20th April – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 20th April, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Booking.com, the Amsterdam-based travel platform, has confirmed a data breach after unauthorized parties accessed reservation data linked to some customers. Exposed information included names, email addresses, phone numbers, physical addresses, and booking […] The post 20th April – Threat Intelligence Report appeared first on Check Point Research .

For the latest discoveries in cyber research for the week of 20th April, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Booking.com, the Amsterdam-based travel platform, has confirmed a data breach after unauthorized parties accessed reservation data linked to some customers. Exposed information included names, email addresses, phone numbers, physical addresses, and booking […] The post 20th April – Threat Intelligence Report appeared first on Check Point Research . For the latest discoveries in cyber research for the week of 20th April, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Booking.com, the Amsterdam-based travel platform, has confirmed a data breach after unauthorized parties accessed reservation data linked to some customers. Exposed information included names, email addresses, phone numbers, physical addresses, and booking details, creating phishing risk, while the company reset reservation PINs and notified affected users. McGraw-Hill, a global educational publisher, has disclosed a data breach following an extortion attempt after attackers accessed its Salesforce environment. Leaked data from about 13.5 million accounts includes names, email addresses, phone numbers, and physical addresses, while no payment card information was reported exposed. EssentialPlugin, a WordPress plugins development firm, has suffered a supply chain compromise that pushed malicious updates to more than 30 plugins installed on thousands of websites. The backdoored code enabled unauthorized access and spam page creation, and WordPress.org closed the affected plugins while infections may remain. Basic-Fit, Europe’s largest gym chain, has reported a data breach after attackers accessed a franchise-wide system used to track club visits. The incident exposed bank account details and personal data for about one million members across six countries, while passwords and identity documents were not affected. AI THREATS Researchers unveiled that a lone hacker weaponized Claude Code and OpenAI’s GPT-4.1 to breach nine Mexican government agencies. AI-driven commands accelerated reconnaissance, issuing 5,317 actions across 34 sessions and accessing 195 million taxpayer records and 220 million civil records, after safety filters were bypassed through prompt manipulation and an injected hacking manual. Researchers detailed a phishing campaign that impersonates Anthropic’s Claude AI with a fake Claude Pro installer for Windows. The package displays a working application to distract victims while abusing a trusted program to sideload PlugX malware, enabling remote access and persistence on compromised systems. Researchers demonstrated a prompt injection technique that hijacks AI agents used in GitHub workflows from major vendors. Malicious instructions hidden in pull request titles or comments can make the agents run commands and expose repository secrets, including access tokens and API keys, during automated development tasks. VULNERABILITIES AND PATCHES CISA warns of active exploitation of Apache ActiveMQ vulnerability CVE-2026-34197, a high-severity code injection flaw that allows remote code execution. The vulnerability carries a CVSS score of 8.8 and has been addressed by Apache in versions 5.19.4 or 6.2.3. Check Point IPS provides protection against this threat (Apache ActiveMQ Code Injection (CVE-2026-34197)) Splunk has released fixes for CVE-2026-20204, a high-severity vulnerability in Splunk Enterprise and Cloud Platform. The flaw can let a low-privileged user upload a malicious file to a temporary directory and achieve remote code execution, while two additional medium-severity issues were also addressed. As part of its Patch Tuesday, Microsoft has patched CVE-2026-33825, one of three actively-exploited Microsoft Defender zero-days dubbed BlueHammer, RedSun, and UnDefend that were revealed by a security researcher. The vulnerabilities allow local privilege escalation as well as denial of service, and researchers said exploitation began in April after the vulnerabilities were revealed. CISA has flagged the vulnerability CVE-2025-60710, a Windows Task Host privilege escalation flaw affecting Windows 11 and Windows Server 2025, as being actively exploited in attacks. The vulnerability allows a local attacker to gain SYSTEM privileges on a compromised device. THREAT INTELLIGENCE REPORTS Check Point Research have documented 2026 Q1 brand impersonation phishing focused on Microsoft, Apple, Google, and Amazon, which accounted for nearly half of observed attempts. The research shows attackers using lookalike subdomains, QR-based WhatsApp lures, and fake Adobe installers to steal credentials and compromise devices. Researchers uncovered ZionSiphon, malware designed to target industrial control environments at water treatment and desalination facilities in Israel. The report says the code is configured for operational technology systems and reflects continued attacker...