Ticker feed
Carnival Corp. disclosed Thursday that hackers breached its systems in March, potentially exposing Social Security numbers, passport details, birthdates, addresses, and health information of customers and employees across Carnival Cruise Line, Holland America, and Princess Cruises.
The company detected the March 19 intrusion and immediately shut down access while hiring cybersecurity experts to investigate. Carnival hasn't revealed how many people were affected but has notified victims and set up a call center for questions.
This marks Carnival's third cyberattack in eight months, following ransomware incidents in August and December 2020. The breach joins a growing list of major companies targeted this year, including McDonald's, JBS, and Colonial Pipeline. Carnival's stock dropped 3% following the announcement.
Source: CBS News
Iran-linked hacker group Handala compromised US medical technology company Stryker on March 11, wiping over 200,000 devices and forcing office shutdowns across dozens of countries. New evidence reveals the attackers likely used credentials stolen by infostealer malware, some potentially years old, to access Stryker's Microsoft Intune system.
The hackers created a global admin account through the compromised Intune administrator credentials, then remotely wiped managed devices. Stryker manufactures surgical equipment and orthopedic implants for hospitals worldwide. The breach disrupted order processing, manufacturing, and shipping, though the company says all products remain safe to use.
CISA and the FBI are investigating the incident, which marks the most significant Iranian cyberattack against the US since the Gaza conflict began.
Source: Security Week
Cybersecurity firm Outpost24 was targeted in a sophisticated phishing attack that used a complex seven-stage redirect chain to bypass email security systems without triggering alerts. The attackers impersonated JP Morgan in a convincing financial email to a C-level executive, using legitimate services like Cisco and Nylas to build credibility.
The attack leveraged the Kratos phishing kit and routed victims through trusted domains and compromised infrastructure to reach a final credential-harvesting page. Researchers say the campaign demonstrates how attackers are "laundering" phishing links through multiple trusted services, similar to money laundering.
Security firms make attractive targets because they're deeply integrated into customer environments and inherently trusted by users and systems. The incident highlights the need for layered defenses and zero-trust principles.
Source: Dark Reading
Handala, an Iran-linked hacker group, attacked Michigan-based Stryker Corporation's systems Wednesday, claiming retaliation for the Minab school bombing in Iran. The cyberattack disrupted thousands of employees' Microsoft systems at the medical device manufacturer, causing Stryker's stock to drop 3%.
The hackers claimed they wiped systems and stole 50 terabytes of data, calling Stryker a "Zionist-rooted corporation." However, Stryker says there is no evidence of ransomware and the incident appears contained, though the full restoration timeline remains unknown.
Cybersecurity experts warn this marks an escalation as Middle East conflicts spread to US cyber targets, with more attacks likely coming.
Source: The Guardian
Cybercriminals are exploiting credentials stolen from the VS Code GlassWorm attacks to inject malware into hundreds of Python repositories on GitHub. The campaign, dubbed ForceMemo by StepSecurity, targets Django apps, ML research code, and PyPI packages by rebasing legitimate commits with obfuscated malicious code.
The malware uses an innovative approach, connecting to a Solana blockchain address to receive encrypted instructions while leaving minimal traces of compromise. Attackers skip Russian-language systems, suggesting Eastern European origins.
This represents an escalation of the GlassWorm campaign that began in October 2025, initially targeting VS Code extensions with over 35,000 downloads. The threat has now expanded across GitHub, NPM, and VS Code marketplaces in a coordinated multi-platform attack affecting hundreds of developer accounts.
Source: Security Week
Attackers are exploiting the customer support platform LiveChat to conduct sophisticated phishing campaigns that steal credit card details and personal data. Cofense researchers discovered two attack methods: fake PayPal refund emails and generic order confirmation messages that redirect victims to LiveChat pages mimicking legitimate customer support.
Once connected, human operators impersonating Amazon or PayPal agents use social engineering tactics to extract credentials, MFA codes, and financial information through seemingly trustworthy conversations. The personal interaction makes victims less cautious, increasing success rates.
This marks the first recorded abuse of LiveChat for phishing, essentially creating an online version of voice phishing attacks that feel like real customer service interactions.
Source: Dark Reading
Microsoft is disabling hands-free deployment in Windows Deployment Services after discovering CVE-2026-0386, a critical vulnerability that lets attackers steal credentials and execute code during network OS installations. The flaw affects Windows Server 2008 through 2025, exposing the Unattend.xml configuration file over unauthenticated channels.
Starting January 13, 2026, administrators can manually disable the feature. By April 2026, Microsoft will automatically block it entirely unless organizations explicitly re-enable it through registry settings.
Successful exploitation yields SYSTEM-level privileges, and the flaw poses supply chain risks in enterprise environments. Microsoft recommends migrating to secure alternatives like Intune or Configuration Manager before the April deadline.
Source: Cybersecurity News
The Iran-linked hacker group Handala attacked Michigan-based Stryker Corporation, a major medical device manufacturer, claiming retaliation for the bombing of Iran's Minab school. The Wednesday cyberattack disrupted thousands of employees' Microsoft systems globally, causing Stryker's stock to drop 3%.
Handala claimed to have wiped systems and stolen 50 terabytes of data, calling Stryker a "Zionist-rooted corporation." The company says no ransomware was detected and the incident appears contained, though the full restoration timeline remains unknown.
Cybersecurity experts warn this marks an escalation as Iran's conflict spreads to US cyber targets, with more attacks likely coming.
Source: The Guardian
The massive 2024 Polyfill supply chain attack that compromised over 100,000 websites has been linked to North Korean hackers, not just Chinese actors as initially believed. The attack began when Chinese company Funnull acquired the popular Polyfill.io service and injected malicious code that redirected mobile users to gambling sites.
New evidence from Hudson Rock shows Funnull was likely a front for North Korean operations. Security researchers discovered this after analyzing data stolen from a North Korean hacker's infected computer, which contained credentials for Polyfill control panels and conversations about the attack.
The ultimate goal was reportedly to funnel users to gambling sites owned by China's Suncity Group, which laundered cryptocurrency back to North Korea. This fits a pattern of North Korean cyber operations that have stolen over $2 billion in cryptocurrency.
Source: Security Week
Cybercriminals launched a coordinated attack wave in early 2026, exploiting three critical FortiGate firewall vulnerabilities to breach enterprise networks. The attacks leveraged CVE-2025-59718 and CVE-2025-59719 (both rated 9.8 in severity), which allow attackers to gain admin access using forged SAML tokens, plus a zero-day flaw, CVE-2026-24858, that enabled login through the attackers' own FortiCloud accounts.
Once inside, attackers extracted firewall configurations and decrypted embedded service account credentials for Active Directory systems. In one case, hackers maintained access for two months undetected, creating fake admin accounts and deploying remote access tools. They ultimately stole domain controller databases containing all user passwords.
Fortinet has released patches, but organizations must immediately update firmware, rotate all LDAP credentials, and strengthen firewall monitoring to prevent further breaches.
Source: Cybersecurity News