Information Security News 3-9-2026


Experts Warn Iran-Linked Hacktivists Could Target Governments

Article Link: https://www.nextgov.com/cybersecurity/2026/03/iran-linked-hacktivists-could-target-governments-experts-warn/411876/

  • Escalating conflict with Iran may increase cyber activity from Iran-backed hacktivist groups against government entities, including state and local governments.
  • While Iran’s cyber capabilities are currently diminished due to the military strikes taking place, government and critical infrastructure must remain aware of the threat presented by hacktivist groups.
  • Hacktivists typically act on their own, but the conflict in the Middle East has loosely united these groups in their attacks. In addition to the cyber threat, some groups are also targeting physical infrastructure, such as data centers, leading to disruptions in services.
  • Additional Information: https://www.cnbc.com/2026/03/03/iran-war-uae-drone-strikes-aws-data-centers.html

Iran-Linked MuddyWater Hackers Target U.S. Networks with New Dindoor Backdoor

Article Link: https://thehackernews.com/2026/03/iran-linked-muddywater-hackers-target.html

  • Researchers at Symantec and Carbon Black identified a backdoor used by an Iranian-linked hacking group to target banks, airports, and other organizations.
  • The attack exploits a previously unknown backdoor in Deno, a commonly used JavaScript runtime. The campaign began before the current military conflict, which suggests Iranian actors may already have a presence inside some U.S.-based organizations.
  • MuddyWater is primarily known for espionage operations. However, because the full scope of the campaign is still unknown, the ongoing conflict could increase the level of threat.

Indian APT ‘Sloppy Lemming’ Targets Defense, Critical Infrastructure

Article Link: https://www.darkreading.com/threat-intelligence/india-apt-sloppy-lemming-defense-critical-infrastructure

  • An Indian threat group known as Sloppy Lemming has started targeting defense firms and critical infrastructure. The group has evolved from a malware-as-a-service approach to developing its own malicious tooling.
  • Sloppy Lemming originally leveraged tools such as Cobalt Strike; however, recent attacks on critical infrastructure have used custom-built tools. The group also relies on social engineering, using malicious PDFs and macro-enabled Excel documents to gain access to systems.
  • Other India-based threat groups use similar tactics, while Sloppy Lemming focuses its attacks on nuclear-regulatory groups, defense firms, and critical infrastructure in Southeast Asia.
  • Link to Additional Information: https://arcticwolf.com/resources/blog/sloppylemming-deploys-burrowshell-and-rust-based-rat-to-target-pakistan-and-bangladesh/

Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited

Article Link: https://www.securityweek.com/recent-cisco-catalyst-sd-wan-vulnerability-now-widely-exploited/

  • Four recently identified vulnerabilities in Cisco Catalyst SD-WAN are now being used in large-scale attacks instead of small, targeted ones.
  • The exploits allow malicious actors to elevate privileges in the system, access information, and manipulate or create files on the system.
  • The use of these attacks is growing and has spread around the world. It affects all Catalyst SD-WAN systems, including both on-premises and cloud environments.
  • Companies utilizing Catalyst SD-WAN are advised to consider their system compromised unless explicitly proven otherwise.
  • FRSecure recommends conducting Threat Hunting activities immediately to identify any potentially unwanted or malicious activity within your environment.
    • Please use the CISA ED 26-03 Hunt and Hardening Guidance.
    • If you are in need of Threat Hunting assistance or believe you may be dealing with an active incident, please contact CSIRT@FRSECURE.COM

Threat Actors Use New Malware to Breach Air-gapped Networks

Article Link: https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/

  • Hackers linked to North Korea are using USB drives and other removable media to breach air-gapped networks. Users unknowingly open a malicious file on the drive, which automatically activates the attack.
  • The payload turns the removable media into a command-and-control relay, allowing the threat actor to interact with the system.
  • The malware can spread through the air-gapped environment by copying itself onto other removable drives, replacing safe files with infected ones.
  • Link to Additional Information: https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks

‘You can’t separate the physical from the cyber,’ says New York’s First Security and Intelligence Director

Article Link: https://statescoop.com/new-york-colin-ahern-security-intelligence-director/

  • New York established a new Director of Security and Intelligence position to unify and strengthen the state’s security strategy. Colin Ahern, former Chief Cyber Officer, was promoted into the role and emphasized the importance of a cohesive strategy between digital and physical security.
  • This role will oversee the protection of all levels of government, pushing for “prescriptive, forward-looking legislation” that will improve protections across digital and physical environments.
  • Governor Kathy Hochul noted that the creation of this position was driven by the increasing sophistication and aggressiveness of malicious actors, making it the first role of its kind in the nation.

OAuth Redirection Logic Used to Deliver Malware and Steal Credentials

Article Link: https://www.helpnetsecurity.com/2026/03/03/attackers-abusing-oauth-redirection-phishing-malware/

  • A phishing campaign, with a slightly different attack path from Evilginx, is using the OAuth protocol to target organizations and deliver malware or steal credentials.
  • The attack starts with an email containing a link that appears to point to a Microsoft or Google login page. The link brings victims to a legitimate OAuth sign-in before a redirect sends them to a malicious site.
  • This campaign is primarily targeting government and public-sector organizations. It can circumvent traditional security protections like email filters and browser safeguards.
  • Additional Information: https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/

Ransomware Attack Exposes 1.2 million University of Hawaii Cancer Center Records

Article Link: https://www.scworld.com/news/ransomware-attack-exposes-1-2-million-university-of-hawaii-cancer-center-records

  • The University of Hawaii’s Cancer Center revealed that a ransomware attack last summer exposed sensitive information, including Social Security numbers and driver’s license details of roughly 1.2 million people.
  • The attack, which occurred in August 2025, was first believed to only affect research operations, but an archive of data spanning over 30 years was also compromised.
  • The encryption used by the attackers was so extensive that recovering the systems and assessing the full impact took considerable time.
  • Investigators found that inadequate data retention practices and the absence of a full inventory slowed the response, as the University could not determine what data was affected until systems were decrypted.
