Cyber Intelligence Weekly

Cyber Intelligence Weekly (March 22, 2026): Our Take on Three Things You Need to Know

By Dan Desko
Posted on Mar 22 / 2026

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we turn to this week’s edition of Cyber Intelligence Weekly, I want to introduce a new CISO Spotlight Series: The Human Side of Cybersecurity.

This series is grounded in conversation rather than commentary. It centers on CISOs who are in the seat—navigating real leadership pressure, complex risk decisions, and the human realities of building and sustaining security programs. Some are earlier in their journey, others further along paths many of you may recognize or aspire toward. What they share isn’t theory. It’s experience—earned through moments of progress, frustration, growth, and reflection. These conversations are for the professionals who show up every day to quietly carry the weight of this industry.

Julie Ray (Wabtec Corporation) — “Explain the why.”

In this episode, I sat down with @Julie Ray, VP and CISO at a Fortune 500 manufacturer, whose career reflects a path many of the best security leaders share: she did not start in cybersecurity, but grew into it through infrastructure, compliance, and operational leadership. Julie has spent most of her career in manufacturing, began on the infrastructure side of IT, helped build one of the early cyber compliance programs aligned to the NIST framework, and later stepped into the CISO role when the opportunity presented itself. Alongside her executive work, she also gives back through teaching and coaching at Robert Morris University and Carnegie Mellon.

What stood out most in our conversation was Julie’s belief that some of the strongest security professionals are those who have seen more than just security. Her background in infrastructure and applications gave her a broader perspective—one that helps her understand the realities of the teams she partners with instead of simply asking why they are not moving faster. That perspective shaped her leadership style. Julie sees a big part of her job as being a translator: helping people understand why security matters, especially when they are not living in technical details every day.

She also shared an honest view of what modern security leadership really requires. A CISO has to stay informed, keep learning, and understand a wide range of domains—but no single person can be the deepest expert in every area. Julie’s answer is to build a strong team around a shared North Star, then trust those people to lead within their areas of expertise. That combination—clarity of direction plus trust in the team—is what allows a security organization to move with focus instead of getting buried by the size of the mission.

Additional takeaways from the conversation:

  • Great cyber leaders often come from adjacent disciplines. Exposure to infrastructure, applications, analytics, or the business side builds empathy and better judgment.
  • Cybersecurity is a constant learning profession. If you do not like reading and keeping up with change, it is a hard field to thrive in.
  • You cannot do it all yourself. Strong CISOs build teams they trust rather than pretending to be the expert in every domain.
  • A shared North Star matters. Teams perform better when they know where the organization is headed and how their decisions connect to that direction.
  • Prioritization is leadership. Security teams will try to do everything because they care. Effective leaders decide what not to do right now—and own that decision.
  • The business creates some of the whiplash. Security has to understand new technologies and trends because the organization wants to move, but that does not mean every new thing becomes the top priority.
  • AI is important, but its long-term business impact is still being sorted out. The hype is real, but the value curve is still emerging.
  • Burnout prevention requires backups and cross-training. People rest better when they know someone else can carry the work while they disconnect.
  • Vacation should actually mean vacation. Julie is intentional about creating a culture where people can unplug, recharge, and come back refreshed.
  • Being a CISO is not mainly about technical execution. It is about communication and negotiation—getting busy people to care about security and move on what matters.

Her billboard message for every new CISO was simple and powerful: Explain the why.

That idea captures her whole philosophy. Security cannot just issue edicts or say no. It has to help people understand the reason behind the ask, the risk behind the control, and the path forward that makes sense for the business.

Watch the Full Interview Here: https://www.youtube.com/watch?v=GvHJoHFVHj4

___________________________________________

Echelon Thought Leadership Highlight

CMMC Compliance is a program, not just a checkbox.

At Echelon Risk + Cyber, we partnered with PJ Dick - Trumbull - Lindy, to help them prepare for evolving Department of Defense cybersecurity requirements, including CMMC Level 2.

Together, we:

✅ Assessed their current cybersecurity posture and identified key gaps

✅ Built a clear Plan of Action & Milestones to guide leadership and long-term strategy

✅ Developed and standardized key policies and documentation across the organization

The result?

Clearer visibility into their security posture, stronger alignment across teams, and a durable compliance foundation that continues to support their program today.

Check out the full case study to see how we did it 👇 https://lnkd.in/e_8UP7r5

Away we go!

