White House Shifts to Offensive Cyber Strategy; Iranian APT Breaches US Critical Infrastructure; Critical Flaws in Cisco, Android & VMware Exploited

ShinyHunters Cybercrime Group Exploits Misconfigured Salesforce Experience Cloud Sites in Mass Data Theft Campaign

The **[ShinyHunters](https://malpedia.caad.fkie.fraunhofer.de/actor/shinyhunters)** cybercrime group is actively exploiting widespread customer misconfigurations in **[Salesforce](https://www.salesforce.com/)** Experience Cloud, leading to data exfiltration from hundreds of organizations. According to a Salesforce advisory on March 7, 2026, the attackers are not exploiting a platform vulnerability but are abusing overly permissive guest user access settings. Using a modified open-source tool, ShinyHunters scans for public sites and queries exposed APIs (`/s/sfsites/aura` and GraphQL) to steal CRM data. The campaign, which began in late 2025, has prompted a FINRA alert, warning that the stolen data is being used for targeted phishing and extortion.

ShinyHuntersSalesforceExperience CloudData BreachMisconfiguration +4 more

ShinyHunters Exploits Salesforce Cloud Flaw, Steals Data from Hundreds of Orgs

Cloud Security

Threat Actor

Cognizant Subsidiary TriZetto Breach Exposes 3.4M Patients' Health Data

Cognizant's TriZetto Provider Solutions Discloses Massive Data Breach Affecting 3.4 Million Patients

TriZetto Provider Solutions (TPS), a healthcare technology subsidiary of IT giant **[Cognizant](https://www.cognizant.com)**, has disclosed a data breach that exposed the protected health information (PHI) of 3,433,965 individuals. Unauthorized actors gained access to a system handling insurance eligibility verification and remained undetected for approximately one year, from November 2024 to October 2025. The compromised data includes highly sensitive information such as names, Social Security numbers, dates of birth, and health insurance details, placing millions of patients at significant risk of identity theft and financial fraud. The incident highlights severe security gaps in the healthcare supply chain.

Data BreachHealthcareCognizantTriZettoHIPAA +3 more

Cognizant Subsidiary TriZetto Breach Exposes 3.4M Patients' Health Data

Supply Chain Attack

Regulatory

Genesis Ransomware Hits Healthcare Firm, Claims 100GB Data Theft

Genesis Ransomware Group Claims Attack on Sierra Management Group, Stealing 100GB of Sensitive Healthcare and Financial Data

The **Genesis** ransomware group has claimed responsibility for a cyberattack against Sierra Management Group, a California-based firm that provides management services to medical practices. In a dark web post on March 7, 2026, the group alleged it exfiltrated 100GB of highly sensitive data, including PII, healthcare records, and financial information. The attackers are using a double extortion tactic, threatening to leak the stolen data within days if their ransom demand is not met. This incident underscores the significant risk to the healthcare sector from supply chain attacks, as the compromised data belongs to patients of Sierra's clients.

RansomwareGenesisHealthcareData BreachDouble Extortion +1 more

Ransomware

Supply Chain Attack

Phishing Campaign Delivers Signed Malware via Fake Zoom/Teams Invites

Fake Zoom and Teams Meeting Invites Deliver Malware Signed with Stolen EV Certificate

A sophisticated phishing campaign is targeting corporate employees with fake Zoom and Microsoft Teams meeting invitations. The attack, identified by **[Microsoft](https://www.microsoft.com/security)**, uses social engineering to trick users into downloading a supposed client update. The malware installer is signed with a stolen Extended Validation (EV) digital certificate from 'TrustConnect Software PTY LTD', allowing it to bypass security checks and appear legitimate. Once executed, the malware uses PowerShell to deploy legitimate remote monitoring and management (RMM) tools like ScreenConnect and MeshAgent, giving attackers persistent access to the victim's network for future attacks, such as ransomware deployment.

