Cyber Threat Intelligence 13 March 2026
-
Industrial Sector
- Stop Fixing OT Security With IT Thinking
"In this Help Net Security interview, Ejona Preçi, Group CISO at Lindal Group, discusses the specific cybersecurity challenges in manufacturing environments. The conversation covers why standard IT security practices break down on shop floors, where PLCs and decade-old firmware were never designed to be networked. She explains how nation-state actors quietly settle into industrial networks, using stale accounts and compromised workstations to map environments without triggering alarms. She addresses patch management in OT, where production lines cannot simply be taken offline, and describes how security teams use compensating controls to manage risk without breaking operations."
https://www.helpnetsecurity.com/2026/03/12/ejona-preci-lindal-group-ot-cybersecurity-manufacturing/
Vulnerabilities
- Veeam Warns Of Critical Flaws Exposing Backup Servers To RCE Attacks
"Data protection company Veeam Software has patched multiple flaws in its Backup & Replication solution, including four critical remote code execution (RCE) vulnerabilities. VBR is enterprise data backup and recovery software that helps IT administrators to create copies of critical data for quick restoration following cyberattacks and hardware failures. Three RCE security flaws patched today (tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669) allow low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks."
https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-flaws-exposing-backup-servers-to-rce-attacks/
https://www.veeam.com/kb4830 - A Major Security Flaw Could Affect 1 In 4 Android Phones - Here's How To Check Yours
"A hardware security flaw found in many Android phones allowed white hat hackers to gain entry in under a minute, according to a new report. From there, they accessed sensitive user data, including messages and crypto wallet seed phrases. The flaw can be exploited by simply connecting an affected Android device to a laptop via a USB cable, according to a Wednesday report published by Donjon, the research division of crypto security hardware company Ledger. The phone's PIN could then be automatically brute-forced, its storage decrypted, and seed phrases from popular crypto wallets like Kraken Wallet and Phantom extracted."
https://www.zdnet.com/article/security-flaw-affects-1-in-4-android-phones-how-to-check-yours/
https://www.malwarebytes.com/blog/news/2026/03/this-android-vulnerability-can-break-your-lock-screen-in-under-60-seconds - Splunk, Zoom Patch Severe Vulnerabilities
"Splunk and Zoom this week announced security updates that resolve multiple critical- and high-severity vulnerabilities across their product portfolios. Zoom has addressed a critical-severity flaw in Workplace for Windows that could allow unauthenticated, remote attackers to elevate their privileges over the network. The issue impacts the Mail feature of the product and was addressed in Workplace for Windows version 6.6.0 and Workplace VDI Client for Windows versions 6.4.17, 6.5.15, and 6.6.10."
https://www.securityweek.com/splunk-zoom-patch-severe-vulnerabilities/ - Cisco Patches High-Severity IOS XR Vulnerabilities
"Cisco on Wednesday published its semiannual IOS XR software security advisory bundle, which includes three advisories detailing four high-severity vulnerabilities. The most severe of these issues are CVE-2026-20040 and CVE-2026-20046 (CVSS score of 8.8), two bugs that could be exploited to execute arbitrary commands as root or gain administrative control of a device. CVE-2026-20040 exists because user arguments passed to specific CLI commands are not sufficiently validated, allowing a low-privileged attacker to supply crafted commands at the prompt."
