CTI Daily Brief: 2026-04-13 - Microsoft April Patch Tuesday (167 flaws, 2 zero-days incl. actively-exploited SharePoint); Interlock ransomware exploits Cisco FMC zero-day
Microsoft April 2026 Patch Tuesday addresses 167 vulnerabilities including an actively-exploited SharePoint spoofing zero-day (CVE-2026-32201) and a publicly-disclosed Defender EoP (CVE-2026-33825). Interlock ransomware group is exploiting a Cisco FMC zero-day, and ransomware operators Qilin, DragonForce and The Gentlemen remain the most active brokers. Phishing campaigns tied to McGraw-Hill extortion and a fake Ledger Live App Store listing ($9.5M crypto theft) round out the day.
| Reporting Period | Classification | Generated |
|---|---|---|
| 2026-04-13 (24h) | TLP:CLEAR | 2026-04-14 |
1. Executive Summary
The pipeline processed 256 reports across 14 sources in the last 24 hours, dominated by Microsoft’s April 2026 Patch Tuesday disclosures (189 Microsoft advisories) and a sustained volume of ransomware victim postings (35 RansomLock entries). The headline item is Microsoft’s April bulletin: 167 flaws, including an actively-exploited Microsoft SharePoint Server spoofing zero-day (CVE-2026-32201) and a publicly-disclosed Microsoft Defender elevation-of-privilege zero-day (CVE-2026-33825). Adobe also patched an actively-exploited Reader/Acrobat zero-day in the same window. AI correlation flagged the Interlock ransomware group exploiting a Cisco FMC zero-day as the critical trend of the day, against a backdrop of McGraw-Hill extortion-linked data breach and a fake Ledger Live App Store listing that stole $9.5M in cryptocurrency via phishing. Qilin (53 reports), The Gentlemen (45) and NightSpire (37) remain the most prolific ransomware brokers pipeline-wide.
2. Severity Distribution
| Severity | Count | Key Drivers |
|---|---|---|
| 🔴 CRITICAL | 66 | Microsoft Patch Tuesday CVEs (SharePoint zero-day, Windows Kernel, Word RCE, Active Directory RCE, UEFI Secure Boot bypass, BitLocker, Azure Monitor Agent) |
| 🟠 HIGH | 145 | Ransomware victim postings (Qilin, DragonForce, shadowbyt3$); RCE trend across Windows platforms; McGraw-Hill and Ledger-Live phishing campaigns |
| 🟡 MEDIUM | 26 | Chromium extension abuse analysis; Q1 malware stats for Windows DB servers |
| 🟢 LOW | 2 | Routine OSINT notes |
| 🔵 INFO | 17 | Vendor KB/documentation items, background correlation analysis |
3. Priority Intelligence Items
3.1 Microsoft April 2026 Patch Tuesday — 167 Flaws, 2 Zero-Days (1 Actively Exploited)
Source: BleepingComputer, BleepingComputer (Windows 10 KB5082200 ESU), Microsoft MSRC (189 individual advisories)
Microsoft’s April 2026 bundle fixes 167 vulnerabilities: 93 elevation-of-privilege, 20 remote code execution, 21 information disclosure, 13 security-feature-bypass, 10 denial-of-service and 9 spoofing flaws. Eight are rated Critical (seven RCE, one DoS). Two zero-days are called out:
- CVE-2026-32201 — Microsoft SharePoint Server Spoofing, actively exploited in the wild. Improper input validation allows an unauthenticated attacker to spoof content over the network, affecting confidentiality and integrity. Microsoft has not disclosed the attacker or attribution.
- CVE-2026-33825 — Microsoft Defender Elevation of Privilege, publicly disclosed. Grants SYSTEM-level privileges; addressed in Defender Antimalware Platform update 4.18.26050.3011 (automatic rollout).
