NCSA Webboard

    Cyber Threat Intelligence 24 March 2026

    Cyber Security News
    • NCSA_THAICERT

      New Tooling

      • Plumber: Open-Source Scanner Of GitLab CI/CD Pipelines For Compliance Gaps
        "GitLab CI/CD pipelines often accumulate configuration decisions that drift from security baselines over time. Container images get pinned to mutable tags, branches lose protection settings, and required templates go missing. An open-source tool called Plumber automates the detection of those conditions by scanning pipeline configuration and repository settings directly."
        https://www.helpnetsecurity.com/2026/03/23/plumber-open-source-gitlab-ci-cd-compliance-scanner/
        https://github.com/getplumber/plumber

      Vulnerabilities

      • QNAP Patches Four Vulnerabilities Exploited At Pwn2Own
        "QNAP on Friday announced patches for multiple vulnerabilities across its products, including four issues that were demonstrated at the Pwn2Own Ireland hacking contest in October 2025. The four security defects, tracked as CVE-2025-62843 to CVE-2025-62846, impact the company’s SD-WAN routers and were addressed in QuRouter version 2.6.3.009. According to QNAP’s advisory, the first bug requires physical access to a vulnerable device to gain specific privileges, while the second flaw could be exploited over the local network to obtain sensitive information."
        https://www.securityweek.com/qnap-patches-four-vulnerabilities-exploited-at-pwn2own/
        https://securityaffairs.com/189871/security/qnap-fixed-four-vulnerabilities-demonstrated-at-pwn2own-ireland-2025.html
      • We Found Eight Attack Vectors Inside AWS Bedrock. Here's What Attackers Can Do With Them
        "AWS Bedrock is Amazon's platform for building AI-powered applications. It gives developers access to foundation models and the tools to connect those models directly to enterprise data and systems. That connectivity is what makes it powerful – but it’s also what makes Bedrock a target. When an AI agent can query your Salesforce instance, trigger a Lambda function, or pull from a SharePoint knowledge base, it becomes a node in your infrastructure - with permissions, with reachability, and with paths that lead to critical assets. The XM Cyber threat research team mapped exactly how attackers could exploit that connectivity inside Bedrock environments. The result: eight validated attack vectors spanning log manipulation, knowledge base compromise, agent hijacking, flow injection, guardrail degradation, and prompt poisoning."
        https://thehackernews.com/2026/03/we-found-eight-attack-vectors-inside.html

