Stryker Devices Wiped in Attack Abusing MS Intune: Apple Patches EOL Devices Against Coruna Flaws; SocksEscort Disrupted by Internat'l Operation

On Wednesday, March 11, 2026, Michigan-based medical technology supplier Stryker reported a "global network disruption to [its] Microsoft environment as the result of a cyberattack." According to news sources, the attack wiped devices managed by Stryker's network, including both corporate and personal computers and mobile devices, and led to thousands of employees being sent home and cut off from corporate email systems and other work platforms. A source known to Brian Krebs believes that the affected devices were managed and remotely wiped by Microsoft Intune, a cloud-based endpoint management service. Stryker believes the incident is contained, and has found no evidence of ransomware or malware. Ongoing updates to the security notice state that business continuity measures are in place; the electronic ordering system is undergoing restoration and orders will be processed once communications return; email and phone communication with Stryker employees is safe; and there is no impact to Mako, Vocera, or LIFEPAK devices, nor to the LIFENET service. Users should contact their electronic patient care reporting (ePCR) vendor or hospital administrator if their ePCR or hospital systems have temporarily paused transmissions. A social media post on the same day alleges responsibility for the attack by a threat group called Handala, linked with the Iranian Ministry of Intelligence and Security; some Stryker employees working at the company's hub in Cork, Ireland, have reported a Handala logo appearing on affected devices. External advisors and cybersecurity experts are aiding ongoing investigation into the scope, nature, and operational and financial impacts of the attack, according to the company's 8-K filing, but Stryker foresees ongoing disruptions and limitations, with an unknown timeline for full restoration.

Apple has released updates for older versions of iOS and iPadOS to address several vulnerabilities leveraged by the Coruna exploit kit; the fixed vulnerabilities include a use-after-free issue in the kernel (CVE-2023-41974); a type confusion issue (CVE-2024-23222) in WEbKit; a use-after-free issue in WebKit (CVE-2023-43000); and an unspecified vulnerability (CVE-2023-43010) in WebKit, the description for which notes that processing maliciously crafted web content may lead to memory corruption and that the issue was addressed with improved memory handling. In a write-up of Coruna earlier this month, Google Threat Intelligence Group states that the exploit kit "contain[s] five full iOS exploit chains and a total of 23 exploits." Coruna has 12 associated CVEs, three of which (CVE-2021-30952, CVE-2023-43000, and CVE-2023-41974) were added to the US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog on March 5, 2026. (See NewsBites Vol. 28, No. 18 from Tuesday, March 10, 2026, for more details.)

On Wednesday, March 11, 2026, Europol, in collaboration with law enforcement agencies from multiple countries as well as Eurojust, executed Operation Lightning, which disrupted operations of the SocksEscort proxy network. Law enforcement agents took down and seized 34 domains and 23 servers in seven countries. US law enforcement agents froze US $3.5 million in cryptocurrency. The investigation began in June 2025 in response to a Europol Joint Cyberaction Task Force (J-CAT) case that revealed a botnet comprising numerous infected devices, many of which were home and small business routers. SocksEscort sold access to this botnet to cybercriminals wishing to hide their actual IP addresses and locations. Countries participating in the operation include Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the US. The operation was also supported by private sector partners, including Lumen’s Black Lotus Labs and the Shadowserver Foundation.

A February 2025 cyberattack that targeted Milwaukee-based Bell Ambulance compromised protected health information (PHI) belonging to more than 235,000 individuals. Bell Ambulance detected anomalous activity on its network on February 13, 2025. At that time, a third-party investigation revealed that PHI belonging to 114,000 individuals had been compromised. Those people were notified in April 2025. A year-long internal review of the incident, which concluded on February 20, 2026, revealed that the breach affected PHI of 237,830 individuals; letters have been sent to all those affected. The compromised data include first and last names, birth dates, Social Security numbers, driver’s license numbers, financial account information, medical information, and health insurance information.

