Cybersecurity Saturday

From the Iranian war front,

  • The Center for Strategic and International Studies offers an April 27, 2026, FAQ about “The Iranian Cyber Threat to U.S. Critical Infrastructure.”
  • MedTech Dive tells us,
    • “A cyberattack that shut down ordering, shipping and manufacturing at Stryker for weeks cut into the company’s first-quarter results.
    • “CEO Kevin Lobo told investors Thursday that the cyberattack “meaningfully” affected Stryker’s growth.
    • “The cyber incident had a big impact on our results and affected each of our businesses differently given their varied go-to-market models and processes to record revenue,” Lobo said. “This resulted in distortions in our first-quarter results that will normalize over the course of the year.” * * *
    • “Stryker was hit by the cyberattack on March 11. The company’s global Microsoft environment was disrupted, and ordering, shipping and manufacturing were shut down for weeks. Operations were not restored until the first week of April.
    • “The attack has been claimed by an Iran-linked threat actor tracked as Handala, according to Check Point Research. Along with the operational disruption, the group claims to have wiped thousands of servers and mobile devices, and stolen data.
    • “Lobo said the cyberattack wiped 40,000 laptops. He added that the company lost some procedures due to operations shutting down, and some sales reps were unable to get into hospitals. However, Lobo maintained that the company didn’t lose overall business.”
  • SC Media reports on April 27,
    • “Large medical devices maker Medtronic on April 24 said it was hit by a cyberattack that led to unauthorized access to data in some of its corporate IT systems. 
    • “However, in a statement, Medtronic said it had not identified any impact to its products, patient safety, or connections to its customers, manufacturing and distribution operations, financial reporting systems, or the company’s ability to meet patient needs.
    • “The networks that support our corporate IT systems, our products and our manufacturing and distribution operations are separate,” said the company. “Hospital customer networks remain separate from Medtronic IT networks and are secured and managed by customers’ IT teams.”
    • “The attack raised some eyebrows because it was reportedly claimed by Handala, the same group that was behind the attack on Stryker March 11 that led to service disruptions. This was the second publicly reported attack on a large medical device maker since the war with Iran started Feb. 28.”
    • “Handala didn’t target Medtronic by accident,” said Amir Khayat, co-founder and CEO of Vorlon. “Critical infrastructure, complex vendor networks, sensitive data, and known security gaps make healthcare one of the most attractive targets in the world. The teams that find out their exposure after an incident are the ones who never looked before it.”

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “The U.S. government wants to know how major U.S. technology companies are using AI to protect their computer networks and how they’re preparing for the possibility of an AI-driven cybersecurity crisis.
    • “Officials from the White House’s Office of the National Cyber Director (ONCD) have reached out to tech giants in recent weeks with questions about AI, information sharing, vulnerability patching and how the federal government can help, according to an email and a list of questions shared with Cybersecurity Dive.” * * *
    • “ONCD asked the companies to answer 11 questions on a range of cybersecurity topics by May 1.”
  • and
    • “A group of U.S. government agencies on Wednesday [April 29] offered advice for critical infrastructure organizations on applying zero-trust (ZT) principles to their operational technology (OT) environments.
    • “Taking a zero-trust approach to these industrial systems requires careful consideration, the new government publication says, “because OT systems interact with the physical environment and are constrained by availability and safety requirements, as well as legacy technology with long lifespans.”
    • “The document — co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the departments of Defense, Energy and State — describes the unique challenges that OT environments pose, the importance of clear governance frameworks and supply-chain oversight, and the steps that infrastructure operators should take to implement zero trust.”
  • and
    • “The Australian and U.S. governments, along with other international partners, released guidance on Friday [May 1] for safely deploying agentic AI systems.
    • The automation capabilities of AI agents create unique risks that can lead to “productivity losses, service disruption, privacy breaches or cybersecurity incidents,” the guidance document reads. “Organisations must therefore anticipate what could go wrong, assess how agentic AI risk scenarios might affect operations and establish ongoing visibility and assurance to maintain confidence in their agentic AI investments.”
    • “Safely using AI agents means “never granting it broad or unrestricted access, especially to sensitive data or critical systems,” the document warns. Companies, it says, “should only use agentic AI for low-risk and non-sensitive tasks.”
    • “The publication — co-issued by the Australian Signals Directorate, the U.S.’s Cybersecurity and Infrastructure Security Agency and National Security Agency and their British, Canadian and New Zealand counterparts — comes as businesses race to integrate AI tools into their workflows and increasingly embrace agentic AI for its ability to automate repetitive tasks.”
  • HelpNet Security adds,
    • “AI agents need credentials to work. They authenticate with LLM platforms, connect to databases, call SaaS APIs, access cloud resources, and orchestrate across dozens of external services. Every integration point requires an identity. Most organizations are handling this badly, and the evidence is in the code.
    • “GitGuardian’s State of Secrets Sprawl Report found 28,649,024 new secrets exposed in public GitHub commits across 2025, a 34% year-over-year increase and the largest annual jump in the report’s history.
    • “One of the root causes is authentication design: which credential type gets chosen, what scope it carries, how long it lives, and where it gets stored. In the meantime, AI is creating more credentials that need managing and generating more artifacts where those credentials leak.”
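As an added illustration (not code from the HelpNet Security article or from GitGuardian's report), the script below is the kind of pre-commit check that stops a credential from reaching a public commit in the first place: it inspects only the added lines of a unified diff, matches two well-known token formats by their real prefixes, and falls back to a Shannon-entropy test on generic key/secret/token/password assignments. The sample diff and the values in it are constructed (the AWS key is the example value from AWS's own documentation), and the pattern names and the entropy threshold are assumptions to tune per repository.

```python
"""Pre-commit style secret scan over the added lines of a unified diff.
Added example; thresholds, pattern names and the sample diff are assumptions."""
import math
import re

# Real token prefixes with fixed lengths, checked first.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
# Generic catch-all: NAME = "value" where NAME ends in key/secret/token/password
# and the value is long enough to be a credential rather than a word.
GENERIC = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*[\"']?([A-Za-z0-9_\-./+=]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune per repo


def shannon_entropy(s):
    """Bits of entropy per character; random-looking strings score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(secret):
    """Never echo the full value into logs or CI output."""
    return secret[:4] + "..." + secret[-2:]


def find_secrets(diff_text):
    """Return (line_no, kind, masked_value) for each added diff line that
    looks like a credential. Context and removed lines are ignored."""
    hits = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        matched = False
        for kind, rx in PATTERNS:
            for m in rx.finditer(body):
                hits.append((line_no, kind, mask(m.group(0))))
                matched = True
        if matched:
            continue  # do not double-report a known format as "generic"
        m = GENERIC.search(body)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            hits.append((line_no, "high_entropy_assignment", mask(m.group(1))))
    return hits


# Constructed sample diff: two known formats, one short password that is
# correctly ignored, and one random-looking generic secret.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,4 +1,6 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
+DB_PASSWORD = "hunter2"
+SLACK_SIGNING_SECRET = "k3Jd9Qw2Lp8Xz1Vb7Nc4Mt6Ry0Hs5Gf"
 DEBUG = os.environ.get("DEBUG", "0") == "1"
"""

if __name__ == "__main__":
    for line_no, kind, masked in find_secrets(SAMPLE_DIFF):
        print(f"line {line_no}: {kind} ({masked})")
```

Wire `find_secrets` to `git diff --cached` in a pre-commit hook and fail the commit on any hit; the masked output is deliberately all that ever reaches the console.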
  • Per a National Institute of Standards and Technology news release,
    • “The National Institute of Standards and Technology (NIST) is hosting a virtual event titled “Building Your Small Business Cybersecurity Team: From In-House to Outsourcing” on May 5, 2026, from 2:00 to 3:00 p.m. EDT. The webinar, part of National Small Business Week, focuses on helping small businesses develop cybersecurity teams to manage and reduce risks. It will address different team structures based on factors such as budget, staff capabilities, and organizational needs, including in-house roles, full teams, and outsourced support. Speakers will discuss considerations for hiring, outsourcing, and training employees, as well as available resources such as the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity. For additional information and to register for the event refer to the official NIST Event page.”
  • Cyberscoop informs us,
    • “Two former cybersecurity professionals who moonlighted as cybercriminals, committing a series of ransomware attacks in 2023, were each sentenced to four years in prison, the Justice Department said Thursday [April 30].
    • “Ryan Clifford Goldberg and Kevin Tyler Martin previously pleaded guilty to one of three charges brought against them in December and faced up to 20 years behind bars. 
    • “Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with Angelo John Martino III to attack victim computers and networks and use ALPHV, also known as BlackCat, ransomware to extort payments.
    • “These defendants exploited specialized cybersecurity knowledge not to protect victims, but to extort them,” Jason A. Reding Quiñones, U.S. attorney for the Southern District of Florida, said in a statement. “They used ransomware to lock down critical systems, steal sensitive data, and pressure American businesses into paying to regain access to their own information.”

From the cybersecurity breaches and vulnerabilities front,

  • The Washington Post reports on April 30,
    • “The Trump administration inadvertently exposed the Social Security numbers of health care providers in a database powering a new Medicare portal, The Washington Post found.
    • “The Centers for Medicare and Medicaid Services (CMS) last year created a directory to help seniors look up which doctors and medical providers accept which insurance plans, framing it as an overdue improvement and part of the Trump administration’s initiative to modernize health care technology.
    • “But a publicly accessible database used to populate the directory contains some of the providers’ Social Security numbers, linked to their names and other identifying information. For at least several weeks, CMS made the database available for public use as part of its data transparency efforts. The files are not immediately visible to users who visit the provider directory.
    • “The Post downloaded the database and identified at least dozens of Social Security numbers belonging to health care providers while reviewing a sample of rows.
    • “The Post informed health officials on Tuesday that the numbers had been exposed, giving the agency time to take down the database, and contacted some of the affected providers, who said they were confused and concerned.” * * *
    • “CMS officials said they are working to fix the problem that led to the exposure. A spokesperson said the problem “stems from incorrect entries of provider or provider-representative-supplied information in the wrong places” — essentially, that providers entered information in the wrong place and left their own Social Security numbers exposed.
    • “The agency has taken steps to address it promptly and reinforce safeguards around data submission and validation,” CMS said in a statement.”
  • Cyberscoop relates on April 30,
    • “A pair of persistent and problematic threat groups affiliated with The Com are actively targeting organizations across multiple critical infrastructure sectors for rapid data theft and extortion attacks, according to CrowdStrike.
    • “The financially-motivated attackers, which CrowdStrike tracks as Cordial Spider and Snarky Spider, have used voice-phishing and social engineering attacks to break into victims’ identity platforms and traverse SaaS environments since at least October 2025, the company said in a report Thursday, which it shared exclusively with CyberScoop prior to release. 
    • “Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said the subgroups composed of native English speakers primarily target U.S.-based organizations in the academic, aviation, retail, hospitality, automotive, financial services, legal and technology sectors.
    • “This “new wave of ecrime threat actors” are closely aligned with Scattered Spider and linked to other subsets of The Com, including SLSH and ShinyHunters, Meyers said.” 
  • Cybersecurity Dive tells us,
    • “Phishing attacks using QR codes to direct victims to malicious links surged in the first quarter of 2026, Microsoft said in a threat report published on Thursday [April 30].
    • “Email-based phishing attacks overwhelmingly used malicious links rather than attachments during the first three months of the year, reflecting the greater range of delivery options for externally hosted threats.
    • “A major phishing-as-a-service (PhaaS) platform is significantly diminished after recent attempts to choke off its infrastructure, the company said.”
  • InfoSecurity Magazine points out,
    • “The threat landscape in 2025 was characterized by a surge in compromised credentials, extortion and vulnerability exploitation, according to a new report from KELA.  
    • “The threat intelligence firm tracked nearly 2.9 billion compromised credentials last year globally, it said in its latest report, The State of Cybercrime 2026: Emerging Threats & Predictions.” * * *
    • “Cybercriminals and APT groups have moved from using AI merely as a supportive tool in attacks to making it an essential component in the complexity, enhancement, and escalation of those attacks,” it warned.
    • “Specifically, attacks have moved on from basic jailbreaking of LLMs to vibe hacking for autonomous execution of entire workflows, the report claimed. AI-assisted malware and prompt injection attacks designed to hijack agents are also increasingly common, KELA said.
    • “We’re seeing a fundamental pivot in adversary behavior with the shift from AI-assisted tools to fully autonomous, agentic malicious workflows, where over 80% of operations require minimal human oversight,” said David Carmiel, CEO of KELA.
    • “Attackers no longer need to break in through a backdoor, they can quickly find the key and walk through the front using stolen credentials. Organizations relying on stale intelligence and legacy defenses instead of AI-powered solutions are leaving the door wide open to attacks.”
  • The Cybersecurity and Infrastructure Security Agency, which beginning yesterday is no longer subject to shutdown, added four known exploited vulnerabilities to its catalog this week.

From the ransomware front,

  • Security Week reports,
    • “South Carolina-based healthcare provider Sandhills Medical Foundation has disclosed a data breach affecting nearly 170,000 individuals.
    • “Sandhills Medical said in a data security incident notice on its website that it discovered a ransomware attack on May 8, 2025. 
    • “It has since been working with law enforcement, cybersecurity experts, and a forensics firm to investigate the intrusion and determine its impact.
    • “Now, nearly one year later, the healthcare organization has publicly disclosed the incident and notified affected individuals.
  • Insurance Business Magazine relates,
    • “A single ransomware crew exploiting a single brand of firewall is now driving nearly half of all cyber insurance claims, At-Bay has warned, in a finding that recasts how underwriters and brokers should be thinking about risk selection.
    • “The cyber carrier’s 2026 InsurSec Report, drawn from more than 6,500 claims and 100,000 policy years, concluded that ransomware has entered an infrastructure-driven phase.
    • “Attackers, it said, are no longer hunting by industry or company size but by the network appliances their targets happen to run.
    • “Nearly three in four ransomware attacks, or 73%, began with a VPN in 2025 — a share that has almost doubled in two years.
    • “SonicWall topped the list of most-targeted VPNs for the first time, linked to 27% of ransomware claims. Akira alone accounted for more than 40%, the highest concentration of a single strain on At-Bay’s books, with SonicWall appliances present in 86% of its attacks.”
  • Security Affairs tells us,
    • “Symantec researchers report that recent Trigona ransomware attacks used a custom-built data exfiltration tool instead of common utilities like Rclone or MegaSync. This shift, seen in March 2026 incidents, gives attackers more control and helps them evade detection, as standard tools are often flagged by security systems. Researchers believe this move shows a growing investment in proprietary malware to stay stealthy. 
    • “The attacks, which occurred in March 2026, mark a significant shift in tactics for Trigona affiliates. The motivation for moving away from publicly available tools remains unknown.” reads the report published by Symantec. “Many publicly available tools are now so well known that they may be flagged by security solutions.”
    • “Trigona, active since late 2022, operates as a Ransomware-as-a-Service linked to the Rhantus cybercrime group.”
  • Dark Reading informs us,
    • “The latest variant of an emerging ransomware may be far more destructive than its operators intended, acting as a wiper that deletes many of an organization’s captured files instead of encrypting them, as typical ransomware does. This scenario makes recovery impossible for defenders while complicating the possibility of holding files for ransom for the attackers.
    • “The Vect 2.0 variant of the ransomware-as-service (RaaS) operation, which first appeared last December, has a flaw across its versions for Windows, Linux, and VMware ESXi that inadvertently and permanently destroys so-called “large files” rather than encrypting them, according to a report published this week by Check Point Software. 
    • “For all files of only 128KB or higher, “this effectively makes Vect a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included,” according to the report. Check Point has confirmed that the flaw, which “discards three of four decryption nonces for every file above 131,072 bytes (128 KB),” is identical across all three platform variants.” * * *
    • “For defenders, this makes the situation slightly worse, as they no longer will be able to recover all of their files, even if they agree to pay the ransom to do so, Check Point says. “Victims who pay the ransom cannot receive a working decryptor for their largest files, not through operator deception, but because the information required for decryption was irrecoverably destroyed at the moment of encryption.”
    • “They probably wouldn’t realize they can’t recover files only after the ransom is paid and their decryption key doesn’t work, which is why Check Point found it so important to report the flaw in Vect, Smadja says.”

From the cybersecurity business and defenses front,

  • CRN reports,
    • “Anthropic announced Thursday [April 30] it’s moving Claude Security, formerly known as Claude Code Security, into public beta to enable rapid AI-powered vulnerability discovery and remediation.
    • “The launch follows the widely discussed disclosure about Anthropic’s Claude Mythos Preview earlier this month, though the Claude Security offering does not leverage Mythos.
    • “Today’s models are already highly effective at finding flaws in software code,” Anthropic said in a blog post Thursday. “The next generation will be more capable still, and will be particularly effective at autonomously exploiting these flaws.”
  • Cybersecurity Dive relates,
    • “PwC has launched an AI-driven, unified detection-and-response managed security service, enabled by Google Security Operations.
    • “The recent announcement follows PwC’s three-year, $400 million collaboration investment with Google Cloud to modernize cybersecurity operations, unveiled in January. The offering targets smaller and mid-sized enterprises that wouldn’t typically turn to a big consulting firm for cybersecurity.
    • “This is not an old-school cyber-managed service offering that requires a lot of people, time and infrastructure to set up,” PwC’s Partner, Global and US Managed Services Leader, Tim Canonico told Channel Dive from the Google Cloud Next conference in Las Vegas. “We’re leveraging Google’s SecOps platform and building agents to do a lot of the work that would typically require large-scale teams to operate.” * * *
    • “All this automation has human checkpoints, and Canonico says it helps create an efficient, low-cost cybersecurity service with 24/7 monitoring, detection and response.”
  • Security Week tells us,
    • Cisco on Thursday [April 30] unveiled a new open source tool, named Model Provenance Kit, designed to help organizations address potential issues associated with the use of third-party AI models.
    • Organizations often leverage AI models obtained from model repositories such as HuggingFace, where millions of models are available.
    • While these models can offer many benefits, organizations often don’t track the changes made to them. In addition, although repositories provide guidance on the importance of model cards and metadata, the maintenance work performed by their developers can vary, affecting downstream users. 
  • The Wall Street Journal informs us,
    • “OpenAI and Microsoft MSFT have reached a truce.
    • “The startup and its longtime partner have forged a new deal that offers OpenAI more freedom to partner with Microsoft’s rivals, caps the amount of revenue it must share with the software giant through 2030 and removes a controversial clause in prior agreements. Microsoft, meanwhile, will retain access to the startup’s models and products.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the Iranian war front,

  • Cybersecurity Dive reports on April 23,
    • “Iran, long considered a steady and persistent cyber threat to the U.S., has raised its game in the months since the two nations went to war in February. 
    • “Iranian-backed cyber threat groups, which range from state-sponsored actors to pro-Iranian hacktivists and financially motivated hackers, appear to have evolved some of their motivations and capabilities in cyber, according to analysts and security researchers. 
    • “What we are seeing are attacks that are aiming to have a more destructive effect,” Annie Fixler, director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies told Cybersecurity Dive. 
    • Specifically, Iran-linked actors have increased the use of data wiping malware in recent attacks against Israel and demonstrated greater capability to evade detection, according to researchers at Palo Alto Networks. 
    • “In another alarming development, Darktrace last week published an analysis of a malware strain called ZionSiphon, to potentially tamper with chlorine levels and pressure controls in Israeli water facilities. The malware was embedded with pro-Iran and Palestinian messaging for additional psychological impact.”
  • A Federal News Network commentator shares “what federal leaders need to know about Iran’s cyber campaign.”
    • “To understand the cyber implications of this conflict, federal leaders need to understand how Iran uses cyber as a strategic instrument.”

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “Sean Plankey, the long-sidelined nominee to lead the Cybersecurity and Infrastructure Security Agency, asked President Donald Trump on Wednesday to withdraw his nomination.
    • “At this point in time, I am asking the President to remove my nomination from consideration,” he said in a notification letter seen by CyberScoop. “After thirteen months since my initial nomination, it has become clear that the Senate will not confirm me.”
    • “Plankey’s request comes weeks after the Senate confirmed MarkWayne Mullin to lead the Department of Homeland Security, CISA’s parent agency.”
  • and
    • “House Republicans unveiled on Wednesday Congress’ latest effort to tackle comprehensive digital privacy legislation for Americans.
    • “The Secure Data Act would allow consumers to opt out of data collection for individual businesses for the purposes of targeted advertising, selling to third parties or for use in automated decisionmaking.
    • “It would also require companies to inform consumers when their personal data is being collected or used, provide them with a portable version of that data, and give consent rights to parents over the data collection of teenagers.”
  • Per a NIST news release,
    • “The National Institute of Standards and Technology (NIST), in collaboration with the Department of Health and Human Services Office for Civil Rights (HHS OCR), announced the Safeguarding Health Information: Building Assurance through the Health Insurance Portability and Accountability Act (HIPAA) Security 2026 conference, scheduled for September 2–3, 2026, at the NIST campus in Gaithersburg, Maryland. The event will examine the current healthcare cybersecurity landscape and the HIPAA Security Rule, which establishes federal standards to protect the confidentiality, integrity, and availability of electronic protected health information. The conference will highlight practical strategies, tips, and techniques for implementing the HIPAA Security Rule, including required administrative, physical, and technical safeguards for covered entities and their business associates. Sessions will address best practices for managing risks to electronic health information and ensuring technical assurance, along with topics such as cybersecurity risk management, current threats to the healthcare community, and cybersecurity considerations for Internet of Things technologies in healthcare environments. The event will be offered in both in-person and virtual formats, with separate registration fees and timelines for each option. For additional details, visit the Safeguarding Health Information: Building Assurance through HIPAA Security 2026 event page.”
  • Per an April 23, 2026, HHS news release,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced settlements with four regulated entities following separate ransomware investigations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Ransomware is malicious software that blocks access to data—typically by encrypting it with a key known only to the attacker—until a ransom is paid. The resolutions announced mark 19 completed investigations from ransomware breaches and 13 completed investigations in OCR’s Risk Analysis Initiative.” * * *
    • “The settlements follow investigations into separate ransomware breaches that collectively affected over 427,000 individuals and involved the exposure of unsecured ePHI. The types of ePHI affected include demographic data, Social Security numbers (SSNs), financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the regulated entities have agreed to implement corrective action plans subject to OCR monitoring for two years and paid a total of $1,165,000 to OCR.”
  • Per an April 20, 2026, Justice Department news release,
    • “A Florida man, formerly employed as a ransomware negotiator, pleaded guilty to conspiring to commit ransomware attacks against U.S. companies in 2023.
    • “According to court documents, Angelo Martino, 41, of Land O’Lakes, Florida, collaborated with the operators of the Blackcat/ALPHV (“BlackCat”) ransomware variant used by cybercriminals to attack and extort institutions and companies. Beginning in April 2023, Martino abused his role at a U.S.-based cyber incident response company to assist BlackCat actors. Working as a negotiator on behalf of five different ransomware victims, Martino provided BlackCat attackers with confidential information about the negotiating position and strategy of his company’s clients without the clients’ or his employer’s knowledge or permission. This confidential information assisted the ransomware actors and maximized the ransoms that the victims were required to pay. The confidential information included the victims’ insurance policy limits and internal negotiation positions. The BlackCat actors paid Martino for this confidential information.” * * *
    • “To date, law enforcement has seized $10 million of assets from Martino, including digital currency, vehicles, a food truck, and a luxury fishing boat that Martino obtained using proceeds of the offense or acquired as a result of the offense.”
  • Cyberscoop adds,
    • “A core leader of the hacker subset of The Com responsible for a series of high-profile phishing attacks and cryptocurrency thefts from September 2021 to April 2023 pleaded guilty to federal charges, the Justice Department said Friday. 
    • “Tyler Robert Buchanan of Dundee, Scotland, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. The 24-year-old was arrested by Spanish police in Palma in 2024 as he attempted to board a charter flight to Naples, Italy. 
    • “Buchanan has been in federal custody since April 2025 and faces up to 22 years in federal prison at his sentencing, which is scheduled for August 21. 
    • “The British national and his co-conspirators, including Noah Michael Urban, who was sentenced to a 10-year federal prison sentence last year, harvested thousands of credentials via phishing and stole more than $8 million in cryptocurrency from U.S. residents via SIM-swapping attacks.”

From the cybersecurity breaches and vulnerabilities front,

  • Cybersecurity Dive reports,
    • “The Cybersecurity and Infrastructure Security Agency on Monday [April 20] released guidance related to the axios supply chain compromise originally disclosed in late March. 
    • “A suspected North Korean actor compromised the node package manager account for an axios maintainer last month. Axios is a Javascript library used widely across the software industry with millions of downloads per week. 
    • “CISA is urging security teams to monitor and review code depositories as well as continuous integration/continuous delivery pipelines that ran npm install or npm update on the compromised axios version, according to the guidance released Monday. 
    • “Security teams should search for cached versions of the affected dependencies in artifact repositories along with dependency management tools, according to the guidance. 
    • “If compromised dependencies are found during the search, organizations should revert the environment back to a known safe state, CISA said.” 
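To make the guidance concrete, here is an added example (not CISA's code and not the axios project's) that performs the lockfile and node_modules search described above. The compromised axios version numbers are not given on this page, so the COMPROMISED table holds labelled placeholder values that must be replaced with the versions named in the CISA advisory; the sample lockfile is constructed. It handles both lockfile layouts npm has used (the nested "dependencies" tree of lockfileVersion 1 and the flat "packages" map of versions 2 and 3) and can also walk an installed tree, which is what catches a CI cache that a lockfile alone would miss.

```python
"""Search npm lockfiles and installed node_modules for a compromised
package version. Added example; the placeholder versions below are not
from the advisory and must be replaced with the real ones."""
import json
import sys
from pathlib import Path

# PLACEHOLDER (constructed): replace with the versions named by CISA.
COMPROMISED = {
    "axios": {"0.0.0-PLACEHOLDER-BAD", "0.0.1-PLACEHOLDER-BAD"},
}


def is_compromised(name, version):
    return version in COMPROMISED.get(name, set())


def findings_from_lock(lock):
    """Return sorted (package, version, location) tuples for every
    compromised entry in a parsed package-lock.json.
    lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
    lockfileVersion 1 (and 2 for compatibility): nested "dependencies" tree."""
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        # The last node_modules segment is the package name (scoped names keep their scope).
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if is_compromised(name, meta.get("version", "")):
            hits.add((name, meta["version"], path))

    def walk(deps, prefix):
        for name, meta in deps.items():
            loc = f"{prefix}node_modules/{name}"
            if is_compromised(name, meta.get("version", "")):
                hits.add((name, meta["version"], loc))
            walk(meta.get("dependencies", {}), loc + "/")

    walk(lock.get("dependencies", {}), "")
    return sorted(hits)  # the set removes v2 entries listed under both maps


def scan_installed(root):
    """Check every installed package.json under root, including nested
    and scoped packages, for a compromised name/version pair."""
    hits = set()
    root = Path(root)
    for pattern in ("**/node_modules/*/package.json",
                    "**/node_modules/@*/*/package.json"):
        for pkg_json in root.glob(pattern):
            try:
                meta = json.loads(pkg_json.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest; skip it
            if is_compromised(meta.get("name", ""), meta.get("version", "")):
                hits.add((meta["name"], meta["version"], str(pkg_json.parent)))
    return sorted(hits)


# Constructed sample lockfile (lockfileVersion 3) with one bad entry.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "0.0.0-PLACEHOLDER-BAD"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/some-sdk/node_modules/axios": {"version": "1.0.0"},
    },
}

if __name__ == "__main__":
    # Usage: python scan_lock.py [path/to/package-lock.json] [project-root]
    if len(sys.argv) > 1:
        lock = json.loads(Path(sys.argv[1]).read_text(encoding="utf-8"))
    else:
        lock = SAMPLE_LOCK
    hits = findings_from_lock(lock)
    if len(sys.argv) > 2:
        hits += scan_installed(sys.argv[2])
    for name, version, where in hits:
        print(f"COMPROMISED {name}@{version} at {where}")
    sys.exit(1 if hits else 0)
```

Run it against each repository's lockfile and against the CI runner's cached node_modules; a non-zero exit is the signal to revert that environment to a known-good state, as the guidance recommends.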
  • and
    • “Vercel, a cloud development platform, said that some of its internal systems were accessed after a third-party tool called Context.ai was compromised while being used by one of Vercel’s employees, according to a blog post released Sunday [April 20].
    • “Vercel is widely known as the creator of Next.js, which is the open-source framework for React. 
    • “The attacker was able to take over the employee’s Vercel Google Workspace account and access certain company “environments and environment variables” that were not designated as “sensitive.”
    • “Vercel said that a limited number of customers had their credentials compromised during the attack, and that they have been notified. They were urged to immediately rotate credentials. 
    • “The company said it believes the attacker is highly sophisticated, based on an assessment of their “operational velocity and detailed understanding of Vercel’s systems.”
  • and
    • “Hackers working for the Chinese government are increasingly hiding their attacks behind ready-made networks of hacked routers and other networking equipment, the U.S. and several allies said on Thursday [April 23].
    • “Attackers’ use of these so-called covert networks is not new, the agencies said in a joint advisory, “but China-nexus cyber actors are now using them strategically, and at scale.”
    • “By funneling their activity through compromised networking equipment — mostly small office and home office (SOHO) routers, but also internet of things devices — hackers can obfuscate their origins and make it harder for defenders to spot reconnaissance, malware deployment and data exfiltration.”
  • Cyberscoop adds,
    • “A state-sponsored hacking group has implanted a custom backdoor on Cisco network security devices that can survive firmware updates and standard reboots, U.S. and British cybersecurity authorities disclosed Thursday, marking a significant escalation in a campaign that has targeted government and critical infrastructure networks since at least late 2025.
    • “The Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre jointly published a malware analysis report identifying the backdoor, code-named Firestarter. Cisco’s threat intelligence division, Talos, attributed the malware to a threat actor it tracks as UAT-4356. The company attributed the same group to a 2024 espionage campaign called ArcaneDoor, which focused on compromising network perimeter devices.
    • “CISA confirmed it discovered Firestarter on a U.S. federal civilian agency’s Cisco Firepower device after identifying suspicious connections through continuous network monitoring. The finding prompted an updated emergency directive issued Thursday, requiring all federal civilian agencies to audit their Cisco firewall infrastructure and submit device memory snapshots for analysis by Friday.”
  • CISA added fourteen known exploited vulnerabilities (KVEs) to its catalog this week.
    • April 20, 2026
      • CVE-2023-27351 PaperCut NG/MF Improper Authentication Vulnerability
      • CVE-2024-27199 JetBrains TeamCity Relative Path Traversal Vulnerability
      • CVE-2025-2749 Kentico Xperience Path Traversal Vulnerability
      • CVE-2025-32975 Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
      • CVE-2025-48700 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
      • CVE-2026-20122 Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
      • CVE-2026-20128 Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
      • CVE-2026-20133 Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability
        • The Cybersecurity Express discusses these KVEs here.
        • Cybersecurity Dive discusses the Cisco KVEs here.
    • April 22, 2026
      • CVE-2026-33825 Microsoft Defender Insufficient Granularity of Access Control Vulnerability
        • Bleeping Computer discusses this KVE here.
    • April 23, 2026
      • CVE-2026-39987 Marimo Remote Code Execution Vulnerability
        • Resecurity discusses this KVE here.
    • April 24, 2026
      • CVE-2024-7399 Samsung MagicINFO 9 Server Path Traversal Vulnerability
      • CVE-2024-57726 SimpleHelp Missing Authorization Vulnerability
      • CVE-2024-57728 SimpleHelp Path Traversal Vulnerability
      • CVE-2025-29635 D-Link DIR-823X Command Injection Vulnerability 
        • The Hacker News discusses these KVEs here.
  • Cybersecurity Dive informs us,
    • “Phishing was the most common way hackers breached their targets in the first quarter of 2026, after nearly a year out of the top spot, Cisco’s Talos threat intelligence team said in a report published on Wednesday.
    • “Nearly 20% of Cisco’s incident-response engagements involved the preliminary stages of a ransomware attack, according to the report — significantly lower than in the first two quarters of 2025, when it was 50%.
    • “Cisco also said it saw hackers using AI to improve phishing attacks.”
  • and
    • “Companies using AI to write code are creating serious security risks that not all organizations feel prepared to handle, according to a report released Wednesday by the security testing firm ProjectDiscovery.
    • “Security personnel want audit trails and access limitations before they integrate AI into their processes, ProjectDiscovery found. “They are not opposed to the technology, but they need it to earn its place.”
    • “The report highlights one of the most fraught aspects of the AI revolution in the corporate world: the tension between AI-assisted coders and the people responsible for protecting their work.”
  • Dark Reading points out,
    • “AI agents can now carry out end-to-end cloud attacks with minimal human guidance, exploiting known misconfigurations and vulnerabilities at a speed no human attacker can match. 
    • “That’s the central finding of a new proof-of-concept (PoC) study by Palo Alto Networks’ Unit 42, where researchers built an autonomous multi-agent system that carried out a complete cloud attack chain in a live environment, using a single natural-language prompt.
    • “The study suggests an intrusion campaign that Anthropic uncovered last year, when a Chinese state-affiliated cyber-espionage group used the company’s Claude AI to automate large portions of an attack chain, was more a preview of things to come rather than an exception.”
  • Cyberscoop notes,
    • “Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations.
    • “Pre-attack surveillance and planning leaves a lot of noise in its wake. These signals — particularly spikes in traffic that are hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release. 
    • “Roughly half of every activity surge GreyNoise detected during a 103-day study last winter was followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report.
    • “Researchers determined that the median warning of an impending vulnerability disclosure arrived nine days before the targeted vendor issued a public alert to its customers.”
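The surge-then-disclosure relationship GreyNoise describes, as an added example that is not from the page or from GreyNoise: it flags per-vendor traffic spikes against a robust trailing baseline and measures how often a spike precedes that vendor's disclosure within the report's three-week horizon. All vendor names, daily counts, disclosure dates and the MAD multiplier are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

WINDOW_DAYS = 14       # trailing baseline window per vendor (assumption)
MAD_MULTIPLIER = 6.0   # assumption: how far above the robust baseline counts as a surge
LOOKAHEAD_DAYS = 21    # the "within three weeks" horizon from the report

def build_sample_observations():
    """Constructed daily records (day, vendor, count) over a 103-day window."""
    start = date(2026, 1, 1)
    baseline = {"vendorA": 12, "vendorB": 30, "vendorC": 8}
    # Injected spikes keyed by (vendor, day index): constructed, not real data.
    spikes = {("vendorA", 20): 140, ("vendorB", 45): 400,
              ("vendorC", 30): 90, ("vendorA", 70): 160}
    records = []
    for idx in range(103):
        day = start + timedelta(days=idx)
        for vendor, base in baseline.items():
            jitter = (idx * 7) % 5  # small deterministic day-to-day variation
            records.append((day, vendor, spikes.get((vendor, idx), base + jitter)))
    return records

# Constructed public advisory dates per vendor (not real disclosures).
SAMPLE_DISCLOSURES = {
    "vendorA": [date(2026, 1, 30)],  # 9 days after the Jan 21 spike; the Mar 12 spike gets none
    "vendorB": [date(2026, 3, 4)],   # 17 days after the Feb 15 spike
    "vendorC": [],                   # spike with no disclosure: noise, not signal
}

def detect_surges(records, window=WINDOW_DAYS, k=MAD_MULTIPLIER):
    """Flag days where a vendor's count exceeds median + k * MAD of its trailing window."""
    by_vendor = defaultdict(list)
    for day, vendor, count in sorted(records):
        by_vendor[vendor].append((day, count))
    surges = []
    for vendor, series in by_vendor.items():
        for i in range(window, len(series)):
            history = [c for _, c in series[i - window:i]]
            med = median(history)
            # Median absolute deviation, floored at 1 so a flat window cannot fire on tiny changes.
            mad = max(median(abs(c - med) for c in history), 1.0)
            day, count = series[i]
            if count > med + k * mad:
                surges.append((vendor, day))
    return surges

def correlate(surges, disclosures, lookahead=LOOKAHEAD_DAYS):
    """Match each surge to the first disclosure by the same vendor inside the lookahead."""
    leads = []
    for vendor, day in surges:
        later = [d for d in disclosures.get(vendor, [])
                 if day < d <= day + timedelta(days=lookahead)]
        if later:
            leads.append((min(later) - day).days)
    return {
        "surges": len(surges),
        "matched": len(leads),
        "match_rate": len(leads) / len(surges) if surges else 0.0,
        "median_lead_days": median(leads) if leads else None,
    }

def run_sample():
    """Run detection and correlation over the constructed data."""
    return correlate(detect_surges(build_sample_observations()), SAMPLE_DISCLOSURES)

if __name__ == "__main__":
    print(run_sample())
```

On the constructed data two of four surges precede a disclosure, which mirrors the "roughly half" figure only by construction; the unmatched vendorC and second vendorA spikes show why a surge is a prompt to check exposure, not a confirmed advisory.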

From the ransomware front,

  • Bleeping Computer reports,
    • “Home security giant ADT has confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid.
    • “In a statement shared today, the company said it detected unauthorized access to customer and prospective customer data on April 20, after which it terminated the intrusion and launched an investigation.
    • “This investigation determined that personal information was stolen during the breach.”
    • “The investigation confirmed that the information involved was limited to names, phone numbers, and addresses,” ADT told BleepingComputer.
    • “In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included. Critically, no payment information — including bank accounts or credit cards — was accessed, and customer security systems were not affected or compromised in any way.”
  • and
    • “Recently observed Trigona ransomware attacks are using a custom, command-line tool to steal data from compromised environments faster and more efficiently.
    • “The utility was employed in attacks in March that were attributed to a gang affiliate, likely in an effort to avoid publicly available tools, such as Rclone and MegaSync, that typically trigger security solutions.
    • “Researchers at cybersecurity company Symantec believe that the shift to a custom tool may indicate that the attacker is “investing time and effort in proprietary malware in a bid to maintain a lower profile during a critical phase of their attacks.”
  • and
    • “A new Kyber ransomware operation is targeting Windows systems and VMware ESXi endpoints in recent attacks, with one variant implementing Kyber1024 post-quantum encryption.
    • “Cybersecurity firm Rapid7 retrieved and analyzed two distinct Kyber variants in March 2026 during an incident response. Both variants were deployed on the same network, with one targeting VMware ESXi and the other focusing on Windows file servers.
    • “The ESXi variant is specifically built for VMware environments, with capabilities for datastore encryption, optional virtual machine termination, and defacement of management interfaces,” explains Rapid7.”
  • Dark Reading relates,
    • “A ransomware gang known as “The Gentlemen” has made a name for itself, claiming hundreds of victims in a matter of months.
    • “The Gentlemen is a ransomware-as-a-service (RaaS) outfit that first popped up in mid-2025. While it operates fairly typical double extortion attacks (using both encryption and data leaking as extortion levers), The Gentlemen is known for sophisticated tactics, techniques, and procedures (TTPs), such as antivirus killers and complex infection chains.
    • “Check Point Research this week published its latest findings concerning the gang, noting that it has claimed hundreds of victims and uses malware including something called SystemBC, which researchers described as “a proxy malware frequently leveraged in human‑operated ransomware operations for covert tunneling and payload delivery.”

From the cybersecurity defenses front,

  • TechTarget discusses,
    • “Beyond awareness: Human risk management metrics for CISOs
    • “Traditional security training isn’t keeping threat actors out. As employee awareness programs fall short, Forrester Research suggests a better approach.” * * *
    • “With cybersecurity threats evolving so swiftly, organizations cannot afford to rely on outdated security awareness programs that fail to address the root causes of human vulnerabilities. Human risk management offers a transformative approach, shifting the focus from mere awareness to actionable behavior change.”
  • Dark Reading points out,
    • “When Anthropic announced Project Glasswing this month, most coverage landed on the headline numbers: a 27-year-old OpenBSD vulnerability, a 16-year-old FFmpeg flaw, a Linux kernel exploit chain assembled without human steering. The coalition behind it, including AWS, Apple, Cisco, CrowdStrike, Google, Microsoft, Palo Alto Networks, and others, isn’t there for the optics; they’re there because the model’s capabilities are real, and the coordinated disclosure pipeline matters.
    • “The part worth dwelling on is the FFmpeg result specifically. At least five million automated fuzzer testing passes hit that vulnerable line of code and not one caught it. Mythos Preview read the code, understood what it was doing, and found the flaw.
    • “That gap highlights a fundamental security misconception of the past two decades.
    • “The industry built enumerators. It needed readers.
    • “Automated security tooling has almost always worked the same way at its core: define a pattern, scan to identify the pattern, flag the match. SIEMs ingest event logs and match rules. Static analysis tools check code against known signatures. Vulnerability scanners compare software versions against CVE databases, and so on. These are mostly based on enumeration, and enumeration can only find what you already know to look for.
    • “Five million passes with the industry standard tools, zero catches. These tools knew how to count. But they didn’t know how to read.
    • “Mythos Preview succeeded because it approached the code the way a skilled human analyst would: with an understanding of intent, of relationships between components, of what a sequence of operations does, rather than what it superficially looks like. Security at that depth has been the exclusive domain of rare, expensive human expertise. A model that replicates it at scale is genuinely a different kind of thing, and the industry is right to pay attention.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the Iranian war front,

  • The New York Times reports on April 16,
    • “The exchange of bombs and missiles in the Middle East between Iran and its foes has been paused for more than a week now. Iran’s hackers, however, have remained active on the digital battlefield.
    • “Iran has continued its cyberspace operations since the cease-fire with the United States began on April 8, according to Western cybersecurity experts and former U.S. intelligence officials. In doing so, Tehran is trying to keep up pressure on the United States and Israel but also positioning itself to mount a bigger retaliation if peace talks do not resume.” * * *
    • “This is a time, more than ever, we should worry about Iran,” said Evan Peña, a co-founder of the cybersecurity firm Armadin. “In cyberwarfare there isn’t really a cease-fire.”
    • “Mr. Peña said that if the cease-fire or negotiations collapsed, Iran would want to be in a strong position to retaliate, potentially by attacking critical infrastructure in the United States. Tehran has done so in the past but generally with limited impact. More than a decade ago, Iranian hackers targeted a small dam in upstate New York, but by happenstance the dam’s sluice-gate controls had been taken offline for maintenance, much to the relief of U.S. investigators at the time.
    • “Iran, Mr. Peña said, is going to be more aggressive and devote more resources to trying to get access to American companies as the war rages on.” * * *
    • “Josh Zweig, the chief executive of Zip Security, which secures small and midsize enterprises, said Iran was specifically looking for less well-defended targets, like municipal-run water and energy facilities.
    • “He also said small firms that make investment decisions for wealthy individuals and families have been targeted.”

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “National Cyber Director Sean Cairncross expects more executive orders coming from the White House as part of implementing the national cybersecurity strategy, he said Wednesday [April 15].
    • “Staffers on Capitol Hill and others in the cyber world have been awaiting the implementation guidance the Trump administration had proclaimed would come to accompany the strategy published last month.
    • “Asked at a Semafor event about whether that would include executive orders, Cairncross answered, “I think that that’s the case.”
    • “Cairncross touted American ingenuity for producing an artificial intelligence model like Anthropic’s Claude Mythos, rather than it developing under U.S. cyber rivals like China or Russia. He acknowledged reports about the administration holding meetings about the cyber risks and benefits of something like Mythos — “the model right now that everyone’s talking about” — adding that the administration is looking to balance the dangers and positive capabilities of AI in cyberspace.”
  • and
    • “The federal agency tasked with analyzing security vulnerabilities is overwhelmed as it and other authorities struggle to keep pace with a flood of defects that grows every year. The National Institute of Standards and Technology announced Wednesday that it has capitulated to that deluge and narrowed the priorities for its National Vulnerability Database.
    • “NIST said it will only prioritize analysis for CVEs that appear in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, software used in the federal government and critical software defined under Executive Order 14028.
    • “The federal agency’s goal with the change is to achieve long-term sustainability and stabilize the NVD program, which has encountered previous challenges, notably a funding lapse in early 2024 that forced NIST to temporarily stop providing key metadata for many vulnerabilities in the database.” * * *
    • “NIST said CVEs that don’t fit its more narrow criteria will still be listed in the NVD, but they won’t be automatically enriched with additional details. 
    • “This will allow us to focus on CVEs with the greatest potential for widespread impact,” the agency said. “While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.”
  • Dark Reading adds,
    • “[C]ybersecurity teams will need to move to make up for the loss of enrichment data, according to Shane Fry, chief technology officer at RunSafe Security.
    • “Anthropic’s Mythos highlights why NIST is making this move in the first place,” Fry says. “They have already seen a surge in CVE submissions over the past year and have not been able to keep up. Mythos and other tools for AI-assisted vulnerability will only add to the volume of vulnerabilities disclosed. It’s a problem the industry has been aware of for some time.” 
    • “So without the ability to keep up with the sheer volume of CVEs, cyber teams need to pivot, Fry adds.
    • “The way forward will have to emphasize building defenses into software itself to prevent the exploit of bugs and zero-days even before patches are available or the vulnerability is disclosed,” he advises.” 
  • Federal News Network tells us,
    • “The [U.S.] Office of Personnel Management announced this week that it will be expanding its Tech Force hiring program to include opportunities for agencies to hire cybersecurity specialists. That’s on top of the program’s existing recruitment efforts for software engineers, data scientists and product managers.
    • “The newly added cybersecurity roles will focus on “protecting critical systems, strengthening federal cybersecurity capabilities and safeguarding the digital infrastructure relied on by millions of Americans,” OPM said in a press release.
    • “The federal government depends on strong cybersecurity to protect critical systems and maintain public trust,” OPM Director Scott Kupor said Monday. “Through Tech Force, we’re recruiting highly skilled cybersecurity professionals to take on real challenges and strengthen the government’s defenses where it matters most.”
  • Cyberscoop informs us,
    • “Authorities from 21 countries took down 53 domains and arrested four people allegedly involved in distributed denial-of-service operations used by more than 75,000 cybercriminals, Europol said Thursday. 
    • “The globally coordinated effort dubbed “Operation PowerOFF” disrupted booter services and seized and dismantled infrastructure, including servers and databases, that supported the DDoS-for-hire services, officials said.
    • “Law enforcement agencies obtained data on more than 3 million alleged criminal user accounts from the seized databases, and ultimately sent more than 75,000 emails and letters to participants, warning them to halt their activities.”
  • and
    • “Two New Jersey men were sentenced Wednesday for facilitating North Korea’s long-running scheme to plant operatives inside U.S. businesses as employees, generating more than $5 million in illicit revenue for the regime, the Justice Department said. 
    • “The U.S. nationals — Kejia Wang, also known as Tony Wang, and Zhenxing Wang, also known as Danny Wang — were part of a years-long conspiracy that placed operatives in jobs at more than 100 U.S. companies, including many Fortune 500 companies, based in 27 states and the District of Columbia. * * *
    • “Both men previously pleaded guilty to an assortment of crimes. Kejia Wang was sentenced to nine years in prison for conspiracy to commit wire and mail fraud, money laundering and identity theft. Zhenxing Wang was sentenced to 92 months in prison for conspiracy to commit wire and mail fraud and money laundering. 
    • “The pair were also ordered to forfeit a combined $600,000, of which two-thirds has already been paid, officials said.”

From the cybersecurity breaches and vulnerabilities front,

  • Health Exec reports,
    • “Healthcare IT infrastructure and electronic health record company CareCloud confirmed in a regulatory filing that it’s suffered a data breach, said to have impacted one of its six patient record stores, with hackers inside its network for “approximately eight hours.”
    • “The “cybersecurity incident” was disclosed in a filing with the U.S. Securities and Exchange Commission, and said the incident occurred on March 16. The company said that, while intruders did access patient medical records, it wasn’t clear if any data was stolen.
    • “An investigation into the data breach is still ongoing, and CareCloud said it’s working with a third-party cybersecurity organization to gather the details. After some downtime, CareCloud said it believes the invasion has been thwarted and that criminals no longer have a way inside its network.
    • “Systems were taken down and restored the same day. Details such as how the cyberattack was conducted and whether any ransomware was deployed were not revealed. It’s also not clear if any notable cybercrime syndicate was behind the data breach, nor whether those responsible made any demands.
    • “The filing with the SEC was released on March 24, and there hasn’t been any real update from the company since.”
  • The Cybersecurity and Infrastructure Security Agency added ten known exploited vulnerabilities (KVEs) to its catalog this week.
  • Cybersecurity Dive tells us,
    • “Hackers are attempting to exploit a high-severity flaw found in several end-of-life routers from TP-Link, according to a blog post published Friday [April 17] by Palo Alto Networks’ Unit 42. 
    • “Researchers warn the observed payloads share similarities to those found in malware used in Mirai-like botnets. Such activity would involve attempts to download the malware and execute on vulnerable devices, according to researchers. 
    • “The vulnerability was originally disclosed in June 2023, and proof of concept exploits appeared prior to the disclosure, wrote Unit 42 researchers.
    • “The Cybersecurity and Infrastructure Security Agency previously added the command injection vulnerability, tracked as CVE-2023-33538, to its Known Exploited Vulnerabilities catalog in July 2025.” 

From the ransomware front,

  • The HIPAA Journal reports,
    • “Brockton Hospital in Massachusetts is continuing [as of April 15] to grapple with a cybersecurity incident that took many of its electronic systems offline on April 6, 2026, and forced the hospital to divert ambulances to alternate facilities and cancel scheduled cancer treatments. An investigation into the cyberattack is ongoing, and the hospital is working with federal and state officials. While some systems have been brought back online, the hospital is continuing to use its downtime procedures, with staff members working off paper rather than computers. A Signature Healthcare spokesperson told Boston 25 News that the hospital would continue under downtime procedures for the next two weeks. * * *
    • “The Anubis ransomware-as-a-service group claimed responsibility for the attack. Anubis engages in double extortion, stealing data and encrypting files. A ransom must be paid to prevent the release of stolen data and obtain the keys to recover encrypted files. According to SuspectFile, which was contacted by a member of the Anubis group, files were encrypted in the attack. The Anubis spokesperson told SuspectFile that only non-critical systems were encrypted, and 2TB of data was stolen in the attack, including a large volume of patient data.
    • “Anubis is attempting to pressure Signature Healthcare into paying the ransom by adding the hospital to its data leak site, along with a countdown clock when the stolen data will be published. Signature Healthcare has yet to confirm the extent of data theft, which may not be known for some time. The priority continues to be patient care, remediating the attack, and bringing systems back online when it is safe to do so.”
  • Govtech relates,
    • “Ransomware continues to pose a serious threat to U.S. critical infrastructure, with more than 2,100 related incidents reported to federal authorities in 2025, according to the latest FBI Internet Crime Complaint Center (IC3) report.
    • “To put that number in perspective, IC3 reported roughly 1,100 data breach threats to critical infrastructure, which includes sectors such as health care, critical manufacturing, financial services, energy and agriculture, among others. Ransomware attacks directed at critical infrastructure are serious, possessing as they do the potential to disrupt operations, expose sensitive data and affect the delivery of public services.
    • “Those incidents have implications for state and local government organizations, which operate or support many of these systems. The nation’s critical infrastructure spans 16 sectors whose disruption would have a debilitating effect on the United States. Of these, the health-care and public health services sector reported the highest number of incidents, the report shows.”
  • SC Media adds,
    • “Analysis by Check Point researchers showed that out of the 672 ransomware attacks reported in March 2026, Qilin alone accounted for 20%, followed by Akira, which was responsible for 12% of the attacks, and Dragonforce RaaS, which was responsible for 8% of the incidents, reports Infosecurity News.”
  • and
    • “Suspected former Black Basta ransomware affiliates are ramping up targeting of senior-level executives with social-engineering attacks designed to deploy remote monitoring and management (RMM) software, ReliaQuest reported Tuesday.
    • “Black Basta, a previously notorious Russia-linked ransomware-as-a-service (RaaS), became defunct last year following leaked chats exposing its infrastructure and techniques. However, attacks leveraging the group’s distinct tactics, techniques and procedures (TTPs) have continued into 2026, with ReliaQuest noting an accelerating volume and increased targeting of company leadership.
    • “For example, Microsoft Teams-based phishing — a staple of Black Basta’s playbook — is becoming more prevalent, with 56% of all Teams phishing over the last year occurring within the last quarter, and nearly a third happening in March 2026 alone.”
  • Industrial Cyber notes,
    • “New data from Cyfirma disclosed that ransomware activity in March reflects a continuation of the sector’s shift toward structured, repeatable extortion models, where encryption is paired with data theft to maximize pressure on victims. The findings show that growing fragmentation of extortion groups suggests that smaller or emerging threat actor groups could adopt automation, AI-assisted reconnaissance, and data-driven victim profiling to scale operations efficiently. These campaigns rely heavily on coercive messaging, warning against third-party recovery attempts and reinforcing the risk of permanent data loss, underscoring how psychological pressure remains central to payment conversion strategies. 
    • “At the operational level, ransomware actors in March continue to refine rather than reinvent their tactics, prioritizing efficiency, scalability, and consistency across attacks. Cyfirma assesses that groups are likely to enhance encryption speed, standardize extortion workflows, and expand double extortion practices, while relying on common intrusion vectors such as phishing and exposed services. The broader trajectory points to incremental evolution within a mature ecosystem, where innovation is less about novel techniques and more about optimizing execution and monetization across a globally opportunistic threat landscape.” 
  • Security Boulevard informs us,
    • “Double extortion is bad enough—that’s the current tactic favored by ransomware groups—but the emerging quadruple extortion promises to further complicate mitigation and response by targeted organizations, prompting an escalation in extortion payments.  
    • “Yet that’s just one piece of evidence that ransomware continues to evolve despite high-profile takedowns by law enforcement—they just reincarnate or rebrand as new groups, new research by Akamai shows. Of course, the biggest game-changer is GenAI, as RaaS operators like Black Basta and FunkSec press LLMs into service to generate code and greatly improve the social engineering techniques that give bad actors a foot in the door and to scale up attacks, opening the door for even less sophisticated actors to execute damaging attacks.
    • “Ransomware groups continue to seek additional ways to generate profit, such as by pressuring victims and weaponizing compliance,” researchers at Akamai note in their Ransomware Report 2025.
    • “Noting that ransomware tactics have moved “away from traditional encryption-centric ransomware tactics towards more sophisticated and advanced extortion methods,” Nathaniel Jones, vice president, security and AI strategy and field CISO at Darktrace, says, “rather than relying solely on encrypting a target’s data for ransom, threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met.” 

From the cybersecurity defenses front,

  • The Wall Street Journal reports,
    • “The software bug was capable of crashing an operating system used by firewalls, servers and network appliances. It went undetected for over 27 years.
    • “Last month, it was caught by Mythos, the latest AI model from Anthropic that has spooked the White House, banking executives and cybersecurity professionals around the world.
    • “Welcome to the bug armageddon. AI models like Mythos and others are finding bugs in older software at a rate never seen before.
    • “While most of the coding issues may be minor, their sheer volume has amplified the risk that smaller software developers will become overwhelmed with reports of bugs such as the one Mythos found. Thanks to AI, hackers will be able to leverage those bugs more quickly than ever before.
    • “The 1998 bug in the OpenBSD operating system was one of thousands Mythos found last month. Anthropic said last week that it is working with about 50 technology companies and organizations to find and fix bugs and currently has no plans to release Mythos to the general public.
    • “We need to know that we can release it safely, and it’s not exactly clear how we can do that with full confidence,” said Logan Graham, the head of Anthropic’s Frontier Red Team, which evaluates AI for risks.”
  • Security Week relates,
    • “To help security teams prepare for this future, the Cloud Security Alliance has developed and published The ‘AI Vulnerability Storm’: Building a ‘Mythos-ready’ Security Program. The report does not provide a solution, but it will help readers understand what is coming, and what they must do in preparation.
    • “Mythos will not fundamentally change the nature of cybersecurity. It primarily provides a step change in the pace of attacks, and the biggest single change will be the asymmetric advantage to the attacker increasing dramatically. Cybersecurity itself doesn’t change – it just needs to cope with a new ferocious pace. Best practice fundamentally remains the same, but its importance becomes more critical.
    • “Focus on the basics and harden your environment further,” say the CSA report authors. “Segmentation, egress filtering, multifactor authentication, and defense-in-depth/breadth all increase the difficulty for attackers.” Nothing there is new, but many firms have not done it adequately – and must rapidly start doing it effectively.”
  • and
    • “OpenAI announced that it’s scaling its Trusted Access for Cyber program to thousands of verified defenders and hundreds of security teams. They will be given access to GPT-5.4-Cyber, a fine-tuned variant of GPT-5.4 that relaxes the usual guardrails for legitimate cybersecurity work. 
    • “GPT-5.4-Cyber also provides new capabilities such as binary reverse engineering, which enables users to analyze compiled executable software for vulnerabilities and malicious behavior.
    • “The new AI model is initially being offered on a limited, iterative basis to vetted security vendors, organizations, and researchers.
    • “Individual defenders who want to enroll into the Trusted Access for Cyber program and test GPT‑5.4‑Cyber can apply through chatgpt.com/cyber via an identity verification process, while enterprise teams must go through their OpenAI account representative.” 
  • Cyberscoop adds,
    • “A joint report from the Cloud Security Alliance (CSA), the SANS Institute and the Open Worldwide Application Security Project (OWASP) concludes that in the near term, organizations are “likely to be overwhelmed” by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them.
    • “While those organizations can use AI tools to speed up their own defenses, attackers “still face a heavier relative burden due to the inherent limitations of patching. This in turn leads to “asymmetric benefits” for attackers who can afford to adopt the technology without the same caution and bureaucracy as a multi-billion dollar business.
    • “The cost and capability floor to exploit discovery is dropping, the time between disclosure and weaponization is compressing toward zero, and capabilities that previously required nation-state resources are now becoming broadly accessible,” wrote Robert Lee, SANS Institute’s Chief AI Officer, Gadi Evron, CEO of Knostic and Rich Mogull, chief analyst at CSA, who served as the primary authors.”
  • TechTarget tells us, “How CIOs can beat AI challenges: A top researcher’s view.”
    • “CIOs are grappling with moving AI from the pilot stage to genuine implementation, and many are encountering organizational pitfalls that are stalling the delivery of real value.”
  • Healthexec informs us,
    • “Hospitals have always had to rely on multitudes of healthcare vendors to keep operations humming. In recent years the arrangement’s inherent management challenge has only grown more complex. 
    • “That’s largely because myriad AI technologies have changed daily life for provider organizations and industry partners alike. Arguably the biggest single difficulty to emerge from the transformation is the risk of cybersecurity breaches. 
    • “The Health Sector Coordinating Council (HSCC) is taking a crack at helping cybersecurity leaders, teams and stakeholders clear a path through the thicket. The assistance comes in the form of a 109-page document titled Third-Party AI Risk and Supply Chain Transparency Guide.
    • “The guidebook is authored by members of an HSCC working group focused on cybersecurity. The team’s guiding aim for the project was to “address the growing gaps in discovery and disclosure processes that make AI supply chain risk so difficult to manage.”
  • A NIST press release announced
    • “NIST SP 800-133 Rev. 3 (Initial Public Draft) Recommendation for Cryptographic Key Generation
    • “Proposed changes in this revision include the following:
      • “Asymmetric key-pair generation has been expanded to include methods for deriving randomness during key-pair generation.
      • “Key-pair generation now has options for derivation similar to symmetric keys and new methods for “seed expansion,” which allows for the limited use of SHAKE and deterministic random bit generators (DRBGs).
      • “Key-encapsulation mechanisms (KEMs) are discussed as a key-establishment option for symmetric key generation, and post-quantum cryptography (PQC) references have been added throughout (e.g., the new PQC signatures).
      • “Text has been reworded to address random number generation in alignment with SP 800-90C.
    • “Comments are especially requested regarding:
      • “Hardware security module (HSM) design — How do these requirements align with common practice and existing systems using a root seed/secret value?
      • “PQC implementations and protocol — How do these requirements fit with storing keys as seeds (e.g., for ML-KEM) and performing hybrid (i.e., combined classical and post-quantum) implementations?”
  • Here is a link to Dark Reading’s CISO Corner.
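As an added illustration of the "seed expansion" idea in the NIST draft described above (this is not code from NIST SP 800-133 Rev. 3 or the press release, and it is not the draft's specified procedure): a root seed kept inside an HSM can be expanded with an XOF such as SHAKE256 into every per-purpose key a device needs, so that only the seed has to be stored and protected. The label and context strings are hypothetical.

```python
"""Seed expansion illustration: regenerate per-purpose keys from one root seed.

Added example, not the procedure specified in NIST SP 800-133 Rev. 3 and not
NIST's code. It shows the idea behind 'storing keys as seeds': an HSM keeps a
single root seed and re-derives each key deterministically with an XOF
(SHAKE256) plus domain separation, instead of storing every derived key.
The label and context strings below are hypothetical.
"""
import hashlib


def expand_seed(root_seed: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Return `length` bytes of keying material derived from root_seed.

    Every field is length-prefixed before being absorbed, so distinct
    (label, context) pairs can never produce the same XOF input; the requested
    output length is bound as well, so a 32-byte and a 64-byte request for the
    same purpose are unrelated strings rather than prefixes of each other.
    """
    if len(root_seed) < 32:
        raise ValueError("root seed must carry at least 256 bits of entropy")
    xof = hashlib.shake_256()
    for field in (root_seed, label, context):
        xof.update(len(field).to_bytes(4, "big"))
        xof.update(field)
    xof.update(length.to_bytes(4, "big"))
    return xof.digest(length)


def derive_key_set(root_seed: bytes, device_id: bytes) -> dict:
    """Derive the keys one device needs from the root seed.

    The 64-byte KEM entry has the size of the (d, z) seed pair that ML-KEM key
    generation consumes; keeping this seed (or the root seed it comes from) is
    enough to rebuild the key pair later instead of storing the expanded key.
    """
    return {
        "aes256_data": expand_seed(root_seed, b"aes-256-data", device_id, 32),
        "hmac_sha256": expand_seed(root_seed, b"hmac-sha256", device_id, 32),
        "kem_keygen_seed": expand_seed(root_seed, b"ml-kem-keygen-seed", device_id, 64),
    }


def regenerates_identically(root_seed: bytes, device_id: bytes) -> bool:
    """True when a second derivation from the same seed reproduces every key."""
    return derive_key_set(root_seed, device_id) == derive_key_set(root_seed, device_id)


if __name__ == "__main__":
    import secrets
    seed = secrets.token_bytes(32)  # in practice this comes from an approved RBG
    for name, key in derive_key_set(seed, b"device-0001").items():
        print(f"{name}: {key.hex()[:16]}... ({len(key)} bytes)")
```

The HSM-design question NIST asks for comment on is visible here: once a root seed is the only long-lived secret, its generation, backup and zeroisation carry the whole security of every key derived from it, so the length prefixes and the 256-bit minimum are not optional details.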

Cybersecurity Saturday

From the Iranian War front,

  • Dark Reading reports,
    • With the US and Iran having reached a fragile ceasefire this week, security researchers and executives are left wondering whether there will be a commensurate pause in the cyberwarfare that has ramped up around the war.
    • The day after the temporary truce was announced, Iran’s most high-profile false-flag hacktivist operation, Handala, offered that it would participate in a temporary pause in hostilities. But even if one takes that group at its word, history suggests that ceasefires rarely stop or slow cyberactivity surrounding kinetic wars. In fact, in the absence of more effective ways of fighting, cyberattacks tend to flare significantly.
    • “Historical data and recent intelligence analysis indicate that a military ceasefire rarely equates to a ‘digital stand-down,’” warns Austin Warnick, director of Flashpoint’s National Security Intelligence Team. Instead, he tells Dark Reading, “Cyber operations often remain steady or even flare up as an asymmetric pressure valve while kinetic hostilities are paused.”
  • Cyberscoop adds,
    • “The fallout and potential exposure from Iran’s state-backed targeting of U.S. critical infrastructure extends to more than 5,200 internet-connected devices, researchers at Censys said in a threat intelligence brief Wednesday [April 8]. 
    • “Of the programmable logic controllers manufactured by Rockwell Automation/Allen-Bradley that Censys identified as potentially exposed to Iranian government attackers, nearly 3,900, or about 3 out of every 4, are based in the United States. 
    • “The cybersecurity firm identified the devices based on details multiple federal agencies shared in a joint alert Tuesday, and published additional indicators of compromise, including operator IPs and other threat hunting queries.
    • “Federal authorities earlier this week warned that Iranian government attackers have exploited devices that control industrial automation processes and disrupted multiple sectors during the past month. Some victims also experienced financial losses as a result of the attacks, officials said.” 
  • MedTech Dive tells us,
    • “Stryker is now fully operational after a[n Iranian] cyberattack took down its manufacturing, ordering and shipping operations.
    • “The medtech company’s global manufacturing and commercial, ordering and distribution systems have been fully restored, according to a Thursday [April 9] filing with the Securities and Exchange Commission.
    • “Stryker said that the attack had a material impact on its operations, which will affect the company’s financial results for the first quarter of 2026. However, Stryker does not expect a material impact on its full-year guidance of 8% to 9.5% organic sales growth and adjusted earnings per share of $14.90 to $15.10.
    • “The company did not detail the expected financial impact on the first quarter.”

From the cybersecurity policy and law enforcement front,

  • The Wall Street Journal reports,
    • “Top White House officials are racing to address potential cybersecurity threats posed by the latest artificial-intelligence models, highlighting how AI’s perils are becoming a top priority for the Trump administration.
    • National Cyber Director Sean Cairncross is leading the administration’s response, convening officials across agencies to identify security weaknesses in critical infrastructure and bolster government systems that could be exploited by AI, people familiar with the matter said. The administration is working with the private sector to make sure Americans are safe when new models are released, White House officials said.
    • “In recent days, the administration has held discussions featuring Vice President JD Vance and Treasury Secretary Scott Bessent with leading tech and financial executives about coordinating the private sector’s response to potential cyberattacks and preparing online systems, the people said. 
    • “The moves come during an intensifying race among the top AI companies to release more powerful models that could cause widespread online disruptions if put to work by bad actors. 
    • Anthropic said this week its new AI model Mythos was so good at finding and exploiting software bugs that the company has no plans to release it to the general public. Instead, Anthropic has made a preview version of the model available to roughly 50 companies and organizations that run critical infrastructure, including leading tech companies such as Apple, Amazon.com and Google. The aim is to find and fix bugs in hardware and software before the model is publicly released. 
    • “The company has also held discussions with government officials about the model’s cyber capabilities. 
    • “OpenAI and other model developers are also expected to release powerful tools in the weeks ahead.” 
  • and
    • “Over the past six months, cybersecurity researchers have become increasingly worried that AI systems are not only becoming better at finding bugs, but that they are also shrinking the window of time between when a bug is disclosed and when it can be exploited with working attack software.
    • “Late last year, researchers at Stanford University found that AI software was almost as good as humans at finding and exploiting bugs on a real-world network. 
    • “And earlier this year Anthropic’s Claude Opus 4.6 model found more high-severity bugs in the Firefox browser in two weeks than the rest of the world typically reports in two months. 
    • When measuring dollar cost to find a bug, Mythos is about 10 times as efficient as previous AI models, Graham said. Details of Mythos’s capabilities were previously reported by Fortune.”
  • HIPAA Journal lets us know,
    • “To help HIPAA-regulated entities manage risks and vulnerabilities, OCR has recorded a risk management video. In the video, Nicholas Heesters, OCR’s Senior Advisor for Cybersecurity, explains the HIPAA risk management requirements and provides examples of potential risk management violations identified during OCR’s investigations of data breaches.
    • “In December 2025, OCR requested questions from HIPAA-regulated entities on risk management, and has provided answers to a selection of those questions in the video. The video also shares important resources to help HIPAA-regulated entities comply with this important HIPAA Security Rule requirement. You can view the video on OCR’s YouTube channel.”
  • Cybersecurity Dive relates,
    • “The Justice Department on Tuesday [April 7] announced that it had stopped Russia’s military intelligence agency from using hacked U.S. routers to maliciously redirect internet traffic and steal data from victims that include governments and critical infrastructure operators.
    • “Operatives of the Russian GRU have spent several years breaking into TP-Link small office and home office (SOHO) routers around the world and reconfiguring them to send DNS requests through Kremlin-controlled servers, which allowed Moscow to collect internet traffic and even passwords, emails and other sensitive information from victim networks. In response, the FBI launched “Operation Masquerade,” sending commands to hacked routers that collected forensic data and reset their DNS settings to erase Russia’s foothold in the devices.
    • DOJ announced the operation hours after Microsoft revealed Russia’s abuse of SOHO routers. “For nation-state actors like Forest Blizzard,” Microsoft said, “DNS hijacking enables persistent, passive visibility and reconnaissance at scale.”

From the cybersecurity breaches and vulnerabilities front,

  • Bleeping Computer reports,
    • “Bitcoin Depot, which operates one of the largest Bitcoin ATM networks, says attackers stole $3.665 million worth of Bitcoin from its crypto wallets after breaching its systems last month.
    • “The company manages more than 25,000 Bitcoin ATMs and BDCheckout locations worldwide and reported revenue of $615 million in 2025.
    • “As revealed in a filing with the U.S. Securities and Exchange Commission, the company discovered the attack on March 23 after detecting suspicious activity on some of its IT systems.”
    • “While it took immediate measures to contain the breach, the attackers had time to steal credentials to digital asset settlement accounts and transfer over 50 Bitcoin from Bitcoin Depot’s wallets before their access was blocked.”
  • Dark Reading discusses how “Russia’s ‘Fancy Bear’ APT Continues Its Global Onslaught.”
    • “Victims don’t need to match the cyber espionage group’s technical sophistication, experts say. But patching and some form of zero trust are now non-negotiable.”
  • The Cybersecurity and Infrastructure Security Agency added two known exploited vulnerabilities to its catalog this week.
  • Bleeping Computer advises,
    • “Analysis of CISA’s Known Exploited Vulnerabilities over the past four years shows critical vulnerabilities still open at Day 7 worsened from 56% to 63% despite teams closing 6.5x more tickets. Staffing cannot solve this.
    • “Of the 52 tracked weaponized vulnerabilities in our study, 88% were patched more slowly than they were exploited — half were weaponized before any patch existed.
    • “The problem is not speed. It is the operational model itself.
    • “Cumulative exposure, not CVE counts, is the true risk metric that security teams now need to measure. While dashboards reward the sprint to get patches implemented, breaches exploit the tail. AI is not another attack surface — instead, the transition period where AI-powered attackers face human defenders is the industry’s most dangerous window.
    • “In response, defenders have to implement their own autonomous, closed-loop risk operations.”
  • and tells us,
    • “Attackers have been exploiting a zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December.
    • “The attacks have been discovered by security researcher Haifei Li (the founder of the sandbox-based exploit-detection platform EXPMON), who warned on Tuesday that the attackers are using what he described as a “highly sophisticated, fingerprinting-style PDF exploit” to target an undisclosed Adobe Reader security flaw.
    • “Li also said that these attacks have been targeting Adobe users for at least 4 months, stealing data from compromised systems using privileged util.readFileIntoStream and RSS.addFeed Acrobat APIs, and deploying additional exploits.
    • “This ‘fingerprinting’ exploit has been confirmed to leverage a zero-day/unpatched vulnerability that works on the latest version of Adobe Reader without requiring any user interaction beyond opening a PDF file,” Li warned.
    • “Even more concerning, this exploit allows the threat actor to not only collect/steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim’s system.”
  • Cybersecurity Dive informs us,
    • “A cyber threat actor is using the React2Shell vulnerability as the basis for a widespread credential-harvesting campaign that has compromised everything from AI tool API keys to cloud platform passwords.
    • “After identifying internet-facing React Server Components instances that are vulnerable to React2Shell, the hackers upload a malicious payload to the server — without the need for authentication — that lets them execute arbitrary code on the target server, researchers at Cisco’s Talos threat intelligence group said in a recent report.
    • “The payload contains a “multi-phase credential harvesting tool that harvests credentials, SSH keys, cloud tokens, and environment secrets at scale,” Cisco researchers wrote.
    • “The entire process after target identification is automated. “No further manual interaction is required to extract and exfiltrate credentials harvested from the system,” Cisco said.”
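The Bleeping Computer passage above argues that cumulative exposure, not CVE counts, is the metric to measure. As an added illustration (not the analysis or data behind the figures quoted there), the script below computes the three kinds of numbers that passage contrasts over a constructed set of tickets: how many tickets were closed, the share of criticals still open at day 7 and exploited before a fix existed, and asset-days of exposure. The CVE-EXAMPLE-* ids, dates and asset counts are all constructed.

```python
"""Cumulative exposure versus ticket counts: added illustration, not the
analysis or data behind the Bleeping Computer figures quoted above.

All tickets below are constructed; the CVE-EXAMPLE-* ids are placeholders.
Days are integers relative to an arbitrary day 0.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    cve: str
    severity: str
    disclosed: int               # day the vulnerability became public
    fix_released: Optional[int]  # day a vendor patch existed (None: still none)
    exploited: Optional[int]     # day in-the-wild exploitation was first seen
    patched: Optional[int]       # day the fix was fully deployed (None: open)
    assets: int                  # number of affected hosts


TODAY = 60

TICKETS = [
    Ticket("CVE-EXAMPLE-0001", "critical", 0, 0, 2, 3, 400),
    Ticket("CVE-EXAMPLE-0002", "critical", 5, 6, 4, 20, 50),    # hit before a fix existed
    Ticket("CVE-EXAMPLE-0003", "critical", 10, 12, 12, None, 30),
    Ticket("CVE-EXAMPLE-0004", "high", 11, 11, None, 14, 1200),
    Ticket("CVE-EXAMPLE-0005", "critical", 20, 22, 25, 40, 10),
    Ticket("CVE-EXAMPLE-0006", "high", 22, None, 23, None, 5),  # no vendor fix yet
]


def _end(t: Ticket, now: int = TODAY) -> int:
    """Day the exposure window closed, or today for a ticket still open."""
    return t.patched if t.patched is not None else now


def closed_count(tickets) -> int:
    """The metric dashboards usually show: how many tickets got closed."""
    return sum(1 for t in tickets if t.patched is not None)


def critical_open_rate(tickets, day: int = 7) -> float:
    """Share of critical tickets still open `day` days after disclosure."""
    crit = [t for t in tickets if t.severity == "critical"]
    still_open = sum(1 for t in crit if t.patched is None or t.patched - t.disclosed > day)
    return still_open / len(crit)


def weaponization_stats(tickets) -> tuple:
    """(share patched slower than exploited, share exploited before any fix existed)."""
    weap = [t for t in tickets if t.exploited is not None]
    slower = sum(1 for t in weap if t.patched is None or t.patched > t.exploited)
    before_fix = sum(1 for t in weap if t.fix_released is None or t.exploited < t.fix_released)
    return slower / len(weap), before_fix / len(weap)


def cumulative_exposure(tickets, now: int = TODAY) -> int:
    """Asset-days open since disclosure, summed over all tickets."""
    return sum((_end(t, now) - t.disclosed) * t.assets for t in tickets)


def exploited_exposure(tickets, now: int = TODAY) -> int:
    """Asset-days during which a ticket was both open and known to be exploited."""
    total = 0
    for t in tickets:
        if t.exploited is None:
            continue
        start = max(t.disclosed, t.exploited)
        total += max(0, _end(t, now) - start) * t.assets
    return total


if __name__ == "__main__":
    print("tickets closed:", closed_count(TICKETS), "of", len(TICKETS))
    print("critical still open at day 7:", critical_open_rate(TICKETS))
    print("patched slower / before fix existed:", weaponization_stats(TICKETS))
    print("cumulative exposure (asset-days):", cumulative_exposure(TICKETS))
    print("exploited exposure (asset-days):", exploited_exposure(TICKETS))
```

Two things the constructed data makes visible: the largest single contribution to asset-days comes from a "high" ticket closed in three days on a 1,200-host fleet, which a count of closed tickets hides entirely, and the two tickets still open at day 60 account for most of the exploited exposure, which is the tail the passage says breaches land in.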

From the ransomware front,

  • The American Hospital Association reports,
    • “Health care and public health was the top sector targeted for cyberthreats in 2025, according to the FBI’s latest annual report on internet crimes. There were 460 ransomware attacks and 182 data breaches, totaling 642 cyber events. Financial services was the next highest sector at 447 total events. 
    • “This report quantifies what we already knew anecdotally about the health care sector being the most targeted by ransomware attacks,” said John Riggi, AHA national advisor for cybersecurity and risk. “The vast majority are perpetrated by foreign ransomware gangs, primarily Russian-speaking groups, which specifically target health care hoping for a big payout. They know these attacks cause disruptions and delays to digitally dependent health care delivery, posing a risk to patient and community safety, thereby increasing the exigency and pressure for a potentially large ransom payment. These despicable acts are in fact threat-to-life crimes and remind us to do what we can on defense and prepare for clinical continuity not if, but when, an attack strikes.” 
  • Dark Reading relates,
    • “Storm-1175 actors are running up-tempo campaigns to deliver Medusa ransomware, putting pressure on organizations to patch critical vulnerabilities faster. 
    • “In a blog post on Monday, Microsoft Threat Intelligence detailed how Storm-1175, a financially motivated cybercrime group, is conducting “high velocity ransomware campaigns” that typically exploit known vulnerabilities in the sweet spot for threat actors: the time between a vulnerability’s initial disclosure and the widespread adoption of the patch. Microsoft also tied the exploitation of several zero-day vulnerabilities to the group.”
    • “Storm-1175’s playbook appears to be predicated on speed. Attackers move quickly from vulnerability exploitation to data exfiltration and, finally, delivery of Medusa ransomware, “often within a few days and, in some cases, within 24 hours,” according to Microsoft.
    • “The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States,” the blog post stated.”
  • SC Media informs us,
    • “In March, more than a dozen CISOs and other security managers gathered online to discuss how best to handle ransomware in today’s AI-powered environments.
    • “Because the CyberRisk Collaborative roundtable discussion, sponsored by Akamai, followed the Chatham House rule, we can’t tell you who said what. But the latest CRC report, “Redefining Ransomware Containment,” summarizes what was said.
    • “The group’s main message: Ransomware is no longer just a cybersecurity issue, but a full-scale business-resilience challenge.
    • “Organizations should focus on ransomware recovery, the participants agreed. While rapid containment remains critical, stopping an attack is only part of the solution. True success against ransomware includes maintaining business operations, minimizing disruption, and lining up technical response with organizational priorities.
    • “Containment speed is important, but even a quickly halted attack can lead to substantial financial loss or reputational damage. Organizations must take a view of incident success that includes recovery timelines and customer impact alongside traditional security metrics. That’s because a ransomware incident affects the entire enterprise, not just IT systems.
    • “Because business continuity is the true benchmark of resilience, CISOs and other security managers in the roundtable discussion stressed that customers and stakeholders often care less about how quickly an attack is contained and more about whether services remain available.
    • “The CISOs said that as a result, leading organizations are folding ransomware response into broader business-continuity and disaster-recovery plans. That way, critical operations can keep going even during an active incident, and downstream impacts on customers, partners, and markets will be lessened.”

From the cybersecurity defenses front,

  • The Wall Street Journal reports,
    • “Artificial intelligence giant Anthropic unveiled a partnership with cybersecurity companies Tuesday [April 7] that raises more questions about how parts of the security industry may be disrupted by the emerging technology.
    • The company said its new Project Glasswing initiative allows select companies access to its Claude Mythos2 Preview frontier model, specifically for defensive cybersecurity work. Participants include CrowdStrike, Palo Alto Networks, Microsoft, Apple, Amazon’s AWS cloud business, JPMorgan Chase, Google, Broadcom, Nvidia and the Linux Foundation.
    • Anthropic said its new model already has found thousands of high-severity vulnerabilities, including some in every major operating system and web browser.
    • “AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities,” Anthropic said of Project Glasswing.
    • “The project shows how AI is beginning to reshape parts of the cybersecurity industry, with investors trying to anticipate which areas are built to last and which are ripe to be disrupted by automation. Cyber shares rose as some investors were encouraged by the companies’ inclusion in the Anthropic project, but uncertainty remains about how AI’s impact on the industry will play out.”
  • Forrester identifies ten consequences of Project Glasswing nobody’s writing about yet.
  • SC Media offers five ways to mitigate the risks of “cracked” software.
    • “The human element remains one of the top threat vectors within organizations. Well-intentioned employees trying to get their work done quickly and efficiently can sometimes unknowingly introduce new security risks in doing so.
    • “For instance, an employee needs a PDF editor or design tool, but can’t find an IT-approved option or doesn’t want to wait for access. So they download a free or “cracked” version from the web. It feels harmless. In reality, it creates a direct path into the organization’s IT environment.” * * *
    • “Security teams can reduce this risk, but it takes a shift in focus from policy to control. Taking the following five steps won’t eliminate shadow IT, but they will make it much harder for a quick download to turn into a serious incident:
      • Block unauthorized executables at runtime: Stop unknown binaries from running, even if a user downloads them manually.
      • Restrict local admin rights: Limit who can install or modify software so a single download can’t change the system.
      • Apply a zero-trust approach to application control: Allow only approved applications to run, block everything else.
      • Use advanced endpoint protection to monitor for behavioral indicators, not just signatures: Look for patterns like manual installs, archive extraction, and unusual execution paths.
      • Reinforce acceptable use policies and user awareness: Make expectations clear and explain the risks.”
  • Here’s a link to Dark Reading’s CISO Corner.
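The fourth of SC Media's five steps above asks endpoint monitoring to look for behavioural patterns such as manual installs, archive extraction and unusual execution paths. As an added example of what that detection logic looks like (not SC Media's or any vendor's code), the script below runs two such rules over constructed process-creation events: executables launched from user-writable locations, and executables spawned directly by an archive tool. The event format, the user names and the paths are all constructed for the example.

```python
"""Behavioural indicators of a 'cracked software' install: added example of
detection logic, not SC Media's or any vendor's code.

It parses constructed process-creation events (pipe-separated fields:
time|user|parent_image|image|command_line) and flags executions that run
from user-writable locations or are spawned by an archive tool, the
'manual install, archive extraction, unusual execution path' pattern.
The sample events, user names and paths are constructed.
"""
import re

# Constructed sample: one manual install unpacked from a zip, one run from
# Temp, and two ordinary executions that must not be flagged.
SAMPLE_EVENTS = r"""
2026-04-10T09:01:12|alice|explorer.exe|C:\Program Files\7-Zip\7zFM.exe|"C:\Program Files\7-Zip\7zFM.exe" C:\Users\alice\Downloads\pdf_editor_pro.zip
2026-04-10T09:02:30|alice|7zFM.exe|C:\Users\alice\Downloads\pdf_editor_pro\setup.exe|setup.exe /silent
2026-04-10T09:15:00|bob|explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE
2026-04-10T09:20:00|carol|services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2026-04-10T10:00:00|dave|explorer.exe|C:\Users\dave\AppData\Local\Temp\installer.exe|installer.exe
"""

# Locations an ordinary user can write to and therefore can drop a binary into.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.IGNORECASE
)
# Archive front-ends; a child process of one of these is a just-extracted file being run.
ARCHIVE_TOOLS = {"7zfm.exe", "7zg.exe", "7z.exe", "winrar.exe", "unrar.exe"}


def parse_events(text: str) -> list:
    """Turn the pipe-separated lines into dicts; the command line may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, user, parent, image, cmdline = line.split("|", 4)
        events.append({"time": time, "user": user, "parent": parent,
                       "image": image, "cmdline": cmdline})
    return events


def classify(event: dict) -> list:
    """Return the names of every behavioural rule the event trips (empty if benign)."""
    rules = []
    if USER_WRITABLE.match(event["image"]):
        rules.append("user_writable_path")
    if event["parent"].lower() in ARCHIVE_TOOLS:
        rules.append("spawned_by_archive_tool")
    return rules


def analyze(text: str) -> list:
    """Run every rule over the events and keep only those that matched something."""
    findings = []
    for ev in parse_events(text):
        rules = classify(ev)
        if rules:
            findings.append({"time": ev["time"], "user": ev["user"],
                             "image": ev["image"], "rules": rules})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["time"], f["user"], f["image"], ",".join(f["rules"]))
```

A finding that trips both rules at once (extracted from a Downloads archive and run straight from there) is the shadow-IT install the article describes, and it is also exactly the execution an application-control allowlist from step three would have blocked before any telemetry was needed.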

Cybersecurity Saturday

From the Iranian war front,

  • Industrial Cyber reports,
    • “New data from KELA recognizes that Iranian state-sponsored threat actors have moved well beyond traditional espionage, increasingly blurring the line between nation-state operations and financially motivated cybercrime. Rather than running large-scale ransomware cartels of their own, these groups have embedded themselves into the existing criminal ecosystem, acting as initial access brokers, collaborating with ransomware affiliates, and deploying pseudo-ransomware to mask destructive attacks as extortion campaigns.
    • “A key example is Pay2Key, an Iran-linked ransomware operation that has resurfaced as a professionalized RaaS platform operating on the anonymous I2P network, actively recruiting affiliates from Russian cybercrime forums and offering an elevated profit share, bumping the affiliate cut from 70% to 80%, for attacks on U.S. and Israeli targets. The model creates a significant compliance risk for victim organizations: paying what appears to be a routine ransom demand could unknowingly funnel money to OFAC-sanctioned Iranian entities, exposing companies to severe legal and financial penalties.
    • “The KELA Cyber Intelligence Center identified in its Monday [March 30] post that one of the more concerning developments is the growing collaboration between Iranian state-linked actors and the broader ransomware ecosystem.”
  • Security Week relates,
    • The FBI has confirmed that threat actors have gained access to an email account belonging to FBI Director Kash Patel, but said no government information has been compromised. 
    • “The Iran-linked hacker group Handala on Friday [March 27] claimed to have hacked Patel’s email account, releasing files allegedly representing photos, emails, and classified documents taken from the FBI director’s inbox.
    • “The so-called ‘impenetrable’ systems of the FBI were brought to their knees within hours by our team,” the hackers wrote. 
    • However, the account does not appear to be hosted on FBI systems; it is a personal Gmail account. In addition, the stolen information does not seem to be recent.
    • It’s unclear when the account was hacked, but it may have been one of the many targeted by Iranian hackers back in 2024 as part of an operation targeting Donald Trump’s presidential campaign.” 
  • Cyberscoop tells us,
    • “Medtech company Stryker says it’s back to being “fully operational,” three weeks after it became the most prominent victim to date of Iranian hackers, who said they attacked the Michigan-based company in retaliation over the conflict with the United States and Israel.
    • “A March 11 wiper attack from the pro-Palestinian, Iranian government-connected group Handala damaged the company’s order processing, manufacturing and shipping.” * * *
    • “Production is moving rapidly toward peak capacity with discipline and stability, supported by restored commercial, ordering and distribution systems,” the company wrote in an update on its website Wednesday. “Overall product supply remains healthy, with strong availability across most product lines, as we continue to meet customer demand and support patient care.”
    • “Stryker said it continues to work with outside cyber experts, government agencies and industry partners on its investigation and recovery.” * * *
    • “Iranian hackers have been busy since the U.S.-Israel strikes began, but have claimed few successes in the United States. Handala boasted this week about an attack on St. Joseph County, Indiana, where officials said they were investigating a hack of its external fax service.”

From the cybersecurity policy front,

  • Cybersecurity Dive reports,
    • “President Donald Trump on Friday [April 3] proposed significantly slashing the Cybersecurity and Infrastructure Security Agency’s budget.
    • The White House’s fiscal year 2027 budget would reduce CISA’s funding by $707 million, roughly 30% of its FY2025 budget of $2.4 billion.
    • “The administration said its proposal “refocuses CISA on its core mission” of protecting federal networks and helping critical infrastructure operators defend themselves from cyberattacks and physical threats.”
  • Per a March 31 HHS news release,
    • “The U.S. Department of Health and Human Services (HHS) today announced that it is reversing a 2024 reorganization that: (1) dually titled the Office of the National Coordinator for Health Information Technology (ONC) as the Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (ASTP/ONC), headed by the Assistant Secretary for Technology Policy, dually titled as the National Coordinator for Health IT; (2) moved three HHS-wide technology roles to ONC from the Office of the Chief Information Officer (OCIO); and (3) shifted specific cybersecurity functions out of OCIO.
    • “Today’s action restores a unified, Department‑wide technology leadership model by returning these enterprise responsibilities to OCIO while sharpening ONC’s mission focus on nationwide health IT interoperability and data liquidity.
    • “Under this alignment, HHS has ended the Biden administration’s dual management title for the Assistant Secretary for Technology Policy, restored ONC as a singularly titled office, and shifted the roles, responsibilities, and offices of the HHS Chief Technology Officer (CTO), HHS Chief Artificial Intelligence Officer (CAIO), and HHS Chief Data Officer (CDO) back under the HHS Chief Information Officer’s leadership. This structure reinforces OCIO’s statutory responsibility for enterprise IT, cybersecurity, and data operations, while enabling ONC to concentrate on health IT policy, standards, and certification that support better care and lower costs.
    • “To better integrate policy and operations, OCIO will organize enterprise roles around three core functions: (1) strategic technology leadership and innovation, led by the CTO; (2) responsible, trustworthy artificial intelligence, led by the CAIO; and (3) enterprise data governance and analytics, led by the CDO. These leaders will work as a unified team under the CIO to deliver secure, scalable platforms and common services that support ONC’s policy work and the Department’s mission programs.
    • “This structure allows OCIO to provide an integrated backbone for cloud, cybersecurity, data, and AI that every HHS component can rely on,” said HHS Chief Information Officer Clark Minor. “By bringing CTO, CAIO, and CDO functions together under one roof, we can move faster on shared platforms, protect our systems more effectively, and support ONC and the operating divisions with the technology capabilities they need to innovate for patients.”
  • Cybersecurity Dive informs us,
    • “Federal government leaders are prioritizing cybersecurity improvements as they sketch out their technology-modernization agendas for the year, consulting firm EY said in a survey released this week.
    • “Roughly half of survey respondents (56%) said cybersecurity was one of their top modernization priorities, with roughly a third saying that growing cybersecurity threats “are a barrier for their agencies to achieve their modernization goals,” the survey found.
    • “EY also presented data on government leaders’ impressions of their agencies’ current security postures and their hopes for AI.”
  • Bleeping Computer points out,
    • “The U.S. Federal Bureau of Investigation (FBI) warned Americans against using foreign-developed mobile applications, particularly those created by Chinese developers.
    • “In a public service announcement (PSA) issued via its Internet Crime Complaint Center (IC3) platform this Tuesday [March 31], the FBI warned of privacy and data security risks associated with these apps.
    • “As of early 2026, many of the most downloaded and top-grossing apps in the United States are developed and maintained by foreign companies, particularly those based in China,” the bureau warned.”

From the cybersecurity breaches and vulnerabilities front,

  • Health Exec reports on April 2,
    • “A hospital in Texas revealed that it’s fallen victim to a data breach that exposed the personal information of more than 257,000 patients to hackers.
    • “Nacogdoches Memorial Hospital—an independent health system in Texas consisting of one emergency-capable facility, several affiliated provider practices, and a rehabilitation center—made the breach public this week.
    • “The incident occurred on Jan. 31—or at least, that’s when Nacogdoches Memorial staff became aware of an ongoing cyberattack.
    • “At that time, the hospital said it notified law enforcement, initiated an “incident response plan” and began an investigation to find out what happened. As for details such as the nature of the breach and who was responsible, neither a statement from Nacogdoches Memorial nor a report filed with the Office of the Maine Attorney General contain those details.
    • “To date, no known listing of the data trove on the dark web exists, and no hacker group has claimed responsibility for the cyberattack. Whether or not the data will eventually end up leaked onto the Internet or put up for sale remains unknown—but given the scope of the breach and the black market value of the stolen information, it’s not out of the realm of possibility.”
  • Bleeping Computer relates,
    • “Telehealth giant Hims & Hers Health is warning that it suffered a data breach after support tickets were stolen from a third-party customer service platform.” * * *
    • “It is one of the most successful U.S. brands in the online pharmacy and telehealth space, with strong marketing presence, and annual revenues close to $1 billion.” * * *
    • “BleepingComputer learned last month that the ShinyHunters extortion gang conducted the breach.
    • “The data was stolen as part of a widespread campaign in which threat actors compromised Okta SSO accounts to gain access to third-party cloud storage services and SaaS platforms to steal data.
    • “In this particular attack, BleepingComputer was told that the threat actors used the Okta SSO account to access the Hims & Hers Zendesk instance, where they stole millions of support tickets.”
  • Dark Reading notes,
    • “The impact of TeamPCP’s high-profile supply chain attacks is rapidly expanding — in more ways than one.
    • “Following last month’s spree of compromised open source projects, two victim organizations disclosed breaches related to the attacks this week. On Tuesday, AI startup Mercor said on social media platform X that it was “one of thousands of companies impacted by a supply chain attack involving LiteLLM.”
    • “And on Thursday, the EU’s Computer Emergency Response Team (CERT-EU) disclosed that a recent attack on the European Commission’s cloud and Web infrastructure stemmed from the previously reported Trivy supply chain attack, also attributed to TeamPCP. According to CERT-EU, the EC inadvertently installed a compromised version of the Trivy code-scanning security tool, which allowed threat actors to harvest credentials and secrets that they later used to access the organization’s Amazon Web Services (AWS) cloud environment.”
  • The American Hospital Association News tells us,
    • “The Cybersecurity and Infrastructure Security Agency released an alert March 27 on a vulnerability in F5 BIG-IP Access Policy Manager software that is being exploited for malicious cyber activity. F5 devices and software, used widely by health care and other critical infrastructure, provide app security and management services. The vulnerability was previously disclosed in October 2025 as a denial-of-service issue but was reclassified this month due to new information that found the vulnerability allows malicious actors to perform remote code execution, according to an alert from F5. 
    • “F5 has determined that this issue is much more severe than previously thought,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “The original patch released last year fixes the larger issue, so if you are using F5’s BIG-IP software, a very common app delivery and security service, ensure that you patch the system as soon as possible.”
  • Cybersecurity Dive informs us,
    • “Security researchers warn that chaining two critical vulnerabilities in Progress Software’s ShareFile service could allow an attacker to achieve remote code execution.
    • “The flaws exist in ShareFile Storage Zones Controller, which helps users manage files while they are using the ShareFile software-as-a-service interface, according to researchers at watchTowr Labs.
    • “The vulnerabilities include an authentication bypass flaw, tracked as CVE-2026-2699, and a remote code execution flaw, CVE-2026-2701. The vulnerabilities have severity scores of 9.8 and 9.1, respectively.
    • “Progress Software warned in a security bulletin released Thursday [April 2] that an attacker could access on-premises Storage Zones Controller configuration pages, allowing them to make changes in system configuration or achieve remote code execution.
    • “There is no immediate evidence of exploitation, but researchers urged users to immediately apply security updates.”
  • and
    • “A North Korean threat actor is suspected to be behind a major supply chain attack against Axios, a JavaScript library that is downloaded more than 100 million times per week, according to security researchers.
    • “Earlier this week, an attacker compromised the node package manager account for an axios maintainer and introduced a malicious dependency plain-crypto-js. The malicious versions were deleted within a few hours, but, with the widespread use of axios, there was a risk that a large number of users could have downloaded the poisoned version.
    • “Researchers from Google Threat Intelligence Group said the malicious dependency is an obfuscated dropper that deploys a backdoor called Waveshaper.v2 across Windows, Linux and Mac environments.” 
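The Axios and Trivy items above both describe the same failure mode: a trusted package is updated and quietly pulls in a dependency nobody asked for. The defensive habit that catches this is to diff the lockfile before merging any dependency bump and look at what was added, who declares it, and where it is downloaded from. The script below is an added example, not code from Cybersecurity Dive, Google Threat Intelligence Group or the axios project; it works on two constructed package-lock.json documents in the lockfileVersion 3 layout (a "packages" map keyed by install path). The package versions and the placeholder name "new-transitive-dep" are invented for the demonstration; the page names no versions.

```python
"""Review what a dependency update pulled in, by diffing two lockfiles.

Assumptions (not from the page): the two lockfiles below are constructed;
versions and the "new-transitive-dep" placeholder are invented."""
import json
from urllib.parse import urlparse

# Constructed "before" lockfile: one direct dependency with one transitive dep.
LOCK_BEFORE = json.loads("""
{"name": "app", "lockfileVersion": 3, "packages": {
  "": {"dependencies": {"axios": "^1.0.0"}},
  "node_modules/axios": {"version": "1.0.0",
     "resolved": "https://registry.npmjs.org/axios/-/axios-1.0.0.tgz",
     "dependencies": {"follow-redirects": "^1.0.0"}},
  "node_modules/follow-redirects": {"version": "1.0.0",
     "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.0.0.tgz"}
}}""")

# Constructed "after" lockfile: the direct dependency was bumped and its new
# version declares a dependency that was never requested (placeholder name),
# fetched from a host that is not the usual registry.
LOCK_AFTER = json.loads("""
{"name": "app", "lockfileVersion": 3, "packages": {
  "": {"dependencies": {"axios": "^1.0.0"}},
  "node_modules/axios": {"version": "1.0.1",
     "resolved": "https://registry.npmjs.org/axios/-/axios-1.0.1.tgz",
     "dependencies": {"follow-redirects": "^1.0.0", "new-transitive-dep": "0.0.1"}},
  "node_modules/follow-redirects": {"version": "1.0.0",
     "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.0.0.tgz"},
  "node_modules/new-transitive-dep": {"version": "0.0.1",
     "resolved": "https://mirror.example.test/new-transitive-dep-0.0.1.tgz"}
}}""")

# Hosts from which tarballs are expected to come (policy choice, an assumption).
TRUSTED_HOSTS = {"registry.npmjs.org"}


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; '' is the root project."""
    return path.rsplit("node_modules/", 1)[-1] if path else "(root)"


def dependency_changes(before, after):
    """Compare two lockfiles.

    Returns the version changes, removed packages and, for every added
    package, which packages declare it and which host it resolves to."""
    b = {k: v for k, v in before["packages"].items() if k}
    a = {k: v for k, v in after["packages"].items() if k}
    changed = {package_name(k): (b[k]["version"], a[k]["version"])
               for k in a if k in b and b[k]["version"] != a[k]["version"]}
    removed = sorted(package_name(k) for k in b if k not in a)
    added = []
    for path in sorted(set(a) - set(b)):
        name = package_name(path)
        host = urlparse(a[path].get("resolved", "")).hostname or ""
        # Every package (root included) whose declared dependencies name the newcomer.
        declared_by = sorted(package_name(p) for p, meta in after["packages"].items()
                             if name in meta.get("dependencies", {}))
        added.append({"package": name, "version": a[path]["version"],
                      "declared_by": declared_by, "host": host,
                      "trusted_host": host in TRUSTED_HOSTS})
    return {"added": added, "removed": removed, "changed": changed}


def needs_human_review(report):
    """A bump that adds packages, or fetches from an unexpected host, blocks auto-merge."""
    return bool(report["added"]) or any(not p["trusted_host"] for p in report["added"])


if __name__ == "__main__":
    report = dependency_changes(LOCK_BEFORE, LOCK_AFTER)
    for name, (old, new) in report["changed"].items():
        print(f"changed: {name} {old} -> {new}")
    for p in report["added"]:
        flag = "" if p["trusted_host"] else "  <-- untrusted host"
        print(f"added:   {p['package']}@{p['version']} declared by {p['declared_by']} from {p['host']}{flag}")
    print("needs review:", needs_human_review(report))
```

Run in CI against the lockfile on the base branch and the one in the pull request; a bump that only changes versions passes, while anything that introduces a package, or resolves to a host outside the allowlist, is held for a person to look at.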
  • Bleeping Computer notes,
    • “Threat actors are exploiting the recent Claude Code source code leak by using fake GitHub repositories to deliver Vidar information-stealing malware.
    • “Claude Code is a terminal-based AI agent from Anthropic, designed to execute coding tasks directly in the terminal and act as an autonomous agent, capable of direct system interaction, LLM API call handling, MCP integration, and persistent memory.
    • “On March 31, Anthropic accidentally exposed the full client-side source code of the new tool via a 59.8 MB JavaScript source map included by accident in the published npm package.”
  • and
    • “Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year.
    • “In this type of attack, the threat actor sends a device authorization request to a service provider and receives a code, which is sent to the victim under various pretexts.
    • “Next, the victim is tricked into entering the code on the legitimate login page, thus authorizing the attacker’s device to access the account through valid access and refresh tokens.”
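The exchange described above leaves a distinctive trace: the token is issued to a device that completed the device authorization grant, and that device is not the one the user normally signs in from. The script below is an added example, not code from Bleeping Computer or from any identity provider, showing the detection logic a defender would run over sign-in logs. The JSON field names are an assumption modeled on a generic identity provider sign-in record, and the sample events are constructed for this demonstration.

```python
"""Flag OAuth 2.0 device-code sign-ins that look like device code phishing.

Assumptions (not from the page): the field names are a generic model of an
identity provider's sign-in log, and the records below are constructed."""
import json
from collections import defaultdict

# Constructed sample sign-in log (JSON lines). 198.51.100.77 completes the
# device-code flow for two different users within minutes, which is what a
# single phishing operator's device produces; 192.0.2.5 is bob's usual address.
SAMPLE_LOG = """\
{"ts": "2026-03-30T08:02:11Z", "user": "alice@example.test", "protocol": "oAuth2", "ip": "203.0.113.10", "country": "US", "result": "success"}
{"ts": "2026-03-30T09:15:40Z", "user": "alice@example.test", "protocol": "oAuth2", "ip": "203.0.113.10", "country": "US", "result": "success"}
{"ts": "2026-03-30T10:00:00Z", "user": "bob@example.test", "protocol": "oAuth2", "ip": "192.0.2.5", "country": "US", "result": "success"}
{"ts": "2026-03-31T13:44:02Z", "user": "alice@example.test", "protocol": "deviceCode", "ip": "198.51.100.77", "country": "NL", "result": "success"}
{"ts": "2026-03-31T14:01:19Z", "user": "bob@example.test", "protocol": "deviceCode", "ip": "192.0.2.5", "country": "US", "result": "success"}
{"ts": "2026-03-31T14:05:00Z", "user": "carol@example.test", "protocol": "deviceCode", "ip": "198.51.100.77", "country": "NL", "result": "failure"}
"""


def parse_events(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per user: IPs and countries seen on successful, non-device-code sign-ins.

    Device-code sign-ins are excluded so a phished session cannot seed its own baseline."""
    baseline = defaultdict(lambda: {"ips": set(), "countries": set()})
    for e in events:
        if e["result"] == "success" and e["protocol"] != "deviceCode":
            baseline[e["user"]]["ips"].add(e["ip"])
            baseline[e["user"]]["countries"].add(e["country"])
    return baseline


def device_code_alerts(events, allowed_users=frozenset()):
    """One alert per device-code sign-in (success or failure) that breaks
    policy or deviates from the user's baseline.

    allowed_users: accounts permitted to use the device-code flow at all
    (headless tooling, CLI logins). Every other use of it is reported."""
    baseline = build_baseline(events)
    users_per_ip = defaultdict(set)
    for e in events:
        if e["protocol"] == "deviceCode":
            users_per_ip[e["ip"]].add(e["user"])

    alerts = []
    for e in events:
        if e["protocol"] != "deviceCode":
            continue
        reasons = []
        if e["user"] not in allowed_users:
            reasons.append("device-code flow not permitted for this account")
        seen = baseline.get(e["user"], {"ips": set(), "countries": set()})
        if e["ip"] not in seen["ips"]:
            reasons.append(f"first sign-in from {e['ip']} for this account")
        if e["country"] not in seen["countries"]:
            reasons.append(f"first sign-in from country {e['country']} for this account")
        if len(users_per_ip[e["ip"]]) > 1:
            reasons.append(f"{e['ip']} completed device-code sign-ins for "
                           f"{len(users_per_ip[e['ip']])} accounts")
        if reasons:
            alerts.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"],
                           "result": e["result"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for alert in device_code_alerts(events, allowed_users={"bob@example.test"}):
        print(alert["ts"], alert["user"], alert["ip"], alert["result"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Bob's sign-in is not reported because his account is on the allowlist and the flow came from his usual address; Alice's and Carol's are, and the shared source address ties the two together into one campaign. The allowlist is the mitigation half of the same control: if the device-code grant is disabled for everyone except the accounts that genuinely need it, the phished code has nothing to authorize.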
  • Per Cyberscoop,
    • “A new malware-based credential-stealing campaign, which researchers are calling “DeepLoad,” has been infecting enterprise business IT environments.
    • “In a report released Monday, ReliaQuest AI researchers Thassanai McCabe and Andrew Currie say the most relevant feature of this attack is the way it uses artificial intelligence and other engineering “to defeat the controls most organizations rely on, turning one user action into persistent, credential-stealing access.”
    • “DeepLoad is delivered to victims via “QuickFix” social-engineering techniques, such as fake browser prompts or error pages. If the user falls for the scheme, the malware developers — or more likely their AI tools — put a lot of work into building evasion of security technology “at every stage” of the attack chain.
    • “The loader “buries functional code under thousands of meaningless variable assignments,” and the payload runs behind a Windows lock screen process that is “overlooked by security tools” monitoring for threats. ReliaQuest said “the sheer volume” of code padding likely rules out human-only involvement.”
  • Info Security discusses,
    • “A new malware-as-a-service (MaaS) platform dubbed Venom Stealer that automates credential theft and continuous data exfiltration has been identified by cybersecurity researchers.
    • “The platform is being sold on cybercrime networks and is designed to go beyond traditional credential harvesting tools by maintaining ongoing access to stolen data even after the initial infection.”

From the ransomware front,

  • Cisco Talos reflects on ransomware trends in 2025.
  • Cyberscoop reports,
    • “The Akira ransomware group has compromised hundreds of victims over the past year with a well-honed attack lifecycle that has whittled down the time from initial access to encryption of data in less than four hours, according to cybersecurity firm Halcyon.”
  • Security Week relates,
    • “Like an inverted pyramid, the range of different attack modes are now built on top of the single point of identity abuse.
    • “Stolen credentials are a major threat. Legitimate credentials illegitimately acquired provide legitimate access to illegitimate actors. Once inside the network, these bad actors have greater ability to move and act in stealth. The continuing rise in ransomware attacks bears testament.
    • “The theft and resale of credentials operates on an industrial scale. Fueled by the rise of increasingly more sophisticated infostealers, stolen credentials are packaged into ‘logs’ and sold to criminals on the black market. Ontinue reports, “Listings tied to LummaC2 alone surged by 72%, with high-privilege cloud console credentials selling for $1,000–$15,000+.”
    • “Ransomware has been one of the primary beneficiaries of stolen credentials. More than 7,000 incidents and 129 active groups were tracked through 2025. At the same time, ransom payments decreased slightly from $892M in 2024 to $820M in 2025. This apparent contradiction is actually logical.
    • “Larger targets, with larger payout potential, will have seen the most aggressive corporate investment (process and technology) mitigating exposure to this attack pattern,” explains Trey Ford, chief strategy and trust officer at Bugcrowd. These larger targets are also more susceptible to government pressure to not pay ransoms, and ransomware income has consequently declined. The ransomware groups have responded with more attacks demanding smaller payments from more but smaller companies.” 

From the cybersecurity defenses front,

  • Dark Reading reports,
    • “After some delay, Apple has patched the vulnerabilities associated with the DarkSword exploit chain for all affected customers, even those who aren’t updated to iOS 26 — a boon for organizations trying to get users updated to a new version all at once, and for those with patch management policies that preclude such updates.”
  • and
    • “Joseph Izzo, chief medical information officer for San Joaquin General Hospital, received ransomware training during a downtime period. He practiced responding and maintaining patient care in the event that the facility is forced to operate offline. But when the hospital where he was working was actually hit with ransomware, he realized very quickly how “different it was under pressure.” 
    • “Izzo shared his story at RSAC 2026 Conference and provided key incident response (IR) recommendations for healthcare organizations, a sector frequently targeted by ransomware gangs due to highly sensitive information. Ransomware doesn’t always cripple hospitals, but partial attacks happen frequently, Izzo explained. Either way, a rapid response is necessary when serving a vulnerable population.
    • “Recommendations ranged from identity protection to being prepared to operate with pen and paper in a digital world. Preparation is what really “makes the difference” when healthcare facilities are trying to get past a ransomware incident, Izzo emphasized.” 
  • Cybersecurity Dive tells us,
    • “Cybersecurity is one of the leading risks influencing corporate executives’ decisions about AI adoption, the consulting firm KPMG said in a quarterly AI pulse survey released on Tuesday.
    • “Three-quarters of senior leaders at large corporations told KPMG that they were worried about the cybersecurity and privacy risk associated with AI tools, according to the report.
    • “The survey also asked questions about governance approaches and agentic AI, offering a window into how businesses around the world are wrestling with new security challenges.”
  • Here is a link to Dark Reading’s CISO Corner.

From the Iranian war front,

  • Industrial Cyber reports,
    • “Following its recent cybersecurity incident, medical technology giant Stryker said it found no indication of ransomware or malware. As the investigation progressed, alongside Palo Alto Networks’ Unit 42 and other experts, the company determined that the threat actor used a malicious file to execute commands, enabling them to conceal activity within its systems. The file was not capable of spreading, either within or outside the environment.
    • “Our internal teams continue to work around the clock with external partners to make meaningful progress on our restoration efforts. We are grateful for the partnership and collaboration with government agencies and industry partners,” Stryker wrote in its latest update. “We believe the incident is contained, and we are prioritizing restoration of systems that directly support customers, ordering and shipping. Our internal teams, in partnership with third-party experts, reacted quickly to not only regain access but to remove the unauthorized party from our environment.”
    • “The update noted that, most importantly, the investigation has not identified any malicious activity directed towards customers, suppliers, vendors, or partners.” * * *
    • “Resecurity warns that the Iran conflict has rapidly evolved into a multi-domain confrontation where kinetic military operations are tightly integrated with cyber, electronic, and information warfare, marking a shift in how modern conflicts unfold. The analysis highlights sustained missile and drone strikes occurring alongside coordinated cyber campaigns driven by state-linked actors and proxy groups targeting critical infrastructure, enterprises, and government systems. This convergence is expected to persist, with cyber operations increasingly used to disrupt services, gather intelligence, and amplify geopolitical impact, even as physical hostilities continue across the region.”
  • MedTech Dive adds,
    • “Stryker has restored most manufacturing sites and critical lines roughly two weeks after the company suffered a cyberattack.
    • “The company is working with its global manufacturing sites as “operations steadily improve towards full capacity,” a spokesperson said in a statement emailed to MedTech Dive. Stryker is making “strong progress” on restoring underlying systems that support production and fulfillment.
    • “Stryker’s electronic ordering system, which was shut down due to the attack, has been restored for customers. The Portage, Michigan-based company is “working as quickly and safely as possible to reconcile orders, manufacture products and deliver to our customers so they can continue to provide seamless patient care,” the spokesperson said.
    • “The spokesperson declined to comment on whether Stryker has a timeline for full restoration of its operations, and whether the financial and material impact on the company is yet known.”
  • Cybersecurity Dive relates,
    • “An Iran-linked ransomware group targeted an unnamed U.S. healthcare provider in the lead-up to the Iran war, according to a report Tuesday [March 24] from Halcyon.
    • “Tracked under the name Pay2Key, the group gained access to a compromised administrative account for several days and then encrypted the account. 
    • “Forensics investigators, which included Halcyon and Beazley Security, found no evidence that data was stolen. This marks a departure from the group’s previous attacks. Researchers suggest the attacker may have changed tactics to focus more on destruction rather than pure extortion. 
    • “Also, the threat group appears to have shifted its attention toward the U.S. after historically targeting Israeli systems.” 

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “Members of Congress and their staffs are eagerly awaiting the Trump administration’s plan for implementing its new cybersecurity strategy and want more regular updates on how the government is helping critical infrastructure organizations guard against new Iran-linked hacking threats.
    • “Staffers from the House Homeland Security Committee and the House Oversight Committee discussed those and other cybersecurity issues during a panel at the RSAC 2026 Conference here on Tuesday [March 24].
    • “While the Democratic and Republican staffers sometimes took different approaches to the issues, they agreed on the need for more details about the strategy and about efforts to counter Iran-linked cyberattacks.”
  • and
    • “The program that underpins the entire global vulnerability-fixing ecosystem is in danger of either collapsing or fading into irrelevance without major changes, according to one of the program’s leaders.
    • “I don’t think we can afford to continue at the pace [and] with the tools that we currently have in order to make real progress. We’re just gonna be left in the dust,” Katie Noble, a board member for the Common Vulnerabilities and Exposures (CVE) Program, said during a panel at the RSAC 2026 Conference here on Tuesday [March 24].” * * *
    • “Through a network of affiliated organizations, the CVE Program vets vulnerability reports and assigns each flaw a unique CVE number, which helps researchers, businesses, government agencies and information-sharing groups track the flaws and understand their impact. The program is widely considered a crown jewel of the cybersecurity community. But its fate is uncertain after the nonprofit MITRE Corporation, which runs the program, almost lost crucial federal funding last year.
    • “On top of those logistical woes, the broader CVE ecosystem is also reeling from the dramatic AI-powered increase in the number of vulnerability reports flowing into software vendors and open-source platforms.”
  • Cyberscoop adds,
    • “Four former National Security Agency directors shared varying concerns about a lack of earnest and widespread response to growing threats in cyberspace during a discussion at the RSAC 2026 Conference on Tuesday.
    • “Accelerating threats posed by artificial intelligence, China and cybercriminals at large are testing the country’s resolve and determination to foster meaningful public-private collaboration, the former commanders of U.S. Cyber Command said. 
    • “While the four-star military officials remain confident in the country’s resources and people committed to defending the nation from cyberattacks, they voiced unease about challenges that could upend technological dominance and diminish a collective response to serious intrusions. 
    • “I think we’ve become numb to it,” retired Gen. Paul Nakasone said. “We continue to see these different intrusions, and intrusions have gotten to a size that the scale is just incredible to me.”
  • and
    • “A year-long effort to strengthen cybersecurity and modernize tech at U.S. intelligence agencies has led to policy standards for using AI to bolster cyber defenses, a shared repository of all apps that have undergone a cybersecurity review and more, the Office of the Director of National Intelligence announced Thursday [March 26].
    • “An unclassified summary of cyber and tech modernization work under the first year of DNI Tulsi Gabbard’s stewardship states that the office has expanded the automation of threat hunting across intelligence community networks. (The Cybersecurity and Infrastructure Security Agency conducts threat hunting across federal civilian agencies.)
    • “The ODNI also has developed a zero-trust strategy that shifts “to a data-centric security model that protects information regardless of location or network,” according to the summary.
    • “Over the past year, we have taken meaningful steps to begin fulfilling that responsibility through the largest IC-wide technology investment and modernization effort in history,” Gabbard said in a news release. “President Trump’s Intelligence Community is moving faster and more decisively on cybersecurity modernization and investments in IT than ever before, delivering stronger defenses, greater efficiency, and real cost savings for the American people.”   
  • Tech Target shares a boatload of other insights from the RSAC conference.
  • Federal News Network tells us,
    • “The Trump administration is prioritizing ensuring the government leads on adopting artificial intelligence for cyber defense, according to a top Office of Management and Budget official.
    • “The use of “AI-enabled cyber tools” is specifically called out in the new national cybersecurity strategy. The White House’s top cyber official has said the administration will launch a series of pilot programs to harden government networks under the new strategy.
    • “White House officials in recent weeks convened a roundtable featuring “representatives from industry as well as agencies who are at the cutting edge of cyber defense, to talk about how we can really operationalize AI for cyber defense,” Nick Polk, branch director for cybersecurity within OMB’s Office of the Chief Information Officer, said during a Thursday webinar hosted by the Digital Government Institute.
    • “This is something where we have really decided that we want to take the mantle and have the government lead in this space,” Polk added.”
  • and
    • “The Cybersecurity and Infrastructure Security Agency, after a year of workforce reductions that has left CISA’s ranks depleted, is planning to recruit more than 300 people in the coming months.
    • “The cyber agency is also loosening restrictions around flexible work schedules for its employees.
    • “Acting CISA Director Nick Andersen announced those plans in a March 23 email to staff. Andersen said Department of Homeland Security headquarters had approved CISA’s “critical hire list,” including 329 “mission critical hires” throughout the agency.
    • “During the ongoing government shutdown, CISA will only be hiring for “excepted” positions, Andersen added. Roughly two-thirds of CISA’s staff is currently furloughed due to the DHS shutdown.”
  • Cybersecurity Dive informs us,
    • “The Federal Communications Commission on Monday said it will no longer approve imported routers for consumer use without government review. 
    • “An interagency body convened by the White House determined that consumer-grade routers made outside the U.S. present an unacceptable risk to national security, according to FCC officials. 
    • “The Trump administration’s 2025 National Security Strategy says the U.S. should not be dependent on an outside power for core components considered vital to the nation’s economy or defense.”
  • Cyberscoop points out,
    • “An operation to crack down on the widely used RedLine infostealer has netted the extradition of an Armenian man to the United States, where he made an initial appearance in a Texas court Wednesday.
    • “Authorities charged Hambardzum Minasyan with conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act and conspiracy to commit money laundering for his alleged role with RedLine. Infostealers thieve billions of user credentials such as passwords annually.”
  • Security Week adds,
    • “Russian cybercriminal Ilya Angelov, known online as ‘Milan’ and ‘Okart’, has been sentenced to two years in federal prison for his role in the administration of a botnet used to facilitate ransomware attacks, the DOJ announced on Tuesday [March 24].
    • “According to the DOJ, Angelov was part of a threat group tracked by the FBI as Mario Kart, and by the cybersecurity community as TA-551, Shathak, Gold Cabin, Monster Libra, G0127, and ATK236.
    • “The charges against Angelov stem from activities he engaged in between 2017 and 2021, during which his cybercrime group built a botnet by distributing malware via spam email attachments.” * * *
    • “Angelov’s sentencing comes shortly after the DOJ announced that another Russian national, Aleksei Volkov, has been sentenced to 81 months in prison for his role in ransomware attacks.” 
  • The Wall Street Journal notes,
    • “Global hackers are getting better at drawing lessons from online crime busts to build more resilient operations, posing a dilemma for law-enforcement officials.
    • “The problem, known as tactical exposure, is expected to deepen amid calls by the White House for more aggressive action against cybercrime and a recent wave of takedowns and disruptions of cybercrime networks and platforms.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “A sophisticated China-nexus threat actor has embedded digital sleeper cells into the networks of telecom firms in multiple countries, according to a report released Thursday from cybersecurity firm Rapid7.
    • “The adversary, tracked as Red Menshen, has used a stealthy, Linux-based implant called BPFdoor that is designed to function within the operating system kernel.
    • “The goal is to run an espionage campaign against critical industry segments and government agencies, maintaining a long-term presence inside these networks, Rapid7 researchers said. “There are similarities to campaigns previously launched by other China-nexus actors, including Volt Typhoon and Salt Typhoon, but the mechanisms have evolved and the strategic objectives of these attacks have a longer tail.”
  • and
    • “The evolving threat landscape has placed identity governance at the center of cybersecurity, according to a pair of reports released this week, meaning that organizations should prioritize identity management as a way to protect sprawling computer networks from under-the-radar intrusions.
    • “Cloudflare’s report, released Wednesday, and PwC’s report, released Tuesday, both emphasize the need for companies to do a better job of monitoring user behavior and scanning for suspicious network activity.
    • “The rise of AI only makes identity governance even more important, researchers wrote, as the technology helps hackers improve their impersonation tactics.”
  • and
    • “Security researchers warn that a critical vulnerability in Citrix NetScaler products might lead to a wave of exploitation that could rival the 2023 CitrixBleed crisis. 
    • “Citrix on Monday [March 23] disclosed an insufficient input validation flaw in NetScaler ADC and NetScaler Gateway application-delivery products, tracked as CVE-2026-3055, with a severity score of 9.3. 
    • “Citrix also disclosed a race condition flaw, tracked as CVE-2026-4368, in the same products. That vulnerability has a severity score of 7.7.
    • “The input validation flaw can allow an attacker to leak sensitive information, similar to the original CitrixBleed flaw, which led to a wave of high profile data theft and ransomware attacks. 
    • “NetScalers are critical solutions that have been continuously targeted for initial access into enterprise environments,” Benjamin Harris, founder and CEO of watchTowr, told Cybersecurity Dive.”
  • Cyberscoop relates,
    • “Researchers and threat hunters are scrambling to contain a maximum-severity defect in Ubiquiti’s UniFi Network Application that attackers could exploit to take over user accounts by accessing and manipulating files.
    • “The path-traversal vulnerability — CVE-2026-22557 — affects software used to manage UniFi networking devices, including access points, gateways and switches. The vendor disclosed and released patches for the defect in a security advisory Wednesday [March 25].
    • “As of this morning, we have not observed any public proof-of-concept exploits or confirmed reports of exploitation in the wild,” Matthew Guidry, senior product detection engineer at Censys, told CyberScoop.
    • “However, because this is a path-traversal vulnerability, the technical complexity for an attacker is typically lower than memory-corruption or buffer-overflow bugs,” he added. “Given that the CVSS 10 rating implies low attack complexity, we anticipate that once the specific vulnerable endpoint is identified, exploitation will be trivial to automate.”

From the ransomware front,

  • The Bangor Daily News reports,
    • “The Maine mental health agency AMHC was the subject of a ransomware attack this month allegedly perpetrated by a Russia-based cybercrime group. 
    • “Qilin, which analysts have cited as the world’s leading ransomware threat, added the Presque Isle-based healthcare organization to a list of victims on its dark web data leak site Tuesday, according to screenshots and reports posted by more than a dozen websites and groups that track ransomware. 
    • “AMHC is the largest behavioral healthcare provider for a large swath of rural Maine, operating in Aroostook, Hancock and Washington counties. It has more than 350 employees and over 5,500 clients between 27 service locations, according to its website. 
    • “The organization acknowledged the attack in a statement to the Bangor Daily News Wednesday, saying that it “recently experienced a network disruption,” and that it had partnered with “cyber incident specialists” to investigate.”
  • Dark Reading relates,
    • “Ransomware is not only growing, threat actors are also accelerating the pace of their attacks by using offensive tools to exploit valid credentials and hit targets with speed and precision. 
    • “The practice has undergone big changes over the past five years. Initially, attacks focused on encrypting data; now, threat actors threaten to extract it to pressure victims into paying. Double-extortion tactics quickly shifted to triple-extortion threats to expose stolen data. Threat actors also transitioned from extorting companies to contacting victims directly — whatever it takes to rake in the cash.
    • “The latest shift is all about speed. Ransomware actors discovered methods to bypass endpoint detection and response (EDR) tools, and they’re increasingly using artificial intelligence (AI) to steal data more quickly. 
    • “Halcyon’s 2026 Method Survey Report reveals that while 98% of organizations use EDR tools for ransomware defense, only 25% “actually trust it to defend against today’s evolving ransomware threat.” Additionally, 78% of surveyed participants say AI made ransomware attacks more effective. Conversely, only 6% believe the tools have improved their own defenses.”  
  • CSO adds,
    • “In 2025, attacker dwell time rose, voice phishing topped email phishing, and threat actors increasingly targeted backup and identity systems, according to Mandiant’s latest incident response data.
    • “Mandiant’s M-Trends 2026 report, released today at the RSA Conference, shows that attackers are moving faster, operating more collaboratively, and increasingly focusing on the systems organizations rely on to recover from breaches.
    • “The report, based on more than 500,000 hours of incident response engagements in 2025, finds that attackers are compressing key phases of the attack lifecycle, even as median dwell time increased to 14 days, up from 11 days the previous year.
    • “In addition, it reveals a change in tactics. Voice phishing accounted for 11% of initial infection vectors, making it the second most common entry point after exploits, which led at 32%. Email phishing declined to 6%, down from 14% the year before, reflecting a move toward more interactive social engineering. Together, the trends point to a shift in both how quickly attacks unfold and what attackers are trying to achieve once inside.”
  • Tech Radar explains why stolen credentials continue to work even when multi-factor authentication is in place.
  • Cybersecurity Dive tells us,
    • “Businesses need to think carefully about when they publicly blame a threat actor for a cyberattack, lest they invite unwanted consequences, experts said at a panel at the RSAC 2026 Conference here on Tuesday.
    • “The rush to attribute is a risky one,” Megan Stifel, the chief strategy officer at the Institute for Security and Technology, a cybersecurity think tank, said during a panel discussion.
    • “Brett Callow, a ransomware expert and senior adviser at FTI Consulting who advises cyberattack victims, called attribution “extremely risky” because “you are bringing third parties into the discussion, and those third parties may very well respond.”

From the cybersecurity defenses front,

  • Cyberscoop reports,
    • “Google is accelerating its timeline for migrating its products to quantum resistant encryption to 2029, the latest sign that tech leaders are worried that they haven’t been aggressive enough in planning for a post-quantum future.
    • “In a blog posted Wednesday [March 25], vice president of security engineering Heather Adkins and senior staff cryptology engineer Sophie Schmieg said that Google and other tech companies have observed faster than expected advances in several quantum fields.
    • “This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates,” Adkins and Schmieg wrote.
    • “Google is replacing outdated encryption across their devices, systems and data with new algorithms vetted by the National Institute for Standards and Technology. Those algorithms, developed over a decade by NIST and independent cryptologists, are designed to protect against future attacks from quantum computers.”
  • Cybersecurity Dive relates,
    • “Businesses hoping AI can automate away their security woes should think again, because the technology isn’t a cure-all and is actually introducing new risks, experts warned at the RSAC 2026 Conference here.
    • “We’re seeing advantages [with AI for defense], but we’re also seeing a lot of hiccups as we figure out how to get there,” Adam Pennington, who oversees MITRE’s ATT&CK framework, said during a panel about how AI is changing the push-and-pull between attackers and defenders.
    • “Security teams are using AI in a lot of the same ways as hackers, Pennington said, especially rapid code-writing. “There does need to be some caution, though, in using it directly in defense,” he said. “False positives have always been a problem in trying to apply machine learning and AI to defense.”
    • “The warnings from Pennington and others on the panel come as businesses rush to purchase AI security services, often with seemingly little regard for their efficacy or tradeoffs.”
  • Dark Reading adds,
    • “Organizations may want to think twice before consulting with AI models on software dependency decisions.
    • “New research from Sonatype found that “frontier” models (defined as the most advanced AI models available at a given moment) often generate faulty or fabricated recommendations for software dependencies, which spells trouble for organizations that lean on AI for upgrade and patching guidance. 
    • “Sonatype’s research team analyzed 36,870 unique dependency upgrade recommendations across Maven Central, npm, PyPI, and NuGet between June and August 2025. In all, the DevSecOps company studied a total of 258,000 recommendations generated by seven AI models from Anthropic, OpenAI, and Google.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the Iranian War front,

  • The Wall Street Journal reminds us,
    • “Iran pulled off likely the most significant wartime cyberattack against the U.S. in history, leveraging its hacking powers to cause major disruptions at a global medical-equipment firm that struggled to bring itself back online in recent days.
    • “The attack brought a conflict that until now had been largely confined to the Gulf region to the American homeland and offered a preview of the potential for how Iran may broaden its response to the U.S. and Israeli military campaign.
    • “Stryker, the Michigan-based firm hit in the hack, said it experienced “global disruption” and quickly contained it. The company said it believed the incident had been limited to its internal Microsoft systems. The company added that some hospitals may be experiencing temporary pauses in transmissions of medical data, but that its connected products “are not impacted and are safe to use.” Microsoft hasn’t commented on the hack.”
  • The American Hospital Association News adds,
    • “The Cybersecurity and Infrastructure Security Agency [CISA] March 18 released an alert urging U.S. organizations to harden their endpoint management systems following the March 11 cyberattack against Stryker, a U.S.-based medical technology and supply firm. The attack impacted the company’s Microsoft environment, and Stryker said there was no indication of ransomware or malware. The CISA alert provides various recommendations and resources, as well as best practices for securing Microsoft Intune.”
  • Cybersecurity Dive informs us,
    • “The Department of Justice on Thursday [March 19] said four domains used for Iranian-backed hacking and intimidation of political opponents have been taken down in a court-ordered operation. 
    • “Two of the domains were connected to Handala, the state-linked threat group that authorities confirmed was behind the hack of Stryker, a Michigan-based medical technology giant. 
    • “A partially redacted FBI affidavit did not specifically identify Stryker by name, but the details of the attack match with the circumstances of the same incident.” * * *
    • “The sites were part of a larger effort by Iran’s Ministry of Intelligence and Security (MOIS) to intimidate dissidents, conduct malicious attacks, target Israelis and conduct violent attacks against journalists, according to court records. 
    • “Federal authorities obtained a seizure warrant Thursday, according to the FBI affidavit filed Thursday at U.S. District Court in Maryland.
    • “The FBI seizure is not expected to have a major impact on Handala’s ability to conduct attacks, said the Foundation for the Defense of Democracies (FDD).”  
  • Bleeping Computer offers “a five-step playbook to stop Iranian wiper campaigns before they spread.”

From the cybersecurity policy and law enforcement front,

  • Politico reports,
    • “The White House offered additional immigration enforcement concessions to Democrats Friday evening [March 20] as border czar Tom Homan met a second time with a bipartisan group of senators seeking to end the Homeland Security shutdown, according to lawmakers who attended.
    • “Leaving the private meeting, Republican senators said they hope Democrats respond over the weekend to the Trump administration’s bolstered proposal of immigration enforcement changes meant to address Democratic demands for funding DHS.”
  • The Wall Street Journal adds,
    • “March 27 is a make-or-break day for TSA officers.
    • “If Congress leaves that day for a scheduled two-week recess without reaching a deal to fund the Transportation Security Administration, officers are set to miss more than a month of paychecks.” 
  • Cybersecurity Dive lets us know,
    • “The Trump administration will make sure that new AI technologies are secure by design, a senior U.S. official said on Tuesday [March 17].
    • “What we are working for in my lane is to ensure that the technical security is not seen as a barrier to that innovation, but is seen as a fundamental piece of the ability to scale it and move it as quickly as possible,” National Cyber Director Sean Cairncross said at an event hosted by the McCrary Institute for Cyber and Critical Infrastructure Security.”
    • “Cairncross addressed the audience in Washington two weeks after the Trump administration released its cybersecurity strategy, a short, high-level document that discussed critical infrastructure protection, emerging technologies and digital deterrence. Cairncross said the government wanted to work closely with the U.S. companies that operate important online infrastructure, including to counter foreign adversaries — but he stressed that the government would be the one conducting offensive operations.”
  • Per a March 12 FBI news release,
    • “The Federal Bureau of Investigation (FBI) is publishing this Public Service Announcement (PSA) to raise awareness of residential proxies, the risks they pose, and steps the public can take to safeguard their devices from becoming part of a residential proxy network. Cyber threat actors use residential proxies to facilitate illicit activities, while obfuscating their true identities and locations by routing internet traffic through home and small business internet networks.”
  • Per a NIST news release,
    • “The Domain Name System (DNS) plays an integral role in every organization’s security posture by translating domain names into IP addresses. It can serve as an enforcement point for enterprise security policy and an indicator of potential malicious activity on a network. A disruption or attack against the DNS can impact an entire organization.
    • “NIST Special Publication (SP) 800-81r3 (Revision 3), Secure Domain Name System (DNS) Deployment Guide, describes the different roles of DNS and gives recommendations for protecting the integrity, availability, and confidentiality of DNS services, including:
      • “The role DNS plays in supporting a zero trust architecture, such as serving as both a policy enforcement point (PEP) and a source of information when evaluating access requests
      • “The role of hosting DNS information (authoritative DNS), including guidance on protecting the integrity and authenticity of DNS information using DNSSEC
      • “The role of recursive DNS, including guidance on protecting the confidentiality of client DNS queries.”
  • Cyberscoop reports,
    • “Three American men were sentenced Friday [March 20] for crimes they committed in furtherance of North Korea’s vast scheme to get operatives hired at U.S. companies, the Justice Department said.
    • “The trio — Audricus Phagnasay, 25, Jason Salazar, 30, and Alexander Paul Travis, 35 — pleaded guilty in November to wire fraud conspiracy for providing U.S. identities to remote North Korean IT workers.”
  • and
    • “A 27-year-old North Carolina man was found guilty of six counts of extortion for a series of crimes he committed while working as a data analyst contractor for a D.C.-based international technology company, the Justice Department said Thursday [March 19].
    • “Cameron Nicholas Curry, also known as “Loot,” stole a trove of corporate data, including sensitive employee and compensation information, which he used to extort his employer, according to court records. Curry ultimately made off with approximately $2.5 million from the victim organization in January 2024.
    • “The insider attack underscores immeasurable risks companies accept when employees, or contractors placed in roles by a third-party recruitment company, as was the case with Curry, are allowed to access sensitive data on a company-owned laptop. Officials did not name the company.”
  • and
    • “Authorities seized infrastructure powering four botnets that hijacked a combined three million devices and launched more than 300,000 DDoS attacks collectively, the Justice Department said Thursday [March 19].
    • “The botnets — Aisuru, Kimwolf, JackSkid and Mossad — enabled operators to sell access to the infected devices for various cybercrimes. The aftermath spanned thousands of attacks, including some demanding extortion payments from victims, officials said.”

From the cybersecurity breaches and vulnerabilities front,

  • Cyberscoop reports,
    • “Russian intelligence-affiliated hackers have gained access to thousands of users’ messaging apps with a global phishing campaign, the FBI and the Cybersecurity and Infrastructure Security Agency warned in a public service announcement on Friday [March 20].
    • “The high-value targets they’re pursuing include current and former U.S. government officials, political figures, military personnel and journalists, the two agencies said in the joint PSA about the hackers’ attempts to infiltrate commercial messaging applications (CMAs).
    • “The U.S. alert comes on the heels of an earlier warning from Dutch authorities, who said last week that Russian hackers were “engaged in a large-scale global attempt” to take over WhatsApp and Signal accounts. The Dutch warning likewise followed a similar warning from Germany in February.
    • “The U.S. agencies emphasized that the hackers had not been able to bypass end-to-end encryption, instead manipulating users into giving up access. The scheme involves hackers posing as Signal help personnel, then inviting them to click a link or provide verification codes or account personal identification number.”
  • and
    • “Researchers and threat hunters are scrambling to contain a maximum-severity defect in Ubiquiti’s UniFi Network Application that attackers could exploit to take over user accounts by accessing and manipulating files.
    • “The path-traversal vulnerability — CVE-2026-22557 — affects software used to manage UniFi networking devices, including access points, gateways and switches. The vendor disclosed and released patches for the defect in a security advisory Wednesday.
    • “As of this morning, we have not observed any public proof-of-concept exploits or confirmed reports of exploitation in the wild,” Matthew Guidry, senior product detection engineer at Censys, told CyberScoop.
    • “However, because this is a path-traversal vulnerability, the technical complexity for an attacker is typically lower than memory-corruption or buffer-overflow bugs,” he added. “Given that the CVSS 10 rating implies low attack complexity, we anticipate that once the specific vulnerable endpoint is identified, exploitation will be trivial to automate.”
  • Cybersecurity Dive reports,
    • “North Korea’s remote IT worker schemes rely heavily on Western collaborators, an elaborate hierarchy of roles and the extensive use of an open-source messaging application, IBM and the cybersecurity vendor Flare said in a report published on Wednesday.
    • “The new research details the tactics and technologies that North Korean operatives use to trick companies into hiring them and fly under the radar while they funnel their salaries to Pyongyang.
    • “Flare and IBM said the report could help businesses improve their ability to root out North Korean operatives posing as legitimate employees.”
  • and
    • “Threat groups are increasingly targeting critical infrastructure for malicious attacks by using direct access to cyber-physical systems, according to a report released Wednesday by Claroty, a firm that specializes in industrial security. 
    • “These attackers, which often are state-sponsored or hacktivist groups, are abusing virtual network protocol in a majority of cases to gain remote access to exposed internet-facing assets. 
    • “In two-thirds of the tracked incidents, attackers are compromising human-machine interfaces or supervisory control and data acquisition systems, which are used to control various industrial processes in factories and other operational technology environments.” 

From the ransomware front,

  • The Record reports on March 17,
    • “A prominent ransomware gang has taken credit for a devastating attack on the biggest hospital in Mississippi and a large county in New Jersey. 
    • “The Medusa ransomware operation, which experts believe is run out of Russia, said recently it was behind the cyberattack on the University of Mississippi Medical Center (UMMC).” * * *
    • “The hospital fully reopened on March 2, and the Medusa ransomware gang claimed the attack last Thursday, demanding an $800,000 ransom. The hackers threatened to leak data stolen from the hospital by March 20.  
    • “A UMMC spokesperson declined to comment on the ransom threat.   
    • “Experts believe the Medusa operation is based in Russia due to its avoidance of targets in Commonwealth of Independent States, its Russian-language forum activity and the use of Cyrillic script in operational tools.” 
  • Cyberscoop adds,
    • “Ransomware remains a scourge that shows some signs of relenting, but incident responders and threat hunters are busier than ever as more financially-motivated attackers lean exclusively on data theft for extortion.
    • “Attacks that only involve data theft for extortion may not be more prevalent than traditional ransomware when attackers encrypt systems, but momentum is moving in that direction, Genevieve Stark, head of cybercrime intelligence at Google Threat Intelligence Group, told CyberScoop.
    • “When you look at the actors in the English-speaking underground, those actors are almost all just focusing on data-theft extortion right now,” Stark added. This includes groups like Scattered Spider, ShinyHunters, Clop and other groups that have been responsible for some of the largest and farthest-reaching attacks over the past few years.
    • “Google Threat Intelligence Group’s research report on ransomware, which it shared exclusively and discussed with CyberScoop prior to release, underscores how the evolution and spread of cybercrime can cloud a collective understanding of ransomware, or attacks that use malware to encrypt or lock systems.” 
  • eSecurity Planet explains,
    • “Why BYOD Is the Favored Ransomware Backdoor.
    • “80% of ransomware attacks come from unmanaged devices. Explore how BYOD could be ransomware’s favored method and how to protect against attacks.”
  • and
    • “Ransomware’s Opening Play: Target Identity First
    • “Ransomware attackers now target identity systems like Active Directory first. Learn how identity resilience can help you prevent and recover from attacks.”

From the cybersecurity defenses front,

  • Cyberscoop asks,
    • “Can Zero Trust survive the AI era?
    • “As AI increases the speed of cyber attacks, governments and businesses must weigh the tradeoffs that come with deploying semi-autonomous AI agents to stop them.”
  • Cybersecurity Dive adds,
    • “Corporate cybersecurity leaders believe AI will be essential to their missions, but, so far, few are seeing big gains from agentic security products, according to a new EY survey.
    • “With AI governance dominating C-suite agendas, the survey released on Thursday found that companies are making progress in integrating risk management frameworks into their operations, even if those ways of thinking have yet to fully permeate corporate cultures.
    • “The survey findings prompted EY to make four high-level recommendations to businesses still deciding how to adopt and use AI for cybersecurity.”
  • The ISACA Blog considers,
    • “A report by the Neuro-rights Foundation examined the privacy practices of around 30 compelling consumer neuro-technology companies and found that more than 90% relied on vague safeguarding language with no concrete protection of consumers’ neural data. Researchers at Bitbrain reported the possibility of neural signals being captured by attackers using man-in-the-middle attacks, with modified information being readily re-injected since applications do not check the devices they are connected to.
    • “The enterprise security perimeter has now moved beyond networks and terminals into the brain itself as thoughts become potential attack vectors.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the Iran War front,

  • Dark Reading reports,
    • “Iranian state intelligence has been utilizing the cybercriminal underground to upgrade and provide cover for its offensive cyber activity.
    • “Iran’s Ministry of Intelligence and Security (MOIS) has long used hacktivism as a cover when it carries out cyberattacks. On March 11, for example, a wiper attack struck the Fortune 500 medical technology company Stryker. It was claimed by “Handala,” a group that positions itself as a pro-Palestine hacktivist operation, evidently itching to contribute to the ongoing US-Iran war. In fact, it’s a front for Void Manticore, an advanced persistent threat (APT) run out of Iran’s MOIS.
    • “This isn’t a new strategy. What is new, according to recent research from Check Point, is that MOIS hackers have been working with the real cybercriminals they’re pretending to be. Void Manticore, for example, has made the commercial infostealer Rhadamanthys a core element of its attack chains. Other MOIS entities have been linked to cybercrime clusters, even collaborating with ransomware-as-a-service (RaaS) operations.
    • “Organizations need to be aware of this, says Sergey Shykevich, threat intelligence group manager at Check Point, “because there can be a case where a SOC or CISO will see something in their network that they associate with cybercrime activity [and label it] of low risk. And in reality, it will be an Iranian threat actor who will be able to execute destructive activities.”
  • The Wall Street Journal tells us on March 12,
    • “Stryker said a cyberattack related to the Iranian conflict is still disrupting its operations, including order processing, manufacturing and shipping.
    • “Stryker experienced a global disruption to its Microsoft systems following a cyberattack Wednesday, which resulted in the company asking 56,000 employees to disconnect from all networks and avoid turning on company devices.
    • “The hackers behind the attack said they were retaliating on behalf of Iran, The Wall Street Journal reported Wednesday.
    • “On Thursday, Stryker said operations were still disrupted, but it doesn’t believe its patient-related services or connected products have been impacted.”
  • Security Week adds,
    • “Stryker is a Fortune 500 company that specializes in the manufacturing of surgical equipment, orthopedic implants, and neurotechnology. Headquartered in Michigan, the company employs approximately 56,000 people and reported over $25 billion in revenue for 2025. Its critical role in the healthcare supply chain makes it an essential partner for hospitals worldwide.”
    • “The Iran-linked hacker group named Handala has taken credit for the attack, claiming to have struck an “unprecedented blow” to the company.”
  • and
    • “Like other ideologically motivated hackers, profit is not Handala’s goal, according to Ismael Valenzuela, vice president of threat intelligence at the cybersecurity company Arctic Wolf.
    • “What distinguishes this group is its clear focus on data destruction rather than financial extortion,” he said in an email.”
  • Cybersecurity Dive points out,
    • “Stryker said the cyberattack that hit the company this week has disrupted its manufacturing and shipping operations.
    • “The medtech company released the information Thursday night [March 12] in a statement posted to its website. Stryker did not detail the attack’s impact on its systems, but wrote in the statement that the incident has caused disruptions to order processing, manufacturing and shipping.
    • “However, we are working diligently to restore our systems and above all, we are committed to ensuring our customers can continue to deliver seamless patient care,” the company said.
    • “Stryker maintained that the incident is contained to its internal Microsoft environment, and there is no malware or ransomware detected.”

From the cybersecurity policy and law enforcement front,

  • Federal News Network reports,
    • “U.S. Cyber Command and the National Security Agency have a new permanent leader. The Senate has confirmed Gen. Joshua Rudd to serve as the next director of CYBERCOM and NSA. The two organizations have been without a permanent leader since April, when President Donald Trump fired Gen. Timothy Haugh from the role. Some Democratic lawmakers objected to Rudd’s nomination, citing his lack of cyber experience needed to immediately step into the dual leadership position. Sen. Ron Wyden (D-Ore.) said that when it comes to U.S. cybersecurity, “there is simply no time for on-the-job learning.” It’s not clear when Rudd will be sworn in.”
  • and
    • “The Cybersecurity and Infrastructure Security Agency (CISA) is postponing meetings with industry on a forthcoming cyber incident reporting rule due to the ongoing Department of Homeland Security shutdown.
    • “The shutdown is also “likely” to delay the final Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule, CISA confirmed today [March 9].
    • “In a notice posted to its website, CISA said it won’t be able to hold planned town halls on CIRCIA due to the lapse in appropriations. The town halls were scheduled for today, March 9, through early April.”
  • Cyberscoop relates,
    • “The Trump administration is plotting an interagency body to confront malign hackers, pilot programs to secure critical infrastructure across states and other steps tied to its freshly-released cyber strategy, National Cyber Director Sean Cairncross said Monday.
    • “The “interagency cell” will bring together agencies like the Justice Department, the Department of State, the FBI and the Pentagon, which will make it clear that going on cyber offense isn’t just about attacking enemies in cyberspace, Cairncross said.
    • “Sure, that’s part of it, but that’s not all of it,” he said at an event hosted by USTelecom. It will include diplomatic efforts, arrests and more, he said. “As President Trump has made clear, he expects results, and he’s empowered the team under him to go get them.
    • “A series of pilot programs will be catered to specific critical infrastructure industries in specific states, such as water in Texas and beef in South Dakota, Cairncross said. Different sectors operate at more or less mature levels, he said.”
  • Cybersecurity Dive tells us,
    • “Inconsistent definitions, overly burdensome information demands and duplicative requirements are some of the problems that U.S. businesses face in dealing with cybersecurity regulations, according to a recent Government Accountability Office report.
    • “Critical infrastructure organizations want federal agencies to work together to streamline their rules, according to the March 5 summary of a GAO panel discussion with infrastructure representatives.
    • “Businesses recommended several possible solutions to the regulatory sprawl, including agencies converging on common definitions of key terms.”
  • Cyberscoop informs us,
    • “A 41-year-old South Florida man is accused of conducting at least 10 ransomware attacks and helping accomplices extort a combined $75.25 million in ransom payments while he was working as a ransomware negotiator for DigitalMint.
    • “Five of Angelo John Martino III’s alleged victims hired DigitalMint, which assigned Martino to conduct ransomware negotiations on their clients’ behalf — putting him in a position to play both sides, as the criminal responsible for the attack and the lead negotiator for his alleged victims, according to federal court records unsealed Wednesday.
    • “Martino allegedly obtained an affiliate account on ALPHV, also known as BlackCat, and conspired with other former cybersecurity professionals to break into victims’ networks, steal and encrypt data, and extort companies for ransoms over a six-month period in 2023.
    • “Martino was an unnamed co-conspirator in an indictment filed in November 2025 against Kevin Tyler Martin, another former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former manager of incident response at Sygnia. Goldberg and Martin pleaded guilty in December to participating in a series of ransomware attacks and are scheduled for sentencing April 30.”
  • and
    • “Authorities from multiple countries dismantled SocksEscort, a residential proxy network cybercriminals used to commit large-scale fraud, claiming access to about 369,000 IP addresses since 2020, the Justice Department said Thursday.
    • “Europol, which aided the investigation alongside various law enforcement agencies, Lumen’s Black Lotus Labs and the Shadowserver Foundation, said the malicious proxy service compromised routers and IoT devices in 163 countries. Officials said the proxy network’s payment platform received about $5.8 million from its customers.
    • “The globally coordinated action, dubbed Operation Lightning, took down and seized 34 domains and 23 servers in seven countries. U.S. officials froze a combined $3.5 million in cryptocurrency allegedly linked to the botnet that was created from infected devices.
    • “Cybercrime thrives on anonymity,” Catherine De Bolle, executive director at Europol, said in a statement. “Proxy services like SocksEscort provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection.”

From the cybersecurity breaches and vulnerabilities front,

  • MedTech Dive reports,
    • “Intuitive Surgical was hit by a cybersecurity phishing incident that compromised customer and employee data.
    • “Information was obtained from an employee’s compromised access into Intuitive’s internal business administrative network, the surgical robotics firm said in a statement posted to its website. An unauthorized third party accessed information including customer business and contact information, as well as employee and corporate data.
    • “The statement was posted on Thursday [March 12], an Intuitive spokesperson said in an email to MedTech Dive.
    • “When the incident was discovered, the company activated its incident response protocols and secured all affected applications.”
  • Bleeping Security adds,
    • “Starbucks has disclosed a data breach affecting hundreds of employees after threat actors gained access to their Starbucks Partner Central accounts.
    • “As the world’s largest coffeehouse chain, Starbucks has over 380,000 employees (also known as partners) and operates nearly 41,000 locations across 88 countries.
    • “In data breach notification letters filed with Maine’s Attorney General and sent to affected employees on Tuesday, the company says that it discovered the incident on February 6.”
  • Cyberscoop relates,
    • “Threat hunters and a collection of unconfirmed victims are responding to a series of attacks targeting Salesforce customers, which the vendor disclosed in a security advisory Saturday [March 7]. 
    • “Salesforce is actively monitoring threat activity targeting public-facing Experience Cloud sites, including attempts to take advantage of overly permissive guest user configurations,” the company said in the alert.
    • “The campaign marks the third widespread attack spree targeting Salesforce customers in about six months. 
    • “The number of victims ensnared by the latest attacks is unverified, but ShinyHunters, the threat group asserting responsibility for the attacks, claims about 100 companies have already been impacted.”
  • and
    • “A maximum-severity vulnerability in pac4j, an open-source library integrated into hundreds of software packages and repositories, poses a significant security threat, but has thus far received scant attention.
    • “The defect in the Java security engine, which handles authentication across multiple frameworks, has not been exploited in the wild since code review firm CodeAnt AI published a proof-of-concept exploit last week. The company discovered the vulnerability and privately reported it to pac4j’s maintainer, which disclosed the defect and released patches for affected versions of the library within two days.
    • “Some researchers told CyberScoop they are concerned about the vulnerability — CVE-2026-29000 — because it affects a widely deployed Java security engine that attackers can exploit with relative ease.
    • “A threat actor only needs to access a server’s public RSA key to attempt exploitation,” researchers at Arctic Wolf Labs said in an email.”
  • Cybersecurity Dive points out,
    • “Prolific cybercrime gangs have begun using AI to help them generate malware, signaling a “fundamental shift of dynamics” in the threat environment, IBM’s X-Force threat intelligence team said in a report published on Thursday [March 12].
    • “The malware, which IBM called Slopoly, is “relatively unspectacular” but nonetheless a harbinger of a coming future in which automated code development can rapidly accelerate the hacking life cycle, according to the report.
    • “IBM linked the malware to Hive0163, a group of hackers who have used the Interlock ransomware in several recent major attacks.”
  • Dark Reading notes,
    • “Exploitation of user-managed cloud software has overtaken credential abuse as the method by which most attackers gain initial access to cloud resources.
    • “In its semi-annual “Cloud Threat Horizons Report,” Google found attacks on user-managed software applications — such as the React2Shell attack targeting a flaw in React Server Components — bested software vulnerabilities to become the most frequently exploited vector for initial access. Overall, “software-based entry,” which includes exploiting software vulnerabilities such as remote code execution (RCE) flaws, accounted for about 44% of all initial-access activity in Google Cloud, the company stated in the report.
    • “The shift is likely due to the company’s focus on secure-by-default strategies and cloud users taking measures to shrink the stolen credentials and misconfiguration attack surfaces, says Crystal Lister, a security adviser in the Office of the CISO at Google Cloud.
    • “As defenders address some of the initial, enduring cloud hygiene issues, attackers are being forced to focus on more sophisticated, automated paths,” she says. “It isn’t necessarily that companies are cutting corners, but rather that the defensive perimeter has moved. Attackers are now targeting the third-party user-managed software running on top of the cloud rather than the cloud infrastructure itself.”

From the ransomware front,

  • Spiceworks explains “why encrypted backups may fail in an AI-driven ransomware era.” Check it out.
  • Healthcare IT News tells us how to stop ransomware disruption with better planning.
    • “Lessons from a LockBit ransomware attack can keep healthcare organizations running when faced with a cyberattack, said Zachary Lewis, CIO and CISO at University of Health Sciences and Pharmacy, in his HIMSS26 Cyber Forum keynote.”
  • Two former federal government cybersecurity officials, writing in Cyberscoop, point out,
    • “We’ve seen ransomware cost American lives. Here’s what it will actually take to stop it.
    • “Hackers have cut their attack timelines from weeks to hours while the government spreads resources too thin. We need to stop pretending we can protect everything and start focusing on what would hurt us most.”

From the cybersecurity business and defenses front,

  • Cybersecurity Dive reports,
    • “Google on Wednesday said it completed a $32 billion agreement to buy Wiz, a leading cloud and AI security platform, marking one of the largest-ever acquisitions in the cybersecurity market. 
    • “The deal will allow Google to provide a comprehensive security offering to both government and enterprise customers operating across multicloud environments. 
    • “Wiz works across the leading cloud providers, including Amazon Web Services, Microsoft Azure and Oracle Cloud. 
    • “The platform will continue to operate under its own brand name, while providing a broad range of services through its integration with Google Cloud.”
  • Security Week relates,
    • “OpenAI announced this week that it’s in the process of acquiring AI security company Promptfoo.
    • “Financial terms of the acquisition have not been disclosed, but Promptfoo has raised more than $23 million and was reportedly valued at $86 million (based on PitchBook data) following an $18.4 million Series A funding round in July 2025.
    • “Promptfoo has developed a security and evaluation platform designed to systematically test LLMs and AI agents. * * *
    • “Once it completes the acquisition, OpenAI plans to integrate Promptfoo’s capabilities into its Frontier platform, which enterprises use to build and operate AI coworkers.  
    • “Promptfoo brings deep engineering expertise in evaluating, securing, and testing AI systems at enterprise scale. Their work helps businesses deploy secure and reliable AI applications, and we’re excited to bring these capabilities directly into Frontier,” said Srinivas Narayanan, CTO of B2B Applications at OpenAI.”
  • Cyberscoop tells us,
    • “Artificial intelligence may be enhancing cyber threats, but the defensive approach to those AI-amplified attacks remains the same, a top FBI official said Tuesday.
    • “We have seen actors both criminal and nation-state, they’re absolutely using AI to their advantage,” said Jason Bilnoski, deputy assistant director at the FBI’s cyber division. “But the way attacks unfold have not changed. Cyberattacks still follow basic steps. It just becomes an incredible speed now.”
    • “The best way to deal with those attacks is to implement all the traditional defenses, like those the FBI has been emphasizing as part of its Operation Winter SHIELD media campaign, he said.
    • “Don’t worry about the speed and capability” of AI attacks, Bilnoski said at a Billington Cybersecurity conference. “If you’re focused on the basics, it’ll help prevent the actual intrusion from occurring.
    • “It’s a message that the acting director of the Cybersecurity and Infrastructure Security Agency, Nick Andersen, also shared at the conference. Sophisticated attackers are out there, he said, but the agency’s recent binding operational directive for federal agencies to get rid of unsupported edge devices was a way of shoring up basic vulnerabilities.”
  • Tech Target points out how to choose the best mobile hotspot for remote work.
    • “Organizations that support remote work should understand how personal hotspots and dedicated hotspot devices differ. Compare these mobile hotspot options.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the Iran War front,

  • Security Week reports,
    • “The Iranian APT MuddyWater has hacked into the networks of several organizations in the US, including an aerospace and defense contractor, Broadcom’s Symantec and Carbon Black threat hunting team reports.
    • “The threat actor has been present in the environments of an airport, a bank, a non-governmental organization operating in the US and Canada, and a software company with a presence in Israel.
    • “According to the Broadcom experts, the APT’s activity has continued “in recent days following US and Israeli military strikes on Iran that have sparked conflict in the region”.
  • Cybersecurity Dive adds,
    • “Pro-Russia threat actors have formed a loose coalition with Iran-nexus hacking groups in response to the bombing campaign launched by the U.S. and Israel on Iran. 
    • “The groups began working together Monday under the #OpIsrael campaign, with a focus on targeting critical infrastructure and exfiltration of data, according to researchers at Flashpoint.” * * *
    • “Researchers at Palo Alto Networks Unit 42 estimate that about 60 threat actors, including Iran-nexus and Russia-aligned groups, might be involved in various levels of hacking activity since the bombing campaign began.”
  • The American Hospital Association News tells us,
    • “The FBI is reminding critical infrastructure organizations to implement mitigations from a June 2025 fact sheet on potential actions by Iranian-affiliated cyber actors who may target U.S. devices and networks due to geopolitical tensions. The fact sheet explains how cyber actors often exploit targets with unpatched or outdated software with known common vulnerabilities or passwords.  
    • “In the context of the ongoing conflict with Iran, it is particularly important to ensure that we are implementing cybersecurity measures to defend against the known tactics used by Iranian state-sponsored hackers or pro-Iranian hackers acting independently,” said John Riggi, AHA national advisor for cybersecurity and risk. “Besides seeking to exploit common vulnerabilities and default passwords, they also target internet-connected operational technology and industrial control systems. These systems may be present in hospitals in the form of HVAC, water, life-safety and building automation systems. It is recommended that cyber teams closely coordinate with facilities and building engineers to identify internet-facing OT and ICS systems, assess the need for internet connectivity and ensure they are patched and secure.”

From the cybersecurity policy and law enforcement front,

  • The Wall Street Journal reports,
    • “The Trump administration published its new cyber strategy Friday [March 6], framing digital security in the context of broader geopolitical issues and promising to incentivize the private sector to identify and disrupt cyber adversaries.
    • “Compared with the Biden administration’s 2023 National Cybersecurity Strategy, which ran more than 35 pages and detailed dozens of policy initiatives, the new document is far shorter at five pages and sets out broad principles for future policy decisions and priorities.”
  • Cyberscoop adds,
    • “The strategy “calls for unprecedented coordination across government and the private sector to invest in the best technologies and continue world-class innovation, and to make the most of America’s cyber capabilities for both offensive and defensive missions,” the White House said in a statement accompanying its release.”
    • “Trump also signed an executive order Friday directing agencies to take action to combat cybercrime and fraud.”
  • The Congress did not resolve the Department of Homeland Security shutdown this week.
  • Fedscoop reports,
    • “The Department of Homeland Security is undergoing an overhaul of its IT and information security leadership, with multiple sources telling FedScoop there is a broad realignment underway at the department to replace key technology leaders.
    • “FedScoop has learned that at least two DHS officials are being replaced: Chief Information Security Officer Hemant Baidwan and Deputy CISO Amanda Day. 
    • “The reorg among IT officials comes as other leadership is changing at the department. President Donald Trump announced Thursday that Secretary of Homeland Security Kristi Noem will be leaving the position at the end of March. Trump has nominated Sen. Markwayne Mullin, R-Okla, as her replacement.”
  • Cybersecurity Dive adds,
    • “The confirmation prospects for Sean Plankey, President Donald Trump’s nominee to lead the Cybersecurity and Infrastructure Security Agency, have dimmed further following Plankey’s unceremonious departure from a job at the Department of Homeland Security.
    • “Security personnel escorted Plankey out of a DHS facility on Monday, a person familiar with the matter told Cybersecurity Dive, confirming an incident first reported by CBS News. Plankey announced on Wednesday that he had left his job as a senior Coast Guard adviser to DHS Secretary Kristi Noem, but he framed his departure as a voluntary one intended to help him focus on his nomination to serve as CISA director.”
  • Per an HHS news release,
    • “Today [March 5], the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with MMG Fusion, LLC (MMG), a Maryland software company, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. MMG is a business associate as it receives protected health information (PHI) from HIPAA covered entities and its software is used to communicate directly with patients of covered entities.” * * *
    • “The settlement resolves an investigation that OCR initiated in March 2023 after receiving a complaint concerning an unreported security incident at MMG, and the posting of PHI on the dark web. OCR’s investigation determined that in December 2020, an unauthorized actor infiltrated MMG’s information system and accessed PHI [of 15 million people], including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments.” * * *
    • “The resolution agreement and corrective action plan may be found at https://www.hhs.gov/sites/default/files/ocr-mmg-fusion-hipaa-agreement.pdf [PDF, 264 KB].”
  • Cybersecurity Dive informs us,
    • “An international coalition led by Microsoft and Europol has taken down the operations of Tycoon 2FA, a notorious phishing-as-a-service platform that helped cyber criminals gain access to millions of email accounts across the globe. 
    • “Microsoft obtained a court order from the U.S. District Court from the Southern District of New York to seize 330 active domains used to back the core infrastructure of Tycoon 2FA.
    • “Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from follow-on attacks such as data theft, ransomware, business email compromise and financial fraud,” Steve Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in a blog post published Wednesday.”
  • Bleeping Computer lets us know,
    • “The FBI has seized the LeakBase cybercrime forum, a major online forum used by cybercriminals to buy and sell hacking tools and stolen data.
    • “This seizure action is part of an international joint operation coordinated by Europol, known as “Operation Leak,” that involved law enforcement agencies in 14 countries.
    • “On March 3 and 4, the FBI and law enforcement agents shut down LeakBase by seizing two of its domains, posting seizure banners, and warning LeakBase members of the seizure after collecting further evidence.” * * *
    • “Today’s [March 4] announcement follows the disruption of RaidForums in 2022 and BreachForums in 2023, two cybercrime marketplaces that preceded it, as well as the BreachForums founder’s conviction and sentencing in 2025.”
  • and
    • “A U.S. government contractor’s son, accused of stealing more than $46 million in cryptocurrency from the U.S. Marshals Service, was arrested Wednesday on the island of Saint Martin.
    • “The arrest was the result of a joint operation between the FBI and France’s elite Groupe d’Intervention de la Gendarmerie Nationale, FBI Director Kash Patel announced on Thursday.
    • “Last night, John Daghita – a U.S. government contractor who allegedly stole more than $46 million in cryptocurrency from the U.S. Marshals Service – was arrested on the island of Saint Martin by the French Gendarmerie’s premier elite tactical unit in a joint operation with the @FBI,” Patel said.”
  • Cyberscoop points out,
    • “Russian national Evgenii Ptitsyn pleaded guilty to running the Phobos ransomware outfit that extorted more than $39 million from more than 1,000 victims globally, the Justice Department said Wednesday.
    • “Ptitsyn assumed a leadership role in the Phobos ransomware group in January 2022, yet his criminal activities began by April 2019, according to court records. He continued leading the cybercrime syndicate until May 2024 when he was arrested in South Korea. Ptitsyn was extradited to the United States in November 2025.
    • “Federal prosecutors dropped multiple charges against Ptitsyn as part of a plea agreement he signed last month. He faces up to 20 years in prison for wire fraud conspiracy.
    • “Ptitsyn agreed to forfeit $1.77 million in assets and is required to pay at least $39.3 million in restitution, representing the full amount of his victims’ losses.”

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports on March 6,
    • “U.S. investigators believe hackers affiliated with the Chinese government are responsible for a cyber intrusion on an internal Federal Bureau of Investigation computer network that holds information related to some domestic surveillance orders, according to people familiar with the matter.
    • “The scope and severity of the intrusion aren’t known, and the investigation is in its early stages, the people said. Any preliminary conclusions could change as investigators gather more information. 
    • “If China is confirmed to be responsible for the breach, it would signal the latest intrusion by Beijing’s hackers of computer systems related to law-enforcement surveillance orders, which contain highly sensitive material.
    • “A notification sent in recent days to some lawmakers in Congress said the FBI began investigating the matter last month, the people said. The intrusion involved hackers accessing an unclassified system that contains information about the calls and internet activity of criminal suspects and others under government surveillance. Information in the system includes incoming and outgoing calls, IP and website addresses and some routing information, but doesn’t include the contents of calls or digital communication.” 
  • Cybersecurity Dive adds,
    • “A total of 90 zero-day vulnerabilities were exploited in the wild in 2025, according to a report released Thursday by Google Threat Intelligence Group.
    • “Of that total, almost half of the exploited vulnerabilities were used against enterprise-grade technology, marking an all-time high. 
    • “Exploitation from state-sponsored groups targeted networking and security tools with a strong emphasis on edge devices, which often lack endpoint detection and response capabilities, according to GTIG researchers. 
    • “China-nexus groups remain the most prolific state-sponsored groups, with a long history of detailed knowledge of vulnerable devices. 
    • “They have a significant zero-day development ecosystem that includes industry, academia, and government,” John Hultquist, chief analyst at GTIG, told Cybersecurity Dive.”
  • Bleeping Computer relates,
    • “TriZetto Provider Solutions, a healthcare IT company that develops software and services used by health insurers and healthcare providers, has suffered a data breach that exposed the sensitive information of over 3.4 million people.
    • “The firm, which has been operating under the Cognizant umbrella since 2014, disclosed that it detected suspicious activity on a web portal on October 2, 2025, and launched an investigation with the help of external cybersecurity experts.
    • “The investigation revealed that unauthorized access began nearly a year before, on November 19, 2024.” * * *
    • “Affected providers were alerted on December 9, 2025, but customer notification started in early February 2026. According to a filing Maine’s Attorney General submitted today [March 6], the number of exposed individuals is 3,433,965.
    • “TriZetto says that payment card, bank account, or other financial information was not exposed in this incident. Also, the company is not aware of any cases where cybercriminals have attempted to misuse this information.”
  • CISA added seven known exploited vulnerabilities to its catalog this week.
    • March 3, 2026
      • CVE-2026-21385 Qualcomm Multiple Chipsets Memory Corruption Vulnerability
      • CVE-2026-22719 Broadcom VMware Aria Operations Command Injection Vulnerability
        • Cybersecurity News discusses the Qualcomm KVE here.
        • Bleeping Computer discusses the VM Aria KVE here.
    • March 5, 2026
      • CVE-2017-7921 Hikvision Multiple Products Improper Authentication Vulnerability
      • CVE-2021-22681 Rockwell Multiple Products Insufficient Protected Credentials Vulnerability
      • CVE-2021-30952 Apple Multiple Products Integer Overflow or Wraparound Vulnerability
      • CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
      • CVE-2023-43000 Apple Multiple products Use-After-Free Vulnerability
        • The Hacker News discusses the Hikvision and Rockwell KVEs here.
        • Bleeping Computer discusses the Apple KVEs here.
  • Cyberscoop adds,
    • “Cisco released information on a pair of max-severity vulnerabilities in its firewall management software Wednesday that unauthenticated, remote attackers could exploit to obtain the highest level of access to the underlying operating system or on affected devices.
    • “The vulnerabilities — CVE-2026-20079 and CVE-2026-20131 — affect the web-based interface of Cisco Secure Firewall Management Center (FMC) Software, regardless of device configuration, the vendor said.
    • “Cisco disclosed the critical vulnerabilities one week after it warned that attackers have been exploiting a pair of zero-days in Cisco’s network edge software for at least three years. That campaign, which is ongoing, marked the second series of multiple actively exploited zero-days in Cisco edge technology since last spring. 
    • “Both campaigns prompted the Cybersecurity and Infrastructure Security Agency to issue emergency directives months after the attacks were first detected, and both attack sprees were underway for at least a year before they were discovered.” 
  • and
    • “Google disclosed one actively exploited zero-day vulnerability Monday, warning that the high-severity defect affecting an open-source Qualcomm display component for Android devices “may be under limited, targeted exploitation.”
    • “The memory-corruption vulnerability — CVE-2026-21385 — which Google’s Android security team reported to Qualcomm Dec. 18, affects 234 chipsets, Qualcomm said in a security bulletin. Qualcomm said it notified customers of the vulnerability Feb. 2.
    • “Qualcomm declined to say when the earliest known instance of exploitation occurred, how many victims have been directly impacted, and what occurred during the 10-week period between the reporting and public disclosure of the vulnerability. 
    • “We commend the researchers from Google’s Threat Analysis Group for using coordinated disclosure practices,” a Qualcomm spokesperson told CyberScoop. “Fixes were made available to our customers in January 2026. We encourage end users to apply security updates as they become available from device makers.”
  • and
    • “North Korean threat groups are using artificial intelligence tools to accelerate and expand the country’s long-running scheme to get remote technical workers hired at global companies for longer durations, Microsoft Threat Intelligence said in a report Friday. 
    • “AI services are empowering North Korean operatives across the attack lifecycle. Attackers have turned AI into a “force multiplier” that bolsters and automates their efforts to conduct research on targets, develop malicious resources, achieve and maintain access, evade detection, and weaponize tools for attacks and post-compromise activities, researchers said.
    • “Microsoft said a trio of groups it tracks as Coral Sleet, Sapphire Sleet and Jasper Sleet are using AI to shorten the time it takes to create digital personas for specific job markets and roles. These groups frequently leverage financial opportunities or interview-themed lures to gain initial access.”
  • The Hacker News notes,
    • “Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections.
    • “It’s advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard that lets them select a brand to impersonate or enter a brand’s real URL. It also lets users choose custom keywords like “login,” “verify,” “security,” or “account,” and integrates URL shorteners such as TinyURL to obscure the destination URL.
    • “It launches a headless Chrome instance – a browser that operates without a visible window – inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site,” Abnormal researchers Callie Baron and Piotr Wojtyla said.”

From the ransomware front,

  • The Record reports,
    • “The University of Hawaiʻi Cancer Center said up to 1.2 million people had information leaked as a result of a ransomware attack on its epidemiology division last year. 
    • “Hackers accessed records containing Social Security numbers (SSNs) and driver’s license numbers collected from the Hawaiʻi State Department of Transportation as well as City and County of Honolulu voter registration records from 1998, according to a statement released by the organization last week.” * * *
    • “In January, the university sent a report to the state legislature that said the cyber incident was first discovered on August 31, 2025.” * * *
    • “Naoto Ueno, director of the University of Hawaiʻi Cancer Center, apologized for the incident last week and said the organization was “committed to transparency.” 
    • “The university said the attackers encrypted and likely exfiltrated data, prompting them to notify law enforcement and hire cybersecurity experts to resolve the situation. The cybersecurity firm obtained a decryption tool and secured “an affirmation that any information obtained was destroyed.”  
    • “University officials claimed there is “no evidence that any of the information has been published, shared or misused.” The group responsible for the attack was not identified.”   
  • Cybersecurity Dive relates,
    • “Identity has replaced malware as the biggest threat vector opening the door for ransomware attacks, Cloudflare said in an annual threat report published on Tuesday.
    • “Hackers’ increasing use of legitimate credentials, rather than malicious code, is making it harder for defenders to detect and contain their attacks.
    • “Cloudflare’s new report also discussed nation-state threat actors’ behavior and how artificial intelligence is changing attacks.”
  • Mobihealth News interviews Scott Doerr, virtual CISO, or vCISO, at Fortified Health Security, [who] previews his upcoming talk at the 2026 HIMSS Global Health Conference & Exposition, where he will discuss how healthcare companies can strengthen their preparedness for ransomware attacks. 

From the cybersecurity business and defenses front,

  • Cyberscoop reports,
    • “CrowdStrike Holdings reported record earnings in the fiscal fourth-quarter, defying investor concerns about the rising use of agentic AI potentially curbing demand for cybersecurity software and services. 
    • “The Texas-based cybersecurity company said total revenue grew 23% on a year-over-year basis, to $1.31 billion in the quarter ended Jan. 31. 
    • “Annual recurring revenue, a closely watched metric among cybersecurity companies, grew 24%, to $5.25 billion. 
    • “The results come at a time of growing market anxiety about how AI adoption could render traditional software — including cybersecurity tools — obsolete. CrowdStrike executives acknowledged those larger industry concerns and noted the Q4 performance was a demonstration that certain companies were well-positioned to compete in the new marketplace.” 
  • ZDNet adds,
    • “Anthropic, OpenAI, and Google tools can automate code debugging. 
    • “But cybersecurity is too complex a problem for these tools to solve. 
    • “AI’s biggest contribution may be to reduce avoidable software flaws.”
  • Healthexec relates,
    • “In January, the National Security Agency (NSA) released protocols for the U.S. Department of War to achieve “zero trust” security across the agency, meaning any access to the network must come from something continually inside it. While such a setup would be technically demanding for healthcare, the American Hospital Association (AHA) said it may be time for facilities to start moving in that direction.
    • “Zero trust security would mean radical changes for hospitals, where a countless number of devices have access to networks, including everything from EHRs to medical devices, to tablets and smartphones used for communication.
    • “What the NSA wants the Department of War to adopt is a system where no one gains access to a network from the outside, meaning no logins or passwords. In fact, even systems connected to the network from the inside are not automatically trusted.
    • “In other words, every user, device, and system must continually prove they are allowed access—and access is limited strictly to what’s necessary.
    • “The ethos of zero trust means that it’s assumed even the network itself isn’t safe, hence the continuous verification. Something like a two-factor authentication app displaying a constant active code would be required to log on.”
  • SC World tells us,
    • “The 2026 Zero Trust World conference kicked off here Wednesday (March 4) with a particularly optimistic keynote by futurist and TV host Jason Silva and also featured a last-minute addition in the form of a talk by former White House CIO Theresa Payton.
    • “But it was the smaller sessions, including a dark-web primer and a live Security Now! podcast broadcast featuring cybersecurity veterans Steve Gibson and Leo LaPorte, that stole the show during the first day of ThreatLocker’s annual user conference.”
  • Tech Target explains “how to perform a data risk assessment, step by step.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “The Trump administration late Thursday removed the scandal-plagued acting director of the Cybersecurity and Infrastructure Security Agency, injecting fresh uncertainty into the operations of an agency already grappling with a morale crisis as it tries to protect the U.S. from sophisticated hacking threats.
    • “The Department of Homeland Security reassigned Madhu Gottumukkala, the deputy CISA director who had led the agency in an acting capacity since last May, to a position at DHS headquarters. Nick Andersen, the executive assistant director for CISA’s Cybersecurity Division and one of the few remaining political appointees at the agency, will step in as acting director.”
  • Federal News Network adds,
    • “Sen. Ron Wyden (D-Ore.) is blocking the Trump administration’s nominee to lead both U.S. Cyber Command and the National Security Agency. Wyden said Lt. Gen. Joshua Rudd, who currently serves as the deputy commander of U.S. Indo-Pacific Command, lacks the experience needed to immediately step into the dual leadership role. The lawmaker added that when it comes to U.S. cybersecurity, “there is simply no time for on-the-job learning, the threat is just too urgent for that.”
  • Gov Info Security relates,
    • “A bipartisan group of senators called on the federal government to update the regulations governing healthcare cybersecurity through a Thursday vote sending a bill aimed at bolstering sector resilience to the full Senate.
    • “The Senate Health, Education, Labor and Pensions Committee voted 22 to 1 to advance the Health Care Cybersecurity and Resiliency Act, a bill that requires publishing cybersecurity guidance for rural medical practices and improved coordination between federal agencies.
    • “It has the backing of a healthcare cybersecurity working group that includes committee Chair Bill Cassidy, R-La.
    • “The legislation would additionally bolster an apparently stalled effort to update the HIPAA Security Rule that the Department of Health and Human Services published during the final weeks of the Biden administration (see: What’s in HHS’ Proposed HIPAA Security Rule Overhaul?).
    • “The bill would enforce many of the proposed rule’s updates, including requiring HIPAA-covered organizations and business associates to adopt multifactor authentication and encryption, to conduct audits, including penetration testing. It additionally calls for “other minimum cybersecurity standards” to be determined by the HHS secretary, “in consultation with private sector organizations, based on landscape analysis of emerging and existing cybersecurity vulnerabilities and consensus-based best practices.”
    • “The fate of the Biden administration’s proposed HIPAA overhaul is uncertain at this point. The HHS Office of Civil Rights is expected to make some kind of decision in May on whether it will move forward with the proposals, or perhaps issue a revised version of proposed rulemaking.”
  • Cyberscoop notes,
    • “An ex-L3 Harris executive was sentenced to over seven years in prison Tuesday after pleading guilty to selling eight zero-day exploits to a Russian broker in exchange for millions of dollars.
    • “Peter Williams, 39, admitted to two counts of theft of trade secrets in U.S. District Court in Washington, D.C., last year, acknowledging he took at least eight exploits or exploit components while working at Trenchant, a specialized cybersecurity unit owned by L3Harris. Prosecutors said the materials were intended for restricted use by the U.S. government and allied partners.
    • “Authorities said Williams sold the stolen information to a broker that advertised itself as a reseller of hacking tools and described it as serving multiple customers, including the Russian government. In court, the government referred to the buyer as “Company 3,” but details read aloud during the plea hearing pointed to Operation Zero, a Russian exploit broker that publicly markets itself online as a platform for purchasing zero-day vulnerabilities.”

From the cybersecurity breaches and vulnerabilities front,

  • Cybersecurity Dive reports,
    • “Federal agencies have until Friday evening [February 27] to update certain Cisco networking devices that are vulnerable to compromise, the Cybersecurity and Infrastructure Security Agency said on Tuesday [February 24].
    • “In an emergency directive about Cisco’s Software-Defined Wide-Area Networking (SD-WAN) systems, CISA said it was “aware of a cyber threat actor’s ongoing exploitation” of two vulnerabilities in Cisco Catalyst SD-WAN Manager and Catalyst SD-WAN Controller devices and called the activity “an imminent threat to federal networks.”
  • and
    • “The Cybersecurity and Infrastructure Security Agency on Thursday warned that a malware variant previously used in attacks against Ivanti Connect Secure environments may remain undetected on systems. 
    • “In March 2025, CISA issued an alert about the malware, dubbed Resurge, in connection with exploitation of CVE-2025-0282, a stack-based buffer overflow vulnerability in certain versions of Ivanti Connect Secure and other Ivanti products. 
    • “The agency has since analyzed three samples from a critical infrastructure provider’s Ivanti Connect Secure device after hackers exploited the flaw to gain initial access. The analysis shows that Resurge can remain latent on a device until a remote hacker attempts to contact the device.” 
  • Cyberscoop adds,
    • “Would-be attackers spent 2025 swimming in a sea of more than 40,000 newly published vulnerabilities, VulnCheck said in a report released Wednesday, but only 1% of those defects, just 422, were exploited in the wild.
    • “As the deluge of vulnerabilities grows every year, and CVSS ratings lose significance for vulnerability management prioritization, some defenders are turning to research on known exploited vulnerabilities to narrow their scope of work and place more emphasis on verified risks. 
    • “The growth in CVE volume is ludicrous, not necessarily unfounded, but it’s large. Defenders don’t know what to pay attention to,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. “Prioritization is still a huge problem.”
    • “Too many defenders and researchers are paying attention to defects and unsubstantiated exploit concepts that aren’t worth their time, Condon added. “The indicators of risk that used to be semi reliable, now no longer are.”
  • and
    • “Cyberattacks reached victims faster and came from a wider range of threat groups than ever last year, CrowdStrike said in its annual global threat report released Tuesday, adding that cybercriminals and nation-states increasingly relied on predictable tactics to evade detection by exploiting trusted systems.
    • “The average breakout time — how long it took financially-motivated attackers to move from initial intrusion to other network systems — dropped to 29 minutes in 2025, a 65% increase in speed from the year prior. “The fastest breakout time a year ago was 51 seconds. This year it’s 27 seconds,” Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.
    • “Defenders are falling behind because attackers are refining their techniques, using social engineering to access high-privilege systems faster and move through victims’ cloud infrastructure undetected.”
  • Cybersecurity Dive points out,
    • “Hackers are increasingly integrating artificial intelligence into all phases of the cyberattack life cycle, with the technology regularly analyzing target information, generating phishing emails and providing coding assistance, security firm ReliaQuest said in a report published on Tuesday [February 24].
    • “Other recent reports from IBM and cyber insurer Resilience similarly highlight how AI has changed the threat landscape.
    • At the same time, a new Sophos report said it was important to put in perspective AI’s “capabilities and impact.”
  • LinkedIn informs us,
    • “One of the largest data breaches in U.S. history is even bigger than was known. The Conduent cyberattack has now affected more than 25 million Americans, according to a recent update. The January 2025 incident exposed Social Security numbers, medical records and other sensitive information. Conduent is one of the largest contractors for the U.S. government, providing mailroom, printing and payment processing services for state government benefit offices — meaning it manages “a large amount of personal information belonging to a large swath of the United States,” per TechCrunch.”
  • Cybersecurity Dive adds,
    • “Hackers working for the Chinese government broke into more than 50 telecommunications companies and government agencies in 42 countries, in a campaign that exploited cloud platforms’ legitimate features to hide the attackers’ tracks.
    • “The attacker was using API calls to communicate with [software-as-a-service] apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign,” researchers at Google’s Threat Intelligence Group and Mandiant said in a report on Wednesday.
    • “Google said the “prolific, elusive” China-linked hacker team, which it tracks as UNC2814, “has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas.”

From the ransomware front,

  • The Mississippi Clarion Ledger reports,
    • “Officials with the University of Mississippi Medical Center stated the hospital system is “getting closer to full functions” following a cyberattack on Feb. 19 that disrupted operations.
    • “UMMC issued a statement Friday, Feb. 27, stating after being able to access patient records, clinics statewide will resume normal operations and scheduled appointments on Monday, March 2.
    • “UMMC also stated that on March 2, clinics will begin reaching out to patients to reschedule appointments that were cancelled. Officials added that UMMC clinics will reopen with extended hours and additional days in order to accommodate patients as soon as possible.
    • “All hospitals and emergency departments located in Jackson, Madison County, Holmes County and Grenada remain open.”
  • Cybersecurity Dive relates,
    • “UFP Technologies, a Massachusetts-based medical device maker, said it is investigating a cyberattack in mid-February that led to some of its company data being stolen or potentially destroyed, according to a regulatory filing.
    • “The company said the attack, which was detected Feb. 14, impacted most of its IT network, as well as its billing and label-making capabilities for customer deliveries. The company said it was able to continue operations using data backups and implementing contingency plans.
    • “This was a classic ransomware attack that appeared to have impacted many, but not all, of our IT systems,” Ronald Lataille, chief financial officer at UFP Technologies, said Wednesday on a quarterly conference call with analysts. “Data was taken and then destroyed.”
    • “The company is still trying to figure out how much sensitive information, including personally identifiable data, may have been impacted by the attack, according to the 8-K filing with the Securities and Exchange Commission. However, the company does not currently believe the attack will have a material impact on its financial condition.”
  • The Hacker News adds,
    • “The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, according to a new report by the Symantec and Carbon Black Threat Hunter Team.
    • “Broadcom’s threat intelligence division said it also identified the same threat actors mounting an unsuccessful attack against a healthcare organization in the U.S. Medusa is a ransomware-as-a-service (RaaS) operation launched by a cybercrime group known as Spearwing in 2023. The group has claimed more than 366 attacks to date.
    • “Analysis of the Medusa leak site reveals attacks against four healthcare and non-profit organizations in the U.S. since the beginning of November 2025,” the company said in a report shared with The Hacker News.”
  • The Register informs us,
    • “Ransomware payments cratered in 2025, but it seems like the cybercrooks launching the attacks didn’t get the memo.
    • “That’s the headline from Chainalysis’ 2026 Crypto Crime Report, which shows total on-chain ransomware payments falling for a second straight year, even as victim counts and leak site pressure continue to climb.
    • “Ransomware gangs pulled in about $820 million in 2025, roughly 8 percent less than the year before, as the share of victims paying dropped to an all-time low of 28 percent. That drop might sound like progress if the wider picture weren’t so bleak: the median ransom demand jumped from $12,738 in 2024 to $59,556 in 2025, and the number of publicly claimed attacks climbed along with it.
    • “Despite the relative stability in total payments, ransomware attacks surged across multiple vectors in 2025, with eCrime.ch data showing a 50 percent YoY increase in claimed ransomware victims, marking the most active year on record,” Chainalysis said.”
  • Help Net Security adds,
    • Intrusions continue to center on credential access and timed execution outside standard business hours. The Sophos Active Adversary Report 2026 analyzes 661 incident response and managed detection and response cases handled between November 1, 2024 and October 31, 2025, spanning organizations in 70 countries.
    • “The dataset examines how attackers gain access, how quickly they reach key systems, and when ransomware and data theft occur.” * * *
    • “Timing patterns show that the most disruptive stages of ransomware incidents often occur when organizations are operating with reduced staffing. In 88% of ransomware cases, encryption was deployed during non-business hours.
    • “Data exfiltration followed a similar pattern, with 79% of theft activity also occurring outside the typical workday.
    • “Off-hours deployment increases the likelihood that encryption or large-scale data transfers proceed without immediate interruption. It places emphasis on monitoring coverage that extends beyond standard schedules.”

From the cybersecurity business and defenses front,

  • Dark Reading reports,
    • “The cybersecurity venture capital market experienced unprecedented activity in 2025, driven primarily by the rush to AI-native security solutions and a massive surge in mergers and acquisitions that reached record levels.
    • “In 2025, VC firms invested $119 billion in cybersecurity businesses, with 400 M&A transactions accounting for the majority of funding and another 820 financing deals totaling nearly $21 billion, according to data from Momentum Cyber, a cybersecurity investment bank. The total value of M&A, financing, and IPO activity in 2025 nearly tripled that of deals in the previous year.”
  • and
    • “Cybersecurity experts are calling for a major shift in how companies handle data breaches and security failures, arguing that greater transparency and specific detail disclosure about how and why they occur is essential if the industry hopes to effectively reduce cyber-risk.
    • “At the upcoming RSAC Conference, threat research experts Adam Shostack and Adrian Sanabria will make the case for greater incident transparency and the need for structured feedback loops in cybersecurity, in a session aptly titled “A Failure Is a Terrible Thing to Waste: The Case for Breach Transparency,” scheduled for Monday, March 23.”
  • Cybersecurity Dive informs us,
    • “The AI era is transforming what CISOs do and how they do it, the enterprise software firm Splunk said in a report published on Tuesday [February 24].
    • “Nearly all CISOs have been assigned to manage their organizations’ AI governance responsibilities, the report found, a significant expansion of “their already overwhelming mandates.”
    • CISOs interviewed in the report expressed both an awareness that they needed to use AI and a range of concerns about its potential harms.”
  • Dark Reading relates,
    • “As one ransomware community shutters in RAMP, two more pop up to take its place. 
    • “Rapid7 today published an analysis of that ransomware ecosystem after US authorities seized infrastructure tied to the notorious RAMP cybercrime forum last month. For years, RAMP has been the primary vehicle for acquiring ransomware-as-a-service (RaaS) affiliates, but the Jan. 28 interagency sting led by the FBI forced many cybercrime outfits to find a new means to sell their wares. 
    • “Rapid7’s Alexandra Blia and Efi Sherman in this week’s blog post identified two potential forums where attackers might go next. The bigger takeaway, however, is that the cybercrime ecosystem is fragmenting, and defenders will need to adapt.”
  • and
    • A newly developed method for gauging the impact of an OT cybersecurity incident could pave the way for more accurate measurement and response to an event, and also shine light on risk and business ramifications.
    • The Operational Technology Incident (OTI) Impact Score — which will be unveiled today [February 24] at the ICS/OT industry’s S4x26 Conference in Miami — aims to provide rapid clarity on the actual effects of OT cyber incidents, which often get over- or under-hyped, according to Dale Peterson, co-creator of the OTI model and head of ICS/OT consulting and research firm Digital Bond.
    • The OTI model, inspired by the Richter Scale used for measuring earthquake intensity and impact, is meant for OT business executives, governments, cyber insurers, the media, and the general public, according to Peterson, who is the founder and program chair of S4.
  • Here is a link to Dark Reading’s CISO Corner.