← All threat briefs
Threat Brief

Weekly Situation Report — 4/27/26

Executive summary

This week’s developments for partners and clients: breaches, vulnerabilities, research, threat actor activity, and mitigation guidance.

Key takeaways

  • Threat actors deploy malicious document sharing and meeting invites as phishing lures to distribute ScreenConnect remote access tool
  • A Vercel security incident claimed by fake ShinyHunters group resulted in possible supply-chain compromise
  • CISA issued urgent warnings about critical SD-WAN vulnerabilities actively exploited to compromise network infrastructure
  • Updated guidance released regarding Defender vulnerabilities (Nightmare-Eclipse) with known wild exploitation
  • Bitwarden npm package distribution compromised in supply chain attack, potentially exposing users to malware or credential theft
  • Critical serial-to-IP converter flaws bypass security controls and enable unauthorized operational technology access

1. Phishing Lures Use Meeting Invites to Drop ScreenConnect RAT

Summary

Phishing domains mimicking Teams, Zoom, Adobe, and Docusign serve ScreenConnect RAT payloads through fake invites and shared links.

Category

Threat Actor Activities

Industry

Multiple (primarily North America and Europe)

Sources

https://sublime.security/blog/advanced-fake-zoom-installer-used-for-delivering-malware/

https://www.netcraft.com/blog/remote-access-delivery-via-fake-meetings

https://www.malwarebytes.com/blog/scams/2026/02/fake-zoom-meeting-update-silently-installs-surveillance-software

https://www.huntress.com/blog/uptick-bomgar-exploitation

Analyst comments

OSec observed threat actors using phishing sites mimicking popular meeting applications and services to serve RMM software for command-and-control activities. This likely relates to known exploitation active since February. Analyzed sites impersonate Zoom, Teams, Google Meet, Docusign, and Adobe Reader.

Research indicates initial access primarily through phishing emails containing fake meeting invites or document-sharing links. These lures redirect users to download malicious files disguised as installers claiming software is outdated. Upon execution, a preconfigured ScreenConnect version installs with attacker-controlled callback locations establishing C2 connectivity.

The cluster consistently uses Shock Hosting (ASN395092) for network infrastructure. Phishing landing pages utilize various PHP endpoints, predominantly invite.php and download.php, the latter serving malicious RMM payloads.

Callback domains typically used screenconnect[.]com with custom company names. Public sources and malware data show increased ScreenConnect submissions with notable spikes April 18-21. Broader RMM tool exploitation is increasing, with recent reports noting compromised Bomgar instances in active attacks.

Actionable guidance

  • Detect differing RMM software versions or installations not attributable to administrator activity; treat with elevated urgency
  • Restrict software installation for non-IT users by blocking .exe and .msi downloads unless explicitly required
  • Restrict local administrator privileges to prevent RMM-based privilege escalation and credential access
  • Block Shock Hosting ASN to reduce attack success likelihood with minimal operational disruption

2. Vercel Breach Claimed by Fake ShinyHunters Group

Summary

Vercel experienced a security breach after third-party AI tool Context.ai was compromised, allowing attackers to access an employee’s Google Workspace and some internal systems and non-sensitive data.

Category

Supply Chain Risk

Industry

Technology

Sources

https://securityaffairs.com/191031/data-breach/third-party-ai-hack-triggers-vercel-breach-internal-environments-accessed.html

https://vercel.com/kb/bulletin/vercel-april-2026-security-incident

https://vercel.com/docs/environment-variables/sensitive-environment-variables

https://www.reddit.com/r/webdev/comments/1sqy1k4/holy_crap_vercel_got_hacked_rotate_your_keys_if/

Analyst comments

Vercel experienced a breach through compromised third-party AI tool Context.ai, leading to attacker access of an employee’s Google Workspace and limited internal systems and non-sensitive data. The attacker demonstrated significant technical skill with rapid, effective infrastructure movement. Sensitive environment variables remained uncompromised due to secure storage methods.

Vercel collaborated with cybersecurity firms and law enforcement. The company rotated credentials and keys, finding no evidence of package repository tampering. However, exposed repository credentials may now be stale. This likely affects customers using Vercel who haven’t rotated environment keys, particularly those storing secrets in unmarked environment variables.

Actionable guidance

  • Organizations using Vercel must immediately rotate keys, especially if secrets are in unmarked environment variables
  • Create inventory or SBOM (Secure Bill of Materials) and implement enhanced monitoring of Vercel and Next.js packages
  • Investigate OAuth applications matching identified IoCs; may warrant incident response activation

3. CISA Flags SD-WAN Flaws as Actively Exploited in Attacks

Summary

Cisco Catalyst SD-WAN vulnerabilities CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128 were added to CISA’s Known Exploited Vulnerabilities catalog.

