Google Rushes Chrome Update Fixing Two Zero-Days Already Under Attack

Google has issued an emergency Chrome update to address two zero-day vulnerabilities, CVE-2026-3909 and CVE-2026-3910, which are actively being exploited. CVE-2026-3909 is an out-of-bounds write flaw located in Skia, Chrome's graphics library, while CVE-2026-3910 is an inappropriate implementation issue within the V8 JavaScript and WebAssembly engine. Both vulnerabilities could allow attackers to execute arbitrary code, with V8 flaws being particularly critical as they can be triggered by visiting a malicious webpage. Technical details are being withheld to prevent further exploitation until a majority of users have updated. These fixes, discovered internally by Google, are available in the latest Chrome Stable update for Windows, macOS, and Linux, bringing the total count of actively exploited Chrome zero-days in 2026 to three, following a previous patch for CVE-2026-2441, a use-after-free vulnerability in CSS handling. Users are advised to update their browsers promptly.

Severity: Critical

Threat Details and IOCs

CVEs: CVE-2026-2441, CVE-2026-3909, CVE-2026-3910
Technologies: Apple macOS, Chromium, Google Android, Google Chrome, Google Chromium, Linux, Microsoft Windows

Mitigation Advice

  • Force an immediate update of Google Chrome on all company workstations and servers to the latest stable version that includes the fixes.
  • Use a vulnerability scanner or endpoint management system to run a report verifying that all instances of Google Chrome are updated to the patched version and no vulnerable versions exist on the network.
  • Review web proxy, DNS, and Endpoint Detection and Response (EDR) logs for indicators of compromise, such as connections to suspicious domains or unusual child processes spawned by chrome.exe, particularly from the time before the patch was deployed.
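
The log review in the last item, as an added example that is not part of the digest: it scans constructed EDR-style process-creation events for children of chrome.exe outside an allowlist and marks those that predate the patch rollout. The allowlist, the field names and the rollout date are assumptions to tune for your own telemetry.

```python
import json
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Children chrome.exe legitimately spawns: its renderer, GPU and utility
# processes are chrome.exe again. Assumption: extend this allowlist for your
# environment before relying on it.
EXPECTED_CHILDREN = {"chrome.exe"}

# Constructed rollout time of the patched Chrome build (assumption).
PATCH_DEPLOYED_AT = datetime(2026, 3, 3, 12, 0, tzinfo=timezone.utc)

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed EDR/Sysmon-style process-creation events, one JSON object per line.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ts": "2026-03-02T09:14:03Z", "host": "ws-17", "parent": CHROME, "image": CHROME,
     "cmdline": "chrome.exe --type=renderer"},
    {"ts": "2026-03-02T09:14:09Z", "host": "ws-17", "parent": CHROME,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"ts": "2026-03-02T10:01:44Z", "host": "ws-22", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"ts": "2026-03-04T15:30:12Z", "host": "ws-09", "parent": CHROME,
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe"},
]]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def suspicious_chrome_children(lines, patch_deployed_at=PATCH_DEPLOYED_AT):
    """Return events where chrome.exe spawned a child outside the allowlist.
    Events from before the patch rollout are flagged so they are triaged first."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if _basename(ev["parent"]) != "chrome.exe":
            continue
        child = _basename(ev["image"])
        if child in EXPECTED_CHILDREN:
            continue
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        findings.append({"host": ev["host"], "ts": ev["ts"], "child": child,
                         "cmdline": ev["cmdline"], "pre_patch": ts < patch_deployed_at})
    # Pre-patch events first, then chronological.
    return sorted(findings, key=lambda f: (not f["pre_patch"], f["ts"]))


if __name__ == "__main__":
    for f in suspicious_chrome_children(SAMPLE_EVENTS):
        print(f)
```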

Compliance Best Practices

  • Implement or refine an automated patch management policy to ensure security updates for all web browsers are deployed enterprise-wide within a defined, short timeframe (e.g., 72 hours).
  • Use Group Policy Objects (GPO) or a Mobile Device Management (MDM) solution to enforce security hardening policies for all company-managed web browsers, such as disabling JIT compilation or restricting unneeded plugins and extensions.
  • Plan and implement network segmentation to isolate user workstations into a separate network zone from critical infrastructure like application servers and databases, thereby containing the blast radius of a successful endpoint compromise.
  • Tune Endpoint Detection and Response (EDR) rules to create high-fidelity alerts for suspicious browser behaviors, such as memory injection, unexpected child process creation, and execution of scripts from unusual locations.

A Single Line of Code: Pre-Auth OpenSSH Flaw Exposes Ubuntu and Debian Servers

A critical pre-authentication vulnerability, CVE-2026-3497, has been identified in OpenSSH's GSSAPI Key Exchange patch, impacting Ubuntu and Debian servers with GSSAPIKeyExchange enabled. This flaw, discovered by security researcher Jeremy Brown, arises from an incorrect error handling implementation where `sshpkt_disconnect()` was used instead of `ssh_packet_disconnect()`, allowing code execution to continue into sensitive blocks. This leads to uninitialized variable use, information leakage of up to 127KB of heap data to the root monitor, and heap corruption, potentially causing a denial of service with a 90-second SSH lockout on `x86_64` systems. An attacker can trigger this bug with a single crafted 300-byte SSH packet without authentication. Immediate OpenSSH package updates are required, specifically replacing `sshpkt_disconnect()` with `ssh_packet_disconnect()` in `kexgsss.c`. Separately, an emergency Chrome update addresses actively exploited zero-day flaws, CVE-2026-3909 and CVE-2026-3910, impacting the Skia and V8 components.

Severity: Critical

Threat Details and IOCs

Malware: PLASMAGRID, PlasmaLoader, TaxiSpy, TaxiSpy RAT
CVEs: CVE-2026-3497
Technologies: Debian, Linux, OpenSSH, Red Hat Enterprise Linux, Ubuntu
Victim Countries: United Kingdom, United States

Mitigation Advice

  • Apply the latest OpenSSH security patches to all identified Ubuntu and Debian servers.
  • If patching cannot be done immediately, disable GSSAPI authentication in the SSH server configuration file (`/etc/ssh/sshd_config`) by setting `GSSAPIAuthentication no`.
  • Use a vulnerability scanner or asset inventory system to identify all Ubuntu and Debian servers in the environment.
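
A configuration check for the two directives named above, as an added example that is not part of the digest: it reports GSSAPIKeyExchange (the precondition the summary gives) and GSSAPIAuthentication (the setting the mitigation changes) from an sshd_config, honouring sshd's first-value-wins rule. The sample configs are constructed, and treating an unset keyword as the default "no" is an assumption.

```python
# Constructed sshd_config excerpt (not a real server's file). The duplicate
# GSSAPIAuthentication line exercises sshd's first-value-wins rule, and the
# Match block shows why parsing stops at conditional sections.
SAMPLE_SSHD_CONFIG = """\
# constructed sample for this check
Port 22
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIAuthentication no
Match User backup
    GSSAPIAuthentication no
"""

HARDENED_SSHD_CONFIG = """\
Port 22
GSSAPIAuthentication no
GSSAPIKeyExchange no
"""


def parse_global_directives(text: str) -> dict:
    """Map lowercase keyword -> value for the global section of sshd_config.
    sshd keeps the first value it sees for a keyword, so later duplicates are
    ignored; parsing stops at the first Match block, whose directives apply
    only conditionally. The output of `sshd -T` can be fed in the same way."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        directives.setdefault(key, value)
    return directives


def gssapi_status(text: str) -> dict:
    """Report both GSSAPI directives. Assumption: an unset keyword is treated as
    the documented default of "no"."""
    d = parse_global_directives(text)
    kex = d.get("gssapikeyexchange", "no").lower() == "yes"
    auth = d.get("gssapiauthentication", "no").lower() == "yes"
    return {
        "gssapi_key_exchange": kex,      # precondition named in the summary
        "gssapi_authentication": auth,   # directive the mitigation sets to no
        "needs_attention": kex or auth,
    }


if __name__ == "__main__":
    print(gssapi_status(SAMPLE_SSHD_CONFIG))
    print(gssapi_status(HARDENED_SSHD_CONFIG))
```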

Compliance Best Practices

  • Establish and enforce a patch management policy that defines timelines for applying critical security updates to all internet-facing and internal servers.
  • Incorporate a security hardening baseline for server deployments that includes disabling unused SSH features, such as GSSAPI authentication, by default.
  • Configure system monitoring tools to generate alerts for repeated SSH daemon crashes or service restarts.

Veeam Patches 7 Critical Backup Replication Flaws Allowing Remote Code Execution

Veeam has released security updates for its Backup & Replication software to address seven critical vulnerabilities, several of which enable remote code execution (RCE). Specifically, CVE-2026-21666, CVE-2026-21667, CVE-2026-21708, and CVE-2026-21669, all with CVSS scores of 9.9, allow authenticated domain users or Backup Viewers to achieve RCE on the Backup Server or as the postgres user. Additionally, CVE-2026-21671 (CVSS 9.1) permits RCE for authenticated Backup Administrators in high availability deployments, while CVE-2026-21668 (CVSS 8.8) allows authenticated domain users to manipulate arbitrary files on a Backup Repository, and CVE-2026-21672 (CVSS 8.8) facilitates local privilege escalation on Windows-based servers. These flaws affect Veeam Backup & Replication 12.3.2.4165 and earlier version 12 builds, as well as 13.0.1.1071 and earlier version 13 builds, with fixes provided in versions 12.3.2.4465 and 13.0.1.2067 respectively. Users are strongly advised to update their instances immediately, as threat actors are known to reverse-engineer patches for exploitation, and Veeam vulnerabilities have historically been leveraged in ransomware attacks.

Severity: Critical

Threat Details and IOCs

Malware: Akira, Akira_v2, Black Basta, ChaCha ransomware, COLDDRAW, Conti, COPALocker, Cuba, Egregor, Fidel, Fog, Frag, Lost in the Fog, Lumma, LummaC2, Lumma Stealer, Maze, Megazord, REvil, Sodinokibi, Tropical Scorpius
CVEs: CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21669, CVE-2026-21671, CVE-2026-21672, CVE-2026-21708
Technologies: Linux, Microsoft Active Directory, Microsoft Windows, Microsoft Windows Server, PostgreSQL, Veeam Backup & Replication
Threat Actors: Akira, BlackBasta, Conti, Cuba, FIN6, FIN7, GoldRebellion, IceFog, Maze, PinchySpider, REvil, STAC5143, Storm0506, Storm0826, Storm-1567, Storm1567, Ta2101, Unc3973, Unc4393, WIZARDSPIDER
Attacker Countries: China, Iran, Russia
Victim Industries: Automotive, Construction, Education, Engineering, Financial Services, Government, Healthcare, Hospitality, Information Technology, Legal Services, Manufacturing, Media and Entertainment, Pharmaceuticals, Retail, Technology Hardware, Telecommunications, Transportation, Utilities, Utilities & Energy
Victim Countries: Canada, Switzerland, United States

Mitigation Advice

  • Identify all Veeam Backup & Replication version 12 instances and update them to version 12.3.2.4465 immediately.
  • Identify all Veeam Backup & Replication version 13 instances and update them to version 13.0.1.2067 immediately.
  • Review authentication and process execution logs on all Veeam Backup & Replication servers for anomalous activity, focusing on unexpected actions performed by authenticated domain user accounts.
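
Triage of an asset inventory against the build numbers stated in the summary, as an added example that is not part of the digest: it classifies each Veeam Backup & Replication build as vulnerable, patched, or outside the advisory's scope and names the target build for its major version. The hostnames and builds in the sample rows are constructed; how to treat a build between the affected ceiling and the fixed build is a judgement call made explicit in the code.

```python
# Affected ceilings and fixed builds exactly as stated in the advisory summary.
VEEAM_FIXES = {
    12: {"affected_through": "12.3.2.4165", "fixed": "12.3.2.4465"},
    13: {"affected_through": "13.0.1.1071", "fixed": "13.0.1.2067"},
}


def parse_build(version: str) -> tuple:
    """Turn '12.3.2.4165' into (12, 3, 2, 4165) so builds compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Veeam build string: {version!r}")
    return tuple(int(p) for p in parts)


def triage(version: str) -> dict:
    v = parse_build(version)
    fix = VEEAM_FIXES.get(v[0])
    if fix is None:
        return {"version": version, "status": "not covered by this advisory", "target": None}
    if v >= parse_build(fix["fixed"]):
        status = "patched"
    elif v <= parse_build(fix["affected_through"]):
        status = "vulnerable"
    else:
        # Builds between the stated ceiling and the fix are not addressed by the
        # summary; treat them as vulnerable until confirmed with the vendor.
        status = "unconfirmed; treat as vulnerable"
    return {"version": version, "status": status, "target": fix["fixed"]}


def triage_inventory(rows):
    """rows: iterable of (hostname, version) pairs, e.g. from an asset export."""
    return [dict(host=h, **triage(ver)) for h, ver in rows]


# Constructed inventory rows for demonstration.
SAMPLE_INVENTORY = [
    ("bkp-01", "12.3.2.4165"),
    ("bkp-02", "13.0.1.2067"),
    ("bkp-03", "13.0.1.1071"),
    ("bkp-04", "11.0.0.1"),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(row)
```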

Compliance Best Practices

  • Implement network segmentation to place Veeam Backup & Replication servers and repositories in a secure, isolated network zone, restricting access to only authorized administrative personnel and systems.
  • Conduct a recurring audit of all user and service account permissions within the Veeam Backup & Replication console and associated Active Directory groups, enforcing the principle of least privilege for all roles.
  • Architect and implement a backup strategy that includes immutable storage for critical backup copies, such as a hardened Linux repository or a cloud object storage service with object-lock enabled.
  • Develop and implement a formal vulnerability management program that includes asset inventory, risk-based prioritization, and defined service-level agreements (SLAs) for patching critical infrastructure like backup and recovery systems.

UNC6426 Exploits nx npm Supply-Chain Attack to Gain AWS Admin Access in 72 Hours

A threat actor, UNC6426, executed a supply-chain attack, gaining full AWS administrator access within 72 hours, stemming from the August 2025 compromise of the nx npm package. This began with exploiting a `pull_request_target` workflow (Pwn Request) to steal a developer's GitHub token, leading to the deployment of trojanized packages containing QUIETVAULT. This JavaScript credential stealer weaponized an on-endpoint Large Language Model (LLM) tool to exfiltrate environment variables, system information, and GitHub Personal Access Tokens (PATs) to a public GitHub repository, "/s1ngularity-repository-1." UNC6426 then used the stolen PAT for GitHub reconnaissance, employing Nord Stream to acquire GitHub service account credentials. These credentials facilitated the abuse of GitHub-to-AWS OpenID Connect (OIDC) trust, generating temporary AWS Security Token Service (STS) tokens for an overly permissive `Github-Actions-CloudFormation` role. This allowed the threat actor to deploy a new AWS Stack, create an IAM role with `AdministratorAccess`, and escalate to full AWS administrator permissions. Subsequently, UNC6426 enumerated S3 buckets, terminated production EC2 and RDS instances, decrypted application keys, and made all internal GitHub repositories public by renaming them to "/s1ngularity-repository-[randomcharacters]." Mitigations include using package managers that prevent postinstall scripts, applying the principle of least privilege to CI/CD service accounts and OIDC roles, enforcing fine-grained, short-lived PATs, removing standing privileges for high-risk actions, monitoring for anomalous IAM activity, and implementing controls against Shadow AI risks, as this incident exemplifies AI-assisted supply chain abuse where malicious intent is conveyed through natural-language prompts to AI agents.

Severity: Critical

Threat Details and IOCs

Malware: QUIETVAULT, S1ngularity
CVEs: CVE-2025-10894
Technologies: Amazon Web Services, GitHub, GitHub Actions, Node.js, npm, Nrwl Nx
Threat Actors: TraderTraitor, UNC4899, UNC6426
Attacker Countries: North Korea
Attacker Domains: timeapis.io
Attacker Hashes: 8eea1f65e468b515020e3e2854805f1ef5c611342fa23c4b31d8ed3374286a90
Victim Industries: Technology Hardware
Victim Countries: United States

Mitigation Advice

  • Configure your npm client to ignore postinstall scripts by running 'npm config set ignore-scripts true' and verify this setting across all developer workstations and build servers.
  • Immediately audit all active GitHub Personal Access Tokens (PATs), revoking any that lack a near-term expiration date, have overly broad permissions (like 'repo' or 'admin'), or are no longer in use.
  • Scan all GitHub Actions workflows for the use of the `pull_request_target` trigger. Prioritize reviewing any workflows that use this trigger for potential vulnerabilities that could expose secrets.
  • Review the trust policies of all AWS IAM roles configured for GitHub OIDC federation. Ensure each policy is narrowly scoped to specific repositories and workflows using the `repo` and `sub` condition keys, rather than allowing access from any repository in your organization.
  • Query AWS CloudTrail logs for recent 'CreateRole' and 'AttachRolePolicy' events where the 'AdministratorAccess' policy was attached, especially if initiated by a role assumed via OIDC, and investigate any findings.
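
The trust-policy review in the fourth item, as an added example that is not part of the digest: it audits an IAM role trust policy for GitHub OIDC federation, flagging a missing audience pin, a missing sub condition, and a sub value that wildcards across repositories or branches, and shows the overly broad shape beside a narrowly scoped one. The account id, organisation and repository names in the sample policies are constructed.

```python
import json

GH = "token.actions.githubusercontent.com"
PROVIDER = "arn:aws:iam::111122223333:oidc-provider/" + GH  # constructed account id


def _policy(condition: dict) -> str:
    """Wrap one Condition block in a trust policy document (sample builder)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity", "Condition": condition}]})


# Constructed: the broad shape described above, any repo in the org qualifies.
WEAK_TRUST_POLICY = _policy({"StringLike": {GH + ":sub": "repo:example-org/*"}})
# Constructed: pinned audience plus one repository and one deployment environment.
STRICT_TRUST_POLICY = _policy({"StringEquals": {
    GH + ":aud": "sts.amazonaws.com",
    GH + ":sub": "repo:example-org/infra:environment:prod"}})


def _as_list(v):
    return v if isinstance(v, list) else [v]


def audit_github_oidc_trust(policy_json: str) -> list:
    """Return findings for each Allow statement that lets GitHub's OIDC provider
    assume the role; an empty list means these checks pass."""
    findings = []
    for i, st in enumerate(json.loads(policy_json).get("Statement", [])):
        prin = st.get("Principal", {})
        fed = _as_list(prin.get("Federated", [])) if isinstance(prin, dict) else []
        if (st.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", []))
                or not any(GH in p for p in fed)):
            continue
        claims = {}  # claim key -> every constrained value, whatever the operator
        for op_values in st.get("Condition", {}).values():
            for key, val in op_values.items():
                claims.setdefault(key, []).extend(_as_list(val))
        if "sts.amazonaws.com" not in claims.get(GH + ":aud", []):
            findings.append(f"statement {i}: aud not pinned to sts.amazonaws.com")
        subs = claims.get(GH + ":sub", [])
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub repo may assume the role")
        for sub in subs:
            parts = sub.split(":")  # repo:<owner>/<repo>:<ref|environment>:<name>
            if parts[0] != "repo" or len(parts) < 2 or any(c in parts[1] for c in "*?"):
                findings.append(f"statement {i}: sub {sub!r} is not pinned to one repository")
            elif len(parts) < 3 or "*" in ":".join(parts[2:]):
                findings.append(f"statement {i}: sub {sub!r} does not pin a branch or environment")
    return findings


if __name__ == "__main__":
    print(audit_github_oidc_trust(WEAK_TRUST_POLICY))
    print(audit_github_oidc_trust(STRICT_TRUST_POLICY))
```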

Compliance Best Practices

  • Implement sandboxing for all CI/CD build processes to ensure that dependency installation and build scripts execute in an isolated environment with no access to host credentials, environment variables, or the local network.
  • Establish and enforce a security policy that requires all GitHub Personal Access Tokens (PATs) to be fine-grained, repository-specific, and have a maximum expiration of 30 days.
  • Establish a recurring process to review and right-size permissions for all AWS IAM roles used in CI/CD pipelines, ensuring they adhere to the principle of least privilege.
  • Develop and deploy automated alerting within your SIEM to detect high-risk AWS IAM activity, such as the creation of a new role with administrator privileges or the attachment of an 'AdministratorAccess' policy by an automated process.
  • Implement AWS Service Control Policies (SCPs) to create preventative guardrails that deny the creation of IAM roles with 'AdministratorAccess' by any identity other than a designated break-glass security role.
  • Develop a corporate policy that defines approved AI assistant tools for developer use and implement endpoint controls to monitor or block the execution of unauthorized LLM tools on corporate devices.

Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker

An Iran-backed hacktivist group, Handala (also known as Handala Hack Team and linked to Iran's Ministry of Intelligence and Security as Void Manticore), has claimed responsibility for a data-wiping attack against the global medical technology company Stryker. This incident reportedly led to the shutdown of Stryker's offices in 79 countries, the erasure of data from over 200,000 systems, servers, and mobile devices, and sent over 5,000 workers in Ireland home. The attack appears to have leveraged Microsoft Intune to issue a remote wipe command, affecting employee devices and defacing login pages with the Handala logo. The group stated the attack was in retaliation for a February 28 missile strike on an Iranian school, which The New York Times attributed to the United States, and referred to Stryker as a "Zionist-rooted corporation," potentially referencing its acquisition of Israeli firm OrthoSpace. Handala, which emerged in late 2023, is known for hack-and-leak operations primarily targeting Israel, with opportunistic attacks on other entities.

Severity: Critical

Threat Details and IOCs

Malware: BiBi, BiBi-Linux, BiBi-Windows Wiper, BiBi Wiper, ChillWipe, Cl Wiper, CoolWipe, DEADWOOD, Detbosit, DistTrack, GOLD IONIC, Hamsa, Handala, Handala PowerShell Wiper, Handala Wiper, Hatef, Hatef Wiper, INC, Inc. Ransom, INC Ransom, INC Ransomware, Karma Shell, Lynx, Radthief, Red Alert, RedAlert, Rhadamanthus, Rhadamanthys, Rhadamanthys Stealer, Shamoon, W32.DistTrack, win.handala, ZeroCleare
CVEs: CVE-2017-11774, CVE-2018-20250, CVE-2019-0604, CVE-2023-3519, CVE-2023-48788, CVE-2024-30088
Technologies: Apple iOS, Cisco Secure Firewall Management Center, Citrix NetScaler, CrowdStrike, F5 BIG-IP, Fortinet FortiClient EMS, Google Android, Google Chrome, Google Cloud Storage, Google Drive, Linux, Microsoft Active Directory, Microsoft Entra ID, Microsoft Intune, Microsoft SharePoint, Microsoft Windows, Microsoft Windows Server, NetBird, VeraCrypt, VMware ESXi
Threat Actors: 313 Team, Agrius, APT33, APT34, BanishedKitten, Chrysene, CyberAv3ngers, CyberIslamicResistance, Dark Storm Team, DarkStormTeam, DieNet, Elfin, Evil Markhors, EvilMarkhors, FaDTeam, Fatimion, FatimiyounCyberTeam, GoldIonic, Handala, HandalaHack, HandalaHackTeam, Hatef, HomelandJustice, INC, INCRansomware, IslamicCyberResistanceInIraq, MRHELL112, MuddyWater, NoName05716, OilRig, PinkSandstorm, RedSandstorm, ScarredManticore, Seedworm, Serpens, Storm0494, Storm0842, Storm842, Sylhet Gang, SylhetGang, SylhetGangSG, TarnishedScorpius, TheFADTeam, VanillaTempest, VoidManticore
Attacker Countries: Iran, Iraq, Israel, Palestine, Russia, United States
Attacker IPs: 107.189.19.52, 146.185.219.235, 23.254.228.135, 31.57.35.223, 82.25.35.25
Attacker Domains: api.ipify.org, api.ip.sb, api.ra-backup.com, b.barracudacentral.org, bit.ly, cbl.abuseat.org, crowdstrike.com.vc, dnsbl-1.uceprotect.net, handala-hack.to, handala.to, icanhazip.com, ident.me, ip.anysrc.com, ip-api.com, ipecho.net, ipinfo.io, iplogger.org, redalerts.me, spam.dnsbl.sorbs.net, wtfismyip.com, www.myexternalip.com, www.shirideitch.com, zen.spamhaus.org
Attacker URLs: http://icanhazip.com, https://handala-hack.to/693-2/, https://handala-hack.to/handala-new-telegram/, https://handala-hack.to/israel-institute-for-national-security-studies-inss-hacked/, https://handala-hack.to/israeli-weather-stations-crippled/, https://handala-hack.to/jerusalem-water-supply-facilities-hacked/, https://t.me/HANDALA_HPR2, https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip, hxxp://23.254.228.135:80/file.php, hxxp://redalerts.me/app.apk, hxxps://api.ra-backup.com/analytics/submit.php, hxxps://bit.ly/4tWJhQh, hxxps:www.shirideitch.com/wp-content/uploads/2022/06/RedAlert.apk
Attacker Hashes: 19001dd441e50233d7f0addb4fcd405a70ac3d5e310ff20b331d6f1a29c634f0, 2a5dd680c05b43d72365e8beb7e40088, 3236facc7a30df4ba4e57fddfba41ec5, 3cb9dea916432ffb8784ac36d1f2d3cd, 3dfb151d082df7937b01e2bb6030fe4a, 5087a896360f5d99fbf4eb859c824d19eb6fa358387bf6c2c5e836f7927921c5, 5986ab04dd6b3d259935249741d3eff2, 8316065c4536384611cbe7b6ba6a5f12f10db09949e66cb608c92ae8b69e4d67, 96dec6e07229201a02f538310815c695cf6147c548ff1c6a0def2fe38f3dcbc8, e035c858c1969cffc1a4978b86e90a30
Victim Industries: Aerospace, Cloud Infrastructure, Defense, Education, Energy, Financial Services, Government, Healthcare, Industrials, Information Technology, IT Services, Manufacturing, Medical Devices, Military, Multimedia, Oil & Gas, Public Sector, Retail, Telecommunications, Transportation, Utilities, Water & Wastewater
Victim Countries: Albania, Australia, Bahrain, Canada, Costa Rica, Egypt, Iran, Ireland, Israel, Jordan, Kuwait, Lebanon, Qatar, Saudi Arabia, Syria, Thailand, Turkey, United Arab Emirates, United Kingdom, United States

Mitigation Advice

  • Enforce mandatory multi-factor authentication (MFA) for all administrative accounts with access to Microsoft Intune or any other Mobile Device Management (MDM) platform.
  • Review and apply the principle of least privilege to all Microsoft Intune administrative roles, ensuring only a minimal number of highly trusted administrators have permissions for destructive actions like 'remote wipe'.
  • Enable a multi-administrator approval (MAA) feature within your Mobile Device Management (MDM) platform for high-impact actions such as remote device wipes and global policy changes.
  • Conduct an immediate audit of all third-party and service provider accounts, verifying that their access to administrative platforms like Microsoft Intune follows the principle of least privilege.

Compliance Best Practices

  • Implement and regularly test a backup and disaster recovery plan that includes immutable or air-gapped backups for critical enterprise data and infrastructure configurations.
  • Establish a formal Bring-Your-Own-Device (BYOD) policy that utilizes Mobile Application Management (MAM) to containerize corporate data, enabling selective wipes of only company applications and data from personal devices.
  • Configure security monitoring to generate high-priority alerts for anomalous or high-risk activities within your MDM/UEM platform, such as an unusual number of device wipe commands in a short period or modifications to global security policies.
  • Establish a process to consume threat intelligence to stay aware of threat actors like Handala and their tactics, techniques, and procedures (TTPs), particularly those targeting your industry or supply chain.
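
The alerting described in the third item, as an added example that is not part of the digest: a sliding-window detection that raises one alert per actor the first time they issue an unusual number of wipe commands within a short period. The audit records are constructed and their field layout is an assumption for this example, not the Intune audit log schema; the threshold and window are tuning assumptions.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed, simplified MDM audit records: (timestamp, actor, operation, device).
# The layout is an assumption for this example, not the Intune audit log schema.
_BASE = datetime(2026, 3, 12, 2, 0, tzinfo=timezone.utc)
SAMPLE_AUDIT = [
    (_BASE + timedelta(seconds=20 * i), "svc-helpdesk@example.com", "Wipe", f"LAPTOP-{i:04d}")
    for i in range(6)
] + [
    (_BASE - timedelta(hours=3), "it-admin@example.com", "Wipe", "PHONE-0042"),
    (_BASE + timedelta(minutes=1), "it-admin@example.com", "Sync", "PHONE-0044"),
    (_BASE + timedelta(hours=5), "it-admin@example.com", "Wipe", "PHONE-0043"),
]


def wipe_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Alert once per actor the first time they issue `threshold` or more wipe
    commands inside a sliding window; both values are tuning assumptions."""
    recent = {}      # actor -> deque of (timestamp, device) inside the window
    alerted = set()
    alerts = []
    for ts, actor, operation, device in sorted(records, key=lambda r: r[0]):
        if operation.lower() != "wipe":
            continue
        q = recent.setdefault(actor, deque())
        q.append((ts, device))
        while ts - q[0][0] > window:   # drop wipes that fell out of the window
            q.popleft()
        if len(q) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor, "count": len(q),
                           "first": q[0][0].isoformat(), "last": ts.isoformat(),
                           "devices": [d for _, d in q]})
    return alerts


if __name__ == "__main__":
    for alert in wipe_bursts(SAMPLE_AUDIT):
        print(alert)
```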

Authors & Contributors

Brian Sayer (Author)

Threat Intelligence Analyst, F5