https://www.securityweek.com/cisco-patches-high-severity-ios-xr-vulnerabilities-2/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-privesc-bF8D5U4W - Apple Patches Older iPhones And iPads Against Coruna Exploits
"Apple has released security updates to patch older iPhones and iPads against a set of vulnerabilities targeted in cyberespionage and crypto-theft attacks using the Coruna exploit kit. Some of these security flaws have already been addressed in earlier updates for newer iOS device models, starting in September 2023. "This fix associated with the Coruna exploit," Apple said in security advisories released on Wednesday. "This update brings that fix to devices that cannot update to the latest iOS version,""
https://www.bleepingcomputer.com/news/apple/apple-patches-older-iphones-and-ipads-against-coruna-exploits/
https://thehackernews.com/2026/03/apple-issues-security-updates-for-older.html
https://www.malwarebytes.com/blog/news/2026/03/apple-patches-coruna-exploit-kit-flaws-for-older-ios-versions
https://securityaffairs.com/189362/security/apple-issues-emergency-fixes-for-coruna-flaws-in-older-ios-versions.html
https://www.securityweek.com/apple-updates-older-ios-versions-to-patch-coruna-exploits/ - Microsoft Authenticator Could Leak Login Codes—update Your App Now
"A vulnerability in Microsoft Authenticator for both iOS and Android (CVE-2026-26123) could leak your one-time sign-in codes or authentication deep links to a malicious app on the same device. Deep links are predefined URIs (Uniform Resource Identifiers) that allow direct access to an activity in a web or mobile application when clicked. In simple terms, they are specifically constructed links used to open an app and complete actions like signing in."
https://www.malwarebytes.com/blog/news/2026/03/microsoft-authenticator-could-leak-login-codes-update-your-app-now - China’s CERT Warns OpenClaw Can Inflict Nasty Wounds
"China’s National Computer Network Emergency Response Technical Team has warned locals that the OpenClaw agentic AI tool poses significant security risks. In a Tuesday post to its WeChat account, the CERT warned that OpenClaw has “extremely weak default security configuration” and must therefore be handled with extreme care. The CERT is worried that attackers can target the tool by embedding malicious instructions in web pages, and that poisoned plugins for the agentic tool can put users at risk. China’s cyber-advisors also point out that OpenClaw has already disclosed several severe vulnerabilities that can result in credential theft and therefore enable serious attacks."
https://www.theregister.com/2026/03/12/china_cert_openclaw_security_warning/
Malware
- A Slopoly Start To AI-Enhanced Ransomware Attacks
"In early 2026, IBM X-Force discovered a likely AI-generated novel malware which we are dubbing “Slopoly,” used during a ransomware attack. The operators are part of a group tracked as Hive0163, whose main objective is extortion through large-scale data exfiltration and ransomware. Evidence of AI adoption among high-profile cybercrime groups signals the start of a fundamental shift of dynamics within the threat landscape. Although still relatively unspectacular, AI-generated malware such as Slopoly shows how easily threat actors can weaponize AI to develop new malware frameworks in a fraction of the time it used to take."
https://www.ibm.com/think/x-force/slopoly-start-ai-enhanced-ransomware-attacks
https://www.bleepingcomputer.com/news/security/ai-generated-slopoly-malware-used-in-interlock-ransomware-attack/
https://thehackernews.com/2026/03/hive0163-uses-ai-assisted-slopoly.html - Cyber Android RAT: Inside The Latest MaaS Being Sold On Underground Forums
"The market for Android malware-as-a-service has grown dramatically in recent years, lowering the technical barrier for cybercriminals who want to surveil, defraud, or steal from mobile device users. Where sophisticated attacks once required custom development, today’s threat landscape is shaped by polished, commercially packaged tools sold openly to anyone willing to pay. Certo’s research team has identified a new and particularly capable entry into this market: a full-featured Android Remote Access Trojan (RAT) advertised on clear-web hacking forums under the name Cyber Android RAT, backed by a command-and-control platform called Cyber Nebula Core."
https://www.certosoftware.com/insights/cyber-android-rat-inside-the-latest-maas-being-sold-on-underground-forums/
https://www.bankinfosecurity.com/sophisticated-surveillance-rat-marketed-for-global-buyers-a-31005 - Inside The Tehran-Linked 'Faketivist' Hacking Group Handala
"A Iranian hacking group that took credit for hacking a medical device manufacturer and a payment processing device maker has a history of wiper attacks, hack-and-leak campaigns and advancing Tehran's agenda through psychological operations. Going by the moniker "Handala," the group appears to be run out of Iran's Ministry of Intelligence, according to cybersecurity threat intel sources who track it under a variety of names, including Banished Kitten, Storm-0842 and Void Manticore."
