San Mateo, CA, March 9, 2026 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
Conflict drives Iran-linked surveillance camera attacks
Check Point says several Iran-nexus actors have been scanning and exploiting Hikvision and Dahua cameras across Israel and Middle Eastern states since the war began on February 28, with hundreds of intrusion attempts observed. The activity has been linked to “several Iran-nexus threat actors” and could be an “early indicator of potential follow-on kinetic activity,” Check Point researchers said in a Wednesday threat intelligence report. Researchers cite Iran’s pattern of using compromised CCTV for digital reconnaissance ahead of physical strikes, noting a MOIS-linked compromise of Jerusalem camera feeds before missile attacks and similar activity during the June 2025 12-day war. The infrastructure used VPN exits and VPS hosts, and focused only on those two vendors, targeting patched authentication bypass and command-injection flaws. Check Point has not yet seen U.S. targeting. Read more.
Coalition defines early cybersecurity principles for 6G
A coalition of seven governments has published voluntary cybersecurity and cyber resilience principles intended to shape 6G before standards and deployments solidify. The Global Coalition on Telecoms (GCOT), founded by Australia, Canada, Japan, the U.K., and the U.S. in October 2023 and joined by Finland and Sweden at Mobile World Congress 2026, says early direction is needed because 6G will likely expand virtualization, disaggregated architectures, standardized interfaces, and AI-native capabilities. Objectives include containment to limit lateral propagation, confidentiality and integrity by design, measurable resilience for emergency services, and operator regulatory compliance. GCOT also calls for robust failover, alternative PNT beyond GNSS, and Open RAN approaches to improve interoperability. “Although the commercial launch of 6G networks is some years away, it is helpful to establish at an early stage the principles that will guide the development,” said Virgin Media O2’s Rob Joyce. Read more.
FBI and Europol seize LeakBase cybercrime forum
An international law enforcement operation led by the FBI and Europol dismantled LeakBase, a major cybercrime forum where hackers traded stolen data and tools. Investigators say the site had over 142,000 members and 215,000 messages. FBI Cyber Division Assistant Director Brett Leatherman said agencies seized user accounts, posts, payment details, private messages, and IP logs as evidence. Actions on March 3 and 4 were coordinated across 14 countries, with seizure banners and warning notices replacing the forum. Authorities also executed search warrants and made arrests in the U.S., Australia, Belgium, Poland, Portugal, Romania, Spain, and the U.K. Assistant Attorney General A. Tysen Duva said the disruption targets theft of personal and banking credentials on the platform, which had amassed 142,000 members. Read more.
Critical Cisco firewall management flaw enables RCE
Cisco issued an urgent advisory for a critical vulnerability in the web management interface of Secure Firewall Management Center (FMC) and Security Cloud Control (SCC) Firewall Management. With a CVSS rating of 10.0, it allows a remote, unauthenticated attacker to send a crafted serialized Java object that exploits insecure deserialization and executes arbitrary Java code on the operating system. Because execution runs with root-level privileges, compromise could enable takeover of the management device, policy changes, disabled defenses, and use of the manager as a pivot into the internal network. The issue was found during internal testing by Keane O’Kelley of Cisco’s Advanced Security Initiatives Group. Cisco PSIRT says it is unaware of active exploitation. No workarounds exist, and the flaw must be fixed with Cisco updates. Read more.
Report finds CISOs working six- to seven-day workweeks
Seemplicity’s State of the Cybersecurity Workforce Report, based on 300 CISOs and peers, finds U.S. security leaders routinely working a sixth or seventh day, amid tool sprawl and gaps: 45% log 11+ extra hours weekly and 20% add 16+ hours. The workload is taking a toll, with 44% saying the role is emotionally exhausting more often than rewarding, rising to 56% among C-level respondents, and 43% unable to take time off without major stress on return. Yet 94% would still choose cybersecurity. Seemplicity argues AI is not easing pressure; it is shifting leaders from execution to interpretation, increasing demand for communication and business skills, and risking a “governance gap” if human guardrails lag. Read more.
Researchers warn of first mass-scale iOS compromise
Coruna is an iOS exploit kit that researchers say may trace back to a leaked U.S. government framework, and it is now driving what they describe as the first mass-scale iOS compromise. Google Threat Intelligence Group and iVerify say the kit’s zero-day capabilities have proliferated across multiple actors, including a financially motivated group in China, a suspected Russian espionage campaign against Ukrainian users, and a customer of a surveillance vendor. Google argues the spread suggests an active “second-hand” market for zero-days, where advanced techniques are reused and adapted as new vulnerabilities emerge. iVerify’s Rocky Cole compared it to an “EternalBlue moment,” warning that even if the origin story is murky, the outcome is predictable: elite tooling escapes and gets operationalized by whoever can obtain it. iVerify estimates at least 42,000 devices have been affected. Read more.
App alerts users to nearby smart glasses
Nearby Glasses is a new Android app designed to flag “luxury surveillance” wearables, especially smart glasses that can record while appearing to be normal eyewear. Built by Yves Jeanrenaud, it runs in the background. It continuously scans for Bluetooth signals from manufacturers like Meta and Snap, then sends an alert if it detects a matching device nearby. Jeanrenaud said he was motivated by reporting on how smart glasses have been used to film people without their consent, and he criticized Meta’s move toward face-recognition features as opening the door to broader privacy abuses. In testing, adding Apple’s identifier caused a flood of alerts, demonstrating that the approach works but can be noisy. Read more.
CyberStrikeAI used in global FortiGate attacks
Team Cymru says a suspected Russian-speaking actor used CyberStrikeAI, an open-source, AI-native offensive security platform, to mass-scan and exploit vulnerable Fortinet FortiGate appliances. The activity follows Amazon Threat Intelligence reporting that the attacker used genAI services, including Anthropic Claude and DeepSeek, to systematically compromise more than 600 FortiGate devices across 55 countries. Researcher Will Thomas assessed CyberStrikeAI, an AI offensive security tool “developed by a China-based developer,” as being tied to the Chinese government. Cymru observed 21 IPs running the tool from Jan. 20 to Feb. 26, 2026, largely hosted in China, Singapore, and Hong Kong, with additional nodes in the U.S., Japan, and Switzerland. The GitHub account also hosts ransomware and jailbreak tools, and links to Knownsec 404. Read more.
OpenAI strikes deal with U.S. Department of War
Sam Altman said OpenAI struck a deal to deploy models in DoD classified networks, claiming red lines: “prohibitions on domestic mass surveillance” and “human responsibility for the use of force.” It follows President Donald Trump’s order to halt Claude and Anthropic services after Pete Hegseth threatened a “supply chain risk” label unless certain guardrails against its use were removed. Jeremy Lewin said the Department of War contract cites existing authorities and safety mechanisms, and that OpenAI and xAI accepted the compromise Anthropic rejected. Anthropic replied, “We will challenge any supply chain risk designation in court.” OpenAI says it will build safeguards, send engineers, and deploy only in the cloud. Read more.
ClawJacked flaw allows AI agent hijacking
OpenClaw users were urged to upgrade after Oasis Security disclosed “ClawJacked,” a high-severity indirect prompt injection that can lead to complete remote control. OpenClaw’s gateway “acts as the brain of the operation,” authenticating sessions and dispatching commands to connected nodes that can run system commands, access cameras, and read contacts. However, if a user visits a malicious website, the gateway’s trust model can break down. The flaw allows a weaponized site to open a WebSocket to the gateway port, brute-force the password by bypassing rate limiting on localhost, then register as a trusted device because localhost pairings are auto-approved without a prompt. After that, attackers can interact with the agent, dump configuration, enumerate devices, and read logs. Users should update to 2026.2.25 or later. Read more.
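
The two trust assumptions described above (no rate limiting for localhost, automatic approval of localhost pairings) can be closed in a gateway's handshake policy. The sketch below is an added example, not OpenClaw's code or its patch; the class, the origin value, the limits, and the Origin check itself are assumptions made for illustration.

```javascript
// Hypothetical gateway handshake policy; names, origins and limits are constructed.
const TRUSTED_ORIGINS = new Set(["http://localhost:3000"]); // assumed local UI origin
const MAX_FAILURES = 5;
const LOCKOUT_MS = 60_000;

// Compare without returning early at the first mismatching character.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  return diff === 0;
}

class HandshakePolicy {
  constructor(password, now = () => Date.now()) {
    this.password = password;
    this.now = now;
    this.failures = new Map(); // remoteAddress -> { count, lockedUntil }
    this.pendingPairings = []; // devices waiting for explicit user approval
  }

  check({ remoteAddress, origin, password }) {
    // 1. Browsers send Origin on WebSocket upgrades; refuse pages that are not the local UI.
    if (origin !== undefined && !TRUSTED_ORIGINS.has(origin)) return "reject-origin";

    // 2. Throttle every source, loopback included: a browser tab connects from 127.0.0.1.
    const entry = this.failures.get(remoteAddress) ?? { count: 0, lockedUntil: 0 };
    if (this.now() < entry.lockedUntil) return "locked-out";
    if (!safeEqual(password, this.password)) {
      entry.count += 1;
      if (entry.count >= MAX_FAILURES) {
        entry.count = 0;
        entry.lockedUntil = this.now() + LOCKOUT_MS;
      }
      this.failures.set(remoteAddress, entry);
      return "bad-password";
    }
    this.failures.delete(remoteAddress);

    // 3. A correct password only queues the device; nothing is auto-approved.
    this.pendingPairings.push({ remoteAddress, origin });
    return "pending-approval";
  }
}

// Constructed run: repeated wrong guesses from loopback; count how many reach the password check.
function guessesEvaluated(policy, attempts) {
  let evaluated = 0;
  for (let i = 0; i < attempts; i++) {
    const verdict = policy.check({ remoteAddress: "127.0.0.1", password: `guess-${i}` });
    if (verdict === "bad-password") evaluated += 1;
  }
  return evaluated;
}
```

With a fixed clock, 100 guesses from 127.0.0.1 result in only five password comparisons before the lockout applies, and a correct password still ends in a pending pairing rather than a trusted device.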
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
