Cybersecurity Weekly Update: 6-13 April 2026
- SOC Team

1. APT28 Router Exploitation Campaign (NCSC Advisory)
Russian state-linked group APT28 has been actively exploiting vulnerable routers to conduct DNS hijacking and credential harvesting attacks. (ncsc.gov.uk)
Why it matters: This campaign targets network infrastructure rather than endpoints, enabling attackers to intercept traffic and steal credentials (including email and cloud authentication tokens) at scale. This is particularly concerning for distributed organisations and remote work environments.
Action: Audit all edge devices (especially routers), apply firmware updates, replace default credentials and disable remote administration where it is not needed, and compare DNS server settings against a known-good baseline on a schedule so unauthorised changes are caught rather than assumed absent.
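Router DNS hijacking works by quietly swapping the resolver addresses a device hands out, so the cheapest detection is a periodic diff of the running configuration against an approved baseline. The script below is an added example and is not part of the NCSC advisory; the configuration snippets, the keyword set it parses (resolv.conf `nameserver`, Cisco-IOS-style `ip name-server` and DHCP-pool `dns-server` lines), the resolver addresses and the attacker address 203.0.113.7 are all constructed for illustration.

```python
"""Added example (not from the NCSC advisory): audit the DNS resolvers configured
on an edge device against an approved baseline and flag drift.
Config formats, addresses and baseline values are constructed for this example."""
import ipaddress
import re

# Resolvers the organisation intends its edge devices to use (constructed).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Lines that introduce a resolver address (assumed formats: resolv.conf style,
# Cisco-IOS style name-server, and DHCP-pool dns-server statements).
_RESOLVER_LINE = re.compile(r"^(?:nameserver|ip name-server|dns-server)\b(.*)$")
_IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def extract_resolvers(config_text):
    """Return resolver addresses in the order they appear in the config."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = _RESOLVER_LINE.match(line)
        if not match:
            continue
        for token in _IPV4.findall(match.group(1)):
            try:
                ipaddress.ip_address(token)
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
            found.append(token)
    return found


def classify(ip):
    """Approved, internal-but-unapproved, or external (the classic hijack shape)."""
    if ip in APPROVED_RESOLVERS:
        return "approved"
    if any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
        return "internal-unapproved"
    return "external"


def audit(config_text):
    """Compare configured resolvers with the baseline. Reports unapproved
    resolvers (deduplicated, with their class) and approved ones that vanished."""
    current = extract_resolvers(config_text)
    findings, seen = [], set()
    for ip in current:
        if ip in APPROVED_RESOLVERS or ip in seen:
            continue
        seen.add(ip)
        findings.append((ip, classify(ip)))
    removed = sorted(APPROVED_RESOLVERS - set(current))
    return {"resolvers": current, "findings": findings, "removed": removed,
            "hijack_suspected": bool(findings) or bool(removed)}


# Constructed running-config excerpt from a healthy branch router.
CLEAN_CONFIG = """\
! branch router, running-config excerpt (constructed)
ip name-server 10.0.0.53 10.0.1.53
ip dhcp pool LAN
 dns-server 10.0.0.53 10.0.1.53
"""

# The same device after a hijack: the primary resolver now points at an
# attacker-controlled host (203.0.113.7 is a documentation-range address).
HIJACKED_CONFIG = """\
ip name-server 203.0.113.7 10.0.1.53
ip dhcp pool LAN
 dns-server 203.0.113.7 10.0.1.53
"""

if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN_CONFIG), ("hijacked", HIJACKED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: suspected={result['hijack_suspected']} "
              f"findings={result['findings']} removed={result['removed']}")
```

Run it against a config pulled from each device (SSH, SNMP, or the vendor API) and alert on `hijack_suspected`; an external, unsanctioned resolver appearing on a router is worth treating as an incident, not a misconfiguration, until proven otherwise.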
2. Microsoft April 2026 Patch Tuesday Fixes 167 Vulnerabilities
Microsoft’s April Patch Tuesday addressed 167 vulnerabilities, including multiple critical remote code execution flaws. (bleepingcomputer.com)
Why it matters: The volume and severity of this month's fixes, particularly the RCE flaws, show that attackers continue to rely on unpatched enterprise systems for initial access and lateral movement.
Action: Prioritise patching across Windows, Office, and SharePoint environments, especially internet-facing systems.
3. Microsoft Warns of OAuth Device Code Phishing Campaign
Microsoft reported a sophisticated phishing campaign abusing the OAuth device code flow to gain persistent access to user accounts without stealing passwords. The victim is lured into entering an attacker-supplied code on the genuine Microsoft sign-in page; the attacker, polling the token endpoint, then receives the resulting access and refresh tokens. (microsoft.com)
Why it matters: MFA is not defeated but sidestepped: the victim satisfies the MFA prompt themselves, and the tokens issued to the attacker inherit that status. Because the sign-in is completed on a legitimate Microsoft page, URL filtering and credential-theft training offer little protection, which makes this particularly dangerous for organisations that depend heavily on cloud identity platforms.
Action: Block or restrict the device code flow with Conditional Access for users who have no legitimate need for it, monitor sign-in logs for device code authentications (especially from IP addresses the user has never signed in from), revoke refresh tokens for affected accounts, and educate users that a sign-in page asking them to enter a code they received by email or chat is a warning sign.
4. Google Introduces New Chrome Protection Against Infostealers
Google introduced Device Bound Session Credentials (DBSC) in Chrome to prevent attackers from reusing stolen session cookies. The browser binds a session to a key pair held on the device (hardware-backed where a TPM is available), and the site can periodically require a signed proof of possession, so a cookie exfiltrated by infostealer malware cannot be replayed from another machine. (techradar.com)
Why it matters: Session hijacking is a common way to bypass MFA. This new control aims to make stolen session cookies unusable without the original device.
Action: Ensure browsers are up to date and evaluate session security controls in enterprise environments.
Key Recommendations
Prioritise rapid patching of critical and internet-facing systems to reduce exposure to known vulnerabilities.
Strengthen identity and access controls with MFA, conditional access, and monitoring of authentication activity.
Harden network and remote access infrastructure, including routers and VPNs, to prevent initial access.
Enhance ransomware resilience through tested backups, segmentation, and incident response readiness.
Improve overall visibility and monitoring across endpoints, networks, and cloud environments.
