#CyberWeekly
Two Belgian SMEs on APT73's wall in 24 hours — Van Heyghen Staal and ISoSL both listed April 27
Within the same April 27 window the APT73 (also known as Bashe) ransomware leak site added two Belgian victims: Van Heyghen Staal, a family-owned steel-service centre in Evergem in the Ghent canal zone, and ISoSL, the Walloon healthcare intercommunale that runs psychiatric, geriatric and palliative-care facilities across the Liège basin. Two very different organisations, one shared profile: a flat network, 24/7 uptime pressure, and a limited SOC capacity that ransomware operators love.
- Van Heyghen Staal: publicly listed on the APT73 leak site April 27. The Evergem-based steel-service centre processes around one million tonnes of steel plate per year for industrial customers across north-western Europe. No public confirmation from the company yet, no sample data published
- ISoSL — Intercommunale de Soins Spécialisés de Liège: also listed April 27. ISoSL operates ~50 sites in and around Liège (mental-health hospitals including Petit Bourgogne, Agora and Le Valdor, plus geriatric and elderly-care homes), 746 employees, ~€20M revenue. Hudson Rock data on the leak listing notes prior infostealer activity hitting two ISoSL employees
- APT73 / Bashe at a glance: 141 victims since the group emerged in April 2024, runs a self-hosted leak site, sources note overlap with LockBit affiliate playbooks. Around 44% of APT73 victims show prior infostealer infections — meaning the initial access was almost certainly bought, not earned
- The shared profile: mid-size industrial SMEs and regional healthcare networks share OT/medical-device legacy, can't take downtime, and rarely have a 24/7 SOC. They are the 2026 sweet spot
For Belgian MSPs serving industrial and healthcare clients: assume infostealer-bought credentials are the front door, and treat any unusual remote-access tool the same way Temse did last week. Our ransomware basics guide covers the detection patterns that would have flagged either intrusion early.
Platform Spotlight: the audit deliverable goes round-trip — Excel, .ecpbundle.zip, Aikido
This week we shipped the biggest product pivot since launch. The audit deliverable is now a CCB-format Excel that round-trips with the auditor, packaged inside a portable .ecpbundle.zip you can hand to the CAB. Aikido Security is the first SAST/SCA integration end-to-end, and the MSP four-tier pricing rolled out across the site. Audit season just got a much shorter feedback loop.
- CCB Excel round-trip: the auditor opens your export, types findings into the dedicated org-comment column, partner re-imports the file, and wiki pages plus auditor-finding readiness states appear automatically. No more shuttling PDFs and mismatched spreadsheets between three mailboxes
- .ecpbundle.zip as the engagement output: a single portable archive with the CCB Excel, per-control documentation and evidence index, branded with easycyberprotection.com. Local-first stays intact — clients can keep their compliance data inside their own perimeter
- Aikido Security adapter: first end-to-end integration with a SAST/SCA vendor. Aikido findings flow into the compliance program and map to CyFun controls, so vulnerability work shows up where audit work shows up
- MSP four-tier pricing live: Starter at 399 euro for solo consultants and vCISOs (up to 10 clients), Practice at 699 euro for growing partners, Firm at 1,999 euro for established MSPs, Enterprise MSP at 4,999 euro. Direct-enterprise lane for end clients without an MSP starts at 24,000 euro year-one. 10 percent off annual billing
- Missed-the-deadline rescue cluster: five new articles live in Dutch, French and English — the missed-deadline pillar, 8-week audit-preparation flagship, CAB audit cost explainer, mock-audit how-to, and the conversation script for talking to your IT partner
- Roadmap kanban, finally usable: assignee avatar chips, tag filter, inline tag editor, notes preview on cards. Risk register UI gets the same Asset Owner role and tooltip pass
The audit-doc framing is now end-to-end across the site too: the homepage was rewritten as a 5-page A4 engagement brief, and the why-ecp page is now a position paper instead of a feature list. We dropped every "audit-ready in two weeks" claim — readiness is a state you snapshot and improve, not a calendar promise.
UK retail's category-2 cyber hurricane — M&S, Co-op, Harrods all hit, DragonForce claims credit, four arrests
Marks & Spencer, the Co-op and Harrods are all dealing with active cyber incidents inside a nine-day window. The UK Cyber Monitoring Centre has formally classified the M&S and Co-op pair as a single "category-2 cyber hurricane" — projected losses 270 to 440 million pounds. The DragonForce ransomware-as-a-service operation has claimed M&S, with the Scattered Spider / "The Com" English-speaking social-engineering collective acting as the affiliate.
- M&S — April 22: initial intrusion over Easter weekend. Online store closed for almost seven weeks, mass customer-password reset, "significant amount of data stolen." Profit hit estimated 376 million USD
- Co-op — April 30 (this Wednesday): developing incident, the retailer pulled IT systems offline to contain it. Tied by UK regulators to the same campaign
- Harrods: also targeted in the same window, less detail public
- NCA arrests: two 19-year-old men, a 17-year-old boy, a 20-year-old woman picked up across the West Midlands, Staffordshire and London. Same English-speaking collective behind the MGM and Caesars 2023 attacks, now reusing the helpdesk-vishing playbook
- The Belgian read: retailers across the Channel run the same SaaS stack, the same identity provider, the same outsourced helpdesk. DragonForce already touched Belgium directly via Fountain Belgium in week 15. The defence is helpdesk hardening — caller-ID alone is not authentication
For MSPs serving retail clients: this is the moment to dry-run a "credential-reset request from the CFO" call with their helpdesk. Phishing basics covers the social-engineering patterns; the lesson here is that the human channel is the weakest link, and pre-agreed callback rituals beat any technical control.
Patch this week: Cisco ISE root RCE (CVE-2026-20160) plus ConnectWise and Microsoft on CISA KEV
April 28 was a busy day for vulnerability advisories. CISA added two flaws to its Known Exploited Vulnerabilities catalogue, Cisco published critical advisories for Identity Services Engine, and SAP closed a CVSS 9.9 SQL-injection flaw on April Patch Tuesday. If you run any of the affected stacks, this week is patch week.
- Cisco ISE — CVE-2026-20160 and CVE-2026-20093: critical remote-access and code-execution flaws in Identity Services Engine, the policy and SSO brain for Cisco-heavy enterprise networks. An admin compromise on ISE pivots into the entire authenticated network. Cisco rates these as critical, advisory published April 28
- CISA KEV April 28: CVE-2024-1708 (ConnectWise ScreenConnect path-traversal — federal agencies must patch by deadline) and CVE-2026-32202 (Microsoft Windows Protection Mechanism Failure). ScreenConnect is the one to act on for any MSP — it is the RMM tool sitting on every client endpoint
- Earlier KEV April 20-21: three Cisco Catalyst SD-WAN Manager bugs actively exploited (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) — privilege escalation through to information disclosure
- SAP April Patch Tuesday: CVE-2026-27681 — SQL injection in SAP Business Planning and Consolidation, CVSS 9.9, allows arbitrary database commands. Microsoft fixed 169 issues, including SharePoint Server spoofing CVE-2026-32201
For MSPs: ScreenConnect is the priority. Patch the agent and the server, rotate stored credentials, hunt for unfamiliar sessions back to February — the bug has been on the KEV path for that long. See our patch-management guide — "patch fast, patch together" beats "patch when the change window opens."
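A KEV-driven triage pass over an MSP inventory, as an added example (not code from the newsletter or from any product it names): it uses the field names of CISA's real KEV JSON feed, but the feed entries, hostnames, due dates and ransomware flags are constructed placeholders, and the Cisco ISE CVE is deliberately left out of the sample feed to show that absence from KEV is not a clean bill of health.

```python
import json
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for CISA's KEV JSON feed (same field names as the real feed).
# CVE IDs are the ones in the advisories above; dueDate and ransomware flags are
# placeholders, NOT values taken from the real catalogue.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "dateAdded": "2026-04-28", "dueDate": "2026-05-19", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-32202", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-04-28", "dueDate": "2026-05-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Unknown"},
]})
TODAY = date(2026, 5, 1)  # constructed reference date for the due-date maths

@dataclass
class Asset:
    hostname: str
    client: str
    cves: list  # CVE IDs a vulnerability scanner reported for this host (constructed)

# Constructed MSP inventory: one host per client stack named in the advisories.
ASSETS = [
    Asset("ws-acme-01", "acme", ["CVE-2024-1708"]),   # endpoint with ScreenConnect agent
    Asset("sdwan-mgr", "acme", ["CVE-2026-20122"]),   # Catalyst SD-WAN Manager
    Asset("ise-node-1", "beta", ["CVE-2026-20160"]),  # ISE: vendor-critical, not on KEV
    Asset("win-srv-02", "beta", ["CVE-2026-32202"]),
]

def load_kev(feed_json):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def triage(assets, kev, today):
    """KEV hits ordered by urgency: ransomware-linked first, then nearest due date."""
    rows = []
    for asset in assets:
        for cve in asset.cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # handled by outside_kev(); KEV silence is not "safe"
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            rows.append({"host": asset.hostname, "client": asset.client, "cve": cve,
                         "product": entry["product"], "days_left": days_left,
                         "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                         "overdue": days_left < 0})
    rows.sort(key=lambda r: (not r["ransomware"], r["days_left"]))
    return rows

def outside_kev(assets, kev):
    """CVEs on scanned hosts that KEV does not list: patch these on the vendor advisory alone."""
    return sorted({c for a in assets for c in a.cves if c not in kev})
```

Run `triage(ASSETS, load_kev(SAMPLE_KEV_JSON), TODAY)` and the ScreenConnect host comes out first because of the ransomware flag, while `outside_kev` still surfaces the ISE node.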