The period from March 16-23, 2026 saw significant threat activity across multiple attack vectors. Critical infrastructure exploitation dominated the threat landscape, with ransomware actors weaponizing zero-day vulnerabilities in Cisco Secure Firewall Management Center (CVE-2026-20131) since January, and APT28 targeting Ukrainian government entities via Zimbra flaws. Law enforcement achieved a major victory with the FBI seizure of Handala hacktivist group infrastructure following a destructive attack on Stryker medical devices. Nation-state threats intensified with the proliferation of the DarkSword iOS exploit chain targeting government officials and the Lazarus Group's Bluenoroff conducting cryptocurrency theft operations. The discovery of PolyShell, a critical unauthenticated RCE vulnerability affecting all Magento 2 installations, poses immediate risk to e-commerce platforms. Organizations face an elevated threat environment requiring immediate patching of actively exploited vulnerabilities in Cisco, Zimbra, SharePoint, and Ubiquiti products, while Apple users should update to address multiple buffer overflow vulnerabilities being exploited by sophisticated adversaries.
Multiple critical vulnerabilities are under active exploitation, including zero-day attacks on Cisco Secure Firewall and a newly disclosed Magento RCE flaw.
CVE-2026-20131, a maximum-severity deserialization vulnerability in Cisco Secure Firewall Management Center, has been exploited by the Interlock ransomware gang in zero-day attacks since late January. It allows unauthenticated remote attackers to execute arbitrary Java code as root.
A newly disclosed vulnerability affecting all Magento Open Source and Adobe Commerce stable version 2 installations allows unauthenticated attackers to achieve remote code execution and account takeover. It poses an immediate threat to e-commerce platforms worldwide.
A critical Microsoft SharePoint vulnerability patched in January is now being exploited in attacks. CISA has added this flaw to the Known Exploited Vulnerabilities catalog, requiring federal agencies to patch immediately.
Ubiquiti patched two vulnerabilities in UniFi Network Application, including a maximum-severity flaw that may allow attackers to take over user accounts. Organizations using Ubiquiti infrastructure should patch immediately.
CVE-2025-66376, a cross-site scripting vulnerability in Zimbra Collaboration Suite Classic UI, is being actively exploited by Russian APT28 (GRU-linked) hackers targeting Ukrainian government entities. Attackers abuse CSS @import directives in email HTML.
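The abuse described above relies on a mail client rendering CSS that pulls in content from an attacker-controlled server. The following is an added example, not code from the digest or from Zimbra, of the gateway-side check a defender can run on inbound email HTML: it walks `<style>` blocks and inline `style` attributes with Python's standard `html.parser`, reports every `@import` it finds, and offers a strip function that removes the rule before the message reaches a webmail UI. The sample message and the `.invalid` hostnames are constructed for the example.

```python
"""Detect and neutralize CSS @import directives in inbound email HTML.

Added example (not from the digest or from Zimbra): a mail-gateway check
that flags <style> blocks and inline style attributes containing @import,
so externally loaded stylesheets never reach the webmail renderer.
"""
import re
from html.parser import HTMLParser

# Matches "@import" wherever it appears (url(...) form or quoted-string form).
IMPORT_RE = re.compile(r"@import\b", re.IGNORECASE)

# Constructed sample message: one @import in a <style> block, one inline.
SAMPLE_EMAIL_HTML = """<html><head>
<style>@import url("https://mail-theme.example.invalid/x.css");</style>
</head><body style="@import 'https://cdn.example.invalid/a.css'; color: red">
<p>Quarterly report attached.</p></body></html>"""


class CssImportFinder(HTMLParser):
    """Collect every location where an @import directive appears."""

    def __init__(self):
        super().__init__()
        self._in_style = False
        self.findings = []  # list of (location, offending text)

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True  # HTMLParser hands us raw <style> text via handle_data
        for name, value in attrs:
            if name == "style" and value and IMPORT_RE.search(value):
                self.findings.append((f"<{tag} style=...>", value.strip()))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style and IMPORT_RE.search(data):
            self.findings.append(("<style>", data.strip()))


def find_css_imports(html: str) -> list:
    """Return all (location, text) pairs where an @import directive occurs."""
    parser = CssImportFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def strip_css_imports(html: str) -> str:
    """Remove each @import rule, up to and including its terminating semicolon."""
    return re.sub(r"@import\b[^;]*;?", "", html, flags=re.IGNORECASE)


if __name__ == "__main__":
    for location, text in find_css_imports(SAMPLE_EMAIL_HTML):
        print(f"{location}: {text}")
    print(strip_css_imports(SAMPLE_EMAIL_HTML))
```

The regex deliberately over-matches (it would also catch the literal text "@import" in a message body), which is the right trade-off for a gateway filter. It is not a complete CSS parser: CSS escape sequences and comments inside the keyword can evade a plain pattern match, so a production filter should tokenize the stylesheet properly or, simpler still, refuse to load any external stylesheet from email content at all.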
Apple products face three critical vulnerabilities: CVE-2025-31277 (buffer overflow in Safari/iOS/macOS), CVE-2025-43520 (classic buffer overflow allowing kernel memory writes), and CVE-2025-43510 (improper locking vulnerability). These flaws could allow malicious applications or web content to cause system termination or memory corruption.
ConnectWise warns of a cryptographic signature verification vulnerability in ScreenConnect that could lead to unauthorized access and privilege escalation. This follows the SILENTCONNECT malware campaign leveraging ScreenConnect for remote access.
Advanced persistent threat groups and ransomware operators conducted sophisticated campaigns targeting government, healthcare, and financial sectors.
Google Threat Intelligence Group identified a sophisticated iOS full-chain exploit dubbed DarkSword targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. Multiple state-level actors are using this exploit kit containing zero-day vulnerabilities to install infostealers targeting cryptocurrency wallets.
The FBI seized two websites operated by the Handala hacktivist group following a destructive cyberattack on medical technology giant Stryker that wiped approximately 80,000 devices. CISA issued warnings about Microsoft Intune exploitation used in the attack.
Crypto-powered gift card store Bitrefill attributes a recent cyberattack to North Korean hackers from the Bluenoroff subgroup of the Lazarus Group. The attack demonstrates the DPRK's continued focus on cryptocurrency theft operations.
The suspected India-linked SideWinder threat group is targeting governments, telecom, and critical infrastructure using spear-phishing, exploitation of old vulnerabilities, and rapidly rotating infrastructure to maintain persistent access across Southeast Asia.
The APT28 group, linked to Russian military intelligence (GRU), is actively exploiting Zimbra Collaboration Suite vulnerabilities in targeted attacks against Ukrainian government entities, demonstrating continued cyber operations aligned with geopolitical objectives.
New malware families and sophisticated attack frameworks emerged targeting mobile devices, containers, and enterprise systems.
A new Android malware named Perseus is checking user-curated notes to steal sensitive information including passwords, recovery phrases, and financial data. It represents an evolving mobile threat that targets non-traditional data storage locations.
Elastic Security Labs identified SILENTCONNECT, a sophisticated multi-stage loader leveraging VBScript, in-memory PowerShell execution, and PEB masquerading to silently deploy the ScreenConnect remote management tool. The loader demonstrates advanced evasion techniques.
New command-and-control implant SnappyClient enables remote access with extensive capabilities including data theft and surveillance, with specific focus on cryptocurrency wallet targeting.
Elastic Security Labs published a real-world walkthrough of TeamPCP's multi-stage container compromise, demonstrating attack chain progression and how Defend for Containers (D4C) surfaces runtime signals at each stage.
Sophisticated attack methodologies emerged including AI-targeted exploits, font rendering tricks, and credential theft campaigns.
Researchers discovered three vulnerabilities in Claude AI that can be chained together, starting with a prompt injection via Google search, to achieve data theft and potential enterprise network compromise. This highlights emerging risks in AI agent security.
Researchers discovered a font-rendering trick that can hide dangerous user instructions on websites from AI assistants, allowing attackers to inject malicious commands that appear legitimate to automated systems.
Microsoft Threat Intelligence identified widespread email campaigns using tax-related lures, W-2 forms, and government agency impersonation to harvest personal and financial data. Campaigns target both individuals and organizations during peak tax season.
Organized refund fraud operations now operate as a business model, with methods and tutorials sold to exploit return policies of major retailers for profit. Fraudsters systematically abuse refund and chargeback processes.
Security analysis reveals password reset mechanisms are often weaker than login security, creating opportunities for privilege escalation attacks. Specops Software outlines seven prevention strategies for securing reset workflows.
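The weakness above usually comes down to reset tokens that are guessable, stored in the clear, never expire, or can be replayed. As an added example that is not from the digest or from Specops, the following in-memory model shows the properties a reset workflow needs to be no weaker than the login it bypasses: a 256-bit token from a CSPRNG, only its hash kept server-side, a short expiry, single use, binding to the requesting account, and a constant-time comparison. The `ResetTokenStore` class, its clock parameter and the user names are constructed for the example.

```python
"""Password reset tokens that are at least as hard to abuse as the login itself.

Added example (not from the digest or from Specops): an in-memory model of a
reset workflow that stores only a hash of the token, expires it, consumes it
on first use, binds it to one account, and compares it in constant time.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # short validity window for the reset link


def _digest(token: str) -> bytes:
    """Hash the token so a leaked table does not contain usable reset links."""
    return hashlib.sha256(token.encode()).digest()


class ResetTokenStore:
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be exercised in tests
        self._pending = {}   # user_id -> (sha256(token), expiry timestamp)

    def issue(self, user_id: str) -> str:
        """Create a fresh token for one account. Issuing a new token replaces
        any older pending token for the same user."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[user_id] = (_digest(token), self._clock() + TOKEN_TTL_SECONDS)
        return token  # sent out of band (e-mail); never stored in plaintext

    def redeem(self, user_id: str, presented: str) -> bool:
        """Return True exactly once for a valid, unexpired token, then burn it."""
        record = self._pending.get(user_id)
        if record is None:
            return False  # no pending reset for this account (or wrong account)
        stored_hash, expires_at = record
        if self._clock() > expires_at:
            del self._pending[user_id]
            return False
        # Constant-time compare: no timing signal about how many bytes matched.
        if not hmac.compare_digest(stored_hash, _digest(presented)):
            return False
        del self._pending[user_id]  # single use: a captured link cannot be replayed
        return True


def demo() -> dict:
    """Walk through the failure modes the store is meant to close off."""
    now = [1_000_000.0]
    store = ResetTokenStore(clock=lambda: now[0])
    token = store.issue("alice")
    return {
        "cross_user": store.redeem("bob", token),      # token bound to alice
        "wrong": store.redeem("alice", "not-the-token"),
        "first": store.redeem("alice", token),          # the one legitimate use
        "replay": store.redeem("alice", token),         # already consumed
        "expired": _expired_case(store, now),
    }


def _expired_case(store: ResetTokenStore, now: list) -> bool:
    token = store.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1  # advance the injected clock past the TTL
    return store.redeem("alice", token)


if __name__ == "__main__":
    print(demo())
```

Storing the hash rather than the token is what makes the reset table no more valuable to an attacker than the password table; the other controls (expiry, single use, account binding) limit what a single intercepted link can do. A complete workflow would also rate-limit the request endpoint, log every redemption, and notify the account owner that a reset occurred.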
Attackers compromised Nordstrom's legitimate email system to send cryptocurrency scam messages disguised as St. Patrick's Day promotions, bypassing email authentication controls.
Government agencies and major technology companies announced significant policy updates and enforcement actions.
The European Union imposed sanctions on companies in China and Iran for cyberattacks, prohibiting them from entering or conducting business in the EU. These entities had already been sanctioned by the US and UK.
Research reveals social media tracking pixels allow Meta and TikTok to collect personal and financial information including credit card data and geolocations when users click on advertisements, raising privacy concerns.
Microsoft introduced Zero Trust for AI, adding an AI pillar to its security workshop, enhanced reference architecture, updated guidance, and a new assessment tool to help organizations secure AI systems.
OpenAI detailed how it monitors internal coding agents for misalignment using chain-of-thought analysis, studying real-world deployments to detect risks and strengthen AI safety safeguards.
Multiple organizations disclosed significant data breaches affecting millions of individuals.
Navia Benefit Solutions, Inc. disclosed a data breach exposing sensitive information of nearly 2.7 million individuals, representing one of the largest breaches during this period.
Texas-based Marquis disclosed that a ransomware attack in August 2025 resulted in data theft affecting over 670,000 individuals and disrupted operations at 74 banks across the United States.
Identity protection company Aura confirmed unauthorized access to nearly 900,000 customer records containing names and email addresses, potentially enabling targeted phishing campaigns.
Malwarebytes researchers identified criminals trading stolen tax records on dark web forums, with individual tax forms selling for as little as $20. Peak activity aligns with tax season identity theft campaigns.
Malwarebytes uncovered a sprawling network of over 20,000 fake online shops designed to steal payment details and personal data from unsuspecting consumers.