Here are today’s top cybersecurity stories for Tuesday, April 7, 2026.
Microsoft Links China-Backed Storm-1175 to Medusa Ransomware Zero-Day Attacks
Microsoft’s Security Blog has identified Storm-1175, a China-based financially motivated threat actor, as an affiliate deploying Medusa ransomware through rapid exploitation of zero-day and n-day vulnerabilities in web-facing systems. The group targeted healthcare, education, professional services, and finance organisations in Australia, the United Kingdom, and the United States, moving from initial access to data exfiltration in as little as 24 hours. Known exploited flaws include CVE-2026-23760 in SmarterMail and CVE-2025-10035 in GoAnywhere MFT, both used before public disclosure. Microsoft Security Blog
Progress ShareFile Pre-Auth RCE Chain Disclosed: CVE-2026-2699 and CVE-2026-2701
On April 7, researchers at watchTowr publicly disclosed a two-vulnerability chain in Progress ShareFile Storage Zones Controller that enables pre-authenticated remote code execution. CVE-2026-2699 is an authentication bypass via the admin endpoint, while CVE-2026-2701 allows arbitrary file upload to the webroot, letting attackers plant ASPX webshells without credentials. Approximately 700 internet-exposed instances remain at risk; a fix is available in ShareFile 5.12.4, released March 10. BleepingComputer
Iran-Nexus Threat Actor Targets 300+ Microsoft 365 Organisations in Israel and UAE with Password Spraying
Check Point Research has attributed a three-wave password-spraying campaign to an Iran-linked threat actor, targeting Microsoft 365 environments in government, energy, technology, and transportation sectors in Israel and the UAE. The campaign ran on March 3, 13, and 23, 2026, and also hit targets in Europe, the United States, the United Kingdom, and Saudi Arabia. Attackers used VPN exit nodes geolocated in Israel to evade geography-based access controls after gaining valid credentials. The Hacker News
Google Releases Emergency Chrome Patch for Zero-Day CVE-2026-2441 Exploited in the Wild
Google has released Chrome 145.0.7632.75/76 for Windows and Mac fixing CVE-2026-2441, a high-severity use-after-free vulnerability in the browser’s CSS component confirmed as actively exploited. Chrome 144.0.7559.75 for Linux contains the same fix. The update is part of a broader Chrome 145 release addressing 11 vulnerabilities, three of which are rated high severity. Users should update immediately via the browser’s built-in update mechanism. SecurityWeek
CISA Orders Federal Agencies to Patch FortiClient EMS CVE-2026-35616 by April 9
After adding CVE-2026-35616 to its Known Exploited Vulnerabilities Catalog on April 6, CISA has issued a binding directive requiring Federal Civilian Executive Branch agencies to apply Fortinet’s emergency hotfix for FortiClient EMS by midnight April 9, 2026. The CVSS 9.1 pre-authentication API bypass has been under active exploitation since at least March 31, with Shadowserver identifying over 2,000 internet-exposed instances. BleepingComputer
Cisco Catalyst SD-WAN CVE-2026-20127 Now Widely Exploited Following Disclosure
A maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller and Manager, CVE-2026-20127 (CVSS 10.0), is under widespread exploitation following public disclosure. Cisco Talos tracks the activity as UAT-8616, assessing that a sophisticated threat actor has abused this flaw since at least 2023 to add rogue peers and achieve root-level persistence. CISA has added the vulnerability to its KEV Catalog and issued Emergency Directive 26-03 requiring immediate remediation. SecurityWeek
Dell RecoverPoint Zero-Day CVE-2026-22769 Exploited by Chinese APT Since Mid-2024
Mandiant and Google Threat Intelligence Group disclosed that UNC6201, a PRC-aligned cluster overlapping with Silk Typhoon, has exploited a hardcoded-credential flaw (CVE-2026-22769, CVSS 10.0) in Dell RecoverPoint for Virtual Machines since at least mid-2024. Attackers deployed the BRICKSTORM backdoor and its successor GRIMBOLT for root-level persistence and pivoted into connected VMware environments. Fewer than a dozen organisations have been confirmed as affected, but the full scope of the campaign remains unknown. SecurityWeek
Hims and Hers Warns Customers of Data Breach After Zendesk Social Engineering Attack
Telehealth company Hims and Hers notified customers that attackers used a social engineering attack to compromise its Zendesk customer service platform between February 4 and 7, 2026, stealing support tickets containing customer names, contact information, and personal data. Medical records and provider communications were not affected. Affected individuals are being offered 12 months of complimentary credit monitoring through Cyberscout. BleepingComputer
NoVoice Android Rootkit Distributed Through 50 Apps with 2.3 Million Downloads
Researchers have uncovered NoVoice, an Android rootkit embedded in more than 50 apps downloaded at least 2.3 million times, disguised as utilities, image galleries, and games. The malware exploits 22 Android vulnerabilities patched between 2016 and 2021 to achieve root access on devices running outdated Android versions. The campaign illustrates that legacy unpatched vulnerabilities remain effective against a large portion of the Android device population. The Hacker News
Eurail Confirms Stolen Customer Data Is Now Offered for Sale on Dark Web
Eurail has confirmed that customer data stolen in its January 2026 breach is being offered for sale on the dark web, with a sample published on Telegram. Exposed records include names, passport and ID details, IBANs, health information, and contact data for pass holders and DiscoverEU programme participants. The company has engaged external cybersecurity specialists to monitor for further misuse and is urging customers to watch for phishing attempts. SecurityWeek
Stay tuned for today’s in-depth analysis posts.