Secure MS Intune, Warns CISA After Stryker Wipe; Apple Background Security Improvements Launch; DarkSword iOS Exploit Kit

Following a March 11, 2026 cyberattack that wiped devices at medical technology company Stryker, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging organizations to harden their endpoint management system configurations, specifically Microsoft Intune, which was reportedly exploited by the attackers to execute the fleet-wide wipe. Microsoft published "Best Practices for Securing Microsoft Intune" on March 14, and CISA endorses their recommendations: 1. Restrict permissions using principles of least privilege, using role-based access control; 2. Enforce conditional access, phishing-resistant MFA, risk signals, and privileged access controls to ensure privileged access is "hard to obtain and hard to reuse;" and 3. Implement Multi Admin Approval restrictions for performing high-impact actions. As of March 19, 2026, the FBI has seized and taken down two websites used by a threat group called Handala, linked with the Iranian Ministry of Intelligence and Security, who claimed the attack, and whose logo appeared on affected devices, according to Stryker employees. Stryker's updates as of this writing indicate that their products, technologies, and communication channels with sales representatives are safe to use, but ordering and distribution is still recovering from disruptions.

Apple has released the first security update pushed via the "Background Security Improvements" feature, fixing a flaw in WebKit affecting iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. CVE-2026-20643 could allow maliciously crafted web content to bypass the Same Origin Policy due to a cross-origin issue in the Navigation API. Background Security Improvements (BSIs) are lightweight updates for system components "that benefit from smaller, ongoing security patches between software updates." The feature was introduced in version 26.1 of Apple OSes, and once activated through the Privacy & Security settings menu, it will automatically apply incremental patches without requiring a full OS upgrade. Apple notes that "if you choose to turn off this setting, your device will not receive these improvements until they're included in a subsequent software update," and that choosing to remove an installed BSI will remove all BSIs applied since the last baseline OS version update.

Coordinated research published by Google, iVerify, and Lookout describes an iOS exploit kit dubbed DarkSword that since November 2025 has been used by multiple spyware vendors and nation-state operatives to steal sensitive information from vulnerable devices. DarkSword exploits six vulnerabilities to drop three backdoors on vulnerable devices to facilitate exfiltration of sensitive information, including passwords, pictures, messaging app logs, browser histories, and data from Apple's Calendar, Notes, and Health apps. Exploitation requires a targeted iPhone user to visit a maliciously crafted website. DarkSword affects iOS 18.4 through 18.7, which Apple recently estimated accounts for nearly 25 percent of iPhone users. Users are urged to update to the most recent version of iOS. Reports of DarkSword follow close on the heels of the discovery of the Coruna iOS exploit kit.

The Qualys Threat Research Unit (TRU) is warning of a high severity privilege escalation flaw in components related to the Linux snap daemon, affecting Ubuntu Desktop version 24.04 (Noble Numbat) and later. CVE-2026-3888, CVSS score 7.8, allows an attacker to gain root privileges by re-creating snap's private /tmp directory with malicious payloads after systemd-tempfiles deletes it during automatic cleanup. "During the next sandbox initialization, snap-confine bind-mounts these files as root, allowing the execution of arbitrary code within the privileged context." Users running Ubuntu Desktop 24.04 and later should consult TRU's list of affected versions and immediately upgrade their snapd package to a patched release, and users running older versions should patch as well in case of non-default configurations that could behave similarly to this flaw. Qualys also mentions a race condition in the rm utility potentially allowing arbitrary file deletion as root or privilege escalation, discovered and mitigated during pre-release review of the uutils coreutils package for Ubuntu Desktop 25.10.

A high-severity deserialization of untrusted data vulnerability in Microsoft SharePoint (CVE-2026-20963) is being actively exploited. The vulnerability was initially disclosed on January 13, and Microsoft addressed the flaw in the January 2026 Patch Tuesday release. The vulnerability can be exploited to achieve remote code execution and affects multiple versions of SharePoint. Updates are available for SharePoint Server 2016, 2019, and Subscription Edition; SharePoint Server 2007, SharePoint Server 2010, and SharePoint Server 2013 are also affected, but are no longer supported and no updates are available for those versions. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on March 18 with a three-day mitigation window for Federal Civilian Executive Branch (FCEB) agencies: they have until Saturday, March 21 to address the issue in their systems.

