Newsletter · Issue #16

Apr 7 Digest: Medusa Ransomware Surge, FBI $21B Record, DPRK $280M Drift Heist, APT28 Disrupted

Storm-1175 runs sub-24-hour Medusa ransomware campaigns using zero-days; the FBI IC3 reports a record $21 billion in US cybercrime losses for 2025; North Korean agents spent six months inside Drift Protocol before stealing $280M; and APT28's FrostArmada router DNS hijacking campaign is disrupted by international law enforcement.

Dylan H.

CosmicBytez Labs

April 7, 2026
13 min read

This Week in Cybersecurity

Issue 16 arrives against a backdrop defined by one recurring theme: speed. Attackers are compressing timelines to the point where traditional detect-and-respond strategies are structurally insufficient — and this week's headlines make the case more starkly than ever.

The dominant story is Medusa ransomware and its China-linked affiliate Storm-1175, which Microsoft's threat intelligence team has documented running entire ransomware kill chains — from zero-day exploitation to encrypted systems — in under 24 hours. The implication for defenders is stark: a group that can breach, move laterally, exfiltrate, and encrypt in less than a working day has already won the race against alert triage. The patch window has effectively collapsed to zero where Storm-1175 is operating with pre-disclosure zero-day capability.

The FBI's IC3 annual report lands with equally sobering numbers: American victims reported $21 billion in losses to cyber-enabled crime in 2025 — an all-time record. Cryptocurrency pig-butchering scams and business email compromise drove the surge, while deepfake-powered fraud is beginning to supercharge BEC attacks against corporate executives.

In the DeFi space, Drift Protocol's post-mortem of its $280 million hack confirms what threat researchers suspected: North Korea's Lazarus Group spent six months building a trusted presence inside the Drift ecosystem — attending in-person events, participating in governance — before seizing control of the protocol's security council and executing the theft. The incident fundamentally challenges the assumption that governance mechanisms protect against technical exploits.

On the law enforcement front, an international coalition disrupted APT28's FrostArmada campaign, which had hijacked DNS on compromised MikroTik and TP-Link routers across NATO member states to intercept Microsoft 365 credentials at scale. And researchers at the University of Toronto disclosed GPUBreach, a Rowhammer attack on GDDR6 GPU memory that escalates from an unprivileged CUDA context to root on the host — with no fix available for consumer GPUs.


Top Stories

Storm-1175 Deploys Medusa Ransomware in Sub-24-Hour Zero-Day Campaigns

Microsoft's threat intelligence team has identified Storm-1175 — a financially motivated, China-linked cybercrime group — as one of the most operationally aggressive Medusa ransomware affiliates currently active. The group's distinguishing characteristic is its operational velocity: Storm-1175 monitors vulnerability disclosures and moves to weaponize flaws within hours, runs parallel mass exploitation campaigns, and has completed full ransomware kill chains from initial access to encrypted systems in under 24 hours in the fastest documented incidents.

Critically, Storm-1175 exploits zero-day vulnerabilities — attacking before patches exist, making patch management alone an insufficient defense. The group focuses on internet-facing edge devices, VPN gateways, managed file transfer platforms, and identity infrastructure, maximizing lateral movement potential from initial access. Medusa deploys double extortion: data is exfiltrated before encryption, and victims face both recovery costs and public exposure via Medusa's Tor-based leak site.

Defensive priorities against Storm-1175 shift away from alert response toward structural controls: zero-trust architecture, microsegmentation, air-gapped immutable backups, and automated isolation capabilities that can quarantine compromised segments in minutes rather than hours.



FBI: Americans Lost a Record $21 Billion to Cybercrime in 2025

The FBI's Internet Crime Complaint Center (IC3) has published its 2025 annual report: US victims lost nearly $21 billion to cyber-enabled crime — an all-time record, significantly up from prior years, across more than 800,000 complaints. The surge is driven primarily by cryptocurrency pig-butchering scams, in which victims are groomed over weeks or months into investing life savings in fraudulent platforms, and by Business Email Compromise (BEC), which continues to cost organizations billions as attackers redirect wire transfers and payroll through spoofed executive emails.

The FBI highlights a troubling new vector: AI-generated deepfake audio and video is now being used in BEC attacks to impersonate executives during video calls and authorize fraudulent wire transfers — a capability that has moved from theoretical to documented in 2025 incidents. Tech support fraud targeting older Americans remains another top driver, with per-victim losses among the highest of any fraud category. Cryptocurrency was involved in losses exceeding $9 billion, primarily through investment fraud. Victims over 60 filed the most complaints and suffered the highest total losses.



Drift $280M Crypto Theft Confirmed as Six-Month DPRK In-Person Infiltration

Drift Protocol's definitive post-mortem of its $280+ million hack confirms the most significant detail: North Korea's Lazarus Group spent approximately six months constructing a functional operational presence inside the Drift ecosystem before executing the theft — including fabricating a professional identity, participating in governance discussions and community channels, and reportedly attending in-person team events to establish credibility.

The goal of the six-month investment was a seat on Drift's security council — the multisig body that holds emergency governance authority over the protocol. Once the attacker achieved majority signing authority on the council, they used that access to authorize the transfer of $280M in assets. The attack is not a smart contract exploit; it is a governance layer attack that subverted the very mechanism designed to protect against technical hacks. The incident surfaces a structural weakness in DeFi: smart contracts can be audited, but governance attacks exploit the human trust layer.

Emerging recommendations include timelocked governance actions (mandatory 48–72 hour delays before execution), KYC or cryptographic identity verification for security council positions, and behavioral anomaly monitoring for sudden changes in governance voting patterns.
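The timelock recommendation above is easier to reason about as code. The following is an added example, not Drift Protocol's governance code or any real multisig implementation: a council model where a queued action needs a signer threshold and cannot execute until a mandatory delay (48 hours here) has elapsed, and where, as an assumption of this model, any single member can cancel during the delay window. That veto-during-delay property is what gives the rest of the ecosystem time to react if a majority of the council is ever subverted. The clock is injected so the scenario runs deterministically.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

MIN_DELAY_SECONDS = 48 * 3600   # the 48-hour floor from the recommendation


@dataclass
class Proposal:
    action: str
    queued_at: int
    eta: int                      # earliest time execution is permitted
    approvals: Set[str] = field(default_factory=set)
    executed: bool = False
    cancelled: bool = False


class TimelockCouncil:
    """Multisig-style council whose actions execute only after a public delay."""

    def __init__(self, members, threshold: int, delay_seconds: int, clock: Callable[[], int]):
        if not (1 <= threshold <= len(members)):
            raise ValueError("threshold must be between 1 and the council size")
        if delay_seconds < MIN_DELAY_SECONDS:
            raise ValueError("delay below the 48-hour floor")
        self.members = set(members)
        self.threshold = threshold
        self.delay = delay_seconds
        self.clock = clock
        self.proposals: Dict[str, Proposal] = {}

    def _member(self, member: str) -> None:
        if member not in self.members:
            raise PermissionError("not a council member")

    def _live(self, pid: str) -> Proposal:
        p = self.proposals[pid]
        if p.executed or p.cancelled:
            raise ValueError("proposal is no longer live")
        return p

    def queue(self, member: str, action: str) -> str:
        """Queue an action; the proposer counts as the first approval."""
        self._member(member)
        now = self.clock()
        pid = secrets.token_hex(8)
        self.proposals[pid] = Proposal(action, now, now + self.delay, {member})
        return pid

    def approve(self, member: str, pid: str) -> int:
        self._member(member)
        p = self._live(pid)
        p.approvals.add(member)
        return len(p.approvals)

    def cancel(self, member: str, pid: str) -> None:
        """Assumed veto: any single member can stop a queued action during the delay."""
        self._member(member)
        self._live(pid).cancelled = True

    def execute(self, pid: str) -> str:
        p = self._live(pid)
        if len(p.approvals) < self.threshold:
            raise PermissionError("threshold not reached")
        if self.clock() < p.eta:
            raise PermissionError("timelock has not expired")
        p.executed = True
        return p.action


def walkthrough() -> Dict[str, str]:
    """Constructed scenario: 3-of-5 signers approve a withdrawal, which cannot run
    immediately; one member cancels it; a later legitimate action runs after the delay."""
    t = {"now": 0}
    council = TimelockCouncil(["a", "b", "c", "d", "e"], 3, MIN_DELAY_SECONDS, lambda: t["now"])
    out = {}
    pid = council.queue("a", "withdraw_treasury")
    council.approve("b", pid)
    council.approve("c", pid)
    try:
        council.execute(pid)
        out["early_execute"] = "allowed"
    except PermissionError as e:
        out["early_execute"] = str(e)       # threshold met, but delay not elapsed
    t["now"] = MIN_DELAY_SECONDS + 1
    council.cancel("e", pid)                # a single member vetoes during the window
    try:
        council.execute(pid)
        out["after_cancel"] = "allowed"
    except ValueError as e:
        out["after_cancel"] = str(e)
    pid2 = council.queue("a", "rotate_oracle")
    council.approve("b", pid2)
    council.approve("c", pid2)
    t["now"] += MIN_DELAY_SECONDS           # wait out the full delay
    out["late_execute"] = council.execute(pid2)
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step:>14}: {result}")
```

The point of the model is the ordering: approvals alone never suffice, and the delay is enforced by the contract logic rather than by signer goodwill, so even a captured majority has to wait in public before an action lands.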



APT28's FrostArmada Disrupted After Hijacking Routers to Steal Microsoft 365 Credentials

An international law enforcement coalition has dismantled FrostArmada, a campaign attributed to APT28 (Fancy Bear / Forest Blizzard) that compromised MikroTik and TP-Link routers — primarily in home offices and small businesses — to redirect Microsoft 365 authentication traffic to attacker-controlled servers. Victims attempting to sign in to Outlook, Teams, and SharePoint were silently routed to convincing phishing pages that captured credentials, session tokens, and in targeted cases, real-time MFA codes via relay attacks.

The campaign leveraged default router credentials, unpatched firmware vulnerabilities, and credential stuffing against router management interfaces to gain footholds. Once DNS was manipulated on compromised routers, APT28 gained persistent access to victims' Microsoft 365 tenants for email surveillance, document exfiltration, and lateral movement — primarily targeting government ministries, defense contractors, political organizations, and journalists across multiple NATO member states. The takedown involved sinkholing of malicious DNS infrastructure, C2 server seizures, and coordination with ISPs and device manufacturers for victim remediation.

Immediate action: verify your router's DNS settings are pointing to expected resolvers, apply firmware updates, and change any default management credentials.



GPUBreach: Rowhammer Attack on GPU GDDR6 Memory Achieves Full System Takeover

Researchers from the University of Toronto have published GPUBreach, a novel hardware attack that exploits Rowhammer bit-flips in GPU GDDR6 memory to escalate from an unprivileged CUDA context to root on the host CPU — bypassing IOMMU protections entirely. The three-stage attack uses a CUDA hammering kernel to flip bits in GPU page table entries, leverages the corrupted PTEs for arbitrary GPU memory access, then exploits memory-safety vulnerabilities in the NVIDIA GPU driver to pivot to host-level privilege escalation.

Validated on the NVIDIA RTX A6000, GPUBreach is particularly significant for cloud and AI workloads: multi-tenant GPU environments where multiple customers share physical hardware may be vulnerable to a malicious tenant achieving host access or reading co-located workloads' GPU memory. Consumer GPUs lacking ECC memory are fully unmitigated — no hardware fix is available. Full technical details will be presented at the IEEE Symposium on Security and Privacy (Oakland 2026) on April 13. Organizations running sensitive workloads on shared GPU infrastructure should treat this as a live risk requiring architectural review.



Security Corner

10 CVEs were newly published to the Security Advisories section this week. Key advisories to action immediately:

CVE-2026-1114 — lollms JWT Weak Secret Key, Admin Takeover (CVSS 9.8 Critical)

The open-source lollms LLM server (parisneo/lollms) signs JWTs with a weak, predictable secret key that can be recovered offline via brute-force using GPU-accelerated tools like hashcat. An attacker with any valid low-privilege JWT can crack the key offline — no rate limiting applies — forge an admin token, and take full control of the lollms instance: accessing stored conversations, connected API keys for OpenAI/Anthropic/etc., uploaded files, and potentially OS-level functionality. If you run a self-hosted lollms instance, update immediately, rotate the JWT secret, and do not expose lollms to the public internet without network access controls.
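The root cause is a secret that can be guessed offline, so the defensive control is to refuse to start with such a secret at all. The following is an added example, not lollms's code: a startup check that rejects short, default or low-entropy HS256 secrets, a generator for a replacement secret (the rotation step above), and a minimal HS256 sign/verify pair that also refuses to sign with a weak secret and rejects tokens whose header switches the algorithm. The list of default values and the 128-bit entropy threshold are constructed for the example; the 32-byte minimum is the HS256 key size RFC 7518 requires.

```python
import base64
import hashlib
import hmac
import json
import math
import secrets
from collections import Counter
from typing import Optional

# RFC 7518 s3.2: an HS256 key must be at least as long as the hash output (256 bits).
MIN_SECRET_BYTES = 32
# Constructed sample of placeholder values that must never be accepted as a JWT secret.
WEAK_DEFAULTS = {"secret", "changeme", "password", "jwt_secret", "your-secret-key"}


def shannon_bits(secret: str) -> float:
    """Rough entropy estimate in bits: a crude lower bound on offline guessing effort."""
    n = len(secret)
    counts = Counter(secret)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def check_secret(secret: str) -> list:
    """Return the reasons a secret is unacceptable; an empty list means it passes."""
    problems = []
    if len(secret.encode("utf-8")) < MIN_SECRET_BYTES:
        problems.append("shorter than %d bytes" % MIN_SECRET_BYTES)
    if secret.lower() in WEAK_DEFAULTS:
        problems.append("matches a known default value")
    if shannon_bits(secret) < 128:
        problems.append("estimated entropy below 128 bits")
    return problems


def generate_secret() -> str:
    """A fresh 384-bit random secret, URL-safe so it drops into an env file unchanged."""
    return secrets.token_urlsafe(48)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Issue an HS256 JWT; refuses to sign if the secret fails check_secret."""
    problems = check_secret(secret)
    if problems:
        raise ValueError("refusing to sign with a weak secret: %s" % problems)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode("utf-8"), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the payload if the signature is valid and alg is HS256, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm: no 'none', no RS/HS confusion
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
    expected = hmac.new(secret.encode("utf-8"), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return None
    return json.loads(b64url_decode(body))


if __name__ == "__main__":
    print("weak secret problems:", check_secret("secret"))
    strong = generate_secret()
    token = sign_hs256({"sub": "alice", "role": "user"}, strong)
    print("verified payload:", verify_hs256(token, strong))
```

Run `check_secret` against the configured value at process start and fail closed; a secret that passes the length and entropy checks has no meaningful offline attack surface, which is what removes the class of bug the advisory describes.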

CVE-2026-26026 — GLPI Template Injection Enables Authenticated RCE (CVSS 9.1 Critical)

GLPI versions 11.0.0 through 11.0.5 contain a server-side template injection vulnerability in the administrator interface allowing authenticated admins to achieve remote code execution. Fixed in GLPI 11.0.6 — update immediately if you run GLPI for IT asset management or service desk operations.

CVE-2026-35392 — goshs Path Traversal, Unauthenticated File Write (CVSS 9.8 Critical)

A critical path traversal in goshs (a SimpleHTTPServer written in Go) allows unauthenticated attackers to write arbitrary files via the PUT upload endpoint. Fixed in version 2.0.0-beta.3. Any internet-exposed goshs instance should be updated immediately.
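For anyone maintaining their own upload endpoint, the fix pattern for this bug class is worth seeing in full. The following is an added example, not goshs's code or its fix: a guard that maps a client-supplied name onto a file strictly inside the upload root. It rejects traversal lexically (so nothing is silently normalised away) and then resolves the path on the filesystem and checks containment, which is the only way to catch a symlink inside the root that points outside it. It assumes the caller passes the already URL-decoded path, as an HTTP framework does; decoding again here would reintroduce double-encoding bugs.

```python
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a client-supplied upload name would leave the upload root."""


def safe_upload_path(root: Path, requested: str) -> Path:
    """Map an already-decoded client path onto a file strictly inside root."""
    if not requested or "\x00" in requested:
        raise PathTraversalError("empty name or NUL byte")
    candidate = requested.replace("\\", "/")           # treat backslash as a separator too
    if candidate.startswith("/"):
        raise PathTraversalError("absolute path rejected")
    parts = [p for p in candidate.split("/") if p not in ("", ".")]
    if not parts:
        raise PathTraversalError("no file name")
    if any(p == ".." for p in parts):
        raise PathTraversalError("traversal segment rejected")
    # Second pass: resolve symlinks, then confirm the real target is under the real root.
    root_resolved = root.resolve()
    target = root_resolved.joinpath(*parts).resolve()
    if target != root_resolved and root_resolved not in target.parents:
        raise PathTraversalError("resolved outside upload root")
    return target


def run_checks() -> dict:
    """Exercise the guard in a scratch directory; returns name -> accepted (bool).
    The directory layout and the request names are constructed for the example."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        root.mkdir()
        os.symlink(tmp, root / "escape")              # a link inside the root pointing outside
        names = [
            "report.txt",
            "2026/q1/report.txt",
            "../../etc/passwd",
            "..\\..\\windows\\win.ini",
            "/etc/passwd",
            "a/../../b",
            "escape/outside.txt",                      # only the resolve() pass catches this
            "",
        ]
        for name in names:
            try:
                safe_upload_path(root, name)
                results[name] = True
            except PathTraversalError:
                results[name] = False
    return results


if __name__ == "__main__":
    for name, accepted in run_checks().items():
        print("accept" if accepted else "REJECT", repr(name))
```

Wire the guard in before opening the file for writing, and log rejections: a burst of rejected traversal attempts against an upload endpoint is exactly the signal a defender wants from an internet-exposed file server.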

Also published this week:

  • CVE-2026-5637 — SQL Injection in projectworlds Car Rental System 1.0
  • CVE-2026-4896 — WCFM WooCommerce Plugin IDOR, Unauthorized Order Manipulation
  • CVE-2026-3445
  • CVE-2026-28815
  • CVE-2019-25662
  • CVE-2026-5575
  • CVE-2026-5555

Quick Takes

  • Hackers Exploit Critical Flaw in Ninja Forms WordPress Plugin: Attackers are actively exploiting a critical vulnerability in the widely-deployed Ninja Forms WordPress plugin. If you run WordPress sites with Ninja Forms installed, update immediately — this class of plugin flaw typically enables unauthenticated remote code execution or data exfiltration affecting any site still on a vulnerable version.

  • German BKA Identifies REvil and GandCrab Ransomware Leaders: German federal authorities (BKA) have publicly identified the individuals behind both the REvil and GandCrab ransomware operations — two of the most prolific ransomware-as-a-service platforms in history. GandCrab alone is estimated to have extorted over $2 billion from victims before it shut down. The identifications follow years of joint intelligence work with international partners and signal continued pressure on ransomware leadership.

  • Fortinet Zero-Day Under Active Exploitation With No Full Patch Yet: Fortinet customers are navigating an actively exploited zero-day vulnerability for which a complete patch is still not available. Organizations running vulnerable Fortinet products should apply available mitigations immediately, monitor Fortinet's advisory feed closely, and treat perimeter Fortinet devices as potentially compromised pending full remediation.

  • Feds Disrupt IoT Botnets Behind Massive DDoS Attacks: US federal authorities disrupted multiple IoT-based botnets responsible for some of the largest distributed denial-of-service attacks observed in recent years. The operations targeted compromised routers, cameras, and other internet-connected devices weaponized into DDoS infrastructure — a reminder that unpatched consumer IoT devices remain one of the most reliably exploitable resources in the attacker ecosystem.

  • LiteLLM Vulnerability Turned Developer Machines Into Credential Vaults: A security flaw in LiteLLM — a popular open-source library for accessing multiple LLM APIs through a unified interface — allowed attackers to extract stored API keys and credentials from developer machines. LiteLLM is widely used in AI development environments where it stores API keys for OpenAI, Anthropic, and other providers, making compromised instances a rich source of AI service credentials.

  • Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware: This week's broader recap covers the continued fallout from the Axios npm supply chain attack, a Chrome zero-day under active exploitation, expanding Fortinet vulnerability disclosures, and new details on Paragon spyware deployments against journalists and civil society.


Upcoming

  • GPUBreach Full Technical Disclosure — April 13: The University of Toronto researchers present full GPUBreach technical details at the IEEE Symposium on Security and Privacy (Oakland 2026) on April 13. This will include precise GDDR6 hammering patterns, bit-flip engineering methodology, and NVIDIA driver exploitation techniques. Cloud providers and organizations running AI/ML workloads on shared GPU infrastructure should have their architectural review and risk assessment completed before this date — once full exploit details are public, weaponization timelines compress.

  • April Patch Tuesday — April 14: Microsoft's next scheduled patch cycle arrives April 14. Q1 2026 has seen an elevated volume of remote code execution disclosures across the Microsoft stack. Begin pre-patch readiness reviews now for Windows, Exchange, Office, and Edge components. Given Storm-1175's pattern of sub-day weaponization, organizations should target same-day or next-day patch deployment for any Critical-rated bulletins.

  • Fortinet Full Patch — Monitor Advisory Feed: The actively exploited Fortinet zero-day does not yet have a complete patch. Watch Fortinet's PSIRT advisory feed for patch availability and treat this as a priority zero item. Fortinet vulnerabilities have a consistent history of rapid threat actor weaponization. If your Fortinet deployment cannot be mitigated, consider whether temporary removal from the internet perimeter is preferable to remaining exposed.

  • Medusa / Storm-1175 — Defensive Posture Review: With Microsoft's detailed attribution and Storm-1175's sub-24-hour attack chain documented, security teams in any sector that has seen Medusa activity — healthcare, manufacturing, financial services, critical infrastructure — should use this week's reporting as a forcing function to verify: (1) immutable backup status, (2) automated network isolation capability, (3) real-time patch deployment pipeline for critical CVEs, and (4) zero-trust segmentation coverage for internet-facing systems.

  • Router Credential Audit Following FrostArmada: The APT28 FrostArmada disruption is a prompt for every organization to audit the routers that connect remote workers, branch offices, and home offices to corporate networks. Confirm firmware is current, default credentials have been changed, remote management over WAN is disabled, and DNS settings match expected resolvers. If you operate a hybrid workforce, consider deploying a monitored DNS resolver (Cloudflare Gateway, Cisco Umbrella) that can detect anomalous DNS behavior across your environment.
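The "DNS settings match expected resolvers" check from the FrostArmada item above and from the router audit in this list is simple to automate on the endpoints behind those routers. The following is an added example, not code from the law enforcement reporting or any vendor: it parses resolv.conf-style text, compares each nameserver against an allowlist, and flags anything unexpected. The sample resolv.conf and the allowlist are constructed; 203.0.113.7 is a documentation-range address standing in for a rogue resolver, not an indicator from the campaign. A resolver that is the router's own LAN address is reported separately, because on that path the router's upstream setting (the thing FrostArmada changed) has to be checked in the router UI.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: a laptop behind a home router, with one resolver that does not belong.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search home.example
nameserver 192.168.1.1
nameserver 203.0.113.7
nameserver 2606:4700:4700::1111
options timeout:2
"""

# Constructed allowlist: resolvers this environment is expected to use, plus the
# router's LAN address for hosts that forward through it.
EXPECTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "2606:4700:4700::1111", "9.9.9.9"}


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.startswith("nameserver"):
            fields = line.split()
            if len(fields) >= 2:
                servers.append(fields[1])
    return servers


def audit_resolvers(resolv_conf: str, expected: set) -> Dict[str, str]:
    """Classify each configured resolver as 'ok', 'unexpected', 'invalid', or
    'lan-forwarder' (the router itself; its upstream must be checked separately)."""
    expected_ips = {ipaddress.ip_address(e) for e in expected}
    findings = {}
    for server in parse_nameservers(resolv_conf):
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            findings[server] = "invalid"
            continue
        if ip not in expected_ips:
            findings[server] = "unexpected"
        elif ip.is_private:
            findings[server] = "lan-forwarder"
        else:
            findings[server] = "ok"
    return findings


def has_unexpected(findings: Dict[str, str]) -> bool:
    """True if any resolver is outside the allowlist: the condition to alert on."""
    return any(verdict == "unexpected" for verdict in findings.values())


if __name__ == "__main__":
    # On a real host, replace SAMPLE_RESOLV_CONF with Path("/etc/resolv.conf").read_text().
    report = audit_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS)
    for server, verdict in report.items():
        print(f"{server:>24}  {verdict}")
    print("ALERT" if has_unexpected(report) else "clean")
```

On hosts running systemd-resolved, /etc/resolv.conf usually lists only the local stub (127.0.0.53), so feed the script the upstream servers from `resolvectl status` instead; and because the router path shows up only as "lan-forwarder", the router's own WAN DNS setting still needs a manual or vendor-API check.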


By the Numbers

Metric                                      Value
Storm-1175 fastest complete attack chain    Under 24 hours
US cybercrime losses in 2025 (IC3)          $21 billion (record)
IC3 complaints received in 2025             800,000+
Cryptocurrency losses in 2025               $9 billion+
Drift Protocol hack value                   $280 million
DPRK DeFi theft all-time estimate           ~$3 billion
Drift infiltration duration                 6 months
FrostArmada: NATO states affected           Multiple
GPUBreach: validated GPU                    NVIDIA RTX A6000
Google bug bounty for GPUBreach             $600
New CVEs published this week                10
Critical CVEs (CVSS ≥ 9.0)                  3