PhishingMalwareCode SigningEV CertificateRMM +3 more

Phishing

Malware

Supply Chain Attack

New Russian Malware 'BadPaw' & 'MeowMeow' Target Ukraine; 'Starkiller' Phishing Tool Bypasses MFA

Russian-Led Campaign Deploys New Malware in Ukraine; Separate 'Starkiller' Phishing Tool Emerges to Bypass MFA

Two distinct but significant threats have emerged. First, a new Russian-led cyber campaign is targeting Ukrainian organizations with two previously unknown malware families, **BadPaw** and **MeowMeow**. The attack uses a phishing lure disguised as a border crossing document to deploy a backdoor. Second, a powerful new Phishing-as-a-Service (PhaaS) tool named **Starkiller** has been identified. Starkiller is designed to defeat multi-factor authentication (MFA) by using real-time request proxying and headless browsers to steal not just credentials, but the post-authentication session tokens needed to hijack active user sessions.

MalwareBadPawMeowMeowPhishingStarkiller +4 more

Malware

Threat Actor

Phishing

Hacker 'GhostCrawl' Claims Breach of Cybersecurity Firm Team4Security

MEDIUM

Threat Actor 'GhostCrawl' Alleges Data Breach of Cybersecurity Firm Team4Security, Demands Ransom

On March 7, 2026, a threat actor using the alias 'GhostCrawl' posted a claim on the 'Breachforums' hacking forum, alleging they had breached the cybersecurity firm Team4Security. The actor demanded a ransom of $2,350, threatening to leak confidential files, company 'secrets', and security vulnerabilities if the payment was not made within 24 hours. The post is an extortion attempt, and the claims remain unverified. However, the incident highlights that cybersecurity firms themselves are high-value targets for attackers seeking to cause reputational damage or extort money.

ExtortionData BreachHacking ForumBreachforumsGhostCrawl +1 more

3 min read

Hacker 'GhostCrawl' Claims Breach of Cybersecurity Firm Team4Security

Cyberattack

Updated Articles (2)

Boggy Serpens (MuddyWater) APT Targets UAE Energy Firm in Sustained Espionage Campaign

APTBoggy SerpensMuddyWaterCyber EspionageThreat Actor +3 more

Palo Alto Networks' Unit 42 Uncovers Sustained Campaign by Boggy Serpens APT Against UAE Marine and Energy Company

Update:

The Iranian APT group MuddyWater, also known as Seedworm, has expanded its operations, now targeting U.S. critical infrastructure including a bank, an airport, and a defense software supplier. This new campaign, active since February 2026, utilizes novel malware families: 'Dindoor,' a Deno-based backdoor, and 'Fakeset,' a Python-based backdoor. Attackers were also observed using the legitimate tool Rclone for data exfiltration to cloud storage. This represents an evolution in the group's toolset and a significant expansion of their targeting scope beyond the UAE energy sector, indicating increased threat to Western interests.

February 11, 2026

Updated: March 7, 2026

6 min read

Boggy Serpens (MuddyWater) APT Targets UAE Energy Firm in Sustained Espionage Campaign

Threat Actor

Cyberattack

Threat Intelligence

CISA Adds VMware Aria RCE Flaw to 'Must-Patch' KEV List, Confirming Active Exploitation

VMware Aria Operations RCE Flaw (CVE-2026-22719) Added to CISA's Known Exploited Vulnerabilities Catalog

Update:

The latest intelligence on CVE-2026-22719, a critical RCE flaw in VMware Aria Operations, now includes specific affected versions: Aria Operations 8.x (fixed in 8.18.6), VMware Cloud Foundation 9.x.x.x (fixed in 9.0.2.0), and VMware vSphere Foundation 9.x.x.x (fixed in 9.0.2.0). Additionally, new cyber observables have been identified to aid detection, such as monitoring for 'bash', 'sh', or 'powershell.exe' processes spawned by the Java application, unexpected migration workflow initiations in Aria Audit Logs, anomalous outbound network connections, and suspicious file creation in '/tmp' or '/var/tmp' directories. These details provide crucial guidance for organizations to identify and remediate compromised systems more effectively.

March 6, 2026

Updated: March 7, 2026