the threat gazette
Morning Edition
Vulnerabilities

Interlock Ransomware Exploits Cisco Firewall Management Center Zero-Day for Management Plane RCE

CVE-2017-7921 CVE-2021-30952 CVE-2023-41974 CVE-2025-26399 CVE-2025-32432 CVE-2025-54068 CVE-2025-68613 CVE-2026-20131 CVE-2026-20963 CVE-2026-27483 CVE-2026-27944 CVE-2026-33017 CVE-2026-3910 Interlock Ransomware ConnectWise

Interlock ransomware is actively exploiting CVE-2026-20131 in Cisco Firewall Management Center (FMC), a zero-day in the centralized management plane for Firepower/FTD deployments. Successful exploitation lets an attacker modify firewall policies, disable IDS/IPS rules and surgically blind network-wide detection before deploying ransomware. Because FMC pushes sensor configuration and access-control policy to every managed device, one compromised appliance has organization-wide defensive impact. The EPSS score of 0.008 substantially understates the risk: management-plane appliances do not generate the broad internet-scanning telemetry that feeds the EPSS model, which leaves a systematic blind spot for this class of device. The vulnerability is confirmed in KEV and should be treated as priority-one patching for any organization running centralized FMC; until patched, the FMC management interface should be reachable only from an administrative network, and policy change history should be reviewed for the exploitation window. The roundup also surfaces high-exploitation-signal CVEs in Craft CMS (EPSS 0.88), n8n workflow automation (EPSS 0.81) and SolarWinds Web Help Desk (EPSS 0.32), but the FMC finding is the headline.
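One way to catch the policy tampering described above is to diff periodic snapshots of the access-control policy against a baseline stored off the appliance. The following is an added example, not from the gazette and not Cisco's code: the rule objects are a simplified, constructed stand-in, and their field names are assumptions rather than the real FMC REST API schema, so map them to your own export before use.

```javascript
// Added example, not from the gazette and not Cisco's code: diff two snapshots of
// an FMC-managed access-control policy and flag the changes an attacker with
// management-plane access would make to blind inspection. The rule objects are a
// simplified, constructed stand-in; field names are assumptions, not the real FMC
// REST API schema, so map them to your export before use.

// Baseline snapshot, taken from a known-good export (constructed).
const baseline = {
  policy: "Branch-Edge-ACP",
  rules: [
    { id: "r1", name: "Allow-Web",     enabled: true, action: "ALLOW", ipsPolicy: "Balanced-Security",          logging: true },
    { id: "r2", name: "Block-C2-Feed", enabled: true, action: "BLOCK", ipsPolicy: null,                         logging: true },
    { id: "r3", name: "Allow-SMB-Int", enabled: true, action: "ALLOW", ipsPolicy: "Security-Over-Connectivity", logging: true },
  ],
};

// Snapshot taken after a hypothetical compromise of the management plane (constructed):
// IPS stripped from r1, the block rule r2 disabled, and a new uninspected any/any rule.
const current = {
  policy: "Branch-Edge-ACP",
  rules: [
    { id: "r1", name: "Allow-Web",     enabled: true,  action: "ALLOW", ipsPolicy: null,                         logging: false },
    { id: "r2", name: "Block-C2-Feed", enabled: false, action: "BLOCK", ipsPolicy: null,                         logging: true },
    { id: "r3", name: "Allow-SMB-Int", enabled: true,  action: "ALLOW", ipsPolicy: "Security-Over-Connectivity", logging: true },
    { id: "r4", name: "Temp-Any-Any",  enabled: true,  action: "ALLOW", ipsPolicy: null,                         logging: false },
  ],
};

// Compare rule by rule and return findings; HIGH means inspection or blocking was lost.
function diffAccessPolicy(before, after) {
  const findings = [];
  const prev = new Map(before.rules.map(r => [r.id, r]));
  const seen = new Set();
  for (const rule of after.rules) {
    seen.add(rule.id);
    const old = prev.get(rule.id);
    if (!old) {
      // A new ALLOW rule with no intrusion policy is the classic hole punch.
      const severity = rule.action === "ALLOW" && !rule.ipsPolicy ? "HIGH" : "MEDIUM";
      findings.push({ rule: rule.id, change: "rule added", severity });
      continue;
    }
    if (old.enabled && !rule.enabled)
      findings.push({ rule: rule.id, change: "rule disabled", severity: old.action === "BLOCK" ? "HIGH" : "MEDIUM" });
    if (old.ipsPolicy && !rule.ipsPolicy)
      findings.push({ rule: rule.id, change: "intrusion policy removed", severity: "HIGH" });
    if (old.action === "BLOCK" && rule.action === "ALLOW")
      findings.push({ rule: rule.id, change: "action BLOCK->ALLOW", severity: "HIGH" });
    if (old.logging && !rule.logging)
      findings.push({ rule: rule.id, change: "logging disabled", severity: "MEDIUM" });
  }
  for (const [id, old] of prev)
    if (!seen.has(id))
      findings.push({ rule: id, change: "rule deleted", severity: old.action === "BLOCK" ? "HIGH" : "MEDIUM" });
  return findings;
}

// Convenience filter for the pager: only the findings that reduce inspection or blocking.
function highSeverity(findings) {
  return findings.filter(f => f.severity === "HIGH");
}

for (const f of diffAccessPolicy(baseline, current)) {
  console.log(`${f.severity}\t${f.rule}\t${f.change}`);
}
```

The point of the design is that the baseline lives somewhere the appliance cannot write to: an attacker who controls FMC can edit its audit log and its policy, but not a snapshot pulled on a schedule into a separate system. Pair the diff with FMC's own audit and deployment events so a silenced audit log is itself a finding.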

Interlock's deliberate targeting of network management infrastructure echoes the Volt Typhoon playbook of establishing persistent, low-visibility access through network gear rather than endpoints. Acquiring an FMC zero-day signals either in-house exploit development or well-funded broker access, an operational-maturity indicator that puts the group in a different class from most ransomware operators. The strategy is to degrade defensive visibility before execution, not simply to encrypt whatever is reachable. Watch for follow-on targeting of other management-plane appliances (Panorama, FortiManager and the like).

2026-04-12
1 source

Editorial

the through-line today isn't any single actor — it's that detection evasion is becoming the primary investment across the board. interlock is specifically blinding cisco FMC before deploying ransomware, APT37 has moved C2 entirely into legitimate cloud storage APIs where network-layer controls are useless, and CVE-2026-34621 ran undetected in the wild for five months with zero public IOCs even now. three unrelated actors, three different TTPs, same strategic goal: make your security stack irrelevant before the real operation begins. the adobe story's trajectory is particularly telling — it jumped from 2 sources to 4 overnight as corroboration rolled in, and the continued absence of attribution or IOCs at this stage suggests an operator with exceptional OPSEC, not a smash-and-grab crew.

scattered spider keeps showing up like a bad penny — they're now attributed (with varying confidence) across the openai/axios supply chain compromise AND referenced in the shinyhunters/rockstar extortion, with the april 14 payment deadline having lapsed and a data dump presumably imminent. the critical open question on the axios incident remains whether the poisoned package is the real npm axios (50M weekly downloads, enormous blast radius) or a vendored fork (contained to openai's mac app users). for a financial institution, the anodot third-party vector in the rockstar breach deserves quiet attention: if your analytics stack touches similar SaaS providers, that's your attack surface being described in someone else's incident report.

Critical

Vulnerabilities

Adobe Acrobat Reader Zero-Day CVE-2026-34621: Five Months of Silent Exploitation, Still No IOCs

CVE-2026-34621

CVE-2026-34621, a prototype pollution vulnerability in Adobe Acrobat Reader's JavaScript engine, was silently exploited from approximately November 2025 until Adobe's emergency out-of-band patch on April 13, 2026. The attack requires only that a victim open a malicious PDF; no further interaction is needed. Detection originated with the EXPMON system analyzing malicious samples in the wild, and Malwarebytes Labs independently corroborated the exploitation chain. A five-month exploitation window before public disclosure narrows the likely actor pool to sophisticated groups running targeted campaigns; this was almost certainly not broadly distributed through exploit kits. Prototype pollution in the Acrobat JS engine is a rich primitive: planting a property on Object.prototype silently alters the behavior of every object the engine's privileged code later inspects, and that kind of logic corruption is a natural first stage to chain with a sandbox escape for full RCE. PDF remains the primary document-exchange format in financial services, making this a direct spear-phishing initial-access vector. The EPSS score (0.06) predates the KEV confirmation and should be disregarded for prioritization.
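To make the primitive concrete, the following added example shows the generic prototype-pollution pattern in plain JavaScript: a recursive merge that walks attacker-controlled keys beside a hardened version. It is not Adobe's code and not the CVE-2026-34621 exploit; the payload and the isTrusted() gadget are constructed for illustration.

```javascript
// Added example, not Adobe's code and not the CVE-2026-34621 exploit: the generic
// prototype-pollution primitive the item refers to, in plain JavaScript. A recursive
// merge that walks attacker-controlled keys lets a "__proto__" key reach
// Object.prototype, after which every object in the engine inherits the planted
// property. The payload and the isTrusted() gadget are constructed for illustration.

// Vulnerable: descends into whatever property name the input names, including the
// "__proto__" accessor, which resolves to Object.prototype on a plain object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value); // with key === "__proto__" this recurses into Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the three key names that can reach a prototype, and only descend
// into properties the target actually owns (never an inherited accessor).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A consumer that never sets "trusted" itself but reads it with an inherited lookup:
// the kind of gadget that pollution turns into a privilege change.
function isTrusted(settings) {
  return settings.trusted === true;
}

// Merge an untrusted JSON document with the given merge function and report whether an
// unrelated, freshly created object now passes isTrusted(). Cleans up afterwards so the
// demonstration is repeatable within one process.
function pollutes(mergeFn) {
  // JSON.parse creates an own property literally named "__proto__", so Object.keys sees it.
  const payload = JSON.parse('{"__proto__": {"trusted": true}, "theme": "dark"}');
  mergeFn({}, payload);
  const result = isTrusted({});
  delete Object.prototype.trusted;
  return result;
}

console.log("unsafeMerge pollutes Object.prototype:", pollutes(unsafeMerge)); // true
console.log("safeMerge pollutes Object.prototype:  ", pollutes(safeMerge));   // false
```

The gadget is the part that matters for an engine like Acrobat's: the merge itself is harmless until some privileged code path reads a property it never set and treats a truthy value as permission. Denylisting the three key names is necessary but not sufficient on its own; the own-property check is what stops a merge from walking into an inherited object by any other route.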

2026-04-11
2 sources
2026-04-14
1 source

Notable

Supply Chain

OpenAI macOS App Compromised via Axios Supply Chain Attack; Scattered Spider Distributes Signed Malware

CVE-2026-33634 LAPSUS$ Scattered Spider TeamPCP UNC1069 UNC6780 Donut

OpenAI revoked its macOS application code-signing certificate following discovery of a supply chain compromise via the Axios library. Actors from the Scattered Spider/LAPSUS$/UNC cluster are implicated, distributing signed malware built with the Donut shellcode-generation framework, which produces position-independent shellcode that loads .NET assemblies, DLLs and PE files directly in memory and ships with optional AMSI and WLDP bypasses; note that Donut's loaders target Windows, a detail to reconcile with the macOS app vector. CVE-2026-33634 in Aqua Security's Trivy is associated with this incident, raising the possibility of CI/CD pipeline involvement given Trivy's role as a container and code scanner in build systems. The critical open question before impact can be assessed: was the Axios compromise in the widely distributed npm package (roughly 50M weekly downloads) or in a vendored or internal fork specific to OpenAI's build chain? The two imply dramatically different blast radii. Separate, lower-fidelity reporting attributes the Axios compromise to North Korea-linked actors rather than Scattered Spider, a conflict that needs resolution. Rated notable pending corroboration of scope and attribution.

This tracks the 2022–2023 attacks against Okta, Microsoft, Cisco and Twilio attributed to the overlapping Scattered Spider/LAPSUS$ cluster: developer tooling and identity infrastructure targeted for downstream supply chain access. The ability to sign malware with a legitimate vendor's certificate marks a meaningful evolution from their earlier social-engineering-heavy TTP set. If the npm axios package itself was compromised rather than a vendored fork, this escalates immediately to critical with industry-wide implications. The conflicting North Korea attribution in secondary reporting adds urgency to getting solid forensics on this one.
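The registry-versus-fork question is one every consumer of axios can answer for their own tree from the lockfile alone. The following added example (not OpenAI's or the axios project's code) classifies each copy of a watched package in a package-lock.json by its source and compares registry copies against a reference integrity hash; the lockfile is constructed and the integrity strings are placeholders, not real axios hashes.

```javascript
// Added example, not OpenAI's or the axios project's code: classify every copy of a
// watched package in a package-lock.json (lockfileVersion 2 or 3 "packages" map) by
// where it was sourced from, and compare registry copies against a reference
// integrity hash. The lockfile below is constructed and its integrity strings are
// placeholders, not real axios hashes; fill EXPECTED_INTEGRITY from
// `npm view axios@<version> dist.integrity` for real use.

const WATCHED = new Set(["axios"]);

// Reference hashes the operator recorded from the registry (placeholders).
const EXPECTED_INTEGRITY = {
  "axios@1.6.8":  "sha512-PLACEHOLDER-REGISTRY-HASH-168",
  "axios@0.21.1": "sha512-PLACEHOLDER-REGISTRY-HASH-0211",
};

// Constructed lockfile: one clean registry copy, one nested copy pulled from a git
// fork with no integrity field, and one registry copy whose hash does not match.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.6.0" } },
    "node_modules/axios": {
      version: "1.6.8",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
      integrity: "sha512-PLACEHOLDER-REGISTRY-HASH-168",
    },
    "node_modules/internal-http/node_modules/axios": {
      version: "1.6.8",
      resolved: "git+ssh://git@github.com/example-org/axios.git#0123456789abcdef0123456789abcdef01234567",
    },
    "node_modules/legacy-sdk/node_modules/axios": {
      version: "0.21.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-0.21.1.tgz",
      integrity: "sha512-PLACEHOLDER-TAMPERED-HASH",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-PLACEHOLDER-LODASH",
    },
  },
};

// "node_modules/@scope/pkg/node_modules/axios" -> "axios"; the root entry "" -> null.
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Where did npm get this copy from?
function classifySource(entry) {
  const resolved = entry.resolved || "";
  if (entry.link) return "local-link";
  if (/^git(\+[a-z]+)?:/.test(resolved)) return "git";
  if (resolved === "" || resolved.startsWith("file:")) return "local";
  if (resolved.startsWith("https://registry.npmjs.org/")) return entry.integrity ? "registry" : "registry-no-integrity";
  return "other-url";
}

function auditLockfile(lock, expected) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(lockPath);
    if (!name || !WATCHED.has(name)) continue;
    const source = classifySource(entry);
    const want = expected[`${name}@${entry.version}`];
    let verdict;
    if (source !== "registry") verdict = "NON-REGISTRY";          // fork, git ref, local copy: inspect by hand
    else if (want && want !== entry.integrity) verdict = "INTEGRITY-MISMATCH";
    else if (!want) verdict = "UNVERIFIED";                      // registry copy, but no reference hash recorded
    else verdict = "OK";
    findings.push({ path: lockPath, name, version: entry.version, source, verdict });
  }
  return findings;
}

for (const f of auditLockfile(lockfile, EXPECTED_INTEGRITY)) {
  console.log(`${f.verdict.padEnd(18)} ${f.source.padEnd(12)} ${f.name}@${f.version}  ${f.path}`);
}
```

`npm ci` already refuses a registry tarball whose hash disagrees with the lockfile, which is why the INTEGRITY-MISMATCH case points at a tampered lockfile rather than a tampered download. Git and local sources carry no integrity field at all, so a fork pinned by commit is only as trustworthy as the repository it came from; those are the copies to diff by hand against the registry tarball.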

Ransomware

ShinyHunters/Rockstar Extortion Deadline Passed; Data Leak Likely Imminent via Anodot Third-Party Pivot

Scattered Spider

The April 14 extortion deadline ShinyHunters set for Rockstar Games has passed without public confirmation of payment, making a data leak or further escalation the likely next step. ShinyHunters claims to have reached Rockstar's Snowflake environment through third-party analytics vendor Anodot, and the extortion note names the entry vector explicitly: "Your Snowflake instances metrics data was compromised thanks to Anodot.com." This is consistent with the group's 2024 Snowflake campaign against Ticketmaster, AT&T, Santander and hundreds of others. The actionable pattern is the entry vector: compromised or misused Anodot service credentials with delegated access to Rockstar's Snowflake account, rather than a direct compromise of Rockstar. Publicly naming Anodot is a calculated pressure tactic that adds reputational and legal leverage; if Anodot is forced into its own incident disclosure, the resulting forensic artifacts would be the most actionable intelligence to come out of this incident. Any organization whose vendors hold delegated Snowflake access to production data should be auditing those integration credentials now: which users they are, how they authenticate, whether a network policy pins them to the vendor's egress addresses, and what their login history looks like over the past weeks.
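What that audit looks like in practice, as an added example that is not Snowflake's or Anodot's code: score each login by a vendor integration user against the profile agreed at onboarding. The rows are constructed but use the real column names of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; the user names, egress ranges and expected client types are assumptions an operator replaces with their own vendor records.

```javascript
// Added example, not Snowflake's or Anodot's code: audit logins by vendor integration
// users against what each vendor is supposed to look like. The rows are constructed but
// use the real column names of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; the user names,
// the vendor egress ranges and expected client types are assumptions an operator
// replaces with the values from their own vendor onboarding records.

// What each delegated-access user is allowed to look like (assumed profiles).
const vendorProfiles = {
  VENDOR_ANALYTICS_SVC: { cidrs: ["203.0.113.0/24"],  client: "JDBC_DRIVER" },
  REPORTING_SVC:        { cidrs: ["198.51.100.0/25"], client: "PYTHON_DRIVER" },
};

// Constructed LOGIN_HISTORY rows: one clean vendor login, one vendor user suddenly
// logging in from the web UI with a password, one reporting login outside its range,
// and one human user (no profile, ignored here).
const loginHistory = [
  { EVENT_TIMESTAMP: "2026-04-10T02:15:00Z", USER_NAME: "VENDOR_ANALYTICS_SVC", CLIENT_IP: "203.0.113.17",   REPORTED_CLIENT_TYPE: "JDBC_DRIVER",   FIRST_AUTHENTICATION_FACTOR: "RSA_KEYPAIR",        SECOND_AUTHENTICATION_FACTOR: null,       IS_SUCCESS: "YES" },
  { EVENT_TIMESTAMP: "2026-04-11T23:41:00Z", USER_NAME: "VENDOR_ANALYTICS_SVC", CLIENT_IP: "192.0.2.44",     REPORTED_CLIENT_TYPE: "SNOWFLAKE_UI",  FIRST_AUTHENTICATION_FACTOR: "PASSWORD",           SECOND_AUTHENTICATION_FACTOR: null,       IS_SUCCESS: "YES" },
  { EVENT_TIMESTAMP: "2026-04-12T06:00:00Z", USER_NAME: "REPORTING_SVC",        CLIENT_IP: "198.51.100.9",   REPORTED_CLIENT_TYPE: "PYTHON_DRIVER", FIRST_AUTHENTICATION_FACTOR: "OAUTH_ACCESS_TOKEN", SECOND_AUTHENTICATION_FACTOR: null,       IS_SUCCESS: "YES" },
  { EVENT_TIMESTAMP: "2026-04-12T06:02:00Z", USER_NAME: "REPORTING_SVC",        CLIENT_IP: "198.51.100.200", REPORTED_CLIENT_TYPE: "PYTHON_DRIVER", FIRST_AUTHENTICATION_FACTOR: "OAUTH_ACCESS_TOKEN", SECOND_AUTHENTICATION_FACTOR: null,       IS_SUCCESS: "NO" },
  { EVENT_TIMESTAMP: "2026-04-12T09:10:00Z", USER_NAME: "ALICE",                CLIENT_IP: "192.0.2.10",     REPORTED_CLIENT_TYPE: "SNOWFLAKE_UI",  FIRST_AUTHENTICATION_FACTOR: "PASSWORD",           SECOND_AUTHENTICATION_FACTOR: "DUO_PUSH", IS_SUCCESS: "YES" },
];

// Minimal IPv4 CIDR matcher (unsigned arithmetic via >>> 0).
function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}
function inCidr(ip, cidr) {
  const [network, bits] = cidr.split("/");
  const prefix = Number(bits);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

// Flag every login by a profiled integration user that does not match its profile,
// failed attempts included: a failure from outside the vendor's range is still someone
// holding that user's credentials.
function auditVendorLogins(rows, profiles) {
  const findings = [];
  for (const row of rows) {
    const profile = profiles[row.USER_NAME];
    if (!profile) continue;                       // human users are out of scope for this rule
    const reasons = [];
    if (!profile.cidrs.some(c => inCidr(row.CLIENT_IP, c))) reasons.push("ip outside vendor egress");
    if (row.REPORTED_CLIENT_TYPE !== profile.client) reasons.push(`unexpected client ${row.REPORTED_CLIENT_TYPE}`);
    if (row.FIRST_AUTHENTICATION_FACTOR === "PASSWORD" && !row.SECOND_AUTHENTICATION_FACTOR) reasons.push("password-only login");
    if (reasons.length) {
      findings.push({ user: row.USER_NAME, at: row.EVENT_TIMESTAMP, ip: row.CLIENT_IP,
                      success: row.IS_SUCCESS === "YES", reasons });
    }
  }
  return findings;
}

for (const f of auditVendorLogins(loginHistory, vendorProfiles)) {
  console.log(`${f.at} ${f.user} ${f.ip} success=${f.success}: ${f.reasons.join("; ")}`);
}
```

In production the rows come from `SELECT ... FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY WHERE EVENT_TIMESTAMP > DATEADD(day, -30, CURRENT_TIMESTAMP())`, and the detection has a preventive twin: a Snowflake network policy attached to each integration user rejects logins outside the vendor's egress range before they ever reach the history table.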

Since prior coverage: the deadline has passed, shifting this from active extortion to probable data leak. The move from directly compromising Snowflake customer credentials (the 2024 campaign) to targeting the SaaS ecosystem orbiting Snowflake is harder to counter with credential hygiene alone; it exploits the web of vendor service tokens with delegated access, a sprawling and largely unaudited attack surface that conventional vulnerability management never touches.

Malware

APT37 Deploys RokRAT via Facebook Social Engineering with Cloud-Native C2

APT3 APT37 ROKRAT cmd

North Korean state-sponsored group APT37 (ScarCruft/Reaper) is using Facebook-based social engineering as a new delivery vector for RokRAT malware, expanding beyond its traditional email spear-phishing playbook. RokRAT's C2 rides on legitimate cloud storage services (OneDrive, Dropbox, pCloud), deliberately blending malicious traffic with authorized enterprise cloud usage to defeat network-layer detection. The Facebook delivery pivot is an adaptation to hardened enterprise email: corporate mail increasingly carries attachment sandboxing and link scanning, while social-platform messaging typically sits outside enterprise DLP and security controls. Since blocking Microsoft or Dropbox API traffic is not operationally feasible, detection has to rely on behavioral analytics: which process is talking to the storage API, what spawned it, where its image lives, and whether its upload cadence looks like a beacon rather than a sync client.
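The process-centric version of that analytic, as an added example that is not from the gazette and not tied to any specific RokRAT sample: score outbound connections to cloud-storage APIs by the process that made them, its ancestry and its image path. The events are constructed EDR-style records; the API host list and the expected-client table are assumptions to validate against your own proxy logs.

```javascript
// Added example, not from the gazette and not tied to a specific RokRAT sample: score
// outbound connections to cloud-storage APIs by which process made them and what
// spawned that process, which is the behavioral signal left when the destination itself
// is legitimate. The events are constructed EDR-style records; the API host list and
// the expected-client table are assumptions to validate against your own proxy logs.

// Hosts the consumer storage APIs live on (assumed; extend from proxy data).
const CLOUD_API_HOSTS = {
  "graph.microsoft.com": "onedrive", "api.onedrive.com": "onedrive",
  "api.dropboxapi.com": "dropbox",   "content.dropboxapi.com": "dropbox",
  "api.pcloud.com": "pcloud",        "eapi.pcloud.com": "pcloud",
};

// Processes expected to talk to each service on a normal enterprise desktop (assumed).
const BROWSERS = ["msedge.exe", "chrome.exe", "firefox.exe"];
const EXPECTED_CLIENTS = {
  onedrive: new Set(["onedrive.exe", "outlook.exe", "teams.exe", ...BROWSERS]),
  dropbox:  new Set(["dropbox.exe", ...BROWSERS]),
  pcloud:   new Set(["pcloud.exe", ...BROWSERS]),
};

// Parents that should never be upstream of a cloud-storage client: document viewers
// and script hosts, the usual first stage of a lure-delivered implant.
const SUSPICIOUS_ANCESTORS = new Set([
  "winword.exe", "excel.exe", "powerpnt.exe", "hwp.exe",
  "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe",
]);

// Constructed telemetry: ancestry lists parents only, nearest parent first.
const events = [
  { ts: "2026-04-12T08:00:01Z", host: "WS-101", process: "OneDrive.exe",   image: "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", ancestry: ["explorer.exe"],                          dest_host: "graph.microsoft.com" },
  { ts: "2026-04-12T08:05:10Z", host: "WS-101", process: "chrome.exe",     image: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",       ancestry: ["explorer.exe"],                          dest_host: "api.dropboxapi.com" },
  { ts: "2026-04-12T08:07:42Z", host: "WS-101", process: "msupdate.exe",   image: "C:\\Users\\u\\AppData\\Roaming\\msupdate.exe",                    ancestry: ["cmd.exe", "winword.exe", "explorer.exe"], dest_host: "api.pcloud.com" },
  { ts: "2026-04-12T08:09:00Z", host: "WS-102", process: "powershell.exe", image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", ancestry: ["cmd.exe", "explorer.exe"],               dest_host: "graph.microsoft.com" },
  { ts: "2026-04-12T08:11:30Z", host: "WS-102", process: "python.exe",     image: "C:\\Python312\\python.exe",                                       ancestry: ["cmd.exe", "explorer.exe"],               dest_host: "api.github.com" },
];

// Returns null for connections that are not to a cloud-storage API or that come from an
// expected client; otherwise a finding listing every signal that fired.
function scoreEvent(ev) {
  const service = CLOUD_API_HOSTS[ev.dest_host.toLowerCase()];
  if (!service) return null;
  const proc = ev.process.toLowerCase();
  if (EXPECTED_CLIENTS[service].has(proc)) return null;
  const reasons = [`unexpected process ${proc} -> ${service}`];
  const badParent = ev.ancestry.map(a => a.toLowerCase()).find(a => SUSPICIOUS_ANCESTORS.has(a));
  if (badParent) reasons.push(`spawned under ${badParent}`);
  const image = ev.image.toLowerCase();
  if (image.includes("\\appdata\\") || image.includes("\\temp\\")) reasons.push("image in user-writable path");
  return { ts: ev.ts, host: ev.host, process: ev.process, service,
           severity: reasons.length >= 2 ? "HIGH" : "MEDIUM", reasons };
}

function detectCloudC2(records) {
  return records.map(scoreEvent).filter(Boolean);
}

for (const f of detectCloudC2(events)) {
  console.log(`${f.severity}\t${f.host}\t${f.process} -> ${f.service}: ${f.reasons.join("; ")}`);
}
```

The powershell.exe hit is the one that needs tuning (an admin-host allowlist or a signed-script condition); the implant-shaped event trips all three signals and is what the rule exists for. The next signal worth adding is per-process upload cadence: a sync client moves variable-sized data when files change, while a beacon sends small, similar-sized requests on a timer.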

APT37's historical focus has been South Korean government, military and diplomatic targets, with secondary targeting of defectors and North Korea-focused journalists. A Facebook-based delivery mechanism suggests either a broadening of target scope or deliberate exploitation of personal communication contexts that email campaigns cannot reach. The toolset has remained remarkably consistent since RokRAT was first documented in 2017, each iteration refining evasion while keeping the same core espionage-collection mission. Direct risk to US financial services is low, but the cloud-native C2 pattern is increasingly common across actor tiers.

Malware

JanelaRAT Banking Trojan Targets LATAM Financial Institutions with Title-Bar Monitoring

UPPERCUT

Kaspersky profiles JanelaRAT, a BX RAT variant active since June 2023 that targets financial and cryptocurrency platforms across Latin America. Its distinguishing capability is a title-bar monitoring mechanism that watches browser window titles for the names of specific banking institutions, enabling targeted credential theft without the noise of indiscriminate keylogging; the technique is a staple of the LATAM banking trojan lineages rather than something new. The malware has been operational for nearly three years and remains effective against regional defenses. The broader LATAM banking trojan ecosystem (Grandoreiro, Mekotio, Casbaneiro, Guildma) has been gradually extending its reach toward Spanish- and Portuguese-speaking diaspora populations in North America and Europe. Note: the UPPERCUT attribution signal in the source data appears to be a false positive; UPPERCUT is documented APT10 tooling with no LATAM nexus.

Relevant primarily for organizations with LATAM operations or diaspora-serving customer bases. The title-bar technique targets a gap in standard EDR behavioral rules, which typically focus on process and filesystem behavior rather than UI interaction; the observable it does leave is a user-mode process polling window titles (GetForegroundWindow and GetWindowText in a tight loop) from an image nobody installed, which is worth validating against your own detection coverage. This is a new Kaspersky profile of a long-running threat rather than a new campaign, but three years of continued operational effectiveness is itself an indicator of persistent defensive gaps in the region.

Briefs

Geopolitical

France Announces Phased Government Migration from Windows to Linux

France is executing a phased shift toward Linux across government infrastructure, citing improved cybersecurity posture. The source frames the move against the broader threat landscape and tags several actors, including priority actor Scattered Spider (a criminal group, not a state-sponsored one); these are contextual references, not reported targeting of the migration.

CVE-2024-41110 CVE-2026-27654 CVE-2026-34040 CVE-2026-34621 CVE-2026-39987 APT3 APT42 Contagious Interview CyberAv3ngers Famous Chollima Kimsuky Qilin Scattered Spider TeamPCP UAC-0226 Milan