Cybersecurity Radar — 2026-04-09
April 9, 2026 | 7 min read

A hospital in Brockton, Massachusetts entered its third day of electronic system outages following a cyberattack, while agencies issued urgent warnings about an Iranian-affiliated APT actively disrupting internet-connected PLCs across U.S. critical infrastructure sectors. These incidents arrive alongside a newly leaked Windows zero-day exploit and continued active exploitation of a critical Fortinet FortiClient EMS flaw — making this a high-tempo 72 hours across the threat landscape.


🔴 Critical Alerts

Iranian-Affiliated APT Actively Disrupting U.S. Critical Infrastructure PLCs

Since at least March 2026, an Iranian-affiliated advanced persistent threat (APT) group has been disrupting programmable logic controllers (PLCs) deployed across multiple U.S. critical infrastructure sectors. U.S. agencies issued a warning on April 8, 2026 after confirming the campaign through direct engagement with victim organizations. The attacks target internet-connected PLCs, which control physical operations in industrial environments. The affected sectors have not been fully enumerated publicly beyond the statement that the campaign spans several of them.

Recommended action: Immediately audit internet-facing OT/ICS assets. Isolate PLCs from direct internet exposure, apply network segmentation, enforce multi-factor authentication on all remote access paths, and review the April 8 advisory from CISA and partner agencies along with any follow-on guidance.

Advisory on Iranian APT targeting internet-connected PLCs disrupting US critical infrastructure

Unpatched Windows Zero-Day "BlueHammer" Exploit Code Publicly Released

A disgruntled security researcher leaked working exploit code for an unpatched Windows privilege escalation vulnerability dubbed "BlueHammer." The flaw combines a time-of-check to time-of-use (TOCTOU) vulnerability with path confusion, enabling attackers to gain SYSTEM or elevated administrator permissions on compromised machines. As of publication, no official patch exists from Microsoft.

Severity: High — actively exploitable with public proof-of-concept code now available. Affected: Windows systems (patch status: unpatched)

Recommended action: Monitor Microsoft security channels for an emergency patch. Confirm endpoint detection and response coverage on Windows endpoints, keep day-to-day accounts out of the local Administrators group, and treat all unpatched Windows endpoints as elevated-risk targets until a fix is available.

Windows zero-day BlueHammer public exploit release
industrialcyber.co


Threat Landscape

APT28 (Forest Blizzard) Targeting SOHO Routers in Global DNS Hijacking Campaign

The Russia-linked threat actor APT28, also tracked as Forest Blizzard, has been linked to a campaign compromising poorly secured MikroTik and TP-Link routers. The attackers modify router settings to conduct DNS hijacking at global scale. The campaign was publicly reported on April 7, 2026. DNS hijacking at the router level silently redirects victims to attacker-controlled infrastructure without triggering endpoint-level detections, because every client behind the router receives the forged answers.

Sectors targeted: Broad; SOHO routers are used across residential, small business, and remote work environments globally. TTPs: Router exploitation, DNS record modification, persistence via firmware or configuration changes.
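Two checks a defender can run against the router-level hijacking described above, as an added example that is not part of the original report and is not vendor tooling: flag unapproved upstream resolvers, open-resolver settings and planted static DNS records in a router config export, and compare the answers a client behind the router receives with answers from a trusted resolver. The RouterOS snippet follows the real "/ip dns" export layout; the TP-Link key=value layout, the approved-resolver list, and every address and hostname below are constructed for illustration.

```python
import re
from typing import Dict, List, Set

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# ASSUMPTION: the resolvers your routers are supposed to hand out.
APPROVED_RESOLVERS: Set[str] = {"9.9.9.9", "149.112.112.112", "10.0.0.53"}

# Constructed: a RouterOS export in which a second upstream resolver and a static
# entry for a banking hostname have been planted, and remote DNS queries are enabled.
ROUTEROS_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,198.51.100.23
/ip dns static
add address=198.51.100.23 name=login.example-bank.com
"""

# Constructed: a TP-Link-style key=value dump with one rogue upstream resolver.
TPLINK_EXPORT = """\
dns_primary=203.0.113.7
dns_secondary=149.112.112.112
"""

def extract_resolvers(export_text: str) -> Set[str]:
    """Return the upstream resolver IPs from the lines that configure them."""
    found: Set[str] = set()
    for line in export_text.splitlines():
        s = line.strip()
        if re.search(r"servers=|dns_primary=|dns_secondary=|^nameserver\s", s):
            found.update(IPV4.findall(s))
    return found

def extract_static_entries(export_text: str) -> Dict[str, str]:
    """RouterOS '/ip dns static' records. A hijacker adds these to pin chosen
    hostnames to attacker IPs regardless of which upstream resolver is used."""
    entries: Dict[str, str] = {}
    in_static = False
    for line in export_text.splitlines():
        s = line.strip()
        if s.startswith("/ip dns static"):
            in_static = True
            continue
        if s.startswith("/"):          # any other section header ends the block
            in_static = False
            continue
        if in_static and s.startswith("add "):
            name = re.search(r"name=(\S+)", s)
            addr = re.search(r"address=(\S+)", s)
            if name and addr:
                entries[name.group(1)] = addr.group(1)
    return entries

def audit_router_export(export_text: str, approved: Set[str] = APPROVED_RESOLVERS) -> List[str]:
    """Findings for one router configuration export."""
    findings: List[str] = []
    for ip in sorted(extract_resolvers(export_text) - approved):
        findings.append(f"unapproved upstream resolver {ip}")
    if "allow-remote-requests=yes" in export_text:
        findings.append("router answers DNS for remote clients (open resolver)")
    for name, addr in extract_static_entries(export_text).items():
        findings.append(f"static override {name} -> {addr}")
    return findings

def compare_answers(observed: Dict[str, Set[str]], baseline: Dict[str, Set[str]]) -> List[str]:
    """Second check, usable without router access: answers a client got through the
    router versus answers from a trusted resolver for the same names."""
    mismatches: List[str] = []
    for host, ips in observed.items():
        unexpected = ips - baseline.get(host, set())
        if unexpected:
            mismatches.append(f"{host}: unexpected {sorted(unexpected)}")
    return mismatches

# Constructed: what a client behind the router saw vs. what a trusted resolver returns.
OBSERVED = {"login.example-bank.com": {"198.51.100.23"}, "example.org": {"93.184.216.34"}}
BASELINE = {"login.example-bank.com": {"203.0.113.200"}, "example.org": {"93.184.216.34"}}

if __name__ == "__main__":
    for label, export in (("routeros", ROUTEROS_EXPORT), ("tplink", TPLINK_EXPORT)):
        for finding in audit_router_export(export):
            print(f"[{label}] {finding}")
    for mismatch in compare_answers(OBSERVED, BASELINE):
        print(f"[answers] {mismatch}")
```

The answer comparison is the check to keep when the router itself cannot be inspected (a remote worker's device, for instance): a client-side resolution of a handful of high-value hostnames compared against the same names resolved over DoH/DoT to a trusted resolver will expose a hijack regardless of how it was planted.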

Medusa Ransomware (Storm-1175): Rapid Exploitation of Fresh Vulnerabilities

The financially motivated threat actor Storm-1175, operating high-velocity Medusa ransomware campaigns, continues to weaponize recently disclosed vulnerabilities for initial access. According to Microsoft's detailed April 2026 analysis, the group operates at an unusually fast pace — exploiting newly published CVEs quickly to gain footholds, exfiltrate data, and deploy Medusa ransomware.

Sectors targeted: Healthcare, professional services — with operations confirmed in the U.S., U.K., and Australia. TTPs: Exploitation of web-facing systems, rapid CVE weaponization, data exfiltration prior to encryption.

Storm-1175 Medusa ransomware campaign targeting healthcare and services in US, UK, and Australia

SaaS Integration Provider Breach Enables Data Theft Across Dozen-Plus Companies

According to a BleepingComputer report dated April 7, 2026, over a dozen companies suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen. The attack vector — compromising a shared integration layer — allowed threat actors to pivot across multiple customer environments using stolen credentials, a technique consistent with supply-chain lateral movement.

Sectors targeted: Multiple; any organization relying on the affected SaaS integration platform. TTPs: Third-party/supply-chain compromise, credential/token theft, lateral movement via API authentication.

microsoft.com


Vulnerabilities & Patches

CVE-2026-35616 — Fortinet FortiClient EMS (CVSS 9.1) — Actively Exploited Zero-Day

Fortinet has released an emergency hotfix for CVE-2026-35616, a critical improper access control vulnerability in FortiClient EMS versions 7.4.5–7.4.6. The flaw enables privilege escalation and has been actively exploited in the wild since at least March 31, 2026. A full patch is still pending. CISA has added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog.

Affected: FortiClient EMS 7.4.5 and 7.4.6 Action: Apply the available hotfix immediately. Do not wait for the full patch release.

Fortinet FortiClient EMS CVE-2026-35616 emergency patch

"BlueHammer" — Windows Unpatched Privilege Escalation (No CVE Assigned Yet)

As detailed above in Critical Alerts, exploit code for the BlueHammer Windows local privilege escalation (LPE) flaw combining TOCTOU and path confusion has been publicly released. No patch exists. Security teams should treat this as a critical unpatched risk.

Affected: Windows (multiple versions — specifics pending Microsoft advisory) Action: Apply compensating controls; monitor for Microsoft emergency patch (Patch Tuesday or out-of-band).
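The bug class named above (a TOCTOU race combined with path confusion) and the pattern that closes it, as an added example written for this page. It is not BlueHammer and does not reproduce any detail of that flaw; the page carries none. It is a generic illustration on POSIX (Linux/macOS, since it relies on O_NOFOLLOW and dir_fd), where a privileged component validates a path by name and then reopens it by name, leaving a window in which the name can be redirected to a protected file. The file names, the "attacker hook" that stands in for a racing process, and the temporary directory layout are all constructed.

```python
import os
import stat
import tempfile
from typing import Callable, Dict, Optional

Hook = Optional[Callable[[], None]]

def vulnerable_open(path: str, attacker_hook: Hook = None) -> int:
    """Check-then-use. The check inspects the *name*; the open re-resolves the *name*.
    Whatever changes what the name points to in between wins the race."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError("rejected at check time")
    if attacker_hook:                    # the race window (a second process in real life)
        attacker_hook()
    return os.open(path, os.O_WRONLY)    # follows whatever the name resolves to now

def hardened_open(path: str, attacker_hook: Hook = None,
                  expected_uid: Optional[int] = None) -> int:
    """Open first without following symlinks, then validate the object actually
    opened via fstat. The attacker may still win the race; it must not matter."""
    if attacker_hook:
        attacker_hook()
    parent, name = os.path.split(path)
    # Anchor on a handle to the parent directory so the final component is opened
    # relative to a directory we hold open, not re-resolved from a full path string.
    # Intermediate components would need the same treatment in a full implementation.
    dfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(name, os.O_WRONLY | os.O_NOFOLLOW, dir_fd=dfd)  # ELOOP on a symlink
    finally:
        os.close(dfd)
    st = os.fstat(fd)                    # properties of the opened object, not of a name
    ok = (stat.S_ISREG(st.st_mode) and st.st_nlink == 1
          and (expected_uid is None or st.st_uid == expected_uid))
    if not ok:
        os.close(fd)
        raise PermissionError("opened object failed validation")
    return fd

def _swap_for_symlink(victim: str, target: str) -> None:
    """The attacker's move inside the window: replace the validated file with a
    symlink to something the privileged code must never write."""
    os.unlink(victim)
    os.symlink(target, victim)

def run_demo() -> Dict[str, Dict[str, bool]]:
    """Run both variants against the same swap and report what reached protected.txt."""
    results: Dict[str, Dict[str, bool]] = {}
    for mode, opener in (("vulnerable", vulnerable_open), ("hardened", hardened_open)):
        with tempfile.TemporaryDirectory() as d:
            user_file = os.path.join(d, "user_input.txt")   # what the caller may write
            protected = os.path.join(d, "protected.txt")    # stand-in for a privileged file
            for p in (user_file, protected):
                with open(p, "w") as f:
                    f.write("original\n")
            try:
                fd = opener(user_file, lambda: _swap_for_symlink(user_file, protected))
                os.write(fd, b"attacker-controlled\n")
                os.close(fd)
                write_succeeded = True
            except OSError:              # PermissionError and ELOOP both land here
                write_succeeded = False
            with open(protected) as f:
                tampered = f.read().startswith("attacker")
            results[mode] = {"write_succeeded": write_succeeded,
                             "protected_file_tampered": tampered}
    return results

def hardened_open_accepts_regular_file() -> bool:
    """Sanity check: the hardened path still opens an ordinary, unswapped file."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "ok.txt")
        with open(p, "w") as f:
            f.write("x")
        fd = hardened_open(p, expected_uid=os.getuid())
        os.close(fd)
        return True

if __name__ == "__main__":
    for mode, outcome in run_demo().items():
        print(mode, outcome)
```

The defensive point is the same on Windows, where the equivalent is to obtain a handle (CreateFile with reparse-point following disabled) and validate the handle rather than the path string: any decision taken on a path name before the handle exists is a decision about something the attacker can change.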

Check Point Weekly Intelligence: European Commission Europa.eu Platform Compromised

Check Point Research's weekly threat intelligence bulletin for the week ending April 6, 2026 confirmed a data breach at the European Commission after its Europa.eu platform was compromised. The bulletin covers threat activity through early April 2026.


Breaches & Incidents

Signature Healthcare / Brockton Hospital — Day Three of Cyberattack Outage

Brockton Hospital (operated by Signature Healthcare) in Brockton, Massachusetts continued operating with electronic systems down for a third consecutive day as of April 8, 2026. Services have been disrupted and some procedures cancelled as clinical staff fall back to manual processes. The nature of the attack and any ransomware affiliation have not been publicly confirmed as of reporting time.

Scope: Full electronic system outage at a Massachusetts community hospital. Status: Active incident; recovery timeline not publicly stated. Impact: Patient care services disrupted; some procedures cancelled.

Brockton Hospital cyberattack day three electronic systems down

SaaS Integration Provider Breach — 12+ Downstream Victims

As noted in the Threat Landscape section, a breach of a SaaS integration provider resulted in authentication token theft that was then leveraged against over a dozen downstream customer organizations. The incident highlights supply-chain risk concentrated in shared integration and authentication infrastructure.

Status: Breach confirmed; victim notifications and remediation scope ongoing.


Industry & Policy

CISA-Led Advisory: Iranian APT Targeting Internet-Connected PLCs in U.S. Critical Infrastructure

The April 8, 2026 advisory from U.S. agencies regarding the Iranian-affiliated APT campaign against internet-connected PLCs represents a significant government policy action. The advisory — issued following direct engagement with victim organizations — underscores escalating concern over Iran-linked actors disrupting physical operational technology in critical infrastructure. Owners and operators of ICS/OT environments are urged to review official guidance as it is published.

APT28 Router Campaign Highlights Nation-State Use of Consumer Infrastructure

The newly reported APT28 DNS hijacking campaign targeting MikroTik and TP-Link SOHO routers reflects an accelerating trend documented in recent threat reporting: nation-state actors are increasingly weaponizing under-secured consumer and small-business network infrastructure. This circumvents many enterprise-focused defenses and complicates attribution. Organizations relying on remote workers or SOHO router deployments should treat firmware patching and default credential elimination as high priority.

Medusa Ransomware Campaign Signals Healthcare Sector Remains High-Value Target

Microsoft's April 2026 deep-dive into Storm-1175 and its Medusa ransomware operations underscores that healthcare organizations in the U.S., U.K., and Australia remain high-priority targets. The speed at which the group weaponizes new CVEs — sometimes within days of disclosure — has policy implications for vulnerability disclosure timelines and patch SLAs in critical sectors.


What to Watch

  • BlueHammer patch timeline: Microsoft has not issued a patch for the leaked Windows LPE zero-day. Watch for an emergency out-of-band update or inclusion in an upcoming Patch Tuesday. The public availability of exploit code means attacks could scale rapidly.
  • Iranian ICS/OT campaign scope: The multi-sector PLC disruption campaign is ongoing. Expect additional CISA advisories with indicators of compromise (IOCs) and specific sector guidance in the coming days; monitor CISA's advisory portal closely.
  • Supply-chain token attacks expanding: The SaaS integration provider breach affecting 12+ companies is a template for further supply-chain attacks. Watch for copycat campaigns targeting similar integration layers and for additional victim disclosures.

Reader Action Items

  1. Patch Fortinet FortiClient EMS immediately. Apply the available hotfix for CVE-2026-35616 (CVSS 9.1) without delay — exploitation has been active since March 31. If your organization runs FortiClient EMS 7.4.5 or 7.4.6, this is your top priority today.

  2. Audit and isolate internet-facing OT/PLCs. In response to the Iranian APT campaign, enumerate all internet-connected PLCs and industrial control systems in your environment. Immediately remove direct internet exposure, implement network segmentation, and enforce strong authentication on all remote access paths to OT/ICS assets.

  3. Rotate SaaS integration credentials and audit third-party authentication tokens. Given the breach of a SaaS integration provider, review all active integration tokens and API credentials — especially for platforms that connect multiple business applications. Revoke unused or unrecognized tokens, and implement monitoring for anomalous API activity across your SaaS stack.
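An inventory triage for the "audit and isolate internet-facing OT/PLCs" action above (and the Critical Alerts recommendation it restates), as an added example that is not part of the original report: it walks an asset list and flags OT protocol services and remote-management services that are reachable from the internet, either directly or through a NAT forward. The port-to-protocol table is a common-knowledge heuristic, the inventory is constructed, and the sample uses RFC 5737 documentation ranges as stand-ins for public addresses, which is why the routability check uses an explicit list of non-routable prefixes instead of ipaddress's is_global.

```python
import ipaddress
from typing import Dict, List

# ASSUMPTION: well-known OT/ICS service ports used as a triage heuristic. A port
# number is not proof of protocol; confirm with a protocol-aware scanner before acting.
OT_PORTS: Dict[int, str] = {
    102: "Siemens S7comm", 502: "Modbus/TCP", 2222: "EtherNet/IP (implicit)",
    4840: "OPC UA", 9600: "Omron FINS", 20000: "DNP3", 44818: "EtherNet/IP",
    47808: "BACnet/IP",
}
REMOTE_ACCESS_PORTS: Dict[int, str] = {
    22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS", 3389: "RDP", 5900: "VNC",
}
# Prefixes that are never internet-routable. Listed explicitly because the constructed
# sample below uses RFC 5737 documentation ranges as stand-ins for public addresses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10")]
SEVERITY_ORDER = {"critical": 0, "high": 1}

# Constructed inventory: asset, address, listening ports, network zone and, where a
# firewall forwards a public address to the asset, that public address.
INVENTORY: List[Dict] = [
    {"asset": "plant-a-plc-01", "ip": "198.51.100.40", "ports": [502, 80], "zone": "ics-l1"},
    {"asset": "plant-a-hmi", "ip": "10.20.0.15", "ports": [3389, 502], "zone": "ics-l2",
     "public_nat": "203.0.113.44"},
    {"asset": "pump-station-rtu", "ip": "203.0.113.9", "ports": [20000, 23], "zone": "ics-l1"},
    {"asset": "corp-web", "ip": "203.0.113.80", "ports": [443], "zone": "dmz"},
    {"asset": "lab-plc-test", "ip": "192.168.5.7", "ports": [502], "zone": "ics-lab"},
]

def is_internet_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)

def audit_inventory(inventory: List[Dict]) -> List[Dict[str, str]]:
    """Flag OT assets reachable from the internet, directly or through a NAT forward.
    OT protocol exposure is critical; remote-management exposure on an OT asset is high."""
    findings: List[Dict[str, str]] = []
    for a in inventory:
        reachable = [ip for ip in (a["ip"], a.get("public_nat"))
                     if ip and is_internet_routable(ip)]
        if not reachable:
            continue
        where = ", ".join(reachable)
        ot = [OT_PORTS[p] for p in a["ports"] if p in OT_PORTS]
        remote = [REMOTE_ACCESS_PORTS[p] for p in a["ports"] if p in REMOTE_ACCESS_PORTS]
        if ot:
            findings.append({"asset": a["asset"], "severity": "critical",
                             "reason": f"{', '.join(ot)} exposed at {where}"})
        if remote and a["zone"].startswith("ics"):
            findings.append({"asset": a["asset"], "severity": "high",
                             "reason": f"{', '.join(remote)} management access to an OT asset at {where}"})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["asset"]))

def critical_assets(inventory: List[Dict]) -> List[str]:
    """Assets with an OT protocol reachable from the internet: the isolate-first list."""
    return sorted({f["asset"] for f in audit_inventory(inventory) if f["severity"] == "critical"})

if __name__ == "__main__":
    for f in audit_inventory(INVENTORY):
        print(f"{f['severity']:8} {f['asset']:18} {f['reason']}")
```

The NAT column matters more than it looks: the PLC on 10.20.0.15 would pass a naive "is the address private" check, yet the forward on 203.0.113.44 makes its Modbus service exactly as reachable as the directly addressed one. Feed the script from the firewall's NAT table as well as the asset register.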
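Detection and hygiene logic for the "rotate SaaS integration credentials" action above and for the token-theft pattern described in the Threat Landscape and Breaches sections, as an added example that is not part of the original report and not any provider's tooling. It runs two detections over an API audit log (a customer's integration token replayed from an address outside the integration vendor's published egress range, and bulk data access shortly afterwards) and lists tokens that are revocation candidates. The vendor egress range, the log lines, the token inventory and the thresholds are all constructed.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import date, datetime, timedelta
from typing import Dict, List

# ASSUMPTION: egress range the integration vendor publishes for its connectors (value
# constructed). A customer token used from anywhere else is being replayed outside
# the platform, which is what stolen tokens look like in the customer's own logs.
VENDOR_EGRESS = [ipaddress.ip_network("192.0.2.0/24")]
BULK_ACTIONS = {"records.export", "files.download", "users.list"}
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 50          # records touched by bulk actions within one window

# Constructed API audit log (JSON lines): tok_crm_sync is replayed from a non-vendor
# address and immediately used to pull data in bulk; tok_hr_feed behaves normally.
API_LOG = """\
{"ts":"2026-04-07T02:11:05Z","token":"tok_crm_sync","src":"192.0.2.17","action":"records.read","n":12}
{"ts":"2026-04-07T02:12:40Z","token":"tok_crm_sync","src":"198.51.100.77","action":"records.export","n":400}
{"ts":"2026-04-07T02:13:02Z","token":"tok_crm_sync","src":"198.51.100.77","action":"files.download","n":85}
{"ts":"2026-04-07T02:14:30Z","token":"tok_hr_feed","src":"192.0.2.18","action":"users.list","n":3}
{"ts":"2026-04-07T02:15:10Z","token":"tok_hr_feed","src":"192.0.2.18","action":"records.read","n":2}
"""

# Constructed token inventory, as exported from the SaaS admin console.
TOKENS = {
    "tok_crm_sync": {"owner": "integrations@corp.example", "last_used": "2026-04-07"},
    "tok_hr_feed": {"owner": "hr-platform", "last_used": "2026-04-07"},
    "tok_legacy_bi": {"owner": "", "last_used": "2025-10-03"},
}

def parse_log(text: str) -> List[Dict]:
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def from_vendor_egress(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_EGRESS)

def detect_token_anomalies(events: List[Dict]) -> List[Dict[str, str]]:
    """Per token: replay from outside the vendor's egress, then bulk access in a
    short window. One bulk finding per token, raised at the first breach."""
    findings: List[Dict[str, str]] = []
    by_token: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_token[e["token"]].append(e)
    for token, evs in by_token.items():
        for src in sorted({e["src"] for e in evs if not from_vendor_egress(e["src"])}):
            findings.append({"token": token, "kind": "foreign_source", "detail": src})
        bulk = [e for e in evs if e["action"] in BULK_ACTIONS]
        for i, e in enumerate(bulk):
            window_total = sum(x["n"] for x in bulk[: i + 1] if e["ts"] - x["ts"] <= BULK_WINDOW)
            if window_total > BULK_THRESHOLD:
                findings.append({"token": token, "kind": "bulk_access",
                                 "detail": f"{window_total} records in {BULK_WINDOW.seconds // 60} min"})
                break
    return findings

def stale_tokens(tokens: Dict[str, Dict], as_of_iso: str, max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Revocation candidates: idle beyond the policy window or with no accountable owner."""
    as_of = date.fromisoformat(as_of_iso)
    out: Dict[str, List[str]] = {}
    for tid, meta in tokens.items():
        reasons = []
        idle = (as_of - date.fromisoformat(meta["last_used"])).days
        if idle > max_idle_days:
            reasons.append(f"idle {idle} days")
        if not meta.get("owner"):
            reasons.append("no owner on record")
        if reasons:
            out[tid] = reasons
    return out

if __name__ == "__main__":
    for f in detect_token_anomalies(parse_log(API_LOG)):
        print(f"ANOMALY {f['token']}: {f['kind']} ({f['detail']})")
    for tid, reasons in stale_tokens(TOKENS, "2026-04-09").items():
        print(f"REVOKE  {tid}: {'; '.join(reasons)}")
```

The source-address check is the one that fires first in a provider breach: the attacker holds a valid token but not the provider's infrastructure, so the token shows up from an address the provider never uses. It only works if the vendor publishes its egress ranges and the customer's API gateway logs the client address per token, which is worth confirming before the next incident rather than during it.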

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