      Malware

      • CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
        "We found a new payload in the TeamPCP arsenal, and this one doesn't just steal credentials or install backdoors. It wipes entire Kubernetes clusters. The script uses the exact same ICP canister (tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io) we documented in the CanisterWorm campaign. Same C2, same backdoor code, same /tmp/pglog drop path. The Kubernetes-native lateral movement via DaemonSets is consistent with TeamPCP's known playbook, but this variant adds something we haven't seen from them before: a geopolitically targeted destructive payload aimed specifically at Iranian systems."
        https://www.aikido.dev/blog/teampcp-stage-payload-canisterworm-iran
        https://www.bleepingcomputer.com/news/security/teampcp-deploys-iran-targeted-wiper-in-kubernetes-attacks/
      • Trivy Supply Chain Attack Expands To Compromised Docker Images
        "Socket's threat research team has identified additional compromised Trivy artifacts published to Docker Hub, following the recently disclosed GitHub Actions compromise affecting the aquasecurity/trivy-action repository. New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. Both images contain indicators of compromise associated with the same TeamPCP infostealer observed in earlier stages of this campaign. The latest tag currently points to 0.69.6, which is also compromised. Analysis of the binaries confirms the presence of known IOCs, including the typosquatted C2 domain scan.aquasecurtiy.org, exfiltration artifacts (payload.enc, tpcp.tar.gz), and references to the fallback tpcp-docs GitHub repository."
        https://socket.dev/blog/trivy-docker-images-compromised
        https://opensourcemalware.com/blog/teampcp-aquasec-com-github-org-compromise
        https://thehackernews.com/2026/03/trivy-hack-spreads-infostealer-via.html
        https://www.bleepingcomputer.com/news/security/trivy-supply-chain-attack-spreads-to-docker-github-repos/
        https://www.infosecurity-magazine.com/news/trivy-supply-chain-attack-expands/
        https://securityaffairs.com/189856/uncategorized/44-aqua-security-repositories-defaced-after-trivy-supply-chain-breach.html
      • Green Blood v2.0 Ransomware Analysis With Decryption
        "The Green Blood ransomware group, which has been active since January 2026, has been targeting countries in South Asia, Africa, and parts of South America, and is characterized by its Golang-based ransomware payload. In this post, we will analyze the main characteristics of the Green Blood ransomware, its encryption method, and the technical reasons why it is decryptable, in order to provide insights to help you effectively respond to similar threats in the future. The Green Blood ransomware group, like other ransomware groups, uses file encryption on infected systems to steal sensitive data from victimized organizations, and pressures victims for ransom payments through threatening messages that promise to permanently destroy the encryption key if the ransom is not paid."
        https://asec.ahnlab.com/en/92997/
      • Tycoon2FA Phishing-As-a-Service Platform Persists Following Takedown
        "On March 4, 2026, Europol announced the technical disruption of Tycoon2FA, a subscription-based phishing-as-a-service (PhaaS) platform that enabled cybercriminals to bypass multifactor authentication (MFA) and compromise email accounts. Law enforcement authorities from six countries worked with industry partners to seize 330 domains that formed the platform’s core infrastructure. Infrastructure takedowns are a challenging and important aspect of adversary disruption and a centerpiece of law enforcement and private sector cooperation in cybersecurity. In situations where direct physical enforcement actions such as arrests are infeasible, disrupting bad actors' operational means can often be the most efficacious and direct way to impose costs on criminals who otherwise act with relative impunity."
        https://www.crowdstrike.com/en-us/blog/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown/
        https://www.bleepingcomputer.com/news/security/tycoon2fa-phishing-platform-returns-after-recent-police-disruption/
        https://www.infosecurity-magazine.com/news/tycoon2fa-phishing-service-resumes/
        https://www.securityweek.com/tycoon-2fa-fully-operational-despite-law-enforcement-takedown/
      • FBI Warns Of Handala Hackers Using Telegram In Malware Attacks
        "The U.S. Federal Bureau of Investigation (FBI) warned network defenders that Iranian hackers linked to the country's Ministry of Intelligence and Security (MOIS) are using Telegram in malware attacks. In a flash alert issued on Friday, the FBI says Telegram is being used as command-and-control (C2) infrastructure by malware targeting journalists criticizing the Iranian government, Iranian dissidents, and various other oppositional groups worldwide. "Due to the elevated geopolitical climate of the Middle East and current conflict, the FBI is highlighting this MOIS cyber activity," the bureau said."
        https://www.bleepingcomputer.com/news/security/fbi-warns-of-handala-hackers-using-telegram-in-malware-attacks/
        https://www.ic3.gov/CSA/2026/260320.pdf
        https://therecord.media/russia-iran-cyber-fbi-hacks
        https://cyberscoop.com/fbi-iranian-hackers-targeting-opponents-with-telegram-malware/
        https://securityaffairs.com/189820/malware/iran-linked-actors-use-telegram-as-c2-in-malware-attacks-on-dissidents.html
      • Riding The Rails: Threat Actors Abuse Railway.com PaaS As Microsoft 365 Token Attack Infrastructure
        "In partnership with our friends at Flare.io and other contacts across the community, Huntress has attributed the Railway attack to the EvilTokens Phishing as a Service (PhaaS) platform. First advertised on the NOIRLEGACY GROUP telegram channel, EvilTokens spun up its own Telegram channels and made a first public post on February 16th, 2026. This activity corresponds with the first handful of compromises Huntress saw from Railway infrastructure on February 19th and 24th, 2026."
        https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign
        https://cyberscoop.com/huntress-railway-ai-phishing-campaign-compromised-hundreds-of-organizations/
      • How LevelBlue OTX And Cybereason XDR Detected a North Korea-Linked Remote IT Worker