https://www.bankinfosecurity.com/inside-tehran-linked-faketivist-hacking-group-handala-a-31001 - Payment Giant Verifone Disputes Iranian Hacking Group Hit
"A self-proclaimed hacktivist group widely suspected of being a front for Iranian intelligence claimed Wednesday to have hacked New York City-based payment device maker Verifone, saying it disrupted the organization's Israeli office and stole data. Verifone disputed the assertion. "Verifone has found no evidence of any incident related to this claim and has no service disruption to our clients," it said in a statement. The hacking claim comes from Handala, a group that cybersecurity experts say appears to be run by Iran's Ministry of Intelligence, in part to execute pro-Tehran psychological operations."
https://www.bankinfosecurity.com/payment-giant-verifone-disputes-iranian-hacking-group-hit-a-30995 - Iranian MOIS Actors & The Cyber Crime Connection
"For years, Iranian intelligence services have operated through deniable criminal intermediaries in the physical world. A similar pattern is now becoming visible in cyber space, where state objectives are increasingly pursued through criminal tools, services, and operational models. Notably, this dynamic appears with growing frequency in activity associated with actors linked to the Ministry of Intelligence and Security (MOIS). For a long time, Iranian actors sought to mask state activity behind the appearance of ordinary cyber crime, most often by posing as ransomware operators. The trend we are seeing now goes beyond imitation. Rather than simply adopting criminal and hacktivist personas to complicate attribution, some Iranian actors appear to be associating with the cyber criminal ecosystem itself, leveraging its malware, infrastructure, and affiliate-style mechanisms."
https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/
https://www.darkreading.com/threat-intelligence/iran-mois-criminals-cyberattacks - SecuritySnack - CloudFlare Anti-Security For Phishing
"Service platforms that provide protection and content delivery, like CloudFlare, have become a go-to for many web service hosts—including some malicious actors. These platforms offer inherent benefits like obfuscation, anti-bot, and anti-scanner tools. While excellent for defending legitimate customers, these very features can inadvertently shield malicious sites from proactive identification by security professionals and automated scanning services. This creates a challenging dynamic in the industry where a service provider's role in protecting its customer base competes with the broader community's need for effective security scanning. This report details a recent Microsoft 365 credential harvesting campaign that leverages this dynamic to delay detection and risk profiling."
https://dti.domaintools.com/securitysnacks/securitysnack-cloudflare-anti-security-for-phishing
https://hackread.com/hackers-cloudflare-human-check-microsoft-365-phishing/ - PixRevolution: The Agent-Operated Android Trojan Hijacking Brazil’s PIX Payments In Real Time
"In 2020, the Central Bank of Brazil implemented an instant payment system called PIX that significantly reformed the local payment landscape, with over 76% of the population utilizing it for immediate transfers via smartphones. The zLabs team has identified a novel Android banking trojan specifically targeting this system and implicitly targeting most Brazilian financial institutions. This new strain of malware operates stealthily within the device until the moment the victim initiates a PIX transfer. The user inputs the desired amount, enters the payee’s PIX key, and selects the send option. A familiar loading indicator, “Aguarde…” (please wait)," is displayed. Subsequently, the screen confirms the transfer's completion; however, the funds are not routed to the intended payee. Instead, they are diverted to a criminal entity that has been monitoring the victim's screen in real time."
https://zimperium.com/blog/pixrevolution-the-agent-operated-android-trojan-hijacking-brazils-pix-payments-in-real-time
https://thehackernews.com/2026/03/six-android-malware-families-target-pix.html
https://hackread.com/pixrevolution-malware-steals-brazil-pix-transfers/
https://www.infosecurity-magazine.com/news/pixrevolution-malware-brazils-pix/ - China-Nexus Threat Actor Targets Persian Gulf Region With PlugX
"On March 1, 2026, ThreatLabz observed new activity from a China-nexus threat actor targeting countries in the Persian Gulf region. The activity took place within the first 24 hours of the renewed conflict in the Middle East. The threat actor quickly weaponized the theme of the conflict, using an Arabic-language document lure depicting missile attacks for social engineering. The campaign used a multi-stage attack chain that ultimately deployed a PlugX backdoor variant. Based on the tools, techniques, and procedures (TTPs) observed, ThreatLabz attributes this activity to a China-nexus threat actor with high confidence, and assesses with medium confidence that it may be linked to Mustang Panda."
