Major Data Breaches
LexisNexis Data Breach: Legacy Data Exposed, Government Accounts Impacted
LexisNexis Legal & Professional, a global provider of legal and business analytics, confirmed a significant data breach after the threat actor “FulcrumSec” leaked approximately 2GB of internal files online. The attackers reportedly exploited the React2Shell vulnerability in an unpatched React frontend application, gaining access to the company’s AWS infrastructure on February 24, 2026. The breach exposed legacy data, including customer names, user IDs, business contact information, and survey responses, primarily from before 2020. Notably, the attackers claim to have accessed 3.9 million records, including about 400,000 user profiles and over 100 accounts with .gov email addresses—encompassing U.S. government employees, federal judges, and Department of Justice attorneys. LexisNexis asserts that no sensitive PII, financial data, or active passwords were compromised, and that the incident has been contained. The company has engaged a leading cybersecurity forensic firm and notified law enforcement [1][2].
- Attack vector: React2Shell vulnerability in an unpatched React app
- Data exposed: Legacy customer and business data, government user profiles
- Response: Forensic investigation, law enforcement notified, containment measures implemented
Cal AI App Alleged Breach: 3 Million User Records Dumped
The calorie-tracking app Cal AI, popularized by celebrity endorsements, allegedly suffered a massive breach with a threat actor dumping nearly 15GB of data, including over 3 million user emails, personal details, and subscription information. The attacker claims to have exploited an unauthenticated Google Firebase backend, allowing access to sensitive user data such as weights, dates of birth, and even meal times. The app’s use of a simple 4-digit PIN instead of passwords, and lack of rate limiting or CAPTCHA, contributed to the exposure. While the breach has not been officially confirmed by Cal AI, independent researchers have reviewed the leaked data and found it appears legitimate [3].
- Attack vector: Unauthenticated Google Firebase backend
- Data exposed: Emails, personal details, subscription info, health data
- Response: Awaiting official confirmation; researchers validate data authenticity
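The Cal AI summary names a 4-digit PIN with no rate limiting as a contributing factor. A 4-digit PIN has only 10,000 possible values, so the verifier, not the secret, has to supply the resistance to online guessing. The block below is an added example (not Cal AI's code and not from any source cited here) showing one standard mitigation: a per-account failure counter with a lockout window, salted PBKDF2 storage of the PIN, and an injected clock so the policy can be exercised without waiting. The policy values (5 failures, 15-minute lockout), the user names and the PIN values are assumptions chosen for the demonstration.

```python
"""Per-account lockout for a short numeric PIN (added example, hypothetical policy)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PIN_SPACE = 10_000          # every 4-digit PIN is one of 10,000 values
MAX_FAILURES = 5            # failures allowed before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # lockout window in seconds (assumed policy)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 slows offline guessing if the PIN store leaks; online guessing is
    # what the lockout in PinVerifier addresses.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class PinVerifier:
    """Verifies PINs and locks an account after MAX_FAILURES wrong attempts."""

    def __init__(self, now_fn):
        self._now = now_fn                 # injected clock returning seconds
        self._accounts: dict[str, Account] = {}

    def enroll(self, user: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[user] = Account(salt=salt, pin_hash=_hash_pin(pin, salt))

    def verify(self, user: str, pin: str) -> tuple[bool, str]:
        """Return (accepted, reason). A locked account rejects even the right PIN."""
        acct = self._accounts.get(user)
        if acct is None:
            return False, "unknown-user"
        now = self._now()
        if now < acct.locked_until:
            return False, "locked"
        if hmac.compare_digest(_hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures = 0
            return True, "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
        return False, "bad-pin"


class FakeClock:
    """Constructed clock for the demonstration; advance() moves time forward."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def guesses_permitted(verifier: PinVerifier, user: str, clock: FakeClock,
                      budget_seconds: float) -> int:
    """Count how many wrong guesses the verifier processes within budget_seconds.

    With no lockout the whole 10,000-value space could be tried; with the policy
    above the count is bounded by MAX_FAILURES per LOCKOUT_SECONDS window.
    The guess "0000" is deliberately wrong for the enrolled accounts below.
    """
    count = 0
    while clock() < budget_seconds and count < PIN_SPACE:
        _, reason = verifier.verify(user, "0000")
        if reason == "locked":
            clock.advance(LOCKOUT_SECONDS)   # caller must wait out the window
            continue
        count += 1
    return count


if __name__ == "__main__":
    clock = FakeClock()
    v = PinVerifier(clock)
    v.enroll("demo-user", "4321")          # constructed account and PIN
    print("guesses processed in one hour:", guesses_permitted(v, "demo-user", clock, 3600))
```

With the assumed policy an account absorbs only 20 wrong guesses per hour instead of the full PIN space, and a correct PIN submitted during the lockout window is rejected as "locked" rather than accepted, which is the behaviour a defender wants to verify in tests.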
TriZetto Provider Solutions (Cognizant) Breach: 3.4 Million Patient Records Exposed
TriZetto Provider Solutions, a healthcare IT subsidiary of Cognizant, disclosed a breach affecting more than 3.4 million individuals. The compromised data includes insurance and medical information processed through TriZetto’s platforms. Notifications were issued this week after investigators determined the unauthorized access began in 2024, highlighting ongoing risks in the healthcare software supply chain [4][5].
- Attack vector: Undisclosed, unauthorized access to healthcare IT systems
- Data exposed: Patient insurance and medical information
- Response: Notifications issued, investigation ongoing
Significant Cyberattacks
AkzoNobel Cyberattack: Ransomware Group Claims 170GB Data Theft
AkzoNobel, the Netherlands-based global paint manufacturer, confirmed a cyberattack affecting one of its U.S. sites. The Anubis ransomware group claimed responsibility, stating it stole 170GB of data, including employee and financial records. The company reported the intrusion was contained, but the full extent of data exfiltration is under review [6][4].
- Attack vector: Ransomware (Anubis group)
- Data exposed: Employee and financial records (claimed)
- Response: Containment, ongoing investigation
Wikimedia Foundation: JavaScript Worm Disrupts Wikipedia
The Wikimedia Foundation faced a self-propagating JavaScript worm that vandalized pages and replaced editor scripts across multiple wikis. Engineers restricted editing while cleaning up the incident, which modified nearly 4,000 pages and affected about 85 users’ personal scripts. The attack demonstrates the risks of supply chain and script-based vulnerabilities in collaborative platforms [4].
- Attack vector: JavaScript worm, self-propagating via user scripts
- Impact: Page vandalism, editor disruption
- Response: Editing restrictions, incident cleanup
Fake Banking App Phishing Campaign
A sophisticated malware dropper mimicking the IndusInd Bank app targeted Android users in a phishing scheme to steal sensitive financial information. The malicious app, distributed via Telegram, tricked users into entering credentials, which were then sent to a phishing server and a Telegram-controlled C2 channel. The dropper used obfuscation and XOR-encryption to evade detection [7].
- Attack vector: Fake banking app, phishing via Telegram
- Data exposed: Financial credentials, personal information
- Response: Security researchers highlight the need for mobile threat vigilance
Critical Vulnerabilities
Qualcomm Android Component Zero-Day (CVE-2026-21385) Exploited in the Wild
Google disclosed a high-severity vulnerability (CVE-2026-21385, CVSS 7.8) in an open-source Qualcomm component used in Android devices, confirmed to be exploited in the wild. The flaw, a buffer over-read in the graphics component, allows memory corruption and potential privilege escalation. Google’s March 2026 Android update patched 129 vulnerabilities, including this zero-day and a critical remote code execution flaw (CVE-2026-0006). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-21385 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by March 24, 2026 [8][9].
- CVE: CVE-2026-21385 (CVSS 7.8)
- Affected systems: Android devices with Qualcomm chipsets
- Patch status: Fixes released March 2026; urgent update recommended
Cisco SD-WAN Vulnerabilities Under Active Exploitation
Cisco warned of active exploitation of multiple vulnerabilities affecting its Catalyst SD-WAN networking platform. The flaws allow attackers to gain unauthorized access and potentially escalate privileges to root on vulnerable devices. Cisco issued security updates and urged immediate patching, given the widespread use of SD-WAN in enterprise networks [5].
- Affected systems: Cisco Catalyst SD-WAN
- Impact: Unauthorized access, privilege escalation
- Patch status: Security updates released, immediate action advised
Chrome 145 Emergency Update: 10 Critical CVEs Fixed
Google released an emergency update for Chrome (version 145) on March 3, 2026, addressing 10 critical vulnerabilities, including integer overflows, heap buffer overflows, and object lifecycle bugs. These classes of vulnerabilities have historically been used in real-world attacks, making this update a high priority for all users [10].
- Affected systems: Chrome browser (all platforms)
- Patch status: Update available, immediate installation recommended
Government Responses
CISA Adds New Vulnerabilities to KEV Catalog, Issues Patch Mandates
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities, including the actively exploited Qualcomm Android flaw (CVE-2026-21385), to its Known Exploited Vulnerabilities catalog on March 3, 2026. Federal agencies are required to apply patches by March 24, 2026. CISA also issued advisories on ongoing exploitation of Cisco SD-WAN systems and provided updated guidance for defending against supply chain and cloud-based threats [11].
- Mandate: Patch CVE-2026-21385 and other listed vulnerabilities by March 24, 2026
- Focus: Mobile, cloud, and supply chain security
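The KEV mandate above is only useful to an organization that checks the catalog against what it actually runs. CISA publishes the catalog as JSON (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) with a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded, dueDate and requiredAction. The block below is an added example, not CISA tooling, that triages such a feed against a local list of vendors and flags entries as overdue, due soon or later. The first record is constructed from the figures in the text (CVE-2026-21385, added 2026-03-03, due 2026-03-24); its vendor and product strings, the filler second record, the inventory and the 14-day "due soon" horizon are assumptions.

```python
"""Triage a KEV catalog feed against a local vendor inventory (added example)."""
import json
from datetime import date
from urllib.request import urlopen

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample feed in the catalog's JSON shape. Dates and the CVE of the
# first record come from the text; vendor/product wording is assumed. The second
# record is a placeholder for a vendor outside the inventory.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-21385",
            "vendorProject": "Qualcomm",
            "product": "Android graphics component (assumed wording)",
            "vulnerabilityName": "Buffer over-read (assumed wording)",
            "dateAdded": "2026-03-03",
            "dueDate": "2026-03-24",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-00000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder record",
            "dateAdded": "2026-02-01",
            "dueDate": "2026-02-22",
            "requiredAction": "Apply updates per vendor instructions.",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def load_kev(text: str) -> list[dict]:
    """Parse a KEV feed document and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def fetch_live_kev() -> list[dict]:
    """Download the current catalog (network; not used by the offline demo)."""
    with urlopen(KEV_URL, timeout=30) as resp:
        return load_kev(resp.read().decode("utf-8"))


def remediation_window_days(entry: dict) -> int:
    """Days CISA allowed between catalog addition and the due date."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days


def triage(entries: list[dict], inventory_vendors: list[str], today: date,
           horizon_days: int = 14) -> list[dict]:
    """Keep entries whose vendor is in the inventory and tag them by urgency.

    Status is "overdue" when the due date has passed, "due-soon" when it falls
    within horizon_days, otherwise "later". Results are sorted most urgent first.
    """
    wanted = {v.lower() for v in inventory_vendors}
    rows = []
    for e in entries:
        if e["vendorProject"].lower() not in wanted:
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        if days_left < 0:
            status = "overdue"
        elif days_left <= horizon_days:
            status = "due-soon"
        else:
            status = "later"
        rows.append({
            "cveID": e["cveID"],
            "vendorProject": e["vendorProject"],
            "dueDate": e["dueDate"],
            "daysLeft": days_left,
            "status": status,
        })
    rows.sort(key=lambda r: r["daysLeft"])
    return rows


if __name__ == "__main__":
    # Assumed inventory: the organization runs Qualcomm-based Android devices and Cisco gear.
    for row in triage(load_kev(SAMPLE_KEV_JSON), ["Qualcomm", "Cisco"], date(2026, 3, 12)):
        print(row)
```

Swapping SAMPLE_KEV_JSON for fetch_live_kev() turns this into a daily check; matching on vendor alone is deliberately coarse, and a real deployment would match product names against an asset inventory before assigning work.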
New York State DFS Advisory: Heightened Cyber Threats Due to Global Conflict
The New York State Department of Financial Services (DFS) issued an industry letter on March 3, 2026, reminding regulated entities of increased cyber risks stemming from ongoing global conflicts. While no specific coordinated campaign has been observed, DFS urged financial sector organizations to review and strengthen their cybersecurity programs, emphasizing vulnerability management, operational resilience, and secure configuration [12].
- Audience: Financial sector, DFS-regulated entities
- Guidance: Review and enhance cybersecurity controls, monitor for suspicious activity
Miscellaneous
AI-Driven Threats and Security Research
Researchers reported a surge in AI-driven cyber threats, including the use of generative AI for malware development, phishing, and deepfake creation. Notably, a campaign abused interest in the OpenClaw AI agent by planting fake installers on GitHub, delivering the Vidar infostealer and GhostSocks proxy malware. Additionally, Chrome and Edge extensions impersonating legitimate AI tools were found harvesting chat histories and browsing activity, impacting nearly 900,000 users across 20,000 enterprise environments [4].
- Trends: AI-enabled malware, supply chain attacks, malicious browser extensions
- Impact: Credential theft, proxy abuse, enterprise data exposure
Conclusion
This week’s cybersecurity landscape was marked by high-profile data breaches, sophisticated ransomware and phishing campaigns, and the urgent patching of critical vulnerabilities in widely used platforms. Government agencies responded with new mandates and advisories, while researchers highlighted the growing role of AI in both offensive and defensive cyber operations. Organizations are urged to remain vigilant, prioritize timely patching, and strengthen their security posture in the face of evolving threats.
