Cyber Intelligence Weekly (March 15, 2026): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we turn to this week’s edition of Cyber Intelligence Weekly, I want to introduce a new CISO Spotlight Series: The Human Side of Cybersecurity.
This series is grounded in conversation rather than commentary. It centers on CISOs who are in the seat—navigating real leadership pressure, complex risk decisions, and the human realities of building and sustaining security programs. Some are earlier in their journey, others further along paths many of you may recognize or aspire toward. What they share isn’t theory. It’s experience—earned through moments of progress, frustration, growth, and reflection. These conversations are for the professionals who show up every day to quietly carry the weight of this industry.
Margarita Rivera (Carnival Corporation) — “Meet everyone.”
In this episode, I sat down with Margarita Rivera, Global CISO at Carnival Corporation, whose path into cybersecurity was anything but traditional. Margarita describes cyber as her “accidental career.” She started with a business administration and finance background, entered the workforce through risk management in financial services, and got her first real exposure to what was then called data security by helping a one-person security function overwhelmed by regulatory pressure. What began as stepping in to help quickly turned into a calling. She leaned in, went back to school, earned advanced degrees and certifications, and built a career that has now spanned more than two decades across financial services, telecommunications, retail, real estate, and hospitality.
What stood out most in our conversation was how clearly Margarita understands her role as a connector. She does not approach security as rigid or black-and-white. Instead, she meets people where they are—whether that is her own team, an audit committee, an executive leader, or a ship captain responsible for one of Carnival’s “floating cities.” Her strength is not just technical understanding. It is the ability to connect technology, business, and human priorities in a way that helps organizations move forward securely. That business fluency, paired with her love of puzzles, creativity, and innovation, became the secret sauce that helped her thrive in a field often dominated by pure technologists.
She also made a point that every modern security leader should hear: data, relationships, and trust drive effective decision-making. Margarita sees herself as a facilitator of risk decisions, not the sole owner of them. Her job is to quantify risk, provide options, tell the story with data, and help the business make informed calls. That mindset is especially important in an environment like Carnival, where the stakes extend far beyond office systems. Securing a corporate network is one thing. Securing ships at sea—where a bad day can become truly catastrophic—is something else entirely.
Additional takeaways from the conversation:
- Cybersecurity rewards curiosity and creativity. Margarita was drawn to the field because it was dynamic, fast-changing, and full of puzzles to solve.
- A business background can be a superpower in security. The ability to translate between technical teams and business leaders is often what accelerates transformation.
- The best CISOs are connectors. Different audiences need different messages, and effective leaders tailor the conversation to what matters most to each group.
- Rigid security loses influence. When security shows up as pure “yes/no,” people find ways to work around it. Partnership creates better outcomes.
- AI is powerful, but the hype around labor reduction is overdone. AI will help accelerate work, but it is not a shortcut around sound operations or strong teams.
- The basics remain underappreciated. Patching, observability, identity management, AI readiness, and data governance still matter more than shiny new tools.
- Burnout prevention starts with clear direction. Teams avoid whiplash when leaders provide a roadmap, model healthy boundaries, and protect time to learn and recharge.
- Org structure matters more than many leaders realize. Having the right people in the right seats is critical to performance and sustainability.
- Being a CISO is not glamorous in the way younger professionals may think. It is high-accountability, high-complexity work that requires strategic thinking, adaptability, and constant learning.
- The cybersecurity community is a real advantage. Security leaders are stronger when they collaborate, share openly, and treat each other’s problems as shared challenges.
Her billboard message for every new CISO was simple and unforgettable: Meet everyone. It captures her philosophy perfectly. Relationships are not a side note to the job—they are the job. The more people you understand, the more effectively you can influence change, build trust, and help an organization make better decisions.
Watch the Full Interview Here: https://www.youtube.com/watch?v=mN-3CKLC8FM

___________________________________________
Echelon Thought Leadership Highlight
What should “managed services” actually mean in 2026? As cybersecurity programs grow more complex, organizations need providers who go beyond tools and monitoring to help improve security outcomes over time.
In this article, J.R. Hurd outlines what modern managed services should deliver and what organizations should expect from a provider.
Read the article here: https://lnkd.in/euv3mJqg

Away we go!
1. Suspected Nation-State Hack Takes Down Medical Device Company Systems
Medical device giant Stryker is working to recover from a major cyber incident that disrupted large portions of its internal Microsoft-based infrastructure. The company confirmed that the attack triggered a global outage across its environment, forcing teams to respond to widespread system disruptions. While the incident has affected internal operations, Stryker said several of its critical medical technologies—including cardiac monitoring and surgical systems—remain operational.
The attack surfaced publicly after reports from employees and outside observers suggested that computers and mobile devices across parts of the company’s network had been wiped or rendered unusable. A hacking group known as Handala Hack quickly claimed responsibility online. Security researchers have long linked the group to Iranian state-aligned operations, and the timing of the attack—following escalating military tensions involving the United States and Israel—has fueled speculation that the incident may represent a form of cyber retaliation.
Investigators are still determining how attackers gained access to the company’s environment. Early analysis suggests the disruption may not have involved traditional ransomware or malware. Instead, researchers believe the attackers may have leveraged legitimate enterprise management tools—potentially issuing destructive commands through Microsoft Intune, which allows administrators to remotely manage and wipe devices at scale. If confirmed, the tactic would underscore a growing trend in modern cyber operations: attackers abusing trusted management platforms once they gain privileged access.
The broader objective of the attack appears less about financial gain and more about strategic signaling. Disrupting a globally recognized medical technology provider carries both operational and psychological impact, especially during periods of geopolitical tension. For security leaders, the incident highlights a recurring theme in modern cyber conflict: nation-state actors are increasingly willing to target commercial organizations to create pressure points beyond the traditional military domain.

When Attackers Don’t Break In — They Log Into Your Cloud
Cloud intrusions continue to accelerate, and the trend that stands out most in recent threat intelligence reports is how attackers are gaining access: valid credentials and misconfigured identity systems, not traditional malware.
A recent industry analysis found that cloud intrusions increased more than 35% year-over-year, with nation-state actors driving a large share of that activity. In many cases, attackers are exploiting identity gaps between on-premises systems and cloud environments—especially hybrid identity platforms, OAuth integrations, and SaaS application permissions. Once attackers gain access to a cloud account, they often operate entirely within legitimate tools and APIs, making detection far more difficult.
What We’re Seeing in the Wild
Recent incident response investigations highlight a few recurring patterns:
- Compromised SaaS integrations – Attackers abuse OAuth tokens tied to applications like Microsoft 365, Google Workspace, or Slack to maintain persistent access without triggering password resets.
- Misconfigured cloud storage – Publicly exposed S3 buckets, Azure Blob containers, and backup repositories continue to expose sensitive data at scale.
- Identity sprawl in hybrid environments – Attackers pivot between on-prem Active Directory and cloud identity providers like Entra ID or Okta to escalate privileges.
- Cloud management API abuse – Once authenticated, attackers often manipulate IAM policies, spin up compute resources for crypto mining, or silently exfiltrate data.
Security Updates and Defensive Steps
Several recent vendor advisories and best practices highlight practical ways organizations can reduce exposure:
- Audit OAuth applications and API tokens across Microsoft 365, Google Workspace, and Salesforce environments. Remove unused integrations.
- Enforce conditional access policies and phishing-resistant MFA wherever possible.
- Continuously monitor cloud identity logs, including unusual token creation or abnormal API usage.
- Enable automatic configuration scanning for misconfigured storage services and identity roles.
- Implement cloud security posture management (CSPM) or similar tooling to identify risky permissions and exposed resources.
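A small detection pass that exercises the monitoring steps above over constructed sample identity and management-API audit events. This is an added example, not code from the newsletter or any vendor; the event schema is a constructed simplification (real Entra ID, Google Workspace and AWS CloudTrail schemas differ), and the app allowlist, IAM action set and burst threshold are assumptions.

```python
import json
from collections import Counter

# Assumed allowlist of sanctioned OAuth apps and a per-identity call threshold.
APPROVED_APPS = {"HR Sync Connector"}
IAM_ACTIONS = {"PutUserPolicy", "AttachRolePolicy", "CreateAccessKey"}
API_BURST_THRESHOLD = 3  # calls per identity in the sample window

# Constructed sample events, one JSON object per line (simplified schema;
# real Entra ID, Google Workspace and AWS CloudTrail logs differ).
SAMPLE_LOG = """\
{"ts": "2026-03-10T08:01:00Z", "actor": "alice@example.com", "action": "ConsentToApp", "app": "HR Sync Connector", "scopes": ["User.Read"]}
{"ts": "2026-03-10T08:05:00Z", "actor": "bob@example.com", "action": "ConsentToApp", "app": "Mail Helper", "scopes": ["Mail.ReadWrite", "offline_access"]}
{"ts": "2026-03-10T08:06:00Z", "actor": "bob@example.com", "action": "CreateAccessKey", "target": "svc-deploy"}
{"ts": "2026-03-10T08:06:30Z", "actor": "bob@example.com", "action": "AttachRolePolicy", "target": "svc-deploy"}
{"ts": "2026-03-10T08:07:00Z", "actor": "bob@example.com", "action": "RunInstances", "count": 8}
{"ts": "2026-03-10T08:07:20Z", "actor": "bob@example.com", "action": "RunInstances", "count": 8}
{"ts": "2026-03-10T09:00:00Z", "actor": "carol@example.com", "action": "ListBuckets"}
"""

def parse_events(text):
    """Parse newline-delimited JSON audit events."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_findings(events):
    """Return (actor, finding_type, detail) tuples for suspicious activity."""
    findings = []
    calls_per_actor = Counter()
    for e in events:
        actor = e["actor"]
        calls_per_actor[actor] += 1
        if e["action"] == "ConsentToApp":
            # An OAuth grant to an app nobody sanctioned is how SaaS
            # integrations get abused for persistence.
            if e["app"] not in APPROVED_APPS:
                findings.append((actor, "unapproved_oauth_app", e["app"]))
            # offline_access yields a refresh token, so the grant outlives
            # the interactive session that created it.
            if "offline_access" in e.get("scopes", []):
                findings.append((actor, "persistent_token_scope", e["app"]))
        elif e["action"] in IAM_ACTIONS:
            # Permission changes after login: the IAM manipulation pattern.
            findings.append((actor, "iam_change", e["action"]))
    # A burst of management API calls from one identity (compute spin-up,
    # bulk reads) is the abnormal-usage signal worth alerting on.
    for actor, n in calls_per_actor.items():
        if n > API_BURST_THRESHOLD:
            findings.append((actor, "api_burst", n))
    return findings

if __name__ == "__main__":
    for actor, kind, detail in find_findings(parse_events(SAMPLE_LOG)):
        print(f"{actor:22} {kind:24} {detail}")
```

In the constructed sample only bob@example.com trips any rule: an unapproved app consent carrying offline_access, two IAM changes, and five calls in the window.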
The Real Takeaway
The cloud attack surface isn’t shrinking—it’s shifting. The biggest risk today isn’t an attacker breaking through a firewall; it’s an attacker authenticating successfully and operating inside trusted systems.
For defenders, that means cloud security has become fundamentally about identity visibility, permission hygiene, and behavioral monitoring. If you can’t see who is using your cloud APIs, what tokens they hold, and what permissions they inherited, you’re not really seeing your attack surface.

2. Apple Patches Older iPhones to Block Coruna Exploits
Apple has issued an unusual round of security updates for older versions of iOS and iPadOS, patching several vulnerabilities that have been actively exploited by a sophisticated toolset known as the Coruna exploit kit. The fixes address multiple weaknesses affecting Apple’s kernel and WebKit browser engine—two components that, if compromised, can give attackers a powerful foothold on a device.
The patched flaws include memory corruption and use-after-free vulnerabilities that could allow malicious websites to trigger code execution or destabilize device memory handling. Security researchers say Coruna contains multiple exploit chains—some combining several vulnerabilities together—to break through iOS defenses. Several of the affected bugs have now been added to the Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA), signaling that attackers have already used them in real-world operations.
What makes this release noteworthy is Apple’s decision to backport the patches to older operating systems, including versions that run on devices more than a decade old. Historically, Apple rarely releases fixes for platforms that are approaching or beyond end-of-life support. Security analysts say the move reflects the seriousness of the Coruna activity and the potential impact if the vulnerabilities were left unaddressed on legacy devices.
So far, researchers believe the exploit kit has been used primarily in targeted attacks, but that may not last. Once vulnerabilities become better understood, exploit techniques often spread from advanced operators to broader criminal groups. For organizations and individuals still using older Apple hardware, the message is straightforward: install the updates immediately—or better yet, move to a currently supported device and operating system.

Overcoming Risks from Chinese GenAI Tool Usage
A recent investigation conducted by Harmonic Security has revealed widespread, unmonitored use of Chinese-developed generative AI tools inside Western organizations, leading to significant data exposure risks and compliance concerns.
In a month-long review covering 14,000 employees across U.S. and U.K.-based organizations, nearly 8% of employees were found to be using Chinese GenAI platforms—including DeepSeek, Kimi Moonshot, Baidu Chat, Qwen, and Manus—without prior approval or oversight from security teams.
In total, 535 separate incidents were identified in which corporate data was entered into these tools, amounting to over 17MB of potentially sensitive information. Source code and engineering information comprised about one third of the sensitive information; the rest was made up of data concerning mergers and acquisitions, financial reports, legal contracts, customer records, and PII. The vast majority of incidents, 85%, involved DeepSeek.
Unlike regulated or enterprise-approved AI platforms, many of these Chinese GenAI tools operate under opaque data handling policies, including using user data for model training. In regulated sectors or organizations handling intellectual property, this creates substantial privacy, compliance, and contractual risk.
In this case, security awareness alone is insufficient. Organizations are encouraged to implement real-time enforcement mechanisms that can:
- Detect and restrict access to AI platforms based on country of origin
- Monitor the type of data uploaded to AI tools
- Block known tools that present high data governance risk
- Implement active and enforced controls when considering GenAI adoption
Other measures, including internal education initiatives, are also recommended to help reduce unsanctioned usage while offering safer, sanctioned alternatives internally. AI adoption is happening faster than governance. When tools are freely accessible on the web, motivated employees will find and use them—regardless of corporate policy. As generative AI continues to permeate technical workflows, especially in development environments, the challenge is no longer just about what the models can do—but where they live, who owns them, and how they handle your data.

3. Global Operation Dismantles SocksEscort Proxy Botnet
An international law enforcement operation has dismantled a large proxy network used by cybercriminals to conceal their identities while carrying out attacks and fraud. The effort, dubbed Operation Lightning, brought together investigators from multiple European countries and the United States, coordinated through Europol and Eurojust. Authorities seized dozens of domains and servers across several jurisdictions and froze millions of dollars in cryptocurrency tied to the operation.
At the center of the investigation was SocksEscort, a subscription-based proxy service that sold access to a botnet built from compromised routers, modems, and Internet-connected devices. By routing malicious traffic through thousands of infected systems, the service allowed cybercriminals to mask their real locations and appear to originate from residential networks—making their activity much harder for defenders to detect or block.
The infrastructure powering the network had been quietly growing for years. Investigators say many of the infected systems were consumer or small-business devices that had been compromised through unpatched vulnerabilities or outdated firmware. Once infected, those devices became part of a distributed proxy pool that attackers could rent to conduct fraud, credential attacks, and other malicious activity while hiding behind legitimate IP addresses.
While the takedown represents a meaningful disruption to the cybercrime ecosystem, experts caution that the underlying problem remains widespread. Residential routers and IoT devices often run outdated software and remain deployed long after vendors stop issuing security updates. Until those edge devices become more secure—or users become more diligent about updating and replacing them—botnet operators will continue to find fertile ground for building the next generation of proxy networks.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about