Security Boulevard

A newly disclosed critical vulnerability in the widely used pac4j authentication framework is drawing attention across the open source community. Tracked as CVE-2026-29000, the flaw affects the pac4j-jwt library, which is commonly pulled in as a dependency by many popular Java authentication stacks, and could allow attackers to bypass authentication controls in affected Java applications.

The post pac4j CVE-2026-29000: Sonatype Finds 18 Additional Packages appeared first on Security Boulevard.

In the wake of Operation Epic Fury, digital attacks have shifted from quiet espionage to a loud, coordinated campaign of economic and physical retaliation. In response, the Tenable Research Special Operations (RSO) team is examining the latest threats and cyber operations linked to Iranian threat actors.

Key takeaways:

1. Following the military operations of Operation Epic Fury, Iranian-linked actors have moved beyond quiet intelligence gathering to a coordinated, hybrid offensive and actively engaging in disruptive and destructive campaigns targeting critical infrastructure and other sectors.
    
2. MOIS-affiliated actors are increasingly operating under the veil of cybercriminal infrastructure to complicate attribution.
    
3. A significant increase in the targeting of IP cameras by Iranian-nexus actors has been observed using known and exploitable vulnerabilities.

Background

Following the February 28 military operations conducted by the United States and Israel known as Operation Epic Fury, Tenable’s RSO team released a blog post examining Iranian-linked threat actors and their operational focus. As ongoing kinetic strikes have continued to target Iranian leadership and infrastructure, Iranian threat actor activity has surged into a coordinated, hybrid offensive targeting Western, Israeli and regional economic and critical infrastructure.

Analysis

Recently Ministry of Intelligence and Security (MOIS) affiliated groups have significantly escalated their operations, shifting from espionage to disruptive and destructive campaigns. MuddyWater and the Void Manticore persona known as Handala are two groups which have seen an increased level of malicious activity surrounding the recent military operations in Iran.

From silt to strike: How MuddyWater weaponized pre-positioned access

MuddyWater, also known as Seedworm and additional aliases, is a MOIS affiliated actor known for targeting telecommunications and government organizations. The group is well known for gaining initial access to victim networks, often acting as an initial-access broker. Recent reporting indicates that the group infiltrated U.S. and Israeli infrastructure weeks prior to the military operations conducted as part of Operation Epic Fury. According to Symantec, a U.S bank, software company, airport and non-government organizations in both the U.S. and Canada were targeted. These attacks uncovered a previously unknown backdoor known as Dindoor, and a Python backdoor known as Fakeset.

Additional targeting by MuddyWater includes a campaign tracked by Group-IB known as Operation Olalampo. The campaign observed in late January included targeting across the Middle East and North Africa (MENA) region, where multiple malware variants attributed to MuddyWater were identified. This included the use of a Telegram bot used as a command and control (C2) channel.

The Handala hand-off: From silent espionage to wiping the slate clean

The Void Manticore persona known as Handala specializes in destructive attacks, often wiping data from compromised hosts. They frequently collaborate with initial access brokers (IAB) in a tag-team approach, taking control of victim networks to deploy custom wipers like the BiBi Wiper and Cl Wiper after the IAB group has exfiltrated data from the victim.

On March 11, Handala posted to Telegram, claiming an attack on the global medical technology company Stryker. The group claims to have erased data on more than 200,000 systems, including mobile devices. While a root-cause is unknown, reports suggest that the wipe attack on the mobile devices may have been the result of compromising Stryker’s Microsoft Intune instance. Handala also claims to have stolen 50 terabytes of data and defaced Microsoft Entra login pages with their logo as part of their attack on Stryker.

Despite widespread internet blackouts at the onset of the initial strikes in February, Handala has been observed using Starlink IP ranges in order to bypass Iran's internet blackout and allowing them to maintain C2 infrastructure.

State intent, criminal consent: Analyzing the MOIS-Cyber crime alliances

Recent reporting from Check Point points to Iran-linked actors engaging with and operating under the veil of other cyber criminals. In one instance, MuddyWater was likely using the infrastructure provided by Qilin, the well known ransomware-as-a-service (RaaS) operator, in order to conduct attacks targeting Israeli hospitals. Using cyber crime and hacktivism as cover for destructive activity gives the attackers a layer of cover and plausible deniability. Attribution of attacks has always been tricky to pinpoint, but these tactics and reliance on criminal infrastructure make attribution even more difficult, providing greater chances of anonymity in their attacks.

