The Good, the Bad and the Ugly in Cybersecurity – Week 11
2026-03-13 13:00:44  Author: www.sentinelone.com (view original)  Reads: 18

The Good | Authorities Disrupt Proxy Network and Charge BlackCat Insider, Vendors Patch Critical RCE Bugs

U.S. and European law enforcement have dismantled the SocksEscort cybercrime proxy network, which relied on Linux edge devices infected with AVRecon malware. New research found that the service maintained roughly 20,000 compromised devices at any given week and offered criminals access to 'clean' residential IP addresses from major internet service providers to evade blocklists. Since 2020, the platform has advertised access to hundreds of thousands of IPs. Authorities have now seized dozens of servers and domains, frozen $3.5 million in cryptocurrency, and disconnected infected routers, all previously linked to significant fraud and cryptocurrency theft.

Former DigitalMint employee Angelo Martino has been charged with conspiring with the BlackCat (aka ALPHV) ransomware group while working as a ransomware negotiator. Prosecutors say Martino shared confidential negotiation details and, between 2023 and 2025, participated in attacks alongside various accomplices operating as BlackCat affiliates. Victims included multiple U.S. organizations, with ransom payments exceeding $26 million, of which a 20% cut went to the BlackCat operators. Since the group emerged in 2021, the FBI has attributed to it thousands of targets and over $300 million in ransom payments.

Microsoft's March Patch Tuesday delivers security updates for 79 vulnerabilities, including two publicly disclosed zero-day flaws. The release also addresses three critical vulnerabilities: two remote code execution (RCE) bugs and one information disclosure issue.

The two zero-days, an SQL Server elevation-of-privilege flaw (CVE-2026-21262) and a .NET denial-of-service bug (CVE-2026-26127), are not known to be actively exploited. The RCE bugs in Microsoft Office, however, are exploitable via the preview pane, meaning no user click on the document is required; so is an Excel information disclosure flaw (CVE-2026-26144) that could leak data through Copilot.

Users are urged to prioritize updates to secure Office, Excel, SQL Server, and .NET environments.

The Bad | Attackers Exploit FortiGate Next-Gen Firewalls to Breach Networks

Threat actors are exploiting FortiGate Next-Generation Firewall (NGFW) appliances to gain access to targeted networks. A new post from SentinelOne outlines a consistent theme across these attacks: victims did not retain appliance logs, which prevented investigators from determining how and when the intruders gained access.

What happens when the FortiGate next-generation firewall protecting your network becomes the backdoor? 🚪

Our DFIR team has been tracking a wave of FortiGate NGFW compromises. Attackers are exploiting vulnerabilities to extract config files, steal service account credentials,… pic.twitter.com/Q9egoLwfN2

— SentinelOne (@SentinelOne) March 10, 2026


To date, attackers have leveraged known vulnerabilities (CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858) and weak credentials to extract configuration files containing service account credentials and network topology information. These accounts, often linked to Active Directory (AD) and Lightweight Directory Access Protocol (LDAP), allowed attackers to map roles, escalate privileges, and move laterally within environments.

In one case, an attacker compromised a FortiGate appliance in November 2025, creating a local administrator account named "support" and adding unrestricted firewall policies. The attacker later decrypted the credentials stored in the exported configuration file to recover an LDAP service account, which was used to enroll rogue workstations into AD, enabling deeper access. The attacker's network scanning triggered alerts, stopping further lateral movement.

In another incident, attackers rapidly deployed legitimate Remote Monitoring and Management (RMM) tools, Pulseway and MeshAgent, and downloaded malware from AWS and Google Cloud storage. The Java payload, executed via DLL side-loading, exfiltrated the NTDS.dit file and the SYSTEM registry hive to an external server. Together these two files allow offline extraction of every domain account's password hashes, though no subsequent misuse of the credentials was observed.

These incidents highlight the high value of NGFW appliances, which threat actors are exploiting for cyber espionage or ransomware attacks. SentinelOne emphasizes enforcing strong administrative access controls, maintaining up-to-date patches, and retaining detailed FortiGate logs for a minimum of 14 days, ideally forwarded to a Security Information and Event Management (SIEM) platform, so that configuration exports and unauthorized account creation can be detected. Proper monitoring, combined with automated defenses, can significantly reduce attacker dwell time and prevent full-scale network compromise.
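The detections SentinelOne recommends (configuration exports and unauthorized admin account creation, plus the unrestricted policy seen in the November 2025 case) are straightforward to express over forwarded FortiGate event logs. The following Python is an added example written for this page; it is not SentinelOne's code and not taken from the original post. The sample log lines are constructed, their field names only approximate FortiGate's key=value event-log format, and the management allow-list (10.20.0.0/24) and the 30-minute correlation window are assumptions chosen for illustration. Beyond the individual rules, it also correlates the three high-severity events from one source IP into a single "compromise chain" finding, which is the shape of the case described above.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed management allow-list; admin UI logins from anywhere else are suspicious.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
CHAIN_WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample lines in FortiGate's key=value event-log shape. Field names and
# values approximate the real format and are illustrative, not captured data.
SAMPLE_LOGS = [
    'date=2025-11-18 time=02:14:09 devname="FGT-EDGE" type="event" subtype="system" '
    'level="notice" logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" '
    'msg="Administrator admin logged in successfully from https(203.0.113.45)"',
    'date=2025-11-18 time=02:15:31 devname="FGT-EDGE" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="admin" '
    'ui="https(203.0.113.45)" action="Add" cfgpath="system.admin" cfgobj="support" '
    'msg="Add system.admin support"',
    'date=2025-11-18 time=02:16:05 devname="FGT-EDGE" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="support" '
    'ui="https(203.0.113.45)" action="Add" cfgpath="firewall.policy" cfgobj="99" '
    'cfgattr="srcintf[any]srcaddr[all]dstintf[any]dstaddr[all]service[ALL]action[accept]" '
    'msg="Add firewall.policy 99"',
    'date=2025-11-18 time=02:18:40 devname="FGT-EDGE" type="event" subtype="system" '
    'level="information" logdesc="Configuration backed up" user="support" '
    'ui="https(203.0.113.45)" action="backup" msg="Configuration is backed up to local machine"',
    'date=2025-11-18 time=09:00:12 devname="FGT-EDGE" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="netops" '
    'ui="https(10.20.0.7)" action="Edit" cfgpath="firewall.address" cfgobj="srv-db-01" '
    'msg="Edit firewall.address srv-db-01"',
]

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')      # key=value or key="quoted value"
UI_IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')   # IP inside ui="https(1.2.3.4)"


def parse_fortigate_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def source_ip(fields):
    m = UI_IP_RE.search(fields.get("ui", ""))
    return m.group(1) if m else None


def event_time(fields):
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def classify(fields):
    """Return (rule, severity) hits for one parsed event."""
    hits = []
    if fields.get("cfgpath") == "system.admin" and fields.get("action") == "Add":
        hits.append(("admin_account_created", "high"))
    if "backed up" in fields.get("logdesc", "").lower() or fields.get("action") == "backup":
        hits.append(("config_exported", "high"))
    attr = fields.get("cfgattr", "")
    if (fields.get("cfgpath") == "firewall.policy" and fields.get("action") == "Add"
            and all(t in attr for t in ("srcaddr[all]", "dstaddr[all]", "service[ALL]", "action[accept]"))):
        hits.append(("unrestricted_policy_added", "high"))
    ip = source_ip(fields)
    if ip and not any(ipaddress.ip_address(ip) in net for net in MGMT_NETS):
        hits.append(("admin_ui_from_outside_mgmt_net", "medium"))
    return hits


def analyze(lines):
    """Run every rule over every line; one finding per (event, rule) hit."""
    findings = []
    for line in lines:
        f = parse_fortigate_line(line)
        for rule, sev in classify(f):
            findings.append({"time": event_time(f), "rule": rule, "severity": sev,
                             "user": f.get("user"), "src_ip": source_ip(f), "obj": f.get("cfgobj")})
    return findings


def find_chains(findings):
    """Flag a source IP that creates an admin, opens an any/any policy and exports the
    config within CHAIN_WINDOW: the sequence seen in the appliance compromise above."""
    required = {"admin_account_created", "unrestricted_policy_added", "config_exported"}
    by_ip = {}
    for fnd in findings:
        if fnd["severity"] == "high" and fnd["src_ip"]:
            by_ip.setdefault(fnd["src_ip"], []).append(fnd)
    chains = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        rules = {e["rule"] for e in evs}
        if required <= rules and evs[-1]["time"] - evs[0]["time"] <= CHAIN_WINDOW:
            chains.append({"src_ip": ip, "start": evs[0]["time"], "end": evs[-1]["time"],
                           "rules": sorted(rules)})
    return chains


if __name__ == "__main__":
    found = analyze(SAMPLE_LOGS)
    for fnd in found:
        print(f'{fnd["time"]} [{fnd["severity"]}] {fnd["rule"]} user={fnd["user"]} src={fnd["src_ip"]}')
    for chain in find_chains(found):
        print(f'COMPROMISE CHAIN from {chain["src_ip"]}: {chain["start"]} -> {chain["end"]} {chain["rules"]}')
```

Against the sample data the routine edit from the management network at 09:00 produces no finding, while the four early-morning events from 203.0.113.45 produce individual hits and one correlated chain. In a real deployment the same rules run in the SIEM over forwarded logs; the point of the retention recommendation is that none of this is possible once the appliance has overwritten its local buffer.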

The Ugly | Iran-Linked Hacktivist ‘Handala’ Wipes Stryker MedTech Systems Worldwide

Medical technology giant Stryker has suffered a major cyberattack involving wiper malware claimed by Handala, a pro-Palestinian hacktivist group linked to Iran.

Handala says it stole 50 terabytes of data and wiped over 200,000 systems, servers, and mobile devices, forcing office shutdowns in 79 countries. Employees in the U.S., Ireland, Costa Rica, and Australia reported that corporate and personal devices enrolled for work were wiped, disrupting access to Microsoft systems, Teams, VPNs, and other applications, with some locations reverting to manual workflows.

Login screens taken over by the Handala logo (Source: WWMT.com)

At the time of the incident, staff were instructed to remove corporate device-management profiles and applications from personal devices. Stryker later confirmed the incident in a Form 8-K filing with the SEC, describing a global disruption affecting its Microsoft environment. The company activated its cybersecurity response plan and is working with internal teams and external experts. The incident appears to be contained and involved no ransomware, though the timeline for full restoration remains unknown.

Handala, active since December 2023, is known to target Israeli organizations with destructive malware that wipes Windows and Linux systems, often publishing stolen sensitive data. This attack marks a major disruption for Stryker, which employs over 53,000 people and reported $22.6 billion in global sales in 2024.

Cybersecurity experts warn that Iranian state-aligned actors, including APT groups and proxy hacktivists, frequently use cyber operations for retaliation and disruptive campaigns during geopolitical escalations. They are likely to increase attacks against U.S. organizations, critical infrastructure, and allied sectors. Organizations are urged to strengthen security controls and prepare for potential follow-on campaigns targeting networks and operations.


Source: https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-11-7/