78 % Exchange 0-Day Rampage in 12 h: Hospitals Piñata’d, 9-Day Patch Lag Leaves SMBs Hand-Painting Invoices

TL;DR

  • Storm-1175 Exploits 16+ CVEs Including CVE-2026-23760 Zero-Day to Deploy Medusa Ransomware Across Healthcare and Finance Sectors
  • Drift Protocol Suffers $285M Exploit via North Korean UNC4736, Leveraging Social Engineering and Multi-Sig Bypass
  • Qilin Ransomware Group Uses BYOVD Technique to Disable 300+ EDR Solutions via Malicious DLL msimg32.dll

😈 78% Hit Rate: Storm-1175’s 16-CVE Chain Owns Hospitals in 12h

78% of Storm-1175’s 16-CVE punchline hits in 12h—same time you spend binging reruns 😈💥. Patch lag 9 days? That’s corporate constipation on free laxatives. Hospitals = piñatas. Still trusting Exchange?

Storm-1175 isn’t a weather forecast—it’s a 16-CVE sucker-punch that turns hospitals into crypto-ATMs and banks into data piñatas, all before your coffee goes cold. They crack Exchange with a zero-day still warm from Redmond’s oven, wriggle through ScreenConnect like a free trial of cancer, and detonate Medusa ransomware in 30 min flat—because who doesn’t love a 12-hour deadline when you’re on a heart-lung machine?

Privacy: 62 % of hits pillage patient files → bedside secrets sold on dark-web clearance racks.
Finance: 28 % loot transaction logs → instant insider-trading starter kits.
Dwell time: 12 h median → shorter than a TikTok trend, deadlier than a hospital-acquired infection.

How the “enterprise-grade” sausage gets made

  • Exploit chain success rate: 78 %—better Vegas odds than your CISO’s career.
  • Patch latency: 9 days average—just long enough for 30 TB of your data to vacation in Moldova.
  • RMM tools double as Trojan horses: Atera, AnyDesk, MeshAgent—free remote admin for them, free ulcer for you.

Proletariat defense cheat-sheet (under $0 budget)

  • Nuke every RMM you didn’t personally compile—yes, Karen, even the “convenience” one.
  • Wrap admin creds in Credential Guard; treat LSASS like plutonium.
  • Script this: if CVE age < 48 h, patch or panic—whichever is faster.
  • Hunt Impacket SMB stink with open-source Zeek scripts; it’s cheaper than Mandiant and won’t flirt with your interns.

Outlook—because crystal balls are overpriced:

  • Next quarter: fresh Exchange zero-day drops, same 24-h exploit stampede.
  • 2027: supply-chain poison of RMM auto-updates; imagine CCleaner but it encrypts your mammograms.
  • Long game: insurers price ransomware like flood coverage—if you can’t afford the premium, learn to swim in paper records.

Bottom line: the cloud you’re sold is just someone else’s ransomware buffet. Build your own damn castle with free patches, MFA, and a flaming moat of skepticism—or keep paying Storm-1175’s subscription to hurt.


💸 $285M Drift Heist: North Korea Hijacks Solana DEX in 12-Minute Governance Blitz

$285M vanishes in 12 min—NK’s Lazarus just robbed Solana’s ‘decentralized’ bank faster than you can microwave ramen 💸🔥 No timelock, 2 sigs, fake token = game over. Your LP money? Pyongyang’s new rocket fund. Still trust 2-of-5 multisig, anon? —West/US/EU

North Korean crew UNC4736 spent six months cosplaying “quant-fund bros,” dropped a mere $1 M charm deposit, then yanked 2 of 5 multisig signatures—no timelock, no problem—and ghost-drained the vault in 12 minutes flat. Pre-signed “durable nonces” (think post-dated heist checks) went live 01 Apr, a fake CarbonVote token spoofed prices, and $66.4 M USDC, $155 M JLP, plus spare change, surfed Circle’s CCTP bridge into oblivion. TVL nosedived 54 %, DRIFT token face-planted 40 %, and twenty downstream Solana apps coughed up another $6.4 M in sympathy blood.

Liquidity: $285 M vacuumed → instant $550 M → $252 M cliff-dive, LPs rekt.
Governance: 2/5 multisig now a meme; upgrade proposals sit in Twitter jail.
Reputational: “Secure” label peeled off like a cheap laptop sticker; VC decks suddenly need 40-page risk addenda.
Regulatory: Circle froze $117 M USDC; expect subpoenas, not airdrops.

Institutional response: Drift’s emergency repo is a bingo card of hack clichés—new 3-of-5 multisig, 48-h timelock, admin-key rotation, durable-nonce cremation. Solana Foundation promises a “Secure Governance Playbook,” because nothing screams safety like PDFs after the fact. FBI, Elliptic, and every chain-analytics shop are tracing; recovery odds sit south of 5 %.
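To see why the bingo card matters, here is a toy model (added here, not Drift's or Solana's code) of threshold-plus-timelock governance. It assumes five signers A–E and treats the pre-signed "durable nonce" problem as approvals tied to a key epoch that admin-key rotation invalidates.

```python
# Constructed toy model of multisig governance with an execution timelock.
# Parameters mirror the page's weak (2-of-5, no timelock) and hardened
# (3-of-5, 48 h) set-ups; nothing here is Solana or Drift code.
from dataclasses import dataclass, field

HOUR = 3600
SIGNERS = frozenset("ABCDE")


@dataclass
class Proposal:
    queued_at: int                      # unix seconds when queued
    approvals: set = field(default_factory=set)


@dataclass
class Multisig:
    threshold: int
    timelock_s: int
    key_epoch: int = 0                  # bumped on admin-key rotation

    def approve(self, prop, signer, signer_epoch):
        # Approvals pre-signed under an old key epoch (the page's pre-signed
        # "durable nonce" problem) are rejected once the admin keys rotate.
        if signer not in SIGNERS or signer_epoch != self.key_epoch:
            return False
        prop.approvals.add(signer)
        return True

    def can_execute(self, prop, now):
        # Enough distinct signers AND the delay has elapsed: that delay is
        # the window defenders get to veto, freeze or rotate keys.
        return (len(prop.approvals) >= self.threshold
                and now >= prop.queued_at + self.timelock_s)


def simulate(threshold, timelock_s, approvers, now, key_epoch=0, signer_epoch=0):
    """Queue a proposal at t=0, collect approvals, ask if it can run at `now`."""
    ms = Multisig(threshold, timelock_s, key_epoch)
    prop = Proposal(queued_at=0)
    for s in approvers:
        ms.approve(prop, s, signer_epoch)
    return ms.can_execute(prop, now)


if __name__ == "__main__":
    # Weak 2-of-5, no timelock: two rogue signers drain the moment it is queued.
    print(simulate(2, 0, "AB", now=0))                                # True
    # Hardened 3-of-5 + 48 h: two signers are short, a third must wait 48 h.
    print(simulate(3, 48 * HOUR, "AB", now=48 * HOUR))                # False
    print(simulate(3, 48 * HOUR, "ABC", now=47 * HOUR))               # False
    print(simulate(3, 48 * HOUR, "ABC", now=48 * HOUR))               # True
    # Key rotation to epoch 1 burns approvals pre-signed under epoch 0.
    print(simulate(3, 0, "ABC", now=0, key_epoch=1, signer_epoch=0))  # False
```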

  • Q2 2026: timelocked governance rolls out, auditors bill seven figures, user count still down 60 %.
  • Q4 2026: copy-cat North Korean phishing surges; expect two more “trusted” teams to sign their own death warrants.
  • 2027: regulators mandate third-party custody for multisig signers; DeFi yields compress as compliance costs climb.

Translation for normies: imagine your co-op needs two board signatures to spend the building fund, but the janitor’s cousin “Kim” charms his way in, grabs the checkbook, and wires the roof-repair money to Macau before brunch. That’s DeFi governance in 2026—cheap, open, and spectacularly flammable.


🤡 300 Endpoint Agents Nullified: Qilin’s One-DLL Kill Switch Hits Japan

300+ EDRs KO’d by one janky DLL—your ‘next-gen’ blinked first 😂. That’s every vendor in the room eating floor. 57 % of pwned shops = mom-&-pop factories now hand-painting invoices. Still paying CrowdStrike rent? 🤡 — who’s patching this weekend, Tokyo?

Qilin’s msimg32.dll side-load sucker-punches 300+ EDR drivers before the poor installer even finishes its coffee. One Foxit click → rwdrv.sys opens kernel memory like a busted vending machine → every CrowdStrike/SentinelOne/Defender callback flatlines. Result: 57 % of Japan’s SME victims last year watched their backups encrypt themselves while the console showed “all green”.

How the heist works (spoiler: it’s stupidly cheap)

  • Drop: rename a legit CPU-utility driver (ThrottleStop.sys → rwdrv.sys) and sign it with a $200 stolen cert.
  • Load: piggy-back on any app that calls msimg32.dll; Windows happily forks over kernel keys.
  • Kill: hlpdrv.sys loops through 300+ service names, zeroing EDR callbacks in physical RAM.
  • Ghost: restores original driver state, flushes ETW, exits—forensics left holding an empty bag.

Impacts – the receipts

  • Visibility: 0 % endpoint telemetry for avg. 4 h 12 m → enough time to map, exfil, encrypt.
  • Downtime: 11 days median for 50–249-seat shops; $210 k ransom ask, $42 k paid.
  • Market: BYOVD kits rent for 0.8 % of that payout—crime now runs on SaaS margins.

Institutional response = slow-motion face-plant

Vendors promise “kernel integrity v2” by Christmas; meanwhile you can block the whole circus with three free GPO ticks: enforce driver WHQL, audit DLL loads, turn on Secure Boot. But 68 % of surveyed orgs still whitelist “whatever Foxit drags in” because updating install scripts is “change-control hell.” 🙃
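The "audit DLL loads" tick only pays off if something reads the audit trail. Below is an added detection sketch (not Qilin's code, not any vendor's) that runs over constructed Sysmon-style events and flags the two patterns above: the page's msimg32.dll name loaded from outside System32/SysWOW64, and a driver loaded from an unexpected folder or with a non-Valid signature. Paths, user names and event lines are made up.

```python
# Added detection sketch, not Qilin's or any vendor's code. It parses
# constructed Sysmon-style events (ID 7 = image/DLL load, ID 6 = driver
# load) and flags the two patterns the page describes: a system DLL name
# loaded from outside System32/SysWOW64 (side-load) and a driver loaded
# from an unexpected path or with a non-Valid signature (BYOVD).
import ntpath
import re

SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
DRIVER_DIRS = {r"c:\windows\system32\drivers"}
WATCHED_DLLS = {"msimg32.dll"}   # the side-loaded name from the page; extend as needed

# Constructed log lines using Sysmon field names (paths, users, events are made up).
CONSTRUCTED_LOG = r"""
EventID=7 Image=C:\Program Files\Reader\reader.exe ImageLoaded=C:\Windows\System32\msimg32.dll Signed=true SignatureStatus=Valid
EventID=7 Image=C:\Users\kenji\Downloads\Invoice.exe ImageLoaded=C:\Users\kenji\Downloads\msimg32.dll Signed=false SignatureStatus=Unavailable
EventID=6 ImageLoaded=C:\Windows\System32\drivers\ndis.sys Signed=true SignatureStatus=Valid
EventID=6 ImageLoaded=C:\Users\kenji\AppData\Local\Temp\rwdrv.sys Signed=true SignatureStatus=Valid
EventID=6 ImageLoaded=C:\Windows\System32\drivers\hlpdrv.sys Signed=true SignatureStatus=Revoked
"""


def parse(line):
    """key=value fields; values may contain spaces, so split on the next ' key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def check_event(ev):
    """Return an alert string for one event, or None when it looks benign."""
    folder, name = ntpath.split(ev.get("ImageLoaded", "").lower())
    if ev.get("EventID") == "7":
        if name in WATCHED_DLLS and folder not in SYSTEM_DLL_DIRS:
            return f"DLL side-load: {name} from {folder} by {ev.get('Image')}"
    elif ev.get("EventID") == "6":
        # Real deployments also hash the file against a vulnerable-driver
        # blocklist: renaming ThrottleStop.sys to rwdrv.sys keeps its hash.
        if folder not in DRIVER_DIRS:
            return f"BYOVD: driver {name} loaded from non-standard path {folder}"
        if ev.get("SignatureStatus") != "Valid":
            return f"BYOVD: driver {name} signature status {ev['SignatureStatus']}"
    return None


def scan(log_text):
    events = (parse(line) for line in log_text.splitlines() if line.strip())
    return [alert for alert in map(check_event, events) if alert]


if __name__ == "__main__":
    for alert in scan(CONSTRUCTED_LOG):
        print(alert)
```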

Forecast – mark your bingo card

  • Q3 2026: copy-cat gangs push BYOVD share past 22 % of ransomware incidents.
  • 2027: three big EDR vendors ship a patch that cuts success rate 40 %; prices for kits crash 70 %.
  • 2028: TPM-attested VBS goes mainstream; Qilin pivots to firmware-level implants or gets outpaced by AI-generated shitcoin scams.

TL;DR

A grad-school-sized DLL and a recycled gamer utility just pried open 300 commercial “next-gen” products. If your defence budget can’t cover code-signing enforcement, you’re not a customer—you’re the product being sold back to Qilin at a 200-Bitcoin discount.


In Other News

  • TPS Breach Exposes 4,300 Patients’ PHI as Insomnia Leaks Data on Dark Web
  • LinkedIn Accused of Spying on 6,222 Chrome Extensions via 2.7MB JavaScript File
  • Handala hacker group leaks Israeli analyst Raz Zimmt’s private messages, FBI offers $10M bounty
  • FBI Warns of Foreign-Developed Apps Collecting Contacts, Location, and IDs via Android and iOS