LinkedIn Carousel - #CyberWeekly Week 12

EU Strikes Back

EU sanctions Chinese and Iranian state hackers — while a security firm loses 900,000 records to a single phone call

Cisco Firewall Zero-Day CVSS 10.0: Interlock Ransomware Found the Master Key

ShinyHunters Hacks Aura — The Identity Protection Firm

LeakNet: This CAPTCHA Will Encrypt Your Files

Easy Cyber Protection

1/4

EU names and sanctions the Chinese and Iranian companies behind years of cyberattacks on Europe

On March 16, the EU Council publicly named five actors — three companies, two individuals — responsible for state-sponsored cyberattacks against EU member…

Integrity Technology Group (China): between 2022 and 2023, this Beijing company's tools compromised more than 65,000 devices across six EU member states. The EU didn't say "allegedly" — it said the company "routinely provided products used to compromise and access devices"
Anxun Information Technology (China): provided hacking services aimed directly at critical infrastructure and critical functions across EU member states and third countries. Also known as I-Soon, previously exposed in a leaked document dump in 2024
Emennet Pasargad (Iran): the private Iranian company that ran cyberattacks against Charlie Hebdo in 2023 and then targeted the Paris 2024 Olympic and Paralympic Games. The Olympics attack included DDoS campaigns and disinformation operations

EU Council: full press release → https://www.consilium.europa.eu/en/press/press-releases/2026/03/16/cyber-attacks-against-the-eu-and-its-member-states-council-sanctions-three-entities-and-two-individuals/

2/4

Cisco firewall zero-day CVSS 10.0: Interlock ransomware had root access 36 days before anyone knew

The device meant to protect your network from attackers became the attackers' entry point.

Zero-day timeline: Cisco disclosed the vulnerability on March 4, 2026. Interlock had been exploiting it since January 26 — 36 days of active attacks before a patch even existed. During that window, every unpatched Cisco FMC instance was a potential ransomware entry point
Attack chain: crafted HTTP request → authentication bypass → arbitrary Java code execution as root → ELF binary fetched from attacker server → full network access. The attacker never needs credentials
SharePoint also needs patching: CISA added CVE-2026-20963 (CVSS 8.8, Microsoft SharePoint deserialization) to its Known Exploited Vulnerabilities catalog on March 18, with a federal patch deadline of March 21. If your organization runs SharePoint on-premise, this is a P1
What Interlock does next: once inside via FMC, the group deploys ScreenConnect for persistence, moves laterally, and eventually encrypts. The firewall admin console is their lateral movement launchpad

Hacker News: Cisco FMC zero-day → https://thehackernews.com/2026/03/interlock-ransomware-exploits-cisco-fmc.html

3/4

LeakNet ransomware's new trick: you visit a legitimate website, paste one command, and your files disappear

LeakNet ransomware has a new entry method — and it doesn't require you to click a suspicious email or download a shady file.

The ClickFix technique: the fake CAPTCHA instructs you to open the Windows Run dialog and paste a command. The command looks like a verification step. It's actually an msiexec.exe call that fetches and runs the ransomware payload. No email. No download prompt. Just copy, paste, Enter
Deno in-memory loader: LeakNet feeds the actual malicious payload to Deno (a JavaScript runtime) as a base64-encoded data URL. Deno decodes and executes it entirely in memory — no file ever touches disk, so traditional antivirus has nothing to scan
Wide-net strategy: LeakNet isn't targeting a specific industry. It compromises any website it can and serves the fake CAPTCHA to whoever visits. Currently averaging ~3 victims per month, but scaling up as the technique spreads

BleepingComputer: LeakNet analysis → https://www.bleepingcomputer.com/news/security/leaknet-ransomware-uses-clickfix-and-deno-runtime-for-stealthy-attacks/

4/4

ShinyHunters hacked an identity protection company — via one phone call to one employee

Aura is a company that sells identity protection.

What happened: an Aura employee received a targeted phone call from someone posing as IT support. The attacker convinced the employee to hand over account access. The attacker had that access for approximately one hour before detection
Scale vs. access time: one hour was enough to exfiltrate contact records for 900,000 people. Aura says fewer than 20,000 active and 15,000 former customers had data accessed — the rest appear to be older records. No passwords, SSNs, or financial data were in scope
ShinyHunters: the same group behind the 2024 Ticketmaster breach (560M records), the Santander breach, and dozens of others. They now appear to be running a parallel Salesforce Experience Cloud campaign targeting 400+ companies using a weaponized internal security tool

Help Net Security: Aura breach → https://www.helpnetsecurity.com/2026/03/19/aura-data-breach-900000-records/