By security practitioners, for security practitioners

Top 10 Cybersecurity News (Mar. 2 2026): APT37 Deploys Malware Against Air-Gapped Networks, UFP Technologies Confirms Theft of Business Data, UNC2814 Espionage Campaign Hits Telecom & Govt, and More

WEEKLY TOP TEN: March 2, 2026, 16:00 GMT

  1. APT37 Deploys Malware Against Air-Gapped Networks

    North Korean threat group APT37 has developed and deployed a suite of malware tools (Ruby Jumper) to breach air-gapped systems, circumventing traditional isolation via removable media. The tools enable covert surveillance and data movement between secured and unsecured environments in critical sectors. Researchers warn that this activity demonstrates how advanced persistent threats are adapting to highly secure enclave targets. Organizations relying on physical isolation must reassess controls around removable drives and monitor for unusual lateral data flows.
  2. Cisco Warns of Actively Exploited SD-WAN Zero-Day

    Cisco disclosed a critical authentication bypass flaw (CVE-2026-20127) in its Catalyst SD-WAN products that has been actively exploited in the wild since at least 2023. Attackers have been adding rogue peers and, in some cases, escalating to root access through chained exploits. The U.S. CISA issued an Emergency Directive requiring immediate mitigation. This affects both on-prem and cloud SD-WAN controllers globally, with threat actors targeting exposed management interfaces. Organizations are urged to patch and hunt for malicious activity.
  3. UFP Technologies Confirms Theft of Business Data

    American medical device manufacturer UFP Technologies reported a cybersecurity incident on February 14, in which attackers stole data from its IT systems. The breach disrupted functions such as billing and delivery and necessitated emergency containment measures, including system isolation and external cybersecurity assistance. Although remediation removed the threat actor, some company data was exfiltrated or destroyed, suggesting possible involvement by ransomware or destructive malware. The firm indicated normal operations have largely resumed, but continues its investigation.
  4. Previously “Harmless” Google API Keys Expose Gemini Data

    Security researchers discovered that nearly 3,000 exposed Google API keys embedded in public code could be used to access private Gemini AI data services via improperly protected authentication mechanisms. Keys once considered non-sensitive (e.g., Maps keys) now grant broader access because Gemini assistant integration expands their privileges. The issue affects organizations that embed API keys in client-side code and highlights a critical API security oversight in AI service integrations.
  5. CISA Warns of Dormant RESURGE Malware on Ivanti

    The U.S. CISA issued a warning about the RESURGE implant used in zero-day attacks against Ivanti Connect Secure devices (CVE-2025-0282), where the malware can lie dormant and enable future exploitation. Organizations should assume possible compromise of unpatched systems and take remediation steps, including isolating affected systems and applying vendor advisories. This reinforces the danger of persistent implants in remote access gateways.
  6. Critical Juniper PTX Router Vulnerability

    Juniper Networks disclosed a critical flaw (CVE-2026-21902) in its PTX Series routers running Junos OS Evolved that allows unauthenticated remote code execution and full takeover. These high-performance routers are the core infrastructure in ISP and cloud networks. The vulnerability stems from improper permissions exposing internal services externally. Security teams should patch urgently and monitor for signs of exploitation.
  7. UNC2814 Espionage Campaign Hits Telecom & Govt

    Security researchers disrupted the operations of a suspected China-linked threat actor, UNC2814, which had breached networks across at least 53 organizations in 42 countries, including telecom firms and government agencies. The attackers used SaaS API calls to disguise malicious traffic and maintain persistence. The campaign highlights sophisticated, long-running global espionage targeting sensitive infrastructure.
  8. Optimizely Data Breach via Vishing Attack

    A voice phishing (vishing) campaign led to unauthorized access to internal business systems at ad tech provider Optimizely, compromising basic business contact information and internal CRM records. The breach resulted from attackers tricking employees into divulging credentials, thereby enabling access to systems such as Zendesk and Salesforce. While there’s no confirmed loss of highly sensitive customer data, the incident underscores the risk of social engineering attacks that could compromise major SaaS platforms serving thousands of enterprises. Investigation and mitigation efforts are underway.
  9. ManoMano Third-Party Breach Affects 38M Users

    French e-commerce giant ManoMano disclosed a data breach impacting approximately 38 million individuals after hackers accessed a third-party service provider’s systems. The attackers extracted personal data tied to customer accounts and service interactions; the investigation began in January 2026. While ManoMano believes the breach stemmed from a subcontractor compromise, it highlights widespread risk in complex digital supply chains. Affected users are being notified and advised on protective measures.
  10. Trend Micro Patches Critical Apex One RCE Flaws

    Endpoint security provider Trend Micro released patches addressing two critical RCE vulnerabilities in its Apex One platform (CVE-2025-71210 & CVE-2025-71211). These path traversal weaknesses could allow unauthenticated remote attackers to execute code. Organizations with externally exposed management consoles should limit access and apply mitigations. The issue shows vulnerabilities can exist even in security software, affecting detection and response capabilities if unpatched.

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, ranked by highest risk, using multiple sources where available.