https://www.zscaler.com/blogs/security-research/china-nexus-threat-actor-targets-persian-gulf-region-plugx - How One Infostealer Infection Solved a Global Supply Chain Mystery And Unmasked DPRK Spies In U.S. Crypto
"The global cybersecurity community has spent the past year unraveling the catastrophic Polyfill.io supply chain attack, an event that compromised over 100,000 websites globally. Until now, researchers could only attribute the attack to a shadowy Chinese entity named “Funnull” and its ties to transnational organized crime. The missing link was definitive attribution. That link has just been found. An exhaustive, forensic-level analysis of browsing history, credential dumps, and operational telemetry recovered from a compromised endpoint by Hudson Rock definitively links the Polyfill.io operator to state-sponsored cyber activities aligned with the Democratic People’s Republic of Korea (DPRK)."
https://www.infostealers.com/article/how-one-infostealer-infection-solved-a-global-supply-chain-mystery-and-unmasked-dprk-spies-in-u-s-crypto/
https://www.securityweek.com/polyfill-supply-chain-attack-impacting-100k-sites-linked-to-north-korea/ - VENON: The First Brazilian Banker RAT In Rust
"In February 2026, the ZenoX threat intelligence team identified an unknown malware family during hunting activity, internally classified as VENON due to references in the code (spelled with an N). The sample was initially flagged for behavior consistent with Latin American banking trojans, particularly the use of banking overlays and active window monitoring, characteristics present in established families such as Grandoreiro and Mekotio. The fundamental difference emerged during static analysis: unlike all known families in the Latin American ecosystem, VENON does not contain a single line of Delphi code. The binary is compiled entirely in Rust, with 88 external dependencies identified from Crates."
https://zenox.ai/en/venon-the-first-brazilian-banker-rat-in-rust/
https://thehackernews.com/2026/03/rust-based-venon-malware-targets-33.html - Rogue AI Agents Can Work Together To Hack Systems And Steal Secrets
"AI agents work together to bypass security controls and stealthily steal sensitive data from within the enterprise systems in which they operate, according to tests carried out by frontier security lab Irregular. Although Irregular used some aggressive prompts that included urgent language to instruct agents to carry out assigned tasks, its experiments did not use any adversarial prompts that referenced security, hacking, or exploitation. All of the prompts and agents' responses are detailed in a Thursday report [PDF]."
https://www.theregister.com/2026/03/12/rogue_ai_agents_worked_together/
<https://irregular-public-docs.s3.eu-north-* **1.amazonaws.com/emergent_cyber_behavior_when_ai_agents_become_offensive_threat_actors.pdf> - Insights: Increased Risk Of Wiper Attacks**
"Unit 42 is tracking an increased risk of wiper attacks related to the conflict with Iran, including multiple related incidents impacting organizations in Israel and the US. For the latest intelligence on cyberattacks associated with this conflict, review our Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran. The primary vector for recent destructive operations from the Handala Hack group (aka Void Manticore, COBALT MYSTIQUE and Storm-1084/Storm-0842) reportedly involves the exploitation of identity through phishing and administrative access through Microsoft Intune. Handala Hack first emerged in late 2023. Despite initial hacktivist-aligned messaging, the group is currently assessed by the threat intelligence community to be a state-directed front for Iran’s Ministry of Intelligence and Security (MOIS)."
https://unit42.paloaltonetworks.com/handala-hack-wiper-attacks/ - Suspected China-Based Espionage Operation Against Military Targets In Southeast Asia
"We identified a cluster of malicious activity targeting Southeast Asian military organizations, suspected with moderate confidence to be operating out of China. We designate this cluster as CL-STA-1087, with STA representing our assessment that the activity is conducted by state-sponsored actors. We traced this activity back to at least 2020. The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft. The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures and collaborative efforts with Western armed forces."
https://origin-unit42.paloaltonetworks.com/espionage-campaign-against-military-targets/
Breaches/Hacks/Leaks
- Canadian Retail Giant Loblaw Notifies Customers Of Data Breach
"Loblaw Companies Limited (Loblaw), the largest food and pharmacy retailer in Canada, announced that hackers breached a portion of its IT network and accessed basic customer information. The retailer has a nationwide network of 2,500 stores (franchise supermarkets, pharmacies, banking kiosks, and apparel shops) and plans to expand with 70 new ones this year as part of a five-year plan to invest $10 billion by 2030. The company employs 220,000 people and has an annual revenue of $45 billion. Its best-known commercial banners and brands are Loblaws, Real Canadian Superstore, No Frills, Maxi, President’s Choice, PC Optimum, and Joe Fresh."
https://www.bleepingcomputer.com/news/security/canadian-retail-giant-loblaw-notifies-customers-of-data-breach/ - England Hockey Investigating Ransomware Data Breach
"England Hockey, the governing body for field hockey in England, is investigating a potential data breach after the AiLock ransomware gang listed it as a victim on its data leak site. The threat actor allegedly stole 129GB of data from the organization’s systems and announced that it will soon publish the files, unless a ransom is paid. England Hockey is aware of the threat actor’s claims and has prioritized an inquiry that involves both internal teams and external experts to determine what happened."
https://www.bleepingcomputer.com/news/security/england-hockey-investigating-ransomware-data-breach/ - Telus Digital Confirms Breach After Hacker Claims 1 Petabyte Data Theft
"Canadian business process outsourcing giant Telus Digital has confirmed it suffered a security incident after threat actors claimed to have stolen nearly 1 petabyte of data from the company in a multi-month breach. Telus Digital is the digital services and business process outsourcing (BPO) arm of Canadian telecommunications provider Telus, providing customer support, content moderation, AI data services, and other outsourced operational services to companies worldwide."
https://www.bleepingcomputer.com/news/security/telus-digital-confirms-breach-after-hacker-claims-1-petabyte-data-theft/
General News
- Authorities Dismantle Global Malicious Proxy Service That Deployed Malware And Defrauded Thousands Of U.S. Persons, Businesses, And Financial Institutions Of Millions Of Dollars In Losses
"Yesterday a court-authorized international law enforcement operation led by the U.S. Justice Department disrupted SocksEscort, a residential proxy network used to exploit thousands of residential routers worldwide and commit large-scale fraud. The U.S. government executed seizure warrants against a few dozen U.S.-registered internet domains allegedly engaged in the cyber-enabled criminal activity, U.S. Attorney Eric Grant announced. According to court documents, SocksEscort infected home and small business internet routers with malware. The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers."
https://www.justice.gov/usao-edca/pr/authorities-dismantle-global-malicious-proxy-service-deployed-malware-and-defrauded
https://www.bleepingcomputer.com/news/security/us-disrupts-socksescort-proxy-network-powered-by-linux-malware/
https://therecord.media/us-europol-disrupt-socksescort-network
https://cyberscoop.com/socksescort-proxy-network-botnet-takedown/
https://hackread.com/feds-dismantle-socksescort-proxy-network-fraud/
https://www.theregister.com/2026/03/12/socksescort_fraud_proxy_taken_down_fbi/ - US Charges Another Ransomware Negotiator Linked To BlackCat Attacks
"The U.S. Department of Justice charged another former DigitalMint employee for his involvement in an insider scheme in which ransomware negotiators secretly partnered with the BlackCat (ALPHV) ransomware operation. Angelo Martino has been charged with one count of conspiracy to interfere with interstate commerce by extortion after surrendering to the U.S. Marshals on March 10."
https://www.bleepingcomputer.com/news/security/us-charges-another-ransomware-negotiator-linked-to-blackcat-attacks/ - ENISA Technical Advisory For Secure Use Of Package Managers
"This document focuses on how developers can securely use package managers as part of their software development life cycle. In particular, this document, outlines common risks involved in the use of third-party packages, presents secure practices for selecting, integrating, and monitoring packages and describes approaches for addressing vulnerabilities found in dependencies."
