April 19, 2026
IT Security Roundup: Microsoft Defender Zero-Days, McGraw Hill Breach, and Adobe Emergency Patch
Three Microsoft Defender Zero-Days Actively Exploited in the Wild
VULNERABILITY
Cybersecurity firm Huntress has warned that threat actors are actively exploiting three security flaws in Microsoft Defender, codenamed BlueHammer, RedSun, and UnDefend. The vulnerabilities were released as zero-days by a researcher known as Chaotic Eclipse (aka Nightmare-Eclipse) following a dispute over Microsoft’s handling of the disclosure process.
BlueHammer and RedSun are local privilege escalation flaws, while UnDefend can trigger a denial-of-service condition that blocks definition updates. BlueHammer (CVE-2026-33825) was patched in this month’s Patch Tuesday, but the other two flaws are still unpatched. Huntress observed exploitation beginning April 10, with RedSun and UnDefend proof-of-concept exploits deployed on April 16, following standard reconnaissance commands such as whoami and net group.
Affected organisations have been isolated to prevent further compromise. Microsoft has yet to confirm a timeline for patches addressing RedSun and UnDefend.
McGraw Hill Data Breach Exposes 13.5 Million User Accounts
DATA BREACH
Education technology giant McGraw Hill has confirmed a data breach affecting 13.5 million user accounts after the ShinyHunters extortion group publicly leaked over 100 GB of stolen data. The breach was traced to a misconfiguration in McGraw Hill’s Salesforce environment, which allowed unauthorised access to a hosted webpage.
The exposed data includes names, email addresses, phone numbers, and in some cases physical addresses. McGraw Hill described the incident as involving a limited dataset, though the scale of the public leak has drawn sharp criticism from security researchers. The breach has been catalogued by Have I Been Pwned, where affected users can check whether their credentials were compromised.
The incident highlights the growing risk of third-party platform misconfigurations, particularly within widely used SaaS environments like Salesforce.
Adobe Issues Emergency Fix for Acrobat Reader Zero-Day Exploited Since December
VULNERABILITY
Adobe has released an emergency security update for Acrobat and Reader, patching a critical zero-day vulnerability tracked as CVE-2026-34621. The flaw, classified as an improperly controlled modification of object prototype attributes, could allow arbitrary code execution simply by opening a malicious PDF file.
Adobe confirmed that the vulnerability has been actively exploited in the wild since at least December 2025. Affected versions include Acrobat Reader 24.001.30356, 26.001.21367, and earlier releases on both Windows and macOS. The National Vulnerability Database has published full technical details of the flaw.
Users and organisations are urged to update immediately, as PDF-based exploits remain a favoured initial access vector for threat actors targeting enterprise environments.
State-Backed Hack Forces Grinex Cryptocurrency Exchange Offline
CYBERCRIME
Kyrgyzstan-based cryptocurrency exchange Grinex, a successor to the sanctioned Garantex platform, has halted operations following a state-sponsored cyber attack that resulted in losses exceeding $13 million. The exchange, which primarily facilitated transactions for individuals and businesses in Russia, was forced to suspend all trading.
Users have been unable to access their funds since the attack. The incident underscores the persistent targeting of cryptocurrency platforms by sophisticated threat groups, particularly those operating in or serving regions subject to international sanctions.
Ransomware Attack Shuts Down Spring Lake Park Schools in Minnesota
RANSOMWARE
Spring Lake Park School District in Minnesota was hit by a ransomware attack on April 13, forcing the district to shut down its systems and cancel classes and activities across all 12 schools serving more than 5,500 students. The district immediately activated its incident response protocols to contain the breach.
The attack caused significant operational disruption, with systems remaining offline while forensic investigations continue. Educational institutions remain a frequent target for ransomware operators due to typically limited cybersecurity budgets and the pressure to restore services quickly, making them more likely to pay ransoms.
ZY Media Productions