Cybersecurity News | Daily Recap [23 Mar 2026]

In today's recap, Microsoft rolled back a newly introduced virtual account after it intermittently blocked access to cloud-based Exchange Online via Outlook Mobile and the new Outlook for Mac, and published an optional out-of-band emergency update, KB5085516, to fix the Microsoft account sign-in failures that KB5079473 caused in Windows 11 apps (Teams, OneDrive); a restart serves as an interim workaround. Patching and threat activity also covers QNAP's CVE-2025-62843 through CVE-2025-62846, Oracle's CVE-2026-21992 (CVSS 9.8) and CVE-2025-32975 in Quest KACE SMA, plus FBI warnings about Handala abusing Telegram and Russian intelligence phishing via Signal, iOS flaws exploited by the DarkSword exploit kit, a Trivy supply-chain compromise involving CanisterWorm and TeamPCP, and Tycoon 2FA phishing.
#Handala #Telegram #RussianIntelligence #Signal #DarkSword #KACE #SMA #Trivy #CanisterWorm #TeamPCP #Tycoon2FA #AWSBedrock #NIST80081r3 #OperationAlice #AlexanderPaulTravis #NKITWorkers

Microsoft Services & Patches

  • Microsoft reverted a newly introduced virtual account after it intermittently blocked access to cloud‑based Exchange Online via Outlook Mobile and the new Outlook for Mac – Exchange Outage
  • Microsoft published an optional out‑of‑band KB5085516 emergency update to fix Microsoft account sign‑in failures caused by KB5079473 affecting Windows 11 apps (Teams, OneDrive) and provided a restart workaround – KB5085516 Fix

Vulnerabilities & Patches

  • QNAP issued patches for multiple products, including four SD‑WAN router bugs demonstrated at Pwn2Own (CVE‑2025‑62843 through CVE‑2025‑62846), and urged admins to update firmware – QNAP Patches
  • Oracle released an out‑of‑band patch for a critical unauthenticated RCE in Identity Manager (CVE‑2026‑21992, CVSS 9.8) and warned customers to update immediately – Oracle Patch
  • Attackers are exploiting CVE-2025-32975 to bypass authentication on unpatched Quest KACE SMA systems, enabling admin takeover, credential theft (Mimikatz), and RDP access—apply patches and avoid internet exposure – KACE Exploit

State-linked Campaigns

  • The FBI warned that Iranian‑linked groups, including Handala and other state‑aligned actors, are abusing Telegram as C2 to deliver Windows malware to journalists, dissidents and regime opponents, including Intune‑based device wipes – Handala Campaign
  • FBI and CISA issued an advisory on Russian Intelligence phishing that hijacks commercial messaging apps—especially Signal—to take over accounts, monitor chats, and enable follow‑on phishing – Messaging Hijack
  • CISA ordered federal agencies to patch three iOS flaws exploited by the DarkSword exploit kit, used in crypto‑theft and espionage operations attributed to groups such as UNC6353 – DarkSword Patch

Malware & Supply‑chain

  • A supply‑chain compromise of Trivy images spread a credential stealer, defaced repos, infected npm packages with CanisterWorm, and deployed Kubernetes‑wiping backdoors in a campaign tied to TeamPCP; avoid the affected Trivy versions and treat any recent pipeline run that used one as compromised – Trivy Supply-chain
  • VoidStealer uses a debugger trick to attach to suspended Chrome processes and extract the v20_master_key from memory, bypassing Application‑Bound Encryption to steal browser secrets – VoidStealer
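As an added illustration of the check a SOC would build for the VoidStealer behaviour above (example code written for this recap, not from the VoidStealer report or any vendor tooling): a debugger-style attach to a suspended chrome.exe needs a process handle that carries memory-read rights plus rights to control or patch the target, and that combination shows up in Sysmon Event ID 10 (ProcessAccess). The log-line layout, the allowlist of processes expected to open browser memory, and the sample records are all constructed assumptions for this example.

```python
"""Flag non-browser processes that open a browser with memory-read and control rights.

Added example, not from the VoidStealer report. The log-line layout, the
allowlist, and the sample records are constructed for this example.
"""
from dataclasses import dataclass
from typing import List

# Windows process access rights (winnt.h)
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_SUSPEND_RESUME = 0x0800

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Assumed allowlist of processes expected to open browser memory; tune per estate.
ALLOWLIST = {"csrss.exe", "lsass.exe", "msmpeng.exe", "werfault.exe"}


@dataclass(frozen=True)
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_sysmon_line(line: str) -> ProcessAccess:
    """Parse a constructed 'Key: value|Key: value' rendering of a Sysmon Event ID 10."""
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    return ProcessAccess(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def is_suspicious(ev: ProcessAccess) -> bool:
    """True when a non-browser, non-allowlisted process can both read and steer a browser."""
    src, tgt = _basename(ev.source_image), _basename(ev.target_image)
    if tgt not in BROWSERS:
        return False
    if src == tgt or src in ALLOWLIST:  # browser child processes open each other constantly
        return False
    can_read = bool(ev.granted_access & PROCESS_VM_READ)
    can_control = bool(ev.granted_access & (PROCESS_VM_OPERATION | PROCESS_SUSPEND_RESUME))
    return can_read and can_control


def detect(lines) -> List[ProcessAccess]:
    """Return the ProcessAccess records that match the attach-and-read pattern."""
    return [ev for ev in map(parse_sysmon_line, lines) if is_suspicious(ev)]


# Constructed sample records (not real telemetry). 0x1FFFFF / 0x1F0FFF are full-access masks;
# 0x1410 is query plus VM_READ only, the mask a task manager typically asks for.
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_LINES = [
    f"SourceImage: {CHROME}|TargetImage: {CHROME}|GrantedAccess: 0x1FFFFF",
    f"SourceImage: C:\\Windows\\System32\\Taskmgr.exe|TargetImage: {CHROME}|GrantedAccess: 0x1410",
    f"SourceImage: C:\\Users\\Public\\updater.exe|TargetImage: {CHROME}|GrantedAccess: 0x1F0FFF",
    "SourceImage: C:\\Windows\\explorer.exe|TargetImage: C:\\Windows\\notepad.exe|GrantedAccess: 0x1F0FFF",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LINES):
        print(f"ALERT {hit.source_image} -> {hit.target_image} access=0x{hit.granted_access:X}")
```

Only the constructed updater.exe record fires: Chrome opening its own child processes and a task manager asking for read-only query rights are both passed over, which is the noise a plain "anything touching chrome.exe" rule would drown in. In production the rule would also key on the browser process being started suspended and on the CallTrace field, which the page's description of the attach trick points at but this example does not model.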

Phishing & PhaaS

  • Tax‑season phishing campaigns hit roughly 29,000 users to harvest credentials and install remote monitoring and management (RMM) software, abusing legitimate tools such as ScreenConnect, Datto, and SimpleHelp for persistence and exfiltration – IRS Phishing
  • Subscription PhaaS Tycoon 2FA quickly returned to pre‑takedown levels, reportedly sending > 30 million malicious emails monthly and accounting for ~62% of Microsoft’s blocked phishing in 2025 – Tycoon 2FA

Cloud & AI Security

  • XM Cyber mapped eight validated attack vectors against AWS Bedrock—including log manipulation, agent hijacking, flow injection, guardrail degradation, and prompt poisoning—and recommends tight permissions and posture controls for Bedrock deployments – Bedrock Vectors

Standards & Guidance

  • NIST published SP 800‑81r3, a major DNS security update after 12 years that promotes protective/encrypted DNS (DoH/DoT/DoQ), modern crypto (ECDSA, Ed25519), and operational best practices for federal agencies and hybrid deployments – NIST DNS

Prosecutions & Fraud

  • German authorities dismantled an operator running > 373,000 onion sites in Operation Alice, seizing servers after buyers paid ~€345,000 for nonexistent CSAM and cybercrime services – Dark Web Takedown
  • Three men, including U.S. Army Specialist Alexander Paul Travis, were sentenced for enabling North Korean IT workers to use stolen identities to collect ≈$1.3M in illicit salaries from U.S. employers – NK IT Scheme
  • A North Carolina man pleaded guilty to an AI‑assisted streaming fraud that generated fake tracks and used bots to steal > $8M in royalties from legitimate artists—demonstrating scale risks of AI content abuse – Music Fraud

Industry & Trends

  • Hackmanac CEO Sofia Scozzari argues defenders must treat cybersecurity as a business risk, adopt security‑by‑design, and improve information sharing to counter attackers scaling via as‑a‑service models – Cyber Basics
  • Women leaders in India are advancing mobile security by embedding runtime protections and security‑by‑design as mobile apps become the primary attack surface in a mobile-first economy – Women in Mobile

Roundups

  • Weekly threat research recap and consolidated updates for security teams – Weekly Recap

Cybersecurity News | Daily Recap – hendryadrian.com