A critical deserialization of untrusted data vulnerability in Cisco Secure Firewall Management Center (FMC) Software (CVE-2026-20131) is being actively exploited. The flaw allows an unauthenticated remote attacker to execute arbitrary Java code as root on an affected device. According to Amazon threat intelligence researchers, the vulnerability has been exploited by the Interlock ransomware group since January 2026. Cisco released an update to address the vulnerability on March 4, 2026, and has updated that advisory to reflect the fact that it is being actively exploited. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on March 19, with a three-day mitigation window for Federal Civilian Executive Branch (FCEB) agencies: they have until Sunday, March 22 to address the issue in their systems.

Researchers at Eclypsium have detected nine vulnerabilities affecting IP KVM (Keyboard, Video, Mouse over Internet Protocol) devices that could be exploited to compromise networks. The devices allow users to "control multiple computers with a single set of peripherals," accessing machines at the BIOS/UEFI level, or as Eclypsium put it, "below the operating system, below EDR, below every security control you have deployed." The vulnerabilities affect four different products: GL-iNet's Comet RM-1; Angeet/Yeeso's ES3 KVM; Sipeed's NanoKVM; and JetKVM. Of the four vulnerabilities in GL-iNet's Comet RM-1, fixes are being planned for two: a high-severity insufficient verification of firmware authenticity flaw (CVE-2026-32290) and a high-severity missing authentication for critical function flaw (CVE-2026-32291). Two other vulnerabilities — a critical improper restriction of excessive authentication attempts flaw (CVE-2026-32292) and a medium-severity improper certificate validation issue (CVE-2026-32293) — are addressed in Comet RM-1 v1.8.1 BETA. Fixes are not available for the two vulnerabilities in Angeet/Yeeso's ES3 KVM: a critical missing authentication for critical function flaw (CVE-2026-32297), and a high-severity OS command injection flaw (CVE-2026-32298). A high-severity missing authentication for critical function flaw (CVE-2026-32296) in Sipeed NanoKVM is fixed in NanoKVM v2.3.1 and NanoKVM Pro 1.2.4. A high-severity insufficient update verification issue (CVE-2026-32294), and a critical improper restriction of excessive authentication attempts issue (CVE-2026-32295) are addressed in JetKVM version 0.5.4.

Digital safety services company Aura says that a "phone phishing attack" resulted in the compromise of 900,000 records, the majority of which are from a marketing contact list that originated with a company Aura acquired in 2021. The list includes 35,000 current and former Aura customers. Compromised data include names, email addresses, physical addresses, and phone numbers. Washington-based employee benefits administrator Navia Benefit Solutions has notified Maine's Attorney General of a data security breach that compromised information belonging to nearly 2.7 million individuals. The incident was detected on January 23, 2026; the intruders appear to have accessed the data between December 22, 2025 and January 15, 2026. Comprised data include names, email addresses, birth dates, Social Security numbers, phone numbers, and health plan information. Robotic surgery instrument manufacturer Intuitive has disclosed that a phishing attack compromised "information from certain internal IT business applications." Intuitive stresses that their network infrastructure is segmented, noting that "the networks and infrastructure that support our internal IT business applications, our manufacturing operations, and our da Vinci and Ion platforms and digital products are separate." Hospital customer networks are also separate from Intrusive networks. In a statement regarding the incident, Intrusive writes, "the information accessed was obtained from an employee’s compromised access into Intuitive’s internal business administrative network. It includes some customer business and contact information, as well as Intuitive employee and corporate data."

Nordstrom customers have reported receiving cryptocurrency scam emails sent from an official corporate marketing email address. Screenshots show a message prompting the recipient to send cryptocurrency to specified addresses within two hours, promising to return double the deposited amount as part of a St. Patrick's Day promotion. A follow-up email assures customers that the previous message was unauthorized and should be disregarded, and that "Nordstrom will never ask customers to transact or otherwise transfer funds using cryptocurrency." A source known to BleepingComputer alleges that Nordstrom suffered a security breach through Okta SSO, which allowed the attacker to access the company's Salesforce Marketing Cloud and send the emails. Even when an email appears to come from an official address, users should not trust communications that attempt to induce a sense of urgency or contain suspicious errors, such as a heading reading "Normstrom" in this case.