March 14, 2026

Red Dot Weekly Cyber Security News (https://reddotsecurity.news)

Hello all,

Last week I’d noted that I was surprised that there had been no evident cyber-retaliatory attacks by Iranian threat actors. Welp, on Wednesday a threat group named Handala claimed a successful attack on Stryker, a US-based global medical equipment company with $25.1 billion in revenue in 2025. According to the threat group, a substantial portion of Stryker’s systems was apparently remote-wiped and 50TB of data was exfiltrated. Also in the news this week, an enormous quantity of software defects and updates was unleashed by the likes of Adobe, Apple, ASUS, Cisco, Google, HPE, Microsoft, SAP, and Veeam. Defenders will be busy.

Headline NEWS:

  • Iran War tech casualties. Stryker Corporation, a global medical device manufacturer with an estimated 56,000 employees, was forced to send most of them home on Wednesday when it discovered that it had been attacked by Handala Hack Team. The threat group claims to have exfiltrated 50TB of data and then remotely wiped over 200,000 devices via Microsoft Intune. This successful destruction should cause chills to run up the spine of every system administrator and security professional. There was no malware involved; legitimate tooling was broken into and used against Stryker in a devastating way. Identity truly is the new battlefront. Microsoft, apparently in response, has published “Best practices for securing Microsoft Intune.” It is well worth reading and implementing the guidance therein. Verifone, a global payment and verification company, was also claimed to have been hacked by Handala, but Verifone is denying the claim and asserts that there is no evidence of compromise. Handala has revealed what appear to be screenshots of administrative interfaces of Verifone systems. I guess we’ll see soon if this is legitimate.
  • Cisco disclosed yet another defect that needs immediate patching; this is the third week in a row they’ve announced patches. The most recently announced defect is in Cisco’s IOS XR and can allow elevation to root. Additionally, Cisco released updates for Packaged CCE, Unified CCE, Unified CCX, and Unified Intelligence Center.
  • Google patched several Chrome zero-days. Update your browser immediately. You should get in the habit of restarting your Chromium-based browsers at least weekly, since Google has announced that Chrome will now have an accelerated update cycle with updates coming much more frequently.
  • HPE has released updates to its Aruba Networking AOS-CX operating system to address a critical defect that enables an administrator account password reset. HPE has provided some mitigation guidance in case you cannot immediately update your switches. There is currently no known active exploitation, so patch soon.
  • Microsoft Patch Tuesday March 2026 was typical in size, with 79 or 83 defects being patched, depending on who is counting. There were two zero-day remote code execution (RCE) vulnerabilities addressed in Microsoft Office. It would be wise to prioritize those since, apparently, they can be triggered via the application’s preview pane. As with any Microsoft patch, vet them first on a subset of systems. There are usually issues reported, some of which are already cropping up and are linked in our full report.
  • Nginx UI flaw enables a threat actor to access the server’s backup without authentication. This requires immediate attention if you publicly expose Nginx UI, as it could result in exfiltration of critical information about the system’s configuration, credentials, tokens, and keys. A Proof of Concept (PoC) is already in the wild, so now it is a race to patch or purloin. Don’t wait on this one.
  • Veeam released patches for Backup & Replication to address defects that can allow remote code execution if successfully exploited. It should be noted that most of the flaws require a domain-authenticated user. Best practice is that your Veeam backup server is not domain joined and uses separate credentials. Threat actors are quick to jump on these defects, since if they can wipe your backups you would be forced to pay their ransom should they successfully encrypt your systems. A few of the patches are not related to domain join, so please patch quickly.
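The Stryker item above describes legitimate Intune tooling being turned into a mass remote-wipe. The detection below is an added example written for this newsletter, not Microsoft code: it runs a sliding window over constructed Intune-style audit records (the field names and action names are assumptions, not Microsoft’s real schema) and raises an alert when one actor issues a burst of destructive device actions, while a single routine wipe by the help desk stays quiet.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample audit events, one JSON object per line. This layout is
# invented for the example (NOT Microsoft's real Intune audit schema).
SAMPLE_AUDIT = """\
{"time":"2026-03-11T02:00:05Z","actor":"it-admin@corp.example","action":"Wipe","device":"LAPTOP-001"}
{"time":"2026-03-11T02:00:09Z","actor":"it-admin@corp.example","action":"Wipe","device":"LAPTOP-002"}
{"time":"2026-03-11T02:00:12Z","actor":"it-admin@corp.example","action":"Wipe","device":"LAPTOP-003"}
{"time":"2026-03-11T02:00:14Z","actor":"it-admin@corp.example","action":"Wipe","device":"LAPTOP-004"}
{"time":"2026-03-11T02:00:20Z","actor":"it-admin@corp.example","action":"Wipe","device":"LAPTOP-005"}
{"time":"2026-03-11T09:15:00Z","actor":"helpdesk@corp.example","action":"Wipe","device":"LAPTOP-777"}
{"time":"2026-03-11T09:16:00Z","actor":"helpdesk@corp.example","action":"Sync","device":"LAPTOP-778"}
"""

# Assumed names for the destructive device actions; adjust to your export.
DESTRUCTIVE = {"Wipe", "Retire", "Delete"}


def find_wipe_bursts(lines, threshold=3, window=timedelta(minutes=10)):
    """One alert per actor with >= threshold destructive actions inside any
    window-long span (sliding window; input need not be sorted)."""
    per_actor = defaultdict(list)
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("action") in DESTRUCTIVE:
            ts = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
            per_actor[ev["actor"]].append((ts, ev["device"]))

    alerts = []
    for actor, events in per_actor.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"actor": actor, "count": count,
                        "first": events[start][0].isoformat(),
                        "last": events[end][0].isoformat(),
                        "devices": [d for _, d in events[start:end + 1]]}
        if best:
            alerts.append(best)  # the widest burst seen for this actor
    return alerts
```

Calling `find_wipe_bursts(SAMPLE_AUDIT.splitlines())` on the constructed data returns one alert for it-admin covering all five wipes; tune `threshold` and `window` to your normal device-retirement volume.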

In Ransomware, Malware, and Vulnerabilities News:

  • ClickFix attacks evolving. In the latest twist on what has been an amazingly successful infiltration method by dirtbags, the newest variants have users press shortcut keys to bring up Windows Terminal (instead of Windows Run), and then have the user paste PowerShell commands into that. In another variant named InstallFix, these evil soulless meat-bags clone legitimate sites that offer helpful instructions for n00bs (people new to the industry or who are learning), and then slip malicious commands in alongside the legitimate ones that instruct the novice to accomplish a task by copying and pasting into their command-line and terminal sessions. Threat actors count on the novice not recognizing suspicious commands, and have the n00b paste commands that inject malicious downloaders, which then infect the unsuspecting person’s system with keyloggers, info stealers, Remote Access Trojans (RATs), and more. The internet is not a safe place.

In Other News Events of Note and Interest:

  • Start-up is building the first data center to use human brain cells. I could leave this headline right there. But I won’t. Are they crazy!? This has all the makings of a B-rated sci-fi movie. It is bad enough that we are racing toward some sort of world-dominating AI consciousness with the speed of a three-year-old grabbing a cookie off the counter, but now we’re actively working on making data centers that could potentially develop their own neural pathways? Yikes! The prior article explains how human brain cells on a chip have learned to play the first-person shooter game Doom. Consider me a Luddite, but I don’t like this one bit.

Musings

Stryker Corporation is dealing with what is pretty much a worst-case scenario. I wonder if any of their enterprise planning was prepared for this outcome? If your company and systems are still working well, thank your cyber defenders for doing their jobs. And then ask for a review of your Disaster Recovery Plans: who does what, when, and how, if a disaster arises. How about your Business Continuity Plan? Do you have one? How will your business continue to make money, to do what it is that your business does, if your systems are down? And what about your Business Resumption Plan? You have one, right? How do you effectively and safely bring things back online after being down? Who needs to be contacted, in what order, what information is needed, etc.? News headlines such as Stryker’s should serve as a metaphorical wake-up call to all of us. We cannot rest, we must be ever vigilant, and we must keep our DR, BC, and BR plans current, relevant, and available.

Visc. Jan Broucinek

Keep the shields up!

Viscount Jan Broucinek
Red Dot Security News