https://www.enisa.europa.eu/publications/enisa-technical-advisory-for-secure-use-of-package-managers
https://www.enisa.europa.eu/sites/default/files/2026-03/ENISA Technical Advisory - Package_Managers_Final.pdf
https://securityaffairs.com/189333/security/enisa-technical-advisory-on-secure-package-managers-essential-devsecops-guidance.html
https://www.helpnetsecurity.com/2026/03/12/enisa-package-manager-security-technical-advisory/ - Wireless Vulnerabilities Are Doubling Every Few Years
"Wireless vulnerabilities are being disclosed at a rate that has no precedent in the fifteen-year history of systematic tracking. In 2025, researchers published 937 new wireless-related CVEs, an average of 2.5 per day, according to a threat report from Bastille Networks based on data from the NIST National Vulnerability Database. The wireless CVE category has expanded from 4 disclosures in 2010 to 932 in 2025, a 230× increase. When indexed against the same 2010 baseline, wireless disclosures have grown at more than 20 times the rate of total CVE disclosures across all technology categories. Wireless CVEs now account for nearly 2% of all annual disclosures."
https://www.helpnetsecurity.com/2026/03/12/report-wireless-security-vulnerabilities-2026/
The Human IOC: Why Security Professionals Struggle With Social Vetting
"During my years working in Security Operations, we were very careful to vet anything that came our way. We vetted sources, intelligence, IOCs, TTPs (tactics, techniques, and procedures), and other information as well. The reason for this was straightforward. Leveraging anything that was not properly vetted could result in serious consequences."
https://www.securityweek.com/the-human-ioc-why-security-professionals-struggle-with-social-vetting/ - US Sanctions North Korea IT Worker Networks In Laos, Vietnam
"The U.S. Treasury Department sanctioned six people and two companies for their work supporting the North Korean IT worker scheme in multiple countries. The latest round of sanctions targeted Amnokgang Technology Development Company — a North Korean company that manages delegations of IT workers — and Quangvietdnbg International Services Company — a Vietnamese firm used by North Korean actors for currency conversion services. The Treasury Department said Quangvietdnbg converted about $2.5 million for Amnokgang between 2023 and 2025."
https://therecord.media/us-sanctions-north-korea-it-worker-networks-laos-vietnam - Navigating 2026’s Converged Threats: Insights From Flashpoint’s Global Threat Intelligence Report
"The cybersecurity landscape has reached a point of total convergence, where the silos that once separated malware, identity, and infrastructure have collapsed into a single, high-velocity threat engine. Simultaneously, the threat landscape is shifting from human-led attacks to machine-speed operations as a result of agentic AI, which acts as a force multiplier for the modern adversary."
https://flashpoint.io/blog/global-threat-intelligence-report-2026/
https://www.helpnetsecurity.com/2026/03/12/agentic-attack-chains-infostealers-criminal-markets/ - Proactive Preparation And Hardening Against Destructive Attacks: 2026 Edition
"Threat actors leverage destructive malware to destroy data, eliminate evidence of malicious activity, or manipulate systems in a way that renders them inoperable. Destructive cyberattacks can be a powerful means to achieve strategic or tactical objectives; however, the risk of reprisal is likely to limit the frequency of use to very select incidents. Destructive cyberattacks can include destructive malware, wipers, or modified ransomware."
https://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks - Cyber Fallout From The Iran War: What To Have On Your Radar
"The war in Iran was less than 24 hours old when it produced a historic first: the deliberate targeting of commercial data centers. On March 1st, Iranian drones hit three Amazon Web Services (AWS) facilities in the United Arab Emirates and Bahrain, disrupting core cloud infrastructure and knocking out finance apps and enterprise tools not only across the Gulf, but also far away from the region. The attacks showed that physical distance from a conflict zone is no guarantee of insulation from the impacts of kinetic warfare."
https://www.welivesecurity.com/en/business-security/cyber-fallout-iran-war-what-have-radar/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Stop Fixing OT Security With IT Thinking