Industries targeted and likely to be targeted

Following a missile strike on Bank Sepah, one of the largest public banks in Iran, an Iranian spokesperson warned that U.S. and Israeli financial institutions would be targeted in response. While it’s unclear whether these will be kinetic or digital attacks, the financial sector is just one of many industries that are likely to see targeting. Industries known to have been targeted or likely to be at elevated risk include:

• Aviation
• Transportation
• Finance
• Healthcare
• Defense
• Government
• Critical Infrastructure (Energy/Utilities/Water & Wastewater)
• Telecommunications

While warnings of attacks targeting critical infrastructure and attacks against supervisory control and data acquisition (SCADA) and industrial control systems (ICS) systems are of great concern to Western countries, it’s unclear what pre-positioning or successful attacks can be attributed to Iranian-nexus actors.

Recently, the pro-Russia hacktivist group Z-Pentest claimed to have compromised several SCADA and ICS systems of U.S. based organizations as well as CCTV networks. However, these claims have not been verified. Despite this, collaboration or hacktivism in support of Iran by threat actors is a concern.

With the threat of increased cyberattacks from Iranian state-sponsored actors, hacktivists and cybercriminal groups targeting critical infrastructure, the Information Technology-Information Sharing and Analysis Center (IT-SAC) published a joint advisory outlining various groups, their operations and recommendations for defensives measures. We recommend reviewing this advisory and taking proactive steps to reduce your threat from these actors.

Focusing on flaws: The surge in Hikvision and Dahua exploitation

In connection with the ongoing military campaign, Check Point has identified an increase in IP camera targeting, including devices from Hikvision and Dahua. The attack infrastructure was assessed to be linked to Iran-nexus actors and activity appears to have increased during various geopolitical events. While it’s unclear if the camera targeting is to observe targets for kinetic attacks or to make observations after a strike, the timing and compromise of these devices should be of concern to any organization who may be affected by the following vulnerabilities:

CVE Description CVSSv3 VPR* CVE-2017-7921 Hikvision IP Camera Improper Authentication Vulnerability 10 9.2 CVE-2021-33044 Dahua Authentication Bypass Vulnerability 9.8 7.4 CVE-2021-36260 Hikvision IP Camera Command Injection Vulnerability 9.8 9.7 CVE-2023-6895 Hikvision Intercom Broadcasting System Command Injection Vulnerability 9.8 6.7 CVE-2025-34067 Hikvision Integrated Security Management Platform Command Execution Vulnerability 9.8 6.7

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on March 11, 2026 and reflects VPR at that time.

Of these five vulnerabilities, three of them have been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. At the time this blog was published, CVE-2023-6895 and CVE-2025-34067 were not yet part of the KEV.

Additional CVEs that have been widely exploited and have also been attributed to Iranian-nexus threat actors include:

CVE Description CVSSv3 VPR* CVE-2017-11882 Microsoft Office Memory Corruption Vulnerability 7.8 9.8 CVE-2020-0688 Microsoft Exchange Server Validation Key Remote Code Execution Vulnerability 8.8 9.5

 

 

Additionally, you can review our previous blog posts on Iranian threat actors for other CVEs that have been attributed to Iran-nexus threat actors:

• Frequently Asked Questions About Iranian Cyber Operations
• Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations
• Group-IB blog: Operation Olalampo: Inside MuddyWater’s Latest Campaign

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2017-11882, CVE-2017-7921, CVE-2020-0688, CVE-2021-33044, CVE-2021-36260, CVE-2023-6895 and CVE-2025-34067 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

• Tenable Blog: Operation Epic Fury: Potential Iranian Cyber Counteroffensive Operations
• Symantec Blog: Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company
• Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker
• Check Point Blog: Iranian MOIS Actors & the Cyber Crime Connection
• Check Point Blog: Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East
•  

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The post Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury appeared first on Security Boulevard.

How A Mississippi School District Saves Time Securing Google Workspace Without Hiring Another IT Staff Member When Adam Hamilton stepped into the role of Technology Director at Marshall County School District in Holly Springs, Mississippi, he inherited a fast-growing technology environment with limited margin for error. Serving roughly 2,750 students across a geographically large district, ...

The post Marshall County School District Reduces Google Security Risk with Cloud Monitor appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.

The post Marshall County School District Reduces Google Security Risk with Cloud Monitor appeared first on Security Boulevard.

PARIS, March 10, 2026 — Qevlar AI, a leader in AI for transforming security operations centres (SOCs), has raised $30 million in funding for its autonomous AI SOC platform.

The funding will support development of technology designed to turn … (more…)

The post News alert: Qevlar AI raises $30M to turn security alerts into actionable defense insights across SOCs first appeared on The Last Watchdog.

