News Briefs Archive

Complete collection of cybersecurity news briefs, threat intelligence, and incident reports.

Qilin Ransomware Hits All-Time Record — 131 Victims in March, 808 Total Across 65 Groups

Qilin ransomware claimed 131 victims in March 2026, an all-time single-month record for any ransomware group. Total ransomware activity reached 808 victims across 65 active groups — a 19% jump from February. Manufacturing was the hardest-hit sector, and European countries saw dramatic increases.

Mar 31, 2026Breachsense

RansomwareQilinStatisticsManufacturing

HighIncidents

European Commission Confirms Breach — 90GB of Data Published After Trivy Supply Chain Attack

CERT-EU attributed the breach of European Commission cloud infrastructure to threat group TeamPCP, which exploited a compromised Trivy vulnerability scanner to obtain AWS API keys. ShinyHunters subsequently published a 90GB archive containing email content, DKIM signing keys, contracts, and data from 42 internal and 29 external EU entities.

Mar 27, 2026TechCrunch

European CommissionSupply ChainTrivyShinyHunters

HighVulnerabilities

Critical Langflow RCE Exploited Within 20 Hours of Disclosure

CVE-2026-33017, a CVSS 9.3 unauthenticated remote code execution flaw in the open-source AI workflow builder Langflow, was exploited in the wild within 20 hours of public disclosure. CISA added it to the Known Exploited Vulnerabilities catalog on March 25, giving federal agencies until April 8 to patch.

Mar 25, 2026Sysdig

LangflowCVE-2026-33017RCEAI Security

CriticalVulnerabilities

Ubiquiti UniFi Hit with CVSS 10.0 Path Traversal — Third Maximum-Severity Flaw in 12 Months

CVE-2026-22557 allows unauthenticated attackers to achieve complete system takeover of Ubiquiti UniFi Network Application through path traversal. At CVSS 10.0, it is the third maximum-severity vulnerability in UniFi within 12 months. A companion NoSQL injection flaw (CVE-2026-22558, CVSS 7.7) enables privilege escalation chaining.

Mar 18, 2026CyCognito

UbiquitiCVE-2026-22557CVSS 10Path Traversal

HighThreats

BlackSanta EDR Killer Targets HR Departments via Resume-Themed ISO Files

Aryaka Threat Labs uncovered a year-long campaign using BYOVD techniques to disable endpoint security. BlackSanta exploits vulnerable truesight.sys and IObitUnlocker.sys drivers to terminate AV/EDR processes at kernel level, delivered via resume-themed ISO files targeting recruiters.

Mar 12, 2026Aryaka

BlackSantaBYOVDEDR EvasionDLL Sideloading

MediumThreats

BoryptGrab Stealer Spreads via 100+ Fake GitHub Repositories with SEO Poisoning

Trend Micro uncovered a large-scale campaign distributing the BoryptGrab information stealer through SEO-optimized GitHub repositories posing as free software tools. The C/C++ malware targets browser data, cryptocurrency wallets, Telegram files, and Discord tokens.

Mar 12, 2026Trend Micro

BoryptGrabGitHubInfostealerSEO Poisoning

CriticalIncidents

McKinsey's Lilli AI Platform Breached in Two Hours via SQL Injection

Red-team startup CodeWall demonstrated full read-write access to McKinsey's internal AI chatbot platform through 22 unauthenticated API endpoints and SQL injection in JSON field names. Accessible data included 46.5 million chat messages, 728,000 files, and 57,000 user accounts.

Mar 12, 2026CodeWall

McKinseyAI SecuritySQL InjectionAPI Security

HighThreats

Medusa Ransomware Shuts Down Mississippi's Only Level I Trauma Centre for Nine Days

The Medusa ransomware group demanded $800,000 from the University of Mississippi Medical Center after a February 19 attack forced a nine-day outage — closing 35 clinics, cancelling elective procedures, and taking the EPIC EHR system offline. Medusa's operational tempo allows deployment within 24 hours of initial access.

