Cybersecurity: Threats and Defences
17 April

Stryker MDM wipe exposes identity perimeter

13:56 UTC

Iran-linked Handala wiped 80,000 to 200,000 Stryker devices across 79 countries on 11 March using one stolen Microsoft Intune admin credential, with no malware deployed. NHS Supply Chain issued a UK disruption alert; Stryker filed an SEC 8-K/A. US defenders face this with a proposed $707m CISA cut and a Citrix/F5 vendor stack still burning.

Key takeaway

Identity and administration planes are now the primary attack surface; US defenders face this reality with a proposed $707m CISA cut.


One stolen login, no malware, up to 200,000 devices dark in hours across 79 countries. The Microsoft Intune admin console was used exactly as designed.

Sources profile: this story draws on neutral-leaning sources from the United States.

Iran-linked hacktivist group Handala remotely wiped between 80,000 and 200,000 Stryker devices across 79 countries on 11 March 2026 by exploiting a single stolen Microsoft Intune administrator credential, deploying no malware.

First mass-scale demonstration that an identity-only attack at the Mobile Device Management (MDM) layer can reach every enrolled endpoint without tripping any endpoint defence. 

Briefing analysis

The December 2020 SolarWinds SUNBURST compromise and the March 2022 Okta incident taught the industry to treat identity as the attack surface. Zero Trust became doctrine. Conditional Access was marketed as the answer. Five years on, Handala's wipe of up to 200,000 Stryker devices through a single Microsoft Intune administrator credential is the first mass-scale, no-malware demonstration that the lesson has not translated into operational posture on MDM and cloud admin consoles. The commercial signal is moving faster than the defensive one: CrowdStrike's January $740m acquisition of SGNL (real-time access revocation), and the broader M&A pace of 80+ cyber deals in February and March 2026, track the thesis that session-binding and just-in-time privilege control are the next purchase category. Stryker is the incident that will be cited in the 2027 procurement cycle as the reference case.
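The identity-plane wipe discussed above leaves no malware to detect, so the signal has to come from the administration plane's own audit trail. The following is an added example, not code from the briefing, from Stryker or from Microsoft: a rate-based check over constructed MDM audit events (field names, actors and timestamps are assumed, not Intune's real schema) that flags any single principal issuing destructive device actions faster than an operator plausibly would. It generalises past wipes to retire actions, since both remove an endpoint from management.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MDM audit events as JSON lines. Field names and values are
# assumed for this example; they are not Microsoft Intune's real audit schema.
# One principal issues six destructive actions in five seconds; a helpdesk account
# issues a single wipe hours later, which is the normal shape of the action.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-03-11T06:00:02Z", "actor": "admin-a@example.test", "action": "DeviceWipe", "device": "d-0001"}
{"ts": "2026-03-11T06:00:03Z", "actor": "admin-a@example.test", "action": "DeviceWipe", "device": "d-0002"}
{"ts": "2026-03-11T06:00:03Z", "actor": "admin-a@example.test", "action": "DeviceWipe", "device": "d-0003"}
{"ts": "2026-03-11T06:00:04Z", "actor": "admin-a@example.test", "action": "DeviceWipe", "device": "d-0004"}
{"ts": "2026-03-11T06:00:05Z", "actor": "admin-a@example.test", "action": "DeviceRetire", "device": "d-0005"}
{"ts": "2026-03-11T06:00:06Z", "actor": "admin-a@example.test", "action": "DeviceWipe", "device": "d-0006"}
{"ts": "2026-03-11T09:15:00Z", "actor": "helpdesk@example.test", "action": "DeviceWipe", "device": "d-9001"}
{"ts": "2026-03-11T06:00:07Z", "actor": "admin-a@example.test", "action": "ReadDevice", "device": "d-0007"}
"""

# Actions that remove an endpoint from management or destroy its data.
DESTRUCTIVE_ACTIONS = {"DeviceWipe", "DeviceRetire"}


def parse_events(text):
    """Parse JSON-lines audit text into dicts with datetime timestamps, sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def bulk_wipe_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak_count} for every actor whose destructive actions reach
    `threshold` inside any sliding `window`. A stolen admin credential looks
    exactly like a legitimate admin except for this rate."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE_ACTIONS:
            per_actor[e["actor"]].append(e["ts"])  # already time-ordered
    alerts = {}
    for actor, stamps in per_actor.items():
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window forward past old events
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts


if __name__ == "__main__":
    print(bulk_wipe_alerts(parse_events(SAMPLE_AUDIT_LOG)))  # {'admin-a@example.test': 6}
```

The threshold and window are tuning knobs: a fleet-wide enrolment cleanup will also trip this, so the alert is a prompt to verify the session behind the principal, not an automatic block.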

The first public company to formally disclose a credential-only wipe as material. Q1 2026 earnings take a hit; full-year guidance held.


Stryker filed a Securities and Exchange Commission 8-K/A on 10 April 2026 disclosing the March device wipe as a material cybersecurity incident, acknowledging Q1 2026 earnings impact while maintaining full-year guidance.

The filing establishes an SEC materiality reference case for a no-malware, identity-only attack, which every listed company's disclosure counsel will now cite. 

Google-Wiz is the largest pure-cybersecurity deal of the post-CrowdStrike era. SecurityWeek counted 38 cyber M&A deals in March and 42 in February.


Google completed its $32 billion acquisition of cloud security vendor Wiz in March 2026, marking the largest pure-cybersecurity deal of the post-CrowdStrike era. SecurityWeek counted 38 cybersecurity M&A deals in March 2026 alone and 42 in February; deals included Databricks acquiring Antimatter and SiftD.ai to launch the Lakewatch SIEM product, and OpenAI acquiring Promptfoo to fold prompt-injection defence into its platform.

The commercial signal on cloud and identity security is running ahead of the defensive one at an 80-deal-a-quarter pace. 

CVE-2026-3055 is the third critical memory-disclosure bug in NetScaler in thirty months. Researchers are calling it CitrixBleed 3.


Citrix disclosed CVE-2026-3055, an unauthenticated memory overread in NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider, with a CVSS v4.0 score of 9.3, on 23 March 2026. CISA added it to the Known Exploited Vulnerabilities catalogue on 28 March with a 2 April federal patch deadline; watchTowr confirmed active reconnaissance in the wild.

Three serial critical memory overreads in the same product family, exploited in the appliance that fronts enterprise single sign-on, stop looking like three separate bugs.

Sources: Citrix · ENISA

A vulnerability triaged in 2025 as a medium-severity denial-of-service issue turned out to be unauthenticated Remote Code Execution. 14,000+ instances still exposed.


F5 reclassified CVE-2025-53521 in BIG-IP Access Policy Manager from a medium-severity denial-of-service bug to an unauthenticated Remote Code Execution vulnerability with a CVSS v3.1 score of 9.8 on 28 March 2026; CISA added it to KEV the same day. Shadowserver scan data showed over 14,000 exposed BIG-IP APM instances still unpatched at reclassification.

Defenders who triaged the original F5 advisory as low priority and deferred patching were, in effect, routed into the wrong queue by the vendor's own initial rating. 

CVE-2009-0238 was cut during the Bush administration. Attackers dug it back up and CISA put it on the active-exploitation list in April.


CISA added CVE-2009-0238, a 17-year-old Microsoft Office Remote Code Execution vulnerability from the Bush administration era, to the Known Exploited Vulnerabilities catalogue on 14 April 2026 as actively exploited in the wild, primarily via macro-based attack chains in unpatched legacy Office deployments in healthcare and public sector.

The legacy Office estate in healthcare and the public sector is now a regulatory deadline, not a technical-debt ticket. 

Sources: ENISA

NCSC attributed a DNS-hijack campaign to APT28, assessed with near-certainty as GRU Unit 26165. The target was the Outlook login in the kitchen.


NCSC published an attribution-backed advisory on 7 April 2026 stating that APT28, assessed with near-certainty as GRU Unit 26165, has since 2024 exploited SOHO routers, including TP-Link WR841N via CVE-2023-50224 and MikroTik models, to hijack DNS resolution and conduct adversary-in-the-middle credential theft against Microsoft 365 OAuth tokens. The FBI Internet Crime Complaint Center issued a coordinated public service announcement, PSA260407.

A consumer router under a remote worker's desk is now a credential-collection point the corporate perimeter cannot see. 

Sources: NCSC UK

Russia's FSB, China's APT31 and Iran's IRGC are all running the same trade against journalists, lawyers and politicians. NCSC and Dutch AIVD advised passkeys plus a device audit.


NCSC and Dutch intelligence service AIVD issued joint advisories on 31 March and 9 March 2026 warning that state-linked actors including Russia's FSB Star Blizzard, China's APT31, and Iran's Islamic Revolutionary Guard Corps were targeting Signal, WhatsApp, and Facebook Messenger accounts of politicians, journalists, academics, and lawyers using malicious QR codes and contact impersonation.

Three unrelated state services converging on the same civil-society attack vector suggests messaging-app compromise has become a standard intelligence-collection method. 

Sources: NCSC UK

Mandiant's M-Trends 2026 set the China-nexus benchmark at a 393-day average dwell inside VMware hypervisors. The telemetry built for malware does not see it.


Mandiant's M-Trends 2026 report, based on over 500,000 hours of Incident Response, disclosed that UNC5221 deployed the BRICKSTORM Go-based backdoor on VMware vCenter and ESXi hosts with an average dwell time of 393 days undetected, primarily targeting US and UK legal services, business process outsourcers, SaaS providers, and technology firms. The campaign used BRICKSTEAL, a Java servlet filter, to capture vCenter credentials, and routed command-and-control through Cloudflare Workers and Heroku.

The China-nexus attacker median advantage is now more than a year of undetected access inside legal firms, BPOs and SaaS providers. 

An FBI official told CyberTalks 2026 the China-linked telecoms compromise is not contained. 200+ companies, 80 countries, and Volt Typhoon sits behind it.


An FBI official confirmed at CyberTalks 2026 in February that the Salt Typhoon China-linked telecoms compromise was 'still very, very much ongoing' with at least 200 companies across 80 countries affected as of August 2025. CISA assessed with high confidence that Volt Typhoon was pre-positioning in US critical infrastructure IT networks for later lateral movement into operational technology systems across communications, energy, transportation, and water sectors.

Reframes the adversary model for US critical infrastructure from espionage to sabotage readiness. 

Sources: CyberScoop

Treasury sanctioned Sergey Zelenyuk, Matrix LLC and five associates for trafficking 8+ zero-days stolen from L3Harris. The statute was not written for cyber.


OFAC used the Protecting American Intellectual Property Act for the first time in a cyber matter, sanctioning Sergey Sergeyevich Zelenyuk, his firm Matrix LLC trading as Operation Zero, and five associated individuals and entities, for acquiring and distributing US government cyber tools. The underlying case: former L3Harris Trenchant executive Peter Williams pleaded guilty on 29 October 2025 to stealing at least eight zero-day exploits and selling them to Operation Zero between 2022 and 2025, and was sentenced to 87 months on 24 February 2026.

The first cyber use of the Protecting American Intellectual Property Act creates a legal template that can now be extended to any exploit acquisition traceable to US-origin tooling. 

Ryan Goldberg worked at Sygnia. Kevin Martin negotiated ransoms at DigitalMint. Both admitted to using ALPHV/BlackCat against the organisations they were hired to defend.


Ryan Goldberg, 40, employed at Incident Response firm Sygnia, and Kevin Martin, 36, a ransomware negotiator at DigitalMint, pleaded guilty to conspiracy to obstruct commerce by extortion for using ALPHV/BlackCat ransomware to attack US victims between April and December 2023, exploiting their privileged positions and pre-existing victim relationships. Sentencing was scheduled for 12 March 2026.

The due-diligence question on incident-response vendors shifts from technical capability to personnel controls. 

Michigan State Police co-led. German BKA and Finnish KRP ran infrastructure. A Russian national is charged with running the exchange since 2017.


The FBI and Michigan State Police seized cryptocurrency exchange E-Note and charged Russian national Mykhalio Petrovich Chudnovets with conspiracy to launder more than $70 million in ransomware and account-takeover proceeds through E-Note since 2017, with cooperation from German Federal Criminal Police and Finnish National Bureau of Investigation.

A state police force inside a five-country takedown is the operational template the laundering-rail crackdown will run on. 

Sources: The Record

The FY27 budget would leave CISA on roughly $2bn with 860 fewer staff. The counter-ransomware initiative is already gone.


The Trump administration's FY27 budget proposal published on 7 April 2026 proposed cutting CISA by $707 million and eliminating 860 positions, bringing the agency's operating budget to approximately $2 billion and cancelling the counter-ransomware initiative. The proposal also cut FBI cyber obligations by $560 million affecting around 1,900 staff across cyber portfolios, and included NIST vulnerability-scoring and Software Bill of Materials programmes within the cuts envelope.

US federal cyber enforcement capacity contracts just as the threat cadence (KEV additions and ransomware postings) accelerates.

The Cyber Security and Resilience Bill passed Public Bill Committee. ICO fined Capita £14m for missing PAM and AD tiering, citing NCSC guidance as the GDPR baseline.


The UK Cyber Security and Resilience Bill reached Report Stage on 2 March 2026 with substantive provisions including a 24-hour initial incident reporting window, a 72-hour full report requirement, data centres classified as essential services under joint Ofcom and DSIT oversight, and a widened definition of organisations subject to statutory cybersecurity standards. Separately, the ICO fined Capita £14 million citing absence of Privileged Access Management controls and Active Directory tiering as GDPR-breaching failures, establishing NCSC guidance as the enforceable GDPR technical baseline.

The UK is turning NCSC cyber hygiene guidance into enforceable data-protection law while US federal capacity contracts. 

European Commission draft CRA guidance opened 3 March. Only a third of German entities registered by the NIS2 deadline. Infringement proceedings are running.


The European Commission published draft implementation guidance for the Cyber Resilience Act on 3 March 2026, opening a feedback window to 31 March. Germany published its NIS2 implementation law on 5 December 2025 with a 6 March 2026 registration deadline; only around one-third of covered entities had registered by the deadline. The European Commission ran parallel infringement proceedings against non-compliant EU member states on NIS2 transposition.

The EU has a fine ceiling of €15m or 2.5 per cent of global turnover in place; whether it is applied in practice in 2026 is the test. 

Closing comments

The threat cadence is accelerating. Ransomware postings reached 808 in March, up 19% month-on-month and 33% above the 2025 monthly average. The KEV catalogue added nine CVEs in the window with active exploitation confirmed on multiple critical-severity appliances. Nation-state dwell benchmarks are lengthening, not shortening. US federal enforcement capacity is proposed to contract. UK and EU regulatory pressure is rising but takes time to change enterprise posture. The defender advantage is narrowing, not widening, in this window.

Different Perspectives
CISA and FBI (US government)
CISA added nine KEV CVEs, confirmed Volt Typhoon in US CNI, and lost its counter-ransomware initiative under prior cuts; the FY27 budget proposes a further $707m cut and 860 jobs. An FBI official confirmed Salt Typhoon at 200+ companies across 80 countries is 'still very, very much ongoing'.
NCSC (UK)
NCSC published attribution-backed advisories naming GRU Unit 26165 for SOHO router DNS hijacking and co-issued warnings with Dutch AIVD on FSB, APT31, and IRGC messaging-app targeting, in the same month the UK Cyber Security and Resilience Bill cleared its Public Bill Committee. The ICO's £14m Capita fine now treats NCSC guidance as the enforceable GDPR technical baseline.
European Commission
The Commission published draft Cyber Resilience Act implementation guidance on 3 March with manufacturer reporting obligations beginning 11 September 2026, while running infringement proceedings against EU member states that have not transposed NIS2. Only 14 of 27 states had fully transposed by mid-2025; Germany's post-transposition registration compliance sat at roughly one-third.
Russian foreign ministry (GRU posture)
The Russian foreign ministry has issued no formal response to the NCSC advisory attributing the SOHO router DNS-hijacking campaign to GRU Unit 26165; its standard position is that Western attribution claims are politically motivated fabrications. Russia denies state sponsorship of any offensive cyber operations against NATO infrastructure.
People's Republic of China
Tsinghua University's Center for International Security and Strategy characterised US Volt Typhoon 'sabotage pre-positioning' assessments as misrepresenting standard state signals intelligence, framing the attribution narrative as a US strategic communication exercise rather than a conclusion grounded in confirmed adversary intent. Beijing formally denies state involvement in Salt Typhoon and Volt Typhoon.
Handala
Handala publicly claimed the Stryker MDM wipe as retaliation for a February 2026 Iranian school missile strike, asserting 200,000 devices wiped and 50 terabytes exfiltrated. The public framing positions the operation as proportionate non-lethal retaliation, a characterisation no Western agency has formally attributed to IRGC command-and-control.