        "Talk about dodging the insider threat from hell. From August 15 to 25, 2025, the SpiderLabs threat intel team, through the integration of LevelBlue OTX threat intelligence with Cybereason XDR behavioral analytics, detected a North Korea attempt to infiltrate an organization by replying to a help wanted ad. Let’s take a look at how this organization, with LevelBlue’s help, was able to detect and block this sneaky infiltration attempt. It took just 10 days for a nation-state threat actor to go from new hire to terminated employee. What appeared to be routine onboarding quickly unraveled when behavioral analytics flagged suspicious login patterns, and threat intelligence confirmed the worst: the organization had unknowingly hired a suspected North Korea-linked operative."
        https://www.levelblue.com/blogs/spiderlabs-blog/how-levelblue-otx-and-cybereason-xdr-detected-a-north-korea-linked-remote-it-worker
        https://hackread.com/north-korean-hacker-remote-it-job-vpn-slip/
      • FriendlyDealer Mimics Official App Stores To Push Unvetted Gambling Apps
        "We’ve identified a huge social-engineering campaign designed to steer people into online gambling sites under the impression they’re installing a legitimate app. We’re calling it FriendlyDealer. It’s been observed across at least 1,500 domains, each hosting a website that impersonates the Google Play or Apple App Store. Users think they’re downloading a gambling app from a trusted source, with all the checks, reviews, and safeguards that implies. But they’re actually still on a website, installing a web app that then redirects them to casino offers through affiliate links."
        https://www.malwarebytes.com/blog/scams/2026/03/friendlydealer-mimics-official-app-stores-to-push-unvetted-gambling-apps
      • Pro-Iranian Nasir Security Is Targeting The Energy Sector In The Middle East
        "Resecurity is tracking a relatively new cybercriminal group called Nasir Security, presumably associated with Iran, that is targeting energy organizations in the Middle East. The energy sector is one of the most impacted areas because of Iranian malicious activity in the region, including the lockdown of the Strait of Hormuz and drone/missile attacks against the energy infrastructure of neighboring countries in the GCC, allies of the US. Based on the artifacts collected by the threat intelligence team at Resecurity, the group is attacking supply chain vendors involved in engineering, safety, and construction. The data stolen as a result of such incidents is authentic but originates from a third party (of the target company), which may lead to incorrect assumptions about the origin of the breach. Notably, the focus of the attacks is centered on the energy sector, which has experienced significant financial and technological damage since the start of the war in Iran. Cyberspace is used to amplify it, following recent attacks against LNG and logistics providers."
        https://www.resecurity.com/blog/article/pro-iranian-nasir-security-is-targeting-the-energy-sector-in-the-middle-east
      • StoatWaffle, Malware Used By WaterPlum
        "WaterPlum is regarded as an attacking group related to North Korea. They are known to have been operating the Contagious Interview attack campaign. WaterPlum can be classified into multiple clusters (or teams), and among them, activity by Team 8 (also known as Moralis or Modilus family) has been observed. In the Contagious Interview campaign, Team 8 has been mainly using OtterCookie. Starting around December 2025, Team 8 started using new malware. We named this malware StoatWaffle. In this article, we'll introduce the latest attack flow for WaterPlum Team 8 and the in-depth analysis results of StoatWaffle, the new malware that they started using just recently."
        https://jp.security.ntt/insights_resources/tech_blog/stoatwaffle_malware_en/
        https://thehackernews.com/2026/03/north-korean-hackers-abuse-vs-code-auto.html
      • When Tax Season Becomes Cyberattack Season: Phishing And Malware Campaigns Using Tax-Related Lures
        "During tax season, threat actors reliably take advantage of the urgency and familiarity of time-sensitive emails, including refund notices, payroll forms, filing reminders, and requests from tax professionals, to trick targets into opening malicious attachments, scanning QR codes, or following multi-step link chains. Every year, there is an observable uptick in tax-themed campaigns as Tax Day (April 15) approaches in the United States, and this year is no different. In recent months, Microsoft Threat Intelligence identified email campaigns using lures around W-2, tax forms, or similar themes, or posing as government tax agencies, tax services firms, and relevant financial institutions. Many campaigns target individuals for personal and financial data theft, but others specifically target accountants and other professionals who handle sensitive documents, have access to financial data, and are accustomed to receiving tax-related emails during this period."
        https://www.microsoft.com/en-us/security/blog/2026/03/19/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures/
        https://thehackernews.com/2026/03/microsoft-warns-irs-phishing-hits-29000.html
      • Hacker Walks Away With $24.5 Million After Breaching Resolv DeFi Platform
        "Decentralized finance platform Resolv said a recent cyberattack allowed a threat actor to compromise the company’s infrastructure and illicitly create $80 million worth of its USR stablecoin. USR is pegged to the U.S. dollar but plummeted in value on Saturday when the hacker created the uncollateralized coins and traded them for about 11,408 ETH, which is worth about $24.5 million. The company published a statement confirming the incident. USR was depegged from the U.S. dollar after the incident and is now worth about 26 cents."
        https://therecord.media/hacker-breaches-resolv-defi-25-million
      • Russia-Linked Malware Operation Collapses After Security Failures, Developer’s Arrest
        "An Android spyware operation that briefly gained traction in Russia appears to have collapsed within months of its launch after security flaws exposed its infrastructure and authorities arrested its suspected developer, cybersecurity researchers said. The malware, known as ClayRat, was designed for espionage and remote control of infected Android devices. Once installed, it could intercept SMS messages and call logs, access contacts, take photos, record screens, and execute commands sent from a remote command-and-control server. Despite attracting attention shortly after emerging in October 2025, ClayRat’s infrastructure deteriorated rapidly. By December, all known command servers associated with the malware had gone offline, researchers at the Russian cybersecurity firm Solar said in a report released Friday. Solar is a subsidiary of Russian state-owned telecom giant Rostelecom."
        https://therecord.media/russia-malware-arrest-clayrat

