Cybersecurity Weekly Briefing, 18-24 April
Microsoft warns of attacks via Teams and Quick Assist
Microsoft has documented an increase in campaigns that exploit Microsoft Teams and Windows Quick Assist to carry out social engineering chains aimed at gaining full access to corporate environments and covertly exfiltrating data. Attackers initiate cross-tenant chats and calls in Teams, impersonating IT support staff, and convince victims to start a Quick Assist session and approve elevation requests.
Once interactive control is obtained, they conduct initial reconnaissance via cmd.exe and PowerShell, and execution is achieved through DLL sideloading using signed, legitimate binaries disguised as updates or security patches. WinRM (TCP 5985) is used for lateral movement with valid credentials, targeting high-value assets such as domain controllers.
The attackers deploy commercial RMM tools for additional persistence and use Rclone to exfiltrate selected data to cloud storage. The entire chain relies exclusively on legitimate tools.
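As an added illustration (not code from Microsoft's report), the following Python correlates the chain described above over constructed, Sysmon-style host records: a shell spawned by Quick Assist, a signed binary loading a DLL from a user-writable path, and an outbound WinRM connection within a short window. Field names, paths and the two-hour window are assumptions.

```python
"""Added example: correlate the Quick Assist -> shell -> DLL sideload -> WinRM chain over constructed, Sysmon-style records."""
from datetime import datetime, timedelta

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WINRM_PORTS = {5985, 5986}   # WinRM over HTTP / HTTPS
WINDOW = timedelta(hours=2)  # how long after the Quick Assist shell we keep correlating

# Constructed telemetry (field names and paths are assumptions): WS01 shows the whole chain; WS02 only makes a routine WinRM call.
EVENTS = [
    {"ts": "2026-04-20T09:01:10", "host": "WS01", "kind": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe"},
    {"ts": "2026-04-20T09:12:42", "host": "WS01", "kind": "imageload", "signed": True,
     "image": "C:\\Users\\alice\\Downloads\\update\\updater.exe", "loaded": "C:\\Users\\alice\\Downloads\\update\\version.dll"},
    {"ts": "2026-04-20T09:40:05", "host": "WS01", "kind": "network", "dest": "DC01", "dest_port": 5985,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"ts": "2026-04-20T10:02:00", "host": "WS02", "kind": "network", "dest": "FS01", "dest_port": 5985,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def stage(ev):
    """Map one record to a chain stage name, or None if it matches no rule."""
    if (ev["kind"] == "process" and basename(ev["image"]) in SHELLS
            and basename(ev["parent"]) == "quickassist.exe"):
        return "shell_from_quickassist"
    if (ev["kind"] == "imageload" and ev.get("signed")
            and not ev["loaded"].lower().startswith("c:\\windows\\")):
        return "signed_binary_loads_user_path_dll"
    if ev["kind"] == "network" and ev.get("dest_port") in WINRM_PORTS:
        return "winrm_outbound"
    return None

def correlate(events):
    """Return {host: [stages]} where a Quick Assist shell is followed by WinRM within WINDOW."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = stage(ev)
        if s:
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), s))
    alerts = {}
    for host, seq in by_host.items():
        starts = [t for t, s in seq if s == "shell_from_quickassist"]
        for t0 in starts:
            chain = [s for t, s in seq if t0 <= t <= t0 + WINDOW]
            if "winrm_outbound" in chain:
                alerts[host] = list(dict.fromkeys(chain))  # dedupe, keep first-seen order
                break
    return alerts
```

A lone WinRM connection (WS02) does not alert; only the sequence anchored on the Quick Assist-spawned shell does.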
BRIDGE:BREAK: 20 vulnerabilities in serial-to-IP converters allow RCE
Forescout has published BRIDGE:BREAK, a research report documenting 20 new vulnerabilities in Silex and Lantronix serial-to-IP converters – devices that act as a bridge between legacy serial equipment and Ethernet/IP networks in sectors such as industry, healthcare, energy and transport.
The vulnerabilities, some of which can be exploited without authentication, allow command injection, remote code execution, firmware manipulation and device takeover. Forescout demonstrated real-world impact scenarios, including the tampering of sensor readings in industrial and healthcare environments to conceal hazardous conditions, and the delivery of malicious firmware capable of disabling patient monitors, infusion pumps and surgical lighting systems.
A search on Shodan identifies nearly 20,000 devices exposed to the internet, and through OSINT it is possible to obtain internal IP addresses, models and photographs of critical infrastructure such as electrical substations or water treatment plants.
Both manufacturers have released patches.
New variant of NGate hidden in a trojanised HandyPay app steals NFC data
ESET has identified a new variant of NGate, Android malware designed to steal NFC payment data, hidden within a trojanised version of HandyPay, a legitimate mobile payment processing app. NGate captures payment card details via the device’s NFC chip and sends them to the attacker to create virtual cards used for unauthorised purchases or cash withdrawals at NFC-enabled ATMs.
The new variant uses HandyPay modified with malicious code to facilitate data exfiltration. According to ESET, the switch from NFCGate to HandyPay is likely due to financial and evasion considerations, as HandyPay requires less operational exposure and, by default, does not request permissions unless configured as the default payment app.
After installation, the app requests to be set as the default NFC app, asks for the card’s PIN and prompts the user to hold the card close to the phone to read it, sending the collected data to an email address belonging to the attacker, which is encoded within the app.
Oracle releases its April 2026 cumulative update with 481 patches
Oracle has released its second quarterly security update of 2026, addressing 481 vulnerabilities across multiple product families, including third-party dependencies integrated into its distributions. Of the 481 patches in total, 376 – approximately 78% – relate to non-Oracle CVEs present in exploitable third-party components within its products.
Oracle Communications addresses 139 vulnerabilities, of which 93 are remotely exploitable without credentials. Oracle Financial Services Applications addresses 75 vulnerabilities, 59 of which are exploitable without credentials. Oracle Fusion Middleware receives 59 patches, 46 of which are exploitable without credentials. Oracle MySQL addresses 34 vulnerabilities; some carry a risk of remote code execution.
Oracle E-Business Suite receives 18 patches.
Unit 42: AI-powered frontier models will increase attacks on the supply chain
Unit 42 warns of a qualitative shift in the offensive capabilities of state-of-the-art AI models, which have demonstrated the ability to discover zero-day vulnerabilities, chain together complex exploits and adapt in real time to hardened environments, without requiring expert human intervention.
The models demonstrate significantly superior capabilities when analysing source code compared to compiled code, exposing OSS projects to systematic exploitation beyond the reach of defenders. Unit 42 anticipates an increase in supply chain attacks similar to recent cases such as TeamPCP or the North Korean campaign against the Axios library.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →