End-of-Day report
Timeframe: Friday 03-04-2026 18:00 - Tuesday 07-04-2026 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
News
Hackers exploit React2Shell in automated credential theft campaign
Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps.
https://www.bleepingcomputer.com/news/security/hackers-exploit-react2shell-in-automated-credential-theft-campaign/
Drift $280M crypto theft linked to 6-month in-person operation
The Drift Protocol says that the $280+ million hack it suffered last week was the result of a long-term, carefully planned operation that included building "a functioning operational presence inside the Drift ecosystem."
https://www.bleepingcomputer.com/news/security/drift-280m-crypto-theft-linked-to-6-month-in-person-operation/
How often are redirects used in phishing in 2026? (Mon, Apr 6th)
In one of his recent diaries, Johannes discussed how open redirects are actively being sought out by threat actors, which made me wonder about how commonly these mechanisms are actually misused. Although open redirect is not generally considered a high-impact vulnerability on its own, it can have multiple negative implications. Johannes already covered one in connection with OAuth flows, but another important (mis)use case for them is phishing.
https://isc.sans.edu/diary/rss/32870
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
https://thehackernews.com/2026/04/china-linked-storm-1175-exploits-zero.html
Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign
An active campaign has been observed targeting internet-exposed instances running ComfyUI, a popular stable diffusion platform, to enlist them into a cryptocurrency mining and proxy botnet.
https://thehackernews.com/2026/04/over-1000-exposed-comfyui-instances.html
The Hack That Exposed Syria's Sweeping Security Failures
When Syrian government accounts were hijacked in March, the breach looked chaotic. But it revealed something more troubling: a state struggling with the most basic layer of cybersecurity.
https://www.wired.com/story/inside-the-hack-that-exposed-syrias-security-failures/
Germany Doxes "UNKN," Head of RU Ransomware Gangs REvil, GandCrab
An elusive hacker who went by the handle "UNKN" and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.
https://krebsonsecurity.com/2026/04/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab/
The ID Austria certificate is expiring? When fraud and reality blur together
In fact, around 300,000 ID Austria certificates will lose their validity over the coming months. Anyone who does not renew in time must apply for a new one. But SMS messages warning of an imminent expiry are and remain what they have always been: fraud attempts! This article explains how to recognise the trap.
https://www.watchlist-internet.at/news/id-austria-laeuft-ab/
Understanding Current Threats to Kubernetes Environments
Unit 42 uncovers escalating Kubernetes attacks, detailing how threat actors exploit identities and critical vulnerabilities to compromise cloud environments.
https://unit42.paloaltonetworks.com/modern-kubernetes-threats/
Hackers threaten to leak data after cyberattack on German party Die Linke
Die Linke confirmed in late March that its IT infrastructure had been hit by what it described as a "serious cyberattack."
https://therecord.media/hackers-threaten-to-leak-german-political-party-data
Cyberattack on telecom giant Rostelecom disrupts internet services across Russia
A "large-scale" distributed denial-of-service (DDoS) attack targeted the network of Russian state-run telecom giant Rostelecom on Monday evening, temporarily disrupting online banking, government platforms and other digital services across dozens of cities.
https://therecord.media/rostelecom-cyberattack-disrupts-russian-internet-access
UK exposes Russian military intelligence hijacking vulnerable routers for cyber attacks
New advisory warns cyber threat group APT28 have exploited vulnerable edge devices to support malicious operations.
https://www.ncsc.gov.uk/news/uk-exposes-russian-military-intelligence-hijacking-vulnerable-routers-for-cyber-attacks
GrafanaGhost Vulnerability Allows Silent Data Theft via AI Injection
GrafanaGhost is a critical vulnerability in Grafana's AI components that uses indirect prompt injection and protocol-relative URL bypasses to exfiltrate data.
https://hackread.com/grafanaghost-vulnerability-data-theft-via-ai-injection/
A Cryptography Engineer's Perspective on Quantum Computing Timelines
My position on the urgency of rolling out quantum-resistant cryptography has changed compared to just a few months ago. You might have heard this privately from me in the past weeks, but it's time to signal and justify this change of mind publicly.
https://words.filippo.io/crqc-timeline/
Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign
Since we published our initial analysis of the axios compromise, a deep dive into its hidden blast radius, and a report on the maintainer confirming it was social engineering, maintainers across the Node.js ecosystem have come out of the woodwork to report that they were targeted by the same social engineering campaign. The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that axios was not a one-off target.
https://socket.dev/blog/attackers-hunting-high-impact-nodejs-maintainers
Getting root on TP-Link Smart Switches using CVE-2026-1668
In the previous post, I described how we can exploit CVE-2026-1668 to gain arbitrary code execution. In this post, I go into the details of building a useful exploit payload.
https://blog.tangrs.id.au/2026/04/06/exploiting-cve-2026-1668-part-3/
Vulnerabilities
Disgruntled researcher leaks "BlueHammer" Windows zero-day exploit
Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions.
https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/
Printing system: Cups vulnerabilities endanger numerous Linux systems
A researcher set AI agents loose on the Cups printing system. Two discovered security vulnerabilities give attackers remote root access.
https://www.golem.de/news/von-ki-agenten-entdeckt-print-server-luecken-gefaehrden-zahlreiche-linux-systeme-2604-207281.html
Update now! Critical FortiClient EMS vulnerability is under attack
Fortinet has provided hotfixes and urgently advises admins to apply them promptly. They close a code-injection vulnerability that is being actively attacked.
https://www.heise.de/news/FortiClient-EMS-Kritische-Codeschmuggel-Luecke-wird-angegriffen-11246000.html
50,000 WordPress Sites affected by Arbitrary File Upload Vulnerability in Ninja Forms - File Upload WordPress Plugin
On January 8th, 2026, we received a submission for an Arbitrary File Upload vulnerability in Ninja Forms - File Upload, a WordPress plugin with an estimated 50,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution.
https://www.wordfence.com/blog/2026/04/50000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-ninja-forms-file-upload-wordpress-plugin/
Attackers can attack the web interface of WatchGuard Firebox
WatchGuard firewalls of the Firebox series and the products Dimension and WebBlockerServer are vulnerable. Security patches are available.
https://heise.de/-11246291
LWN Security updates for Tuesday
https://lwn.net/Articles/1066665/