On Tuesday, March 10, Microsoft released updates to address more than 80 vulnerabilities in its products. For the first time in six months, none of the vulnerabilities fixed in Microsoft's monthly security release are being actively exploited. Two of the vulnerabilities, an SQL Server Elevation of Privilege Vulnerability (CVE-2026-21262) and a .NET Denial of Service Vulnerability (CVE-2026-26127), were publicly known prior to the release. Eight of the vulnerabilities are rated critical. Of those, five affect cloud tools and do not require customer action to patch; the other three critical flaws affect Excel and Office.

Earlier this week, SAP, Adobe, HPE, Cisco, and others released security updates. SAP released 15 new security notes, including two that address critical vulnerabilities: a code injection vulnerability in SAP Quotation Management Insurance application (FS-QUO, CVE-2019-17571) and an insecure deserialization in SAP NetWeaver Enterprise Portal Administration (CVE-2026-27685). Adobe released updates to address 80 vulnerabilities, including four critical flaws in Adobe Commerce and Magento Open Source and five critical flaws in Adobe Illustrator. HPE released fixes for five vulnerabilities in Aruba Networking AOS-CX, including a critical authentication bypass issue in Web Interface (CVE-2026-23813). Cisco published four advisories to address multiple vulnerabilities in Cisco IOS XR Egress Packet Network Interface Aligner Interrupt, Cisco IOS XR Software Multi-Instance Intermediate System-to-Intermediate System, Cisco IOS XR Software, and Multiple Cisco Contact Center Products.

On Wednesday, March 11, the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical remote code execution via expression injection vulnerability in n8n to the Known Exploited Vulnerabilities (KEV) catalog. The flaw could be exploited to execute arbitrary code with privileges of the n8n process. The vulnerability was first disclosed in December 2025; CISA has confirmed that it is now being actively exploited. US Federal Civilian Executive Branch (FCEB) agencies have until March 25 to mitigate the issue. On Monday, March 9, CISA added three vulnerabilities to KEV: one high-severity flaw in Ivanti Endpoint Manager (CVE-2026-1603) and one high severity server-side request forgery issue in Omnissa Workspace One UEM, formerly known as VMware Workspace One UEM (CVE-2021-22054) — both of which have mitigation due dates of March 23 — and one critical deserialization of untrusted data vulnerability in SolarWinds Web Help Desk (CVE-2025-26399) that has a mitigation deadline of Thursday, March 12.

The CERT Coordination Center (CERT/CC) has published a notice describing a new attack technique that uses a malformed ZIP file to bypass antivirus detection. Metadata indicates which processes must be performed on files by the antivirus software before a security scan (such as decompression), so if an attacker falsifies the compression method flag, the software will scan the file as though it contains uncompressed data when in fact the contents are still DEFLATE compressed, causing the scan to miss any signatures. When the cyclic redundancy field (CRC) is also mismatched, common tools such as 7-Zip, unzip, or WinRAR will be unable to extract the contents, but a "purpose-built loader that ignores the declared method" can still decompress the malformed file and extract a potentially malicious payload. Chris Aziz of Bombadil Systems discovered this technique and dubbed it “Zombie ZIP.” Aziz states that all but one of 51 tested engines on VirusTotal can be bypassed using this technique. CVE-2026-0866 has been reserved by a CVE Numbering Authority (CNA), and CERT/CC tracks this as VU#976247, but there is disagreement about the categorization — Cisco has issued a statement that while they will take it into consideration for future releases, "this is not considered a vulnerability, but rather, a hardening suggestion." CERT/CC recommends that scans not rely on declared metadata, and also that antivirus and EDR tools include "more aggressive detection modes to validate compression method fields against actual content characteristics, and flag inconsistencies for further inspection."

Researchers at Lumen's Black Lotus Labs have observed the infrastructure of a botnet that comprises routers and other network devices. In all, more than 14,000 devices have been infected with malware the researchers call KadNap. More than 60 percent of the infected devices are located in the US. The Black Lotus Labs team writes, "KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring." The infected edge devices use that protocol to find and connect with command-and-control (C2) servers, which are fairly well camouflaged from defenders.