Other Critical items in the bundle that warrant prioritisation include: CVE-2026-33826 (Windows Active Directory RCE), CVE-2026-33120 (SQL Server RCE), CVE-2026-33095 / CVE-2026-33114 (Microsoft Word RCE, exploitable via preview pane), CVE-2026-33824 (Windows IKE Service Extensions RCE), CVE-2026-32221 (Windows Graphics Component RCE), CVE-2026-32156 (Windows UPnP Device Host RCE), CVE-2026-0390 / CVE-2026-32220 (UEFI Secure Boot bypass) and CVE-2026-27913 (Windows BitLocker security-feature bypass). Windows 10 ESU customers receive the fixes through KB5082200, which also introduces new RDP-file phishing warnings and Secure Boot certificate rollout status indicators in Windows Security.
Adobe, Apache (ActiveMQ Classic 13-year-old RCE), Apple and Cisco all released aligned updates in the same window; Adobe’s Reader/Acrobat update fixes an actively-exploited zero-day.
MITRE: T1068 (Exploitation for Privilege Escalation), T1193 (Spoofing), T1203 (Exploitation for Client Execution), T1566 (Phishing via .rdp).
SOC Action: Prioritise external-facing SharePoint servers for CVE-2026-32201 patching within 72 hours; if patching is delayed, restrict anonymous access and front SharePoint with authenticated reverse proxies. Deploy Defender platform update 4.18.26050.3011 fleet-wide and verify via
Get-MpComputerStatus | Select AMEngineVersion,AMProductVersion. For Word RCE CVEs (33095/33114), disable Outlook/Explorer preview pane via GPO until patched, and hunt EDR forwinword.exespawningcmd.exe,powershell.exe,mshta.exeorrundll32.exe. Block inbound.rdpfile delivery at the mail gateway and treat any KB5082200-pre-install RDP file as suspicious.
3.2 Interlock Ransomware Group Exploiting Cisco FMC Zero-Day (Q1 2026 Retrospective)
Source: AlienVault — March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day (URL not available in pipeline data)
AI correlation flagged this as the single critical trend for the reporting cycle: ransomware groups are now chaining zero-days in security-infrastructure products. Interlock is named by the source as exploiting a Cisco Firepower Management Center (FMC) zero-day during March 2026; no hedging in the source. Correlated with Q1 2026 Windows database-server malware statistics on shared TTPs (T1078 — Valid Accounts; IT-services targeting).
SOC Action: Audit all internet-exposed Cisco FMC instances for unexpected admin sessions, newly-created local accounts, or unexpected configuration pushes; confirm FMC is on the latest Cisco advisory level and restrict the FMC management interface to jump-host IPs only. Where Interlock activity is plausible, hunt for T1078 valid-account abuse in EDR across perimeter-management infrastructure and require step-up MFA on all FMC and equivalent security-tool admin accounts.
3.3 Fake Ledger Live App on Apple App Store — $9.5M Crypto Theft
Source: BleepingComputer (referenced via correlation batch 68; direct URL not surfaced in the batch data)
A counterfeit “Ledger Live” application made it onto Apple’s App Store and drained approximately $9.5M in cryptocurrency from users. The fake app solicited seed phrases through a phishing flow indistinguishable from the genuine hardware-wallet companion. Correlation batch 68 links this to the McGraw-Hill extortion incident on shared phishing TTPs (T1566).
MITRE: T1566 (Phishing).
SOC Action: Push an advisory to employees who self-custody crypto that Ledger Live should only be installed from ledger.com; add
ledgerandledger-livekeyword alerting to corporate mobile-device-management app-install telemetry. Where MDM allows, restrict App Store installs on corporate iOS devices to a managed allow-list.
3.4 McGraw-Hill Confirms Data Breach Following Extortion Threat
Source: BleepingComputer (referenced via correlation batch 68; direct URL not surfaced)
McGraw-Hill has confirmed a data breach after receiving an extortion threat. Source attribution to a named threat actor is not present in the pipeline data for this cycle — preserve hedging. AI correlation links the incident to the broader phishing-driven financial/IT-services campaign pattern and to CVE-2026-32201 SharePoint exposure in the IT-services sector (shared T1566 TTP).
