Issue #003 · April 30, 2026

Cyber Threat Brief — Issue #003

What's active. What matters. What to do about it.

Active Campaigns

[ ESCALATING ] DragonForce Ransomware Targeting Managed Service Providers
ACTOR: DragonForce — financially motivated
TARGETS: Managed service providers and their downstream business clients

DragonForce is actively exploiting vulnerabilities in SimpleHelp remote monitoring and management software to gain administrative access to MSP environments, then using that foothold to push ransomware to every client endpoint connected to the compromised provider. The attack turns a single MSP breach into simultaneous ransomware deployment across dozens of downstream organizations. Two SimpleHelp flaws — an authorization bypass and a companion path traversal — were added to the CISA Known Exploited Vulnerabilities catalog after confirmed use in DragonForce intrusions. Claimed victims include a Massachusetts state economic development agency and a U.S. technology consulting firm.

[ ESCALATING ] Iranian State Actors Disrupting Water and Energy Infrastructure
ACTOR: CyberAv3ngers (IRGC-CEC) — geopolitical, disruptive
TARGETS: U.S. water treatment facilities, wastewater systems, and municipal energy infrastructure

CyberAv3ngers, operating under Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command, has been targeting internet-exposed industrial controllers used by water utilities and energy providers to cause physical operational disruptions. Attackers access Rockwell Automation and Allen-Bradley programmable logic controllers and manipulate settings and display data on the systems used to manage physical processes. A joint advisory from six U.S. agencies — including the FBI, CISA, NSA, and U.S. Cyber Command — confirmed the campaign and attributed it to IRGC-CEC. Activity has increased in the context of current U.S.–Iran geopolitical tensions.

[ ESCALATING ] Supply Chain Poisoning of Open-Source Security and Developer Tools
ACTOR: TeamPCP — financially motivated, ransomware handoff confirmed
TARGETS: Software development teams, security engineers, and organizations using open-source CI/CD tooling

A sustained supply chain campaign has compromised a series of widely used open-source packages, including a popular vulnerability scanner, an infrastructure-as-code security tool, and an AI model gateway library, by embedding credential-stealing code that silently exfiltrates cloud keys, SSH credentials, and Kubernetes configuration files. The attack cascaded through automated dependency management — a well-known password manager's command-line tool was briefly compromised via an automated update pulling in a tainted dependency. Stolen credentials have been observed handed off to ransomware groups for follow-on intrusions. Affected packages were distributed across npm, PyPI, and Docker Hub simultaneously.

CVE Watch

CVE-2024-57726 · CVSS 9.9 · [ ESCALATING ]

PRODUCT: SimpleHelp Remote Monitoring and Management

WHAT IT MEANS:

A missing authorization check allows any technician-level account to escalate to full administrator access without additional credentials or approval. An attacker with low-privilege access to an MSP's SimpleHelp instance — obtained through phishing, credential stuffing, or purchase on criminal markets — can immediately promote themselves to administrator and take control of all connected client environments. DragonForce has confirmed use of this vulnerability in active ransomware campaigns targeting managed service providers. CISA added it to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of May 8, 2026.

ACTION: Update SimpleHelp to v5.5.8 or later immediately and audit technician account activity for unauthorized privilege changes.

CVE-2026-35616 · CVSS 9.1 · [ ACTIVE ]

PRODUCT: Fortinet FortiClient EMS (versions 7.4.5–7.4.6)

WHAT IT MEANS:

A pre-authentication API vulnerability in recent versions of Fortinet's endpoint management server allows attackers to bypass login requirements, escalate privileges, and move laterally through managed environments without valid credentials. Exploitation began before the vulnerability was publicly disclosed, and broad active exploitation has been confirmed across multiple organizations. The flaw is particularly dangerous because FortiClient EMS holds management authority over large numbers of endpoints — compromising it delivers an administrative foothold across an entire managed fleet. CISA added it to the KEV catalog with a federal remediation deadline of May 12, 2026.

ACTION: Upgrade FortiClient EMS to v7.4.7 or later immediately — exploitation is confirmed in the wild; restrict API access to known management IPs while patching.

