F5 BIG-IP RCE exploitation 🖥️, FortiClient EMS SQLi under attack 💉, Citrix NetScaler mass scanning 🔍, ShinyHunters breaches EU Commission 🏛️, Anthropic Mythos AI disrupts sector 🤖

Daily Threat Intel Digest - March 30, 2026

🔴 Critical Threats & Active Exploitation

[UPDATE] F5 BIG-IP vulnerability reclassified from DoS to Critical RCE, now actively exploited

F5’s CVE-2025-53521 has undergone a dramatic severity upgrade from a 7.5 CVSS Denial-of-Service flaw to a 9.8 Critical Remote Code Execution vulnerability, catching organizations that deferred patching off guard. Unauthenticated remote attackers can exploit the BIG-IP APM module when an access policy is configured on a virtual server, allowing them to intercept traffic, harvest credentials, and pivot laterally into corporate networks. CISA added the flaw to its Known Exploited Vulnerabilities catalog on March 27, triggering mandatory patching deadlines for federal agencies by today, March 30. Defused Cyber reports active scanning targeting the ‘/mgmt/shared/identified-devices/config/device-info’ REST API endpoint to fingerprint vulnerable systems. Defenders should immediately audit BIG-IP access policy configurations and review F5’s published indicators of compromise, including HTTP 201 responses with CSS content-type headers and modifications to ‘/usr/bin/umount’ or ‘/usr/sbin/httpd’. [CISA Alert / Cyberpress; SecurityWeek; GBHackers]

[NEW] Critical Fortinet FortiClient EMS SQL injection under active attack

Threat actors are actively exploiting CVE-2026-21643, a critical SQL injection vulnerability in FortiClient EMS 7.4.4 that allows unauthenticated remote code execution through maliciously crafted HTTP requests targeting the web interface. Defused Cyber reports first exploitation occurring approximately four days ago, with attackers smuggling SQL statements via the ‘Site’ header. Over 2,000 FortiClient EMS instances are currently exposed online—1,400+ in the United States and Europe—creating a substantial attack surface for ransomware operators and espionage groups. The vulnerability carries particular risk given Fortinet’s history as an initial access vector for both financially motivated and state-sponsored actors, including Salt Typhoon’s previous use of a similar FortiClient EMS flaw to breach telecommunications providers. Organizations must upgrade to version 7.4.5 or later immediately. [BleepingComputer]

[NEW] Citrix NetScaler CVE-2026-3055 undergoes mass reconnaissance ahead of exploitation

Threat actors are conducting configuration-aware fingerprinting against internet-facing Citrix NetScaler ADC and Gateway appliances, probing the ‘/cgi/GetAuthMethods’ endpoint to identify systems configured as SAML Identity Providers. This 9.3 CVSS memory overread vulnerability allows unauthenticated attackers to extract sensitive data including active session tokens, credentials, and backend configuration secrets from enterprise SSO environments. watchTowr and Defused Cyber report active scanning campaigns, with attackers building targeted hit lists of vulnerable appliances rather than launching blind attacks. The flaw affects versions before 14.1-66.59 and 13.1-62.23, requiring immediate patching for any NetScaler instance configured with the ‘add authentication samlIdPProfile’ command. [Cyberpress; GBHackers]
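Detection logic for the reconnaissance and indicator patterns named in the BIG-IP and NetScaler items above, as an added example that is not part of the original digest or any vendor's tooling. It scans constructed access-log lines (an assumed extended format whose final quoted field is the response Content-Type) for probes of the two fingerprinting endpoints and for the F5-published HTTP 201 / CSS content-type response indicator, and counts hits per source address so a scanning host stands out.

```python
import re
from collections import Counter

# Endpoints the digest reports being probed during pre-exploitation reconnaissance.
RECON_ENDPOINTS = {
    "/mgmt/shared/identified-devices/config/device-info": "F5 BIG-IP fingerprinting (CVE-2025-53521)",
    "/cgi/GetAuthMethods": "Citrix NetScaler SAML IdP fingerprinting (CVE-2026-3055)",
}

# Assumed log format: combined-log prefix plus the response Content-Type as a final
# quoted field. Adjust the regex to the appliance's actual logging profile.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ctype>[^"]*)"$'
)

def parse_line(line):
    """Parsed fields of one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Alert tags for one parsed entry; an empty list means nothing suspicious."""
    tags = []
    path = entry["path"].split("?", 1)[0]  # match on the path, ignoring any query string
    if path in RECON_ENDPOINTS:
        tags.append("recon:" + RECON_ENDPOINTS[path])
    # F5-published IoC from the digest: an HTTP 201 response carrying a CSS content type.
    if entry["status"] == "201" and entry["ctype"].lower().startswith("text/css"):
        tags.append("ioc:bigip-201-css-response")
    return tags

def scan(lines):
    """Return (findings, hits-per-source) where findings are (src, path, tags) tuples."""
    findings, per_source = [], Counter()
    for entry in filter(None, map(parse_line, lines)):
        tags = classify(entry)
        if tags:
            findings.append((entry["src"], entry["path"], tags))
            per_source[entry["src"]] += 1
    return findings, per_source

# Constructed sample lines (RFC 5737 test addresses; the APM path is a placeholder).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Mar/2026:08:01:12 +0000] "GET /mgmt/shared/identified-devices/config/device-info HTTP/1.1" 401 0 "application/json"
203.0.113.7 - - [30/Mar/2026:08:01:15 +0000] "POST /placeholder-apm-path HTTP/1.1" 201 512 "text/css"
198.51.100.4 - - [30/Mar/2026:08:02:40 +0000] "GET /cgi/GetAuthMethods?x=1 HTTP/1.1" 200 318 "application/json"
192.0.2.10 - - [30/Mar/2026:08:03:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "text/html"
""".splitlines()
```

Running scan(SAMPLE_LOG) flags the first three lines and attributes two hits to 203.0.113.7; the endpoint list and regex are the two places to adapt for a real deployment.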

🎯 Threat Actor Activity & Campaigns

[UPDATE] European Commission confirms data breach following ShinyHunters AWS compromise

The European Commission has confirmed that data was stolen from its Europa.eu web platform following the ShinyHunters extortion gang’s breach of at least one AWS account. The threat actor claims to have exfiltrated over 350 GB of data including databases, confidential documents, and contracts before access was blocked, and has already released a 90 GB archive on their dark web leak site. The Commission reports that internal systems were not affected and staff took immediate containment measures. ShinyHunters has recently claimed breaches at Match Group (Tinder, Hinge, OkCupid), SoundCloud, and Panera Bread through large-scale vishing campaigns targeting SSO accounts at Okta, Microsoft, and Google across 100+ organizations. [BleepingComputer]

[NEW] Ransomware operators target healthcare, media, and manufacturing sectors

Multiple ransomware groups launched attacks across diverse sectors this weekend. Qilin claimed an attack on Doctor.com, a US healthcare platform, creating potential HIPAA exposure and patient data risk. ALP-001 emerged as a highly active operator, claiming attacks on Polish media giant Polsat, Kyocera Document Solutions Europe, and Spanish firm Lacor S.A. Meanwhile, DragonForce targeted Alliance Select Foods in the Philippines and Anubis struck French IT company Scalian. Exitium claimed compromise of Taiwanese solar manufacturer Ming Hwei Energy, and Incransom targeted US eco-products company Greenology Products. The breadth of sector targeting—from healthcare and media to energy and IT services—indicates ongoing opportunistic ransomware operations without sector-specific restrictions. [DeXpose: Qilin; DeXpose: ALP-001 Polsat; DeXpose: Anubis Scalian; DeXpose: Exitium]

[UPDATE] Handala FBI email breach confirmed; Iran-linked group publishes personal data

The FBI has confirmed that Iran-linked Handala hackers compromised FBI Director Kash Patel’s personal Gmail inbox, publishing watermarked personal photos and email correspondence from before his tenure as director. The FBI emphasizes that no government information or recent data was exposed. Handala, a hacktivist persona tied to Iran’s Ministry of Intelligence and Security, conducted the attack in retaliation for FBI seizure of Handala domains and the State Department’s $10 million reward for information on the group. The group previously breached medical technology giant Stryker, wiping nearly 80,000 devices. [BleepingComputer; SecurityWeek]

📋 Policy & Industry News

[NEW] Anthropic’s “Mythos” AI model triggers cybersecurity sector sell-off

Anthropic is testing a highly capable AI model codenamed “Mythos” under its “Capybara” tier that can autonomously discover complex software vulnerabilities and potential zero-days in production code through dynamic reasoning rather than static scanning. The model significantly outperforms Claude Opus 4.6 in cybersecurity benchmarks and is currently restricted to vetted early-access customers—specifically defenders. News of the model triggered a sharp cybersecurity stock decline, with CrowdStrike, Palo Alto Networks, and Zscaler each dropping over 5%, and the Global X Cybersecurity ETF falling 4.5% to its lowest close since November 2023. While Bernstein analysts suggest the sell-off may be overdone, the dual-use nature of the technology raises concerns about an impending wave of offensive AI tools that could exploit vulnerabilities faster than human defenders can patch them. [Cyberpress; GBHackers]

[NEW] Microsoft releases critical WinRE and Setup updates ahead of Secure Boot certificate expiration

Microsoft has released KB5081494 (Setup Dynamic Update) and KB5083482 (Safe OS Dynamic Update) for Windows 11 versions 24H2 and 25H2 to prepare systems for the expiration of three core Secure Boot certificates scheduled to begin in June 2026. After 15 years of service, the Microsoft Corporation KEK CA 2011, Microsoft Corporation UEFI CA 2011, and Microsoft Windows Production PCA 2011 certificates will expire, potentially preventing systems from installing future security updates or causing boot failures. Unpatched systems will lose the ability to install Secure Boot updates after June 2026 and will stop receiving Windows Boot Manager fixes entirely by October 2026. Enterprise administrators should consult Microsoft’s Secure Boot playbook for the four-step remediation process: inventory, monitoring, OEM firmware updates, and certificate deployment via Intune or Group Policy. [Cyberpress; GBHackers]