      Breaches/Hacks/Leaks

      • Mazda Discloses Security Breach Exposing Employee And Partner Data
        "Mazda Motor Corporation (Mazda) announced that information belonging to its employees and business partners had been exposed in a security incident detected last December. Mazda is one of Japan’s largest automotive manufacturers, with an annual production of 1.2 million vehicles and revenue of nearly $24 billion. The company said the attackers exploited a vulnerability in a system related to warehouse management for parts procured from Thailand. The system did not contain any customer data. Also, the breach is limited to 692 records."
        https://www.bleepingcomputer.com/news/security/mazda-discloses-security-breach-exposing-employee-and-partner-data/
      • Crunchyroll Probes Breach After Hacker Claims To Steal 6.8M Users' Data
        "Popular anime streaming platform Crunchyroll is investigating a breach after hackers claimed to have stolen personal information for approximately 6.8 million people. "We are aware of recent claims and are currently working closely with leading cyber security experts to investigate the matter," Crunchyroll initially told BleepingComputer. "Our investigation is ongoing, and we continue to work with leading cybersecurity experts. At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor," Crunchyroll shared in a later statement."
        https://www.bleepingcomputer.com/news/security/crunchyroll-probes-breach-after-hacker-claims-to-steal-68m-users-data/
      • Chip Services Firm Trio-Tech Says Subsidiary Hit By Ransomware
        "Semiconductor services firm Trio-Tech says one of its subsidiaries in Singapore fell victim to a ransomware attack. The incident, the company said in a filing with the Securities and Exchange Commission, occurred on March 11 and resulted in the encryption of certain files within its network. The subsidiary, it told the SEC, immediately activated response protocols, proactively taking its systems offline to contain the incident. Additionally, the subsidiary launched an investigation into the attack with help from third-party cybersecurity professionals and notified law enforcement."
        https://www.securityweek.com/chip-services-firm-trio-tech-says-subsidiary-hit-by-ransomware/
        https://therecord.media/ransomware-trio-tech-semiconductor-sec
        https://www.theregister.com/2026/03/23/us_chip_testing_firm_shrugged/
      • Education Company Kaplan Reports Data Breach Impacting More Than 230,000
        "The educational services company Kaplan told state regulators last week that at least 230,000 people had Social Security and driver’s license numbers leaked following a cybersecurity incident in the fall of 2025. The Florida-based company filed breach notification letters in at least seven states but did not respond to requests for comment about the total number of people impacted by the security incident. The letters sent to victims say law enforcement was called after the incident was discovered and an investigation revealed the hackers had access to Kaplan servers from October 30 to November 18."
        https://therecord.media/kaplan-data-breach-hack-notification

