
#CyberWeekly

Mar 30 - Apr 5, 2026

ShinyHunters breach the European Commission: 350GB stolen including email signing keys

Source: BleepingComputer

ShinyHunters stole 350GB from the European Commission — including DKIM keys that let attackers forge official @ec.europa.eu emails.

  • What was stolen: mail server data, databases, contracts, SSO user directory, DKIM signing keys, and AWS config snapshots — 90GB already published
  • Why DKIM keys matter: an attacker can now send emails that pass all authentication checks as @ec.europa.eu — NIS2 notices, procurement messages, regulatory warnings
  • Belgian angle: with 16 days to the NIS2 deadline, any urgent EC email about your compliance submission deserves a call-back to verify before clicking

The practical response: check that your email gateway is enforcing DMARC verification on inbound mail, not just outbound. And brief your team that even authenticated-looking emails from .eu addresses can be forged this month.

BleepingComputer: full report →

Platform Spotlight: Assessment Hub — your compliance roadmap in three views

From assessment to audit-ready, one step at a time

This week we launched the Assessment Hub — plan, track, and close compliance gaps from one place, starting with a structured assessment rather than a flat list of 34 controls.

  • Three views: Matrix (gap analysis at a glance), Kanban (drag findings through Open → In Review → Closed), and Roadmap (timeline by CyFun function area)
  • Findings and actions linked: a finding documents a gap; an action closes it. Both are linked to the relevant control with status tracking and due dates — no spreadsheet needed
  • CyFun Basic templates pre-loaded: common finding types and recommended actions for all 34 controls, ready to use out of the box
  • Controls and Compliance unified: one view, grouped by the five CyFun function areas. Your program is no longer split across two sections

With 16 days to the April 18 deadline, the Assessment Hub is the fastest way to turn a self-assessment into a structured gap list. Read the compliance roadmap to understand what the CCB expects.

Try the Assessment Hub →

Citrix NetScaler CVE-2026-3055: actively exploited since March 27 — patch before attackers steal your session tokens

A critical memory overread bug in Citrix NetScaler ADC and Gateway (CVSS 9.3) has been actively exploited since at least March 27, leaking authenticated session IDs to unauthenticated attackers — with no login required. CISA added it to its Known Exploited Vulnerabilities catalog and ordered US federal agencies to patch by April 2.

  • What it does: an attacker sends a crafted SAML authentication request to the /saml/login endpoint. The appliance mishandles the missing AssertionConsumerServiceURL field and leaks memory contents — including live authenticated session tokens — in the response cookie. The attacker can then replay those tokens to access whatever that session had access to
  • Who is at risk: organisations using NetScaler as a SAML Identity Provider (IDP) for SSO. This covers many VPN, remote-desktop, and cloud access setups. If your remote-work gateway is a Citrix ADC or Gateway, check your configuration. Versions before 14.1-60.58 and 13.1-62.23 are affected
  • Reconnaissance already underway: security honeypots detected systematic probing of /cgi/GetAuthMethods endpoints from known threat actor IPs beginning March 27 — attackers are fingerprinting which appliances have SAML enabled before targeting them
  • Fix: update to 14.1-60.58+, 13.1-62.23+, or 13.1-37.262+. If you cannot patch immediately, disable SAML IDP functionality until you can. Audit your NetScaler access logs for unusual /saml/login requests with empty AssertionConsumerServiceURL parameters
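Added example (not from the newsletter, Citrix, or BleepingComputer): a small Python triage script that applies the audit advice above to a constructed log excerpt, flagging /saml/login requests with a missing or empty AssertionConsumerServiceURL and the /cgi/GetAuthMethods probing the honeypots observed. The line layout is an assumed generic access-log format, so adapt the regex to your own NetScaler export.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in an assumed "timestamp src method url status"
# layout. Not real NetScaler output; adapt LINE_RE to your export format.
SAMPLE_LOG = """\
2026-03-28T09:14:02Z 203.0.113.10 GET /saml/login?SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdA&AssertionConsumerServiceURL=https%3A%2F%2Fsp.example.com%2Facs 302
2026-03-28T09:14:07Z 198.51.100.7 GET /saml/login?SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdA 200
2026-03-28T09:14:09Z 198.51.100.7 GET /saml/login?SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdA&AssertionConsumerServiceURL= 200
2026-03-28T09:14:11Z 198.51.100.7 GET /cgi/GetAuthMethods 200
2026-03-28T09:15:30Z 203.0.113.22 GET /logon/LogonPoint/index.html 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def triage_line(line: str):
    """Return a (severity, reason) tuple for one log line, or None if benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    # keep_blank_values so "AssertionConsumerServiceURL=" is seen as present-but-empty
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path == "/saml/login":
        acs = query.get("AssertionConsumerServiceURL", [""])
        if not any(v.strip() for v in acs):
            return ("high", f"{m['src']} /saml/login without AssertionConsumerServiceURL")
    if parts.path == "/cgi/GetAuthMethods":
        return ("low", f"{m['src']} probed /cgi/GetAuthMethods (SAML fingerprinting)")
    return None


def triage_log(text: str):
    """Run triage over a whole log and return findings in file order."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append(hit)
    return findings


def suspicious_sources(text: str):
    """Source IPs with at least one high-severity finding, for hunting or blocking."""
    return sorted({f[1].split()[0] for f in triage_log(text) if f[0] == "high"})


if __name__ == "__main__":
    for sev, reason in triage_log(SAMPLE_LOG):
        print(f"[{sev}] {reason}")
```

A high-severity hit only means the request shape matches the exploit pattern; confirm against the appliance version and session activity before treating it as a compromise.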

If patching feels like it always comes at the worst possible moment, the patch management guide covers how to build a lightweight process that makes critical updates a routine, not an emergency.

BleepingComputer: CVE-2026-3055 details →

16 days left: the NIS2 self-assessment deadline is April 18 — here is what still needs to happen

April 18, 2026 is not a suggestion — it is the hard deadline for Belgian NIS2 entities to submit their CyFun self-assessment or ISO 27001 documentation to the CCB. After that date, the CCB can begin enforcement proceedings, including personal liability for board members.

  • What you must submit by April 18: either a Verification Statement showing your CyFun Basic or Important level assessment has been completed, or your ISO 27001 information security policy, scope, and Statement of Applicability (SoA). Both must be submitted directly to the CCB via the NIS2 portal
  • Who this applies to: organisations with 50+ employees or €10M+ turnover operating in one of 18 critical sectors (healthcare, energy, transport, finance, public administration, digital infrastructure, ICT services, and more). Your supply chain partners may also be in scope as important entities
  • The penalties are real: non-compliance exposes you to fines of up to €10 million or 2% of global annual turnover — whichever is higher. Belgian law adds personal director liability: board members can be held individually responsible for failing to ensure compliance was implemented
  • What "registered but not ready" looks like: of the 2,410+ organisations registered with the CCB, an estimated 25% have done the registration without completing the underlying structured implementation. Registration is not compliance. The April 18 submission is the evidence that you have actually done the work

The NIS2 guide explains the full scope and what the CCB actually checks. The CyberFundamentals framework guide maps out which controls you need at Basic vs Important level. And if you need to move fast, the Assessment Hub in ECP is specifically built for exactly this situation.

Start your CyFun assessment →

CCB: official NIS2 portal →




Tom Janssens

Editor, #CyberWeekly — LinkedIn


easycyberprotection.com