Security Leftovers, Windows TCO, and Devices That Don't Get Patched
-
Security Week ☛ Critical Flowise Vulnerability in Attacker Crosshairs
The improper validation of user-supplied JavaScript code allows attackers to execute arbitrary code and access the file system.
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by AlmaLinux (crun, kernel, and kernel-rt), Debian (dovecot), Fedora (calibre and nextcloud), Mageia (freerdp, polkit-122, python-nltk, python-pyasn1, vim, and xz), Red Hat (edk2 and openssl), SUSE (avahi, cockpit, python-pyOpenSSL, python311, and tar), and Ubuntu (lambdaisland-uri-clojure, linux-gcp, linux-gcp-4.15, linux-gcp-fips, linux-oem-6.17, and linux-realtime-6.17).
-
Security Week ☛ Severe StrongBox Vulnerability Patched in Android
A critical DoS vulnerability in the Framework component of Android has also been fixed with the latest update.
-
Scoop News Group ☛ Cybercrime losses jumped 26% to $20.9 billion in 2025
The FBI’s annual report on digital crimes exposes a worsening environment. Yet an unknown number of victims still suffer in the shadows, never reporting the crimes they endure.
-
Scoop News Group ☛ ‘GrafanaGhost’ bypasses Grafana’s Hey Hi (AI) defenses without leaving a trace
Noma Security researchers used indirect prompt injection to turn Grafana's own Hey Hi (AI) into an unwitting courier for sensitive corporate data.
-
Security Week ☛ GrafanaGhost: Attackers Can Abuse Grafana to Leak Enterprise Data
By targeting Grafana’s Hey Hi (AI) components, attackers can point to external resources and inject indirect prompts to bypass safeguards.
-
OpenSSF (Linux Foundation) ☛ What’s in the SOSS? Podcast #58 – S3E10 Big Thoughts, Open Sources: Beyond the Hype: Brian Fox on Securing the Agentic Future of Open Source
-
Silicon Angle ☛ ‘GrafanaGhost’ vulnerability allowed for silent data exfiltration through Hey Hi (AI) workflows
A new report out today from artificial intelligence security platform company Noma Security Inc. details a recently discovered vulnerability in Grafana that allowed sensitive enterprise data to be exfiltrated silently through the platform’s Hey Hi (AI) features.
-
Security Week ☛ Medusa Ransomware Fast to Exploit Vulnerabilities, Breached Systems
The group uses zero-days, quickly weaponizes fresh bugs, and exfiltrates and encrypts data within days of initial access.
-
Security Week ☛ GPUBreach: Root Shell Access Achieved via GPU Rowhammer Attack
Researchers have demonstrated that GPU Rowhammer attacks can be used to escalate privileges.
-
SWHID in Practice: SBOM Verification, CRA Compliance, and Traceability Use Cases
Explore how SWHID is applied in real-world scenarios to improve SBOMs, support Cyber Resilience Act compliance, and enable software traceability. Discover practical use cases across telecom and automotive industries, based on insights from recent industry talks.
-
SANS ☛ A Little Bit Pivoting: What Web Shells are Attackers Looking for, (Tue, Apr 7th)
Webshells remain a popular method for attackers to maintain persistence on a compromised web server. Many "arbitrary file write" and "remote code execution" vulnerabilities are used to drop small files on systems for later execution of additional payloads. The names of these files keep changing and are often chosen to "fit in" with other files. Webshells themselves are also often used by parasitic attacks to compromise a server.
-
Windows TCO / Windows Bot Nets
-
Scoop News Group ☛ Feds quash widespread Russia-backed espionage network spanning 18,000 devices
Forest Blizzard, a threat group attributed to Russia’s GRU, hijacked network traffic to steal credentials and tokens for Abusive Monopolist Microsoft accounts and other services.
-
The Register UK ☛ Hundreds compromised daily in Microsoft device code phishes
Hundreds of organizations have been compromised daily by a Microsoft device-code phishing campaign that uses AI and automation at nearly every stage of the attack chain to ultimately snoop through corporate email inboxes and steal financial data.
"Since March 15, 2026, we have observed 10 to 15 distinct campaigns launching every 24 hours," Microsoft VP of security research Tanmay Ganacharya told The Register.
"Each campaign is distributed at scale, targeting hundreds of organizations with highly varied and unique payloads, making pattern-based detection more challenging," Ganacharya said. "We continue to observe high-volume activity, with hundreds of compromises occurring daily across affected environments."
The attackers have targeted organizations across all sectors and globally, he told us. And while the phishing expedition hasn't been attributed to a particular crew, its tooling and infrastructure share similarities with EvilTokens.
-
Devices/Embedded
-
The Register UK ☛ Iran intruders disrupting US water, energy facilities
Iran's cyber intrusions targeting critical infrastructure have been ongoing since March, according to the feds, and they aim to disrupt operational technology (OT) devices, specifically programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley.
PLCs are used to control and monitor industrial equipment in water treatment plants, food production sites, oil refineries, power grids, and other critical facilities, and they've been a longtime favorite target of Iranian cyber crews.
-
Scoop News Group ☛ Iranian hackers launching disruptive attacks at U.S. energy, water targets, feds warn
Iranian government hackers are launching disruptive cyberattacks on American energy and water infrastructure, U.S. government agencies “urgently” warned Tuesday.
-
Security Week ☛ Iran-Linked Hackers Disrupt US Critical Infrastructure via PLC Attacks
Federal agencies warn attackers are manipulating PLC and SCADA systems across multiple sectors, triggering operational disruptions and raising concerns over broader OT targeting.
-
The Record ☛ FBI, Pentagon warn of Iran hacking groups targeting operational technology
The attacks have led to “operational disruption and financial loss,” according to a new advisory from the Defense Department, FBI, National Security Agency (NSA) and other federal agencies. Officials believe the attacks escalated in response to the current military conflict between the U.S. and Iran.
Iranian-affiliated threat actors are specifically targeting [Internet]-connected OT devices including Rockwell Automation or Allen-Bradley-manufactured programmable logic controllers (PLC). Other devices from Siemens may also be included in the campaign.
-