Information Security News – 4/20/2026


108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users 

Article Link: https://thehackernews.com/2026/04/108-malicious-chrome-extensions-steal.html   

  • A coordinated campaign published over 100 malicious Chrome extensions across a variety of categories, such as games and social media “fun upgrades”, that infected over 20,000 users. 
  • These extensions appeared legitimate and delivered normal functionality while covertly connecting to command-and-control (C2) servers. This allowed malicious actors to steal Google account data, perform session hijacking and ad injection attacks, and install backdoors on systems. 
  • Attackers used these extensions to compromise accounts, steal victim data, and monetize users through ads.  
  • The campaign shows that attackers can weaponize trusted app stores at scale to exploit thousands of users before detection and removal. 

Fake Ledger Live App on Apple’s App Store Stole $9.5M in Crypto 

Article Link: https://www.bleepingcomputer.com/news/security/fake-ledger-live-app-on-apples-app-store-stole-95m-in-crypto/ 

  • A fake version of the Ledger Live crypto wallet app was published on the Apple App Store, allowing malicious actors to steal about $9.5 million from about 50 victims.  
  • Due to the lack of an official macOS Ledger Live app, the attackers were able to publish an app under a fake developer identity and build credibility by shipping frequent updates that moved the version number to 5.0 within a few weeks.  
  • The app prompted users to enter their seed or recovery phrases, enabling attackers to take full control of their funds across multiple cryptocurrencies, including Bitcoin, Ethereum, and Solana. 
  • The stolen cryptocurrency was laundered through KuCoin, which has previously been accused of violating anti-money laundering laws and has paid millions in penalties, and through a mixing service called AudiA6 to make the funds more difficult to trace. 
  • Although Apple removed the app after receiving multiple user reports, millions of dollars were lost, and recovery remains uncertain.  

Black Basta-Linked Attacks Target Executives via Teams Phishing 

Article Link: https://www.scworld.com/news/black-basta-linked-attacks-target-executives-via-teams-phishing  

  • Researchers at ReliaQuest report that suspected former members of the Black Basta ransomware group continue to use the group’s playbook to launch attacks, with an increased focus on senior executives. 
  • A surge in Microsoft Teams-based phishing, along with other attacks leveraging the group’s tactics, techniques, and procedures (TTPs), has been used to trick victims into installing remote access tools that grant attackers system access. 
  • Targeting executives, who often already have privileged access, allows for faster and more efficient attacks. 
  • Executive-focused attacks are on the rise, highlighting the importance of role-based security training. Recommended mitigations for these attacks also include strict verification of IT support requests and stronger technical controls over the use of remote monitoring and management (RMM) tools. 
  • Additional information: https://reliaquest.com/blog/threat-spotlight-are-former-black-basta-affiliates-automating-executive-targeting 

New ATHR Vishing Platform Uses AI Voice Agents for Automated Attacks 

Article Link: https://www.bleepingcomputer.com/news/security/new-athr-vishing-platform-uses-ai-voice-agents-for-automated-attacks/ 

  • A new cybercrime platform called ATHR is allowing attackers to perform fully automated voice phishing (vishing) attacks, utilizing AI voice agents and human operators to steal credentials. The tool comes with built-in capabilities to harvest credentials from Microsoft, Google, Yahoo, AOL, along with cryptocurrency exchanges like Coinbase, Binance, and crypto.com.  
  • The entire attack flow is automated and includes sending phishing emails, convincing victims to call, and then routing them to AI voice agents that impersonate support staff. 
  • These agents use scripted prompts to mimic human customer support to steal sensitive data while a dashboard allows attackers to launch campaigns, monitor results, and collect the stolen data.  
  • ATHR lowers the barrier of entry for cybercriminals and enables them to launch sophisticated and scalable attacks for a relatively low cost.   
  • As AI-driven phishing platforms become more advanced and harder to detect, organizations must shift toward behavioral-based detection and user awareness strategies. 

Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution 

Article Link: https://thehackernews.com/2026/04/cisco-patches-four-critical-identity.html 

Microsoft SharePoint Server Zero-Day Vulnerability Actively Exploited in Attacks 

Article Link: https://cyberpress.org/microsoft-sharepoint-server-zero-day-vulnerability/ 

  • Microsoft has released an urgent patch for a zero-day vulnerability in on-premises SharePoint Server that is being actively exploited in the wild.  
  • The vulnerability is caused by improper input validation in SharePoint and allows attackers to view and modify data on affected servers.   
  • The attack is low complexity, does not require authentication, and can be executed remotely; exploit code is already widely available.  
  • Although the vulnerability is rated medium severity by CVSS score, immediate patching and enhanced monitoring are strongly recommended due to active exploitation. 
  • CVE-2026-32201: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201

Data Breach at Tennessee Hospital Affects 337,000 

Article Link: https://www.securityweek.com/data-breach-at-tennessee-hospital-affects-337000/ 

  • The Cookeville Regional Medical Center (CRMC) in Tennessee was impacted by a ransomware attack linked to the Rhysida ransomware group, resulting in a large-scale data breach affecting over 300,000 individuals. 
  • Attackers gained access to the hospital’s network in July 2025, exfiltrating sensitive files before the breach was discovered, including both personal and medical information. 
  • Stolen data included sensitive records such as names, Social Security numbers, financial details, driver’s license numbers, and medical and insurance information. The group posted this information on its leak site after failing to sell it. 
  • The breach creates a severe long-term risk of identity theft and fraud due to the exposure of extensive personal and health data, despite no confirmed evidence of misuse so far. 
  • Even when ransomware groups fail to monetize stolen data directly, public data leaks can harm victims through long-term exposure and reuse of compromised information. 

Security Leaders Say the Next Two Years Are Going to Be ‘Insane’ 

Article Link: https://cyberscoop.com/ai-cyberattacks-two-years-insane-vulnerabilities-kevin-mandia-alex-stamos-morgan-adamski-rsac-2026/ 

  • Artificial intelligence is enabling attackers to dramatically increase their scale and capabilities while defenders struggle to catch up.  
  • AI is accelerating vulnerability discovery at an exponential pace while patching and remediation remain slow. This creates an imbalance that allows malicious actors to find and exploit flaws faster than defenders can remediate them.  
  • AI agents can autonomously scan, exploit, and move through networks at massive scale and speed. These agents can generate exploits, evade detection, and analyze systems far beyond human capability. 
  • The result is a “perfect storm” favoring attackers, where exploit creation becomes faster and more accessible, legacy systems are increasingly exposed, and traditional security approaches risk becoming ineffective without major redesign. 

New Jersey Men Given Lengthy Sentences for Running North Korean Laptop Farms

Article Link: https://therecord.media/new-jersey-men-sentenced-north-korean-laptop-farms

  • Two New Jersey men, Kejia Wang and Zhenxing Wang, are headed to prison for nine and nearly eight years after running a “laptop farm” that helped North Korean IT workers land jobs at more than 100 U.S. companies and funnel over $5 million to the regime.
  • From 2021 through October 2024, the group used stolen identities from about 80 Americans, hosted hundreds of corporate laptops in U.S. homes, and used KVM switches to give overseas operators full remote control while hiding behind shell companies.
  • The scheme caused about $3 million in losses and exposed sensitive data, including ITAR-controlled defense contractor information, raising national security concerns tied to insider-level access.
  • Officials point to stronger identity verification during hiring, enhanced monitoring of remote access tools, and tighter oversight of remote worker devices and locations to detect suspicious activity and block unauthorized control.
