Here are today’s top cybersecurity stories for Friday, April 17, 2026.
Three Windows Defender Zero-Days Actively Exploited — Two Remain Unpatched
Three Windows Defender vulnerabilities — BlueHammer (CVE-2026-33825), RedSun, and UnDefend — were publicly disclosed by a researcher calling themselves Chaotic Eclipse after a dispute with Microsoft over disclosure handling. Microsoft patched BlueHammer in April’s Patch Tuesday, but RedSun and UnDefend remain unpatched. Huntress Labs confirmed active exploitation of all three in the wild, with BlueHammer weaponized since April 10 and RedSun and UnDefend exploited starting April 16. Both RedSun and UnDefend allow local privilege escalation to SYSTEM on fully patched Windows 10, Windows 11, and Windows Server systems. BleepingComputer
Operation PowerOFF Seizes 53 DDoS-for-Hire Domains, Contacts 75,000 Users
A coordinated law enforcement action involving 21 countries dismantled 53 domains tied to commercial DDoS-for-hire services used by more than 75,000 cybercriminals. Europol led Operation PowerOFF alongside the FBI and partner national agencies from Australia, Germany, the UK, and others. Four arrests were made, 25 search warrants executed, and databases containing over three million criminal user accounts were obtained. Europol says the operation has now entered a prevention phase targeting young people through search engine ads and URL takedowns. BleepingComputer
Apache ActiveMQ CVE-2026-34197 Added to CISA KEV — Patch Deadline April 30
CISA added CVE-2026-34197, a CVSS 8.8 code injection flaw in Apache ActiveMQ, to its Known Exploited Vulnerabilities catalog on April 16, requiring federal agencies to patch by April 30. The flaw affects ActiveMQ Classic versions 5.18.0–5.18.3 and 6.0.0–6.0.2, allowing remote code execution through the Jolokia API. Attackers are actively scanning for exposed instances. Users should upgrade to version 5.19.4 or 6.2.3. The Hacker News
NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions
NIST announced on April 15 that it will only enrich CVEs appearing in the CISA KEV catalog, those used in federal government software, or those meeting Executive Order 14028 critical software criteria. CVEs outside these criteria will be listed in the National Vulnerability Database but receive no enrichment from NIST. CVE submissions grew 263% between 2020 and 2025, outpacing NIST’s capacity despite enriching 42,000 CVEs last year. Backlogged entries with a publish date before March 1, 2026 move to a “Not Scheduled” category. The Hacker News
Google Disrupts UNC2814 GRIDTIDE Chinese Espionage Campaign Across 53 Organizations in 42 Countries
Google’s Threat Intelligence Group and Mandiant disrupted UNC2814, a China-linked threat actor active since at least 2017, after the group breached 53 telecoms and government organizations across 42 countries. The attackers deployed GRIDTIDE malware, which used the Google Sheets API for command-and-control communications to blend into legitimate cloud traffic. Compromised systems contained names, phone numbers, dates of birth, voter IDs, and national identification numbers of persons of interest. Google disabled the threat actor’s cloud accounts and Sheets instances to cut off access. SecurityWeek
Rockstar Games Confirms Data Breach After ShinyHunters Publishes 78.6 Million Records
ShinyHunters published 78.6 million records stolen from Rockstar Games after the company declined to pay a ransom demanded by April 14. The breach originated through Anodot, a third-party analytics integrator, whose Snowflake authentication tokens were compromised and used to access Rockstar’s internal data warehouse. The leaked data contains GTA Online and Red Dead Online player analytics, in-game revenue metrics, and behavioral tracking data. Rockstar confirmed the incident involved “a limited amount of non-material company information” and said player accounts and live game operations were not affected. BleepingComputer
White House Rescinds Biden-Era Software Security Attestation Requirements
The Office of Management and Budget revoked M-22-18 and M-23-16, Biden administration directives requiring federal software vendors to submit security attestations aligned with NIST secure development guidelines before deploying products to government agencies. The White House cited the requirements as “unproven and burdensome.” Security professionals warn the move fragments assurance expectations across the federal enterprise and raises supply chain risk. SecurityWeek
House Democrats Decry Confirmed ICE Use of Paragon Graphite Spyware
ICE acting director Todd Lyons confirmed in a letter to Congress that the agency actively uses Paragon Solutions’ Graphite spyware, which reads encrypted Signal and WhatsApp messages through zero-click exploits. House Democrats, led by Reps. Lee, Brown, and Ansari, condemned the use of the Israeli-developed tool, citing civil liberties concerns for immigrants, journalists, and community advocates. ICE said the tool was purchased for drug trafficking investigations. The Citizen Lab at the University of Toronto previously identified journalists and humanitarian workers in Italy as Graphite targets. CyberScoop
CISA Pushes Final CIRCIA Cyber Incident Reporting Rule to May 2026
CISA delayed finalization of its Cyber Incident Reporting for Critical Infrastructure Act rule to May 2026, citing the need to harmonize requirements with other agencies’ regulations and reduce industry burden. The rule will require critical infrastructure operators to notify CISA within 72 hours of a confirmed cyber incident and within 24 hours of a ransomware payment. Industry and lawmakers had criticized the proposed version for defining covered entities more broadly than Congress intended. The delay affects energy, water, transportation, and financial services sectors. CyberScoop
Microsoft April 2026 Patch Tuesday: 167 Flaws Fixed Including SharePoint Zero-Day and Record Browser Patches
Microsoft’s April 2026 Patch Tuesday addressed 167 vulnerabilities, including CVE-2026-32201, a SharePoint Server zero-day already in CISA’s KEV catalog, and CVE-2026-33825 (BlueHammer), a Windows Defender privilege escalation flaw patched after public disclosure. Nearly 60 browser vulnerabilities were fixed in a single month, a new record. Eight vulnerabilities are rated Critical, covering remote code execution and privilege escalation. Krebs on Security notes this ranks as the second-largest Patch Tuesday in Microsoft’s history. Krebs on Security
Stay tuned for today’s in-depth analysis posts.