Today’s roundup
U.S. CISA adds Ivanti EPM, SolarWinds, and Omnissa Workspace One flaws to its Known Exploited Vulnerabilities catalog
Russia-linked hackers target Signal, WhatsApp of officials globally
APT28 Uses BEARDSHELL and COVENANT Malware to Spy on Ukrainian Military
UNC4899 Breached Crypto Firm After Developer AirDropped Trojanized File to Work Device
Threat Actors Mass-Scan Salesforce Experience Cloud via Modified AuraInspector Tool
Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials
Microsoft to enable Windows hotpatch security updates by default
New White House cyber strategy pledges to ease regulations, ‘impose costs’ on bad actors
Ericsson US discloses data breach after service provider hack
FBI alert: scammers target zoning permit applicants
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Ivanti EPM authentication bypass (CVE-2026-1603), SolarWinds Web Help Desk RCE (CVE-2025-26399), and Omnissa Workspace One UEM SSRF (CVE-2021-22054). Federal agencies are mandated to patch these by mid-March 2026.
Dutch intelligence agencies warn of a Russian state-sponsored campaign to hijack Signal and WhatsApp accounts of global government and military officials. Attackers exploit 'linked devices' via phishing or malicious QR codes to gain persistent access to sensitive communications.
Russian state-sponsored APT28 is deploying new malware, BEARDSHELL together with a custom Covenant framework, for long-term surveillance of Ukrainian military personnel. This espionage activity has been active since April 2024.
North Korean threat actor UNC4899 is linked to a 2025 cloud compromise of a cryptocurrency organization, stealing millions. The breach originated when a developer AirDropped a trojanized file from a personal to a work device.
Salesforce warns of active exploitation of misconfigured Experience Cloud sites. Threat actors are mass-scanning with a modified AuraInspector tool and gaining unauthorized access to data; the ShinyHunters group has also claimed active data theft.
A malicious npm package, '@openclaw-ai/openclawai', was discovered on March 3, 2026, masquerading as an OpenClaw installer. It deploys a remote access trojan (RAT) and steals macOS credentials, having been downloaded 178 times.
Microsoft announced it will enable hotpatch security updates by default for eligible Windows devices managed via Microsoft Intune and the Microsoft Graph API. This change, starting with the May 2026 Windows security update, aims to streamline updates and reduce system reboots.
The Trump administration unveiled a new National Cyber Strategy, emphasizing a shift towards preemption and deterrence in handling cyber threats. The strategy pledges to ease regulations and increase offensive cyber actions against criminal networks and adversarial governments.
Ericsson Inc., the U.S. subsidiary of the telecommunications giant, disclosed a data breach affecting over 15,000 employees and customers. The incident resulted from attackers compromising one of Ericsson's service providers, highlighting supply chain security risks.
The FBI warns of an emerging phishing scheme in which criminals impersonate U.S. city and county officials to target zoning permit applicants. They use publicly available permit information to send fake invoices that demand urgent payment through digital payment methods, bypassing normal verification.
Want to dig deeper?
Cyber Groups
| APT28 | IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch |
Malware Families