CISA Warns of Axios Supply Chain Attack; Ransomware Gangs Industrialize and Target EDR

Vect Ransomware Forges Alliance with BreachForums and TeamPCP to Industrialize Attacks

The Vect ransomware-as-a-service (RaaS) group has formed a strategic alliance with the BreachForums cybercrime marketplace and the TeamPCP hacking group. This partnership aims to industrialize ransomware deployment by leveraging credentials from TeamPCP's supply chain attacks and recruiting affiliates on a massive scale through BreachForums. The collaboration has already resulted in confirmed attacks, with victims like Guesty and USHA International listed on Vect's leak site, representing a new, highly scalable model for RaaS operations.

VectRaaSBreachForumsTeamPCPransomware +3 more

Data Breach

Nearly 600,000 Patients Affected by Data Breaches at Three U.S. Healthcare Providers

Data Breaches at Healthcare Organizations in Illinois and Texas Impact Nearly 600,000

Three U.S. healthcare providers have disclosed significant data breaches affecting a combined total of nearly 600,000 individuals. The North Texas Behavioral Health Authority reported a network intrusion impacting 285,000 people. In Illinois, Southern Illinois Dermatology disclosed a breach affecting 160,000, an incident previously claimed by the Insomnia ransomware group. Additionally, Saint Anthony Hospital in Chicago revealed a compromised email incident affecting 146,000. These events highlight the persistent targeting of the healthcare sector and the exposure of sensitive patient data.

healthcaredata breachHIPAAransomwareInsomnia +3 more

Data Breach

Policy and Compliance

Progress Patches Critical Command Injection Flaws in MOVEit WAF and LoadMaster

Progress Software Patches Multiple Command Injection and WAF Bypass Vulnerabilities in ADC Products

Progress Software has released patches for a suite of vulnerabilities in its Application Delivery Controller (ADC) products, including MOVEit WAF and LoadMaster. The patched flaws include several authenticated command injection vulnerabilities (CVE-2026-3517, CVE-2026-3519, CVE-2026-3518, CVE-2026-4048) that could lead to remote code execution. Additionally, a WAF policy bypass flaw (CVE-2026-21876) was addressed. While the command injection bugs require authentication, they pose a significant risk, allowing privileged users to execute arbitrary OS commands. Customers are urged to apply the updates immediately.

Progress SoftwareMOVEitLoadMastervulnerabilitycommand injection +3 more

4 min read

Progress Patches Critical Command Injection Flaws in MOVEit WAF and LoadMaster

Vulnerability

Patch Management

ShinyHunters Breach at Canada Life Exposes Data of 70,000 Customers

Canada Life Confirms Cyberattack by ShinyHunters, 70,000 Individuals Impacted

Insurance giant The Canada Life Assurance Company has confirmed a data breach affecting up to 70,000 individuals after being targeted by the ShinyHunters extortion group. The attackers gained initial access through a compromised employee account. The stolen data, which includes full names, addresses, and annual income levels, primarily belongs to members of a single large corporate benefits plan. ShinyHunters had threatened to leak the data if a ransom was not paid by April 21, 2026. Canada Life has contained the incident and is offering credit monitoring to those affected.

Canada LifeShinyHuntersdata breachextortioninsurance +2 more

ShinyHunters Breach at Canada Life Exposes Data of 70,000 Customers

Data Breach

Phishing

Qilin Ransomware Blinds Defenses with Advanced EDR Killer, Abusing Vulnerable Drivers

CRITICAL

Qilin Ransomware Uses Sophisticated EDR Killer to Disable Over 300 Security Products

The Qilin ransomware group is using a sophisticated, multi-stage attack to neutralize endpoint security solutions before encrypting systems. According to analysis by Cisco Talos, the attack uses DLL side-loading and a "bring your own vulnerable driver" (BYOVD) technique to gain kernel-level access. By abusing a legitimately signed driver (`rwdrv.sys`), the malware manipulates kernel memory to unregister the monitoring callbacks of over 300 different EDR products, effectively blinding them. This advanced defense evasion highlights a significant escalation in ransomware tactics.

