Geopolitical Wiper Attacks, Microsoft Zero-Days, and Supply Chain Stealth
- SISA Weekly Threat Watch -
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. Geopolitical Conflict Drives Destructive Enterprise Attacks
State-aligned actors and hacktivists are explicitly targeting critical infrastructure and global enterprises, leveraging identity compromise and pre-positioned backdoors to cause massive operational disruption.
CRITICAL Advisory: Iran–Israel–US Escalation (BFSI Threat) — The cyber conflict has transitioned to direct, declared targeting of the global financial sector. Iranian-linked actors (MuddyWater) have been confirmed inside a US banking network, deploying new backdoors (Dindoor, Fakeset) and using the legitimate Rclone utility for data exfiltration. Hacktivist groups like NoName057(16) have aligned to introduce high-capacity DDoS threats against financial portals.
Handala Hack Group Wipes Stryker Infrastructure — In a massive destructive attack, the Handala group wiped over 200,000 endpoints and disrupted operations across 79 countries for medical technology giant Stryker. Rather than deploying traditional wiper malware, attackers compromised Microsoft Entra ID identities and abused the Microsoft Intune device management console to remotely factory-reset laptops and mobile devices.
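Because the Stryker wipe was driven through the MDM console rather than malware, the signal defenders have is a burst of remote wipe/retire actions from one identity. The following is an added illustration (not SISA's or Microsoft's code) of a sliding-window burst detector over audit records; the record field names and action labels are assumed and must be mapped to your own Intune/Entra audit-log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Remote actions treated as destructive. Field/action names are assumed; map them
# to the column names of your own Intune/Entra audit-log export before use.
WIPE_ACTIONS = {"wipe", "retire"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def mass_wipe_actors(events, window=timedelta(minutes=10), threshold=5):
    """Return {actor: peak wipes within any `window`} for actors at or above `threshold`.

    Per actor, timestamps are sorted and a sliding window advances `head` past
    events older than `window`, so peak is the largest burst, not a daily total."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"].lower() in WIPE_ACTIONS:
            by_actor[e["actor"]].append(parse_ts(e["ts"]))
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        head, peak = 0, 0
        for i, t in enumerate(times):
            while times[head] < t - window:
                head += 1
            peak = max(peak, i - head + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged

# Constructed sample: one admin identity issues six wipes in under a minute (the
# burst profile of a Handala-style attack), while a helpdesk account retires two
# devices a few minutes apart and also runs a harmless sync.
SAMPLE_EVENTS = [
    {"ts": f"2026-03-10T02:00:{10 * i:02d}Z", "actor": "admin-svc@corp.example",
     "action": "Wipe", "device": f"LT-{i:04d}"} for i in range(6)
] + [
    {"ts": "2026-03-10T09:15:00Z", "actor": "helpdesk@corp.example", "action": "Retire", "device": "LT-0200"},
    {"ts": "2026-03-10T09:19:00Z", "actor": "helpdesk@corp.example", "action": "Retire", "device": "LT-0201"},
    {"ts": "2026-03-10T09:20:00Z", "actor": "helpdesk@corp.example", "action": "Sync", "device": "LT-0202"},
]

if __name__ == "__main__":
    for actor, peak in mass_wipe_actors(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} issued {peak} wipe/retire actions within 10 minutes")
```

Tune `threshold` to the size of your largest legitimate retirement batch; a lower threshold outside change windows is a reasonable second rule.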
2. Perimeter and Core Infrastructure Under Fire
Attackers are targeting unpatched software and extracting sensitive credentials from edge devices to penetrate internal corporate networks.
Microsoft March 2026 Patch Tuesday (2 Zero-Days) — Microsoft addressed 79 vulnerabilities, including two publicly disclosed zero-days: an Elevation of Privilege in SQL Server (CVE-2026-21262) and a Denial of Service in .NET (CVE-2026-26127). The release also patches critical remote code execution (RCE) flaws in Microsoft Office (CVE-2026-26110, -26113) that trigger via the preview pane.
FortiGate NGFW Compromise via Stolen Credentials — Threat actors are exploiting recent Fortinet vulnerabilities or weak passwords to steal FortiGate configuration files. These files contain reversibly encrypted LDAP service account credentials, which attackers decrypt and use to authenticate directly to internal Active Directory environments, allowing them to deploy RMM tools and expand network access.
3. Sandbox Escapes, OS Flaws, and Developer Targeting
The tools used to automate workflows, secure operating systems, and write code are being actively subverted by sophisticated threat actors.
n8n Workflow Automation Platform RCE (CVE-2026-27577) — Multiple critical vulnerabilities in the n8n platform allow attackers to escape the expression sandbox and execute arbitrary commands on the host system. Unauthenticated attackers can exploit Form nodes (CVE-2026-27493) to achieve RCE, potentially exposing stored secrets like API keys, database passwords, and cloud tokens.
CrackArmor Vulnerabilities in Linux AppArmor — A cluster of nine vulnerabilities, dubbed “CrackArmor,” affects the Linux AppArmor security module. Present since kernel 4.11, these confused deputy flaws allow unprivileged local users to manipulate security profiles, bypass container isolation, trigger kernel panics, and escalate to root privileges by coercing trusted utilities like Sudo.
GlassWorm Supply Chain Campaign (Open VSX) — Attackers are compromising developer environments via malicious Open VSX extensions that impersonate legitimate tools. The campaign leverages transitive dependencies to silently install secondary payloads and uses invisible Unicode characters embedded in GitHub repositories to hide JavaScript loaders that steal developer credentials and tokens.
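The two GlassWorm mechanics above, silent transitive installs via extensionPack and loaders hidden behind invisible Unicode, can both be checked from an extension's own files. The following is an added example (not SISA's, Open VSX's or VS Code's code) that audits a parsed package.json and the bundled JavaScript; the set of "invisible" code points and the on-disk layout are assumptions for the example, not a GlassWorm signature.

```python
import json
import re
from pathlib import Path

# Invisible/format code points that have no place in shipped JavaScript: zero-width
# and bidi controls, the Unicode "tag" block, and variation selectors. This detection
# set is an assumption for the example, not a GlassWorm signature.
INVISIBLE_CLASS = ("[\u200b-\u200f\u2028-\u202e\u2060-\u2064\u2066-\u2069\ufeff"
                   "\ufe00-\ufe0f\U000e0000-\U000e007f\U000e0100-\U000e01ef]")

def hidden_runs(text, min_run=8):
    """(offset, length) of every run of >= min_run invisible code points.
    One or two such characters occur in legitimate i18n strings; a long run
    is a place where encoded bytes can be stashed in plain sight."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(INVISIBLE_CLASS + "{%d,}" % min_run, text)]

def pack_members(manifest):
    """Extensions an extensionPack pulls in transitively when this one is installed."""
    return list(manifest.get("extensionPack", []))

def audit_extension(manifest, js_sources, allowlist=frozenset()):
    """manifest: parsed package.json; js_sources: {relative path: file text}.
    Returns (check, detail) findings; an empty list means both checks passed."""
    findings = [("extensionPack", dep) for dep in pack_members(manifest)
                if dep.lower() not in allowlist]
    for path, src in js_sources.items():
        findings += [("hidden-unicode", f"{path}@{off}:{ln}") for off, ln in hidden_runs(src)]
    return findings

def audit_dir(ext_dir, allowlist=frozenset()):
    """Run both checks on an on-disk extension folder (e.g. ~/.vscode/extensions/<id>)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    js = {str(p.relative_to(ext_dir)): p.read_text(encoding="utf-8", errors="replace")
          for p in ext_dir.rglob("*.js")}
    return audit_extension(manifest, js, allowlist)

# Constructed sample: a lookalike extension whose pack pulls in an unknown helper and
# whose loader hides 13 bytes as Unicode tag characters right after a normal statement.
SAMPLE_MANIFEST = {"name": "prettier-plus", "publisher": "prettler",
                   "extensionPack": ["prettler.telemetry-helper"]}
SAMPLE_JS = {"out/extension.js": "const cfg = 'ok';"
             + "".join(chr(0xE0061 + (b % 26)) for b in b"payload-bytes")
             + "\nmodule.exports = {};"}

if __name__ == "__main__":
    for check, detail in audit_extension(SAMPLE_MANIFEST, SAMPLE_JS):
        print(f"{check}: {detail}")
```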
Proactive Steps for the Week
Protect Cloud Identity and MDM: Treat Microsoft Intune and Entra ID administrative consoles as Tier-0 infrastructure. Enforce FIDO2/phishing-resistant MFA and implement strict alerts for mass device wipe policies to prevent Handala-style destruction.
Patch Microsoft and Linux Core Systems: Apply the March 2026 Patch Tuesday updates immediately (prioritizing SQL Server and Office). Prepare to apply vendor kernel updates for the CrackArmor Linux AppArmor vulnerabilities as soon as they become available.
Rotate Edge Device Credentials: If operating FortiGate appliances, assume configurations may have been compromised. Immediately rotate all LDAP and Active Directory service account credentials bound to the firewall.
Secure Automation Platforms: Upgrade n8n to version 2.10.1 (or 1.123.22/2.9.3 depending on your branch) and restrict workflow creation permissions to prevent unauthenticated sandbox escapes.
Audit Developer Extensions: Review installed VS Code / Open VSX extensions for unexpected extensionPack relationships. Remove unrecognized extensions and monitor developer endpoints for obfuscated JavaScript execution.
Hunt for Geopolitical TTPs: Search networks for unauthorized Rclone usage, Deno runtime execution on non-developer hosts, and outbound connections to wasabisys.com or backblaze.com (MuddyWater IOCs).
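The hunt described in the last step, written out as an added example (not SISA tooling) over exported process and proxy logs: Rclone on hosts not approved to run it, Deno on hosts without a developer role, and any outbound connection whose destination is under the two storage domains named above. Log records are constructed and the field names and host-role labels are assumptions to be mapped to your EDR/proxy export.

```python
SUSPECT_DOMAINS = ("wasabisys.com", "backblaze.com")   # the advisory's MuddyWater IOCs
DEV_ROLES = {"developer", "build-agent"}                # assumed host-role labels

def domain_matches(host, suffixes=SUSPECT_DOMAINS):
    """True for the domain itself or any subdomain; 'notwasabisys.com' must not match."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def hunt_process(ev, rclone_allow=frozenset()):
    """Return a finding string for one process-start record, or None."""
    image = ev["image"].lower().rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # basename on either OS
    if image in {"rclone", "rclone.exe"} and ev["host"] not in rclone_allow:
        return "rclone on unapproved host"
    if image in {"deno", "deno.exe"} and ev.get("role") not in DEV_ROLES:
        return "deno runtime on non-developer host"
    return None

def hunt_network(ev):
    """Return a finding string for one proxy/DNS record, or None."""
    return "outbound to MuddyWater-linked storage" if domain_matches(ev["dest"]) else None

def hunt(process_events, network_events, rclone_allow=frozenset()):
    """Run both hunts and return (host, finding) pairs in log order."""
    hits = []
    for ev in process_events:
        finding = hunt_process(ev, rclone_allow)
        if finding:
            hits.append((ev["host"], finding))
    for ev in network_events:
        finding = hunt_network(ev)
        if finding:
            hits.append((ev["host"], finding))
    return hits

# Constructed sample records. BKP-01 is a backup server approved to run rclone;
# DEV-03 is a developer workstation where Deno is expected.
SAMPLE_PROCS = [
    {"host": "FIN-WS-22", "role": "finance", "image": "C:\\Users\\Public\\rclone.exe"},
    {"host": "BKP-01", "role": "backup", "image": "/usr/bin/rclone"},
    {"host": "HR-WS-07", "role": "hr", "image": "C:\\ProgramData\\deno.exe"},
    {"host": "DEV-03", "role": "developer", "image": "/home/dev/.deno/bin/deno"},
]
SAMPLE_NET = [
    {"host": "FIN-WS-22", "dest": "s3.us-east-1.wasabisys.com", "bytes_out": 1_800_000_000},
    {"host": "DEV-03", "dest": "api.github.com", "bytes_out": 2048},
    {"host": "FIN-WS-22", "dest": "notwasabisys.com", "bytes_out": 10},
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_PROCS, SAMPLE_NET, rclone_allow=frozenset({"BKP-01"})):
        print(f"{host}: {finding}")
```

A single host appearing in both the process and the network findings, as FIN-WS-22 does here, is the combination worth escalating first.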
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.