Cyber Threat Brief — April 20 2026

1. Vercel Supply-Chain Breach via Context.ai Compromise

TL;DR: Attacker compromised Context.ai (third-party AI analytics tool), pivoted through a Vercel employee’s Google Workspace OAuth token to access Vercel internal environments and non-sensitive-marked environment variables. ShinyHunters-affiliated actor selling data for $2M; crypto projects scrambling to rotate API keys.

What’s New:

Vercel confirmed breach April 20; root cause is compromised Context.ai OAuth integration → employee Google Workspace takeover → Vercel internal environment access
Environment variables NOT marked “sensitive” in Vercel dashboard should be treated as exposed (API keys, tokens, database credentials, signing keys)
ShinyHunters-affiliated actor published 580 employee records (names, emails, account status) and demands $2M ransom
Mandiant engaged for IR; GitHub community incident response playbook published (OpenSourceMalware/vercel-april2026-incident-response)
Broad blast radius: Vercel hosts frontends for major crypto/fintech projects; downstream credential abuse expected

Actionable Intel

Artifact	Type	ATT&CK	Log Source	Action
Context.ai OAuth app grants in Google Workspace	OAuth token	T1550.001	Google Workspace Admin audit log	Audit — revoke Context.ai OAuth grants immediately
Non-”sensitive” Vercel environment variables	Exposed secrets	T1552.001	Vercel dashboard, CI/CD logs	Rotate — all API keys, DB creds, signing keys not marked sensitive
Unauthorized Vercel deployments since ~April 15	Unauthorized change	T1195.002	Vercel deployment logs, git push logs	Hunt — compare deployment hashes to expected commits
Credential reuse from leaked employee data	Credential stuffing	T1078	WAF, auth logs, IdP	Monitor — watch for stuffing attempts using leaked Vercel employee emails
vercel-april2026-incident-response repo indicators	Community IOCs	—	—	Reference — github.com/OpenSourceMalware/vercel-april2026-incident-response

Detection

Source	Rule	Gap
Splunk ESCU	None	No Vercel-specific detection; need OAuth app audit query for Google Workspace
Elastic	None	No coverage; need Google Workspace OAuth grant anomaly rule
Sigma	None	Need: Google Workspace OAuth application authorization events for suspicious apps

Sources: Vercel Security Bulletin · BleepingComputer · CoinDesk · The Hacker News

2. Microsoft Defender Triple Zero-Day — New Detection Artifacts (RedSun & UnDefend Still Unpatched)

TL;DR: Multiple threat advisories now provide concrete detection artifacts for the RedSun (LPE via Defender cloud-file rollback) and UnDefend (Defender signature update DoS) zero-days. Both remain unpatched; Huntress confirmed all three Defender exploits (BlueHammer, RedSun, UnDefend) ITW as of April 16.

What’s New:

New exact-match IOC: Cloud Files sync provider name SERIOUSLYMSFT used by RedSun exploit
Hunt targets: binaries named UnDefend.exe, FunnyApp.exe, RedSun.exe in low-priv user folders (Downloads, Pictures, Desktop)
RedSun detection pivot: monitor CfRegisterSyncRoot, CfCreatePlaceholders, CfConnectSyncRoot Windows Cloud Files API calls from non-OneDrive processes
UnDefend passive mode symptom: multiple endpoints reporting Error Code 80070643 during Defender signature updates — centralized alert recommended
Baseline C:\Windows\System32\TieringEngineService.exe SHA-256 hash enterprise-wide; RedSun overwrites this file
BlueHammer patched (CVE-2026-33825, April 14 Patch Tuesday); RedSun and UnDefend remain unpatched with no CVE assigned

Actionable Intel

Artifact	Type	ATT&CK	Log Source	Action
`SERIOUSLYMSFT` Cloud Files sync provider	Exact IOC	T1574	Sysmon EID 11, ETW CloudFiles	Alert — RedSun exploit indicator
`UnDefend.exe` / `FunnyApp.exe` / `RedSun.exe` in user dirs	File name	T1059	EDR, Sysmon EID 1/11	Alert — known PoC tool names
`CfRegisterSyncRoot` / `CfCreatePlaceholders` from non-OneDrive process	API call	T1055	ETW, kernel telemetry	Hunt — RedSun Cloud Files API abuse
Widespread `Error 80070643` on Defender signature updates	Update failure	T1562.001	SCCM/Intune, Windows Update logs	Alert — UnDefend passive mode symptom
`TieringEngineService.exe` hash mismatch from baseline	File modification	T1574.001	EDR, FIM	Alert — RedSun file overwrite
WerFault.exe spawning shell or LOLBin children with integrity elevation	Process chain	T1068	Sysmon EID 1, EDR	Alert — BlueHammer post-exploit
technoherder/BlueHammerFix 7 Sigma + 4 YARA rules	Community rules	—	—	Deploy — github.com/technoherder/BlueHammerFix

Detection

Source	Rule	Gap
Splunk ESCU	SAM Database File Access Attempt (adjacent, BlueHammer)	No rule for RedSun Cloud Files API abuse or UnDefend signature update blocking
Elastic	None specific	No coverage for any of the three Defender exploits
Sigma	technoherder: 7 rules (samlib.dll non-LSASS load, rapid password cycle, BaseNamedObjects junction, GUID temp services, RstrtMgr.dll handles, Cloud Files API abuse, LSA boot key access)	Community rules only; no official Sigma or ESCU rules for RedSun/UnDefend

Sources: Help Net Security · The Hacker News · SOCRadar · Cyderes · Picus Security

Status Updates

CVE-2026-34621 (Adobe Acrobat/Reader): ITW exploitation ongoing since Dec 2025; CISA KEV deadline May 4; no new IOCs. Original brief.
CVE-2026-3055 (Citrix NetScaler): Active exploitation ongoing via SAMLRequest and /wsfed/passive paths; Metasploit module available; federal deadline passed April 2. Original brief.
CVE-2026-4681 (PTC Windchill): Still no patch; German police physically notifying affected orgs; imminent exploitation threat persists. Original brief.
CVE-2026-35616 (Fortinet FortiClient EMS): Federal deadline passed April 9; exploitation ongoing since March 31; 7.4.7 full fix still pending. Original brief.
CVE-2026-1340/1281 (Ivanti EPMM): Mass exploitation continues; federal deadline passed April 11; RPM detection tool available. Original brief.
CVE-2026-34197 (Apache ActiveMQ): ITW exploitation ongoing; CISA KEV deadline April 30. Original brief.
CVE-2026-33032 (nginx-ui MCPwn): Mass exploitation confirmed (Recorded Future risk 94/100); 2689 exposed instances; patched in v2.3.4. Original brief.