Daily Recap: The FBI and allied agencies warn that Russian intelligence-linked actors are conducting mass phishing campaigns targeting Signal and WhatsApp, hijacking accounts via verification-code requests and malicious QR codes/links and compromising thousands of high-value targets. The report also details a supply-chain attack in which the CanisterWorm infected npm packages and breached Trivy GitHub Actions, with ties to TeamPCP and hackerbot-claw, alongside enforcement actions such as Operation Alice and the Handala takedown. #CanisterWorm #OperationAlice
Messaging Attacks
- The FBI and French agencies warn that Russian intelligence-linked actors are running mass phishing campaigns to hijack Signal and WhatsApp accounts via verification-code requests and malicious QR codes/links, compromising thousands of high-value targets – Signal Phishing, Signal Takedown
Supply-Chain
- Actors behind the Trivy compromise infected dozens of npm packages with CanisterWorm, a self-propagating worm that uses an ICP canister as its C2, and also breached Trivy GitHub Actions to steal CI/CD secrets, with ties to TeamPCP and hackerbot-claw – CanisterWorm, Trivy Breach
Vulnerabilities & Patches
- Oracle released emergency updates to fix a critical unauthenticated RCE in Identity Manager/Web Services tracked as CVE-2026-21992 (CVSS 9.8) and urged immediate patching – Oracle RCE
- CISA ordered federal agencies to patch a max-severity Cisco Secure Firewall Management Center flaw CVE-2026-20131 exploited by the Interlock ransomware group for unauthenticated RCE as root – Cisco FMC
- A critical Langflow bug CVE-2026-33017 enabling unauthenticated RCE was weaponized within 20 hours of disclosure, leading to rapid scanning, exfiltration, and calls to patch and rotate secrets – Langflow RCE
- Exploitation of Quest KACE SMA CVE-2025-32975 can allow unauthenticated impersonation and potential full admin takeover of internet-exposed appliances; apply the May 2025 patches immediately – KACE Flaw
Android
- Google rolled out an “Advanced Flow” that enforces a one-time, multi-step sideload setup and a mandatory 24-hour wait before apps from unverified developers can be installed, aiming to reduce scams and malware while still allowing developer verification and limited distribution options – Advanced Flow, 24-Hour Wait, Android Roundup
Law & Enforcement
- German-led Operation Alice with Europol shut down over 373,000 fake CSAM sites, seized 287 servers, and disrupted a platform that scammed ~10,000 users out of about $400,000 in Bitcoin – Operation Alice
- The FBI seized domains used by Iran’s MOIS (aliases including Handala) to publish stolen data and linked Handala to attacks that wiped over 200,000 Stryker devices, prompting a $10 million reward – Handala Takedown
- Three men, including a Super Micro executive, were charged with conspiring to smuggle U.S.-assembled servers with advanced Nvidia AI chips to China, diverting roughly $2.5 billion in orders and shipping at least $510 million worth of equipment – AI Smuggling
Incidents
- Foster City, California declared a state of emergency after a ransomware attack that may have exposed public information; separately, Los Angeles Metro limited employee access after detecting unauthorized activity – Foster Ransomware
Geopolitical Threats & Policy
- Seqrite Labs attributed “Operation GhostMail” to APT28, describing a zero-click HTML XSS campaign exploiting Zimbra CVE-2025-66376 to hijack Ukrainian webmail sessions and exfiltrate credentials and mailbox data – GhostMail
- A five-step CISO playbook recommends containment, identity-aware controls, and automated isolation to combat state-linked wiper campaigns (citing Iran-linked Handala and the Stryker disruption) – CISO Playbook
- Congress is pushing for an 18-month clean reauthorization of Section 702 of FISA amid debates over surveillance reforms and intelligence use in national-security operations – Section 702