      General News

      • NIST Updates Its DNS Security Guidance For The First Time In Over a Decade
        "DNS infrastructure underpins nearly every network connection an organization makes, yet security configurations for it have gone largely unrevised at the federal guidance level for more than twelve years. NIST published SP 800-81r3, the Secure Domain Name System Deployment Guide, superseding a version that dates to 2013. The document covers three main areas: using DNS as an active security control, securing the DNS protocol itself, and protecting the servers and infrastructure that run DNS services. It is directed at two groups: cybersecurity executives and decision-makers, and the operational networking and security teams who configure and maintain DNS environments."
        https://www.helpnetsecurity.com/2026/03/23/nist-dns-security-guide-sp-800-81r3/
        https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-81r3.pdf
      • Your AI Agents Are Moving Sensitive Data. Do You Know Where?
        "In this Help Net Security interview, Gidi Cohen, CEO at Bonfy.AI, addresses what he sees as the most pressing gap in AI agent security: data-layer risk. While the industry focuses on prompt injection and model behavior, Cohen argues the deeper threat is autonomous AI agents operating across systems with no visibility into what data they access, combine, or expose. He explains how Bonfy.AI approaches this through three areas: controlling what data agents can access for grounding, monitoring content as it moves through tool calls and MCP servers, and letting agents query Bonfy in real time to check whether an action is safe before they take it. The conversation covers threat modeling, anomaly detection, multi-agent delegation, model versioning, and practical advice for CISOs navigating pressure to deploy AI at scale."
        https://www.helpnetsecurity.com/2026/03/23/gidi-cohen-bonfy-ai-agent-security/
      • US Soldier Sentenced For Helping North Korean IT Workers
        "A District Court judge sentenced three men for their involvement in a scheme that allowed several North Korean IT workers to use their identities and gain employment at U.S. companies. One of the men, 35-year-old Alexander Paul Travis, was an active duty member of the U.S. Army and was stationed at Fort Gordon in Georgia while participating in the scheme from September 2019, until November 2022. Travis pleaded guilty to accusations that he allowed North Korean IT workers to use his identity on resumes and during employer vetting processes that involved interviews, drug tests and fingerprints. The North Korean IT workers also opened bank accounts in his name to receive payment from employers."
        https://therecord.media/us-soldier-sentencer-for-helping-nk-it-workers
        https://www.bankinfosecurity.com/ex-us-soldier-among-3-sentenced-for-dprk-worker-scam-a-31125
      • 2025 Talos Year In Review: Speed, Scale, And Staying Power
        "The 2025 Talos Year in Review is now available to view online. The pace and scale of adversary activity in 2025 placed sustained pressure on security teams across industries. As with each annual report, our goal at Talos is to provide the security community with a clear analysis of the tactics, techniques, and procedures that shaped adversary operations, and to help organizations prioritize the actions that reduce exposure and strengthen defenses."
        https://blog.talosintelligence.com/2025-talos-year-in-review-speed-scale-and-staying-power/
        https://blog.talosintelligence.com/2025yearinreview
        https://www.theregister.com/2026/03/23/cisco_talos_cybersecurity_report_patch_fast/
      • AI In The SOC: What Could Go Wrong?
        "External, internal, and operational pressures to deploy AI to unlock its promise of increased speed and efficiency have left enterprise cybersecurity professionals in a tough spot — finding they need to enable innovation, while trying to foresee the risks it might introduce. Two enterprise cybersecurity leaders decided to take on the AI challenge and share at this year's RSAC 2026 Conference what they determined it can do well, and what it isn’t ready to take on."
        https://www.darkreading.com/cybersecurity-operations/ai-soc-go-wrong
      • Quantum Threats Are Already Active And The Defense Response Remains Fragmented
