March was a turbulent month in cybersecurity, with espionage campaigns, ransomware takedowns, and new zero-day exploits shaking global systems.
From military intel leaks to multi-billion dollar acquisitions, the threat landscape is evolving fast – and so are the actors behind it.
Cybercrime Breaking News
- A leaked Signal chat exposed U.S. military plans – how did a journalist end up in the room?
- Microsoft tracks Silk Typhoon’s pivot to IT tools and VPN exploits – is your infrastructure vulnerable?
- GitHub restores a popular tool after attackers slipped in code to leak CI/CD secrets – what does this mean for open-source supply chain security?
Cybersecurity Justice & Regulation
- Interpol’s Operation Red Card leads to over 300 arrests in Africa – what types of cyber scams were uncovered?
- U.S. charges 12 Chinese nationals in a global data theft scheme – how much did stolen inboxes cost?
- A ransomware developer extradited to the U.S. – could this shift the landscape for LockBit-style attacks?
Read on to discover March’s key developments across cybersecurity, crime, and compliance.
Cybercrime Breaking News
A Signal group chat accidentally involving a journalist revealed U.S. military plans to strike Houthi targets in Yemen, raising serious concerns about the use of unsecured messaging platforms for classified communications. While Signal offers end-to-end encryption, experts warn that its use for sharing sensitive military intelligence violates federal protocols and may erode trust among international partners.
CISA has denied reports that it is scaling back its focus on Russian cyber threats, calling claims to the contrary “fake” and harmful to national security. However, a Guardian investigation suggests a shift in US cybersecurity policy, citing an internal memo and anonymous sources who claim analysts were instructed to deprioritize tracking Russian cyber activities. In other news, CISA has announced a $10 million annual funding cut to the Multi-State and Election Infrastructure Information Sharing and Analysis Centers, citing a shift in priorities and efforts to reduce redundancies in federal cybersecurity programs.
Microsoft has observed that Silk Typhoon, a Chinese espionage group, is increasingly exploiting common IT tools like remote management software and VPNs (including a zero-day in Ivanti Pulse Connect) to gain initial access, elevate privileges, and infiltrate networks using stolen credentials. Although the group has not directly attacked Microsoft cloud services, researchers warn that its rapid use of unpatched vulnerabilities, covert infrastructure, and access to sensitive applications poses an ongoing espionage risk to organizations worldwide.
Researchers have uncovered widespread abuse of a long-standing Windows shortcut vulnerability by state-sponsored actors from North Korea, China, and Russia, who use manipulated .lnk files to deliver malware discreetly. Although the issue was reported to Microsoft, the company classified it as a low-severity user interface concern and has not issued a patch.
A zero-day exploit in Google Chrome was used in an espionage campaign targeting Russian media and academic institutions, with researchers reporting the flaw to Google, which confirmed active exploitation and issued a security patch.
The Medusa ransomware gang has targeted over 300 critical infrastructure organizations across sectors like healthcare, education, and manufacturing, according to an advisory from the FBI, CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The group, operating as a ransomware-as-a-service (RaaS) model, exploits unpatched vulnerabilities and phishing tactics, with some victims reporting triple extortion schemes.
GitHub restored a widely used open-source Action after malicious code was discovered leaking CI/CD secrets from public repositories, prompting swift intervention and a temporary suspension of the compromised account.
The FBI and CISA have warned about a scam in which criminals impersonating the BianLian ransomware gang send executives ransom letters demanding up to $500,000 in Bitcoin – no direct link to the actual group has been confirmed.
Researchers have identified a previously unreported botnet, dubbed Ballista, that exploits a TP-Link Archer router vulnerability (CVE-2023-1389) to spread itself across the internet, with evidence suggesting ties to an Italy-based threat actor.
Ukraine’s state railway operator restored online ticket sales after a “complex and multi-layered” cyber attack disrupted services for nearly four days: train schedules remained unaffected, and no sensitive data was compromised.
Home appliance maker National Presto Industries has reported a cyber attack disrupting its shipping, manufacturing, and back-office operations, warning that the incident could have a material financial impact.
Cyberwar between Russia and Ukraine: Updates
Cisco Talos has linked a phishing campaign targeting Ukrainian entities to the Gamaredon threat group, noting that the attackers used war-themed Windows shortcut files to lure victims into downloading Remcos RAT via geo-fenced servers located in Russia and Germany. The malicious LNK files, created on machines previously tied to Gamaredon, contained PowerShell code that disguised the infection process by displaying decoy documents while executing the malware through DLL side-loading.
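The shortcut-file lure described above, like the Windows shortcut abuse reported under Cybercrime Breaking News, leaves an artifact a defender can triage on disk: the .lnk file itself. The Python script below is an added example, not code from the original post or from Cisco Talos. It parses the fixed header and StringData of a Shell Link file according to the public MS-SHLLINK layout, extracts the relative path and command-line arguments, and flags shortcuts that launch a script host, carry hidden or encoded execution switches, or pad their arguments with whitespace. The `build_lnk` fixture, the indicator lists and the thresholds are constructed for this example and are not taken from the campaign.

```python
"""Triage .lnk files for scripted launchers (added example, not from the original post)."""
import struct
import sys

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian) byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Indicator lists and thresholds are heuristics constructed for this example.
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")
HIDDEN_OR_ENCODED = ("-enc", "frombase64string", "-windowstyle hidden", "-w hidden",
                     "invoke-expression", "downloadstring")
MAX_LEADING_WHITESPACE = 64
MAX_ARGUMENT_LENGTH = 1024


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a Shell Link file."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    # Skip the optional LinkTargetIDList (u16 size, not counting the size field itself).
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    # Skip the optional LinkInfo (u32 size, counting the size field).
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    # StringData: each present string is a u16 character count followed by the characters.
    info = {"flags": flags}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


def assess_lnk(info: dict) -> list:
    """Return human-readable reasons a parsed shortcut deserves a closer look."""
    reasons = []
    args = info.get("arguments", "")
    launch_line = (info.get("relative_path", "") + " " + args).lower()
    for host in SCRIPT_HOSTS:
        if host in launch_line:
            reasons.append(f"shortcut launches a script host: {host}")
            break
    for marker in HIDDEN_OR_ENCODED:
        if marker in args.lower():
            reasons.append(f"hidden or encoded execution switch: {marker}")
            break
    leading_ws = len(args) - len(args.lstrip())
    if leading_ws > MAX_LEADING_WHITESPACE or len(args) > MAX_ARGUMENT_LENGTH:
        reasons.append(f"arguments padded or oversized ({leading_ws} leading blanks, {len(args)} chars)")
    return reasons


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk carrying only RELATIVE_PATH and
    COMMAND_LINE_ARGUMENTS (no IDList, no LinkInfo, zeroed timestamps/attributes)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def scan_file(path: str) -> list:
    """Parse and assess one shortcut file from disk."""
    with open(path, "rb") as fh:
        return assess_lnk(parse_lnk(fh.read()))


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for p in paths:
            print(p, scan_file(p) or ["no indicators"])
    else:
        # No files given: demonstrate on two constructed shortcuts.
        sample = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                           " " * 200 + "-WindowStyle Hidden -enc QQBCAEMA")
        print(assess_lnk(parse_lnk(sample)))
        print(assess_lnk(parse_lnk(build_lnk(r"..\..\Windows\notepad.exe", "report.txt"))))
```

Run it with one or more .lnk paths to triage real files, or with no arguments to see the constructed fixtures scored. The parser deliberately stops after StringData; the ExtraData blocks that follow are not needed for this check, and a truncated or hostile file raises `ValueError` rather than being silently accepted.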
Cybersecurity and AI
Google has announced its largest-ever acquisition with a $32 billion all-cash deal to buy cloud security firm Wiz, aiming to strengthen multi-cloud and AI-era cybersecurity capabilities across its services.
Cybersecurity Justice
As part of Operation Red Card, Interpol and law enforcement agencies from seven African nations arrested over 300 suspects linked to cyber-enabled scams targeting mobile banking, investment, and messaging apps. The joint effort, supported by national cybercrime units and judicial authorities, uncovered cross-border criminal networks and seized nearly 2,000 devices, vehicles, properties, and illicit assets.
U.S. prosecutors have unsealed charges against 12 Chinese nationals accused of participating in a state-sponsored hacking scheme that targeted dissidents, U.S. government agencies, and foreign ministries. The Justice Department alleges the group operated under the direction of Chinese ministries and sold stolen data for tens of thousands of dollars per target.
The Federal Trade Commission (FTC) has withdrawn its investigation into MGM Resorts International’s handling of a 2023 ransomware attack, leading to the dismissal of related court cases. This decision coincides with the transition to the Trump administration.
UK IT services provider Advanced has been fined £3 million by the Information Commissioner’s Office for security failures that led to a 2022 ransomware attack, compromising the personal data of over 79,000 people. The breach, which disrupted NHS services, including the 111 hotline, stemmed from a compromised account lacking multifactor authentication.
The U.S. Treasury Department has sanctioned an Iranian national, the alleged sole administrator of the defunct Nemesis darknet marketplace, which facilitated drug trafficking and cybercrime.
An individual accused of developing ransomware for the LockBit group has been extradited from Israel to the U.S. and appeared in a New Jersey court. The charges relate to over 2,500 global attacks, including 1,800 in the U.S., which caused extensive financial and operational damage to organizations across critical sectors.
A Canadian citizen accused of involvement in major 2024 data breaches, including the attack on Snowflake that affected over 160 companies, has consented to extradition to the U.S. to face multiple federal charges. The breaches exposed hundreds of millions of records from companies like AT&T and Ticketmaster, sparking global concern over credential-based intrusions.
A Catalan court has ordered the indictment of three former NSO Group executives over their alleged involvement in the Pegasus spyware scandal, which targeted 63 members of Catalonia’s civil society.
FinTech Updates
Reports indicate that North Korean hackers, allegedly linked to the Lazarus Group, have completed the initial laundering stage of over $1 billion stolen from the crypto platform Bybit, using DeFi tools to obscure the funds’ origins.
Abracadabra Finance lost nearly $13 million in a crypto heist linked to an exploit in its lending product “cauldrons,” prompting an ongoing investigation and a bug bounty offer to the attacker.
U.S. and European law enforcement have seized the Russian cryptocurrency exchange Garantex, alleging it processed at least $96 billion in transactions linked to money laundering and sanctions violations. Two administrators have been indicted for conspiracy to launder money, with additional charges related to sanctions evasion and operating an unlicensed money-transmitting business.
Russian authorities arrested three individuals accused of creating the Mamont Android banking trojan, which has been linked to over 300 cybercrimes involving stolen funds and SMS-based fraud, according to the Ministry of Internal Affairs.
Following a federal appeals court ruling, the U.S. Treasury removed Tornado Cash from its sanctions list. While acknowledging the legal decision, Treasury emphasized its ongoing commitment to targeting illicit cyber activity, particularly efforts linked to North Korea.
Cybercriminals are using a fake Binance website and emails impersonating the platform to lure victims into downloading a remote access tool under the guise of claiming TRUMP cryptocurrency. Researchers warn that the malware, disguised as Binance software, allows hackers to take control of infected computers within minutes, posing a significant security risk.
Cybersecurity News Across The Globe
- Two Serbian investigative journalists were recently targeted with Pegasus spyware via suspicious Viber messages linked to a state-run telecom operator, according to Amnesty International. The organization’s Security Lab confirmed the attempted infections and contacted the journalists after identifying Pegasus-associated infrastructure, marking the third such targeting of Serbian civil society in two years.
- A cyber attack on South Africa’s largest poultry producer, Astral Foods, caused delivery delays and over $1 million in losses, prompting a full-scale activation of the company’s disaster recovery protocols.
- Malaysia’s Prime Minister confirmed that the country rejected a $10 million ransom demand following a cyber attack that disrupted computer systems at Kuala Lumpur International Airport.
- Thai authorities, as part of a joint operation involving the Ratchamanu Task Force and a drug suppression unit, intercepted 38 Starlink transmitters allegedly en route to scam compounds across the Myanmar border. The devices, believed to support internet-based fraud operations run by organized crime groups, mark the second such seizure in March.
Want to find out more about:
- Cybersecurity Risk Assessment – What Is It and Why Do It Regularly
- Penetration Testing for Fintech Companies
- PCI DSS Penetration Testing – Everything You Need to Know
- NIS2 and Penetration Testing: Ensuring Compliance and Cyber Resilience
AMATAS will continue to monitor this space and deliver salient information regularly.
Stay tuned for our next report, and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website www.amatas.com or by e-mailing office@amatas.com.
As always – be vigilant, stay alert, and think twice.