Category

Known Exploited Vulnerabilities

Industry

Public Sector, Government Administration, Multiple

Sources

https://www.bleepingcomputer.com/news/security/cisa-flags-new-sd-wan-flaw-as-actively-exploited-in-attacks/

https://www.reddit.com/r/sysadmin/comments/1rm660l/cisco_catalyst_sd_wan_just_got_hit_with_active/

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v

https://www.vulncheck.com/blog/cisco-sd-wan-manager-vulns

https://www.darkreading.com/vulnerabilities-threats/fake-pocs-risks-cisco-sd-wan

Analyst comments

CISA mandated that government agencies secure systems against actively exploited Catalyst SD-WAN Manager vulnerabilities. Exploited vulnerabilities include:

CVEDescriptionCVSS
CVE-2026-20122Cisco Catalyst SD-WAN Manager API File Overwrite5.4 (Medium)
CVE-2026-20128Cisco Catalyst SD-WAN Manager DCA User Takeover7.5 (High)
CVE-2026-20133Cisco Catalyst SD-WAN Manager API Information Disclosure7.5 (High)

Public honeypot data shows exploitation spikes two months ago, primarily March 3-20. CVE-2026-20128 and CVE-2026-20122 exploitation began March 5, 2026. Cisco PSIRT advisories updated this week reflecting current exploitation and CVE-2026-20133 addition, likely exploited in earlier attacks.

Actionable guidance

  • Apply vendor patches immediately
  • Implement geoblocking, as exploitation IPs traced to Russia-based sources
  • Examine web logs for .dca file navigation attempts and suspicious “viptela-reserved-dca” user logins if compromise suspected
  • Immediately isolate confirmed compromise hosts and trigger incident response investigation
  • Review activity within March 1 to April 1 timeframe based on honeypot data
  • Expect multiple threat actors actively exploiting across regions

4. UPDATE: Trio of Local Windows Defender Bugs Exploited in the Wild

Summary

Threat actors exploited recently disclosed bugs from security researcher Nightmare-Eclipse, including two local privilege escalation (LPE) and one Denial of Service (DoS) proof-of-concept targeting Defender.

Updated April 27th, 2026 with new in-the-wild exploitation data.

Category

Critical Vulnerabilities

Industry

Multiple

Sources

https://securityaffairs.com/190887/hacking/ai-platform-n8n-abused-for-stealthy-phishing-and-malware-delivery.html

https://www.huntress.com/blog/nightmare-eclipse-intrusion

Internal OSec Research

Analyst comments

Security researcher NightMare-Eclipse disclosed three Windows bugs affecting Microsoft Defender. Two vulnerabilities (BlueHammer and RedSun) result in local privilege escalation; the third (UnDefend) causes Defender denial of service. All three have been exploited in the wild according to security researcher reports.

BlueHammer is the only vulnerability with available patches (released April Patch Tuesday as CVE-2026-33825). RedSun and UnDefend currently lack patches. Public PoC code exists and in-the-wild exploitation is confirmed. No specific threat actor attribution available, though multiple groups likely exploited disclosed vulnerabilities.

Both LPE vulnerabilities generate EICAR-related detections before full execution, serving as exploitation indicators. Known post-exploitation activity includes typical reconnaissance consistent with common threat actor behavior. All Windows versions likely affected, with greater risk to Windows 10 and 11 workstations.

New in-the-wild exploitation data

Threat actors targeting Fortinet devices also use these vulnerabilities in attack chains, observed following Fortigate SSL VPN compromise. Recorded indicators:

212.232.23[.]69 - Singapore - AS215381 ROCKHOSTER PRIVATE LIMITED
179.43.140[.]214 - Switzerland - AS51852 Private Layer INC
78.29.48[.]29 - Russia - AS8369 Intersvyaz-2 JSC
staybud.dpdns[.]org - Used for proxy tunneling traffic over 443

Attackers also exploit ActiveMQ vulnerabilities (CVE-2026-34197) recently added to CISA KEV catalog. While threat actors attempted all three vulnerabilities (RedSun, BlueHammer, and UnDefend), reported attempts were unsuccessful.

Actionable guidance

  • Keep Microsoft Defender and Windows systems updated with latest protections and hotfixes
  • Look for disabled Defender instances or EICAR detections in protection history if compromise suspected
  • Focus investigation on events involving TieringServiceEngine.exe binary
  • Check for other indicators like credential reuse, phishing activity, or exploitation methods
  • Isolate confirmed compromised hosts through formal incident response procedures
  • Block newly identified malicious network locations

5. Checkmarx Supply Chain Attack Impacts Bitwarden npm Distribution Path

Summary

Bitwarden CLI version 2026.4.0 was compromised in the Checkmarx supply chain attack, incorporating malicious code harvesting sensitive data. Only users installing during a brief window were affected; no vault or production data was compromised.

