The FBI takes down Handala hacktivist infrastructure after the group wiped approximately 80,000 devices at medical technology giant Stryker. A newly disclosed PolyShell vulnerability enables unauthenticated remote code execution on every Magento and Adobe Commerce installation. Navia Benefit Solutions confirms a data breach affecting 2.7 million individuals. Russian military hackers APT28 exploit a Zimbra flaw in active attacks on Ukrainian government entities. Plus: CISA issues emergency Intune guidance, Ubiquiti patches max-severity UniFi flaw, Bitrefill attributes attack to Lazarus, and Iran's pre-positioned cyber capabilities revealed.
The Handala hacktivist group wiped approximately 80,000 devices at medical technology giant Stryker in one of the most destructive cyberattacks targeting the healthcare sector this year. The FBI has now seized the group's data leak infrastructure.
The FBI has seized two websites operated by the Handala hacktivist group following a devastating cyberattack on Stryker, one of the world's largest medical technology companies. The attack resulted in the wiping of approximately 80,000 devices across Stryker's infrastructure — a scale of destruction rarely seen outside of nation-state operations.
Stryker, which manufactures surgical equipment, orthopedic implants, and medical devices used in hospitals worldwide, faced catastrophic operational disruption. The wiper attack didn't just encrypt data for ransom — it destroyed it entirely, targeting endpoints, servers, and connected systems across the organization.
A newly disclosed vulnerability called PolyShell affects ALL stable Magento Open Source and Adobe Commerce version 2 installations, enabling unauthenticated remote code execution and full account takeover.
A devastating vulnerability dubbed PolyShell has been disclosed affecting every Magento Open Source and Adobe Commerce version 2 installation in existence. The flaw allows completely unauthenticated attackers to achieve remote code execution on the web server, leading to full store compromise including payment data theft, customer data exfiltration, and webshell installation.
This is particularly alarming because Magento/Adobe Commerce powers a significant percentage of the world's e-commerce stores. With the vulnerability requiring no authentication and affecting all stable v2 releases, the potential for mass exploitation is enormous.
Nearly 2.7 million people are being notified after attackers accessed Navia Benefit Solutions' systems and exfiltrated personal information including benefits enrollment data.
Navia Benefit Solutions, a company that administers employee benefit plans including FSAs, HSAs, and commuter benefits, has disclosed a data breach affecting 2.7 million individuals. The breach exposed sensitive personal information that employers entrust to Navia for benefits administration.
The scale of this breach is significant — 2.7 million people represents a large portion of Navia's customer base, and the data involved (benefits enrollment, personal identifiers, potentially health-related information) is particularly sensitive under HIPAA and state privacy regulations.
Russia's APT28 (GRU) is actively exploiting a Zimbra Collaboration Suite vulnerability to compromise Ukrainian government email systems through crafted HTML emails.
Russia's military intelligence hacking unit APT28 (also known as Fancy Bear, linked to the GRU) is actively exploiting a vulnerability in Zimbra Collaboration Suite (ZCS) to target Ukrainian government entities. The attack exploits insufficient sanitization of CSS content within HTML emails — when the victim opens the malicious email in a browser-based mail client, inline scripts execute automatically.
This is a particularly insidious attack vector because it requires no clicks beyond opening the email. Simply viewing the message in Zimbra's web interface triggers the exploit, making it highly effective for mass targeting of government employees.
Following the devastating Stryker breach, CISA (Cybersecurity and Infrastructure Security Agency) has issued an urgent advisory warning US organizations to follow Microsoft's guidance for hardening Intune endpoint management deployments. The advisory came after investigators determined that the Handala attackers exploited weaknesses in Stryker's Microsoft Intune configuration to execute the mass device wipe.
Microsoft Intune, which manages mobile devices and PCs across enterprises, became the weapon used against Stryker. Attackers who compromised the Intune admin console were able to push destructive wipe commands to every managed endpoint simultaneously.
Ubiquiti has patched two vulnerabilities in the UniFi Network Application, including a maximum-severity flaw (CVSS 10.0) that may allow attackers to take over user accounts. UniFi is widely deployed in enterprise and SMB networks for managing access points, switches, and security gateways.
A maximum CVSS score means the vulnerability is trivially exploitable, requires no authentication, and results in full compromise. Given UniFi's widespread deployment — especially in SMBs that may lack dedicated security teams — this is a high-priority patch.
Cryptocurrency gift card platform Bitrefill has attributed its recent cyberattack to Bluenoroff, a subgroup of North Korea's notorious Lazarus hacking operation. The attack, which occurred earlier this month, targeted the company's crypto-related infrastructure.
Lazarus/Bluenoroff continues to be one of the most prolific financially motivated threat actors globally, with a particular focus on cryptocurrency platforms. Their operations fund North Korea's weapons programs, making them both a cybersecurity and a geopolitical concern.
A detailed analysis has revealed a six-month buildup of Iran-linked cyber infrastructure, including US-based shell companies, designed to weather kinetic strikes and ensure the resilience of Iran's global hacking operations. The infrastructure was positioned to enable rapid cyber retaliation capabilities in response to military escalation.
This pre-positioning strategy represents a significant evolution in nation-state cyber doctrine — rather than building offensive capabilities in response to events, Iran has created persistent, resilient infrastructure capable of launching attacks at short notice from geographically distributed points, including inside the United States.
| Threat | Severity | Type | Action Required |
|---|---|---|---|
| Handala / Stryker 80K Wipe | CRITICAL | Destructive Attack | Review backup & endpoint strategies |
| PolyShell Magento RCE | CRITICAL | Vulnerability | Patch all Magento stores immediately |
| Navia 2.7M Breach | HIGH | Data Breach | Credit freeze if affected |
| APT28 Zimbra Exploitation | HIGH | Nation-State | Patch Zimbra, enable MFA |
| CISA Intune Advisory | HIGH | Advisory | Harden Intune configurations |
| Ubiquiti UniFi CVSS 10.0 | CRITICAL | Vulnerability | Update UniFi Network Application |
| Lazarus / Bitrefill Attack | HIGH | Nation-State | Review crypto platform security |
| Iran Cyber Pre-Positioning | MEDIUM | Intelligence | Monitor threat intelligence feeds |
KENSAI continuously monitors your infrastructure for vulnerabilities like PolyShell, Zimbra flaws, and UniFi misconfigurations — before attackers find them.
Start Your Free Security Scan →Published by the KENSAI Threat Intelligence Team
Daily Security Briefing — March 20, 2026
Read more briefings →