        "Enterprises are moving toward post-quantum security at uneven speeds, and the gap between organizations that have built crypto-agility into their infrastructure and those that have adopted the label without the underlying capability is widening. Dr. Tan Teik Guan, CEO of Singapore-based cybersecurity company pQCee, draws a sharp line between the two. Crypto-agility, in his view, requires more than support for multiple algorithms or protocol-level negotiation. It demands the ability to respond with appropriate cryptographic defenses in a cost-effective, timely, and non-disruptive way. That means intelligence, governance, and mitigation working together across a layered defense architecture to maintain a quantum-safe state."
        https://www.helpnetsecurity.com/2026/03/23/ciso-post-quantum-crypto-agility/
      • The Devices Winning The Race To Get Hacked In 2026
        "Enterprise networks keep adding connected devices, expanding the attack surface as threat actors target a wider range of systems, many of which are difficult to inventory, secure, and patch consistently. Forescout’s 2026 Riskiest Devices research maps that shift in IT, IoT, OT, and IoMT environments, with 11 new riskiest asset types entering the list this year. That is the second-largest year-over-year increase on record, and two of the new entries moved straight into the top five riskiest IT assets: serial-to-IP-converters and workstations."
        https://www.helpnetsecurity.com/2026/03/23/connected-devices-security-risk-2026-research/
        https://www.forescout.com/resources/riskiest-devices-2026-report/
      • AI Pulse Poll Reveals Rampant Uncertainty On Enterprise Landscape
        "The artificial landscape remains murky when it comes to accountability, transparency and capabilities for many organizations, as shown in ISACA’s 2026 AI Pulse Poll. The global pulse poll, reflecting responses from more than 3,400 digital trust professionals across IT audit, governance, cybersecurity, privacy and emerging technology roles, finds that even as AI usage accelerates across the enterprise landscape, there appears to be limited human oversight over AI decision-making, little disclosure around AI use, and uncertainty around AI security incident response and accountability for AI system harm. Below are five sneak-peek findings from the 2026 AI Pulse Poll. The full 2026 AI Pulse Poll from ISACA will be released in early May."
        https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2026/ai-pulse-poll-reveals-rampant-uncertainty-on-enterprise-landscape
        https://www.infosecurity-magazine.com/news/cyber-staff-unsure-on-preventing/
      • M-Trends 2026: Data, Insights, And Strategies From The Frontlines
        "Every year, the cyber threat landscape forces defenders to adapt to evolving adversary tactics, techniques, and procedures (TTPs). In 2025, Mandiant observed a clear divergence in adversary pacing that closely aligns with the trends we have been documenting for defenders over the past year. On one end of the spectrum, cyber criminal groups optimized for immediate impact and deliberate recovery denial. On the other end, sophisticated cyber espionage groups and insider threats optimized for extreme persistence, utilizing unmonitored edge devices and native network functionalities to evade detection. Today, we release M-Trends 2026. Grounded in over 500,000 hours of frontline incident investigations conducted by Mandiant globally in 2025, this report provides a definitive look at the TTPs actively being used in breaches today."
        https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026
        https://www.infosecurity-magazine.com/news/high-tech-top-target-cyberattacks/
        https://cyberscoop.com/social-engineering-surge-intrusion-vector-mandiant-m-trends/
        https://www.securityweek.com/m-trends-2026-initial-access-handoff-shrinks-from-hours-to-22-seconds/
        https://www.theregister.com/2026/03/23/voice_phishing_skyrockets_as_smooth/
      • Google Authenticator: The Hidden Mechanisms Of Passwordless Authentication
        "Passwordless authentication is often presented as the end of account takeover. But to understand the real threat landscape, we need to examine how passwordless is actually deployed in the real world. Attackers do not break protocols in theory. They target the most common implementations, the places where usability, scale and architecture intersect. Focusing on one of those common implementations, we examine Google Authenticator. This discussion explores the hidden mechanisms behind synced passkeys and their implementation within the Google ecosystem. Our aim is to help defenders better understand the technology, to lay the groundwork to show how new attack vectors could emerge in a passwordless environment."
        https://unit42.paloaltonetworks.com/passwordless-authentication/

      Reference
      Electronic Transactions Development Agency (ETDA)
