EPISODE · Apr 28, 2026 · 23 MIN
2026-04-28: APT28's exploit chain targeting Windows Shell (CVE-2026-32202) is confirmed actively exploited
from Cyber Threat Brief
Show Notes - 2026-04-28

Stories Covered:

Today:
- Windows Shell Spoofing Actively Exploited by APT28 (CVE-2026-32202) (https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html)
- D-Link DIR-823X RCE Deployed for Mirai Botnet, No Patch Available (CVE-2025-29635) (https://research.checkpoint.com/2026/27th-april-threat-intelligence-report/)
- React2Shell Under AI-Assisted Mass Exploitation (CVE-2025-55182) (https://research.checkpoint.com/2026/27th-april-threat-intelligence-report/)
- OpenSSH Root Shell Flaw, 15 Years Old, No Log Trace (CVE-2026-35414) (https://www.securityweek.com/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years/)
- Bitwarden CLI Supply Chain Compromise via TeamPCP/Checkmarx Cascade (CVE-2026-33634) (https://isc.sans.edu/diary/rss/32926)
- Akira Ransomware Now Drives 40%+ of Cyber Insurance Claims via SonicWall VPN Exploitation (https://databreaches.net/2026/04/27/one-ransomware-crew-now-drives-half-of-all-cyber-claims-at-bay/)
- ShinyHunters Breaches ADT (5.5M Records) and Medtronic (9M Claimed) via Vishing/Okta SSO (https://www.bleepingcomputer.com/news/security/home-security-giant-adt-data-breach-affects-55-million-people/)
- GlassWorm v2 Malicious VS Code Extensions in OpenVSX (https://www.bleepingcomputer.com/news/security/glassworm-malware-attacks-return-via-73-openvsx-sleeper-extensions/)
- UNC6692 Uses Microsoft Teams Help Desk Impersonation to Deploy "Snow" Malware Suite (https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html)
- FIRESTARTER Backdoor on Cisco ASA Survives Patches and Reboots (CVE-2025-20333, CVE-2025-20362) (https://thehackernews.com/2026/04/weekly-recap-fast16-malware-xchat.html)
- PyPI elementary-data Backdoored via GitHub Actions PR Comment Injection (1.1M Monthly Downloads) (https://www.bleepingcomputer.com/news/security/pypi-package-with-11m-monthly-downloads-hacked-to-push-infostealer/)
- Fidelity Brokerage Fined $1.25M for 2024 IDOR Breach Affecting 77,000 Customers (https://databreaches.net/2026/04/27/regulator-fines-fidelity-brokerage-services-1-25m-over-data-breach/)
- Microsoft Entra ID Agent ID Administrator Role Allowed Arbitrary Service Principal Takeover (Patched April 9) (https://thehackernews.com/2026/04/microsoft-patches-entra-id-role-flaw.html)
- Windows RDP Security Warnings Display Incorrectly on Multi-Monitor Setups (April 2026 Updates) (https://www.bleepingcomputer.com/news/microsoft/microsoft-new-remote-desktop-warnings-may-display-incorrectly/)
- Huntress EDR/ITDR Correlation: Infostealer on Endpoint Now Auto-Triggers Identity Lockdown (https://www.huntress.com/blog/edr-itdr-correlations)
- PhantomCore Exploiting TrueConf Server Chain for Lateral Movement Across Russian Networks (https://thehackernews.com/2026/04/phantomcore-exploits-trueconf.html)
- Deepfake Voice Attacks Up 680% in 2025, Finance Teams and IT Help Desks Primary Targets (https://www.bleepingcomputer.com/news/security/deepfake-voice-attacks-are-outpacing-defenses-what-security-leaders-should-know/)
- Silk Typhoon (Hafnium) Contractor Extradited to US from Italy (https://www.bleepingcomputer.com/news/security/alleged-silk-typhoon-hacker-extradited-to-us-for-cyberespionage/)
- Vercel Discloses Breach via Context.ai OAuth Token Theft
- ASP.NET Core Cookie Forgery Enables SYSTEM-Level Access (CVE-2026-40372) (https://research.checkpoint.com/2026/27th-april-threat-intelligence-report/)
- LMDeploy SSRF Exploited Within 13 Hours of Disclosure (CVE-2026-33626) (https://research.checkpoint.com/2026/27th-april-threat-intelligence-report/)
- Unpatched Windows RPC Privilege Escalation (PhantomRPC, Five Exploit Paths) (https://www.darkreading.com/vulnerabilities-threats/unpatched-phantomrpc-flaw-windows-privilege-escalation)
- Apple iOS/iPadOS Notification Services Flaw Retained Deleted Alerts (CVE-2026-28950) (https://research.checkpoint.com/2026/27th-ap ...