IT SECURITY
26 April 2026 • 6 min read

ZYMP IT Security — 26 April 2026

This week in cybersecurity: ShinyHunters runs a large data-theft extortion campaign against Inditex (Zara), Carnival and 7-Eleven, with more than 9 million records claimed from Inditex alone. Booking.com confirms a data breach and forces reservation PIN resets. Microsoft’s April Patch Tuesday addresses 164 vulnerabilities, including an actively exploited SharePoint zero-day. And AI coding tools are used to breach nine Mexican government agencies, exposing hundreds of millions of records.

ShinyHunters Ransomware Group Targets Major Global Brands

RANSOMWARE

The ShinyHunters group, widely labelled a ransomware operation although the activity described here is data theft followed by extortion, has claimed a coordinated campaign against several high-profile organisations. Inditex, the parent company of Zara, faces claims that more than 9 million records containing personal information and internal corporate data were exfiltrated. Carnival Corporation, the Panama-based cruise line operator, is said to have lost 8.7 million records. 7-Eleven reported that more than 600,000 Salesforce records were compromised in the same campaign.

The group also targeted Amtrak, the United States national rail operator, where at least 2.1 million customer records were exposed — potentially up to 9.4 million — through a CRM and Salesforce-related attack vector. Kemper Corporation, a major insurance provider, saw 29 GB of data comprising 13 million records breached. ShinyHunters issued a “pay or leak” ultimatum with deadlines set for late April, putting enormous pressure on affected organisations to respond.

Security analysts note that the common thread across these incidents is Salesforce and other CRM environments, suggesting the group is reusing one access method across victims, whether a shared third-party integration or stolen credentials and access tokens, rather than mounting a separate intrusion at each target. Organisations running Salesforce should review connected apps, API tokens and integration user accounts for unexpected access and look for unusual bulk data exports. The scale and coordination of this campaign mark it as one of the most significant extortion operations of 2026.

Booking.com Confirms Data Breach Affecting Customer Reservations

DATA BREACH

Booking.com has confirmed that unauthorised third parties accessed booking information associated with customer reservations, exposing full names, email addresses, postal addresses, phone numbers, and communications shared with property providers. The Amsterdam-based travel platform, which handles hundreds of millions of bookings annually, acted quickly to contain the incident by forcing PIN resets for existing and past reservations and notifying affected users via email.

The breach created a wave of confusion among users, as notification emails arrived from the official booking.com domain but no alerts appeared within the Booking.com mobile application itself. Some users on Reddit reported being targeted by scammers who appeared to possess private reservation details, although it remains unclear whether those phishing attempts are directly linked to this breach. Booking.com has not disclosed the total number of affected users but confirmed that all impacted individuals are being contacted individually.

Microsoft Patch Tuesday: 164 Vulnerabilities Including Exploited SharePoint Zero-Day

VULNERABILITY

Microsoft’s April 2026 Patch Tuesday release addresses 164 security vulnerabilities, double the number patched in March. The update includes one actively exploited zero-day, CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server (CVSS 6.5) that lets an unauthenticated remote attacker view and modify sensitive information with no user interaction. A second, publicly disclosed zero-day, CVE-2026-33825, affects Microsoft Defender and enables local privilege escalation to SYSTEM; proof-of-concept exploit code is already public, so it deserves the same urgency even though only the SharePoint flaw is listed as exploited in the wild.

Among the eight Critical-rated vulnerabilities, two stand out. CVE-2026-33827 is a flaw in the Windows TCP/IP stack that enables remote code execution via specially crafted IPv6 packets on systems with IPsec enabled (CVSS 8.1). CVE-2026-33824 (CVSS 9.8) is a double-free flaw in the Windows IKE Extension (the IKEEXT service) that allows unauthenticated remote code execution with low attack complexity. As an interim mitigation, Microsoft recommends blocking UDP ports 500 and 4500 on systems that do not require IKE. Note that IKE also underpins IPsec-based VPNs, so the block is only appropriate on hosts that neither initiate nor terminate IPsec tunnels; everywhere else the fix is the patch itself.
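The interim mitigation above, as an added example of how an administrator would check whether a host actually uses IKE, apply the port block and later roll it back. This is not code from the newsletter or from Microsoft: the rule name, the "in use" heuristic (active IPsec rules or established main-mode security associations) and the firewall profile choice are assumptions made here. It needs an elevated PowerShell session on Windows 10/11 or Windows Server 2016 or later.

```powershell
# Added example (not from the newsletter or Microsoft): apply the interim
# "block UDP 500/4500" mitigation for the IKE Extension flaw on a host that
# does not use IPsec/IKE, and roll it back once the April 2026 update is on.
# Assumptions: elevated session, NetSecurity module present (built in),
# rule name and "in use" heuristic chosen here for illustration.

$RuleName = 'Interim block - IKE UDP 500/4500 (CVE-2026-33824)'

function Test-IkeInUse {
    # Returns $true when this host appears to rely on IKE/IPsec, in which
    # case blocking 500/4500 would break VPN or IPsec-protected traffic.
    $svc       = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $sas       = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
    $rules     = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
                   Where-Object Enabled -eq 'True')
    $listeners = @(Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        IkeExtRunning     = [bool]($svc -and $svc.Status -eq 'Running')
        ActiveMainModeSAs = $sas.Count
        ActiveIPsecRules  = $rules.Count
        UdpListeners      = $listeners.Count
    } | Format-List | Out-String | Write-Host

    # IKEEXT running on its own is normal (it is a default service); only
    # live IPsec policy or established SAs are taken as evidence of real use.
    return ($sas.Count -gt 0 -or $rules.Count -gt 0)
}

function Add-IkeBlockRule {
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $RuleName"
        return
    }
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Temporary mitigation; remove after installing the April 2026 update.' `
        -Direction Inbound -Protocol UDP -LocalPort 500, 4500 `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Added inbound block for UDP 500/4500: $RuleName"
}

function Remove-IkeBlockRule {
    # Roll back once the patch is installed so IPsec can be used again.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

# Only apply the block where IKE is not in active use; otherwise patch first.
if (Test-IkeInUse) {
    Write-Warning 'IPsec/IKE appears to be in use on this host; do not block 500/4500 here. Install the update instead.'
} else {
    Add-IkeBlockRule
}

# Show the effective port filter and confirm the host firewall profiles are
# enabled: a host-firewall rule does nothing if the active profile is off.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
Get-NetFirewallProfile | Select-Object Name, Enabled
```

The rule only filters traffic arriving at this host; a matching block at the network perimeter for hosts that should never receive IKE from the Internet is the complementary step. Call Remove-IkeBlockRule after the update is installed and verified, since a forgotten block rule will silently break any IPsec VPN configured later.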

AI Tools Weaponised to Breach Mexican Government Agencies

AI THREATS

Security researchers have revealed that a lone attacker used Anthropic’s Claude Code and OpenAI’s GPT-4.1 to breach nine Mexican government agencies, a campaign that demonstrates the escalating risk of AI-assisted intrusions. The attacker used AI-generated commands to accelerate reconnaissance, executing 5,317 actions across 34 sessions and ultimately gaining access to 195 million taxpayer records and 220 million civil records.

Safety filters on both AI platforms were bypassed through prompt manipulation and the injection of a customised hacking manual. In a separate but related trend, researchers detailed a phishing campaign that distributes a fake Claude Pro installer for Windows which sideloads PlugX malware, giving persistent remote access to compromised systems. Researchers also demonstrated a prompt injection technique against AI agents in GitHub workflows: malicious instructions hidden in pull request titles can coerce an agent into exposing repository secrets such as access tokens and API keys. The practical lesson is that anything an agent reads from a pull request (title, body, commits, comments) is attacker-controlled input, so agent steps should run with the minimum permissions and only the secrets the task strictly needs.

WordPress Supply Chain Attack and Critical Infrastructure Threats Escalate

SUPPLY CHAIN

EssentialPlugin, a WordPress plugin development firm, suffered a significant supply chain compromise after an acquisition led to malicious updates being pushed to more than 30 plugins installed across thousands of websites. The backdoored code enabled unauthorised access and the creation of spam pages. WordPress.org has closed the affected plugins, but infections persist on sites that already installed the compromised versions: removing the plugin does not undo the access the backdoor provided, so such sites should be checked for the injected spam pages and for any other changes made while it was active.

In parallel, researchers have uncovered ZionSiphon, a new malware strain specifically designed to target industrial control systems at water treatment and desalination facilities in Israel, reflecting a continued escalation of threats against critical infrastructure. Check Point Research has also mapped over 1,250 active command-and-control servers distributed across 165 Russian hosting providers between January and April 2026, supporting malware campaigns involving IoT botnets such as Hajime, Mozi, and Mirai, alongside repurposed tools like Cobalt Strike.

ZY Media Productions
