
Weekly INK

Each week we compile an advisory on the latest threats, trends and newsworthy topics from the cyber security industry affecting small and medium enterprises. Join our subscribers below and help us prevent cybersecurity breaches.


Issue #194 - April 13, 2026


EDR-Killer Ecosystem Expansion Requires Stronger BYOVD Defenses

Source: Dark Reading

EDR killers, once a rarity in the threat landscape, are now linchpins of perplexing ransomware attacks, leaving enterprise security teams scrambling for answers. Over the past year, security researchers have observed an expansion of the ecosystem around these tools, which can disable endpoint detection and response (EDR) platforms and other threat detection products in a targeted environment. EDR killers typically accomplish this through a technique known as bring-your-own-vulnerable-driver (BYOVD).




Adobe Patches Reader Zero-Day Exploited for Months

Source: SecurityWeek

Adobe released an emergency out-of-band patch for a critical Acrobat and Reader zero-day (CVE-2026-34621, CVSS 9.6) that had been actively exploited since at least November 2025, months before discovery. Linked to an APT group using Russian-language PDF lures referencing Russia’s oil and gas sector, the flaw allows arbitrary code execution via a maliciously crafted PDF with no user interaction beyond opening the file. Adobe has since revised the CVSS to 8.6, though the vulnerability remains a high-severity threat requiring immediate patching across Acrobat DC and Acrobat 2024.




Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution

Source: The Hacker News

Cisco disclosed four critical vulnerabilities across its Webex Services and Identity Services Engine platforms, including a CVSS 9.8 flaw (CVE-2026-20184) allowing unauthenticated remote attackers to impersonate any Webex user by exploiting improper certificate validation in the SSO integration, and three CVSS 9.9 vulnerabilities in ISE enabling remote code execution and arbitrary OS command execution by authenticated attackers. While Cisco has patched the cloud-based Webex issue server-side, customers using SSO must manually upload a new IdP SAML certificate to Control Hub to avoid service disruption.




Researchers Spot Surge in Brute-Force Attacks from Middle East

Source: Infosecurity Magazine

Security researchers at Barracuda detected a sharp rise in brute-force attempts targeting SonicWall and Fortinet devices, with 88% of attacks appearing to originate from servers in the Middle East, timing that researchers linked to escalating hostilities involving Iran-affiliated hackers. The attacks were mostly unsuccessful, blocked by security tools or directed at invalid usernames, but the surge reflects a blurring of the line between state-backed cyber operations and financially motivated cybercrime, as seen in the re-emergence of the Pay2Key ransomware group.




Data Breach at Edtech Giant McGraw Hill Affects 13.5 Million Accounts

Source: BleepingComputer

The ShinyHunters extortion group leaked data from 13.5 million McGraw-Hill user accounts after breaching the educational publisher’s Salesforce environment earlier in April through a misconfiguration rather than a direct platform vulnerability. McGraw-Hill confirmed the breach, stating the attackers exploited the misconfigured Salesforce environment and that the incident did not affect courseware, customer databases, or internal systems. Over 100GB of stolen data was publicly distributed, containing email addresses, names, physical addresses, and phone numbers, making affected users potential targets for follow-on phishing campaigns.




 
 

Help us Prevent Breaches.

We will never share or sell your information. Unsubscribe at any time.
