By security practitioners, for security practitioners

Top 10 Cybersecurity News (Mar. 9 2026): CISA Warns of iOS Flaws, LexisNexis Confirms Data Breach, FBI Investigates Breach of Surveillance and Wiretap Systems, and More

WEEKLY TOP TEN: March 9, 2026, 16:00 GMT

  1. LexisNexis Confirms Data Breach After Hackers Leak Files

    LexisNexis Risk Solutions confirmed that attackers accessed company systems and leaked stolen files online. Threat actors claim to have exfiltrated approximately 2GB of internal data containing personal information records associated with customers. The company acknowledged the breach but stated that the impact appears limited following internal investigation. LexisNexis provides risk intelligence, legal data, and analytics services used widely across financial services, insurance, and government sectors, making any breach potentially sensitive. Security teams are assessing the compromised data and reviewing internal controls, as organizations that rely on the company’s data services evaluate potential downstream exposure.
  2. Cognizant TriZetto Breach Exposes 3.4 Million Patient Records

    TriZetto Provider Solutions, a healthcare IT subsidiary of Cognizant, disclosed a significant data breach exposing the sensitive information of more than 3.4 million individuals. The compromised data includes patient information processed through TriZetto’s healthcare payment and administrative platforms used by insurers and healthcare providers. Attackers reportedly accessed systems containing protected health data, raising concerns about potential identity theft and fraud risks. Healthcare organizations relying on the platform are investigating whether their customers’ records were affected. The incident highlights the continuing cybersecurity risks in the healthcare software supply chain and the critical need for strong protection of patient data.
  3. Cisco Warns of Active Exploitation of Catalyst SD-WAN Vulnerabilities

    Cisco warned that attackers are actively exploiting multiple vulnerabilities affecting its Catalyst SD-WAN networking platform. The flaws allow attackers to gain unauthorized access to systems and potentially escalate privileges to root level on vulnerable devices. Organizations running affected SD-WAN deployments may face risks ranging from network compromise to lateral movement across enterprise infrastructure. Cisco issued security updates and urged administrators to apply patches immediately. Given the widespread use of SD-WAN technology in enterprise networks and branch connectivity, exploitation could provide attackers a foothold deep within corporate environments.
  4. MS-Agent AI Framework Vulnerability Enables Full System Compromise

    Researchers discovered a critical vulnerability in the MS-Agent framework used to build AI agents capable of executing system commands. The flaw stems from improper input validation within the framework’s Shell tool, allowing attackers to inject malicious commands that bypass security checks. Successful exploitation could lead to arbitrary code execution, data theft, and persistence within compromised environments. Because MS-Agent enables AI agents to interact with operating systems and external tools, exploitation could provide attackers with broad control over affected hosts. The vulnerability highlights emerging security challenges as AI-driven automation frameworks become more integrated into enterprise workflows.
  5. OAuth Redirection Abuse Used in Targeted Phishing Attacks

    Security researchers revealed that attackers are exploiting legitimate OAuth authentication flows to bypass phishing protections. The campaign uses trusted-authentication redirects to lead victims to malicious applications that request account access. Victims believe they are authenticating with legitimate services while actually granting permissions to attacker-controlled apps. Government and public-sector organizations are among the primary targets of these attacks. The technique demonstrates how attackers increasingly abuse legitimate authentication mechanisms rather than traditional malware to compromise accounts and maintain stealth.
  6. WordPress Plugin Vulnerability Exploited to Create Admin Accounts

    Attackers are actively exploiting a critical vulnerability in the widely used User Registration & Membership plugin for WordPress websites. The flaw allows unauthenticated attackers to create administrator accounts on affected sites, giving them full control over the platform. Security researchers observed hundreds of exploitation attempts targeting websites running vulnerable versions of the plugin. Once attackers obtain admin access, they can install malware, host phishing pages, or use the compromised site as part of a broader attack infrastructure. Website administrators are advised to update to patched versions immediately or disable the plugin.
  7. FBI Investigates Breach of Surveillance and Wiretap Systems

    The Federal Bureau of Investigation confirmed it is investigating a cybersecurity incident affecting systems used to manage surveillance operations and wiretap warrants. According to reports, attackers accessed infrastructure used to handle court-authorized monitoring requests. While the FBI said it identified and addressed suspicious activity, officials declined to disclose the attack’s origin or the full scope of data exposure. The breach raises concerns about operational security within critical law-enforcement infrastructure and the protection of highly sensitive investigative tools. Even a limited compromise could expose investigative procedures or ongoing surveillance activities.
  8. LeakBase Cybercrime Marketplace Dismantled in International Operation

    Law-enforcement agencies shut down the cybercrime forum LeakBase in a coordinated international takedown operation. The underground platform hosted stolen credentials and databases collected from numerous breaches and had grown to more than 142,000 registered users since launching in 2021. Authorities arrested several suspects believed to be connected to the platform’s administration and distribution of stolen data. LeakBase served as a marketplace for cybercriminals seeking compromised credentials and datasets for use in account-takeover attacks, fraud, and phishing campaigns. The shutdown disrupts one distribution channel but also illustrates the persistent ecosystem supporting cybercrime operations.
  9. CISA Warns of iOS Flaws Used in Spyware and Crypto-Theft Attacks

    The Cybersecurity and Infrastructure Security Agency issued a directive warning federal agencies to patch multiple Apple iOS vulnerabilities being exploited in active attacks. The flaws are linked to campaigns involving espionage activity and cryptocurrency theft operations. Attackers reportedly use an exploit toolkit to compromise devices and extract sensitive data. Mobile devices increasingly serve as gateways to corporate systems and personal financial accounts, making such vulnerabilities highly valuable to threat actors. Agencies were ordered to apply patches quickly to prevent further exploitation.
  10. Tycoon 2FA Phishing Platform Taken Down

    Law-enforcement agencies dismantled Tycoon 2FA, a phishing-as-a-service platform used to bypass multi-factor authentication protections. The platform enabled cybercriminals to send large volumes of phishing emails that captured login credentials and session tokens in real time. Investigators say Tycoon 2FA infrastructure was used to target hundreds of thousands of organizations globally. The takedown disrupted an important component of the cybercrime ecosystem, one that had enabled less-skilled attackers to launch sophisticated phishing campaigns against enterprise users.
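As an added illustration of the input-validation failure described in item 4 above (example code written for this digest, not MS-Agent's own code; the allowlist, the function names and the sample commands are assumptions), the following Python shows one way an agent's command-execution tool can validate what a model asks it to run before anything reaches the operating system: parse the request into an argument vector, allowlist the program, refuse shell control characters, and never hand the raw string to a shell.

```python
import shlex
import subprocess
from dataclasses import dataclass, field

# Hypothetical allowlist of programs the agent's command tool may launch.
# A real deployment would scope this to what the agent actually needs.
ALLOWED_PROGRAMS = {"ls", "cat", "grep", "head", "wc"}

# Shell control characters. The tool never invokes a shell, so these would only
# reach a program as literal arguments, but rejecting them outright keeps a
# model from smuggling a second command past the allowlist check.
SHELL_METACHARACTERS = set(";|&$`<>(){}\n")


@dataclass
class Verdict:
    allowed: bool
    reason: str
    argv: list = field(default_factory=list)


def validate_command(command: str) -> Verdict:
    """Decide whether a model-supplied command string may be executed."""
    try:
        # shlex.split tokenises like a POSIX shell would, without running one.
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. an unterminated quote
        return Verdict(False, f"unparseable command: {exc}")
    if not argv:
        return Verdict(False, "empty command")
    if argv[0] not in ALLOWED_PROGRAMS:
        return Verdict(False, f"program not allowlisted: {argv[0]}", argv)
    for arg in argv:
        bad = SHELL_METACHARACTERS.intersection(arg)
        if bad:
            chars = "".join(sorted(bad))
            return Verdict(False, f"shell metacharacter in argument: {chars!r}", argv)
    return Verdict(True, "ok", argv)


def run_tool_command(command: str, timeout: float = 5.0) -> dict:
    """Run a validated command as an argv list (shell=False) with a timeout."""
    verdict = validate_command(command)
    if not verdict.allowed:
        return {"ok": False, "error": verdict.reason, "stdout": ""}
    try:
        proc = subprocess.run(
            verdict.argv, capture_output=True, text=True,
            timeout=timeout, shell=False,
        )
    except subprocess.TimeoutExpired:
        return {"ok": False, "error": f"timed out after {timeout}s", "stdout": ""}
    return {"ok": proc.returncode == 0, "error": proc.stderr, "stdout": proc.stdout}


if __name__ == "__main__":
    for cmd in ("ls -l /tmp", "ls /tmp; id", "cat $(echo x)", "touch /tmp/x"):
        v = validate_command(cmd)
        print(f"{cmd!r:24} -> {'allowed' if v.allowed else 'rejected'}: {v.reason}")
```

The fragile pattern the item describes is the inverse of this: a substring blocklist checked against the raw string, followed by `subprocess.run(command, shell=True)`. Once a shell is in the loop, any token the blocklist missed becomes executable; with an argv allowlist and `shell=False`, the worst a rejected string can do is fail validation.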

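As an added example tied to item 5 above (written for this digest, not taken from the researchers' report; the client IDs, hosts, log lines and every scope name other than the standard `offline_access` are constructed), the following Python triages OAuth authorization-request URLs captured from proxy logs against an inventory of approved applications. It flags requests for unknown clients, redirect hosts not registered for the client, non-HTTPS redirects, and durable or broad scopes, which together make up the consent-phishing pattern the item describes.

```python
from urllib.parse import urlparse, parse_qs

# Constructed inventory of OAuth clients this organisation has approved, mapped
# to the redirect hosts registered for each. Values are hypothetical.
APPROVED_CLIENTS = {
    "11111111-aaaa-4bbb-8ccc-222222222222": {"mail.example-corp.test"},
    "33333333-dddd-4eee-8fff-444444444444": {"files.example-corp.test"},
}

# Scopes that grant durable or broad access and should draw analyst attention.
# offline_access is the standard OIDC refresh-token scope; the rest are constructed.
HIGH_RISK_SCOPES = {"offline_access", "mail.readwrite", "files.readwrite.all"}

# Constructed proxy-log lines: one request for an approved client, one for an
# unknown app that asks for a refresh token and mailbox write access.
SAMPLE_PROXY_LOG = [
    "https://login.idp.test/oauth2/authorize?client_id=11111111-aaaa-4bbb-8ccc-222222222222"
    "&redirect_uri=https%3A%2F%2Fmail.example-corp.test%2Fcallback&scope=openid+mail.read"
    "&response_type=code",
    "https://login.idp.test/oauth2/authorize?client_id=99999999-0000-4000-8000-999999999999"
    "&redirect_uri=https%3A%2F%2Fdocs-review.unknown-app.test%2Fcb"
    "&scope=openid+offline_access+mail.readwrite&response_type=code",
]


def triage_authorization_request(url: str) -> list:
    """Return findings for one authorization request URL; an empty list means nothing stood out."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    scopes = set(params.get("scope", "").lower().split())
    findings = []

    if client_id not in APPROVED_CLIENTS:
        findings.append("client_id not in approved inventory")
    else:
        host = urlparse(redirect_uri).hostname or ""
        if host not in APPROVED_CLIENTS[client_id]:
            findings.append(f"redirect_uri host {host!r} not registered for this client")

    if redirect_uri and urlparse(redirect_uri).scheme != "https":
        findings.append("redirect_uri is not https")

    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk scopes requested: " + ", ".join(risky))
    return findings


def triage_log(lines) -> dict:
    """Map each suspicious URL in a log to its findings, dropping clean requests."""
    results = {}
    for line in lines:
        findings = triage_authorization_request(line.strip())
        if findings:
            results[line.strip()] = findings
    return results


if __name__ == "__main__":
    for url, findings in triage_log(SAMPLE_PROXY_LOG).items():
        print(urlparse(url).query.split("&")[0])
        for f in findings:
            print("  -", f)
```

Matching on `client_id` rather than on the application's display name is the point of the inventory check: the display name is attacker-chosen, while the client identifier is what the identity provider actually authorises. Pairing that with the registered redirect host catches the case where a known client ID is replayed with a redirect the organisation never approved.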
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were judged the most significant of the week, ranked by highest risk and drawn from multiple sources where available.
