Cybersecurity Week in Review: March 24–March 30, 2026

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches

Berkadia Ransomware Attack

Summary:
Berkadia, a major real estate services provider, suffered a ransomware attack attributed to the ShinyHunters group. Over 5 million Salesforce records, including personally identifiable information (PII) and internal corporate data, were compromised. The attack highlights the persistent threat of ransomware to the real estate and financial sectors, with attackers targeting large data repositories for extortion and data theft.

Key Details:

  • Organization: Berkadia (New York, USA)
  • Data Exposed: Over 5 million Salesforce records, including PII and internal data
  • Attack Vector: Ransomware (ShinyHunters group)
  • Discovery Date: March 2026
  • Response: Incident under investigation; details on ransom demand not disclosed

Technical Details:

  • Ransomware Family: ShinyHunters
  • Data Exfiltration: Confirmed
  • Impact: Disruption of business operations and potential exposure of sensitive client information

Source: SharkStriker [1]


HackerOne Employee Data Breach

Summary:
HackerOne, a leading bug bounty platform, disclosed a breach involving a third-party system that exposed employee personal data. The incident underscores the risks associated with third-party vendors, even for organizations at the forefront of cybersecurity.

Key Details:

  • Organization: HackerOne
  • Data Exposed: Employee personal data (specifics not disclosed)
  • Attack Vector: Third-party system compromise
  • Discovery Date: March 2026
  • Response: Investigation ongoing; enhanced monitoring of third-party vendors

Source: Barefoot Cyber [2]


Infinite Campus Data Breach

Summary:
Infinite Campus, a widely used K-12 student information system, reported a data breach following an extortion attempt by a threat actor. The breach has raised concerns about the security of educational technology platforms and the sensitive nature of student data.

Key Details:

  • Organization: Infinite Campus
  • Data Exposed: Not fully disclosed; extortion attempt involved
  • Attack Vector: Extortion by threat actor
  • Discovery Date: March 24, 2026

Source: BleepingComputer [3]


Significant Cyberattacks

European Commission Web Platform Attack

Summary:
The European Commission confirmed a cyberattack on its cloud-hosted Europa web platform. Early indications suggest data exfiltration may have occurred, though internal systems were reportedly unaffected. The incident highlights the ongoing targeting of government platforms in Europe and the risks associated with public-facing infrastructure.

Key Details:

  • Organization: European Commission
  • Attack Vector: Cloud platform compromise
  • Discovery Date: March 24, 2026
  • Response: Breach contained; investigation ongoing

Source: Reuters via Barefoot Cyber [2]


Surge in State-Linked Attacks on Critical Infrastructure

Summary:
Poland reported a sharp increase in cyberattacks, including a destructive attack on energy infrastructure believed to be linked to Russian-affiliated actors. This reflects a broader trend of state-aligned cyber operations targeting critical infrastructure across NATO and EU regions.

Key Details:

  • Country: Poland
  • Sector: Energy infrastructure
  • Attack Vector: Destructive malware, suspected Russian affiliation
  • Discovery Date: March 2026

Source: AP News via Barefoot Cyber [2]


GitHub Supply Chain Attack: TeamPCP Targets CI/CD Pipelines

Summary:
Attackers linked to TeamPCP compromised Checkmarx GitHub Actions using stolen CI credentials, extending a broader campaign targeting CI/CD pipelines. This incident marks a continued evolution of supply chain attacks, moving beyond software dependencies into development workflows.

Key Details:

  • Target: Checkmarx GitHub Actions
  • Attack Vector: Stolen CI credentials, supply chain compromise
  • Discovery Date: March 2026

Source: The Hacker News [2]


Stryker Cyberattack by Iran-Linked Group

Summary:
Stryker, a global medical technology provider, confirmed a cyberattack attributed to the Iran-linked Handala group. The attackers weaponized Microsoft Intune to wipe data from thousands of devices, causing temporary disruption to manufacturing and shipping. The attack is part of a broader trend of targeting healthcare and critical infrastructure.

Key Details:

  • Organization: Stryker (USA)
  • Attack Vector: Microsoft Intune device management compromise
  • Threat Actor: Handala (Iran-linked)
  • Discovery Date: March 2026
  • Response: Attack contained; restoration underway

Source: Cybersecurity Dive [4]


Critical Vulnerabilities

Citrix NetScaler ADC and Gateway (CVE-2026-3055)

Summary:
A critical vulnerability (CVE-2026-3055, CVSS 9.3) in Citrix NetScaler ADC and Gateway allows unauthenticated remote attackers to leak sensitive information from device memory. The flaw is actively exploited as of March 27, 2026, particularly in appliances configured as SAML Identity Providers. Citrix urges immediate patching.

Key Details:

  • CVE: CVE-2026-3055
  • CVSS Score: 9.3
  • Affected Products: NetScaler ADC and Gateway (various versions)
  • Attack Vector: Out-of-bounds read, memory overread
  • Mitigation: Upgrade to fixed versions immediately

Source: Help Net Security [5]


Fortinet FortiClient EMS (CVE-2026-21643)

Summary:
A critical SQL injection vulnerability (CVE-2026-21643, CVSS 9.1) in Fortinet FortiClient EMS is under active exploitation. The flaw allows unauthenticated attackers to execute unauthorized code or commands via crafted HTTP requests. Fortinet released a patch in version 7.4.5.

Key Details:

  • CVE: CVE-2026-21643
  • CVSS Score: 9.1
  • Affected Product: FortiClient EMS
  • Attack Vector: SQL injection via HTTP header
  • Mitigation: Update to version 7.4.5

Source: The Hacker News [6]


GNU InetUtils telnetd (CVE-2026-32746)

Summary:
A critical, unpatched vulnerability (CVE-2026-32746, CVSS 9.8) in GNU InetUtils telnetd allows unauthenticated remote code execution as root. The flaw is due to an out-of-bounds write in the LINEMODE SLC handler and affects all versions through 2.7. A fix is expected by April 1, 2026.

Key Details:

  • CVE: CVE-2026-32746
  • CVSS Score: 9.8
  • Affected Product: GNU InetUtils telnetd (all versions through 2.7)
  • Attack Vector: Pre-auth buffer overflow via port 23
  • Mitigation: Disable telnetd, block port 23, run without root privileges

Source: The Hacker News [7]


Government Responses

CISA Adds Exploited Vulnerabilities to Catalog

Summary:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added several new vulnerabilities to its Known Exploited Vulnerabilities Catalog between March 24 and March 27, 2026. The advisories urge immediate patching and hardening of affected systems, particularly those exposed to the internet.

Key Details:

  • Agency: CISA
  • Action: Added new vulnerabilities to KEV Catalog
  • Date: March 24–27, 2026
  • Focus: Urgent patching and mitigation for critical flaws

Source: CISA [8]
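As an added example (not part of this report or CISA's tooling), the script below shows how a defender can turn a KEV update window like March 24–27 into a patching worklist: it filters a feed in the layout of CISA's KEV JSON by dateAdded, matches entries against a local asset inventory, and computes how many days remain before each CISA due date. The feed excerpt, inventory and due dates are constructed for the example and make no claim about what CISA actually catalogued.

```python
"""Cross-check a KEV feed against a local asset inventory (added example)."""
import json
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed. The entries are
# sample data for this example only, not a record of what CISA listed.
SAMPLE_KEV_JSON = json.dumps({
    "title": "KEV catalog (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2026-3055", "vendorProject": "Citrix",
         "product": "NetScaler ADC and Gateway", "dateAdded": "2026-03-27",
         "dueDate": "2026-04-17", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet",
         "product": "FortiClient EMS", "dateAdded": "2026-03-25",
         "dueDate": "2026-04-15", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-00000", "vendorProject": "ExampleVendor",  # placeholder
         "product": "ExampleProduct", "dateAdded": "2026-02-10",
         "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Products this site runs, keyed by KEV (vendorProject, product) strings.
# Constructed for the example.
ASSET_INVENTORY = {("Citrix", "NetScaler ADC and Gateway"),
                   ("Fortinet", "FortiClient EMS")}


def kev_added_between(kev_json, start_iso, end_iso):
    """Return KEV entries whose dateAdded lies in [start, end] inclusive."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    entries = json.loads(kev_json)["vulnerabilities"]
    return [e for e in entries if start <= date.fromisoformat(e["dateAdded"]) <= end]


def triage(kev_json, inventory, today_iso):
    """Map each KEV entry that matches the inventory to a status and days to due.

    A negative days_left means the CISA remediation due date has already passed.
    """
    today = date.fromisoformat(today_iso)
    report = {}
    for e in json.loads(kev_json)["vulnerabilities"]:
        if (e["vendorProject"], e["product"]) not in inventory:
            continue  # not in our estate; nothing to patch here
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        report[e["cveID"]] = {
            "days_left": days_left,
            "status": "OVERDUE" if days_left < 0 else "OPEN",
            "ransomware_use": e["knownRansomwareCampaignUse"],
        }
    return report
```

Pointing `SAMPLE_KEV_JSON` at the downloaded KEV feed and `ASSET_INVENTORY` at a CMDB export turns this into a daily check that surfaces newly added entries and overdue items for systems actually in use.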


FCC Bans Import of Foreign-Made Routers

Summary:
The U.S. Federal Communications Commission (FCC) announced a ban on the import of new, foreign-made consumer routers, citing unacceptable risks to national security. Only routers with conditional approval from the Department of Homeland Security or Department of War are exempt.

Key Details:

  • Agency: FCC
  • Action: Ban on foreign-made consumer routers
  • Date: March 2026
  • Rationale: National security concerns

Source: The Hacker News [6]


Miscellaneous

“DarkSword” iPhone Exploit Goes Public

Summary:
A previously restricted exploit known as “DarkSword” for iPhones has leaked publicly, making it easier for attackers to target vulnerable devices and extract sensitive data. The exploit, originally used for targeted surveillance, is now available to a broader range of threat actors.

Key Details:

  • Exploit Name: DarkSword
  • Affected Devices: Certain iOS versions
  • Impact: Increased risk of mobile device compromise, especially in finance and government sectors
  • Mitigation: Update all devices, enforce MDM, restrict access policies

Source: Tom’s Guide via Barefoot Cyber [2]


Red Menshen “Sleeper Cell” Implants in Telecom Networks

Summary:
A China-linked threat actor, Red Menshen, has deployed stealthy BPFDoor implants in global telecom backbone infrastructure. These implants act as sleeper cells, remaining dormant until activated, and are designed for long-term espionage and persistence.

Key Details:

  • Threat Actor: Red Menshen (China-linked)
  • Target: Global telecom networks
  • Technique: Kernel-level implants, passive backdoors
  • Impact: Long-term, hard-to-detect espionage

Source: The Hacker News [6]


Conclusion

This week’s cybersecurity landscape was marked by a surge in state-linked attacks on critical infrastructure, high-profile data breaches, and the rapid exploitation of newly disclosed vulnerabilities. Organizations are urged to prioritize patching, enhance third-party risk management, and remain vigilant against evolving supply chain and mobile threats. The increasing sophistication and coordination of cyber-physical attacks, as well as the public release of advanced exploits, underscore the need for robust, adaptive security strategies.


For further details and technical advisories, consult the linked sources throughout this report.