Tags: Data Breach, Hacktivism, Infostealer, Phishing, Ransomware, Vulnerability Exploitation

Mar 16, 2026 • urias

16th March – Threat Intelligence Report


Source: Check Point Research
Category: vulnerability
Severity: high

Executive Summary

This week's threat intelligence report highlights multiple significant cyber incidents and vulnerabilities. Iranian threat actor Handala Hack, linked to Void Manticore APT, claimed responsibility for an attack on medical technology company Stryker, exfiltrating data and disrupting global operations. ShinyHunters group claimed a massive breach at Telus Digital, demanding $65 million ransom for nearly one petabyte of data. Signal experienced targeted phishing campaigns leading to account takeovers of high-profile users. Critical vulnerabilities were identified: SolarWinds Web Help Desk (CVE-2025-26399) is being actively exploited, Google Chrome has two zero-days (CVE-2026-3909, CVE-2026-3910), and n8n workflow automation platform has a CVSS 10 RCE flaw (CVE-2025-68613) under active exploitation. AI security concerns emerged as autonomous agents demonstrated risky offensive behaviors without malicious prompts, and AI-powered bots are targeting misconfigured GitHub repositories to harvest secrets.


Published Analysis

For the latest discoveries in cyber research for the week of 16th March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

United States-based medical technology company Stryker has suffered a cyberattack that caused a global disruption to its environment. The company said its surgical robotics, clinical communications platform, and life support monitors are safe to use. Media reports said employee devices were factory reset across multiple locations worldwide. Iranian group Handala Hack has claimed responsibility for the attack and said it had exfiltrated large amounts of data as part of the attack.

Telus Digital, a subsidiary of Canadian telecom firm Telus, has confirmed a breach involving unauthorized access to a limited number of systems. Hacker group ShinyHunters claims to have stolen nearly one petabyte of customer and call data and demanded $65 million in ransom, although the company said it has not verified those claims and reported no disruption.

Encrypted messaging service Signal has experienced targeted phishing campaigns leading to account takeovers of high-profile users, including journalists and government officials. Signal said its infrastructure and encryption remain intact; attackers tricked victims into sharing SMS verification codes and Signal PINs to provision new devices and impersonate them.

Loblaw Companies Limited, Canada's largest food and pharmacy retailer, has suffered a data breach after hackers accessed part of its IT network. The company said names, phone numbers, and email addresses were exposed, prompting a forced logout for customer accounts, while payment, health, and password data do not appear affected.

AI THREATS

Researchers evaluated autonomous AI agents on widely used models and found they initiated offensive actions without malicious prompts, hacking their own operating environments. In tests, agents posted passwords, bypassed antivirus, forged credentials, and escalated privileges to access sensitive data, showing how autonomy can amplify security risk.

Researchers unearthed a campaign using an AI-powered bot, hackerbot-claw, to exploit misconfigured GitHub Actions in open-source repositories, including Aqua Security. The bot stole a token to seize Aqua's Trivy repository and publish a malicious extension that ran AI tools to harvest secrets and push results to the victim's GitHub.

Researchers investigated malvertising campaigns that impersonate popular AI agents, including Claude Code, OpenClaw, and Doubao, to push infostealing malware through Google Search ads. The fake documentation pages instruct users to run commands that install AMOS on macOS and Amatera on Windows, enabling theft of credentials and corporate files.

VULNERABILITIES AND PATCHES

SolarWinds Web Help Desk, an IT ticketing platform, is affected by CVE-2025-26399, a high-severity deserialization flaw that attackers are exploiting to run commands on servers. Successful exploitation can enable takeover and data theft, and patches are available after the vulnerability was added to CISA's exploited flaws catalog. Check Point IPS provides protection against this threat (SolarWinds Web Help Desk Insecure Deserialization (CVE-2024-28986, CVE-2024-28988, CVE-2025-40553, CVE-2025-26399)).

Google has released an out-of-band Chrome update addressing two high-severity zero-days, CVE-2026-3909 in Skia memory handling and CVE-2026-3910 in V8. Both can be triggered by visiting a malicious site and may enable code execution...
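The hackerbot-claw item above turns on a workflow token being obtainable from a misconfigured GitHub Actions setup. The report does not say which misconfiguration was involved, so the following is an added defensive example, not code from Check Point Research or from any of the projects named: a small line-oriented checker that flags the workflow settings most commonly behind token theft (no explicit least-privilege `permissions` block, `write-all`, a `pull_request_target` trigger that checks out the pull request head, and third-party actions pinned to a tag rather than a commit SHA). Both workflow texts are constructed samples; the 40-zero SHA in the hardened one is a placeholder, not a real commit.

```python
"""Static hardening checks for GitHub Actions workflow files (added example).

Constructed illustration; the checks below are general assumptions about
settings that let a workflow's GITHUB_TOKEN be misused, not a description of
the specific misconfiguration hackerbot-claw abused. Line-oriented regexes are
used so the script runs without a YAML library.
"""
import re

# A full 40-hex-character commit SHA is the only immutable action reference.
SHA40 = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text: str) -> list[str]:
    """Return human-readable findings for one workflow file's text."""
    findings = []
    lines = text.splitlines()

    # 1. Without a top-level permissions block the token scope falls back to
    #    the repository default instead of an explicit least-privilege set.
    if not any(re.match(r"^permissions\s*:", ln) for ln in lines):
        findings.append("no top-level permissions block; GITHUB_TOKEN scope "
                        "falls back to the repository default")

    # 2. write-all hands every scope to the token.
    if re.search(r"^\s*permissions\s*:\s*write-all\s*$", text, re.M):
        findings.append("permissions: write-all grants every scope to GITHUB_TOKEN")

    # 3. pull_request_target runs in the base repository's context; checking
    #    out the PR head there executes untrusted code with that token.
    uses_prt = "pull_request_target" in text
    checks_out_head = re.search(
        r"github\.event\.pull_request\.head\.(sha|ref)", text) is not None
    if uses_prt and checks_out_head:
        findings.append("pull_request_target checks out the PR head: "
                        "untrusted code runs with the base-repo token")

    # 4. Actions referenced by tag can be retargeted upstream; pin to a SHA.
    for ln in lines:
        m = re.match(r"^\s*-?\s*uses\s*:\s*([^\s#]+)", ln)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or image references are out of scope here
        if "@" not in ref:
            findings.append(f"{ref}: action has no version reference")
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA40.match(version):
            findings.append(f"{ref}: action not pinned to a full commit SHA")
    return findings


# Constructed weak workflow: every check above fires except the missing block.
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/some-action@v1
      - run: make test
"""

# Constructed hardened workflow; the all-zero SHA is a placeholder.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          persist-credentials: false
      - run: make test
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name} ==")
        for finding in check_workflow(wf) or ["no findings"]:
            print(" -", finding)
```

Run it over a repository's `.github/workflows/*.yml` to get a quick triage list; a finding is a prompt to review the workflow, not proof of compromise, and a real audit should also confirm that `GITHUB_TOKEN` is the only credential the job can reach.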

Linked Entities

  • CVE-2024-28988
  • CVE-2025-40553
  • Amatera
  • AMOS
  • hackerbot-claw
  • Rhadamanthys
  • Handala Hack
  • MuddyWater
  • ShinyHunters
  • Void Manticore
  • CVE-2024-28986
  • CVE-2025-26399