CTI Morning Digest — 2026-04-05

TL;DR

Iranian missile strikes physically destroyed AWS data centers in Bahrain and Dubai overnight — Amazon has declared "hard down" for multiple Middle East availability zones. This is the first kinetic destruction of hyperscaler infrastructure in an active interstate conflict. Combined with the ongoing Strait of Hormuz blockade, a 48-hour US ultimatum threatening Iranian energy infrastructure, and Israeli strike planning, the cyber threat posture from IRGC-affiliated groups is at its highest level since the conflict began. FortiClient EMS CVE-2026-35616 remains actively exploited with independent pre-auth RCE confirmation from runZero; still no KEV. Otherwise a quiet Sunday — the week's major threads (Axios/UNC1069, TeamPCP, OpenClaw, MFA bypass industrialization) produced no new intelligence today.


Critical / Act now

NEW: Iranian missile strikes destroy AWS data centers in Bahrain and Dubai — "hard down" across multiple availability zones

Covered by 3 sources

Iranian missile and drone strikes have physically destroyed AWS data centers in Bahrain and Dubai, with Amazon declaring "hard down" status for multiple Middle East availability zones. This is not a cyberattack — this is kinetic destruction of cloud infrastructure in an active theater of war.

The broader context has escalated significantly since the April 4 afternoon update: US special forces conducted a deep-penetration rescue of a downed F-15 crew inside Iran, involving dozens of aircraft and resulting in at least two MC-130Js and Black Hawks destroyed or self-destructed after malfunctions. Iranian drone strikes hit petrochemical facilities in Bahrain and Abu Dhabi. The Strait of Hormuz remains effectively blockaded (~20% of global oil and LNG transit). President Trump has issued a 48-hour ultimatum threatening strikes on Iranian energy infrastructure, and Israel is reportedly preparing energy facility strikes within the week. A CIA deception campaign was disclosed as part of the rescue operation. A projectile struck a perimeter building at the Bushehr nuclear plant; Rosatom has evacuated personnel.

Immediate actions:

  1. Cloud resilience: Any workloads running in AWS ME-South-1 (Bahrain) or ME-South-2 (UAE) should be failed over to alternate regions now if not already. Review DR plans for regional dependencies — not just compute but S3 data replication, Route 53 health checks, and cross-region failover configurations.
  2. Cyber threat posture: IRGC-affiliated groups (APT33/Elfin, APT34/OilRig, APT35/Charming Kitten, MuddyWater) have historically escalated destructive and espionage cyber operations against US financial and energy sector targets during kinetic escalation periods. The Handala wiper against Stryker (confirmed April 4) is already running. Expect targeting of US/allied financial infrastructure, energy sector OT, and cloud services.
  3. Energy sector exposure: Strait of Hormuz closure has direct implications for energy companies in the portfolio. Monitor for ICS/SCADA targeting aligned with the Bushehr incident.
  4. Third-party risk: Assess vendor and counterparty exposure to ME region infrastructure.

This is the first time a major hyperscaler has lost physical data center infrastructure to state military action. The 48-hour ultimatum timeline puts the next escalation window at approximately Monday. The precedent matters beyond the immediate incident — and the cyber follow-on is the more likely vector for direct impact to US financial sector operations.

Sources: Tom's Hardware · Defense News

UPDATE: FortiClient EMS CVE-2026-35616 — runZero confirms pre-auth RCE, VulnCheck adds to exploited catalog

Since April 4: Independent technical confirmation, VulnCheck catalog addition. Still no CISA KEV.

runZero published independent analysis confirming the unauthenticated RCE vector in FortiClient EMS CVE-2026-35616 (CVSS 9.1, CWE-284, T1190). VulnCheck has added it to their known-exploited vulnerabilities catalog. CISA KEV addition has still not occurred — expect it imminently given confirmed wild exploitation by both the vendor and independent researchers. Emergency hotfixes remain available for EMS 7.4.5 and 7.4.6; permanent fix in 7.4.7. Core action unchanged from Friday: apply the hotfix now.

Sources: Decipher · Fortinet PSIRT · runZero

Continuing critical — no material change


Notable

36 malicious npm packages impersonating Strapi CMS plugins deploy persistent implants via Redis/PostgreSQL exploitation

A coordinated campaign planted 36 malicious npm packages masquerading as Strapi CMS plugins. Each follows an identical three-file structure (package.json, index.js, postinstall.js) with no description or repository metadata — the calling card of coordinated typosquatting. Payloads include Redis and PostgreSQL exploitation for lateral movement, reverse shell deployment, credential harvesting, and a persistent implant (T1195.002). No attribution, no IOCs extracted. The database exploitation angle is above the typical npm poisoning tier — whoever wrote this targets environments where Strapi runs with real backend infrastructure, not dev sandboxes. Pull IOCs from the primary research.

Third npm supply chain story in a week alongside the Axios and LiteLLM compromises. The postinstall hook attack vector remains trivially effective a decade after npm first discussed restricting it.
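A defender-side triage script for the package pattern described above, added here as an example and not taken from the digest's sources: it walks a node_modules tree and flags packages that combine a postinstall hook with the missing description/repository metadata and the exact three-file layout the campaign used. The function names, the flagging threshold and the two sample packages it builds are constructed for this example.

```python
import json
import tempfile
from pathlib import Path

# Tells from the digest: postinstall hook, no description/repository metadata, three-file layout. Names and samples are constructed.
THREE_FILE_LAYOUT = {"package.json", "index.js", "postinstall.js"}

def assess_package(pkg_dir):
    """Return the reasons a package matches the pattern; [] means not flagged."""
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []  # unreadable or malformed manifest: nothing to assess
    hook = (manifest.get("scripts") or {}).get("postinstall")
    if not hook:
        return []  # the install-time hook is the precondition for this pattern
    reasons = ["postinstall hook: " + str(hook)]
    for field in ("description", "repository"):
        if not manifest.get(field):
            reasons.append("missing " + field)
    if {p.name for p in pkg_dir.iterdir()} == THREE_FILE_LAYOUT:
        reasons.append("exact three-file layout")
    # Legitimate postinstall users normally carry metadata; require at least two tells on top of the hook.
    return reasons if len(reasons) >= 3 else []

def scan_node_modules(root):
    """Check plain and scoped (@org/name) packages; return {package: reasons}."""
    root = Path(root)
    manifests = list(root.glob("*/package.json")) + list(root.glob("@*/*/package.json"))
    hits = {}
    for manifest in sorted(manifests):
        reasons = assess_package(manifest.parent)
        if reasons:
            hits[manifest.parent.relative_to(root).as_posix()] = reasons
    return hits

def build_sample_tree():
    """Write a constructed node_modules: one benign plugin, one lookalike."""
    root = Path(tempfile.mkdtemp(prefix="nm_sample_"))
    benign = {"description": "Real plugin", "repository": "https://example.invalid/r",
              "scripts": {"build": "tsc"}}
    lookalike = {"scripts": {"postinstall": "node postinstall.js"}}
    for name, manifest, files in (("@strapi/plugin-real", benign, ["index.js", "README.md"]),
                                  ("strapi-plugin-lookalike", lookalike, ["index.js", "postinstall.js"])):
        pkg_dir = root / name
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(dict(manifest, name=name)), encoding="utf-8")
        for fname in files:
            (pkg_dir / fname).touch()
    return root
```

Point `scan_node_modules` at a real project's node_modules to get a shortlist for manual review; a hit is a triage lead, not a verdict, so compare flagged packages against the IOCs in the primary research before acting.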

German eIDAS digital identity wallet requires Apple or Google account — sovereign identity coupled to commercial platforms

Germany's implementation of the EU digital identity wallet (eIDAS EUDI Wallet) requires a Mobile Device Verification Mechanism (MDvm) that architecturally couples government-issued digital identity to Apple or Google platform accounts. The attack surface this creates: compromise the platform account → compromise EU legal identity. For organizations operating under eIDAS verification requirements, this means AiTM and device code phishing (both heavily industrialized this week) are direct pathways to sovereign identity compromise. Not traditional CTI but directly relevant to identity security posture and the trust model for any EU counterparty authentication. (German Federal Interior Ministry architecture doc)

BitLocker undocumented FVE API leaks authentication config to low-privilege users

itm4n published research on fveapi.dll, an undocumented Windows BitLocker API that allows low-privilege users to determine BitLocker authentication mode (TPM-only vs. TPM+PIN) — information that official tooling (manage-bde, Get-BitLockerVolume, WMI) explicitly denies them (T1082). No CVE, no patch. The red team use case is immediate: enumerate whether a target machine uses the weaker TPM-only configuration to inform attack path selection. Side finding: 7,000+ lines of private Windows FVE struct and function definitions were found shipped verbatim inside a PE resource section of bdechangepin.exe. (itm4n)

Kerberos CNAME relay (CVE-2026-20929) — continuing, no change

Cluster of 9 today. CrowdStrike detection guidance published April 3 remains the actionable reference. No new technical detail or exploitation evidence. EPSS 0.00045. The persistent disconnect between vendor attention (cluster_size 9 across two weeks) and measured exploitation probability suggests either detection blind spots or pre-positioning research that hasn't manifested in telemetry yet.


Routine


Noise

~24 entries skipped: 19 general-section drops (6 CrowdStrike marketing posts maintaining their flawless record of contributing nothing to threat intelligence, retrocomputing nostalgia, HN front-page debris, and an LLM API research tool), 2 ransomware think-pieces with zero actionable intelligence (including a genuinely interesting DataBreaches.net essay on whether ransomware actors honor data deletion promises — worth reading, not worth briefing), 2 vulnerability entries (a HelpNetSecurity week-in-review aggregator and a 1999 Amiga Unix finger vulnerability CVE posted to HN for archaeological amusement), and 1 CBP facility codes OPSEC story misrouted from physical security.


Sunday feed, accordingly quiet. The week's established threads — DPRK supply chain operations, MFA bypass commoditization, agentic AI attack surface, TeamPCP's post-exploitation phase — all produced only rehashes today. The signal that matters is the kinetic one: the first physical destruction of hyperscaler data center infrastructure by state military action is a category of event that has been war-gamed but never realized. Whether this stays contained to the ME region or triggers IRGC cyber retaliation against US financial and energy targets is the question that should drive Monday morning's threat model conversations. The 48-hour ultimatum timeline lands approximately Monday. Iranian cyber proxy operations were already running hot (Handala/Stryker) before the strikes — the retaliatory incentive just increased by orders of magnitude. The Trivy KEV deadline on Wednesday and FortiClient EMS exploitation without a KEV entry are the two patch priorities that shouldn't get lost in the geopolitical noise.