← Back to Blog
Security Briefing 10 min read March 21, 2026

FBI Links Signal Phishing to Russian Intelligence, Oracle Pushes Emergency RCE Fix, CISA Orders Cisco FMC Patch by Sunday, DoJ Dismantles 3-Million-Device IoT Botnets

The FBI warns that Russian intelligence services are actively targeting Signal and WhatsApp users in phishing campaigns that have already compromised thousands of accounts. Oracle issues an out-of-band emergency patch for a critical unauthenticated RCE in Identity Manager (CVE-2026-21992). CISA orders all federal agencies to patch a maximum-severity Cisco Secure Firewall Management Center flaw by Sunday. The DoJ disrupts four massive IoT botnets responsible for record-breaking 31.4 Tbps DDoS attacks.


1. FBI: Russian Intelligence Behind Signal and WhatsApp Phishing Campaigns

⚠️ CRITICAL — Encrypted Messaging Apps Under Nation-State Attack

Russian intelligence-linked threat actors have already compromised thousands of accounts across Signal, WhatsApp, and other encrypted messaging platforms through sophisticated phishing campaigns.

The FBI has issued a public service announcement warning that threat actors linked to Russian intelligence services are conducting large-scale phishing campaigns targeting users of encrypted messaging applications, including Signal and WhatsApp. The campaigns have already successfully compromised thousands of accounts.

The attackers are exploiting the trust users place in end-to-end encrypted platforms. The phishing operations use sophisticated social engineering — including fake security alerts, device-linking requests, and QR codes — designed to trick users into granting attackers access to their accounts. Once compromised, all messages, contacts, and attachments are accessible to the threat actors.

Attack Methodology

Why This Matters for Organizations

Many organizations now use Signal or WhatsApp for sensitive communications, including executive discussions, deal negotiations, and crisis management. If employees use these apps for work communications, a compromise exposes corporate intelligence to a nation-state adversary.

Immediate Actions


2. Oracle Emergency Patch: Critical Unauthenticated RCE in Identity Manager

⚠️ CRITICAL — CVE-2026-21992: Unauthenticated Remote Code Execution

Oracle has released an out-of-band security update for a critical unauthenticated RCE vulnerability in Identity Manager and Web Services Manager. This is severe enough that Oracle broke its quarterly patch cycle to address it.

Oracle has taken the unusual step of releasing an out-of-band emergency security update to address CVE-2026-21992, a critical unauthenticated remote code execution vulnerability affecting Oracle Identity Manager and Web Services Manager. The fact that Oracle departed from its standard quarterly Critical Patch Update schedule underscores the severity of this flaw.

Oracle Identity Manager is a core enterprise identity governance solution used by large organizations to manage user identities, access provisioning, and compliance. A compromise of this system gives an attacker the keys to the kingdom — the ability to create admin accounts, modify access policies, and move laterally across the entire enterprise.

Technical Details

Immediate Actions


3. CISA Orders Federal Agencies to Patch Max-Severity Cisco FMC Flaw by Sunday

⚠️ CRITICAL — CVE-2026-20131: Maximum-Severity Cisco Firewall Vulnerability

CISA has added a maximum-severity vulnerability in Cisco Secure Firewall Management Center to its Known Exploited Vulnerabilities catalog, ordering all federal agencies to patch by March 22 (Sunday).

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all US federal agencies to patch CVE-2026-20131, a maximum-severity vulnerability in Cisco Secure Firewall Management Center (FMC), by Sunday, March 22. The addition to CISA's Known Exploited Vulnerabilities (KEV) catalog confirms that this flaw is being actively exploited in the wild.

Cisco FMC is the centralized management platform for Cisco's firewall infrastructure. Compromising FMC gives an attacker the ability to modify firewall rules, disable security policies, create tunnel rules for persistent access, and effectively neutralize an organization's entire network perimeter defense.

Why a Sunday Deadline

CISA's standard remediation timeline is typically 2-3 weeks. A two-day deadline indicates the agency has intelligence suggesting active, widespread exploitation that poses an imminent threat to federal networks. This urgency should alarm private sector organizations as well.

