Cyber Intelligence Weekly (March 8, 2026): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we turn to this week’s edition of Cyber Intelligence Weekly, I want to introduce a new CISO Spotlight Series: The Human Side of Cybersecurity.
This series is grounded in conversation rather than commentary. It centers on CISOs who are in the seat—navigating real leadership pressure, complex risk decisions, and the human realities of building and sustaining security programs. Some are earlier in their journey, others further along paths many of you may recognize or aspire toward. What they share isn’t theory. It’s experience—earned through moments of progress, frustration, growth, and reflection. These conversations are for the professionals who show up every day to quietly carry the weight of this industry.
Paul Guerra (Rackspace) — “You don’t get credit for being right. You get credit for outcomes.”
In this episode, I sat down with Paul Guerra, CISO at Rackspace and a two-time CISO who has led multiple security transformations across industries including media, insurance, banking, and digital marketplaces. Paul’s career did not start in security—it started in engineering, mathematics, and operational problem-solving. Early on, he became the person leaders called when something critical needed fixing: data center migrations, customer issues, high-stakes business programs, and eventually security incidents. What began as being pulled into breach response turned into something much bigger: building security programs from the ground up and creating a repeatable playbook for what strong, scalable security leadership actually looks like.
What stood out most in our conversation was Paul’s honesty about how reluctant he initially was to move into cybersecurity. Even when others around him—including his wife and senior leaders—encouraged him to lean in, he resisted. The turning point came when he realized the role played directly to his strengths: translating risk for non-technical leaders, building executable plans, securing support and funding, and aligning people at every level around what matters most. In other words, he found that his real value wasn’t just in solving technical problems—it was in connecting technical work to business outcomes.
One of Paul’s biggest leadership lessons came from learning that security is not just about controls, tooling, and dashboards. Early in his journey, he focused heavily on execution and on making the plan go green. Over time, he learned that relationships matter more than any single status update. He shared a memorable example: a painful, combative weekly vulnerability meeting where security and stakeholders were talking past each other. The breakthrough came when the team shifted from enforcement to partnership—working together on tradeoffs, jointly escalating where needed, and accepting that not every vulnerability can be treated like the only priority. That shift changed the outcome because it changed the relationship.
Additional takeaways from the conversation:
- Security is a team sport. If you do not bring people with you, you will not win—no matter how right your architecture or analysis may be.
- Stop chasing shiny tools before fixing the fundamentals. New startups and trendy categories will not save a weak foundation.
- AI, zero trust, and buzzwords have their place—but they are often overused. What is less glamorous, but more important, is asset clarity, ownership, accountability, and execution.
- Decision latency is an underrated risk. Many teams know what they should do, but they wait too long to make the call. Faster decisions often matter more than new technology.
- Bias for action requires structure. Clear risk articulation, the right telemetry, and executive support are what allow security teams to move from months to weeks to days.
- Burnout often starts when leaders pretend everything is urgent. Strong CISOs protect weekends, PTO, and focus time by prioritizing ruthlessly.
- The first three investments in a new program should be people, asset/data ownership, and executive alignment on risk tolerance. Those three create the foundation everything else depends on.
- Being a CISO is not primarily a technical job—it is a leadership job. Influence, negotiation, coaching, and communication consume far more time than tooling or configuration.
- Talent alone is not enough. Work ethic, grit, and ownership matter when the stakes are high and nobody is watching.
His billboard message for every new CISO was one of the best I have heard in this series: You don’t get credit for being right. You get credit for outcomes. That idea captures so much of modern security leadership. The role is not about winning arguments or proving technical superiority. It is about earning trust, influencing decisions, building strong teams, and driving results the business can feel.
Watch the Full Video Here: https://youtu.be/KWgs9XH7Yts?si=PVqidHPcTPn64j8h

____________________________________
RSA 2026, Come Meet With Us!
Also, to highlight upcoming events, we hope to meet you at RSAC 2026! If you are heading out to RSA and want to meet up with the Echelon team, come see us at our exclusive happy hour at the prestigious Olympic Club, a quiet oasis from the busy hustle and bustle of RSA.
Join Echelon Risk + Cyber for our annual RSA Happy Hour at The Olympic Club on Monday, March 23, from 3:00–5:00 PM PT, just before the official RSA Welcome Reception, with our sponsors Drata and Schellman!
Good people, great conversations, easy networking, no pressure.
📍 The Olympic Club, San Francisco
👉 Reserve your spot here: https://lnkd.in/enj3Q9D3

Away we go!
1. The Surprising Silence of Iran’s Cyber Forces
As the United States and Israel carry out military strikes against Iran, one expected battlefield has been surprisingly quiet: cyberspace. For years, Iran’s state-aligned hacking groups have been portrayed as a persistent cyber threat capable of launching disruptive operations across critical infrastructure and government networks. Yet during the opening phase of the current conflict, cybersecurity analysts say those groups have played little visible role, marking a stark contrast to expectations of widespread digital retaliation.
Instead, the most notable cyber activity so far appears to have come from Western and pro-Israeli operations. Reports indicate that cyber capabilities were used early in the campaign to disrupt Iranian communications and conduct psychological operations aimed at influencing public perception inside the country. In one instance, a widely used Iranian prayer application was reportedly hijacked to deliver messages encouraging military surrender, while state media channels and television broadcasts were temporarily compromised to push messaging from Western leaders. U.S. officials have also confirmed that Cyber Command participated in the early phases of the campaign.
Iranian cyber groups, by comparison, have been largely silent. Threat intelligence analysts note that the number of active pro-Iranian hacking groups has sharply declined in recent years, and many of the claims made by affiliated actors during the current conflict remain unverified. Some researchers also point to Iran’s domestic internet disruptions and infrastructure pressure as factors limiting the country’s ability to coordinate cyber operations during active military strikes.
Despite the current lull, security experts caution that the cyber dimension of the conflict is far from over. Historically, Iranian operators have relied on disruptive tactics such as distributed denial-of-service attacks, hack-and-leak campaigns, and proxy cybercrime groups to project influence abroad. The broader lesson for defenders is that modern conflict increasingly blends traditional military operations with cyber disruption and information warfare. Even when the digital battlefield appears quiet, it may simply be a matter of timing.

Blockchain Smart Contracts Weaponized — Malware Distribution via WordPress Sites
A financially motivated threat group known as UNC5142 is now weaponizing blockchain technology to distribute malware via compromised WordPress sites. The campaign, dubbed “EtherHiding,” hides malicious JavaScript code in smart contracts stored on public blockchains such as Binance Smart Chain.
Here’s the chain of attack: WordPress sites are breached, malicious JavaScript is injected, and that code communicates with a smart contract to retrieve payload details. The contract returns an encrypted URL, which directs users to fake update prompts. Those prompts then trick victims into running PowerShell or shell commands that install stealers such as Lumma, AMOS, and Vidar.
This approach is powerful because blockchain data is immutable and decentralized—making takedown nearly impossible. Over 14,000 compromised pages have been observed, suggesting large-scale weaponization.
Defender guidance:
- Enforce WordPress integrity monitoring and strong plugin hygiene.
- Use strict Content Security Policies to block rogue script execution.
- Watch for unexpected blockchain or cryptocurrency network requests from web servers.
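The third item in the guidance above is the one most teams have no detection for yet. The following script is an added example (not from the newsletter or from the researchers who reported the campaign) of how to spot it: a loader that reads payload details from a smart contract has to issue a JSON-RPC call such as eth_call to a chain RPC endpoint, so an egress proxy in front of the web tier can flag any web server doing that. It assumes a proxy that writes one JSON record per request with src, dst, and a truncated body; the host names, allowlist, and every log line below are constructed for illustration.

```python
"""Flag web servers that issue blockchain JSON-RPC calls.

Added example, not part of the newsletter or any vendor report.
Assumes an egress proxy that logs one JSON object per line with the
fields ts, src, dst, method and body (request body, possibly truncated).
Hosts, destinations and log lines below are constructed samples.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# JSON-RPC methods used to read smart-contract state from a chain node.
# eth_call is the primitive a loader needs to fetch a value stored in a
# contract; a WordPress front end has no reason to call any of these.
CHAIN_RPC_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode", "eth_blockNumber"}

# Hosts that serve WordPress (assumption: replace with your inventory).
WEB_SERVERS = {"web-01", "web-02"}

# Destinations the web tier is expected to reach (assumption).
EGRESS_ALLOWLIST = {"api.wordpress.org", "downloads.wordpress.org"}


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    rpc_method: str


def rpc_method(body: str) -> Optional[str]:
    """Return the JSON-RPC method named in a request body, or None.

    Handles both a single call and a JSON-RPC batch (a list of calls).
    """
    try:
        payload = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    calls = payload if isinstance(payload, list) else [payload]
    for call in calls:
        if isinstance(call, dict) and call.get("jsonrpc") == "2.0":
            method = call.get("method")
            if isinstance(method, str):
                return method
    return None


def analyze(lines: List[str]) -> List[Finding]:
    """Return one Finding per chain RPC call made by a web server."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed log line; skip rather than crash the job
        if rec.get("src") not in WEB_SERVERS:
            continue  # only the web tier is in scope for this rule
        if rec.get("dst") in EGRESS_ALLOWLIST:
            continue  # expected destination
        method = rpc_method(rec.get("body", ""))
        if method in CHAIN_RPC_METHODS:
            findings.append(Finding(rec.get("ts", ""), rec["src"], rec["dst"], method))
    return findings


# Constructed proxy log: one normal update check, one eth_call from a web
# server, one eth_call from a workstation (out of scope), one batched call.
ZERO_ADDR = "0x" + "0" * 40  # placeholder contract address, not a real one
SAMPLE_LOG = [json.dumps(r) for r in [
    {"ts": "2026-03-01T10:00:00Z", "src": "web-01", "dst": "api.wordpress.org",
     "method": "GET", "body": ""},
    {"ts": "2026-03-01T10:00:05Z", "src": "web-01", "dst": "rpc.example-chain.invalid",
     "method": "POST", "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                                          "params": [{"to": ZERO_ADDR, "data": "0x"}, "latest"]})},
    {"ts": "2026-03-01T10:01:00Z", "src": "laptop-17", "dst": "rpc.example-chain.invalid",
     "method": "POST", "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_call",
                                          "params": []})},
    {"ts": "2026-03-01T10:02:00Z", "src": "web-02", "dst": "rpc.example-chain.invalid",
     "method": "POST", "body": json.dumps([{"jsonrpc": "2.0", "id": 3,
                                           "method": "eth_blockNumber", "params": []}])},
]]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}: {f.rpc_method}")
```

The rule keys on the JSON-RPC method rather than on destination names because the contract can be read through any public or self-hosted node; pairing it with the web-server scope keeps developer workstations that legitimately use chain tooling out of the alert stream.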
The attack blends Web2 and Web3 technologies, showing how threat actors are evolving beyond traditional infrastructure. As blockchain becomes a standard component of web systems, defenders must treat it not as a novelty, but as an active part of the attack surface.

2. Suspicious Activity Inside FBI Surveillance Systems Triggers Investigation
U.S. officials are investigating a suspected cyber intrusion involving a sensitive FBI platform used to support surveillance operations and investigative data collection. The activity was first detected in mid-February after analysts observed unusual behavior on the bureau’s network, prompting an internal investigation and notifications to Congress. While the affected system is considered unclassified, it contains law-enforcement sensitive information related to investigative tools such as pen registers, trap-and-trace monitoring, and other data tied to ongoing criminal and national security cases.
According to officials familiar with the probe, the suspicious activity appears to involve sophisticated techniques that allowed attackers to bypass normal security controls. Early reporting suggests the intrusion may have leveraged infrastructure connected to a commercial internet service provider used by the agency — a tactic increasingly seen in advanced cyber operations where attackers compromise vendors or technology providers to gain indirect access to well-defended targets.
The potential exposure of investigative metadata — including phone number relationships and monitoring records — raises significant counterintelligence concerns. Even without access to the content of communications, this type of information could reveal who federal investigators are tracking, what networks they are examining, and how certain operations are structured. For foreign intelligence services or organized criminal groups, that visibility could provide valuable insights into active law enforcement efforts.
Multiple federal agencies, including the National Security Agency and the Cybersecurity and Infrastructure Security Agency, are now assisting in the response. Investigators are still determining the scope and origin of the activity, and officials have not publicly attributed the incident. However, the breach highlights a recurring pattern in modern cyber operations: attackers targeting not just government agencies themselves, but the broader ecosystem of vendors, service providers, and infrastructure that support them.

Malicious Chrome Extensions Steal ChatGPT and DeepSeek Sessions from 900,000 Users
Cybersecurity researchers at OX Security uncovered two malicious Chrome extensions (collectively installed by over 900,000 users) that systematically exfiltrate ChatGPT and DeepSeek conversations along with full browser tab data to attacker-controlled servers.
The two extensions are “Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI” and “AI Sidebar with Deepseek, ChatGPT, Claude, and more.” The malicious browser extensions (add-ons) masquerade as legitimate AI assistants while requesting broad permissions under the guise of "anonymous analytics." Once granted, they scrape chat messages via DOM element extraction, encode the data, and transmit it every 30 minutes to domains like chatsaigpt[.]com and deepaichats[.]com.
At the core lies a deceptive technique dubbed "Prompt Poaching" by Secure Annex: the malware impersonates the popular AITOPIA extension, uses AI platforms like Lovable for legitimate-looking privacy policies, and even earned a "Featured" badge from Google despite its data theft. The harvested conversations—potentially containing intellectual property, customer details, or strategic queries—enable corporate espionage, identity theft, or targeted phishing, with organizations facing unknown exposure from employee installations.
Even legitimate extensions like Similarweb (1 million users) now engage in similar DOM scraping and API hijacking to collect AI inputs and outputs, updating policies in late 2025 to disclose the practice but raising questions about Chrome Web Store enforcement of single-purpose rules.
This incident underscores a new vector in AI security: browser extensions as persistent surveillance tools that turn trusted productivity aids into data pipelines for attackers. Organizations should immediately audit extensions, enforce allowlisting, and train employees to scrutinize permissions—especially as "prompt poaching" scales to capture conversations across ChatGPT, Claude, Gemini, and beyond.
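The audit and allowlisting advice above is easier to act on with a concrete check. Below is an added example (not from the newsletter, OX Security, or Secure Annex) that scores a Chrome extension manifest for the permission combination the story describes: host access to every site or to AI chat sites, plus APIs that let a background script read tabs and run on a schedule. It also emits the enterprise policy shape that blocks everything except an approved list. The two manifests and the extension ID are constructed samples; the list of AI chat hosts is an assumption you should tailor.

```python
"""Audit Chrome extension manifests for DOM-harvesting capability.

Added example, not code from the newsletter or from any vendor.
Works on manifest.json content for Manifest V2 or V3. The manifests
at the bottom are constructed samples, not the real extensions' files.
"""
import json
from typing import Dict, List, Tuple

# Chrome match patterns that grant access to every site.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# APIs that, combined with broad host access, make read-and-exfiltrate trivial.
SENSITIVE_APIS = {
    "tabs": "enumerate and read every open tab",
    "scripting": "inject scripts into pages at runtime",
    "webRequest": "observe or alter network traffic",
    "cookies": "read session cookies",
    "alarms": "schedule recurring background work (e.g. a periodic upload)",
}

# Sites whose conversations you care about (assumption: adjust to your list).
AI_CHAT_HOSTS = ("chatgpt.com", "chat.openai.com", "chat.deepseek.com",
                 "claude.ai", "gemini.google.com")


def host_patterns(manifest: dict) -> List[str]:
    """Collect host access from MV3 host_permissions, MV2 permissions and content_scripts."""
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])
    return hosts


def audit(manifest: dict) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings; an empty list means nothing notable."""
    findings = []
    hosts = host_patterns(manifest)
    broad = sorted({h for h in hosts if h in ALL_SITES})
    if broad:
        findings.append(("high", f"access to all sites via {broad}"))
    chat = sorted({h for h in hosts if any(d in h for d in AI_CHAT_HOSTS)})
    if chat:
        findings.append(("high", f"runs on AI chat sites: {chat}"))
    # An API permission is only high severity when paired with page access.
    severity = "high" if (broad or chat) else "medium"
    for p in manifest.get("permissions", []):
        if p in SENSITIVE_APIS:
            findings.append((severity, f"'{p}' permission: {SENSITIVE_APIS[p]}"))
    return findings


def install_policy(approved_ids: List[str]) -> Dict[str, List[str]]:
    """Chrome enterprise policy: block every extension except the approved IDs.

    ExtensionInstallBlocklist accepts "*" to mean all extensions; entries in
    ExtensionInstallAllowlist override it.
    """
    return {"ExtensionInstallBlocklist": ["*"],
            "ExtensionInstallAllowlist": sorted(set(approved_ids))}


# Constructed sample resembling the pattern described in the story.
SUSPECT_MANIFEST = {
    "manifest_version": 3,
    "name": "AI Sidebar (constructed sample)",
    "permissions": ["storage", "tabs", "scripting", "alarms"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://chatgpt.com/*", "https://chat.deepseek.com/*"],
                         "js": ["content.js"]}],
}

# Constructed benign sample: one site, storage only.
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Word counter (constructed sample)",
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://docs.example.com/*"], "js": ["count.js"]}],
}

PLACEHOLDER_ID = "a" * 32  # placeholder extension ID, not a real one


if __name__ == "__main__":
    for name, m in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, audit(m) or "no findings")
    print(json.dumps(install_policy([PLACEHOLDER_ID]), indent=2))
```

Run this over the manifest.json of each extension collected from managed endpoints and review anything scoring high; the policy output is the shape you push through your Chrome management channel once the approved list is settled.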

3. FBI-Led Operation Shuts Down Global Cybercrime Marketplace Leakbase
An international law enforcement effort led by the FBI has dismantled Leakbase, a long-running cybercriminal marketplace that served as a hub for trading stolen credentials, personal data, and software exploits. The coordinated crackdown, known as Operation Leak, involved authorities across more than a dozen countries and resulted in arrests, infrastructure seizures, and the takedown of the forum’s online presence.
Leakbase had operated since 2021 as a subscription-based cybercrime platform where users paid for access to a marketplace of compromised data and hacking tools. At its peak, the forum attracted more than 140,000 members and hosted tens of thousands of discussions centered around breached databases, stolen login credentials, and vulnerabilities that could be exploited against businesses and government systems. Much of the data circulating on the platform was reportedly obtained through attacks such as SQL injection against poorly secured web applications.
The international operation targeted the infrastructure supporting the marketplace and the individuals running or actively participating in it. Investigators executed more than 100 coordinated actions, including arrests, search warrants, and the seizure of servers located across multiple countries. Authorities also captured the forum’s internal database, which could help investigators identify additional threat actors and victims connected to the platform’s activities.
For cybersecurity defenders, the takedown highlights the increasingly collaborative approach law enforcement is taking against cybercrime ecosystems. Rather than focusing on individual hackers alone, operations are now targeting the entire underground economy — including the forums, marketplaces, and infrastructure that enable criminals to monetize stolen data and vulnerabilities. While new platforms inevitably emerge to replace those taken down, each disruption forces threat actors to rebuild trust networks, infrastructure, and supply chains — slowing their operations and increasing the risk of exposure.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about