๐ก๏ธ Security Research Brief
March 31, 2026 ยท Auto-generated at 04:00 CET ยท Sources: BleepingComputer, The Hacker News, SecurityWeek, CyberSecurityNews
โก TL;DR โ What Matters Today
- 3 critical CVEs actively exploited โ Citrix NetScaler, F5 BIG-IP, and Fortinet FortiClient EMS all under active attack
- European Commission breached โ ShinyHunters claims 350GB+ of data stolen from Europa.eu
- Healthcare data breach โ CareCloud patient data stolen in network intrusion
- Russian APT activity โ Star Blizzard adopts DarkSword iOS exploit kit; new CTRL toolkit uses RDP hijacking
- Supply chain attack โ Malicious PyPI packages target Telnyx SDK users
- Apple responds to ClickFix โ macOS Tahoe 26.4 adds Terminal paste protection
๐ Data Breaches & Intrusions
European Commission โ Europa.eu Breached by ShinyHunters
Critical Government Data TheftThe European Commission confirmed a major data breach after the ShinyHunters extortion gang claimed to have stolen over 350GB of information from European Commission cloud systems. The incident represents one of the largest government data thefts in recent European history.
CareCloud โ Healthcare Patient Data Stolen
High Healthcare PHIHealthcare IT firm CareCloud disclosed a cybersecurity incident involving one of its electronic health record (EHR) environments. Sensitive patient data was exposed during a network disruption lasting approximately eight hours. The breach affects an unknown number of patients whose protected health information (PHI) may have been accessed.
FBI Director Kash Patel โ Personal Email Compromised
High Government IranThe FBI confirmed that Iranian hackers targeted FBI Director Kash Patel's personal email account. A pro-Iranian hacking group claimed credit and made emails and documents available for download. The US is offering a $10M reward for information on the hackers. The FBI noted the compromised information is old.
๐จ Critical CVEs โ Actively Exploited
CVE-2026-3055 โ Citrix NetScaler ADC/Gateway Memory Overread
CVSS 9.3 โ ACTIVELY EXPLOITEDA critical memory overread vulnerability in Citrix NetScaler ADC and Gateway allows attackers to leak sensitive information, including authenticated admin session IDs. Exploitation requires the appliance to be configured as a SAML Identity Provider. Active exploitation observed since March 27.
Action: Patch immediately. Check for SAML IDP configurations.
F5 BIG-IP APM โ DoS Reclassified to Critical RCE
Critical RCE โ ACTIVELY EXPLOITEDF5 reclassified a BIG-IP APM vulnerability from high-severity DoS to critical RCE. Attackers are actively deploying webshells on unpatched devices. CISA has added this to its Known Exploited Vulnerabilities (KEV) catalog.
Action: Patch immediately. Audit BIG-IP instances for webshells.
CVE-2026-21643 โ Fortinet FortiClient EMS SQL Injection
Critical โ ACTIVELY EXPLOITEDA critical SQL injection vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS) is being actively exploited in the wild. Threat actors are leveraging this flaw for initial access to enterprise networks.
Action: Patch FortiClient EMS immediately. Review EMS logs for anomalous queries.
๐ฅ Additional Notable Vulnerabilities
Grafana 12.4.2 โ Dual Critical RCE Vulnerabilities
Critical MonitoringTwo critical vulnerabilities in Grafana allow full remote code execution. Security updates released in version 12.4.2.
CVE-2026-33660 โ n8n Workflow Automation RCE
Critical AutomationCritical RCE flaw in the popular open-source workflow automation platform n8n exposes host servers to remote code execution attacks.
CVE-2026-33634 โ Aqua Trivy Scanner
Critical DevSecOps โ IN KEVCISA added a critical vulnerability in Aqua Security's Trivy scanner to the KEV catalog. Ironic โ a security scanner itself became a vulnerability vector.
Vim โ Arbitrary Command Execution via Weaponized Files
High Developer ToolsA high-severity flaw in Vim allows attackers to execute arbitrary commands through weaponized files. Developers using Vim should update immediately.
Cisco Secure Firewall Management Center โ Unauthenticated RCE
Critical Network SecurityUnauthenticated remote code execution vulnerability in Cisco's Secure Firewall Management Center (FMC) software.
Synology DiskStation Manager โ Remote Command Execution
Critical NASUnauthenticated remote attackers can execute arbitrary commands on Synology DSM devices.
Jira Work Management โ Stored XSS
Medium AtlassianA stored XSS vulnerability in Jira Work Management could lead to account compromise in the Atlassian ecosystem.