1. Feds Disrupt Massive IoT Botnets Powering Record DDoS Attack

According to a new report from Brian Krebs, U.S. and international law enforcement agencies have taken down the infrastructure behind several large-scale botnets responsible for some of the most disruptive distributed denial-of-service (DDoS) attacks in recent memory. The coordinated operation—spanning the United States, Canada, and Germany—targeted four botnets that collectively hijacked more than three million internet-connected devices, including home routers and web cameras.

The botnets, tracked as Aisuru, Kimwolf, JackSkid, and Mossad, were used to launch hundreds of thousands of attacks against organizations worldwide. In many cases, attackers leveraged these networks to extort victims—overwhelming their systems with traffic and demanding payment to stop the disruption. Authorities say the operation focused on seizing domains, servers, and other infrastructure used to control the botnets, effectively cutting off their ability to coordinate future attacks.

What made these botnets particularly effective was their ability to spread rapidly across vulnerable IoT devices. Researchers observed newer variants using techniques that allowed them to compromise systems even behind internal networks—significantly expanding their reach. Many of the infected devices were running outdated firmware or were never properly secured, creating a massive, distributed attack surface that could be weaponized at scale.

While the takedown marks a meaningful disruption, it also underscores a persistent problem: the security of consumer and small business devices remains a weak link in the global internet ecosystem. As long as millions of routers, cameras, and connected devices remain unpatched or poorly configured, attackers will continue to rebuild similar botnets. For defenders, this is a reminder that DDoS is no longer just a nuisance attack—it’s an industrialized capability powered by the most overlooked assets on the network edge.

MFA Isn’t Broken—But Attackers Found a Way Around It

One of the more concerning developments this week is the rise of adversary-in-the-middle (AiTM) phishing kits—like the recently observed “Starkiller” platform—that are specifically designed to bypass multi-factor authentication in cloud environments.

Instead of stealing credentials and trying to log in later, these tools act as a live proxy between the user and the real login page (Microsoft 365, Google Workspace, Okta, etc.). When a user enters their username, password, and MFA code, the attacker captures it all in real time and immediately establishes a valid session. The result: full account takeover without ever “breaking” MFA.

What This Looks Like in the Real World

We’re seeing this play out in real incidents across SaaS environments:

  • A finance team member clicks a Microsoft 365 phishing link → logs in → approves MFA
  • The attacker captures the session cookie → bypasses future MFA prompts
  • Within minutes: mailbox rules are created, invoices are altered, and payments are redirected

In other cases, attackers are using these sessions to:

  • Access SharePoint/OneDrive for data exfiltration
  • Register new OAuth apps for persistence
  • Launch internal phishing from trusted accounts

Why This Matters for Cloud Security

This isn’t a vulnerability you can patch—it’s a design limitation of session-based authentication in modern SaaS platforms. Once a session is issued, it’s trusted.

That’s why many of these attacks are completely malware-free and nearly invisible to traditional controls.

What to Do Right Now

To reduce exposure, organizations should prioritize:

  • Phishing-resistant MFA (FIDO2 / passkeys vs. SMS or push)
  • Conditional access policies (device trust, location, risk-based login)
  • Session monitoring and token protection (look for impossible travel, token reuse)
  • OAuth app governance (review and restrict third-party app permissions)
  • User awareness (especially around URL tricks like “login.microsoft.com[at]malicious-site”)

The Bottom Line

Cloud attacks are shifting from “break the system” to “trick the user, steal the session, and blend in.”

If your cloud security strategy still assumes MFA is the finish line, you’re already behind.

2.  CISA Issues Emergency Directive on Critical Cisco Firewall Flaw Amid Active Exploitation

Federal cybersecurity officials are moving with unusual urgency after a critical vulnerability in Cisco’s firewall management platform was confirmed to be under active attack. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch the flaw—tracked as CVE-2026-20131—within days, signaling just how serious the risk has become. The vulnerability carries the highest possible severity rating and impacts Cisco Secure Firewall Management Center (FMC), a system widely used to manage core security controls across enterprise environments.

At its core, the issue allows a remote, unauthenticated attacker to execute arbitrary code with root-level privileges by exploiting a flaw in how the platform processes serialized Java data. In practical terms, that means an attacker could take full control of a critical security management system—often the very tool organizations rely on to defend their networks. Cisco had initially warned customers to patch immediately upon disclosure, but the situation escalated quickly after evidence emerged that threat actors were already exploiting the vulnerability in real-world attacks.

What’s particularly concerning is that exploitation appears to have started well before a fix was publicly available. Threat intelligence researchers have linked the activity to a ransomware group that has been quietly leveraging the flaw since early 2026, targeting high-value organizations and deploying follow-on malware once access is established. With no viable workaround available, patching is the only effective defense—prompting CISA to include the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog and issue a firm remediation deadline.