Immediate Actions


4. DoJ Dismantles Four Massive IoT Botnets Behind Record 31.4 Tbps DDoS Attacks

🔶 HIGH — International Botnet Takedown Operation

US, German, and Canadian authorities have disrupted the command-and-control infrastructure of the AISURU, Kimwolf, JackSkid, and Mossad botnets — collectively controlling over 3 million IoT devices and responsible for record-breaking DDoS attacks.

The US Department of Justice, working with authorities from Germany and Canada, has dismantled the command-and-control (C2) infrastructure behind four major IoT botnets: AISURU, Kimwolf, JackSkid, and Mossad. These botnets collectively controlled over 3 million compromised IoT devices and were responsible for launching some of the largest DDoS attacks ever recorded, including a 31.4 Terabits per second attack documented by Cloudflare in November 2025.

The operation involved assistance from major tech companies including Akamai, AWS, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, and others. This public-private partnership was essential for identifying and dismantling the distributed C2 infrastructure.

Scale of the Operation

For Organizations


5. Operation Alice: International Law Enforcement Takes Down 373,000 Dark Web Sites

An international law enforcement operation called Operation Alice has shut down over 373,000 dark web sites that offered fake CSAM packages. While the sites themselves contained scam content rather than actual exploitation material, the operation demonstrates the expanding scale of law enforcement's ability to operate within the dark web and disrupt criminal infrastructure.

The takedown is significant from a cybersecurity perspective because the infrastructure used to host these sites was shared with other criminal operations, and the operation has yielded intelligence about dark web hosting providers, payment processors, and the criminal ecosystem's supply chain.


6. $10 Million AI-Powered Streaming Fraud Scheme: Musician Pleads Guilty

North Carolina musician Michael Smith has pleaded guilty to collecting over $10 million in fraudulent royalty payments from Spotify, Apple Music, Amazon Music, and YouTube Music using AI-generated music and automated bots. The scheme involved creating thousands of AI-generated tracks and using bot farms to artificially inflate stream counts.

This case represents a growing intersection of AI misuse and financial fraud. As AI tools make it trivial to generate music, images, text, and video, the attack surface for fraud schemes that exploit automated payment systems continues to expand dramatically.

Implications for Enterprises


7. Microsoft March Update Breaks Teams and OneDrive Sign-Ins

Microsoft has confirmed that the March Windows 11 update (KB5079473) is breaking sign-ins with Microsoft accounts across multiple applications, including Teams and OneDrive. Users who installed the update are unable to authenticate with their Microsoft accounts in these critical productivity applications.

While not a security vulnerability per se, this is a significant operational disruption for organizations relying on Microsoft 365 services. The workaround involves either uninstalling the update or waiting for Microsoft's fix — neither option is ideal from a security standpoint, as uninstalling means losing the security patches included in the same update.

Recommended Approach


Daily Threat Summary

ThreatSeverityTypeAction Required
Russian Signal/WhatsApp PhishingCRITICALNation-StateAudit linked devices, brief executives
Oracle Identity Manager RCE (CVE-2026-21992)CRITICALVulnerabilityApply emergency patch immediately
Cisco FMC (CVE-2026-20131)CRITICALVulnerabilityPatch by Sunday March 22
IoT Botnet Takedown (AISURU et al.)HIGHBotnetAudit IoT devices, check for compromise
Operation Alice — 373K Sites DownMEDIUMLaw EnforcementAwareness — dark web disruption
AI Streaming Fraud ($10M)MEDIUMAI FraudReview automated payout systems
Windows 11 Update Breaks Teams/OneDriveHIGHOperationalHold KB5079473 deployment

Are Your Systems Protected Against These Threats?

KENSAI continuously monitors your infrastructure for vulnerabilities like CVE-2026-21992, Cisco FMC flaws, and IoT misconfigurations — before attackers find them.

Start Your Free Security Scan →

Published by the KENSAI Threat Intelligence Team
Daily Security Briefing — March 21, 2026
Read more briefings →

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

Related Articles

Redirecting... Redirecting... CISA Emergency Directive on Cisco SD-WAN