
RadioCSIRT - English Edition

By: Marc Frédéric GOMEZ

About this listen

🎙 Marc Frédéric Gomez, cybersecurity expert, brings you daily insights into the latest threats, attacks, and defense strategies you need to know.

🔎 On the agenda:
✔️ Analysis of cyberattacks and critical vulnerabilities
✔️ Strategic intelligence for CSIRTs, CERTs, and cybersecurity professionals
✔️ Sources and references to dive deeper into each topic

💡 Why listen to RadioCSIRT?
🚀 Stay up to date in just a few minutes a day
🛡️ Anticipate threats with reliable, technical information
📢 An essential intelligence source for IT and security professionals

🔗 Listen, share, and secure your environment!
📲 Subscribe and leave a ⭐ rating on your favorite platform!

Politics & Government
Episodes
  • RadioCSIRT English Edition – Adobe ZeroDay - CVE-2026-34621 - Ep.78
    Apr 12 2026
    On April 9, 2026, researcher Haifei Li, founder of EXPMON — a sandbox-based exploit detection system — publicly disclosed a zero-day vulnerability in Adobe Acrobat Reader that had been actively exploited in the wild for at least five months. Adobe was notified on April 7. The vulnerability has since been confirmed by Adobe, assigned CVE-2026-34621, rated Critical at CVSS 9.6, and addressed in emergency security update APSB26-43. All Adobe Reader users must apply this patch immediately.

    The attack vector is a specially crafted PDF requiring no user interaction beyond opening the file. Heavily obfuscated JavaScript executes automatically, abusing two sandboxed Acrobat APIs outside their expected context: util.readFileIntoStream to collect local files and sensitive system data, and RSS.addFeed to exfiltrate that data to a C2 server and receive additional AES-encrypted JavaScript payloads.

    The exploitation chain has three identified phases. Phase one — confirmed — performs system fingerprinting: OS version, language settings, local file paths and Adobe Reader version are transmitted to the C2 for server-side victim filtering. Sandbox environments receive empty C2 responses and leave no trace; only real targets proceed. Phase two — confirmed — enables local file exfiltration on systems the operator determines are of interest. Phase three — remote code execution combined with sandbox escape — is not yet confirmed but is assessed as probable by the research community.

    Two known samples define the campaign timeline. Version one, uploaded to VirusTotal on November 28, 2025: prototype phase, lighter obfuscation, C2 on a bare IP, broad OS targeting, initial detection rate of two out of sixty-four VirusTotal engines. Version two, uploaded March 23, 2026: production phase, hardened obfuscation, domain-based C2, focused Windows 10 targeting. A third version is inferred from an observed /S12 endpoint targeting Reader version 25.x — which runs on Windows 11 — confirming active ongoing development at the time of disclosure. The lure documents contain Russian-language content referencing current events in Russia's oil and gas sector, consistent with targeted energy sector espionage rather than commodity malware distribution.

    The confirmed C2 IP is 188.214.34.20 on port 34123 — currently offline. The network-level behavioral IOC to block is any outbound HTTP request whose User-Agent header contains the string "adobe synchronizer". Known malicious filenames include Invoice540.pdf alongside generic decoy names. SHA-256 hashes for both confirmed samples are published in the EXPMON and N3mes1s forensic reports. The retroactive threat hunting window is November 2025 to the present: five months of potential undetected exposure in organizations where PDF workflows are standard.

    Immediate actions: apply Adobe emergency patch APSB26-43 covering CVE-2026-34621. Block outbound HTTP traffic whose User-Agent contains "adobe synchronizer". Block C2 IP 188.214.34.20 on port 34123. Monitor for outbound network connections initiated by AcroRd32.exe or Acrobat.exe toward non-standard ports. Run a retroactive IOC search in SIEM and EDR covering the full five-month exposure window. Alert staff to the risk of PDF attachments regardless of sender: lure documents in this campaign are contextually plausible invoices and sector-relevant content.

    Sources

    • EXPMON / Haifei Li – EXPMON detected sophisticated zero-day fingerprinting attack targeting Adobe Reader users : https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html
    • BleepingComputer – Hackers exploiting Acrobat Reader zero-day flaw since December : https://www.bleepingcomputer.com/news/security/hackers-exploiting-acrobat-reader-zero-day-flaw-since-december/
    • Security Affairs – Malicious PDF reveals active Adobe Reader zero-day in the wild : https://securityaffairs.com/190558/hacking/malicious-pdf-reveals-active-adobe-reader-zero-day-in-the-wild.html

    Don't think, patch!

    Your feedback is welcome.

    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

    #RadioCSIRT #CyberSecurity #ThreatIntelligence #CTI #AdobeReader #ZeroDay #CVE202634621 #PDF #EXPMON #Malware
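    The retroactive hunt the episode asks for, as an added example that is not code from the podcast or from EXPMON. It applies the three network indicators stated above (the "adobe synchronizer" User-Agent, the C2 188.214.34.20:34123, and Acrobat or Reader processes connecting to non-standard ports) to two constructed exports: a generic web-proxy CSV and a generic EDR network-connection CSV. The column names, the sample rows, the "expected ports" set of 80/443 and the choice of November 1, 2025 as the start of the window are assumptions for the demo; map them to what your SIEM actually emits.

```python
"""Retroactive hunt for the CVE-2026-34621 network indicators named in the episode.

Added example (not from the podcast or EXPMON). The two CSV layouts below are
constructed for the demo: a generic web-proxy export and a generic EDR
network-connection export. Map the column names to whatever your SIEM emits.
"""
import csv
import io
from datetime import datetime, timezone

# Indicators as stated in the episode.
UA_SUBSTRING = "adobe synchronizer"              # matched case-insensitively
C2_IP, C2_PORT = "188.214.34.20", 34123
ACROBAT_IMAGES = {"acrord32.exe", "acrobat.exe"}
# Assumption: ordinary Reader web traffic is HTTP/HTTPS; anything else is "non-standard".
EXPECTED_PORTS = {80, 443}
# Earliest known sample was uploaded 2025-11-28; the hunt window opens in November 2025.
HUNT_START = datetime(2025, 11, 1, tzinfo=timezone.utc)

# Constructed proxy export: ts,src_ip,dst_ip,dst_port,method,url,user_agent
PROXY_LOG = """ts,src_ip,dst_ip,dst_port,method,url,user_agent
2026-01-14T09:12:03Z,10.0.5.21,188.214.34.20,34123,POST,/rss,Adobe Synchronizer
2026-01-14T09:12:09Z,10.0.5.21,203.0.113.8,443,GET,/feed.xml,Adobe Synchronizer
2026-02-02T16:40:11Z,10.0.7.3,198.51.100.9,443,GET,/,Mozilla/5.0
2025-10-03T08:00:00Z,10.0.9.4,188.214.34.20,34123,POST,/rss,adobe synchronizer
"""

# Constructed EDR export: ts,host,process,dst_ip,dst_port
EDR_LOG = """ts,host,process,dst_ip,dst_port
2026-01-14T09:12:03Z,WS-021,C:\\Program Files\\Adobe\\Acrobat Reader\\AcroRd32.exe,188.214.34.20,34123
2026-01-14T09:30:00Z,WS-021,C:\\Program Files\\Adobe\\Acrobat Reader\\AcroRd32.exe,203.0.113.8,443
2026-03-25T11:05:42Z,WS-044,C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe,192.0.2.77,8081
2026-03-25T11:06:00Z,WS-044,C:\\Windows\\explorer.exe,192.0.2.77,8081
"""


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed exports."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt_proxy(log_text):
    """Return proxy rows matching the User-Agent or C2 indicators."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if UA_SUBSTRING in row["user_agent"].lower():
            reasons.append("user-agent contains 'adobe synchronizer'")
        if row["dst_ip"] == C2_IP and int(row["dst_port"]) == C2_PORT:
            reasons.append(f"known C2 {C2_IP}:{C2_PORT}")
        if reasons:
            hits.append({
                "ts": row["ts"], "src": row["src_ip"],
                "dst": f"{row['dst_ip']}:{row['dst_port']}",
                # A hard IOC match before the window is still a hit: flag it, don't drop it.
                "in_window": _ts(row["ts"]) >= HUNT_START,
                "reasons": reasons,
            })
    return hits


def hunt_edr(log_text):
    """Return Acrobat/Reader connections to non-standard ports or to the known C2."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        image = row["process"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image not in ACROBAT_IMAGES:
            continue
        port = int(row["dst_port"])
        reasons = []
        if port not in EXPECTED_PORTS:
            reasons.append(f"{image} to non-standard port {port}")
        if row["dst_ip"] == C2_IP and port == C2_PORT:
            reasons.append(f"known C2 {C2_IP}:{C2_PORT}")
        if reasons:
            hits.append({"ts": row["ts"], "host": row["host"], "image": image,
                         "dst": f"{row['dst_ip']}:{port}",
                         "in_window": _ts(row["ts"]) >= HUNT_START,
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt_proxy(PROXY_LOG) + hunt_edr(EDR_LOG):
        flag = "" if hit["in_window"] else " (before known window)"
        print(f"{hit['ts']} {hit.get('src') or hit['host']} -> {hit['dst']}{flag}: "
              + "; ".join(hit["reasons"]))
```

    Two design points: the User-Agent match is deliberately independent of destination, since the episode's guidance is to block the string wherever it appears, and a C2 match dated before the known window is reported rather than filtered out, because the earliest VirusTotal upload only bounds what the researchers have seen, not when the campaign began.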
    12 mins
  • RadioCSIRT English Edition - Update about Cyber situation on middle East - Ep. 77
    Apr 12 2026
    In this episode: the cyber dimension of the Iran conflict — a six-week retrospective from the initial strikes of February 28 through the fragile ceasefire of April 9, 2026, covering the full evolution of Iranian and pro-Iranian cyber operations from the first hacktivist DDoS waves to confirmed exploitation of industrial control systems inside the United States.

    On February 28, 2026, the United States and Israel launched joint military strikes against Iranian strategic sites under Operations Epic Fury and Roaring Lion. Within hours, two things happened simultaneously in cyberspace: Iran's domestic internet connectivity collapsed to between one and four percent of normal capacity, and a coordinated multi-vector cyber counteroffensive was launched combining state APT operations with a coalition of over sixty hacktivist groups. In the first seventy-two hours, more than 149 attack claims were recorded against 110 distinct organizations across sixteen countries. Two groups accounted for seventy percent of total DDoS volume: Keymous Plus targeting GCC governments and financial institutions, and DieNet hitting Bahrain and Sharjah airports, Riyadh Bank, Bank of Jordan, and UAE infrastructure. In parallel, APT34/OilRig was conducting active credential harvesting against regional telecoms and government institutions, with confirmed exploitation of CVE-2026-22719 — a CVSS 8.1 unauthenticated command injection in VMware Aria Operations, added to the CISA KEV catalog on March 4. MuddyWater was conducting Operation Olalampo against META-region IT providers. UNC1549 was operating against defense, aerospace, and telecoms targets. APT35 and APT42 were running cloud credential theft campaigns against M365 and Google Workspace environments.

    A supply chain dimension emerged in week one: state actors began injecting malicious code into npm and PyPI packages, activating payloads only within production CI/CD pipelines, with AI-generated code designed to evade conventional detection tools. On March 31, the npm axios library — over one billion monthly downloads — was compromised via maintainer credential theft. Malicious versions 1.14.1 and 0.30.4 incorporated a hidden dependency, plain-crypto-js 4.2.1, whose post-install dropper deployed a cross-platform RAT targeting Windows, macOS, and Linux. Any development environment that installed or updated axios during the compromise window should be treated as potentially affected.

    Also on March 31, the IRGC formally designated Western technology and financial entities as legitimate targets for retaliatory operations effective April 1. Named targets include Cisco, HP, Intel, Oracle, Microsoft, Apple, Google, Meta, IBM, Dell, Nvidia, and Palantir in the technology sector — all classified high threat level — JPMorgan Chase in finance, and Boeing and General Electric in defense and industry. This designation transformed the threat from opportunistic hacktivist activity into a declared targeting posture against named Western entities.

    The most operationally significant escalation occurred on April 8, 2026. The FBI, CISA, NSA, EPA, Department of Energy, and USCYBERCOM published a joint advisory confirming active exploitation of programmable logic controllers in US water, wastewater, energy, and government facility sectors by Iranian-affiliated APT actors, with confirmed operational disruption and financial loss. Targeted devices include Rockwell Automation CompactLogix and Micro850 PLCs, with activity indicating possible extension to Siemens S7 devices. Actors accessed internet-facing PLCs from overseas infrastructure using Rockwell's Studio 5000 Logix Designer software, manipulating project files and HMI/SCADA displays. This is not an assessment — it is a confirmed joint government advisory with confirmed operational impact. The shift from DDoS and data exfiltration to confirmed OT/PLC exploitation with operational consequences represents a qualitative escalation in threat level that every industrial operator must integrate into their defensive posture immediately.

    For detection priorities: audit all npm and PyPI installations for the compromised axios versions and the plain-crypto-js dependency. Integrate the FBI/CISA/NSA April 8 IOC set into SIEM and EDR platforms, with enhanced monitoring of SCADA and ICS systems and of internet-exposed OT connections on ports 44818, 2222, 102, 22, and 502. For enterprise environments: APT34 DNS hijacking and APT35/42 cloud credential theft remain active — monitor M365 and Google Workspace for anomalous authentication patterns. Any organization explicitly named in the IRGC March 31 designation should treat that condition as a confirmed elevated threat, not background risk.

    Sources

    • CISA – Joint advisory AA26-097A: Iranian-affiliated cyber actors exploit programmable logic controllers across US critical infrastructure : https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
    • Cybersecurity Dive – Iran-linked hackers target water and...
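    The first detection priority above, auditing npm installations for the compromised axios versions and the plain-crypto-js dependency, as an added example that is not code from the podcast, from npm or from the axios project. It walks a package-lock.json, covering both the flat "packages" map of lockfileVersion 2/3 (so copies nested under another package's node_modules are not missed) and the nested "dependencies" tree of lockfileVersion 1, and flags the exact package@version pairs the episode names. The lockfile contents are constructed for the demo, and treating any version of plain-crypto-js and any package with an install script as review-worthy is an assumption that goes beyond the two versions the episode names.

```python
"""Audit an npm lockfile for the axios compromise described in the episode.

Added example (not from the podcast, npm or the axios project). The indicator
versions are the ones the episode names: axios 1.14.1 and 0.30.4, which pulled in
plain-crypto-js 4.2.1. The lockfile below is constructed for the demo.
"""
import json

# Exact package@version pairs named as malicious in the episode.
COMPROMISED = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}
# Assumption: plain-crypto-js is not something a normal dependency tree needs,
# so any version of it is worth a look, not only the one named above.
SUSPECT_NAMES = {"plain-crypto-js"}

# Constructed lockfileVersion 3 file (npm 7+): flat "packages" map keyed by install path.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0", "express": "^4.19.0", "esbuild": "^0.21.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/esbuild": {"version": "0.21.5", "hasInstallScript": True},
        # A second, older axios nested under another package: not in the bad set.
        "node_modules/some-tool/node_modules/axios": {"version": "1.13.0"},
    },
})


def iter_packages(lock):
    """Yield (name, version, metadata) for every installed package.

    Handles lockfileVersion 2/3 ("packages", keyed by install path, so nested
    copies under another package's node_modules are seen too) and
    lockfileVersion 1 ("dependencies", a nested tree).
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:                      # "" is the root project itself
                continue
            name = path.split("node_modules/")[-1]   # keeps "@scope/name" intact
            yield name, meta.get("version"), meta
        return

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version"), meta
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit_lockfile(text):
    """Return one (name, version, reason) triple per flagged package, in lockfile order."""
    findings = []
    for name, version, meta in iter_packages(json.loads(text)):
        if version in COMPROMISED.get(name, set()):
            findings.append((name, version, "known compromised version"))
        elif name in SUSPECT_NAMES:
            findings.append((name, version, "suspect dependency present"))
        elif meta.get("hasInstallScript"):
            # Lifecycle scripts were the execution vector here; review every package that has one.
            findings.append((name, version, "has install script (review)"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```

    Run it against every package-lock.json checked in or present on build agents, not only the repository root: the episode's point is that the payload activated inside CI/CD pipelines, so the lockfiles that matter most are the ones those runners resolved during the compromise window.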
    14 mins
  • RadioCSIRT English Edition – Patch Tuesday April 2026 Preview - Episode 76
    Apr 12 2026

    On April 14, 2026, Microsoft releases its monthly security update cycle. This Patch Tuesday warrants direct attention from every patch management team and every operations team running Windows infrastructure. The maximum severity is critical. The primary impact is remote code execution. The affected surface covers the most widely deployed platforms in enterprise environments simultaneously: all active Windows 11 versions, the entire still-supported Windows Server range from 2016 through 2025, Remote Desktop Services, Microsoft Office, and the .NET runtime. Thirteen product families are addressed in this cycle across three deployment priority tiers.

    Seven families are classified priority one — immediate deployment. Windows 11, all active versions — 23H2, 24H2, 25H2, and 26H1 — receive critical patches with remote code execution impact. Windows Server 2025, 2022, 2019, and 2016 follow the same pattern: all rated critical, all with remote code execution impact, all priority one. Remote Desktop Services also lands at critical severity with remote code execution impact and deserves specific attention beyond the standard label. The exploitation history of RDS vulnerabilities is well documented — BlueKeep and DejaBlue in 2019, both wormable, with BlueKeep exploited in the wild within months of disclosure. Any entity exposing RDS over the internet or through VPN concentrators should treat this component as the highest-urgency item in this cycle. Microsoft Office is priority one with critical severity — the exploitation vector is consistently phishing, the dominant initial access vector in campaigns targeting the financial sector. The .NET and .NET Framework entry is rated critical with denial of service impact: a vulnerability rated critical on .NET can crash or render unavailable any application or web service running on these runtimes without any code execution — a direct availability risk that can be triggered remotely.

    Three families are priority two — deployment within seven days: SQL Server with important severity and remote code execution impact, SharePoint with important severity and spoofing impact, and Azure components with important severity and elevation of privilege impact. Three families are priority three — standard cycle: Visual Studio, Dynamics 365, and System Center, all rated important.

    Additionally, this April cycle introduces a kernel driver trust enforcement change for Windows 11 24H2, 25H2, 26H1, and Windows Server 2025: systems will no longer treat legacy cross-signed drivers as a blanket trust path. Environments that still depend on older cross-signed driver binaries should audit their driver inventory before deployment. All Windows 11 and Windows Server updates in this cycle are cumulative. Detailed CVE-level disclosure and CVSS scores will be available on the Microsoft Security Response Center from April 14.

    Sources

    • Help Net Security – April 2026 Patch Tuesday forecast: spring cleaning of a preview : https://www.helpnetsecurity.com/2026/04/10/april-2026-patch-tuesday-forecast/
    • Zecurit – Patch Tuesday April 2026: security updates and CVE analysis : https://zecurit.com/endpoint-management/patch-tuesday/
    • Microsoft Security Response Center – Security Update Guide : https://msrc.microsoft.com/update-guide/

    Don't think, patch!

    Your feedback is welcome.

    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

    #RadioCSIRT #CyberSecurity #PatchTuesday #Microsoft #ThreatIntelligence #CTI #Windows #RDS #Office #dotNET

    9 mins