The post News alert: Qevlar AI raises $30M to turn security alerts into actionable defense insights across SOCs appeared first on Security Boulevard.

TL;DR

AI coding assistants can hallucinate package names, creating phantom dependencies that don't exist in official repositories. Attackers exploit this predictable behavior through slopsquatting, which involves registering malicious packages with names that AI models commonly suggest. This emerging supply chain attack requires new detection approaches focused on behavioral analysis to complement existing security tools.

The post Slopsquatting: How Attackers Exploit AI-Generated Package Names appeared first on Security Boulevard.

Russian threat actors for more than a year have targeted HR and recruiting operations in a sophisticated phishing and infostealing campaign that includes a component, dubbed BlackSanta, that can shut down antivirus tools and EDR protections before deploying the malware that exfiltrates data, Aryaka researchers say.

The post BlackSanta Malware Shuts Down Protections, Targets HR and Recruiting Operations appeared first on Security Boulevard.

via the comic artistry and dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Carbon Dating’ appeared first on Security Boulevard.

A hacktivist group with links to Iran's intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker's largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker's main U.S. headquarters says the company is currently experiencing a building emergency.

The post Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker appeared first on Security Boulevard.

How Cybersecurity Became the Defining Challenge for European Banks

The post A Cyber Resilience Agenda: Inside the European Central Bank’s 2026–2028 Priorities appeared first on Security Boulevard.

The post How AI is Transforming Integrated Security appeared first on AI Security Automation.

The post How AI is Transforming Integrated Security appeared first on Security Boulevard.

Author, Creator & Presenter: Kendra Albert, Albert Sellars LLP

Our thanks to USENIX Security '25 (Enigma Track) (USENIX '25 for publishing their Creators, Authors and Presenter’s tremendous USENIX Security '25 (Enigma Track) content on the Organizations' YouTube Channel.

Permalink

The post USENIX Security ’25 (Enigma Track) – Everything Old Is New Again: Legal Restrictions On Vulnerability Disclosure On Bug Bounty Platforms appeared first on Security Boulevard.

“You pervert, I recorded you!” sextortion emails include real passwords harvested from public temporary email inboxes.

The post Sextortion “I recorded you” emails reuse passwords found in disposable inboxes appeared first on Security Boulevard.

Cybersecurity teams today face a relentless wave of cyber threats. Organizations must defend their networks, endpoints, cloud systems, and data from sophisticated attacks such as ransomware, phishing campaigns, insider threats, and advanced persistent threats. However, modern IT environments are highly complex, and security teams are often overwhelmed by thousands of alerts generated by different security

The post SOAR Cybersecurity appeared first on Seceon Inc.

The post SOAR Cybersecurity appeared first on Security Boulevard.

From ransomware and insider threats to advanced persistent attacks, the complexity and scale of cyber risks are growing faster than traditional security operations can handle. Security teams are overwhelmed by millions of alerts, fragmented tools, and limited human resources. This is where a cybersecurity automation platform becomes essential. A cybersecurity automation platform uses artificial intelligence,

The post Cybersecurity Automation Platform appeared first on Seceon Inc.

The post Cybersecurity Automation Platform appeared first on Security Boulevard.

Scammers are targeting Americans with robocalls during tax season. Here’s how to spot the scam.

The post Watch out for tax-season robocalls pushing fake “relief programs” appeared first on Security Boulevard.

How Can Non-Human Identities Transform AI-Driven Cloud Security? Have you ever pondered the pivotal role machine identities, or Non-Human Identities (NHIs), play in enhancing AI-driven cloud security and data protection? With technology evolves, the intersection between cybersecurity and artificial intelligence becomes increasingly critical. NHIs are often the unsung heroes in securing the cloud environment, ensuring […]

The post Can AI-driven cloud security fully protect data appeared first on Entro.

The post Can AI-driven cloud security fully protect data appeared first on Security Boulevard.

Are Enterprises Overlooking the Risk Posed by Non-Human Identities? When organizations increasingly migrate their operations to the cloud, a critical element often slips under the radar: Non-Human Identities (NHIs). Despite their importance, the management and security of these machine identities tend to remain overshadowed by human-centric cybersecurity measures. This can result in significant security gaps, […]

The post How does NHI management deliver value to businesses appeared first on Entro.

The post How does NHI management deliver value to businesses appeared first on Security Boulevard.

The Role of Non-Human Identities in Enhancing Enterprise Security How do organizations maintain trust in technology where machine interactions are increasingly prevalent? Non-human identities (NHIs) play a pivotal role in keeping systems secure and efficient. For enterprises utilizing advanced AI measures, understanding and managing these identities is crucial for ensuring a resilient cybersecurity framework. Understanding […]

The post How can enterprises be reassured by advanced AI measures appeared first on Entro.

