Threat Newsletter March 30, 2026

This week’s newsletter focuses on urgent patching and active exploitation: critical Citrix NetScaler and Cisco FMC issues (including a ransomware-linked zero-day), plus Quest KACE and Oracle fixes.

It also highlights disruption of a huge router proxy botnet, Russia-aligned phishing targeting Signal/WhatsApp accounts, and a major Trivy GitHub Actions supply-chain compromise stealing CI/CD secrets—alongside broader breach/leak claims and elevated mobile risk from leaked iOS exploit tooling.

NetScaler Under Fire Again: Critical Memory Overread Lets Attackers Leak Data

Citrix released fixes for a critical NetScaler (ADC/Gateway) vulnerability that could let an unauthenticated attacker read out-of-bounds memory and potentially leak sensitive data from the appliance.

Key Takeaways:

Patch NetScaler urgently: Citrix shipped updates for two flaws; one is critical (CVE-2026-3055, CVSS 9.3) with potential unauthenticated data leakage.

Affected versions (per the advisory coverage):

  • NetScaler ADC/Gateway 14.1 before 14.1-66.59
  • NetScaler ADC/Gateway 13.1 before 13.1-62.23
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262

Don’t assume “not exploited yet” means “safe”: even if there’s no confirmed in-the-wild exploitation at the time of reporting, NetScaler devices are routinely targeted and exploitation is considered likely.

Quick self-check strings (from Citrix guidance):

  • SAML IdP profile: add authentication samlIdPProfile .*
  • AAA vserver: add authentication vserver .*
  • Gateway: add vpn vserver .*

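As an added example (not Citrix guidance or code from the newsletter), the script below applies both triage steps above to a NetScaler config dump: it looks for the three self-check strings in ns.conf and compares the appliance's reported build against the fixed builds listed for each branch. The ns.conf excerpt is constructed, the version-string layout ("major.minor-build.point") is an assumption, and the FIPS/NDcPP flag is something the caller has to supply because those images ship on their own 13.1-37.x train.

```python
import re

# Fixed builds per NetScaler branch, as listed in the advisory summary above
# (a build strictly lower than these is unpatched).
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),
    "13.1-NDcPP": (37, 262),
}

# Citrix's self-check strings: any of these in ns.conf means the appliance
# is in an affected configuration.
AFFECTED_CONFIG_PATTERNS = {
    "SAML IdP profile": re.compile(r"^add authentication samlIdPProfile .*", re.M),
    "AAA vserver": re.compile(r"^add authentication vserver .*", re.M),
    "Gateway vserver": re.compile(r"^add vpn vserver .*", re.M),
}

# Assumed version-string layout: "<major>.<minor>-<build>.<point>", e.g. "14.1-66.59".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str):
    """Split '14.1-66.59' into ('14.1', (66, 59)); raise on anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable_build(version: str, fips_or_ndcpp: bool = False) -> bool:
    """True when the build is older than the fixed build for its branch.

    FIPS and NDcPP images are fixed at 13.1-37.262, not 13.1-62.23, so the
    caller must say which image is running (assumption: read from the
    appliance's platform/licence information).
    """
    branch, build = parse_version(version)
    key = "13.1-FIPS" if (fips_or_ndcpp and branch == "13.1") else branch
    if key not in FIXED_BUILDS:
        raise ValueError(f"branch {branch} is not covered by this advisory table")
    return build < FIXED_BUILDS[key]


def affected_features(ns_conf: str) -> list:
    """Names of the Citrix self-check patterns present in a config dump."""
    return [name for name, pat in AFFECTED_CONFIG_PATTERNS.items() if pat.search(ns_conf)]


def assess(version: str, ns_conf: str, fips_or_ndcpp: bool = False) -> dict:
    """Combine the build check and the config check into one triage verdict."""
    vulnerable = is_vulnerable_build(version, fips_or_ndcpp)
    features = affected_features(ns_conf)
    if vulnerable and features:
        action = "PATCH NOW: unpatched build in an affected configuration"
    elif vulnerable:
        action = "Patch in the next window: unpatched build, no affected feature configured"
    else:
        action = "Fixed build; no action for this advisory"
    return {"vulnerable_build": vulnerable, "affected_features": features, "action": action}


# Constructed ns.conf excerpt (not from a real appliance) with a Gateway and an AAA vserver.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add vpn vserver gw_vs SSL 10.0.0.10 443
add authentication vserver aaa_vs SSL 10.0.0.11 443
add lb vserver web_vs HTTP 10.0.0.12 80
"""

if __name__ == "__main__":
    for ver in ("14.1-65.10", "14.1-66.59"):
        print(ver, assess(ver, SAMPLE_NS_CONF))
```

The config check is only a configuration-exposure test, not proof of compromise; an appliance on an unpatched build with none of the three features still needs the update in the next window.
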
Citrix urges admins to patch NetScaler flaws as soon as possible
Citrix has patched two NetScaler ADC and NetScaler Gateway vulnerabilities, one of which is very similar to the CitrixBleed and CitrixBleed2 flaws exploited in zero-day attacks in recent years.

Cisco FMC Under Active Zero‑Day Exploitation: Interlock Ransomware Gets Root

Amazon Threat Intelligence reported active exploitation tied to the Interlock ransomware operation targeting Cisco Secure Firewall Management Center (FMC). The campaign abuses CVE‑2026‑20131 (CVSS 10.0), an insecure deserialization flaw that enables an unauthenticated attacker to bypass authentication and execute arbitrary Java code as root.

Key Takeaways:

What happened: Interlock ransomware is actively exploiting Cisco FMC via CVE‑2026‑20131.

Why it’s serious: Pre-auth remote code execution as root (no login required) with a CVSS of 10.0.

Timeline: Observed as a zero-day from Jan 26, 2026—weeks before Cisco publicly disclosed it.

Post-exploit behavior: The attack chain includes outbound callbacks and downloading additional payloads/tools for recon and control (including custom RATs and scripts).

Defense:

  • Patch/upgrade Cisco FMC to a fixed release immediately.
  • Hunt for compromise indicators and unusual outbound traffic from FMC.
  • Review environments for unauthorized ScreenConnect installs (used for persistence in the campaign).
  • Lean on defense-in-depth controls because patching alone can’t protect during zero-day windows.

Ransomware gang exploits Cisco flaw in zero-day attacks since January
The Interlock ransomware gang has been exploiting a maximum severity remote code execution (RCE) vulnerability in Cisco’s Secure Firewall Management Center (FMC) software in zero-day attacks since late January.

Law Enforcement Seizes SocksEscort: Massive Router Botnet Powering Criminal Proxy Service

A global law enforcement coalition seized infrastructure used by SocksEscort, a criminal paid proxy service that was powered by a botnet of hacked home and small business routers.

Key Takeaways:

What it was: SocksEscort was a paid criminal proxy network built on hijacked routers/IoT devices.

Why it matters: It let criminals mask their IPs to enable downstream crimes (the DOJ and Europol cited fraud; Europol also cited ransomware, DDoS, and facilitation of CSAM distribution).

Scale: Europol alleged more than 369,000 compromised routers/IoT devices across 163 countries.

Action taken: Coordinated law enforcement operation seized/disrupted the service; infected routers were disconnected and the site was replaced with a seizure banner.

Malware link: The botnet was powered by AVRecon (per Black Lotus Labs), which tracked the operation and supported the takedown.

Defender takeaway: SOHO routers remain high-value “quiet” infrastructure for proxy botnets—reduce exposure by patching firmware, disabling remote admin, using strong unique credentials, and monitoring for unusual outbound traffic from edge devices.

Law enforcement shuts down botnet made of tens of thousands of hacked routers | TechCrunch
An international law enforcement operation shut down a service called SocksEscort, which allegedly helped cybercriminals all over the world launch ransomware and DDoS attacks, as well as distribute child sexual abuse material.

WorldLeaks “Names” Los Angeles as Victim in Data Leak Operation (779 Files, 159.9GB)

WorldLeaks (an extortion-focused ransomware group) claimed it breached the City of Los Angeles and added it to its leak site on March 20, 2026, alleging theft of about 159.9 GB of data across 779 files.

Key Takeaways:

Claim: WorldLeaks says Los Angeles was breached and data was stolen (779 files / 159.9 GB).

Extortion model: The group focuses on data theft + leak pressure (not necessarily encrypting systems).

Attribution note: WorldLeaks reportedly emerged after rebranding from Hunters International.

Real-world impact: Public-sector targets can see service disruption and emergency measures even when core services continue running.

What defenders should do: Treat leak-site claims as potential compromise signals—validate via incident response, scope possible data access/exfiltration, and monitor for follow-on extortion or secondary intrusions.

WorldLeaks group breached the City of Los Angeles
WorldLeaks group hit Los Angeles and its Metro system, forcing a shutdown, while two Bay Area cities declared emergencies after the attacks

CISA/FBI Alert: Russia-Aligned Actors Target High-Value Signal and WhatsApp Users

Threat actors linked to Russian intelligence services are running phishing campaigns aimed at taking over commercial messaging app accounts, specifically Signal and WhatsApp, according to a joint CISA/FBI warning.

Key Takeaways

Not an encryption break: The compromise happens via phishing/social engineering, not by cracking Signal/WhatsApp encryption.

Who’s targeted: High-value individuals (government, military, political figures, journalists).

Common lures: Messages posing as “support” (e.g., “Signal Support”) claiming suspicious login activity and urging urgent action.

Two main outcomes:

  • If a victim shares a verification code/PIN: attacker can recover the account; victim may lose access; attacker can monitor new messages and impersonate the victim.
  • If a victim scans a QR code/clicks a link: an attacker device gets linked, potentially giving access to message history while the victim may not notice immediately.

Best defenses (simple):

  • Never share SMS verification codes or app PINs with anyone.
  • Treat “support” outreach via DM/SMS/social as a scam.
  • Regularly check “linked devices” in Signal/WhatsApp and remove anything unfamiliar.
  • Be cautious with unexpected links/QR codes, even if they appear to come from a known contact.

FBI links Signal phishing attacks to Russian intelligence services
The FBI has issued a public service announcement warning that Russian intelligence-linked threat actors are actively targeting users of encrypted messaging apps such as Signal and WhatsApp in phishing campaigns that have already compromised thousands of accounts.

Patch Now: Quest KACE SMA Auth Bypass (CVE‑2025‑32975) Under Active Exploitation

A newly observed campaign is targeting internet-exposed, unpatched Quest KACE Systems Management Appliance (SMA) instances by exploiting CVE‑2025‑32975, a critical authentication bypass (CVSS 10.0).

Key Takeaways:

What’s being exploited: CVE‑2025‑32975 (CVSS 10.0), an auth bypass in Quest KACE SMA tied to SSO authentication handling.

Impact: Unauthenticated attacker can impersonate users/admins → potential full administrative compromise.

Who’s at risk: Unpatched, internet-facing KACE SMA instances (activity observed starting week of March 9, 2026).

Patch targets (fixed versions): 13.0.385, 13.1.81, 13.2.183, 14.0.341 (Patch 5), 14.1.101 (Patch 4).

Gotcha for 13.x: Quest advises the 13.x security hotfix must be re-applied after full 13.x upgrades to remain protected.

Immediate actions:

  • Verify all KACE SMA versions and upgrade to the fixed builds.
  • Remove/limit public exposure of SMA management interfaces.
  • Assume exposed + unpatched systems may be compromised and investigate accordingly.

Hackers Exploit CVE-2025-32975 to Hijack Unpatched Quest KACE SMA Systems
Hackers are exploiting CVE-2025-32975, a critical Quest KACE SMA authentication bypass flaw with CVSS 10.0, allowing admin takeover of unpatched systems.

Oracle Warns of Critical Remote Code Execution Bug in Identity Manager, Urges Immediate Updates

Oracle released an out-of-band (emergency) security update to fix a critical unauthenticated remote code execution vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager (CVE‑2026‑21992).

Key Takeaways

Vulnerability: CVE‑2026‑21992 (CVSS 9.8) — unauthenticated remote code execution.

Affected products/versions:

  • Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0
  • Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0

Exploit conditions: Remote over HTTP, no auth, no user interaction, low complexity → prioritize patching fast, especially if internet-exposed.

Patch type: Out-of-band “Security Alert” release (used for critical / potentially urgent issues outside normal patch cycles).

Exploitation status: Oracle did not confirm whether it’s being exploited and declined to comment on exploitation when asked.

Action items:

  • Apply the Security Alert update/mitigations ASAP.
  • Confirm you’re on a supported version line (Premier/Extended Support) so you can receive fixes.
  • Identify any exposed OIM/WSM endpoints and reduce exposure where possible until patched.

Oracle pushes emergency fix for critical Identity Manager RCE flaw
Oracle has released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager tracked as CVE-2026-21992.

Microsoft Pulls Back Copilot: Fewer AI Entry Points in Windows 11 Apps

Microsoft is dialing back how aggressively Copilot is embedded across Windows 11, saying it wants to “integrate AI where it’s most meaningful.” The rollback reduces Copilot entry points and integrations in some built-in apps—starting with Photos, Widgets, Notepad, and the Snipping Tool—after growing user pushback about “AI bloat” and ongoing trust/safety concerns.

Key Takeaways

What changed: Microsoft is reducing Copilot integrations/entry points in multiple Windows 11 apps (Photos, Widgets, Notepad, Snipping Tool).

Why: A “less-is-more” approach in response to feedback and concerns about AI being forced into every workflow (trust, privacy, safety).

This isn’t isolated: Reports suggest some deeper Copilot-branded system integrations (e.g., Settings/File Explorer) were also being reconsidered/shelved.

Recall context: Microsoft previously delayed Windows Recall for privacy concerns; even after launch, security issues continued to surface—adding to the “be more careful with AI” narrative.

Big picture: Microsoft is reframing Copilot as optional/targeted utility rather than constant OS-wide presence, while also shipping traditional usability improvements.

Microsoft rolls back some of its Copilot AI bloat on Windows | TechCrunch
The company is reducing Copilot entry points on Windows, starting with Photos, Widgets, Notepad, and other apps.

Major iPhone Hacking Toolkit Leaks Online, Raising Mass Exploitation Fears

Security researchers say two powerful iPhone/iPad hacking toolkits, dubbed Coruna and DarkSword, have been used in real-world attacks to steal sensitive data from Apple devices (messages, browser data, location history, and even cryptocurrency).

Key Takeaways

What happened: Part of the DarkSword iOS exploit toolkit leaked online, lowering the barrier for broader abuse.

Why it matters: These are data-theft-focused iPhone/iPad exploit chains, not just “research code.”

Who’s at risk: People running out-of-date iOS/iPadOS (potentially hundreds of millions of devices, given how many don’t run the latest iOS).

Update guidance (as cited): iVerify recommended updating to iOS 18.7.6 or iOS 26.3.1 to mitigate the exploited vulnerabilities; Apple said fully up-to-date supported versions are protected.

Extra protection option: Lockdown Mode (opt-in) can block the specific attack techniques described—most relevant for high-risk users (journalists, dissidents, targeted individuals).

Practical defender takeaway: Treat “update iOS now” as the primary control; after a public leak, opportunistic scanning and mass exploitation attempts tend to spike against unpatched populations.

A major hacking tool has leaked online, putting millions of iPhones at risk. Here’s what you need to know. | TechCrunch
Here’s what we know, and what you need to know, about Coruna and DarkSword, two advanced iPhone hacking tools discovered by security researchers. DarkSword has now leaked online.

Google Threat Intelligence Adds AI Dark Web Monitoring to Reduce False Positives

Google announced a new “dark web intelligence” capability inside Google Threat Intelligence that uses Gemini to process massive volumes of dark web activity and surface the threats most relevant to a specific organization.

Key Takeaways

Problem being addressed: Dark web monitoring often creates heavy noise/false positives; teams need relevance, not more alerts.

What’s new: Gemini-powered dark web intelligence in Google Threat Intelligence that analyzes millions of events daily and elevates only what matches your business context.

Key differentiator: It can autonomously build and maintain an “org profile” (business/mission context) so you don’t have to constantly manage keyword lists.

Better detection of oblique mentions: Can identify likely references to your org/subsidiaries even when threat actors avoid using exact brand names.

Outcome: Faster warning on early-stage threat activity (e.g., access-for-sale posts) so defenders can act before an intrusion escalates.

Human + AI: GTIG analyst context is positioned as complementing Gemini’s scale, helping keep results grounded and actionable.

Bringing dark web intelligence into the AI era | Google Cloud Blog
To get teams the critical data they need to make quick, accurate decisions about rising threats, we’re introducing a new dark web intelligence capability in Google Threat Intelligence.

Supply Chain Alert: Trivy GitHub Actions Hijacked to Exfiltrate Pipeline Secrets

Trivy’s GitHub ecosystem was hit by another supply chain compromise in March 2026, this time targeting the official GitHub Actions used to run Trivy scans in CI/CD.

Key Takeaways

What happened: Official Trivy GitHub Actions were compromised; attackers force-moved tags to malicious code (tag poisoning).

Why it’s dangerous: Many pipelines pin actions by tags (e.g., v0.34.2)—those tags were rewritten to point to malware, turning “trusted” references into a delivery mechanism.

Scale of tag hijack: 75/76 tags in trivy-action were force-pushed (and multiple tags in setup-trivy were also force-pushed).

What the malware steals: Secrets from CI/CD runners like SSH keys, cloud/provider creds, database creds, Git/Docker configs, Kubernetes tokens, and more.

Exfil/fallback: Data was exfiltrated to an attacker domain (scan.aquasecurtiy) and IP (45.148.10[.]212); if exfil failed, it could use a stolen GitHub PAT to create/use a repo named tpcp-docs to stage the data.

Root cause: Credential compromise + incomplete containment from a prior Trivy-related incident earlier in the month (tokens rotated non-atomically).

What to do:

  • Assume compromise if you used affected action tags; rotate all pipeline secrets immediately.
  • Update to known safe releases (as recommended in the reporting): trivy 0.69.3, trivy-action v0.35.0, setup-trivy v0.2.6.
  • Hunt for tpcp-docs repos in your org and block the exfil domain/IP.
  • Long-term: pin GitHub Actions to immutable commit SHAs, not tags.

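As an added example (not code from the Trivy project or the newsletter), the audit script below does the two things the tag-poisoning story calls for: it lists every `uses:` reference in a workflow file, flags references to the affected actions that are still pinned by a mutable tag, and distinguishes them from full-commit-SHA pins, which a force-pushed tag cannot redirect. The workflow text is constructed; the `aquasecurity/` owner prefix is assumed from the project's public GitHub org; the 40-hex SHA is a placeholder, not a real Trivy commit; and the safe tags are the ones the reporting recommends.

```python
import re

# Affected actions and the release tags the reporting recommends moving to.
# Owner prefix is assumed from the Trivy project's public GitHub organisation.
AFFECTED_ACTIONS = {
    "aquasecurity/trivy-action": "v0.35.0",
    "aquasecurity/setup-trivy": "v0.2.6",
}

# Matches `uses: owner/repo[/subpath]@ref` (assumption: one step reference per line).
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(?:/[^@\s]+)?@([^\s#]+)",
    re.M,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_commit_sha(ref: str) -> bool:
    """A full 40-hex SHA is immutable; tags and branch names can be force-moved."""
    return bool(SHA_RE.match(ref))


def find_action_refs(workflow_text: str) -> list:
    """All (action, ref) pairs used by the workflow, in file order."""
    return [(m.group(1), m.group(2)) for m in USES_RE.finditer(workflow_text)]


def audit_workflow(workflow_text: str) -> list:
    """One finding per step reference, with a recommendation for each."""
    findings = []
    for action, ref in find_action_refs(workflow_text):
        pinned = is_commit_sha(ref)
        affected = action in AFFECTED_ACTIONS
        if affected and not pinned:
            recommendation = (
                "assume compromise and rotate pipeline secrets; move to "
                f"{AFFECTED_ACTIONS[action]} (or later) and pin its commit SHA"
            )
        elif not pinned:
            recommendation = "pin to a full commit SHA instead of a mutable tag"
        else:
            recommendation = "ok: immutable ref"
        findings.append({
            "action": action,
            "ref": ref,
            "pinned": pinned,
            "affected": affected,
            "recommendation": recommendation,
        })
    return findings


# Constructed workflow: one tag-pinned Trivy step (the risky form) and one
# SHA-pinned step. The 40-hex value is a PLACEHOLDER, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@v0.34.2
        with:
          scan-type: fs
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f['action']}@{f['ref']}: {f['recommendation']}")
```

Run it over every file under `.github/workflows/` in each repository. A SHA pin only protects against a tag being rewritten after the fact; it does not help if the pinned commit was itself pushed by the attacker, so the SHA you adopt should come from a release you have verified, not from whatever the tag currently resolves to.
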
Trivy vulnerability scanner breach pushed infostealer via GitHub Actions
The Trivy vulnerability scanner was compromised in a supply-chain attack by threat actors known as TeamPCP, which distributed credential-stealing malware through official releases and GitHub Actions.

Cl0p Targets Mazda: Oracle ERP Compromise Could Expose Global Manufacturing Records

Cl0p claimed it breached Mazda and gained access to internal systems, alleging the intrusion was part of a broader exploitation campaign targeting Oracle E‑Business Suite (ERP) environments.

Key Takeaways

Who/what: Cl0p claims it compromised Mazda and exfiltrated internal data.

Likely entry point (claimed): Exploitation of an Oracle E‑Business Suite “zero-day” campaign targeting ERP systems.

Why ERP breaches are severe: ERP platforms can contain high-value engineering files, prototype documentation, manufacturing processes, supplier agreements, logistics data, and corporate records.

Potential impact: Exposure of automotive IP and global manufacturing/supply-chain information could create long-term competitive and operational risk (not just short-term IT disruption).

Defender lesson: Treat internet-exposed ERP systems as high-risk Tier-0 assets—prioritize patching, segmentation, strict access controls, and monitoring for abnormal access/exfiltration patterns.

Mazda Data Breach Exposes Confidential Automotive Engineering Files and Sensitive Global Manufacturing Records
The Mazda data breach leaked confidential engineering documents, ERP archives, and sensitive manufacturing data impacting global automotive operations.

FCC Moves to Block New Overseas-Made Consumer Routers Amid China-Linked Hacking Fears

The FCC issued an order banning the import of new consumer-grade routers manufactured overseas, citing cybersecurity and national security risks. The agency says foreign-made routers have been repeatedly exploited by hackers to compromise home and small business networks, support cybercrime/surveillance, and fuel botnets and DDoS attacks.

Key Takeaways

What happened: FCC ordered a ban on importing new overseas-made consumer routers.

Scope: New devices only; existing routers/imports already in-country aren’t affected.

Why: Routers are high-value targets and have been exploited for household/network compromise, surveillance, and botnet/DDoS activity.

Threat framing: FCC tied the move to national security concerns and China-linked cyber activity (Volt/Salt/Flax Typhoon).

Exceptions: Possible if DoD or DHS approves.

Important caveat: FCC reportedly did not present evidence that domestically made routers are more secure than foreign-made ones.

FCC bans import of new consumer routers made overseas, citing security risks | TechCrunch
The FCC ban will affect the import of all new, foreign-made consumer routers, the agency’s head Brendan Carr said.

ShinyHunters Breaches Infinite Campus Salesforce Helpdesk, Not Core Student Systems

Infinite Campus told K‑12 technology leaders about a cyber incident that Infinite Campus leadership later described as a fast “smash and grab” attributed to ShinyHunters.

Key Takeaways

What was hit: Salesforce support/ticketing system (helpdesk), not Infinite Campus’ core student information databases.

How it happened: Vishing + fake login domain → employee entered credentials → attackers accessed Salesforce and exported reports/tickets.

Why districts got broad alerts: Nearly every district may have current or historical tickets in the system, so scope had to be validated via audit.

Data at risk: Anything ever placed into support tickets or related exports (could include PII if districts put it in tickets).

Operational lesson: Stop putting plain-text student PII (names, IDs, etc.) into vendor support tickets—helpdesks become a secondary data store attackers can raid.

What districts should do now:

  • Ask the vendor to confirm whether your district’s tickets/data were in the exported set.
  • Treat any credentials/API keys that might have been included in tickets as compromised and rotate them.
  • Review internal processes for third-party/vendor risk and strengthen staff awareness against vishing/social engineering.

Infinite Campus Salesforce Breach: What K-12 Districts Need to Know - K12TechPro
The Infinite Campus Salesforce breach by ShinyHunters targeted K-12 support data. Get the full attack timeline and 3 essential takeaways for K-12 IT security.

Major Cybercrime Forum LeakBase Hit as Suspected Admin Taken Into Custody

Russian authorities arrested the alleged administrator of LeakBase, a major international cybercrime forum used as a marketplace for stolen data.

Key Takeaways

What happened: Alleged LeakBase admin arrested; infrastructure and devices seized for forensics.

Why it matters: LeakBase was a high-scale “marketplace” that helped criminals buy/sell stolen data and coordinate follow-on attacks.

Scale (claimed by MVD): Hundreds of millions of stolen records; ~147,000 users.

What investigators want from the seizure: Identify moderators, top sellers/buyers, and trace major leaks to additional actors.

Impact expectation: This disrupts data-trading efficiency short-term, but users will likely migrate to other forums over time.

Defender value: Seized backend data can enable new victim notifications, better attribution, and new indicators/leads for ongoing investigations.

LeakBase Hacker Forum Admin Arrested by Russian Authorities
The operation was carried out by officers from the Ministry of Internal Affairs (MVD) in coordination with regional security services in Rostov.

Third-Party Support Agent Compromise Leads to Alleged Crunchyroll Ticket Data Leak

Crunchyroll says it’s investigating breach claims after a threat actor alleged they accessed customer data by compromising a third-party support agent’s Okta single sign-on account.

Key Takeaways:

Likely impact area: Support-ticket data, not necessarily core Crunchyroll production systems (Crunchyroll says it appears “primarily limited” to customer service ticket data).

Initial access (claimed): Compromised Okta SSO account of a third-party support agent (BPO/vendor risk).

Data involved: Zendesk ticket records; alleged 6.8M unique emails, plus names/usernames, IP addresses, rough location, and ticket contents.

Credit card angle: Card data exposure appears to be mostly cases where customers voluntarily pasted payment details into tickets (not a direct payment system dump).

Risk to users: Phishing/social engineering risk increases because support tickets can contain high-trust context and account-related details.

Immediate defensive actions (practical):

  • Treat any emails referencing Crunchyroll “support” with extra suspicion.
  • If you ever shared sensitive info in a ticket, monitor accounts/payment methods and change reused passwords.
  • For orgs: tighten vendor access (least privilege), enforce strong MFA/phishing-resistant auth, and reduce sensitive data in tickets via redaction + policy.

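Both the Infinite Campus and Crunchyroll items above come down to the same control: a helpdesk is a secondary data store, so anything sensitive pasted into a ticket should be redacted before it is stored. The following is an added example (not Crunchyroll's, Zendesk's, or the newsletter's code) of a ticket-ingest filter that masks payment card numbers and e-mail local parts. Card candidates are confirmed with the Luhn check so that order numbers and other long digit runs are left alone. The ticket text is constructed; a district-specific student-ID pattern would be added as another redactor, but none is included here because that format is organisation-specific.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_card_numbers(text: str) -> tuple:
    """Mask Luhn-valid card numbers, keeping only the last four digits.

    Returns (redacted_text, number_of_cards_masked).
    """
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return f"[REDACTED-CARD-{digits[-4:]}]"
        return m.group(0)  # e.g. an order number that fails Luhn stays as-is

    return CARD_CANDIDATE_RE.sub(repl, text), count


def redact_emails(text: str) -> tuple:
    """Keep the domain (useful for routing) but mask the local part."""
    count = 0

    def repl(m):
        nonlocal count
        count += 1
        local, domain = m.group(1), m.group(2)
        return f"{local[0]}***@{domain}"

    return EMAIL_RE.sub(repl, text), count


def redact_ticket(text: str) -> tuple:
    """Apply every redactor; returns (clean_text, counts_by_category)."""
    text, cards = redact_card_numbers(text)
    text, emails = redact_emails(text)
    return text, {"card": cards, "email": emails}


# Constructed ticket body (no real customer data; 4111... is a standard test PAN).
SAMPLE_TICKET = (
    "Hi, my card 4111 1111 1111 1111 (exp 12/28) was charged twice for "
    "order 1234567890123. Please reply to jane.doe@example.com."
)

if __name__ == "__main__":
    clean, counts = redact_ticket(SAMPLE_TICKET)
    print(clean)
    print(counts)
```

Run the filter at the point where ticket text enters the helpdesk (webhook, e-mail gateway, or form handler) rather than at export time, so the unredacted value never reaches the ticket store that an attacker with a compromised agent account would be exporting.
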
Crunchyroll probes breach after hacker claims to steal 6.8M users’ data
Popular anime streaming platform Crunchyroll is investigating a breach after hackers claimed to have stolen personal information for approximately 6.8 million people.
