The FBI warns that Russian intelligence services are actively targeting Signal and WhatsApp users in phishing campaigns that have already compromised thousands of accounts. Oracle issues an out-of-band emergency patch for a critical unauthenticated RCE in Identity Manager (CVE-2026-21992). CISA orders all federal agencies to patch a maximum-severity Cisco Secure Firewall Management Center flaw by Sunday. The DoJ disrupts four massive IoT botnets responsible for record-breaking 31.4 Tbps DDoS attacks.
Russian intelligence-linked threat actors have already compromised thousands of accounts across Signal, WhatsApp, and other encrypted messaging platforms through sophisticated phishing campaigns.
The FBI has issued a public service announcement warning that threat actors linked to Russian intelligence services are conducting large-scale phishing campaigns targeting users of encrypted messaging applications, including Signal and WhatsApp. The campaigns have already successfully compromised thousands of accounts.
The attackers are exploiting the trust users place in end-to-end encrypted platforms. The phishing operations use sophisticated social engineering — including fake security alerts, device-linking requests, and QR codes — designed to trick users into granting attackers access to their accounts. Once compromised, all messages, contacts, and attachments are accessible to the threat actors.
Many organizations now use Signal or WhatsApp for sensitive communications, including executive discussions, deal negotiations, and crisis management. If employees use these apps for work communications, a compromise exposes corporate intelligence to a nation-state adversary.
Oracle has released an out-of-band security update for a critical unauthenticated RCE vulnerability in Identity Manager and Web Services Manager. This is severe enough that Oracle broke its quarterly patch cycle to address it.
Oracle has taken the unusual step of releasing an out-of-band emergency security update to address CVE-2026-21992, a critical unauthenticated remote code execution vulnerability affecting Oracle Identity Manager and Web Services Manager. The fact that Oracle departed from its standard quarterly Critical Patch Update schedule underscores the severity of this flaw.
Oracle Identity Manager is a core enterprise identity governance solution used by large organizations to manage user identities, access provisioning, and compliance. A compromise of this system gives an attacker the keys to the kingdom — the ability to create admin accounts, modify access policies, and move laterally across the entire enterprise.
CISA has added a maximum-severity vulnerability in Cisco Secure Firewall Management Center to its Known Exploited Vulnerabilities catalog, ordering all federal agencies to patch by March 22 (Sunday).
The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all US federal agencies to patch CVE-2026-20131, a maximum-severity vulnerability in Cisco Secure Firewall Management Center (FMC), by Sunday, March 22. The addition to CISA's Known Exploited Vulnerabilities (KEV) catalog confirms that this flaw is being actively exploited in the wild.
Cisco FMC is the centralized management platform for Cisco's firewall infrastructure. Compromising FMC gives an attacker the ability to modify firewall rules, disable security policies, create tunnel rules for persistent access, and effectively neutralize an organization's entire network perimeter defense.
CISA's standard remediation timeline is typically 2-3 weeks. A two-day deadline indicates the agency has intelligence suggesting active, widespread exploitation that poses an imminent threat to federal networks. This urgency should alarm private sector organizations as well.
US, German, and Canadian authorities have disrupted the command-and-control infrastructure of the AISURU, Kimwolf, JackSkid, and Mossad botnets — collectively controlling over 3 million IoT devices and responsible for record-breaking DDoS attacks.
The US Department of Justice, working with authorities from Germany and Canada, has dismantled the command-and-control (C2) infrastructure behind four major IoT botnets: AISURU, Kimwolf, JackSkid, and Mossad. These botnets collectively controlled over 3 million compromised IoT devices and were responsible for launching some of the largest DDoS attacks ever recorded, including a 31.4 Terabits per second attack documented by Cloudflare in November 2025.
The operation involved assistance from major tech companies including Akamai, AWS, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, and others. This public-private partnership was essential for identifying and dismantling the distributed C2 infrastructure.
An international law enforcement operation called Operation Alice has shut down over 373,000 dark web sites that offered fake CSAM packages. While the sites themselves contained scam content rather than actual exploitation material, the operation demonstrates the expanding scale of law enforcement's ability to operate within the dark web and disrupt criminal infrastructure.
The takedown is significant from a cybersecurity perspective because the infrastructure used to host these sites was shared with other criminal operations, and the operation has yielded intelligence about dark web hosting providers, payment processors, and the criminal ecosystem's supply chain.
North Carolina musician Michael Smith has pleaded guilty to collecting over $10 million in fraudulent royalty payments from Spotify, Apple Music, Amazon Music, and YouTube Music using AI-generated music and automated bots. The scheme involved creating thousands of AI-generated tracks and using bot farms to artificially inflate stream counts.
This case represents a growing intersection of AI misuse and financial fraud. As AI tools make it trivial to generate music, images, text, and video, the attack surface for fraud schemes that exploit automated payment systems continues to expand dramatically.
Microsoft has confirmed that the March Windows 11 update (KB5079473) is breaking sign-ins with Microsoft accounts across multiple applications, including Teams and OneDrive. Users who installed the update are unable to authenticate with their Microsoft accounts in these critical productivity applications.
While not a security vulnerability per se, this is a significant operational disruption for organizations relying on Microsoft 365 services. The workaround involves either uninstalling the update or waiting for Microsoft's fix — neither option is ideal from a security standpoint, as uninstalling means losing the security patches included in the same update.
| Threat | Severity | Type | Action Required |
|---|---|---|---|
| Russian Signal/WhatsApp Phishing | CRITICAL | Nation-State | Audit linked devices, brief executives |
| Oracle Identity Manager RCE (CVE-2026-21992) | CRITICAL | Vulnerability | Apply emergency patch immediately |
| Cisco FMC (CVE-2026-20131) | CRITICAL | Vulnerability | Patch by Sunday March 22 |
| IoT Botnet Takedown (AISURU et al.) | HIGH | Botnet | Audit IoT devices, check for compromise |
| Operation Alice — 373K Sites Down | MEDIUM | Law Enforcement | Awareness — dark web disruption |
| AI Streaming Fraud ($10M) | MEDIUM | AI Fraud | Review automated payout systems |
| Windows 11 Update Breaks Teams/OneDrive | HIGH | Operational | Hold KB5079473 deployment |
KENSAI continuously monitors your infrastructure for vulnerabilities like CVE-2026-21992, Cisco FMC flaws, and IoT misconfigurations — before attackers find them.
Start Your Free Security Scan →Published by the KENSAI Threat Intelligence Team
Daily Security Briefing — March 21, 2026
Read more briefings →