Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Governance

Finland is facing a growing intelligence challenge as Russian and Chinese cyberespionage targeting Finland continues to expand across the country’s technology sector, research institutions, and government networks. The warning comes from Finland’s Security and Intelligence Service (SUPO), which released a new national security overview highlighting the persistent threat from foreign intelligence operations.

The report suggests cyber espionage against Finland is not limited to isolated incidents. Instead, it involves a combination of cyber intrusions, traditional espionage, and influence operations designed to collect sensitive information and shape political or economic decisions. The warning reflects that foreign states are no longer focused only on military secrets but are also targeting technology development, economic strategies, and innovation ecosystems.

Russia and China Cyberespionage Targeting Finland’s Technology Sector

According to the SUPO national security overview, the most frequent intelligence operations linked to foreign states originate from Russia and China. These activities increasingly focus on Finland’s technology sector and research institutions, areas that play a key role in the country’s economic and strategic future. The report notes that this cyberespionage often involves penetrating digital systems to access research data, proprietary technologies, and policy discussions.

In several cases, state-backed actors have successfully infiltrated the networks of Finnish start-ups. This trend highlights a worrying reality: smaller technology companies, despite driving innovation, often lack the cybersecurity resources needed to defend against sophisticated state-backed cyber espionage campaigns. For intelligence agencies, start-ups represent valuable targets: early-stage research and emerging technologies can provide strategic advantages long before products reach the market.

Russia’s Intelligence Interest in Finland Remains Strong

SUPO also warns that Russia’s intelligence interest in Finland will likely intensify in the coming years. Even if geopolitical tensions change, Russian and Chinese cyberespionage targeting Finland is expected to remain a long-term concern. Russia’s intelligence capacity across Europe has been affected by its ongoing war in Ukraine. However, the report suggests that Moscow is already preparing to rebuild its intelligence networks, including operations focused on Finland.

Finland’s geopolitical position makes it particularly relevant. As a NATO member located between the Baltic Sea and the Arctic region, the country holds strategic importance for both security and economic activities in northern Europe. SUPO Director Juha Martelius warned that if relations between Russia and Western countries partially normalize in the future, intelligence operations could become even more diverse. Russia may increasingly rely on proxy actors and remote intelligence gathering while maintaining pressure through cyber operations.

China’s Long-Term Intelligence Strategy

Alongside Russia, China continues to maintain a strong intelligence interest in Finland. The report states that Chinese cyber operations against Finland are both persistent and long-term. Chinese intelligence activity has traditionally focused on foreign policy and security matters, but it is increasingly expanding into areas such as critical infrastructure and advanced technologies. This reflects China’s broader strategy of securing technological advantages and strengthening control over global supply chains. The SUPO report notes that control over critical minerals, raw materials, and manufacturing technologies gives countries significant geopolitical leverage. For Finland, this means that protecting innovation and industrial development has become closely tied to national security.

Economic Security and Cyber Threats Are Now Linked

One of the key messages from the assessment is that economic competitiveness and national security are becoming deeply interconnected. Technology development, supply chains, and access to raw materials are now strategic assets in global power competition. As a result, cyberespionage against Finland is increasingly aimed at gathering economic intelligence. By accessing technological research or industrial plans, foreign intelligence services can gain advantages in emerging industries. This is why Finland’s intelligence services are paying closer attention to the role of the private sector in national security. Protecting companies working on advanced technologies is no longer only about business interests—it is about safeguarding strategic capabilities.

A Persistent Cyberespionage Threat

The SUPO report makes it clear that Russian and Chinese cyberespionage targeting Finland is unlikely to disappear. As technological competition intensifies worldwide, intelligence agencies will continue to pursue information that strengthens their countries’ strategic positions. At the same time, Finland must maintain an open research environment and international partnerships that drive innovation. Balancing security with openness remains one of the country’s biggest challenges.


 Cyber News

When your phone rings and the caller ID shows the Israeli military's emergency command number, most people would listen — and that is precisely the point. Israel's National Cyber Directorate issued an urgent public advisory Tuesday, warning citizens about a wave of fraudulent automated phone calls impersonating the Israel Defense Forces' Home Front Command, the military body responsible for issuing missile alerts and civil defense guidance. This is part of Iran's emerging psychological cyber warfare playbook.

The advisory, published on the Israeli government's official portal, shows how Iran and its proxies weaponize civilian communications infrastructure against a population already under physical threat. The Cyber Directorate said it received dozens of reports over a 24-hour period about calls appearing to originate from an official Home Front Command number. The automated messages instructed recipients to "prepare for an emergency" and, in some cases, directed them to visit a website for further instructions.

This is caller ID spoofing — a technique in which attackers falsify the originating phone number so that a call appears to come from a legitimate, trusted source. In a conflict environment where citizens have been conditioned to respond immediately to official emergency alerts, the damage does not require malware or a data breach. Panic is the payload.

Separately, fraudulent text messages circulated from a spoofed sender labeled "OREFAlert" — a name designed to mimic Israel's official rocket alert system — falsely warning recipients of potential terrorist attacks inside bomb shelters and urging them to avoid shelters until further notice. A second fake message warned that fuel supplies would be suspended nationwide for 24 hours from midnight.

The strategic logic is coldly effective. If citizens hesitate to enter shelters during an actual missile strike because they distrust official alerts, the kinetic weapon becomes exponentially more lethal. Disinformation, deployed at the right moment, functions as a force multiplier.

Israeli authorities attributed the campaign to Iranian or pro-Iranian groups operating as part of a broader psychological warfare effort during Israel's military campaign against Iran, known as Operation Rising Lion. These campaign patterns are part of a psychological cyber warfare playbook that Iran has long been using. In 2025, Check Point reported more than 2,000 threatening emails targeting Israeli universities, municipalities, and healthcare organizations, with messages containing explicit threats of violence. Radware recorded a 700% surge in cyberattacks against Israel within the first two days of the conflict compared to the period before it. The firm's VP of Cyber Threat Intelligence attributed the spike to coordinated retaliation by Iranian state actors and pro-Iranian hacker groups, spanning DDoS attacks, critical infrastructure infiltration attempts, data theft, and malware distribution.

The Cyber Directorate confirmed the fraudulent calls formed part of a coordinated misinformation effort and stressed that the Home Front Command does not contact citizens by phone with emergency instructions unless the individual initiates contact first. That clarification alone signals how effectively the adversary exploited an assumed behavioral norm.

The broader campaign fits a well-documented Iranian doctrine of combining kinetic operations with cognitive attacks on civilian populations. Earlier this year, the Shin Bet internal security agency and the Cyber Directorate reported a significant rise in phishing attempts linked to Iranian operatives, targeting senior defense officials, politicians, academics, journalists, and public sector figures, using fake mobile apps, spoofed websites, and malware disguised as legitimate documents.

Israel's Cyber Directorate head Yossi Karadi had warned publicly that his agency handled more than 26,000 cyberattacks in 2025 — a 55% increase over 2024 — and framed the trajectory in stark terms: "Cyber is no longer supporting the battlefield. Cyber is the battlefield."

For security practitioners and network defenders operating in any geopolitically sensitive environment, the Israeli case delivers a precise lesson. The most dangerous attack vector in a conflict may not target a firewall. It targets the split-second decision a civilian makes when an alarm sounds. The Cyber Directorate urged the public to rely exclusively on the Home Front Command's official website, mobile application, and verified social media channels, and to report suspicious calls immediately to authorities.


 Cyber Essentials

A new planning and zoning permit phishing scam is raising concerns across the United States as cybercriminals impersonate city and county officials to trick individuals and businesses into paying fraudulent permit fees. The warning, issued by the FBI, highlights how attackers are exploiting publicly available government data to make phishing emails appear legitimate.

The scam targets people who have active applications for planning and zoning permits, particularly those involved in land-use projects or property development. By using accurate permit details, criminals create convincing emails that pressure victims to transfer money for fake administrative fees.

Planning and Zoning Permit Phishing Scam Targets Active Applications

Unlike generic phishing attempts that rely on vague messages, this scam is highly targeted. Criminals gather information from publicly available sources related to planning and zoning permit applications, including property addresses, application numbers, and the names of local officials. Armed with this data, they send emails to applicants posing as planning and zoning board representatives. The emails typically claim that additional fees are required to process or approve the permit. Victims are instructed to make payments through wire transfers, peer-to-peer payment services, or cryptocurrency—methods that are difficult to trace or recover once the money is sent.

What makes this scam particularly effective is its timing. Emails may arrive while applicants are actively communicating with local government offices about their permits, making the fraudulent request appear routine.

Why the Zoning Permit Scam Looks So Real

The success of this scam lies in its attention to detail. Many phishing campaigns fail because they are poorly written or obviously suspicious. This one is different. The fraudulent emails often contain:

- Accurate property addresses and zoning case numbers
- Names of real city or county officials
- Professional language mirroring official government correspondence
- Attachments such as PDF invoices listing itemized fees

The emails may also use formatting and visual elements that resemble legitimate municipal communications, including references to regulatory compliance or planning commission procedures. However, a key red flag is the email domain. While the sender’s name may resemble a government official, the email address often originates from non-government domains such as “@usa.com” instead of official municipal domains.

Another tactic involves discouraging verification. Victims may be told to request payment instructions through email rather than by phone, supposedly to maintain an “audit trail.” In reality, this discourages them from contacting the city office directly.

Public Data and Trust

This scam highlights a broader cybersecurity issue—how publicly accessible government data can be weaponized. Permit records and zoning applications are often publicly available to maintain transparency in local governance. But criminals are increasingly exploiting this information to craft targeted attacks. In this case, the scam works because it combines accurate data with institutional trust. Most applicants assume that communications about permit fees will come from government offices, and the emails mimic that expectation convincingly. The result is a form of government impersonation phishing that is harder for victims to detect than traditional scams.

Lessons from the Planning and Zoning Permit Phishing Scam

The rise of this scam offers several lessons for businesses, property owners, and local governments. First, legitimate-looking emails should never be trusted solely based on branding or professional formatting. Attackers can easily replicate logos, signatures, and official language. Second, payment requests, especially those involving wire transfers or cryptocurrency, should always be verified through official channels. Experts recommend contacting the relevant city or county office directly using the phone number listed on the government’s official website rather than responding to an email. Applicants should also carefully examine the sender’s domain and watch for subtle misspellings or unusual characters.

Reporting Permit Payment Fraud

Authorities are urging victims of the scam to report incidents to the FBI’s Internet Crime Complaint Center (IC3). Reports should include details such as:

- The sender’s email address and date of the message
- Any phone numbers included in the communication
- The project’s scheduled hearing date, if applicable
- The amount requested and the payment method demanded

Reporting these scams helps investigators identify patterns and disrupt criminal networks running permit payment fraud schemes. The emergence of this scam is another reminder that cybercriminals are increasingly exploiting real-world processes—not just digital vulnerabilities. When administrative systems move online and data becomes public, attackers adapt quickly. For applicants and businesses, the safest approach remains simple: verify first, pay later. In today’s threat landscape, even a routine permit email deserves a second look.
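As an added illustration, not the FBI's or the article's own tooling, the Python below applies the red flags described above (official-sounding sender on a non-government domain, hard-to-reverse payment method, the "audit trail" excuse, a PDF invoice attachment) to two constructed permit-fee messages and collects the fields an IC3 report asks for; the official-domain allowlist, the sample messages and the two-flag threshold are assumptions.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumption: the domains the real planning office actually sends from.
OFFICIAL_DOMAINS = {"planning.springfield-example.gov"}
# Hard-to-reverse payment channels the scam demands (per the FBI warning).
PAYMENT_TERMS = {"wire transfer": "wire", "zelle": "p2p", "venmo": "p2p",
                 "cash app": "p2p", "bitcoin": "crypto", "cryptocurrency": "crypto"}
OFFICIAL_TITLE_RE = re.compile(r"planning|zoning|permit|county|city of", re.I)
NO_PHONE_RE = re.compile(r"audit trail|rather than calling|do not call", re.I)
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")


@dataclass
class Triage:
    # Red flags found, plus the fields an IC3 report asks for.
    sender: str
    date: str
    phones: List[str]
    amount: Optional[str]
    methods: List[str]
    flags: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumption: two independent red flags warrant a call to the office.
        return len(self.flags) >= 2


def triage_permit_email(raw: str) -> Triage:
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    texts, attachments = [], []
    for part in msg.walk():  # collect text bodies and attachment names
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            attachments.append(part.get_filename().lower())
        elif part.get_content_type() == "text/plain":
            texts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(texts).lower()

    methods = []
    for term, kind in PAYMENT_TERMS.items():
        if term in body and kind not in methods:
            methods.append(kind)
    match = AMOUNT_RE.search(body)
    result = Triage(sender=addr, date=msg.get("Date", ""),
                    phones=PHONE_RE.findall(body),
                    amount=match.group(0) if match else None, methods=methods)

    # Flag 1: official-sounding display name but a non-government domain.
    if OFFICIAL_TITLE_RE.search(name) and domain not in OFFICIAL_DOMAINS:
        result.flags.append(f"official-looking sender from {domain}")
    # Flag 2: payment demanded through a channel that cannot be recalled.
    if methods:
        result.flags.append("hard-to-reverse payment: " + ", ".join(methods))
    # Flag 3: the "audit trail" excuse that steers the victim away from the phone.
    if NO_PHONE_RE.search(body):
        result.flags.append("discourages phone verification")
    # Flag 4: an itemized PDF "invoice" attached.
    if any(a.endswith(".pdf") and "invoice" in a for a in attachments):
        result.flags.append("PDF invoice attachment")
    return result


# Constructed sample messages (not real correspondence).
FRAUD_SAMPLE = """\
From: "Dana Lee, Springfield Planning & Zoning" <dana.lee.planning@usa.com>
Date: Tue, 10 Mar 2026 09:14:00 -0500
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your application for 412 Elm St (Case ZC-2026-0147) requires an additional
administrative fee of $1,250.00 before the hearing. Pay by wire transfer or
Zelle within 48 hours. To maintain an audit trail, request payment instructions
by replying to this email rather than calling our office. Questions: (555) 010-2200.

--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

%PDF-1.4 (placeholder bytes)
--b1--
"""
LEGIT_SAMPLE = """\
From: "Springfield Planning Department" <permits@planning.springfield-example.gov>
Date: Wed, 11 Mar 2026 10:02:00 -0500
Content-Type: text/plain; charset="utf-8"

The hearing for 412 Elm St is scheduled for April 2. Remaining fees are paid
only through the city's online permit portal. Call (555) 010-1100 with questions.
"""
```

Running `triage_permit_email` on the two samples flags the first with all four red flags and leaves the second clean, while the returned `Triage` already holds the sender, date, phone numbers, amount and payment method the IC3 report needs.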


 Firewall Daily

The Microsoft Patch Tuesday March 2026 release introduces security updates addressing 79 vulnerabilities, including two publicly disclosed zero-day vulnerabilities and several high-risk issues tied to remote code execution. The monthly security rollout includes fixes across multiple Microsoft products such as SQL Server, .NET, Microsoft Office, SharePoint Server, and Azure services.

Among the vulnerabilities patched in the Microsoft Patch Tuesday March 2026 release, three have been categorized as “Critical.” Two of these critical issues involve remote code execution, while the third is an information disclosure vulnerability affecting Microsoft Excel. Although two zero-day vulnerabilities were publicly disclosed before the update, Microsoft reported no evidence that attackers had exploited them in real-world attacks.

Microsoft Patch Tuesday March 2026 Breakdown

The March security updates address a wide range of vulnerabilities across multiple categories. In total, Microsoft fixed 46 elevation of privilege vulnerabilities, 18 remote code execution vulnerabilities, 10 information disclosure vulnerabilities, four denial of service vulnerabilities, four spoofing vulnerabilities, and two security feature bypass vulnerabilities.

The significant number of remote code execution flaws is particularly concerning because these vulnerabilities can allow attackers to run malicious code on targeted systems. As a result, applying the March updates quickly is critical to reducing the risk posed by these security issues.

Two Zero-Day Vulnerabilities

Two zero-day vulnerabilities were publicly disclosed before patches became available. Microsoft defines a zero-day vulnerability as a flaw that becomes publicly known or actively exploited before an official fix is released.

CVE-2026-21262 – SQL Server Elevation of Privilege Vulnerability

One of the zero-day vulnerabilities fixed this month affects SQL Server. The flaw allows attackers with authorized access to escalate privileges over a network and potentially obtain SQL administrator permissions. Microsoft explained: “Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network.” Security researcher Erland Sommarskog discovered the issue and previously discussed it in an article titled “Packaging Permissions in Stored Procedures.” The vulnerability carries a CVSS score of 8.8 and could allow attackers to gain SQL sysadmin privileges once logged in to a vulnerable system.

CVE-2026-26127 – .NET Denial of Service Vulnerability

The second publicly disclosed zero-day vulnerability affects Microsoft .NET. It stems from an out-of-bounds read that could allow an unauthenticated attacker to cause a denial-of-service condition remotely. Microsoft stated: “Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.” The flaw was reported by an anonymous researcher. Despite being publicly disclosed, Microsoft indicated that exploitation appears unlikely.

Critical Remote Code Execution Bugs in Microsoft Office

The March release also addresses two critical remote code execution vulnerabilities in Microsoft Office:

- CVE-2026-26110: Type confusion vulnerability
- CVE-2026-26113: Untrusted pointer dereference vulnerability

Both vulnerabilities could allow attackers to execute malicious code locally and can be triggered through the Preview Pane, meaning a user might not need to open a file for exploitation to occur. Because of the remote code execution risk, Microsoft recommends prioritizing updates for Office installations. Another Office-related issue, CVE-2026-26109, is an “Important” vulnerability in Excel caused by an out-of-bounds read. Successful exploitation could allow attackers to execute code locally and compromise affected systems.

Excel Vulnerability Raises Data Exfiltration Concerns

One of the most notable issues patched this month is CVE-2026-26144, a critical information disclosure vulnerability affecting Microsoft Excel with a CVSS score of 7.5. The vulnerability stems from improper neutralization of input in Excel, potentially allowing attackers to extract sensitive information through a zero-click attack involving Microsoft Copilot. Microsoft explained: “An attacker who successfully exploited this vulnerability could potentially cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack.” The flaw does not use the Preview Pane as an attack vector and currently has no known exploit code, with Microsoft assessing exploitation as unlikely.

However, security analysts from Project Overwatch warned about the potential implications. They described the issue as an unusual attack technique that leverages AI features: “CVE-2026-26144 is unlike anything I’ve seen in 15 years of cybersecurity. This isn’t just another Office vulnerability. It’s a zero-click attack that weaponizes Copilot Agent to silently exfiltrate sensitive data from Excel spreadsheets.” According to their analysis, the attack could manipulate Copilot into sending sensitive data outside an organization through unintended network connections.

TrendAI Zero Day Initiative also shared its take on the vulnerability on X: “And don't miss our bug of the month! Each Patch Tuesday we'll be selecting our very favorite patch to highlight. This month, it's CVE-2026-26144 - a Critical-rated info disclosure in Excel that uses the Copilot Agent to exfiltrate data. Neat!” — TrendAI Zero Day Initiative (@thezdi), March 10, 2026

In a video posted on X, the ZDI researchers stressed that “CVE-2026-26144 is a critically rated Excel info disclosure. And how do you get Excel info disclosure that is critical-rated? Well, you open an Excel doc, and then it allows Copilot to exfiltrate data out of your network. As Microsoft says, it’s a zero-click data exfiltration. Which is crazy. I count it as one click because you do have to open the doc. Preview Pane is not an attack vector here, but it’s crazy. It’s really cool to see a bug that could use the AI component to do things that you don’t want to do.”

SharePoint and Azure Security Issues

The March update also includes fixes for remote code execution vulnerabilities affecting Microsoft SharePoint Server:

- CVE-2026-26106: Improper input validation
- CVE-2026-26114: Deserialization of untrusted data

Both vulnerabilities allow authenticated attackers with Site Member permissions to execute code remotely on a SharePoint Server. Another issue, CVE-2026-26118, affects Azure MCP Server Tools. This elevation-of-privilege vulnerability is caused by server-side request forgery (SSRF). Attackers could exploit it by sending crafted input to a Model Context Protocol server tool, potentially capturing a managed identity token and accessing resources associated with that identity.

Additional Privilege Escalation Risks

Several vulnerabilities rated “Important” were also marked as more likely to be exploited, including issues affecting:

- Windows Graphics Component
- Windows Kernel
- Windows Accessibility Infrastructure (ATBroker.exe)
- Windows SMB Server
- WinSock Ancillary Function Driver
- Winlogon

One such flaw, CVE-2026-26128, affects Windows SMB Server and allows attackers to gain SYSTEM privileges if successfully exploited.


 Threats

To achieve their malign aims, Android malware developers have to address several challenges in a row: trick users into letting them inside their smartphones, dodge security software, talk victims into granting various system permissions, keep away from built-in battery optimizers that kill resource hogs, and, after all that, make sure their malware actually turns a profit. The creators of BeatBanker — an Android-based malware campaign recently discovered by our experts — have come up with something new for each one of these steps. The attack is (for now) aimed at Brazilian users, but the developers’ ambitions will almost certainly push them toward international expansion, so it’s worth staying on guard and studying the threat actor’s tricks. You can find a full technical analysis of the malware on Securelist.

How BeatBanker infiltrates a smartphone

The malware is distributed through specially crafted phishing pages that mimic the Google Play Store. A page that’s easily mistaken for the official app marketplace invites users to download a seemingly useful app. In one campaign, the trojan disguised itself as the Brazilian government services app, INSS Reembolso; in another, it posed as the Starlink app.

The malicious site cupomgratisfood{.}shop does an excellent job imitating an app store. It’s just unclear why the fake INSS Reembolso appears all of three times. To be extra sure, perhaps?!

The installation takes place in several stages to avoid requesting too many permissions at once and to further lull the victim’s vigilance. After the first app is downloaded and launched, it displays an interface that also resembles Google Play and simulates an update for the decoy app — requesting the user’s permission to install apps, which doesn’t look out of the ordinary in context. If you grant this permission, the malware downloads additional malicious modules to your smartphone.

After installation, the trojan simulates a decoy app update via Google Play by requesting permission to install applications while downloading additional malicious modules in the process

All components of the trojan are encrypted. Before decrypting and proceeding to the next stages of infection, it checks to ensure it’s on a real smartphone and in the target country. BeatBanker immediately terminates its own process if it finds any discrepancies or detects that it’s running in an emulated or analysis environment. This complicates dynamic analysis of the malware. Incidentally, the fake update downloader injects modules directly into RAM to avoid creating files on the smartphone that would be visible to security software.

All these tricks are nothing new and are frequently used in complex malware for desktop computers. However, for smartphones, such sophistication is still a rarity, and not every security tool will spot it. Users of Kaspersky products are protected from this threat.

Playing audio as a shield

Once established on the smartphone, BeatBanker downloads a module for mining Monero cryptocurrency. The authors were very concerned that the smartphone’s aggressive battery optimization systems might shut down the miner, so they came up with a trick: playing an all-but-inaudible sound at all times. Power consumption control systems typically spare apps that are playing audio or video to avoid cutting off background music or podcast players. In this way, the malware can run continuously. Additionally, it displays a persistent notification in the status bar, asking the user to keep the phone on for a system update.

Example of a persistent system update notification from another malicious app masquerading as the Starlink app

Control via Google

To manage the trojan, the authors leverage Google’s legitimate Firebase Cloud Messaging (FCM) — a system for receiving notifications and sending data from a smartphone. This feature is available to all apps, and it’s the most popular method for sending and receiving data. Thanks to FCM, attackers can monitor the device’s status and change its settings as needed. Nothing bad happens for a while after the malware is installed: the attackers wait it out. Then they trigger the miner, but they’re careful to throttle it back if the phone overheats, the battery starts dipping, or the owner happens to be using the device. All of this is handled via FCM.

Theft and espionage

In addition to the crypto miner, BeatBanker installs extra modules to spy on the user and rob them at the right moment. The spyware module requests Accessibility Services permission, and if this is granted, begins monitoring everything that’s happening on the smartphone. If the owner opens the Binance or Trust Wallet app to send USDT, the malware overlays a fake screen on top of the wallet interface, effectively swapping the recipient’s address for its own. All transfers go to the attackers.

The trojan features an advanced remote control system and is capable of executing many other commands:

- Intercepting one-time codes from Google Authenticator
- Recording audio from the microphone
- Streaming the screen in real time
- Monitoring the clipboard and intercepting keystrokes
- Sending SMS messages
- Simulating taps on specific areas of the screen and text input according to a script sent by the attacker, and much more

All of this makes it possible to rob the victim when they use any other banking or payment services — not just crypto payments.

Sometimes victims are infected with a different module for espionage and remote smartphone control — the BTMOB remote access trojan. Its malicious capabilities are even broader, including:

- Automatic acquisition of certain permissions on Android 13–15
- Continuous geolocation tracking
- Access to the front and rear cameras
- Obtaining PIN codes and passwords for screen unlocking
- Capturing keyboard input

How to protect yourself from BeatBanker

Cybercriminals are constantly refining their attacks and coming up with new ways to profit from their victims. Despite this, you can protect yourself by following a few simple precautions:

- Download apps from official sources only, such as Google Play or the app store preinstalled by the vendor. If you find an app while searching the internet, don’t open it via a link from your browser; instead, head to the Google Play app or another branded store on your smartphone to search for it there. While you’re at it, check the number of downloads, the app’s age, and look at the ratings and reviews. Avoid new apps, apps with low ratings, and those with a small number of downloads.
- Check any permissions you grant. Don’t grant permissions if you’re not sure what they do or why that specific app requires them. Be extra careful with permissions like Install unknown apps, Accessibility, Superuser, and Display over other apps. We’ve written about these in detail in a separate article.
- Equip your device with a comprehensive anti-malware solution. We, naturally, recommend Kaspersky for Android. Users of Kaspersky products are protected from BeatBanker — detected with the verdicts HEUR:Trojan-Dropper.AndroidOS.BeatBanker and HEUR:Trojan-Dropper.AndroidOS.Banker.*.
- Regularly update both your operating system and security software. For Kaspersky for Android, which is currently unavailable on Google Play, please review our detailed instructions on installing and updating the app.

Threats to Android users have been going through the roof lately. Check out our other posts on the most relevant and widespread Android attacks and tips for keeping you and your loved ones safe:

- The perfect storm of Android threats
- Brain drain: vulnerabilities in mental health apps
- Pixnapping vulnerability: unblockable screenshots of your Android phone
- NFC skimming attacks
- A new layer of anti-phishing security in Kaspersky for Android


 Security Tools

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero-day” flaws this month (compared to February’s five zero-day treat), but as usual some patches may deserve more rapid attention from   show more ...

organizations using Windows. Here are a few highlights from this month’s Patch Tuesday. Image: Shutterstock, @nwz. Two of the bugs Microsoft patched today were publicly disclosed previously. CVE-2026-21262 is a weakness that allows an attacker to elevate their privileges on SQL Server 2016 and later editions. “This isn’t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network,” Rapid7’s Adam Barnett said. “The CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges are required. It would be a courageous defender who shrugged and deferred the patches for this one.” The other publicly disclosed flaw is CVE-2026-26127, a vulnerability in applications running on .NET. Barnett said the immediate impact of exploitation is likely limited to denial of service by triggering a crash, with the potential for other types of attacks during a service reboot. It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesn’t disappoint. CVE-2026-26113 and CVE-2026-26110 are both remote code execution flaws that can be triggered just by viewing a booby-trapped message in the Preview Pane. Satnam Narang at Tenable notes that just over half (55%) of all Patch Tuesday CVEs this month are privilege escalation bugs, and of those, a half dozen were rated “exploitation more likely” — across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server and Winlogon. These include: –CVE-2026-24291: Incorrect permission assignments within the Windows Accessibility Infrastructure to reach SYSTEM (CVSS 7.8) –CVE-2026-24294: Improper authentication in the core SMB component (CVSS 7.8) –CVE-2026-24289: High-severity memory corruption and race condition flaw (CVSS 7.8) –CVE-2026-25187: Winlogon process weakness discovered by Google Project Zero (CVSS 7.8). 
Ben McCarthy, lead cyber security engineer at Immersive, called attention to CVE-2026-21536, a critical remote code execution bug in a component called the Microsoft Devices Pricing Program. Microsoft has already resolved the issue on their end, and fixing it requires no action on the part of Windows users. But McCarthy says it’s notable as one of the first vulnerabilities identified by an AI agent and officially recognized with a CVE attributed to the Windows operating system. It was discovered by XBOW, a fully autonomous AI penetration testing agent. XBOW has consistently ranked at or near the top of the Hacker One bug bounty leaderboard for the past year. McCarthy said CVE-2026-21536 demonstrates how AI agents can identify critical 9.8-rated vulnerabilities without access to source code. “Although Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed,” McCarthy said. “This development suggests AI-assisted vulnerability research will play a growing role in the security landscape.” Microsoft earlier provided patches to address nine browser vulnerabilities, which are not included in the Patch Tuesday count above. In addition, Microsoft issued a crucial out-of-band (emergency) update on March 2 for Windows Server 2022 to address a certificate renewal issue with passwordless authentication technology Windows Hello for Business. Separately, Adobe shipped updates to fix 80 vulnerabilities — some of them critical in severity — in a variety of products, including Acrobat and Adobe Commerce. Mozilla Firefox v. 148.0.2 resolves three high severity CVEs. For a complete breakdown of all the patches Microsoft released today, check out the SANS Internet Storm Center’s Patch Tuesday post. Windows enterprise admins who wish to stay abreast of any news about problematic updates, AskWoody.com is always worth a visit. 
Please feel free to drop a comment below if you experience any issues applying this month’s patches.

Iran-Backed Hackers ...

A Little Sunshine

A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.

Based in Kalamazoo, Michigan, Stryker [NYSE:SYK] is a medical and surgical equipment maker that reported $25 billion in global sales last year. In a lengthy statement posted to Telegram, an Iranian hacktivist group known as Handala (a.k.a. Handala Hack Team) claimed that Stryker’s offices in 79 countries have been forced to shut down after the group erased data from more than 200,000 systems, servers and mobile devices.

A manifesto posted by the Iran-backed hacktivist group Handala, claiming a mass data-wiping attack against medical technology maker Stryker.

“All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption,” a portion of the Handala statement reads. The group said the wiper attack was in retaliation for a Feb. 28 missile strike that hit an Iranian school and killed at least 175 people, most of them children. The New York Times reports today that an ongoing military investigation has determined the United States is responsible for the deadly Tomahawk missile strike.

Handala was one of several Iran-linked hacker groups recently profiled by Palo Alto Networks, which links it to Iran’s Ministry of Intelligence and Security (MOIS). Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.

Stryker’s website says the company has 56,000 employees in 61 countries. A phone call placed Wednesday morning to the media line at Stryker’s Michigan headquarters sent this author to a voicemail message that stated, “We are currently experiencing a building emergency.
Please try your call again later.” A report Wednesday morning from the Irish Examiner said Stryker staff are now communicating via WhatsApp for any updates on when they can return to work. The story quoted an unnamed employee saying anything connected to the network is down, and that “anyone with Microsoft Outlook on their personal phones had their devices wiped.” “Multiple sources have said that systems in the Cork headquarters have been ‘shut down’ and that Stryker devices held by employees have been wiped out,” the Examiner reported. “The login pages coming up on these devices have been defaced with the Handala logo.” Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices. Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently. Palo Alto says Handala’s hack-and-leak activity is primarily focused on Israel, with occasional targeting outside that scope when it serves a specific agenda. The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploration company. “Recent observed activities are opportunistic and ‘quick and dirty,’ with a noticeable focus on supply-chain footholds (e.g., IT/service providers) to reach downstream victims, followed by ‘proof’ posts to amplify credibility and intimidate targets,” Palo Alto researchers wrote. 
The Handala manifesto posted to Telegram referred to Stryker as a “Zionist-rooted corporation,” which may be a reference to the company’s 2019 acquisition of the Israeli company OrthoSpace. Stryker is a major supplier of medical devices, and the ongoing attack is already affecting healthcare providers. One healthcare professional at a major university medical system in the United States told KrebsOnSecurity they are currently unable to order surgical supplies that they normally source through Stryker. “This is a real-world supply chain attack,” said the expert, who asked to remain anonymous because they were not authorized to speak to the press. “Pretty much every hospital in the U.S. that performs surgeries uses their supplies.” John Riggi, national advisor for the American Hospital Association (AHA), said the AHA is not aware of any supply-chain disruptions as of yet. “We are aware of reports of the cyber attack against Stryker and are actively exchanging information with the hospital field and the federal government to understand the nature of the threat and assess any impact to hospital operations,” Riggi said in an email. “As of this time, we are not aware of any direct impacts or disruptions to U.S. hospitals as a result of this attack. That may change as hospitals evaluate services, technology and supply chain related to Stryker and if the duration of the attack extends.” This is a developing story. Updates will be noted with a timestamp. Update, 2:54 p.m. ET: Added comment from Riggi and perspectives on this attack’s potential to turn into a supply-chain problem for the healthcare system.

 Feed

Cybersecurity researchers have discovered five malicious Rust crates that masquerade as time-related utilities to transmit .env file data to the threat actors. The Rust packages, published to crates.io, are listed below:
- chrono_anchor
- dnp3times
- time_calibrator
- time_calibrators
- time-sync
The crates, per Socket, impersonate timeapi.io and were published between late February and early March

 Feed

Microsoft on Tuesday released patches for a set of 84 new security vulnerabilities affecting various software components, including two that have been listed as publicly known. Of these, eight are rated Critical, and 76 are rated Important in severity. Forty-six of the patched vulnerabilities relate to privilege escalation, followed by 18 remote code execution, 10 information disclosure, four

 Feed

A threat actor known as UNC6426 leveraged keys stolen following the supply chain compromise of the nx npm package last year to completely breach a victim's cloud environment within a span of 72 hours. The attack started with the theft of a developer's GitHub token, which the threat actor then used to gain unauthorized access to the cloud and steal data. "The threat actor, UNC6426, then used this

 Feed

Meta on Wednesday said it disabled over 150,000 accounts associated with scam centers in Southeast Asia as part of a coordinated effort in partnership with authorities from Thailand, the U.S., the U.K., Canada, Korea, Japan, Singapore, the Philippines, Australia, New Zealand, and Indonesia. The effort also led to 21 arrests made by the Royal Thai Police, the company said. The action builds upon

 Feed

SAP has released security updates to address two critical security flaws that could be exploited to achieve arbitrary code execution on affected systems. The vulnerabilities in question are listed below:
- CVE-2019-17571 (CVSS score: 9.8) - A code injection vulnerability in SAP Quotation Management Insurance application (FS-QUO)
- CVE-2026-27685 (CVSS score: 9.1) - An insecure deserialization

 Feed

“You knew, and you could have acted. Why didn’t you?”  This is the question you do not want to be asked. And increasingly, it’s the question leaders are forced to answer after an incident. For years, many executive teams and boards have treated a large vulnerability backlog as an uncomfortable but tolerable fact of life: “we’ve accepted the risk.” If you’ve ever seen a report showing

 Feed

Agentic web browsers that leverage artificial intelligence (AI) capabilities to autonomously execute actions across multiple websites on behalf of a user could be trained and tricked into falling prey to phishing and scam traps. The attack, at its core, takes advantage of AI browsers' tendency to reason their actions and use it against the model itself to lower their security guardrails, Guardio

 Feed

Cybersecurity researchers have disclosed details of two now-patched security flaws in the n8n workflow automation platform, including two critical bugs that could result in arbitrary command execution. The vulnerabilities are listed below:
- CVE-2026-27577 (CVSS score: 9.4) - Expression sandbox escape leading to remote code execution (RCE)
- CVE-2026-27493 (CVSS score: 9.5) - Unauthenticated

Aggregator history: Wednesday, March 11, 2026