For organizations outside the federal government, the message is just as clear. This is not a theoretical risk or a vulnerability to schedule for “next patch cycle”—it’s an actively weaponized entry point into some of the most sensitive layers of enterprise infrastructure. Security leaders should treat this as a priority incident: identify affected systems, apply patches immediately, and review access logs for signs of compromise. In today’s threat landscape, the window between disclosure and exploitation is no longer measured in weeks—it’s measured in days, if not hours.

AI Coding Tools Introduce a New Supply Chain Risk

This week highlighted a growing concern in the AI space: developer-focused AI tools becoming a new attack surface. Recent vulnerabilities discovered in an AI coding assistant platform showed how attackers could manipulate project configuration files to execute code on a developer’s machine or exfiltrate API keys—before the user even approves access.

The issue centers around how these tools trust local project files and configurations by default. In the observed case, attackers could embed malicious instructions into configuration files (like hooks or model context settings), tricking the AI tool into executing commands or redirecting API traffic to attacker-controlled endpoints.

What This Looks Like in the Real World

This isn’t theoretical—this is how it plays out:

  • A developer clones a GitHub repo that appears legitimate
  • The repo contains a malicious config file (hidden in project settings)
  • The AI coding tool auto-loads the project → executes embedded commands
  • Result: API keys exposed, local system access, or downstream supply chain compromise

In another scenario:

  • A config file silently redirects API calls → attacker intercepts tokens
  • Stolen keys are then used to access cloud environments, models, or internal services

Why This Matters

This is a new flavor of supply chain attack—not through software packages, but through AI-assisted development workflows.

Developers are increasingly trusting AI tools to execute code, interpret environments, and automate tasks. That trust is now being targeted.

Patches & Defensive Moves

Vendors have started addressing these risks by:

  • Requiring explicit user consent before executing any commands or network calls
  • Blocking automatic execution from untrusted directories
  • Adding stronger warnings and visibility into configuration-driven actions

But organizations shouldn’t rely on vendor fixes alone. Immediate actions include:

  • Treat AI tool configurations like code → review, version control, and restrict changes
  • Scan repositories for malicious config files before use
  • Limit API key exposure (short-lived tokens, scoped permissions)
  • Run AI tools in sandboxed or restricted environments
  • Educate developers on risks of cloning and running unknown projects

The Bottom Line

AI is accelerating development—but it’s also expanding the software supply chain in ways most security programs aren’t tracking yet.

If your developers are using AI tools, you don’t just have a code risk—you now have a configuration-driven execution risk sitting on every laptop.

3.  Silent Strikes on iPhones: Advanced Exploit Campaign Targets Ukrainian Users

A newly uncovered cyber campaign is shedding light on how modern espionage operations are quietly evolving—this time targeting iPhones with a level of sophistication once reserved for nation-state toolkits. Security researchers have identified a likely Russia-linked group deploying a malware platform known as “DarkSword,” capable of infiltrating Apple devices with little to no user interaction. The operation has primarily focused on Ukrainian targets, leveraging compromised local websites to silently trigger infections the moment a visitor lands on the page.

Rather than relying on phishing or user error, the attackers are using so-called “watering hole” techniques—infecting trusted websites that their intended victims are likely to visit. In this case, those included regional news outlets and even a court system website. Once triggered, the exploit chain gives attackers rapid, deep access to the device, allowing them to pull emails, messages, photos, credentials, and even cryptocurrency wallet data. What makes this campaign particularly notable is its speed: data is collected and exfiltrated within minutes, and the malware then removes itself, leaving little forensic evidence behind.

This “smash-and-grab” approach marks a departure from traditional spyware campaigns that aim to persist on a device for long-term surveillance. Instead, DarkSword appears optimized for efficiency and stealth—get in, take what’s valuable, and disappear. Researchers believe the tool is modular and professionally engineered, suggesting access to high-end exploit frameworks typically associated with government-backed actors or commercial surveillance vendors. At the same time, some operational sloppiness hints that the operators themselves may be leveraging purchased capabilities rather than building them from scratch.

Perhaps most concerning is what this signals about the broader threat landscape. The same campaign infrastructure has been linked to activity beyond Ukraine, with targets reported in regions like the Middle East and Southeast Asia. This points to a growing secondary market for advanced mobile exploits—one where powerful, previously exclusive capabilities are becoming more accessible to a wider range of actors. While Apple has since patched the vulnerabilities used in these attacks, the incident underscores a hard truth: even the most secure mobile ecosystems are no longer out of reach, especially when attackers combine zero-click exploits with strategic targeting.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?