de/news/Werbeblocker-Pi-hole-Update-stopft-Codeschmuggel-und-Rechteausweitungsluecken-11273267.html
VMware Tanzu Spring Boot: attackers can access endpoints
Important security updates close several vulnerabilities in the VMware Tanzu Spring Framework component Spring Boot.
https://heise.de/-11272771
"Pack2TheRoot": security vulnerability affects several Linux distributions
Telekom's security team has discovered the "Pack2TheRoot" vulnerability, which enables privilege escalation in several distributions.
https://heise.de/-11272897
LWN Security updates for Monday
https://lwn.net/Articles/1069938/
K000160994: SQLite vulnerability CVE-2025-70873
https://my.f5.com/manage/s/article/K000160994