Urgent Cybersecurity Alerts March 20, 2026: Tax Scams, Botnet Disruptions, and More

The past 24 hours have witnessed a surge in cybersecurity incidents, from sophisticated tax scams to state-sponsored cyberattacks and large-scale botnet disruptions. This digest covers critical updates, including warnings from the U.S. Federal Trade Commission (FTC) on AI-driven tax fraud, an Iran-linked cyberattack targeting Microsoft Intune, a global crackdown on IoT botnets, and a high-profile data leak at Meta.

Iran-Linked Cyberattack on Microsoft Intune

A destructive cyberattack on U.S. medical technology firm Stryker (March 11, 2026) has exposed vulnerabilities in Microsoft Intune, an endpoint management platform widely used by financial institutions. The attack, attributed to Iranian state-sponsored group Handala Hack, disrupted Stryker’s global operations, including manufacturing and shipping. The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert (March 18) urging organizations to harden Intune against wiper attacks—malicious campaigns designed to delete servers and workstations.

Attack Vector: Handala Hack used phishing to steal credentials, then exploited Intune’s administrative access to deploy wipers. Unlike ransomware, these attacks aim for ‘pure disruption’ rather than financial gain. Israel’s National Cyber Directorate warned of similar incidents where attackers deleted entire corporate networks.

Mitigation Strategies:

  • Least Privilege: Restrict Intune roles (e.g., Global Administrator) to essential tasks using role-based access control (RBAC) and just-in-time (JIT) access.
  • Phishing-Resistant MFA: Replace SMS/app-based MFA with FIDO/WebAuthn protocols, per CISA’s ‘gold standard’ recommendation.
  • Multi-Admin Approval: Require secondary approval for high-risk actions (e.g., device wipes) to prevent single-point compromises.
  • Offline Backups: Maintain immutable, air-gapped backups to recover from wipe attacks.
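The "least privilege" and "multi-admin approval" items above are preventive controls; the complementary detective control is to watch the Intune audit trail for an administrator issuing many destructive device actions in a short span, which is what a wiper deployment through a compromised admin account looks like. The following Python is an added example written for this digest, not code from the article, CISA or Microsoft: it runs a per-actor sliding window over constructed sample events whose field names (`activityDateTime`, `actor`, `activityType`, `resource`) are a simplified assumption loosely modelled on Microsoft Graph `deviceManagement/auditEvents` records, and the threshold and window are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data). The field names loosely
# follow Microsoft Graph deviceManagement/auditEvents records, but this shape
# is a simplified assumption made for the example.
SAMPLE_EVENTS = [
    {"activityDateTime": "2026-03-11T02:00:05Z", "actor": "helpdesk@example.com",
     "activityType": "wipe ManagedDevice", "resource": "LAPTOP-0101"},
    {"activityDateTime": "2026-03-11T02:00:09Z", "actor": "helpdesk@example.com",
     "activityType": "wipe ManagedDevice", "resource": "LAPTOP-0102"},
    {"activityDateTime": "2026-03-11T02:00:14Z", "actor": "helpdesk@example.com",
     "activityType": "wipe ManagedDevice", "resource": "LAPTOP-0103"},
    {"activityDateTime": "2026-03-11T02:00:20Z", "actor": "helpdesk@example.com",
     "activityType": "wipe ManagedDevice", "resource": "WKS-0217"},
    {"activityDateTime": "2026-03-11T02:00:27Z", "actor": "helpdesk@example.com",
     "activityType": "wipe ManagedDevice", "resource": "WKS-0218"},
    {"activityDateTime": "2026-03-11T02:00:33Z", "actor": "helpdesk@example.com",
     "activityType": "wipe ManagedDevice", "resource": "SRV-MFG-03"},
    {"activityDateTime": "2026-03-11T09:15:00Z", "actor": "it.ops@example.com",
     "activityType": "retire ManagedDevice", "resource": "LAPTOP-0042"},
    {"activityDateTime": "2026-03-11T09:40:00Z", "actor": "it.ops@example.com",
     "activityType": "patch DeviceConfiguration", "resource": "Baseline-Win11"},
    {"activityDateTime": "2026-03-11T16:05:00Z", "actor": "it.ops@example.com",
     "activityType": "wipe ManagedDevice", "resource": "LAPTOP-0077"},
]

# Verbs that destroy or detach a device; "patch", "get", "create" are benign.
DESTRUCTIVE_VERBS = {"wipe", "retire", "delete"}


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_destructive(event):
    """True when the activity's verb (its first word) is in DESTRUCTIVE_VERBS."""
    return event["activityType"].split()[0].lower() in DESTRUCTIVE_VERBS


def destructive_actions_per_actor(events):
    """Count destructive actions per actor over the whole event set."""
    counts = defaultdict(int)
    for event in events:
        if is_destructive(event):
            counts[event["actor"]] += 1
    return dict(counts)


def bulk_wipe_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag any actor issuing >= threshold destructive actions inside `window`.

    Slides a window over each actor's time-sorted destructive events and
    reports the densest window found for that actor (assumed tuning values).
    """
    per_actor = defaultdict(list)
    for event in events:
        if is_destructive(event):
            per_actor[event["actor"]].append(
                (parse_time(event["activityDateTime"]), event["resource"]))

    alerts = []
    for actor, items in per_actor.items():
        items.sort()
        start = 0
        best = None
        for end in range(len(items)):
            # Advance the window start until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "actor": actor,
                    "count": count,
                    "window_start": items[start][0].isoformat(),
                    "window_end": items[end][0].isoformat(),
                    "devices": [resource for _, resource in items[start:end + 1]],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in bulk_wipe_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']}: {alert['count']} destructive actions "
              f"between {alert['window_start']} and {alert['window_end']}: "
              f"{', '.join(alert['devices'])}")
    print("Totals:", destructive_actions_per_actor(SAMPLE_EVENTS))
```

On the sample data the help-desk account trips the rule with six wipes in under a minute while the routine retire-and-wipe pattern of the operations account stays below threshold; in production the alert would also be a natural trigger for the multi-admin approval hold and for suspending the actor's JIT-elevated role.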



Global Takedown of IoT Botnets Behind Record 30 Tbps DDoS Attacks

The U.S. Department of Justice (DOJ), in coordination with Germany and Canada, disrupted four IoT botnets (Aisuru, KimWolf, JackSkid, and Mossad) responsible for hundreds of thousands of DDoS attacks, including strikes on U.S. Department of Defense systems. The botnets, comprising 3 million+ compromised devices (routers, IP cameras, DVRs), generated traffic bursts exceeding 30 terabits per second (Tbps), with one attack peaking at 31.4 Tbps, among the largest ever recorded.

Modus Operandi:

  • Exploiting Weak Credentials: Devices with default passwords or unpatched firmware were hijacked to form botnet armies.
  • DDoS-for-Hire: Operators monetized access by offering rental attack services and extorting victims.

Disruption Tactics: Authorities seized command-and-control (C2) domains, severing the botnets’ ability to coordinate attacks. However, infected devices remain vulnerable without firmware updates.

Ongoing Risks: Experts warn that millions of insecure IoT devices persist as recruitment pools for future botnets. Cloudflare previously flagged Aisuru for multi-terabit attacks.
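A C2 domain seizure does not clean the infected devices: they keep trying to resolve the seized names, and that beaconing is exactly what a network defender can use to find them. The following Python is an added example for this digest, not code from the article or from any of the agencies involved: it scans constructed resolver log lines for lookups of seized C2 domains (the two `c2-placeholder-*.example` names are placeholders standing in for the real names published in takedown notices) and reports which internal clients queried them, noting whether each sits on the assumed IoT address range `10.50.0.0/16`.

```python
import ipaddress

# PLACEHOLDER names: the real seized/sinkholed C2 domains come from the
# takedown notices and threat-intel feeds, not from this example.
SEIZED_C2_DOMAINS = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Assumed address range for the IoT VLAN (cameras, DVRs, routers).
IOT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]

# Constructed resolver log: "<timestamp> <client ip> <queried name>".
SAMPLE_DNS_LOG = """\
2026-03-19T01:02:03Z 10.50.3.21 www.example.com
2026-03-19T01:02:04Z 10.50.3.21 c2-placeholder-1.example
2026-03-19T01:02:35Z 10.50.3.21 c2-placeholder-1.example
2026-03-19T01:03:06Z 10.50.3.21 api.c2-placeholder-1.example
2026-03-19T01:03:10Z 10.50.7.9 c2-placeholder-2.example
2026-03-19T01:03:11Z 10.20.1.5 c2-placeholder-1.example
2026-03-19T01:04:00Z 10.50.3.22 time.example.net
"""


def parse_dns_log(text):
    """Yield (timestamp, client_ip, name) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        timestamp, client, name = parts
        # Normalise trailing dots and case so suffix matching is reliable.
        yield timestamp, client, name.rstrip(".").lower()


def is_seized(name):
    """Match the seized domain itself or any subdomain of it."""
    return any(name == d or name.endswith("." + d) for d in SEIZED_C2_DOMAINS)


def in_iot_segment(client):
    """True when the client address falls inside an assumed IoT network."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in IOT_NETWORKS)


def suspected_bots(log_text):
    """Return {client_ip: {"queries", "domains", "iot_segment", "first_seen"}}
    for every client that looked up a seized C2 domain."""
    findings = {}
    for timestamp, client, name in parse_dns_log(log_text):
        if not is_seized(name):
            continue
        entry = findings.setdefault(client, {
            "queries": 0,
            "domains": set(),
            "iot_segment": in_iot_segment(client),
            "first_seen": timestamp,
        })
        entry["queries"] += 1
        entry["domains"].add(name)
    for entry in findings.values():
        entry["domains"] = sorted(entry["domains"])
    return findings


if __name__ == "__main__":
    for client, entry in sorted(suspected_bots(SAMPLE_DNS_LOG).items()):
        segment = "IoT segment" if entry["iot_segment"] else "NON-IoT segment"
        print(f"{client} ({segment}): {entry['queries']} lookups of "
              f"{', '.join(entry['domains'])}, first seen {entry['first_seen']}")
```

The repeated lookups at roughly 30-second intervals from `10.50.3.21` are the beaconing pattern to expect from an infected camera or DVR; the hit from `10.20.1.5`, outside the IoT range, is the more urgent finding, since it means a device on a general-purpose segment is running the same implant and the firmware-update or replacement work the article calls for has to extend beyond the IoT VLAN.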

Meta AI Agent Causes Data Leak

An AI agent at Meta (Facebook’s parent company) instructed an engineer to implement a solution that exposed sensitive user and company data to employees for two hours. The incident occurred when an employee sought help on an internal forum, and the AI’s response led to unintended data exposure. Meta confirmed the breach but did not disclose the scope of affected data. This incident is part of a broader trend of AI-induced operational disruptions. The NASA Artemis II mission faced delays due to a hydrogen leak, and a French navy security lapse revealed an aircraft carrier’s location via a sailor’s Strava fitness app.

Broader Implications: The incident underscores the risk of over-relying on AI agents in critical workflows. Meta’s internal investigation is ongoing. The breach highlights the need for stringent governance and oversight of AI implementations, and organizations should weigh the potential risks and unintended consequences before integrating AI into operational processes.

Final words

The recent surge in cybersecurity incidents underscores the evolving sophistication of threats, from AI-enhanced scams to state-backed disruption campaigns. Proactive defense, combining technical controls, user education, and international cooperation, is essential to mitigate risks. Stay informed and vigilant to protect against these growing threats. Read more about these incidents and how to safeguard your data.
