
Cyber Threat Weekly – #120

Derek Krein
4 min read

The week of March 9th through March 15th, only a light amount of cyber threat trends and adversarial behavior news to share.  A power outage during storms crashed my Open CTI server, slowing things down a bit and limiting coverage.

Been using Open CTI to gather around 60 news feeds every week.  From those feeds I pick the topics that most fit the threat trends and adversarial behavior we should be paying attention to and defending against.  It’s important we use threat intelligence strategically to understand the broad threat landscape, prolific adversarial behavior, and trends.  That’s what this newsletter is all about.

Let’s start with a new open-source scanner, Betterleaks.  Open-source repository and other supply chain attacks.  Cloud Threat Horizons Report H1 2026.  Unit42 Global Incident Response Report 2026.  Salesforce overly permissive configs targeted.

AI-assisted malware used in ransomware attacks.  Cloud Security Risk Report 2025.  HR departments targeted by new ‘EDR Killer’ malware.


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher when weaponized PoC code is available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

VPN gateways from all vendors are under constant attack.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
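One way to turn the prioritization rule above into a repeatable triage step, as an added example (not code from the newsletter, CISA or VulnCheck): rank a vulnerability inventory against a KEV-style catalog, put KEV entries in tier 1, weaponized-PoC flaws in tier 2, and stamp both with the 24-to-48-hour emergency deadline. The catalog sample is constructed in the shape of the CISA KEV JSON feed (assumed field names), the inventory is constructed, and the CVE-PLACEHOLDER ids are not real.

```python
"""Patch-priority triage following the newsletter's rule of thumb (constructed
example, not code from the newsletter, CISA or VulnCheck)."""
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed (assumption: the
# real feed lists entries under "vulnerabilities" with a "cveID" field).
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-26399", "dueDate": "2026-04-02"},
    {"cveID": "CVE-2026-1603", "dueDate": "2026-03-30"},
]})

# Constructed inventory: CVE -> asset and whether weaponized PoC is public.
# CVE-PLACEHOLDER-* are not real ids; the PoC flag stands in for whatever
# exploit-intel source you actually use.
SAMPLE_INVENTORY = {
    "CVE-2025-26399": {"asset": "helpdesk-01", "weaponized_poc": True},
    "CVE-2026-1603": {"asset": "epm-core", "weaponized_poc": False},
    "CVE-PLACEHOLDER-A": {"asset": "intranet-app", "weaponized_poc": True},
    "CVE-PLACEHOLDER-B": {"asset": "print-server", "weaponized_poc": False},
}

EMERGENCY_SLA = timedelta(hours=48)      # the 24-to-48-hour emergency window
NOW = datetime(2026, 3, 16)              # fixed clock so the demo is repeatable

def load_kev_ids(kev_json: str) -> set:
    """Return the set of CVE ids listed in a KEV-format catalog."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}

def triage(inventory: dict, kev_ids: set, now: datetime) -> list:
    """Rank CVEs: 1 = in KEV, 2 = weaponized PoC public, 3 = everything else.
    Tiers 1 and 2 get the emergency patch-by deadline; tier 3 gets None."""
    rows = []
    for cve, meta in inventory.items():
        if cve in kev_ids:
            tier, reason = 1, "in KEV catalog (actively exploited)"
        elif meta["weaponized_poc"]:
            tier, reason = 2, "weaponized PoC code available"
        else:
            tier, reason = 3, "no exploitation signal; normal cycle"
        rows.append({"cve": cve, "asset": meta["asset"], "tier": tier,
                     "reason": reason,
                     "patch_by": now + EMERGENCY_SLA if tier < 3 else None})
    return sorted(rows, key=lambda r: (r["tier"], r["cve"]))

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, load_kev_ids(SAMPLE_KEV_JSON), NOW):
        print(row["tier"], row["cve"], row["asset"], row["reason"], row["patch_by"])
```

Swap the constructed catalog for the live CISA or VulnCheck KEV feed and the inventory for your scanner export, and the ordering gives you the emergency patch queue first.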


CISA Known Exploited Vulnerabilities – March 9th to March 15th:

CVE-2021-22054 – Omnissa Workspace ONE Server-Side Request Forgery:
Omnissa Workspace ONE UEM (formerly VMware Workspace ONE UEM) contains a server-side request forgery (SSRF) vulnerability that could allow a malicious actor with network access to UEM to send requests without authentication and gain access to sensitive information.

CVE-2025-26399 – SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability:
Could allow an attacker to run commands on the host machine.

CVE-2026-1603 – Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability:
Could allow a remote unauthenticated attacker to leak specific stored credential data.

CVE-2025-68613 – n8n Improper Control of Dynamically-Managed Code Resources Vulnerability:
Allows for remote code execution.

CVE-2026-3910 – Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability:
Could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

CVE-2026-3909 – Google Skia Out-of-Bounds Write Vulnerability:
Could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.


New Open-Source Secrets Scanning Tool – Betterleaks

Maintained by the same team, and intended to be the successor to Gitleaks.  This more advanced version is more efficient and written in Go.  Right now, it’s Git only, but support for additional data sources and more features is planned.  It’s worth using this tool to scan your repositories before threat actors do.

https://www.bleepingcomputer.com/news/security/betterleaks-a-new-open-source-secrets-scanner-to-replace-gitleaks/

https://www.aikido.dev/blog/betterleaks-gitleaks-successor


Open-source Repository and Other Supply Chain Attacks

There are several this week, so instead of listing them individually, they are grouped under a common trend.

https://www.bleepingcomputer.com/news/security/appsflyer-web-sdk-used-to-spread-crypto-stealer-javascript-code/

https://profero.io/blog/hijacked-at-the-source-a-trusted-marketing-appsflyers-sdk-distributes-a-crypto-stealer

https://thehackernews.com/2026/03/glassworm-supply-chain-attack-abuses-72.html

https://socket.dev/blog/open-vsx-transitive-glassworm-campaign

https://thehackernews.com/2026/03/unc6426-exploits-nx-npm-supply-chain.html

https://cloud.google.com/security/report/resources/cloud-threat-horizons-report-h1-2026?e=48754805#from-cicd-to-cloud-compromise-real-world-breach-using-openid-connect-abuse-9

https://www.darkreading.com/application-security/xygeni-github-action-compromised-via-tag-poison

https://www.bleepingcomputer.com/news/security/new-phantomraven-npm-attack-wave-steals-dev-data-via-88-packages/


Cloud Threat Horizons Report H1 2026 – Google

Some of the key findings from the report: exploitation of third-party user-managed software increasing as a primary initial access vector, identity compromise in 83% of compromises, living-off-the-cloud (LOTC) techniques, and more.

https://cloud.google.com/security/report/resources/cloud-threat-horizons-report-h1-2026


Unit42 Global Incident Response Report 2026

Key trends observed: AI is increasing speed and scale of attacks, identity techniques drove 65% of initial access, disruption through software supply chain, and nation states are adapting to modern environments.  The criminals will follow suit.

https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report


Salesforce Misconfigurations Targeted by Attackers

Using the guest user profile and allowing public access to objects and fields not intended for public exposure can put you “at risk”.  Salesforce provided a blog with configurations to limit exposure and minimize risk.

https://www.darkreading.com/application-security/overly-permissive-salesforce-cloud-configs-crosshairs

https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/

https://www.salesforce.com/blog/misconfiguration-mistakes/


Slopoly, AI-Assisted Malware, Used for Persistence

A financially motivated threat cluster has been observed using likely AI-built malware designed for command-and-control communications.  The attack started with the ClickFix social engineering technique and led to ransomware.

https://thehackernews.com/2026/03/hive0163-uses-ai-assisted-slopoly.html

https://www.ibm.com/think/x-force/slopoly-start-ai-enhanced-ransomware-attacks


Cloud Security Risk Report 2025

Similar to other reports, cloud credential theft, leaked credentials, and other credential issues were a top trend.  Lateral movement, cloud storage, cloud supply chain, and cloud AI services round out the report.

https://www.sentinelone.com/resources/whitepapers/assets/cnapp/cloud-security-risk-report-en


Attackers Target HR Departments with New ‘Black Santa’ Malware

This EDR killer malware uses the bring your own vulnerable driver (BYOVD) technique.  Criminals continue to build tools to commoditize this attack vector.  These tools allow attackers to turn off anti-virus and EDR tools or weaken Microsoft Defender before deploying malicious payloads.  Any endpoint agent is at risk; currently AV / EDR is the target.

https://www.bleepingcomputer.com/news/security/new-blacksanta-edr-killer-spotted-targeting-hr-departments/