Category

Supply Chain Risk

Industry

Technology, Financial and Fintech, Public Sector and Government Administration

Sources

https://securityaffairs.com/191215/uncategorized/checkmarx-supply-chain-attack-impacts-bitwarden-npm-distribution-path.html

https://www.aikido.dev/blog/shai-hulud-npm-bitwarden-cli-compromise

https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html

https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127

Analyst comments

Bitwarden CLI was compromised in a Checkmarx supply chain attack, with malicious code in bw1.js introduced through a compromised GitHub Action. Affected version @bitwarden/cli 2026.4.0 contained a malicious preinstall hook triggering automatically during npm installation.

Malicious files bw_setup.js and bw1.js employ credential harvesting with worm-like propagation behavior. The malware steals sensitive data including SSH keys, cloud credentials, and npm tokens, exfiltrating to a fake Checkmarx domain. Bitwarden removed the malicious package and initiated remediation, confirming no compromised vault or production data evidence.

The supply chain incident likely causes further downstream disruption. Stolen credentials from recent campaigns will identify and access additional GitHub or package repositories for continued exploitation. These attacks typically pre-position for major organization compromise.

Attribution points to Team PCP and Checkmarx compromise; however, code found includes “Shai-Hulud: The Third Coming” string pointing to earlier supply-chain compromise campaigns. Malware behavior aligns more closely with Shai Hulud tactics while Team PCP associated domains suggest collaboration or overlap. The objective steals credentials and secrets:

  • SSH
  • Git
  • Npm
  • Env
  • Bash and shell history
  • AWS, GCP
  • Claude, MCP

Malicious commits included strings “LongLiveTheResistanceAgainstMachines” or “beautifulcastle” along with “gh auth token” shell commands checking for active Github CLI tokens.

Actionable guidance

The compromise occurred April 22nd (approximately 5:57 PM – 7:30 PM ET) with an exploitation window of 90-93 minutes. While potentially limited exposure, substantial time existed to infect multiple users, packages, and repositories.

  • Check primary exfiltration points for suspicious traffic if compromise suspected
  • Confirmed exposure victims must immediately rotate all credentials and secrets
  • Monitor repositories, packages, and accounts for unauthorized changes
  • Target individual developers primarily, but typically pre-positions for larger organization compromise
  • Implement SBOM inventory and management to audit changes and updates
  • Maintain safelist of approved packages and libraries for developer projects
  • Ensure MFA controls for sensitive accounts, passwords, or secrets if not already in place

6. Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking

Summary

Serial-to-IP converters bridging legacy serial equipment to modern networks contain serious security flaws identified by Forescout Technologies enabling remote attacks, including device takeover, data tampering, and Denial of Service.

Category

Critical Vulnerabilities

Industry

Manufacturing, Healthcare, Energy, Logistics and Shipping, and environments with heavy IoT/OT use

Sources

https://www.securityweek.com/serial-to-ip-converter-flaws-expose-ot-and-healthcare-systems-to-hacking/

https://www.forescout.com/press-releases/bridgebreak-forescout-identifies-22-new-vulnerabilities-on-serial-to-ip-converters-and-finds-thousands-exposed-online/

https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02

https://www.silex.jp/support/security-advisories/2026-001

https://www.forescout.com/resources/bridgebreak-report/

https://www.dragos.com/blog/poland-power-grid-attack-electrum-targets-distributed-energy-2025

Internal OSec Research

Analyst comments

Serial-to-IP converters bridging legacy serial equipment to modern Ethernet/IP networks suffer numerous vulnerabilities collectively known as BRIDGE:BREAK, exploitable for OS command injection, remote code execution, and firmware tampering. These devices, used across industrial, healthcare, and energy sectors, expose critical infrastructure to threats from internet-exposed systems and local network vulnerabilities.

Researchers found 20 new vulnerabilities impacting vendors like Silex and Lantronix, potentially severely disrupting operations through data tampering and denial-of-service conditions.

Silex vulnerabilities:

  • CVE-2026-32955 – SD-330AC Ver.1.42: Stack overrun in authenticated login redirect URL; memory corruption/unintended actions possible; CVSS 8.8 HIGH
  • CVE-2026-32956 – SD-330AC Ver.1.42: Heap overrun in unauthenticated login redirect URL; memory corruption/unintended actions possible; CVSS 9.8 CRITICAL
  • CVE-2026-32957 – SD-330AC Ver.1.42: File upload restriction bypass; unauthenticated arbitrary file upload to temporary memory; CVSS 5.3 MEDIUM
  • CVE-2026-32963 – SD-330AC Ver.1.42: Reflected XSS on system status page; malicious JavaScript injection via web page links; CVSS 6.1 MEDIUM
  • CVE-2026-32958 – SD-330AC Ver.1.42: Hardcoded firmware signing key; tampered firmware accepted as legitimate; CVSS 6.5 MEDIUM
  • CVE-2015-5621 – SD-330AC Ver.1.42: DoS via net-snmp vulnerability; SNMP agent can be prematurely terminated; CVSS 7.5 HIGH
  • CVE-2026-32959 – SD-330AC / AMC Manager Ver.5.0.2: Encryption using constant keystream; man-in-the-middle interception of config data; CVSS 5.9 MEDIUM
  • CVE-2026-32960 – SD-330AC / AMC Manager Ver.5.0.2: Authentication bypass via credential reuse; unauthenticated admin privilege escalation; CVSS 6.5 MEDIUM
  • CVE-2026-32961 – SD-330AC / AMC Manager Ver.5.0.2: Heap overrun via unvalidated data length; potential DoS or remote code execution; CVSS 5.3 MEDIUM
  • CVE-2026-32965 – SD-330AC / AMC Manager Ver.5.0.2: No admin password enforcement; attacker can set password and gain admin privileges; CVSS 7.5 HIGH
  • CVE-2026-32962 – SD-330AC Ver.1.42: Unauthenticated product settings tampering via Serial Device Server Setup; CVSS 5.3 MEDIUM
  • CVE-2024-24487 – SD-330AC Ver.1.42: Unauthenticated product restart via Serial Device Server Setup; DoS possible; CVSS 5.3 MEDIUM
  • CVE-2026-32964 – SD-330AC Ver.1.42: Config injection via Serial Device Server Setup; arbitrary entries insertable into system config files; CVSS 6.5 MEDIUM

Lantronix vulnerabilities:

  • CVE-2025-67034 – EDS5000 2.1.0.0R3: OS command injection via SSL credential deletion “name” parameter; root execution; CVSS 7.2 HIGH
  • CVE-2025-67035 – EDS5000 2.1.0.0R3: OS command injection on SSH Client/Server pages via delete actions; root execution; CVSS 7.2 HIGH
  • CVE-2025-67036 – EDS5000 2.1.0.0R3: OS command injection via Log Info page filename parameter; root execution; CVSS 7.2 HIGH
  • CVE-2025-67037 – EDS5000 2.1.0.0R3: OS command injection via tunnel kill “tunnel” parameter; root execution; CVSS 7.2 HIGH
  • CVE-2025-67038 – EDS5000 2.1.0.0R3: OS command injection via unsanitized username in failed auth logging; root execution; CVSS 9.8 CRITICAL
  • CVE-2025-67039 – EDS3000PS 3.1.0.0R2: Authentication bypass on management pages via URL suffix + “admin” header; CVSS 9.8 CRITICAL
  • CVE-2025-70082 – EDS3000PS 3.1.0.0R2: Admin password changeable without current password knowledge; chainable with auth bypass; CVSS 2.7 LOW
  • CVE-2025-67041 – EDS3000PS 3.1.0.0R2: OS command injection via unsanitized TFTP client host parameter; root execution; CVSS 7.2 HIGH

Current wild exploitation status is unknown. Report data confirms over 8000 Lantronix devices publicly exposed via Shodan, while only four Silex Technology devices confirmed through exposed FTP ports and banner information. Threat actors may prioritize Lantronix devices due to significantly higher exposure. Publicly available vendor research provides sufficient detail for threat actors to develop or execute exploits short-term.

Historically, threat actors leveraged these devices targeting critical infrastructure, notably Poland’s power grid. Over the past year, hacktivist groups increasingly focused on disrupting OT technology, evidenced by Telegram channel and social media discussions. Groups including noname057(16) and DDoSia volunteers, Z-Pentest-Alliance, Nullsechackers, and vulture_001 exploited OT systems and IP cameras since March. Many mentioned groups likely have direct or indirect Russia state-aligned agency links.

Actionable guidance

Both Lantronix and Silex released patches for affected devices. Given high-risk threat profile and targeted attack nature:

  • Deny public internet access; restrict to internal networks or physical connections where feasible
  • Minimize compromise risk, especially for manufacturing sectors with inconsistent or impossible patch management cycles
  • Monitor all OT network-connected technology for suspicious activity, particularly across TFTP, web, and HMI interfaces
  • Retain access logs and timestamps for auditable activity records supporting investigation confirmation
  • Prioritize Lantronix device patching given exploitation simplicity and larger online attack surface
  • Address most vulnerabilities involving OS command injection through TFTP ports and HTTP services
  • Restrict unnecessary ports on these devices

Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec’s original threat research. Delivered weekly to partners and clients. REQUEST ACCESS

More briefs
Weekly Situation Report — 6/15/26Jun 18, 2026Weekly Situation Report — 6/8/26Jun 11, 2026Weekly Situation Report — 6/1/26Jun 4, 2026
Talk to an expert