Weekly Cyber Briefing 13.03.2026

Weekly Cyber Update: 13 March 2026

A new ShinyHunters campaign targets Salesforce customers and US firm Stryker reels from an Iranian attack; WordPress sites are hijacked to distribute infostealers; n8n customers are urged to patch; and Google sounds the alarm over exploited vulnerabilities.

The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.


Iran’s Stryker attack is a warning shot for Western firms

Pro-Iranian hackers Handala (Cobalt Mystique) have notched up the regime’s first major digital victory since the beginning of the war with the US/Israel. They breached US medtech firm Stryker and reportedly wiped 200,000 devices via Microsoft Intune, as well as defacing Entra ID login pages. The $23bn-revenue firm is still assessing the damage but admitted that the “attack has resulted in a global disruption to the company’s Microsoft environment”. The Iranian attackers claimed the firm’s offices were shut in scores of countries and that they stole 50TB of data.

Why it matters

The attack could mark the start of a new period of cyber hostilities with the West, with UK firms potentially targeted.

Assured’s recommended action

Review Azure/Entra ID conditional access policies, especially those related to privileged accounts and device management permissions. Confirm Intune/MDM admin privileges can’t be abused to push device wipe or configuration changes. Increase monitoring of privileged identity activity across Intune, Azure and endpoint management environments.

Combine this with targeted threat hunting for persistence mechanisms, including Python tooling, scheduled tasks and PowerShell activity. Ensure backups are isolated and recovery processes tested – including the ability to rebuild endpoints at scale.
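One way to monitor for the mass-wipe pattern described above, as an added example that is not code from the briefing or from Microsoft: it flags an actor issuing a burst of destructive Intune remote actions. The records mimic the Microsoft Graph deviceManagement auditEvent shape (activityDateTime, activityType, actor, resources), but the events and activityType strings are constructed samples, not real telemetry.

```python
"""Added example, not code from the briefing or from Microsoft: flag a burst
of destructive Intune remote actions (wipe/retire) by one actor, the pattern
behind the mass wipe described above. Records mimic the Microsoft Graph
deviceManagement auditEvent shape (activityDateTime, activityType, actor,
resources); the events and activityType strings are constructed samples."""
from collections import defaultdict
from datetime import datetime, timedelta

DESTRUCTIVE = ("wipe", "retire", "delete")  # substrings of activityType to watch


def _event(ts, activity, upn, device):
    return {"activityDateTime": ts, "activityType": activity,
            "actor": {"userPrincipalName": upn},
            "resources": [{"displayName": device}]}


# Constructed: one admin issues a wipe a minute for 25 minutes; the helpdesk
# account wipes a single lost laptop and edits a policy, which is routine.
SAMPLE_EVENTS = [
    _event(f"2026-03-09T02:{m:02d}:05Z", "wipe ManagedDevice",
           "admin1@example.test", f"LAPTOP-{m:04d}") for m in range(25)
] + [
    _event("2026-03-09T09:15:00Z", "wipe ManagedDevice",
           "helpdesk@example.test", "LAPTOP-9999"),
    _event("2026-03-09T09:20:00Z", "patch DeviceCompliancePolicy",
           "helpdesk@example.test", "Baseline policy"),
]


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {actor: peak_count} for actors with >= threshold destructive
    actions inside any sliding window of length `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if any(k in ev["activityType"].lower() for k in DESTRUCTIVE):
            ts = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
            by_actor[ev["actor"]["userPrincipalName"]].append(ts)
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink the window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), count)
    return alerts


if __name__ == "__main__":
    for actor, peak in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} issued {peak} destructive actions within 10 minutes")
```

Tune the window and threshold to your own tenant's normal retire/wipe volume; the helpdesk account in the sample stays below the threshold while the 25-device burst is flagged.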


ShinyHunters warns of new Salesforce campaign

Notorious threat group ShinyHunters has claimed to have compromised around 100 “high-profile companies”, including cybersecurity vendors, after targeting misconfigured Experience Cloud websites. The group appears to have used a custom version of the open-source AuraInspector tool to scan /s/sfsites/aura API endpoints, identify CRM objects, and extract data, including names and phone numbers. It may have compromised as many as 400 websites this way.

Why it matters

Based on information gleaned from these website attacks, the group appears to have launched follow-on vishing attacks to enable broader network intrusion and data exfiltration. Even if your organisation isn’t the original target, it may be hit with these social engineering attempts.

Assured’s recommended action

Experience Cloud customers should follow Salesforce’s advice to secure their website infrastructure and review Event Monitoring logs for suspicious access patterns. Update security awareness training to mitigate vishing attempts, and harden helpdesk password reset processes with out-of-band verification or similar measures.


Vulnerability exploits twice as likely as credentials to result in Google Cloud breaches

Exploits of flaws in third-party software accounted for far more instances of initial access in 2H 2025 (44.5%) than weak or absent credentials (27.2%), according to new Google Cloud analysis of breaches. Remote code execution (RCE) flaws were most commonly exploited, especially React2Shell (CVE-2025-55182) and the XWiki flaw (CVE-2025-24893). The exploitation window also shrank from weeks to just days in the second half of 2025.

Why it matters

Google Cloud claims the change is due to its security-by-default strategy for accounts and credentials. But as one avenue for initial access is blocked, threat actors gravitate to another. Most attacks analysed by Google were focused on data theft and extortion (73%), as well as BEC (10%).

Assured’s recommended action

To mitigate vulnerability exploitation, broadly follow Google’s advice, and apply automated processes where possible. This should include preventative virtual patching via web application firewalls (WAFs) and automated vulnerability scanning, including within the CI/CD pipeline. Replace firewall rules with identity-centric proxies to protect admin interfaces.


WordPress sites compromised en masse to deliver infostealer via ClickFix

Over 250 WordPress sites have been compromised to infect visitors with infostealer malware, according to Rapid7. A variety of sites in at least 12 countries are impacted: Australia, Brazil, Canada, Czechia, Germany, India, Israel, Singapore, Slovakia, Switzerland, the UK and the US. The threat actors employ ClickFix techniques, in which fake CAPTCHA popups are displayed, prompting the victim to open the Windows Run command box and paste a command for extra verification. Several infostealer payloads have been linked to the campaign.

Why it matters

Employees victimised by these techniques could have their corporate credentials stolen, enabling account takeover, impersonation, and/or wider access to corporate resources.

Assured’s recommended action

WordPress admins are advised to regularly perform vulnerability scans to identify outdated software versions and to use long, unique passwords stored in a password manager (alongside MFA) for admin access. Mitigate ClickFix through up-to-date security software and user awareness training, refreshed with the latest phishing techniques.
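A detection-side complement to the awareness training above, as an added example that is not code from the briefing or from Rapid7: it flags process creations that fit the ClickFix pattern, a script host launched from the Windows Run box (so its parent is explorer.exe) with switches a person rarely types by hand. The log lines are constructed in a Sysmon-Event-1-like key=value shape; field names and sample values are assumptions for illustration.

```python
"""Added example, not code from the briefing or from Rapid7: flag process
creations that fit the ClickFix pattern, i.e. a script host launched from the
Windows Run box (parent explorer.exe) with hidden-window / encoded-command
switches. Log lines are constructed in a Sysmon-Event-1-like key=value shape;
the field names and sample values are assumptions, not captured telemetry."""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Hidden-window, encoded-command or policy-bypass switches: strong signals in a
# Run-box launch, weak on their own because admins use them in scripts too.
SUSPICIOUS_ARGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b|-ep\s+bypass|-nop\b", re.I)

# Constructed sample events: only line 2 is a Run-box launch with suspicious
# switches; line 3 is a user opening a shell from Run, line 4 a scheduled task.
SAMPLE_LOG = """\
Image=C:\\Windows\\explorer.exe|ParentImage=C:\\Windows\\System32\\userinit.exe|CommandLine=explorer.exe
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe -w hidden -enc <CONSTRUCTED_PLACEHOLDER>
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\System32\\svchost.exe|CommandLine=powershell.exe -nop -File C:\\scripts\\deploy.ps1
Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe notes.txt
"""


def parse_line(line):
    """Split 'Key=Value|Key=Value' into a dict (values may contain '=' themselves)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_clickfix(log_text):
    """Return the command lines of events matching all three conditions:
    parent explorer.exe, image is a script host, suspicious switches present."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if basename(ev["ParentImage"]) != "explorer.exe":
            continue
        if basename(ev["Image"]) not in SCRIPT_HOSTS:
            continue
        if SUSPICIOUS_ARGS.search(ev["CommandLine"]):
            hits.append(ev["CommandLine"])
    return hits


if __name__ == "__main__":
    for cmd in flag_clickfix(SAMPLE_LOG):
        print("Possible ClickFix execution:", cmd)
```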


Customers urged to patch critical n8n vulnerability

A vulnerability in the open-source workflow automation platform n8n is being actively exploited in the wild, prompting calls to patch. The US Cybersecurity and Infrastructure Security Agency (CISA) has given government agencies until March 25 to migrate to the latest version following the addition of CVE-2025-68613 to its KEV database. Reports suggest there are over 14,500 unpatched instances in Europe.

Why it matters

CVE-2025-68613 is a remote code execution bug which could enable authenticated attackers to execute arbitrary code and achieve full compromise of an instance. They could use that access to deploy ransomware and/or steal enterprise secrets (e.g., API keys, OAuth tokens) to reach the wider on-prem/cloud infrastructure.

Assured’s recommended action

Upgrade to n8n version 1.122.0 or later, or follow the temporary mitigations listed.