SOC Action: For publishing/education-sector peers, assume the same phishing playbook is in rotation: enforce MFA on all externally-reachable web apps, review SharePoint tenants for suspicious sign-ins from unusual geos post-2026-04-14 (overlapping the SharePoint zero-day window), and ensure DLP rules flag bulk downloads of customer-record documents from collaboration platforms.
3.5 Browser Extension Abuse — ClickFix Banking Stealer and 108-Extension Session-Theft Cluster
Source: Pipeline correlation batch 68 (reports: “59 Victims, Zero Authentication: A ClickFix Campaign Force-Installs a Chrome Extension Banking Stealer and Leaves the Entire C2 Wide Open” and “108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure”)
A ClickFix social-engineering campaign force-installs a Chrome banking-stealer extension at 59 confirmed victims; the associated C2 is unauthenticated and world-readable. Separately, 108 Chrome extensions were tied together through shared C2 infrastructure and are exfiltrating session cookies and browser data. The two clusters share TTPs: T1185 (Browser Session Hijacking) and T1071.001 (Application Layer Protocol — Web Protocols).
MITRE: T1185, T1071.001, T1176 (Browser Extensions), T1539 (Steal Web Session Cookie).
SOC Action: Inventory Chrome/Edge extensions enterprise-wide via
chrome.managementAPI / Edge management and block any extension outside the approved list using theExtensionInstallAllowlistGPO. Hunt proxy logs for beacons to unauthenticated HTTP C2s fromchrome.exechild processes and forchrome_proxy.exemaking non-Google outbound DNS. Invalidate persistent session cookies for crown-jewel SaaS and require device-bound session tokens where available.
4. AI-Identified Correlation Trends
| Risk | Trend | Supporting Evidence |
|---|---|---|
| 🔴 CRITICAL | Ransomware groups leveraging zero-day vulnerabilities for high-impact attacks | March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day |
| 🔴 CRITICAL | Vulnerabilities in critical infrastructure components being actively exploited | CVE-2026-3184 util-linux access-control bypass; wolfSSL forged-certificate flaw |
| 🔴 CRITICAL | Supply-chain compromise as a prevalent attack vector | OpenAI rotates macOS certs after Axios code-signing attack; fake-recruiter RAT campaign targets crypto developers |
| 🟠 HIGH | Increased exploitation of RCE vulnerabilities across multiple platforms | Microsoft April 2026 Patch Tuesday; CVE-2026-32157 Remote Desktop Client RCE; CVE-2026-33827 Windows TCP/IP RCE |
| 🟠 HIGH | Phishing campaigns targeting financial and IT-services sectors | McGraw-Hill extortion-linked breach; fake Ledger Live App Store listing ($9.5M crypto theft) |
| 🟠 HIGH | Increased ransomware activity with diverse infrastructure and global reach | Qilin victim cluster (Alternativa de Moda SAS, PGDIS.PAPETIQUE PRO, Basalt Dentistry); DragonForce multi-sector claims |
| 🟠 HIGH | Overlapping RaaS operators targeting multiple sectors globally | shadowbyt3$ (Amplify Technology, University of Georgia); DragonForce; Coinbase Cartel (Helzberg, Ralph Lauren) |
5. Trending Entities (Pipeline-Wide)
Threat Actors
- Qilin / qilin (53 + 20 reports) — Enumeration/RaaS operator; prolific victim-posting cadence across consultancy, healthcare and manufacturing.
- The Gentlemen / the gentlemen (45 + 20 reports) — High-volume extortion site postings; persistent cadence since late March.
- NightSpire (37 reports) — Ransomware brand with steady victim stream through early April.
- TeamPCP (31 reports) — Extortion/leak-site operator; activity plateaued around 8 April.
- DragonForce / dragonforce (27 + 21 reports) — Correlated yesterday on shared government-sector targeting (je-nyc.com, Apply Capnor).
- shadowbyt3$ (20 reports) — Emerging broker since early April; claimed Amplify Technology and University of Georgia within the last 24h.