The post How can enterprises be reassured by advanced AI measures appeared first on Security Boulevard.

Ransomware Group AtomSilo Returns After 5 Year Absence

The post Bitdefender Threat Debrief | March 2026 appeared first on Security Boulevard.

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our next Cloud Threat Horizons Report, #13 (full version, no info to enter!) that we just released (the official blog for #1 report, my unofficial blogs for #2, #3, #4, #5, #6, #7, #8, #9, #10, #11 and #12).

My favorite quotes from the report follow below:

• [in Google Cloud] “software exploitation overtook credentials as the primary initial access vector for the first time.” and “Threat actors exploited third-party software-based entry (44.5%) more frequently than weak credentials.” [A.C. — some of you may say this is because AI is making more zero days, but a dozen more mundane answers may be correct instead]

THR H1 2026 image 1

• “While threat actors continued to use brute-force attacks against weak credentials, the increase in RCE represents a pivot toward more automated exploitation of unpatched application-layer vulnerabilities.” [A.C. — to some extent “creds or vulns” debate is rather pointless as the real answer is “both”, and it varies by environment too, see below]
• “Threat actors continued to transition from traditional phishing to voice-based social engineering (vishing), and credential harvesting from third-party SaaS tokens to facilitate large-scale, silent data exfiltration.” [A.C. — again, this means “AND” not “OR” because classic phishing still works well in many cases, but yes “credential harvesting from third-party SaaS” has become very fruitful too]
• [overall] Still “Identity compromise underpinned 83% of compromises. [A.C. — so, yes, “creds” still beat “vulns” on many environments]

THR H1 2026 image 2

• “High-volume data theft operations — executed through compromised but legitimate access channels — remained the primary goal for threat actors, with our metrics showing they targeted data in 73% of cloud-related incidents.” [A.C. — again, not new, but very useful data confirming the running trend. Beware!]
• “The window between vulnerability disclosure and mass exploitation collapsed by an order of magnitude, from weeks to days.” [A.C. — again, some of you may see the invisible robot hand of an AI here, but, as usual, the reality is more complicated…]
• “Trend analysis from 2008–2025 indicates cloud services will soon surpass email as the primary data exfiltration pathway.” [A.C. — $32B reasons to finally get serious about it across all clouds?]
• “45% of intrusions resulted in data theft without immediate extortion attempts at the time of the engagement, and these were often characterized by prolonged dwell times and stealthy persistence.”
• “The traditional incident response model is no longer viable when dealing with containerized workloads and serverless architectures where data can vanish in seconds.” [A.C. — a very useful reminder here! Cloud is cloudy! Don’t be that guy who thinks that cloud is a rented colo. Cloud is not JUST somebody else’s computer.]
• “Threat actors used large language models (LLM) to automate credential harvesting and transition from a developer’s local environment to full cloud administration access.” [A.C. — this really should not be news for anybody in 2026, but if it is, HERE IS SOME NEWS: BAD GUYS USE AI!]
• Thus “Prevent LLM exploitation as an extension of living-off-the-land (LOTL) by treating LLM activity with the same scrutiny as administrative command-line tools.” [A.C. — or, as I say, “with AI agents, every prompt injection is an RCE”]

Now, go and read the CTHR 13 report!

Related posts:

• Google Cloud Security Threat Horizons Report #12 Is Out!
• EP112 Threat Horizons — How Google Does Threat Intelligence podcast
• Google Cloud Security Threat Horizons Report #11 Is Out!
• Google Cloud Security Threat Horizons Report #10 Is Out!
• Google Cybersecurity Action Team Threat Horizons Report #9 Is Out!
• Google Cybersecurity Action Team Threat Horizons Report #8 Is Out!
• Google Cybersecurity Action Team Threat Horizons Report #7 Is Out!
• Google Cybersecurity Action Team Threat Horizons Report #6 Is Out!
• Google Cybersecurity Action Team Threat Horizons Report #5 Is Out!
• Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!
• Google Cybersecurity Action Team Threat Horizons Report #3 Is Out!
• Google Cybersecurity Action Team Threat Horizons Report #2 Is Out!
• Illicit coin mining, ransomware, APTs target cloud users in first Google
• Cybersecurity Action Team Threat Horizons report

Google Cloud Security Threat Horizons Report #13 (H1 2026) Is Out! was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Google Cloud Security Threat Horizons Report #13 (H1 2026) Is Out! appeared first on Security Boulevard.