WEEKLY TOP TEN: March 16, 2026, 16:00 GMT
- Microsoft Fixes Exploited Zero-Day Vulnerabilities In March Patch Tuesday
Microsoft released security updates addressing numerous vulnerabilities in Windows and related products, including at least two actively exploited zero-day flaws affecting enterprise environments. The vulnerabilities could allow attackers to escalate privileges, execute arbitrary code, or bypass security protections if successfully exploited. Organizations running Windows systems were urged to apply patches immediately due to evidence that threat actors were already exploiting some flaws in the wild. The updates also addressed dozens of additional security weaknesses across Microsoft software and services. Security teams were advised to prioritize patch deployment, review endpoint logs for signs of compromise, and ensure systems exposed to the internet were updated quickly to reduce exploitation risk.
- Cisco Warns Of Actively Exploited Vulnerabilities In Catalyst SD-WAN Devices
Cisco warned that multiple vulnerabilities in its Catalyst SD-WAN platform are being actively exploited by attackers targeting enterprise network infrastructure. The flaws could allow remote attackers to gain elevated privileges or execute arbitrary commands on affected devices. Cisco confirmed that threat actors have been attempting to exploit the vulnerabilities in the wild, increasing urgency for organizations using the networking equipment to patch their systems. Security teams were advised to upgrade firmware and review access controls on affected devices. Given the role of SD-WAN systems in enterprise connectivity, successful compromise could allow attackers to intercept traffic, pivot inside corporate networks, or disrupt critical business operations.
- Ericsson US Data Breach Linked To Compromised Service Provider
Ericsson disclosed that attackers accessed personal information belonging to more than 15,000 individuals after breaching a third-party service provider used by the company. The investigation determined that unauthorized access occurred in April 2025, but the review of affected files was completed only in early 2026. Exposed information included names, government identification numbers, financial details, and other sensitive records related to employees and customers. Ericsson stated that external cybersecurity specialists were engaged to investigate the intrusion and that law enforcement was notified. The incident illustrates how supply chain relationships and external service providers remain a common entry point for data breaches affecting major enterprises.
- Salesforce Experience Cloud Misconfiguration Exploited In Data Theft Campaign
Threat actors linked to the ShinyHunters extortion group are reportedly exploiting misconfigured Experience Cloud deployments to access sensitive data from Salesforce environments. The campaign targets instances where guest users are granted excessive permissions, enabling attackers to extract information stored within Salesforce-powered websites and portals. Security researchers warn that hundreds of organizations may be affected due to widespread configuration errors. Salesforce has issued warnings urging customers to review access settings and remove unnecessary guest privileges. The incident highlights how misconfigurations in widely used SaaS platforms can expose sensitive corporate data even without a software vulnerability being exploited.
- LeakBase Cybercrime Marketplace Dismantled By Law Enforcement
Authorities announced the takedown of LeakBase, an online cybercrime forum used to distribute stolen credentials and databases. Investigators said the marketplace hosted large collections of breached account information that criminals used for credential stuffing, fraud, and account takeovers. Law enforcement identified and arrested several suspects believed to be involved in operating the platform. The investigation revealed that the forum had accumulated more than 140,000 users since its launch in 2021. Security experts noted that the takedown disrupted a major distribution hub for stolen data but warned that similar underground forums continue to emerge quickly, making ongoing international cooperation essential to combat cybercrime ecosystems.
- BlackSanta Malware Disables Security Tools Before Launching Attack
Security researchers identified a malware strain called BlackSanta that disables antivirus and endpoint detection systems before executing its main payload. The malware operates at the kernel level to terminate defensive processes and evade detection. Once security controls are disabled, BlackSanta performs credential harvesting, system reconnaissance, and data exfiltration. The campaign demonstrates how modern malware increasingly focuses on neutralizing endpoint protection tools early in the attack chain. Organizations are encouraged to deploy behavioral monitoring and tamper-protection mechanisms that prevent unauthorized modifications to security software components during an intrusion.
- Stryker Targeted By Iran-Linked Handala Cyberattack
Medical technology manufacturer Stryker was reportedly targeted by the pro-Iranian hacktivist group Handala in a destructive cyberattack. The attackers claimed to have wiped more than 200,000 devices belonging to the company and released evidence of network access on social media platforms. While the full scope of operational disruption has not been confirmed, the incident highlights the growing overlap between geopolitical conflicts and corporate cyber risk. Hacktivist groups increasingly target global companies they believe are associated with adversary nations. The attack underscores the need for stronger resilience strategies and incident response preparedness for organizations operating in politically sensitive environments.
- AppsFlyer SDK Supply Chain Attack Injects Cryptocurrency-Stealing Code
The AppsFlyer Web SDK was temporarily compromised in a supply-chain incident that allowed attackers to distribute malicious JavaScript to websites and applications using the analytics platform. The injected code was designed to intercept cryptocurrency wallet addresses entered by users and replace them with attacker-controlled addresses, redirecting funds to criminals. Because AppsFlyer software is integrated into tens of thousands of mobile and web applications used by businesses worldwide, the compromise had the potential to affect a large number of websites. The company stated that the incident originated from a domain registrar issue and that the malicious code exposure was quickly contained.
- McKinsey Internal AI Chatbot Compromised In Red-Team Attack
Security researchers demonstrated that McKinsey's internal generative AI platform could be compromised by an automated AI agent capable of exploiting system weaknesses. During the test, the agent reportedly gained read-write access to the chatbot environment within two hours. The compromise allowed access to millions of internal chat messages and hundreds of thousands of files containing confidential consulting data and client information. The research highlights emerging risks associated with enterprise AI deployments, particularly those connected to large knowledge repositories. Experts warn that poorly secured AI systems could expose sensitive corporate data and strategic documents if attackers discover similar weaknesses.
- Microsoft Teams Phishing Campaign Deploys A0Backdoor Malware
Attackers launched a phishing campaign through Microsoft Teams messages targeting employees at organizations in sectors including finance and healthcare. The attackers impersonated technical support staff and persuaded victims to grant remote access using Microsoft's Quick Assist tool. Once access was granted, the attackers deployed a malware strain known as A0Backdoor to maintain persistence and enable remote control of compromised systems. The technique shows how attackers increasingly abuse legitimate collaboration platforms to bypass traditional email security defenses. Organizations were advised to restrict external Teams communications and educate employees about social engineering attempts conducted through enterprise messaging platforms.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent cybersecurity risks reported online. The ten stories above were judged the most significant of the week, ranked from highest to lowest risk, drawing on multiple sources where available.