
HARDENED
Cybersecurity Intelligence
Daily Briefing  ·  Tuesday, May 5, 2026  ·  hardened.news
The signal. Not the noise.  For teams that defend.
Lead Story
High — Nation-State / CISA KEV · Enterprise · Cloud+DevOps
APT28 Exploits Incomplete Windows Shell Fix — Kimsuky Weaponizes ScreenConnect — Both Hit CISA KEV
Akamai Security Research found that the April Patch Tuesday fix for a Windows Shell flaw is incomplete: a crafted LNK file still coerces NTLM authentication from any user who merely opens the folder containing it, leaking that user's credential hash to an attacker-controlled SMB server. Separately, Kroll attributed active exploitation of a 2024 ConnectWise ScreenConnect path traversal to Kimsuky, which is using the access to deploy a polymorphic backdoor. CISA has added both CVEs to the Known Exploited Vulnerabilities catalog, confirming active exploitation.

CVE-2026-32202 is an incomplete fix. Akamai Security Research confirmed this week that the bypass technique attributed to APT28 against the original Windows Shell flaw (CVE-2026-21510) remains viable after the April Patch Tuesday update: a crafted LNK file still coerces NTLM authentication from any user who opens the containing folder, with no click on the shortcut required, and the victim's machine sends its NTLM challenge-response to an attacker-controlled SMB server. That captured response can be relayed to other services that accept NTLM without signing or channel binding, or cracked offline to recover the password. Microsoft's original CVSS rating of 4.3, which reflected only credential exposure, was marked incorrect and updated on April 27. Microsoft's threat intelligence teams attributed CVE-2026-21510 to APT28 in campaigns targeting Ukraine and EU countries in late 2025.
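To triage shortcuts on a share for the coercion primitive described above, the following Python script (added here; it is not Akamai's or Microsoft's code) parses the MS-SHLLINK header and StringData fields and flags any LNK whose icon location, working directory, or other string field starts with a UNC path, which is what makes Explorer authenticate to a remote host while it renders the folder. The page does not say which field the CVE-2026-32202 bypass abuses, so treat this as a generic hunting heuristic rather than a signature for that CVE. The two sample shortcuts and the 198.51.100.7 host are constructed for the example.

```python
"""Triage scanner for .lnk files that reference a remote (UNC) path.

Constructed example: the sample shortcuts are built in memory below and
198.51.100.7 is a documentation address, not a real attacker server.
"""
import re
import struct
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide what follows the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag bit is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Anything starting with \\ goes through the redirector: SMB first, with a
# WebDAV fallback if the WebClient service is running.
UNC_RE = re.compile(r"^\s*\\\\")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link, skipping the optional
    LinkTargetIDList and LinkInfo structures that precede them."""
    if len(data) < HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("unexpected header size")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        (linkinfo_size,) = struct.unpack_from("<I", data, pos)
        pos += linkinfo_size
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # count is in characters
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def coercion_indicators(fields: dict) -> dict:
    """Fields whose value would make Explorer reach out to a remote host."""
    return {k: v for k, v in fields.items() if UNC_RE.match(v)}


def scan_tree(root: str) -> dict:
    """Walk a directory (for example a copied share) and report suspicious shortcuts."""
    hits = {}
    for path in Path(root).rglob("*.lnk"):
        try:
            found = coercion_indicators(parse_lnk_strings(path.read_bytes()))
        except (ValueError, struct.error):
            continue  # truncated or non-LNK file; log it in a real deployment
        if found:
            hits[str(path)] = found
    return hits


def build_lnk(icon_location: str, name: str = "") -> bytes:
    """Build a minimal Unicode shell link (constructed test fixture)."""
    flags = IS_UNICODE | HAS_ICON_LOCATION | (HAS_NAME if name else 0)
    header = struct.pack(
        "<I16sIIQQQIiIH", HEADER_SIZE, LNK_CLSID, flags,
        0x20,        # FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,     # creation / access / write time
        0,           # file size
        0,           # icon index
        1,           # SW_SHOWNORMAL
        0,           # hotkey
    ) + b"\x00" * 10  # Reserved1..3
    body = b""
    for text in ([name] if name else []) + [icon_location]:
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


MALICIOUS = build_lnk(r"\\198.51.100.7\share\report.ico", name="Q2 report")
BENIGN = build_lnk(r"%SystemRoot%\system32\shell32.dll", name="Calculator")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, coercion_indicators(parse_lnk_strings(blob)))
```

Run scan_tree against a copy of the share taken with a non-Explorer tool; opening the originals in Explorer on a domain-joined workstation is exactly what triggers the leak. To catch shortcuts that hide the UNC path in environment strings, extend the parser to the ExtraData blocks that follow StringData (EnvironmentVariableDataBlock and IconEnvironmentDataBlock in MS-SHLLINK).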

Separately, Kroll researchers attributed active exploitation of CVE-2024-1708, a path traversal (Zip Slip) in ConnectWise ScreenConnect first patched in February 2024, to Kimsuky, a DPRK-linked group. An attacker with access to the extension-upload function, which in practice is reached through the companion authentication bypass CVE-2024-1709 fixed in the same release, uploads a crafted zip whose entry names contain "../" sequences, so extraction writes a payload outside the intended directory and into the web root, achieving RCE. Kroll identified the group using this access to deploy ToddlerShark, a polymorphic variant of the BabyShark malware built to evade signature detection. Self-hosted ScreenConnect servers below version 23.9.8 remain exposed.
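The bug class behind CVE-2024-1708 is archive extraction that trusts entry names. The Python below is an added illustration, not ScreenConnect's code: vulnerable_extract joins each entry name onto the destination and writes, so an entry named ../../evil.ashx lands two directories up; safe_extract validates every entry before writing anything. The archive contents, the App_Extensions/upload path, and the evil.ashx name are constructed for the example.

```python
"""Zip Slip, shown as a vulnerable extractor beside a hardened one.

Constructed example: the archive and directories are created in a scratch
temp dir; nothing here is ScreenConnect's own code.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_zip(entries: dict) -> bytes:
    """Create an in-memory archive; zipfile keeps '../' in entry names as written."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def vulnerable_extract(zip_bytes: bytes, dest: str) -> list:
    """The bug class: joins the attacker-controlled entry name onto dest and
    never checks that the result still lies inside dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # "../" walks out of dest
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.abspath(target))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Reject any entry whose final path escapes dest, before writing anything."""
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            if name.startswith("/") or any(p == ".." for p in name.split("/")):
                raise ValueError(f"traversal entry rejected: {info.filename!r}")
            target = (root / name).resolve()
            if target != root and root not in target.parents:
                raise ValueError(f"entry escapes destination: {info.filename!r}")
            targets.append((info, target))
        for info, target in targets:  # every name validated; now write
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target))
    return written


def demo() -> dict:
    """Extract the same crafted archive with both functions in a scratch tree."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = os.path.join(scratch, "App_Extensions", "upload")
        os.makedirs(dest)
        crafted = build_zip({
            "manifest.xml": b"<extension/>",
            "../../evil.ashx": b"<% /* a web shell would go here */ %>",
        })
        escaped = [
            os.path.relpath(p, scratch)
            for p in vulnerable_extract(crafted, dest)
            if not p.startswith(os.path.abspath(dest) + os.sep)
        ]
        try:
            safe_extract(crafted, dest)
            blocked = False
        except ValueError:
            blocked = True
        benign = build_zip({"manifest.xml": b"<extension/>", "bin/ext.dll": b"\x00"})
        benign_written = len(safe_extract(benign, dest))
    return {"escaped": escaped, "blocked": blocked, "benign_written": benign_written}


if __name__ == "__main__":
    print(demo())
```

The hardened version validates the whole archive before the first write, so a rejected archive leaves nothing behind; validating entry by entry while writing would still leave earlier entries on disk when a later one is rejected.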

→ Key Takeaway
Apply the April 2026 Patch Tuesday update for CVE-2026-32202; per Akamai's analysis it narrows but does not fully close the coercion vector. Block outbound SMB (TCP 445) at the perimeter so coerced authentication cannot reach Internet hosts, and note the two gaps that leaves: an attacker with a foothold inside the network can still receive the authentication, and if the WebClient service is running Windows can fall back to WebDAV over HTTP when SMB is blocked. Require SMB signing and, where feasible, restrict outbound NTLM so a captured response is neither relayable nor useful. Upgrade ConnectWise ScreenConnect to version 23.9.8 or later and audit connection logs for anomalous inbound sessions as a ToddlerShark indicator.
Quick Hits
01
ShinyHunters Claims Vishing Defeated ADT's Okta MFA; ADT Files SEC Breach Disclosure, Attacker Claims 5.5M Records

ADT filed an 8-K with the SEC on April 24 disclosing that it had detected unauthorized access to cloud-based environments on April 20. ShinyHunters claimed responsibility on April 23, alleging it used vishing to compromise an employee's Okta SSO account and extracted data from ADT's Salesforce instance, which it says covers 5.5 million customer records. ADT's own filing confirms that names, phone numbers, and addresses were exposed, with the last four digits of Social Security numbers or Tax IDs in a small percentage of cases; the 5.5 million figure and the Okta vishing method are ShinyHunters' claims and have not been confirmed by ADT. The pattern, vishing to defeat push-notification MFA followed by bulk SaaS data extraction, is the same one ShinyHunters used against Booking.com and Snowflake-connected targets. Push-notification MFA is not a sufficient control where social engineering is the threat model. Bleeping Computer →

High — Confirmed Breach · Enterprise
CVE Watch
CVE-2024-7399 / CVE-2025-4632 — Samsung MagicINFO 9 Server: Version 21.1050 Is Not the Fix — You Need 21.1052

CVE-2024-7399 is a path traversal in Samsung MagicINFO 9 Server that lets an unauthenticated attacker write arbitrary files with SYSTEM privileges, which on a web-facing server is enough to drop a web shell and execute code. Samsung patched it in August 2024 with version 21.1050, but Huntress confirmed that 21.1050 remains exploitable. Samsung issued a second fix in May 2025 (version 21.1052) for CVE-2025-4632, a CVSS 9.8 follow-on that is the actual bypass. Mirai botnet operators have been exploiting the unpatched chain, and CISA added CVE-2024-7399 to the Known Exploited Vulnerabilities catalog on April 24. MagicINFO deployments are common in retail, healthcare, hospitality, and transit environments; a compromised display server is a network pivot point, not just a nuisance. Organizations upgrading from MagicINFO v8 must step through 21.1050 before applying 21.1052, so verify the running build number rather than whether a patch was applied.

Vendor: Samsung  ·  CVEs: CVE-2024-7399 (CVSS 9.8 per NVD) / CVE-2025-4632 (CVSS 9.8)  ·  Affected: MagicINFO 9 Server < 21.1052 (21.1050 is incomplete)  ·  Fix: Upgrade to 21.1052 or later  ·  Exploitation: Active — Mirai botnet; CISA KEV confirmed April 24, 2026
Compliance Tip of the Day
NIST CSF 2.0 — PR.AA-03 — Protect: Identity Management, Authentication, and Access Control
Vishing Defeats Push-Notification MFA — FIDO2 Is the Upgrade

ShinyHunters claims the ADT access began with a single vishing call that convinced an employee to approve a fraudulent Okta push notification, a technique that defeats push-notification MFA and SMS OTP because the approval step is social, not cryptographic: the attacker starts the login and the user merely says yes. FIDO2 keys and passkeys remove that step. The authenticator signs a server-issued challenge together with the origin the browser is actually on, and the relying party rejects any assertion whose origin is not its own, so the credential cannot be replayed from a look-alike site and there is nothing a caller can talk a user into approving remotely. Concrete action (PR.AA-03): Migrate SSO gateway authentication to FIDO2-compliant hardware keys or device-bound passkeys, starting with accounts that can reach SaaS platforms containing customer PII, and disable the push and SMS fallbacks for those accounts once the migration completes, since a fallback that stays enabled is the path the attacker will request. nist.gov/cyberframework →
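Why origin binding defeats the vishing pattern, as an added Python example (not NIST, Okta, or FIDO Alliance code): these are the relying-party checks a server runs on a WebAuthn assertion before verifying its signature. The browser writes the real origin and the server's challenge into clientDataJSON and the authenticator signs over it, so an assertion produced on a look-alike domain fails the origin check and a replayed one fails the challenge check. RP_ID, ALLOWED_ORIGINS, the challenge, and both clientDataJSON fixtures are constructed for the example; the final signature check needs the credential's stored public key and is noted in a comment but not implemented here.

```python
"""Relying-party checks that make a FIDO2/WebAuthn assertion origin-bound.

Constructed example: the clientDataJSON blobs below stand in for what a
browser would send from the real SSO origin and from a look-alike phishing
page; they are not captured traffic. The signature check itself is omitted.
"""
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                          # assumed relying-party ID
ALLOWED_ORIGINS = {"https://sso.example.com"}  # assumed SSO gateway origin
FLAG_UP, FLAG_UV = 0x01, 0x04                  # user present / user verified


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, last_sign_count: int,
                     require_uv: bool = True):
    """Pre-signature checks on navigator.credentials.get() output
    (WebAuthn section 7.2). Returns (ok, reason, new_sign_count)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON", last_sign_count
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", last_sign_count
    # Challenge is single-use and server-issued: a replayed assertion fails here.
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or stale)", last_sign_count
    # The browser, not the user, fills in origin; a key used on a look-alike
    # domain signs that domain and the check below rejects it.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {cd.get('origin')}", last_sign_count
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short", last_sign_count
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch", last_sign_count
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted", last_sign_count
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but absent", last_sign_count
    (count,) = struct.unpack(">I", authenticator_data[33:37])
    if count != 0 and count <= last_sign_count:
        return False, "signature counter did not advance (cloned key?)", last_sign_count
    # Remaining step, not shown: verify the signature over
    # authenticator_data + sha256(client_data_json) with the stored public key.
    return True, "ok", count


# --- constructed fixtures ----------------------------------------------------
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


CHALLENGE = bytes(range(32))  # constructed; a real RP uses os.urandom(32)
AUTH_DATA = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, sign_count=42)
GENUINE = make_client_data("https://sso.example.com", CHALLENGE)
PHISHED = make_client_data("https://sso.example-login.test", CHALLENGE)

if __name__ == "__main__":
    print(verify_assertion(GENUINE, AUTH_DATA, CHALLENGE, last_sign_count=41))
    print(verify_assertion(PHISHED, AUTH_DATA, CHALLENGE, last_sign_count=41))
```

None of this helps if the login can still be completed through a push or SMS fallback; the attacker simply asks for that method instead.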

HARDENED

This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.

Sources: Akamai Security Research (“Incomplete Patch of APT28’s Zero-Day Leads to CVE-2026-32202”), akamai.com · The Hacker News (“Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202”), thehackernews.com · CISA KEV Catalog — CVE-2026-32202, CVE-2024-1708 (added April 25, 2026; federal deadline May 12), cisa.gov · SecurityOnline (“CISA KEV: Kimsuky, APT28 Exploitation — CVE-2024-1708, CVE-2026-32202”), securityonline.info · Huntress (“CVE-2024-1708: ScreenConnect Zip Slip Vulnerability”), huntress.com · ADT newsroom (“ADT detects cybersecurity incident”), newsroom.adt.com · Bleeping Computer (“Home security giant ADT data breach affects 5.5 million people”), bleepingcomputer.com · Kroll (“TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant”), kroll.com · CISA KEV Catalog — CVE-2024-7399 (added April 24, 2026; federal deadline May 8), cisa.gov · SecurityWeek (“Improperly Patched Samsung MagicINFO Vulnerability Exploited by Botnet”), securityweek.com · Arctic Wolf (“Follow-Up: Samsung Patches Zero-Day Vulnerability in MagicINFO 9 Server (CVE-2025-4632)”), arcticwolf.com · Huntress (“Rapid Response: Samsung MagicINFO 9 Server Flaw”), huntress.com · NIST CSF 2.0 (PR.AA-03), nist.gov/cyberframework
