Cybersecurity Incidents and Alerts March 2026 Roundup – Phishing Takedowns, State-Sponsored Attacks and Emerging Threats

March 2026 witnessed a surge in high-impact cybersecurity incidents, including global phishing takedowns, state-sponsored attacks, and critical vulnerabilities in SD-WAN systems.

Cisco SD-WAN Vulnerabilities Under Active Exploitation

Following the successful takedown of LabHost, attention shifted to critical infrastructure vulnerabilities. Cisco issued urgent warnings about two new SD-WAN vulnerabilities, CVE-2026-20122 and CVE-2026-20128, currently under active exploitation. These flaws affect Cisco Catalyst SD-WAN Manager, allowing attackers to overwrite arbitrary files or escalate privileges on compromised systems. The Cisco Talos team emphasized the need for immediate patching to mitigate risks, as these vulnerabilities pose significant threats to enterprise networks. These incidents highlight the persistent targeting of SD-WAN systems, underscoring their pivotal role in modern network architectures. For more information, see the related article.


Cisco’s warnings follow a Five Eyes intelligence alert about attackers targeting SD-WAN infrastructure. The sophisticated threat actor UAT-8616 is linked to these exploits. Cisco’s Talos team noted that exploitation of CVE-2026-20127 may date back to 2023, emphasizing the need for proactive vulnerability management. The new advisories lack indicators of compromise (IoCs), but immediate patching is strongly recommended to secure networks. This highlights the ongoing threat to critical infrastructure, following the recent China-linked attacks on South American telecom systems. For more information, see the related article.

China-Linked APT Group Deploys Novel Malware in South American Telecom Attacks

Cisco Talos has identified a sophisticated China-linked APT group (UAT-9244) targeting South American telecom infrastructure since 2024. The group, associated with FamousSparrow and Salt Typhoon, has deployed three new implants: TernDoor, PeerTime, and BruteEntry. These tools facilitate process manipulation, file operations, and brute-force scanning, indicating a well-organized and persistent threat.

TernDoor is a Windows backdoor that uses DLL side-loading via wsprint.exe and BugSplatRc64.dll. It handles file operations and C2 communication, and uses a custom driver to hide its components. PeerTime, a Linux P2P backdoor, uses BitTorrent for C2 communication and exfiltration; it exists in C/C++ and Rust variants and checks for Docker environments to evade detection. BruteEntry is a scanner installed on edge devices, turning them into proxy nodes for attacking servers. Debug strings in Simplified Chinese suggest state sponsorship.

The initial access methods remain unclear, but past campaigns exploited outdated Windows/Microsoft Exchange servers. The use of custom malware and operational relay boxes (ORB) reflects a highly organized and persistent threat. For more details, refer to the source article.

Middle East Cyberattacks Surge Amid Geopolitical Tensions

A coordinated military campaign by the U.S. and Israel against Iran triggered a wave of cyberattacks across 16 countries. Radware reported 149 DDoS incidents targeting 110 organizations, with hacktivist groups like Hider Nex and Keymous+/DieNet accounting for 70% of attacks. The attacks combined DDoS, hack-and-leak tactics, and espionage, reflecting the blurring lines between hacktivism and state-sponsored operations.

The geopolitical conflict led to focused attacks on critical infrastructure, such as the Iron Dome air-defense system. Pro-Russian groups, including Cardinal and Russian Legion, claimed breaches of Israeli military networks, highlighting escalating tensions and the use of cyber warfare as a strategic tool. SMS phishing campaigns targeted the RedAlert app, a mobile early-warning system, likely to implant spyware.

Additionally, the resurfacing of old threats like Cotton Sandstorm, rebranded as Altoufan Team, underscores the persistent nature of cyber threats amid geopolitical conflicts. These incidents emphasize the need for enhanced cybersecurity measures and international cooperation. For more insights, visit the related article. For an in-depth discussion on cyber-kinetic conflicts, refer to the article on cyber-kinetic conflicts.

Final words

The surge in cybersecurity incidents during March 2026 underscores the need for continuous vigilance and proactive measures. Phishing-as-a-Service platforms, critical infrastructure vulnerabilities, and state-sponsored attacks highlight the evolving threat landscape. Organizations must prioritize user education, patch management, and robust threat intelligence to safeguard against these emerging threats.
