
#CyberWeekly

Mar 9 - Mar 15, 2026

Iranian hackers wipe 200,000 devices at Stryker — using the IT admin tools you already have

When the admin tools become the weapon

On March 11, Iran-linked hacktivist group Handala wiped over 200,000 laptops, phones, and servers at medtech giant Stryker — in a single morning — using Microsoft Intune. Not a zero-day, not a novel exploit. They weaponized the same mobile device management tool your IT team uses to push updates. BleepingComputer confirmed that employees across Ireland, the US, Costa Rica, and Australia woke up to blank screens — including personal phones enrolled for work.

  • 79 countries, 200K+ devices, 50TB stolen: Stryker filed an SEC 8-K disclosing a "global disruption to the Company's Microsoft environment." Offices reverted to pen-and-paper workflows
  • The attack vector: Handala gained access to Stryker's Intune environment and triggered mass remote wipes — the same "lost device" feature every MDM admin has access to. It's a legitimate tool turned weapon
  • Personal devices caught in the crossfire: employees with personal phones enrolled for work lost data too, before being told to remove the Intune Company Portal app
  • Context matters: Handala is linked to Iran's Ministry of Intelligence (MOIS) and escalated activity following the Feb 28 US-Israel joint offensive. Stryker isn't a defense contractor — it makes surgical equipment. Geopolitical conflict doesn't respect industry boundaries

The lesson for every MSP and SME: MDM tools, cloud admin consoles, and remote management platforms are high-value targets precisely because they have legitimate access to wipe everything. Review who has admin access, enforce MFA on all management interfaces, and — critically — document your incident response plan before you need it. If the Intune admin account goes, how fast can you recover?
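The mass-wipe pattern described above is exactly what an audit-log detection should catch before thousands of devices are gone. The following is an added example, not code from the newsletter, Stryker or Microsoft: it parses constructed MDM audit records (the field names and action names are assumptions for the sample, not the real Intune audit schema) and flags any actor issuing a burst of destructive actions within a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines), not real Intune or Stryker data.
# Field names are assumed for this example; map your export's fields accordingly.
SAMPLE_AUDIT_JSONL = "\n".join(json.dumps(r) for r in [
    {"time": "2026-03-11T06:00:00Z", "actor": "it-admin@corp.example", "action": "wipe", "device": "LAP-0001"},
    {"time": "2026-03-11T06:00:02Z", "actor": "it-admin@corp.example", "action": "wipe", "device": "LAP-0002"},
    {"time": "2026-03-11T06:00:03Z", "actor": "it-admin@corp.example", "action": "wipe", "device": "PHN-0003"},
    {"time": "2026-03-11T06:00:05Z", "actor": "it-admin@corp.example", "action": "wipe", "device": "SRV-0004"},
    {"time": "2026-03-11T06:00:07Z", "actor": "it-admin@corp.example", "action": "wipe", "device": "LAP-0005"},
    {"time": "2026-03-11T09:30:00Z", "actor": "helpdesk@corp.example", "action": "wipe", "device": "PHN-0100"},
    {"time": "2026-03-11T09:31:00Z", "actor": "helpdesk@corp.example", "action": "syncDevice", "device": "PHN-0101"},
    {"time": "2026-03-11T14:00:00Z", "actor": "helpdesk@corp.example", "action": "wipe", "device": "LAP-0102"},
])

# Destructive MDM actions worth alerting on in bulk (names assumed for the sample).
DESTRUCTIVE_ACTIONS = {"wipe", "retire"}

def parse_records(jsonl):
    """Parse JSON lines into dicts with timezone-aware datetime timestamps."""
    out = []
    for line in jsonl.splitlines():
        r = json.loads(line)
        r["time"] = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
        out.append(r)
    return out

def detect_wipe_bursts(records, threshold=5, window_minutes=10):
    """Return {actor: peak_count} for every actor that issued at least
    `threshold` destructive actions inside any sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for r in records:
        if r["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[r["actor"]].append(r["time"])
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        peak, j = 0, 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:  # two-pointer sliding window
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts

if __name__ == "__main__":
    print(detect_wipe_bursts(parse_records(SAMPLE_AUDIT_JSONL)))  # -> {'it-admin@corp.example': 5}
```

Tune the threshold to your organisation's normal wipe volume; a single helpdesk wipe per incident is routine, five in ten seconds from one account is not.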

BleepingComputer: Stryker attack →

Platform Spotlight: Every learn article now shows you which CyFun controls it covers

Your compliance knowledge base, now with a map

Reading a news story about a wiper attack and wondering which CyFun control covers MDM security? You can now find out in one click. This week, 56 articles across the /learn library were updated with CyFun control callouts and contextual links — so every article connects the security concept to the specific framework control you need to implement.

  • CyFun callouts on every applicable article: NIS2 guides, security basics, implementation how-tos — each article now surfaces the relevant CyFun controls directly. No more cross-referencing the framework PDF by hand
  • Connected knowledge base: articles link to related guides, comparison pages, and framework documentation — so you can follow a topic from "what is it" to "how to implement it" to "how to prove it to an auditor" without losing your place
  • 56 articles updated this week: basics, guides, NIS2, CyberFundamentals, compare, getting-started, and industry sections — the full library is now cross-linked
  • Practical example: read access control basics, see exactly which CyFun PR.AC controls apply, click through to the full controls reference, then open your compliance checklist — all in the same flow

The April 18 NIS2 deadline is 5 weeks away. The learn library was built to help you understand what's required — now it tells you exactly where each topic lives in the CyFun control framework. Use it. And if your MSP clients aren't audit-ready yet, the IT partner guide shows you how to get them there at scale.

Explore the learn library →

Belgium helped take down LeakBase — the stolen-credential market with 142,000 users

On March 3-4, Europol coordinated a global law enforcement operation that dismantled LeakBase, one of the internet's largest stolen-credential trading forums. Belgium was among the 14 participating countries. Europol's press release describes a platform active since 2021 with 142,000 registered users and 215,000+ private messages — a thriving marketplace for the stolen data that fuels phishing, account takeover, and ransomware attacks.

  • What LeakBase was: a credential market specializing in "stealer logs" — archives of usernames, passwords, and session tokens harvested by infostealer malware. Attackers bought access credentials for specific organizations, then used them to log in and attack
  • Belgium's data was on there: Belgian SME credentials stolen in phishing campaigns or software breaches regularly end up on platforms like this. LeakBase's closure removes one resale channel — but the stolen data still exists elsewhere
  • The deanonymisation warning: Europol seized the forum database and contacted users through their own encrypted channels. "No one is truly invisible online" is the message — which also applies to any SME employee who reused a work password on a breached site
  • One rule the forum had: prohibited publishing data related to Russia. Draw your own conclusions about who was operating it

What to do now: treat this as a prompt to audit credentials. If any of your accounts use passwords that appeared in breaches from 2021-2026 (the forum's active period), rotate them. Strong unique passwords and MFA on every account mean a stolen credential is worthless — even if it was on LeakBase.

Europol: Operation LEAK →

March Patch Tuesday: patch your SQL Server now — zero-day actively exploited

Microsoft's March 2026 Patch Tuesday dropped 84 fixes including two actively exploited zero-days, and one of them is in SQL Server. CVE-2026-21262 (CVSS 8.8) allows an attacker with network access to escalate privileges to SQL Server sysadmin — the keys to the kingdom for any database. It was publicly disclosed and actively exploited before the patch dropped.

  • CVE-2026-21262 — SQL Server EoP (CVSS 8.8): privilege escalation via network access to any SQL Server instance. No authentication required. If your SQL Server is network-accessible (common in SME environments), this is a P1 patch
  • CVE-2026-26127 — .NET 9/10 DoS (CVSS 7.5): denial-of-service affecting .NET across Windows, Mac, and Linux. A broad blast radius — any line-of-business app running on modern .NET is potentially vulnerable to crashing
  • CVE-2026-21536 — RCE via file upload (Critical): unauthenticated remote code execution through unrestricted file upload. Critical severity, no patch complexity — just upload and execute
  • 84 CVEs total, 8 Critical: a heavier-than-average Patch Tuesday. The patch management guide covers how to triage and prioritize when everything seems urgent

For MSPs: every client running SQL Server should have this patch applied this week. An exploitable SQL Server privilege escalation is a direct ransomware entry vector — attackers gain sysadmin, dump credentials, move laterally. This is the attack chain that ends with encrypted backups and a ransom note. Don't let a patch be the reason it works.

BleepingComputer: March Patch Tuesday →



Tom Janssens

Editor, #CyberWeekly — LinkedIn

Questions or feedback? Contact us — we read every message.

easycyberprotection.com