CVE-2024-1709 · CVSS 10 · [ ACTIVE ]

PRODUCT: ConnectWise ScreenConnect

WHAT IT MEANS:

A maximum-severity authentication bypass in ConnectWise ScreenConnect allows unauthenticated attackers to take complete control of affected servers. The flaw is being actively chained with a companion path traversal vulnerability to achieve remote code execution. Microsoft has attributed confirmed exploitation to Storm-1175, a China-aligned threat actor deploying Medusa ransomware as a secondary payload. ScreenConnect is widely used by IT support teams and managed service providers, meaning one compromised server exposes every client environment accessed through that tool. CISA has added this vulnerability to its KEV catalog.

ACTION: Upgrade to ScreenConnect 23.9.8 or later immediately; take the server offline if patching cannot happen within 24 hours.

CVE-2026-32202 · CVSS 4.3 · [ ACTIVE ]

PRODUCT: Microsoft Windows Shell

WHAT IT MEANS:

Despite a low CVSS score, this Windows Shell spoofing flaw has been weaponized by APT28 — Russia's GRU-linked threat group — in active campaigns targeting government and diplomatic organizations. The vulnerability enables a zero-click NTLM credential leak via malicious LNK shortcut files, requiring no interaction beyond the victim opening a folder containing the weaponized file. Harvested credentials are used to authenticate to Microsoft 365 and Outlook accounts without triggering standard login alerts. It represents an incomplete fix of an earlier Windows vulnerability, and APT28 was exploiting it before the patch was available. CISA added it to the KEV catalog after confirmed nation-state exploitation.

ACTION: Apply April 2026 Patch Tuesday updates across all Windows systems and audit Microsoft 365 sign-in logs for anomalous credential use.

Threat Actor Activity

DragonForce [ ESCALATING ]

Confirmed exploitation of SimpleHelp RMM vulnerabilities against managed service providers, with claimed attacks against a Massachusetts state economic development agency and a U.S. technology consulting firm demonstrating the group's strategy of multiplying ransomware impact through third-party provider access.

CyberAv3ngers (IRGC-CEC) [ ESCALATING ]

Six U.S. government agencies issued a joint advisory confirming CyberAv3ngers' active disruption campaign against water and energy operational technology, attributing the group to Iran's IRGC Cyber Electronic Command and warning of continued attacks on U.S. critical infrastructure.

APT28 / Forest Blizzard (GRU Unit 26165) [ ACTIVE ]

A joint U.S. and allied-nations law enforcement operation disrupted APT28's FrostArmada campaign — a router compromise network spanning 18,000 unique IPs across 120 countries used to harvest Microsoft 365 credentials from government ministries and diplomatic targets via man-in-the-middle positioning.

Storm-1175 (China-nexus) [ ACTIVE ]

Microsoft attributed active exploitation of ConnectWise ScreenConnect to Storm-1175, a China-aligned threat actor using the access to deploy Medusa ransomware across organizations that rely on the remote support tool for IT management.

Lazarus Group (DPRK) [ ACTIVE ]

Preliminary attribution points to Lazarus Group in the theft of approximately $290 million from cryptocurrency exchange KelpDAO — consistent with the group's sustained targeting of digital asset platforms to fund North Korean state programs, following the $1.5 billion Bybit theft confirmed earlier in 2026.

Key Takeaway

The most significant business risk in the current environment is the concentration of attacks on the tools that IT and security teams use to manage their own infrastructure. Remote monitoring platforms, vulnerability scanners, and remote support software have become preferred targets precisely because one successful breach gives attackers access to dozens or hundreds of organizations downstream — without ever needing to compromise those organizations directly. A company does not need to be the primary target to become a victim. Separately, Iranian government-linked hackers have confirmed active campaigns against water utilities and energy facilities in the United States, with the explicit goal of causing physical disruption rather than financial gain. Any organization operating equipment that controls physical processes — water treatment, power distribution, building systems — should treat internet exposure of that equipment as an emergency requiring immediate action, not a configuration issue to resolve in the next maintenance window.

Sources

  • CISA
  • FBI
  • Microsoft Threat Intelligence
  • BleepingComputer
  • The Hacker News
  • Halcyon
  • ReliaQuest
  • Infosecurity Magazine
  • SecurityWeek
  • Help Net Security