LinkedIn Carousel - #CyberWeekly Week 18

After the Deadline

NIS2 D-Day passed. The audit deliverable becomes an Excel round-trip, and two Belgian SMEs land on APT73's wall.

Two Belgian SMEs on APT73's Wall in 24 Hours

Platform: Audit Bundle + Excel Round-Trip + Aikido

UK Retail's Category-2 Cyber Hurricane

Patch Now: Cisco ISE + ConnectWise on CISA KEV

Easy Cyber Protection

1/4

Two Belgian SMEs on APT73's wall in 24 hours — Van Heyghen Staal and ISoSL both listed April 27

Within the same April 27 window the APT73 (also known as Bashe) ransomware leak site added two Belgian victims: Van Heyghen Staal, a family-owned…

Van Heyghen Staal: publicly listed on the APT73 leak site April 27. The Evergem-based steel-service centre processes around one million tonnes of steel plate per year for industrial customers across north-western Europe. No public confirmation from the company yet, no sample data published
ISoSL — Intercommunale de Soins Spécialisés de Liège: also listed April 27. ISoSL operates ~50 sites in and around Liège (mental-health hospitals including Petit Bourgogne, Agora and Le Valdor, plus geriatric and elderly-care homes), 746 employees, ~€20M revenue. Hudson Rock data on the leak listing notes prior infostealer activity hitting two ISoSL employees
APT73 / Bashe at a glance: 141 victims since the group emerged in April 2024, runs a self-hosted leak site, sources note overlap with LockBit affiliate playbooks. Around 44% of APT73 victims show prior infostealer infections — meaning the initial access was almost certainly bought, not earned

ransomware.live: APT73 group profile → https://www.ransomware.live/group/apt73

2/4

Platform Spotlight: the audit deliverable goes round-trip — Excel, .ecpbundle.zip, Aikido

This week we shipped the biggest product pivot since launch. The audit deliverable is now a CCB-format Excel that round-trips with the auditor, packaged…

CCB Excel round-trip: the auditor opens your export, types findings into the dedicated org-comment column, partner re-imports the file, and wiki pages plus auditor-finding readiness states appear automatically. No more shuttling PDFs and mismatched spreadsheets between three mailboxes
.ecpbundle.zip as the engagement output: a single portable archive with the CCB Excel, per-control documentation and evidence index, branded with easycyberprotection.com. Local-first stays intact — clients can keep their compliance data inside their own perimeter
Aikido Security adapter: first end-to-end integration with a SAST/SCA vendor. Aikido findings flow into the compliance program and map to CyFun controls, so vulnerability work shows up where audit work shows up

See how it works → https://easycyberprotection.com/

3/4

UK retail's category-2 cyber hurricane — M&S, Co-op, Harrods all hit, DragonForce claims credit, four arrests

Marks & Spencer, the Co-op and Harrods are all dealing with active cyber incidents inside a nine-day window. The UK Cyber Monitoring Centre has formally classified the M&S and Co-op pair as a single "category-2…

M&S — April 22: initial intrusion over Easter weekend. Online store closed for almost seven weeks, mass customer-password reset, "significant amount of data stolen." Profit hit estimated 376 million USD
Co-op — April 30 (this Wednesday): developing incident, the retailer pulled IT systems offline to contain it. Tied by UK regulators to the same campaign
Harrods: also targeted in the same window, less detail public
NCA arrests: two 19-year-old men, a 17-year-old boy, a 20-year-old woman picked up across the West Midlands, Staffordshire and London. Same English-speaking collective behind the MGM and Caesars 2023 attacks, now reusing the helpdesk-vishing playbook

Computer Weekly: category-2 cyber hurricane → https://www.computerweekly.com/news/366626336/MS-Co-op-attacks-a-Category-2-cyber-hurricane-say-UK-experts

4/4

Patch this week: Cisco ISE root RCE (CVE-2026-20160) plus ConnectWise and Microsoft on CISA KEV

April 28 was a busy day for vulnerability advisories. CISA added two flaws to its Known Exploited Vulnerabilities catalogue, Cisco published critical advisories for Identity Services Engine, and SAP closed a CVSS 9.9…

Cisco ISE — CVE-2026-20160 and CVE-2026-20093: critical remote-access and code-execution flaws in Identity Services Engine, the policy and SSO brain for Cisco-heavy enterprise networks. An admin compromise on ISE pivots into the entire authenticated network. Cisco rates these as critical, advisory published April 28
CISA KEV April 28: CVE-2024-1708 (ConnectWise ScreenConnect path-traversal — federal agencies must patch by deadline) and CVE-2026-32202 (Microsoft Windows Protection Mechanism Failure). ScreenConnect is the one to act on for any MSP — it is the RMM tool sitting on every client endpoint
Earlier KEV April 20-21: three Cisco Catalyst SD-WAN Manager bugs actively exploited (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) — privilege escalation through to information disclosure
SAP April Patch Tuesday: CVE-2026-27681 — SQL injection in SAP Business Planning and Consolidation, CVSS 9.9, allows arbitrary database commands. Microsoft fixed 169 issues, including SharePoint Server spoofing CVE-2026-32201

CISA: Known Exploited Vulnerabilities catalogue → https://www.cisa.gov/known-exploited-vulnerabilities-catalog