Claude Chrome Extension โ 0-Click Prompt Injection
Critical AI SecurityA zero-click vulnerability in Anthropic's Claude Chrome Extension exposed over 3 million users to silent prompt-injection attacks, allowing malicious websites to hijack the AI assistant.
๐ต๏ธ Threat Actors & Campaigns
Russian APT Star Blizzard โ DarkSword iOS Exploit Kit
Russia APT iOSThe Russian state-sponsored group Star Blizzard has adopted the DarkSword iOS exploit kit, targeting government, higher education, financial, and legal entities, as well as think tanks. This marks a notable expansion of their mobile exploitation capabilities.
Russian CTRL Toolkit โ RDP Hijacking via FRP Tunnels
Russia RAT RDPA newly discovered Russian-origin remote access toolkit called CTRL is being distributed via malicious LNK files disguised as private key folders. Built in .NET, it includes credential phishing (Windows Hello UI), keylogging, RDP session hijacking, and reverse proxy tunneling via Fast Reverse Proxy (FRP).
China-Linked APTs โ Southeast Asian Government Targeted
China Espionage APTThree China-aligned threat clusters (Mustang Panda, Earth Estries/Crimson Palace, Unfading Sea Haze) ran a coordinated campaign against a Southeast Asian government. Malware deployed includes HIUPAN, PUBLOAD, MASOL RAT, PoshRAT, FluffyGh0st, and others โ indicating a well-resourced, persistent operation.
Iran โ Cyber Operations in Warfare Context
Iran Hybrid WarfareIran-linked hacking groups are shifting to high-volume, low-impact cyberattacks with AI-powered boosts. Targets include hospitals, infrastructure, and civilian systems in an evolving conflict landscape.
๐ฆ Supply Chain & Malware
TeamPCP Supply Chain Attack โ Telnyx SDK Poisoned on PyPI
High Supply Chain PyPITwo malicious versions of the popular Telnyx SDK were uploaded to the PyPI registry, targeting Windows, macOS, and Linux systems. Part of the growing TeamPCP supply chain attack campaign.
RoadK1ll โ New WebSocket Implant for Lateral Movement
Malware Post-ExploitationA newly identified implant named RoadK1ll uses WebSocket connections to enable quiet lateral movement from compromised hosts to other systems on the network.
Infiniti Stealer โ Cloudflare-Themed ClickFix Targeting Macs
macOS InfostealerA Cloudflare-themed ClickFix attack drops the Infiniti Stealer on Macs via fake CAPTCHA pages, Bash scripts, a Nuitka loader, and a Python-based infostealer. Apple's macOS Tahoe 26.4 now includes Terminal paste warnings specifically to counter ClickFix techniques.
๐ ๏ธ Security Tools & Defenses
Apple macOS Tahoe 26.4 โ Terminal Paste Protection
Defense macOSApple introduced a new security feature in macOS Tahoe 26.4 that blocks pasting and executing potentially harmful commands in Terminal, directly addressing the ClickFix social engineering technique that tricks users into pasting malicious commands.
Huskeys โ Edge Security Management Startup ($8M Funding)
Startup Edge SecurityHuskeys emerged from stealth with $8M in funding, building an edge security management (ESM) platform โ an AI engine atop the entire edge security stack.
Google Sets 2029 Quantum Deadline
Quantum CryptographyGoogle has set an internal 2029 deadline for quantum-related security readiness, signaling that post-quantum cryptography migration timelines are tightening.
๐ Emerging Patterns & Trends
LLMs Eroding Access Control
AI Risk IAMSecurityWeek highlights a growing concern: LLMs can generate complex access control policies (Rego, Cedar) in seconds, but a single missing condition or hallucinated attribute can quietly dismantle least-privilege security models. Organizations using AI to write access policies should treat output as untrusted code requiring thorough review.
Browser-Based Attacks Bypassing Traditional Controls
Browser Security AITMA Push Security report details how browser-based attacks โ AITM phishing, ClickFix, malicious OAuth apps, and session hijacking โ are driving major breaches while existing security controls fail to detect them. The browser is becoming the primary attack surface.
Network Appliance CVEs Under Rapid Mass Exploitation
Pattern Edge DevicesToday's report shows 3 separate network appliance vendors (Citrix, F5, Fortinet) with critical CVEs being actively exploited simultaneously. The window between disclosure and exploitation continues to shrink. Edge device patching is not optional โ it's a race.
State-Sponsored Mobile Exploitation Expanding
APT MobileStar Blizzard's adoption of the DarkSword iOS exploit kit signals Russian APTs expanding mobile targeting capabilities. Combined with Iran's AI-powered attack scaling, nation-state offensive capabilities are broadening faster than defensive coverage.