- Akira (22 reports) — Continued activity through early April.
Malware Families
- RansomLock (29 reports) — Generic locker/RaaS tagging dominant in AlienVault ingestion pipeline.
- DragonForce ransomware (26 + 8 reports) — Matches DragonForce actor cluster.
- Akira ransomware (18 reports) — Persistent Q2 2026 footprint.
- PLAY ransomware (8 reports) — Stable week-over-week cadence.
- Qilin payload family (7 reports) — Co-tagged with Qilin actor.
- RaaS / raas generic tagging (13 + 7 reports) — Aggregate indicator that RaaS postings dominate the pipeline this cycle.
6. Source Distribution
| Source | Reports | URL | Notes |
|---|---|---|---|
| Microsoft | 189 | link | Patch Tuesday MSRC advisories — primary driver of Critical volume |
| RansomLock | 35 | link | Ransomware victim-posting aggregator |
| BleepingComputer | 8 | link | Patch Tuesday write-up; ESU KB; ClickFix extension reporting |
| AlienVault | 7 | link | Q1 CVE landscape + Interlock/Cisco FMC trend |
| Wiz | 3 | link | Cloud-security research |
| Schneier | 3 | link | Commentary |
| Sysdig | 2 | link | Container/runtime telemetry |
| SANS | 2 | link | Patch Tuesday diary; ISC daily |
| RecordedFutures | 2 | link | Strategic intel |
| Wired Security | 1 | link | Mainstream security reporting |
| Cisco Talos | 1 | link | Threat research |
| Elastic Security Labs | 1 | link | Detection engineering |
| RedCanary | 1 | link | Detection research |
| Unknown | 1 | — | Source attribution missing in ingest |
7. Consolidated Recommendations
- 🔴 IMMEDIATE: Patch or mitigate CVE-2026-32201 (SharePoint Server spoofing — actively exploited) on all internet-facing SharePoint instances within 72 hours; if patching is delayed, front SharePoint with an authenticated reverse proxy and restrict anonymous access. Ties to Section 3.1.
- 🔴 IMMEDIATE: Verify fleet-wide rollout of Defender Antimalware Platform 4.18.26050.3011 to close publicly-disclosed CVE-2026-33825 before weaponised PoCs circulate. Ties to Section 3.1.
- 🟠 SHORT-TERM: Deploy the full April Patch Tuesday bundle (Windows 11 KB5083769/KB5082052, Windows 10 KB5082200) with priority on Word RCE (33095/33114), AD RCE (33826), IKE RCE (33824) and UEFI Secure Boot bypass (0390/32220). Also push Adobe Reader/Acrobat updates that close an actively-exploited zero-day in the same window. Ties to Section 3.1.
- 🟠 SHORT-TERM: Audit internet-exposed Cisco FMC (and comparable security-management planes) for Interlock-style tradecraft: unexpected admin sessions, new local accounts, unscheduled config pushes. Restrict the management interface to jump-host IPs and enforce step-up MFA. Ties to Section 3.2.
- 🟡 AWARENESS: Brief end users on the fake Ledger Live App Store listing and the ClickFix Chrome-extension banking-stealer campaign; remind users seed phrases are never requested by legitimate wallet apps and that extensions should only be installed from the approved enterprise allow-list. Ties to Sections 3.3 and 3.5.
- 🟢 STRATEGIC: Treat ransomware operator activity (Qilin, DragonForce, The Gentlemen, NightSpire, shadowbyt3$) as the dominant opportunistic threat for the coming quarter; prioritise MFA coverage on all external auth, VSS-protected backups with immutable copies, and EDR coverage on domain controllers and file servers. Ties to Sections 4 and 5.
This brief was generated entirely by AI from automated threat intelligence collection and correlation pipelines, made up of 256 reports processed across 4 correlation batches. A human analyst reviewed and approved this report before publication, but AI-generated analysis may contain errors in attribution, severity assessment, or indicator extraction. Always verify IOCs, CVE details, and threat actor attribution against primary sources before taking operational action.