Fortinet Zero-Day Exploited, Medusa Ransomware Weaponizes Flaws in Hours, and AI Phishing Bypasses MFA

New analysis of tax season phishing campaigns reveals specific Remote Monitoring and Management (RMM) tools, such as N-able and Datto, are being leveraged as Remote Access Trojans (RATs). The update also provides a more detailed breakdown of W-2 Business Email Compromise (BEC) scam tactics, including impersonation of the IRS and executives. It further clarifies the severe organizational impacts of these W-2 breaches, which can lead to massive data breaches, regulatory fines, reputational damage, and class-action lawsuits. Detection and mitigation strategies are reinforced, emphasizing employee training and application control.

New reports confirm that Hasbro's consumer-facing digital platforms, including D&D Beyond and Hasbro Pulse, were not impacted by the recent cyberattack. This clarification indicates that while internal systems are disrupted, direct customer interaction points remain operational, potentially limiting broader reputational and financial damage related to customer-facing services. The company continues to investigate the full scope of the incident and anticipates several more weeks of recovery.

Further analysis of the 'BlueHammer' Windows zero-day exploit reveals it's a logical flaw, not memory corruption. It chains the Windows Defender update process, Volume Shadow Copy Service (VSS), and file system junctions to gain access to locked system files, specifically the SAM database. This allows attackers to dump NTLM password hashes, enabling offline cracking or Pass-the-Hash attacks, significantly enhancing credential theft capabilities. New detection strategies focus on monitoring VSS activity and SAM file access, aligning with MITRE ATT&CK T1003.003.

Microsoft research details Storm-1175, a Medusa ransomware group, capable of exploiting newly disclosed N-day and zero-day vulnerabilities to achieve full ransomware deployment in 24-48 hours. This high-velocity operation targets web-facing assets across healthcare and education, using legitimate remote management tools. The group's rapid attack cycle exemplifies the shrinking 'critical risk window' between vulnerability disclosure and exploitation, underscoring the urgent need for aggressive patch management and robust attack surface monitoring to counter these accelerated threats.

F5 has released additional Indicators of Compromise (IOCs) for the actively exploited BIG-IP RCE (CVE-2025-53521). New detection methods include monitoring `/var/log/apm` for SELinux disable entries, `/var/log/auditd` for process ID 0, and `/tmp/` for suspicious files. Scans reveal over 14,000 BIG-IP systems remain exposed online, highlighting the urgent need for patching. This update underscores the importance of reviewing patch prioritization policies, as initial lower severity ratings can quickly escalate to critical, actively exploited threats.

The CVSS score for CVE-2026-35616 has been updated from 9.1 to 9.8, reflecting a higher critical impact. Analysis reveals nearly 2,000 FortiClient EMS instances are exposed online, with initial exploitation detected around March 31, 2026. Security researchers report a significant increase in scanning and exploitation attempts. New indicators of compromise (IOCs) include specific URL patterns (/api/v1/vulnerabilities), monitoring FCTDas.exe for suspicious child processes, and scrutinizing inbound connections to EMS port 8013. Organizations are urged to apply hotfixes immediately and consider network isolation for management interfaces.