Mar 12, 2026The Record

RansomwareMedusaHealthcareCritical Infrastructure

HighVulnerabilities

Zombie ZIP Technique Bypasses 98% of Antivirus Engines via Malformed Headers

CVE-2026-0866 enables attackers to craft ZIP archives that evade 50 of 51 VirusTotal scanning engines. The Zombie ZIP technique declares Method=0 (stored) while containing DEFLATE-compressed payloads, causing AV scanners to inspect compressed noise instead of actual malware signatures.

Mar 12, 2026CERT/CC

CVE-2026-0866Zombie ZIPAV EvasionCERT/CC

CriticalThreats

Iran-Linked Handala Group Wipes 80,000 Stryker Devices via Compromised Intune Account

Iran's MOIS-linked Handala group used a single compromised Microsoft Intune administrator account to issue mass wipe commands across 79 countries, halting manufacturing, shipping, and electronic ordering at medical device maker Stryker for several days. No malware was used — only legitimate Microsoft tools.

Mar 11, 2026Krebs on Security

Medical DevicesIntuneIranCISA

CriticalVulnerabilities

Cisco SD-WAN Zero-Day Under Active Exploitation Since 2023

CVE-2026-20127 is a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller and Manager. Exploited by UAT-8616 since 2023, CISA issued Emergency Directive 26-03 with a 24-hour patch mandate.

Mar 5, 2026Cisco Talos

CVE-2026-20127CiscoSD-WANCISA

CriticalIncidents

LexisNexis Confirms Cloud Breach — 400K User Profiles, Government Employees Exposed

Threat actor FulcrumSec exploited a React2Shell vulnerability and over-permissive AWS IAM roles to exfiltrate 2.04GB of data from LexisNexis Legal & Professional, including 400,000 cloud user profiles, 53 plaintext AWS secrets, and records of 118 US government employees.

Mar 4, 2026BleepingComputer

Cloud SecurityAWSData BreachLexisNexis

HighThreats

GRIDTIDE Espionage Campaign Breached 53 Organisations Across 42 Countries

Google GTIG disrupted UNC2814, a China-nexus espionage group that used Google Sheets as a C2 channel. The GRIDTIDE backdoor compromised telecom and government targets across four continents.

Mar 4, 2026Google Cloud Blog

UNC2814GRIDTIDEChinaEspionage

HighThreats

Dohdoor Backdoor Targets U.S. Education and Healthcare via DNS-over-HTTPS

Cisco Talos identified UAT-10027, a North Korea-nexus threat actor deploying the Dohdoor backdoor against education and healthcare organisations since December 2025. The malware uses DNS-over-HTTPS for covert C2.

Mar 3, 2026Cisco Talos

UAT-10027DohdoorNorth KoreaDNS-over-HTTPS

MediumVulnerabilities

2,863 Public Google API Keys Found to Authenticate to Gemini AI Endpoints

Truffle Security discovered that thousands of publicly exposed Google API keys can access Gemini endpoints, enabling data exposure and billing abuse. One developer was charged $82,314 in 48 hours.

Mar 2, 2026Truffle Security

Google CloudGeminiAPI KeysTruffle Security

HighThreats

ClickFix Campaigns Now Targeting Thousands of Devices Daily via Windows Terminal

Microsoft Threat Intelligence confirmed that ClickFix social engineering campaigns are targeting thousands of enterprise devices globally every day. A February 2026 variant escalates to Windows Terminal for privileged command execution.

Mar 1, 2026Microsoft Security Blog

ClickFixMicrosoftSocial EngineeringLumma Stealer

MediumIncidents

GTFire Phishing Campaign Exploits Google Services to Bypass Security Filters

Group-IB discovered the GTFire campaign chaining Google Translate and Firebase to harvest credentials from 1,000+ organisations across 100+ countries, bypassing email security gateways entirely.

Feb 28, 2026Cyber Security News

GTFirePhishingGoogle FirebaseGoogle Translate

CriticalIncidents

Cegedim Sante Breach Exposes 15.8 Million Patient Records in France

French healthcare software provider Cegedim Sante confirmed that 15.8 million patient records were compromised in a breach of its MonLogicielMedical platform — including 165,000 files containing sensitive diagnoses such as HIV status and psychiatric conditions. The company had been fined €800,000 by CNIL in September 2024 for illegally processing health data.

Feb 27, 2026France24

HealthcareGDPRData BreachFrance