QilinransomwareEDRBYOVDkernel +3 more

Malware

Cyberattack

Gentlemen RaaS Expands with SystemBC Botnet for Covert Attacks

Gentlemen RaaS Gang Linked to SystemBC Botnet for Covert Proxy and Payload Delivery

The Gentlemen ransomware-as-a-service (RaaS) operation is now leveraging the SystemBC proxy malware botnet to enhance its attacks, according to research from Check Point. Affiliates of the group have been observed deploying SystemBC to create covert SOCKS5 tunnels, hiding their C2 traffic and staging ransomware payloads. The associated botnet comprises over 1,570 compromised corporate systems. Gentlemen RaaS provides multi-platform lockers for Windows, Linux, and ESXi, and the addition of SystemBC to its toolkit signals a move towards more sophisticated and evasive attack methods.

GentlemenRaaSSystemBCransomwarebotnet +3 more

Gentlemen RaaS Expands with SystemBC Botnet for Covert Attacks

Malware

Chinese APT Mustang Panda Targets Indian Banks, Korean Policy Experts in Espionage Campaign

Mustang Panda APT Targets Indian Financial Sector and Korean Policy Circles with LotusLite Backdoor

The China-linked APT group Mustang Panda (TA416) has been conducting a widespread espionage campaign targeting financial organizations in India and public policy experts in Korea and the U.S. According to Acronis, the attacks use spear-phishing and DLL sideloading to deploy a custom backdoor named LotusLite. The campaign appears focused on intelligence gathering, with malware disguised to mimic legitimate Indian banking software to deceive victims. The group's reliance on simple but effective techniques highlights the persistent threat of state-sponsored espionage.

Mustang PandaAPTTA416espionageDLL side-loading +4 more

Chinese APT Mustang Panda Targets Indian Banks, Korean Policy Experts in Espionage Campaign

Phishing

Malware

Semperis Extends Purple Knight AD Security Tool to US Government Clouds

INFORMATIONAL

Purple Knight Security Tool Adds Support for Microsoft GCC High Environments

Semperis has announced that its free identity security assessment tool, Purple Knight, now fully supports Microsoft's Government Community Cloud High (GCC High) environments. This update allows U.S. federal agencies and defense contractors to scan their Entra ID tenants within the specialized, high-compliance cloud for misconfigurations and vulnerabilities. Purple Knight, which is recommended by the Five Eyes intelligence alliance, can now provide these organizations with a unified view of their security posture across both on-premises Active Directory and cloud-based Entra ID.

SemperisPurple KnightActive DirectoryEntra IDGCC High +3 more

4 min read

Semperis Extends Purple Knight AD Security Tool to US Government Clouds

Security Operations

Policy and Compliance

Cloud Security

Ex-FBI Official Urges Terror Designations for Ransomware Gangs Attacking Hospitals

INFORMATIONAL

Former FBI Official Proposes Terrorist Designations for Ransomware Attacks on Hospitals

A former high-ranking FBI cyber official, Cynthia Kaiser, has called for the U.S. government to consider designating ransomware groups that target hospitals as terrorist organizations. In testimony before the House Homeland Security Committee, she argued that such attacks, which knowingly disrupt critical patient care, could fall under existing counter-terrorism legal frameworks like Executive Order 13224. Kaiser also proposed exploring homicide charges under the federal felony murder rule in cases where a ransomware attack directly leads to a patient's death, signaling a major potential escalation in the legal fight against cybercrime.

ransomwarehealthcarepolicylawterrorism +3 more

Ex-FBI Official Urges Terror Designations for Ransomware Gangs Attacking Hospitals

Policy and Compliance

Regulatory

Updated Articles (1)

CISA Mandates Urgent Patching for Eight Actively Exploited Flaws in Cisco, JetBrains, and More

CRITICAL

CISA Adds Eight Actively Exploited Vulnerabilities to KEV Catalog, Requiring Federal Action

Update:

CISA has provided a detailed analysis of CVE-2026-20133, a high-severity (CVSS 6.5) information disclosure vulnerability in Cisco Catalyst SD-WAN Manager. This flaw, actively exploited, allows unauthenticated remote attackers to read sensitive system information due to insufficient file system access restrictions. Affected versions include those prior to 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18.2.1. The update includes specific hunting hints, detection methods like vulnerability scanning and log analysis, and remediation steps emphasizing immediate patching and restricting management interface access. This vulnerability is often chained with CVE-2026-20128 and CVE-2026-20122 for full compromise.

April 20, 2026

Updated: April 21, 2026