Daily Recap: the latest cybersecurity news highlights breaches, ransomware activity, and malware campaigns across government, education, finance, and tech, featuring Yanluowang, Handala, WaterPlum and StoatWaffle, plus a growing emphasis on supply-chain risk from the Trivy compromise and TeamPCP. Notable outcomes include the 81‑month sentence in the Yanluowang case and multi‑million dollar recoveries, Resolv’s $80M DeFi incident, and ongoing phishing and B2B fraud campaigns such as Tycoon2FA. #Yanluowang #Handala #WaterPlum #StoatWaffle #Trivy #TeamPCP #Resolv #Tycoon2FA
News:
Daily Cybersecurity Recap
Breaches & Exposures
- The Dutch Finance Ministry confirms an intrusion detected on March 19 that affected internal systems (tax/customs systems said to be unaffected); investigators have blocked the attacker's access and are probing potential data loss – Dutch Finance, Finance Breach
- HackerOne notified employees that a Navia breach via a BOLA flaw exposed Social Security numbers and other personal data for 287 employees and dependents – HackerOne Breach
- Infinite Campus warns of a data breach after a ShinyHunters extortion claim tied to an employee Salesforce account and has disabled some services while scanning exposed data – Infinite Campus
- Crunchyroll is probing alleged March 12 access via a third‑party vendor after claims of nearly 100GB of user data exposure (emails, IPs, passwords, some card data); users urged to change passwords – Crunchyroll Claim, Crunchyroll Probe
- Mazda discloses unauthorized access to a parts warehouse system that exposed 692 employee and partner records (no customer data) and reported the incident to Japan regulators – Mazda Breach
- Kaplan says a fall 2025 incident exposed names, SSNs and driver’s license numbers for at least 230,000 people, prompting filings and potential class actions – Kaplan Breach
- A Trio-Tech subsidiary was hit by ransomware on March 11, forcing systems offline and prompting a Tor leak-site listing and an investigation with incident responders and law enforcement – Trio-Tech Ransom
Ransomware & Sentencing
- An access broker tied to the Yanluowang ransomware pleaded guilty and was sentenced to 81 months (≈ 6.75 years) with restitution/forfeiture over $9.16M, linked to roughly $1.5M in ransom proceeds and multiple attacks – Yanluowang Case, Volkov Sentence
- A Nigerian national was sentenced to 90 months for a global business‑email‑compromise scheme that stole about $6M, ordered to forfeit $1.2M and pay restitution – Email Fraud
Malware & Nation‑state Activity
- Stryker confirms investigators found a malicious file in an Iran‑linked attack claimed by Handala, likely abusing Microsoft Intune (with credentials possibly obtained via an infostealer) to wipe devices; restoration continues with Unit 42 and US agencies – Stryker Attack
- The FBI warns Russian and Iranian actors are abusing messaging platforms (hijacking Signal, Telegram‑linked malware) to compromise accounts, deploy malware, and exfiltrate data, affecting thousands of users – FBI Alert
- North Korean actor WaterPlum is abusing Visual Studio Code auto‑run tasks to deliver the StoatWaffle Node.js credential stealer and RAT via malicious projects, npm packages and GitHub repos targeting developers and crypto professionals – StoatWaffle Campaign
Supply‑chain & DevOps Abuse
- The Trivy supply‑chain compromise spread to Docker images and GitHub repos, and has been linked to subsequent Kubernetes/SSH propagation and cluster compromises – Trivy Supply-Chain
- TeamPCP is targeting Kubernetes clusters with a backdoor called CanisterWorm that installs on non‑Iranian systems and deploys a geopolitically targeted wiper for systems configured for Iran, exploiting Docker APIs and SSH paths tied to Trivy supply‑chain activity – TeamPCP Wiper
Vulnerabilities & Patches
- Oracle released an emergency out‑of‑band patch for a critical unauthenticated RCE tracked as CVE‑2026‑21992 affecting Oracle Identity Manager and Web Services Manager; apply immediately – Oracle Patch
Phishing & Account Takeover
- The Tycoon2FA phishing‑as‑a‑service platform rebounded days after a Europol/Microsoft disruption (≈ 330 domains seized), with campaign volume dropping to ~25% briefly before returning to prior levels targeting Microsoft 365 and Gmail – Tycoon2FA Return
Crypto & DeFi Incidents
- Resolv’s DeFi platform was breached after a compromised private key allowed minting of ~$80M in uncollateralized USR and an attacker exfiltrated roughly 11,408 ETH (≈ $24.5M), forcing a pause, redemptions for verified users, and tracing efforts – Resolv Heist
Reports & Industry
- Google/Mandiant’s M‑Trends 2026 finds the median initial‑access handoff time shrank to 22 seconds, highlights exploits as top vectors and rising Linux/macOS malware and activity from GoldVein and Cl0p – M-Trends 2026
- Zero‑trust commentary stresses tying identity to device posture beyond MFA to detect compromised endpoints and stolen sessions, and advocates continuous posture enforcement – Zero Trust
- Varonis previews AI/data security guidance for protecting data that powers AI models and workflows – Varonis Atlas
- Pre‑RSAC 2026 coverage summarizes dozens of AI‑native and agent‑focused product announcements across identity, detection, SOAR, and exposure remediation from vendors including 1Password and Vellox – RSAC Announcements