the threat gazette
Afternoon Update
Vulnerabilities

Ivanti EPMM Pre-Auth Code Injection (CVE-2026-1340) Confirmed Exploited; KEV Pair Now Months Overdue


CISA confirmed active exploitation of CVE-2026-1340, a code injection in Ivanti Endpoint Manager Mobile enabling unauthenticated RCE, adding it to KEV on April 8 alongside CVE-2026-1281 — which has been KEV-listed since February 1 with EPSS of 0.718. Both CVEs are now past remediation deadlines and carry EPSS scores above 0.67. Ivanti EPMM manages enterprise mobile devices, certificates, and configuration profiles. Successful exploitation gives an attacker direct access to the MDM-enrolled fleet and provides a meaningful lateral movement surface into broader enterprise infrastructure. Ivanti's MDM product line has been actively targeted by Chinese APT actors since the MobileIron Core exploitation chain (CVE-2023-35078/35081) was weaponized against European government networks in 2023 — this is cumulative targeting momentum, not an isolated event.

Ivanti EPMM has earned its own standing escalation path at this point. Once a product family becomes established as reliably exploitable by sophisticated actors, it draws recurring targeting regardless of the specific CVE — and Ivanti has validated this pattern across multiple product lines over multiple years. Any deployment that hasn't addressed CVE-2026-1281 since February should be treated as a confirmed incident timeline.

2026-04-09

Editorial

The throughline today is identity infrastructure under coordinated pressure from both ends of the threat spectrum. BeyondTrust PAM exploitation by APT28 *and* Medusa ransomware means your state-actor and ransomware threat models now converge on the same asset — and it's the one that grants effectively unlimited lateral movement. Pair that with Storm-2755 explicitly targeting payroll systems and their financial institution integrations via AiTM session replay, and the strategic picture is clear: actors are skipping the endpoint entirely and going straight for the systems that broker trust and move money.

The Scattered Spider helpdesk social engineering playbook showing up independently in UNC6783's operations is the kind of signal that separates a bad week from a bad quarter. When TTPs propagate across unrelated actor clusters, the technique has crossed from novel tradecraft to commodity — expect it to appear in less sophisticated hands next. Between helpdesk SE defeating human identity verification and AiTM defeating token-based authentication, anything with a human in the trust chain is being systematically dismantled; the question for leadership isn't whether these techniques will be combined, but when.

Critical

Intelligence

BeyondTrust PAM RCE (CVE-2026-1731) Linked to APT28 and Medusa Ransomware; KEV Overdue Since February


Cisco Talos' Threat Source newsletter documents APT28, Medusa Ransomware, and Storm-1175 in the context of CVE-2026-1731, a critical RCE in BeyondTrust Remote Support and Privileged Remote Access carrying EPSS 0.796. The KEV remediation deadline of February 16 is now nearly two months past. BeyondTrust RS/PRA is enterprise PAM and privileged remote access infrastructure — an RCE here is not just endpoint compromise but a potential master key to every privileged system in the environment. Caveat: the source is a weekly newsletter format, so the actor-to-CVE attribution may reflect co-occurrence in the same issue rather than a single attributed campaign. Regardless, the vulnerability stands on its own merits. BeyondTrust has been under active state-actor targeting since at least December 2024 when Silk Typhoon leveraged a compromised BeyondTrust API key to pivot into US Treasury workstations.

2026-04-09

Notable

Social Engineering

Storm-2755 'Payroll Pirate' Chains AiTM Phishing with Session Token Replay for Direct Deposit Fraud


Microsoft has attributed a financially motivated campaign to Storm-2755, which uses SEO poisoning and malvertising to drive targets to adversary-controlled authentication pages, harvests session tokens alongside credentials, then replays those tokens on a scheduled basis to maintain persistence while redirecting direct deposits and establishing inbox rules. The end goal is payroll fraud, placing HR systems, payroll applications, and their financial institution integrations directly in the blast radius. Session token replay as a persistence mechanism renders standard MFA insufficient — the initial authentication was legitimate; what needs detection is the same session later presented from an unexpected context. Current geographic targeting is Canada, but the technique is trivially geography-agnostic.

AiTM phishing infrastructure has been commoditizing since at least 2022 via Evilginx and EvilProxy. The payroll-pirate application is the logical evolution: shorter dwell time than ransomware, more direct monetization, and harder to attribute than wire fraud. Controls worth reviewing: session binding to device or network characteristics, out-of-band verification for payroll change requests, and anomaly detection on HR system access patterns. Expect this pattern to proliferate.
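The detection the two paragraphs above call for, written out as an added example (not Microsoft's or the article's code): each later use of a session is compared with the interactive sign-in that minted it, and drift in the bound network or client attributes, or a token with no sign-in on record at all, is alerted, with a sensitive payroll or mailbox action escalating severity. The event schema, field names and sample log are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenEvent:
    ts: int           # epoch seconds
    user: str
    session_id: str   # identifier tied to the session cookie / refresh token
    kind: str         # "auth" = interactive sign-in, "use" = token presented later
    asn: str          # network of origin
    ua: str           # client user-agent family
    action: str = ""  # sensitive action performed with the token, if any

# Actions that turn a replayed session into the fraud step itself (constructed names).
SENSITIVE = {"mailbox_rule_create", "direct_deposit_update"}

def detect_session_replay(events, bound_fields=("asn", "ua")):
    """Flag token uses whose context drifts from the sign-in that minted the session.

    The sign-in itself is legitimate (the victim really authenticated, MFA included),
    so the signal is a later use of the same session from another network or client.
    A use with no sign-in on record is reported too: a harvested token replayed from
    attacker infrastructure never authenticated against this log source.
    """
    origin, alerts = {}, []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "auth":
            origin[e.session_id] = e
            continue
        auth = origin.get(e.session_id)
        if auth is None:
            drift = ["no_sign_in_on_record"]
        else:
            drift = [f for f in bound_fields if getattr(e, f) != getattr(auth, f)]
        if drift:
            alerts.append({"user": e.user, "session_id": e.session_id, "ts": e.ts,
                           "drift": drift, "action": e.action,
                           "severity": "high" if e.action in SENSITIVE else "medium"})
    return alerts

# Constructed sample log: alice signs in once; her token is then presented from a
# different network and client to add a mailbox rule and change direct deposit.
SAMPLE = [
    TokenEvent(1000, "alice", "s-1", "auth", "AS100", "Chrome/Windows"),
    TokenEvent(1300, "alice", "s-1", "use", "AS100", "Chrome/Windows", "mail_read"),
    TokenEvent(4600, "alice", "s-1", "use", "AS999", "python-requests", "mailbox_rule_create"),
    TokenEvent(8200, "alice", "s-1", "use", "AS999", "python-requests", "direct_deposit_update"),
    TokenEvent(9000, "bob", "s-7", "use", "AS200", "Safari/macOS", "mail_read"),
]
```

Binding on ASN and user-agent family rather than raw IP keeps mobile and VPN roaming from drowning the rule in noise; the bound fields are a parameter so a tenant can tighten them to device identifiers where the identity provider supplies them.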

Ransomware

UNC6783 Scattered Spider-Adjacent Helpdesk Social Engineering — Operational Detail Emerges


Supplementing this morning's coverage: Google TIGA's formal designation of UNC6783, linked to a 'Raccoon' persona, now includes operational specifics from Austin Larsen's blog post detailing the targeting methodology across several dozen high-value corporate entities. The TTP profile remains functionally identical to Scattered Spider (UNC3944/Octo Tempest) — identity-based initial access through helpdesk impersonation, bypassing technical controls entirely. Whether UNC6783 is an independent crew or a post-disruption fragment of the Scattered Spider ecosystem is analytically unresolved. Either way, the helpdesk identity verification problem has graduated from a single-actor concern to a systemic one, with at least two distinct clusters running the same playbook.

The CISA/FBI Scattered Spider advisory from November 2023 published a remarkably detailed threat actor methodology guide. The speed at which similar TTPs have diffused to new groups is a useful, if uncomfortable, reminder that public threat intelligence advisories are dual-use documents. Financial services firms sit squarely in this targeting profile.

Malware

Smart Slider 3 Pro Update Channel Compromised to Push Multi-Backdoor Plugin to WordPress/Joomla Sites


Attackers compromised the update delivery mechanism for Smart Slider 3 Pro, pushing a malicious version (3.5.1.35) containing multiple backdoors to WordPress and Joomla installations with auto-update enabled. This is update-channel compromise — not repository hijacking — meaning every existing trusted installation that updated during the exposure window received the backdoored version silently. The malicious version is precisely bounded to 3.5.1.35; clean versions are 3.5.1.36 and prior. Any installation that received 3.5.1.35 should be treated as potentially compromised regardless of current version. For organizations with CMS-based web properties — including customer portals, marketing sites, and intranets — plugin inventory should be audited.

Update-channel compromise is rarer than typosquatting or dependency confusion but materially more impactful because it reaches every existing installation through a trusted mechanism. The WordPress/Joomla plugin ecosystem's attack surface is enormous relative to the security investment most plugin developers make in their distribution infrastructure.

Supply Chain

Former L3 Trenchant GM Convicted of Three-Year Zero-Day Theft Operation for Russian Broker


Peter Joseph Williams, promoted to General Manager of L3 Trenchant during a three-year exfiltration of offensive zero-day exploits, has been convicted of selling stolen capabilities to a Russian broker. Kim Zetter's reporting adds that Williams' prior work for Australian intelligence — almost certainly ASD — means the stolen exploit inventory potentially included capabilities with Five Eyes operational provenance. This is a worst-case insider threat scenario: maximum institutional trust, maximum access, three years of undetected exfiltration, and promotion throughout the operation.

Williams being promoted to GM during an active exfiltration operation raises pointed questions about whether UEBA and DLP at organizations handling classified offensive tooling are calibrated for the actual threat model. The structural lesson — that offensive capability pipelines at contractors are high-value insider threat targets with limited detection controls — has direct implications for any institution managing its own red team tooling or working with offensive security contractors.

Mobile

Android EngageSDK Intent Redirection Bypasses Sandbox Across 30M+ Crypto Wallet Installations

Microsoft Security Research disclosed an intent redirection vulnerability in EngageSDK, a widely distributed Android SDK embedded in third-party cryptocurrency wallet applications with over 30 million combined installations. The flaw allows co-resident malicious applications to bypass the Android security sandbox and access private data — PII, credentials, and financial data — across application boundaries. Microsoft reports all detected vulnerable apps have been addressed, but with 30M+ installs the actual remediation coverage depends on end-user update rates across a fragmented app ecosystem. The SDK distribution model is the systemic risk — the vulnerability was replicated across many unrelated applications whose developers may not have been tracking third-party SDK advisories.

For institutions with mobile wallet integrations or BYOD environments permitting crypto wallet apps, validating EngageSDK version exposure is worth the check. The SDK-as-vector pattern keeps recurring because it amplifies a single vulnerability across an entire ecosystem of independently maintained applications.

Briefs

Vulnerabilities

XSS Vulnerability in LimeSurvey

Cross-site scripting vulnerability in LimeSurvey with negligible exploitation likelihood.

CVE-2025-70797 T1059.007