Cybersecurity Radar — 2026-04-08


Cybersecurity Radar | April 8, 2026 | 6 min read

A leaked, unpatched Windows zero-day exploit dubbed "BlueHammer" is now publicly available, enabling attackers to gain SYSTEM-level privileges with no patch from Microsoft yet in sight. Meanwhile, Fortinet's FortiClient EMS remains under active exploitation via CVE-2026-35616, with only a hotfix available as a full patch is still pending. The Microsoft-tracked threat actor Storm-1175 is escalating ransomware attacks against healthcare and services organizations across the US, UK, and Australia.


🔴 Critical Alerts

Unpatched Windows Zero-Day "BlueHammer" Now Publicly Available

A disgruntled security researcher has publicly leaked exploit code for an unpatched Windows privilege escalation flaw — dubbed "BlueHammer" — that was previously reported to Microsoft through private channels. The exploit allows attackers to gain SYSTEM or elevated administrator permissions on affected Windows systems. No patch currently exists, leaving all affected Windows users exposed.

Who's affected: Windows users broadly. Severity: Critical — no patch available. Recommended action: Monitor Microsoft advisories closely; apply compensating controls such as restricting local user privileges; consider enhanced logging for privilege escalation attempts.


FortiClient EMS Zero-Day CVE-2026-35616 Still Actively Exploited — Full Patch Pending

Fortinet's FortiClient EMS continues to face active exploitation via CVE-2026-35616 (CVSS 9.1), which has been exploited in the wild since at least March 31, 2026. The flaw affects FortiClient EMS versions 7.4.5–7.4.6 and enables privilege escalation. While Fortinet has released an emergency "Easter hotfix," a full patch is still pending, leaving many enterprise environments at risk.

Who's affected: Organizations running FortiClient EMS 7.4.5–7.4.6. Severity: Critical (CVSS 9.1). Recommended action: Apply the available hotfix immediately; restrict access to FortiClient EMS management interfaces; monitor for exploitation indicators.



Threat Landscape

Storm-1175 Escalates Ransomware Attacks on Healthcare and Services

Microsoft has detailed the activity of Storm-1175, a threat actor exploiting web-facing systems to deploy ransomware against organizations in the healthcare and services sectors across the US, UK, and Australia. The group's campaign represents a targeted and coordinated escalation against critical service providers.

Targeted sectors: Healthcare, professional services. TTPs: Exploitation of internet-facing systems as initial access vector, followed by ransomware deployment. Recommended action: Patch all internet-exposed systems urgently; audit and restrict unnecessary external attack surface.


Qilin and Warlock Ransomware Groups Weaponize Vulnerable Drivers to Blind EDR Tools

Threat actors behind the Qilin and Warlock ransomware families are deploying a Bring Your Own Vulnerable Driver (BYOVD) technique to disable more than 300 Endpoint Detection and Response (EDR) tools. The tactic was observed in 2025 attacks and involves a deliberate delay of up to six days between initial compromise and encryption, maximizing dwell time and impact before defenders can respond.

Targeted sectors: Broad enterprise targets. TTPs: BYOVD to kill EDR processes, delayed encryption. Recommended action: Implement kernel-level driver controls; use EDR solutions with tamper protection; monitor for unusual driver loads.
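As an added defender-side illustration of the "monitor for unusual driver loads" advice above (example code written for this digest, not taken from Microsoft, Fortinet or any source the digest cites): it parses constructed records modelled on Windows System log Event ID 7045 (a service was installed) and flags kernel-mode driver installs that come from outside the standard driver directories or whose file name is on a blocklist. The directory list, the blocklist entry and the sample lines are placeholders to be replaced with your own estate's values and a curated vulnerable-driver list.

```python
# Expected driver locations (assumption: tune for your estate, e.g. add vendor dirs).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
# Placeholder blocklist; in practice populate from Microsoft's vulnerable driver
# blocklist or another curated source. This name is constructed, not a real IoC.
VULNERABLE_DRIVER_NAMES = {"placeholder_vuln_driver.sys"}

# Constructed sample records, modelled on Event ID 7045 fields (key=value, ';'-separated).
SAMPLE_EVENTS = [
    "EventID=7045;ServiceName=disk;ImagePath=C:\\Windows\\System32\\drivers\\disk.sys;ServiceType=kernel mode driver",
    "EventID=7045;ServiceName=WinUpdSvc;ImagePath=\\??\\C:\\Users\\Public\\placeholder_vuln_driver.sys;ServiceType=kernel mode driver",
    "EventID=7045;ServiceName=AgentSvc;ImagePath=C:\\Program Files\\Vendor\\agent.exe;ServiceType=user mode service",
    "EventID=7045;ServiceName=tmpdrv;ImagePath=C:\\Windows\\Temp\\tmpdrv.sys;ServiceType=kernel mode driver",
]


def parse_event(line):
    """Split one constructed record into a dict of its fields."""
    return dict(field.split("=", 1) for field in line.split(";"))


def classify_driver_install(event):
    """Return the reasons this install looks like BYOVD staging; empty list if benign."""
    if event.get("EventID") != "7045":
        return []
    if "kernel" not in event.get("ServiceType", "").lower():
        return []  # user-mode services are out of scope for this check
    # 7045 often records paths as \??\C:\...; normalise before comparing.
    path = event.get("ImagePath", "").lower().removeprefix("\\??\\")
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if not path.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append(f"kernel driver installed from unexpected directory: {event['ImagePath']}")
    if name in VULNERABLE_DRIVER_NAMES:
        reasons.append(f"driver file name on vulnerable-driver blocklist: {name}")
    return reasons


def find_suspicious_driver_loads(lines):
    """Return (service name, reasons) for every record that trips a check."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = classify_driver_install(event)
        if reasons:
            findings.append((event["ServiceName"], reasons))
    return findings


if __name__ == "__main__":
    for service, reasons in find_suspicious_driver_loads(SAMPLE_EVENTS):
        print(service, "->", "; ".join(reasons))
```

A kernel driver loaded from a temp or user-writable directory is the signal to chase here; signature checks alone do not help, because the drivers abused in BYOVD attacks carry valid signatures.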


Broad Cyber Threat Activity: Phishing, Supply Chain, and Malicious Packages

A recent threat briefing highlights intensifying attacker activity across multiple vectors, including phishing campaigns, ransomware, supply chain compromises, and malicious packages targeting mobile apps and government systems. Cybercriminals are expanding their scope and methods, raising the risk profile across both public and private sectors.


Vulnerabilities & Patches

CVE-2026-35616 — Fortinet FortiClient EMS (CVSS 9.1)

Improper access control vulnerability in FortiClient EMS versions 7.4.5–7.4.6. Actively exploited in the wild since at least March 31, 2026, enabling privilege escalation. Hotfix available; full patch pending.

"BlueHammer" — Windows Privilege Escalation (No CVE Assigned Yet / No Patch)

Unpatched Windows local privilege escalation zero-day publicly leaked by a disgruntled researcher. Allows attackers to obtain SYSTEM or elevated administrator rights. No patch from Microsoft as of publication. Compensating controls and heightened monitoring are the only current mitigations.

Weekly Vulnerability Digest (March 30–April 5, 2026): 1,361 CVEs, 129 Critical

Security researchers logged 1,361 vulnerabilities in the most recent weekly reporting window, with 129 rated critical. Highlighted priorities include the Chrome Dawn exploit (CVE-2026-5281), the FortiClient EMS flaw, and newly identified attack vectors targeting AI pipelines.


Breaches & Incidents

U.S. Victims Lost Nearly $21 Billion to Cyber-Enabled Crimes in 2025

The FBI reports that U.S. victims lost approximately $21 billion to cyber-enabled crimes last year, driven primarily by investment scams, business email compromise (BEC), tech support fraud, and data breaches. The figures underscore the continuing, massive financial toll of cybercrime on individuals and organizations.

Scope: Nationwide. Primary crime types: Investment fraud, BEC, tech support scams, data breaches. Response: FBI advisory; organizations urged to strengthen BEC controls and employee awareness programs.

SANS 2026 Report: Cybersecurity Skills Crisis Driving Measurable Breach Risk in OT/Critical Infrastructure

The SANS 2026 report flags a worsening cybersecurity skills crisis putting operational technology (OT) and critical infrastructure sectors at measurably elevated breach risk. Widening capability gaps are making it harder for organizations to detect and respond to sophisticated intrusions in time.

Scope: Critical infrastructure and OT environments globally. Impact: Increased breach risk tied directly to talent shortages. Recommended action: Prioritize OT/ICS security training; consider managed security services to supplement internal teams.



Industry & Policy

CISA Maintains Active Advisory Posture

CISA's advisory page continues to be updated with active alerts and guidance for cybersecurity practitioners. Organizations should check the CISA advisories portal regularly for the latest actionable guidance, especially given the current surge in actively exploited vulnerabilities.

Developer Workstations Identified as Most Active — and Most Vulnerable — Enterprise Infrastructure

Security analysts at The Hacker News are highlighting developer workstations as the single most active piece of enterprise infrastructure, noting that laptops are where credentials are created, tested, cached, copied, and reused across services, bots, build tools, and local AI agents — creating a significant and often underappreciated attack surface.

FBI: $21 Billion in U.S. Cyber Crime Losses Demands Stronger BEC and Fraud Defenses

The FBI's latest figures on cyber-enabled crime losses signal a renewed policy focus on investment fraud, BEC, and tech support scams. Enterprises and individuals should expect increased law enforcement guidance and potential regulatory updates targeting these high-volume crime categories.


What to Watch

  • BlueHammer Windows zero-day: With exploit code now publicly available and no patch on the horizon, expect active exploitation attempts to rapidly increase. Track Microsoft's response timeline closely — an out-of-band patch could arrive with little notice.
  • AI pipeline attack vectors: The latest weekly vulnerability digest specifically calls out newly identified attack paths targeting AI pipelines. As enterprise AI adoption accelerates, these vectors are likely to see increased threat actor interest in the coming weeks.
  • Healthcare ransomware pressure: Storm-1175's confirmed campaigns against healthcare targets in three countries signal a coordinated, ongoing threat. Healthcare organizations that have not yet audited and reduced their web-facing attack surface are at elevated risk of being the next victim.

Reader Action Items

  1. Apply the Fortinet hotfix NOW and track the full patch release: If your organization runs FortiClient EMS 7.4.5 or 7.4.6, apply Fortinet's emergency hotfix immediately and restrict external access to the management interface. Subscribe to Fortinet's security advisories to receive the full patch the moment it is released.

  2. Harden Windows environments against BlueHammer privilege escalation: Since no patch exists for the BlueHammer zero-day, apply least-privilege principles across all Windows environments, enable enhanced audit logging for privilege use, and consider deploying endpoint behavioral detection rules tuned for local privilege escalation patterns.

  3. Review and reduce your internet-facing attack surface — especially in healthcare: Given Storm-1175's active exploitation of web-facing systems to deploy ransomware, immediately audit all externally accessible services, apply available patches, and enforce network segmentation to limit attacker lateral movement if initial access is achieved.

This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.
