The Interlock ransomware gang exploited a critical Cisco firewall vulnerability (CVE-2026-20131) as early as January 26, weeks before Cisco disclosed and patched it on March 4. Amazon Web Services researchers discovered this through honeypots and a misconfigured Interlock server that exposed their complete attack toolkit.
The vulnerability affects Cisco's Secure Firewall Management Center software, allowing remote attackers to execute code as root. Interlock used sophisticated tools including PowerShell scripts, remote-access Trojans, and memory-resident backdoors to maintain persistent access to compromised networks.
This case highlights the danger of zero-day exploits, where even well-maintained systems remain vulnerable until patches become available. Cisco users should immediately upgrade to fixed releases.
Source: Dark Reading
Foster City officials discovered a ransomware attack on their computer networks early Thursday morning, prompting plans to declare a state of emergency. The cyberattack has shut down all public services except emergency response: 911 and police dispatch remain operational.
City Manager Stefan Chatwin said they're working with cybersecurity experts to restore systems and investigate the breach's scope. Officials don't yet know if public information was accessed, but they're urging anyone who's done business with the city to change passwords as a precaution.
The emergency declaration would unlock additional financial support from outside agencies. This continues a troubling trend for Bay Area cities: Oakland, Hayward, and St. Helena have all suffered similar ransomware attacks in recent years.
Source: CBS News San Francisco
Cybercriminals exploited a critical vulnerability in Langflow, an open-source AI framework, within 20 hours of its disclosure on March 17. The bug (CVE-2026-33017) scored 9.3 on the severity scale and allows attackers to execute malicious code without authentication using just one HTTP request.
Sysdig researchers watched as hackers built working exploits directly from the security advisory, then scanned the internet for vulnerable systems. The attackers successfully harvested credentials, API keys, and database access from exposed instances.
This lightning-fast exploitation reflects a troubling trend: median time-to-exploit dropped from 771 days in 2018 to mere hours in 2024. Meanwhile, organizations typically take 20 days to deploy patches, leaving them dangerously exposed.
Source: Infosecurity Magazine
While the US and Israel openly showcase their conventional military strikes against Iran, they're staying quiet about extensive cyber operations that may be equally important to their campaign.
US Central Command Admiral Brad Cooper hinted at cyber's role, mentioning strikes "from seabed to space and cyber-space." Intelligence sources suggest Israeli hackers infiltrated Iran's CCTV and traffic cameras to track Ayatollah Ali Khamenei's movements before recent strikes. US officials claim Iranian military communications have been severely disrupted.
Meanwhile, Iran has been surprisingly quiet in cyberspace, with only one major attack reported: Iranian hackers targeting US medical tech company Stryker with "wiper" malware that erased data. This silence is puzzling given Iran's reputation as a capable cyber power, raising questions about whether they've been incapacitated or overestimated.
Source: BBC
Security researchers have uncovered DarkSword, a sophisticated iPhone exploit chain targeting iOS versions 18.4-18.7 that's being used by both espionage actors and financially motivated criminals. The attack requires just one click on a malicious website to fully compromise devices within seconds, stealing sensitive data including cryptocurrency wallets.
Google's Threat Intelligence Group found the exploit has been deployed by commercial surveillance vendors and suspected state-sponsored groups against users in Saudi Arabia, Turkey, Malaysia, and Ukraine since November 2025. What makes DarkSword unusual is its dual-purpose design: it serves both traditional espionage and financial theft.
The exploit chain uses six vulnerabilities to achieve remote code execution and privilege escalation. While Apple has patched these flaws in iOS 18.7.6 and iOS 26.3.1, researchers estimate over 200 million users remain vulnerable due to delayed updates.
Source: Dark Reading
Carnival Corp. disclosed Thursday that hackers breached its systems in March, potentially exposing Social Security numbers, passport details, birthdates, addresses, and health information of customers and employees across Carnival Cruise Line, Holland America, and Princess Cruises.
The company detected the March 19 intrusion and immediately shut down access while hiring cybersecurity experts to investigate. Carnival hasn't revealed how many people were affected but has notified victims and set up a call center for questions.
This marks Carnival's third cyberattack in eight months, following ransomware incidents in August and December 2020. The breach joins a growing list of major companies targeted this year, including McDonald's, JBS, and Colonial Pipeline. Carnival's stock dropped 3% following the announcement.
Source: CBS News
Iran-linked hacker group Handala compromised US medical technology company Stryker on March 11, wiping over 200,000 devices and forcing office shutdowns across dozens of countries. New evidence reveals the attackers likely used credentials stolen by infostealer malware, some potentially years old, to access Stryker's Microsoft Intune system.
The hackers created a global admin account through the compromised Intune administrator credentials, then remotely wiped managed devices. Stryker manufactures surgical equipment and orthopedic implants for hospitals worldwide. The breach disrupted order processing, manufacturing, and shipping, though the company says all products remain safe to use.
CISA and FBI are investigating the incident, marking the most significant Iranian cyberattack against the US since the Gaza conflict began.
Source: Security Week
Cybersecurity firm Outpost24 was targeted in a sophisticated phishing attack that used a complex seven-stage redirect chain to bypass email security systems without triggering alerts. The attackers impersonated JP Morgan in a convincing financial email to a C-level executive, using legitimate services like Cisco and Nylas to build credibility.
The attack leveraged the Kratos phishing kit and routed victims through trusted domains and compromised infrastructure to reach a final credential-harvesting page. Researchers say the campaign demonstrates how attackers are "laundering" phishing links through multiple trusted services, similar to money laundering.
Security firms make attractive targets because they're deeply integrated into customer environments and inherently trusted by users and systems. The incident highlights the need for layered defenses and zero-trust principles.
Source: Dark Reading
Handala, an Iran-linked hacker group, attacked Michigan-based Stryker Corporation's systems Wednesday, claiming retaliation for the Minab school bombing in Iran. The cyberattack disrupted thousands of employees' Microsoft systems at the medical device manufacturer, causing Stryker's stock to drop 3%.
The hackers claimed they wiped systems and stole 50 terabytes of data, calling Stryker a "Zionist-rooted corporation." However, Stryker says there is no evidence of ransomware and the incident appears contained, though the full restoration timeline remains unknown.
Cybersecurity experts warn this marks escalation as Middle East conflicts spread to US cyber targets, with more attacks likely coming.
Source: The Guardian
Cybercriminals are exploiting credentials stolen from the VS Code GlassWorm attacks to inject malware into hundreds of Python repositories on GitHub. The campaign, dubbed ForceMemo by StepSecurity, targets Django apps, ML research code, and PyPI packages by rebasing legitimate commits with obfuscated malicious code.
The malware uses an innovative approach, connecting to a Solana blockchain address to receive encrypted instructions while leaving minimal traces of compromise. Attackers skip Russian-language systems, suggesting Eastern European origins.
This represents an escalation of the GlassWorm campaign that began in October 2025, initially targeting VS Code extensions with over 35,000 downloads. The threat has now expanded across GitHub, NPM, and VS Code marketplaces in a coordinated multi-platform attack affecting hundreds of developer accounts.
Source: Security Week