TTPwire Vol. 1 · MITRE ATT&CK·Tagged


F5 Labs

Weekly Threat Bulletin – March 18th, 2026

2026-03-18

ATT&CK techniques detected

17 predictions
T1195.001 Compromise Software Dependencies and Development Tools
99%
"2026 - 21671 / https : / / www. thehackerwire. com / veeam - backup - replication - local - privilege - escalation / unc6426 exploits nx npm supply - chain attack to gain aws admin access in 72 hours a threat actor, unc6426, executed a supply - chain attack, gaining full aws admi…"
T1486 Data Encrypted for Impact
97%
"mar - 2026 / https : / / www. hendryadrian. com / ransom - israeli - weather - stations - crippled - mar - 2026 / https : / / www. hendryadrian. com / ransom - jerusalem - water - supply - facilities - mar - 2026 / https : / / www. hendryadrian. com / ransom - the - general - in …"
T1190 Exploit Public-Facing Application
95%
"##h lockout on ` x86 _ 64 ` systems. an attacker can trigger this bug with a single crafted 300 - byte ssh packet without authentication. immediate openssh package updates are required, specifically replacing ` sshpkt _ disconnect ( ) ` with ` ssh _ packet _ disconnect ( ) ` in `…"
T1588.002 Tool
93%
"like handala and their tactics, techniques, and procedures ( ttps ), particularly those targeting your industry or supply chain. https : / / buaq. net / go - 398863. html https : / / cyberpress. org / hacktivists - escalate - cyber - warfare / https : / / gbhackers. com / epic - …"
T1525 Implant Internal Image
91%
"##thub reconnaissance, employing nord stream to acquire github service account credentials. these credentials facilitated the abuse of github - to - aws openid connect ( oidc ) trust, generating temporary aws security token service ( sts ) tokens for an overly permissive ` github…"
T1190 Exploit Public-Facing Application
76%
". com / chrome - 146 - update - patches - two - exploited - zero - days / https : / / www. theregister. com / 2026 / 03 / 13 / google _ zeroday _ chrome _ update / a single line of code : pre - auth openssh flaw exposes ubuntu and debian servers a critical pre - authentication vu…"
T1486 Data Encrypted for Impact
75%
"1 ) permits rce for authenticated backup administrators in high availability deployments, while cve - 2026 - 21668 ( cvss 8. 8 ) allows authenticated domain users to manipulate arbitrary files on a backup repository, and cve - 2026 - 21672 ( cvss 8. 8 ) facilitates local privileg…"
T1485 Data Destruction
72%
"' remote wipe '. - enable a multi - administrator approval ( maa ) feature within your mobile device management ( mdm ) platform for high - impact actions such as remote device wipes and global policy changes. - conduct an immediate audit of all third - party and service provider…"
T1525 Implant Internal Image
68%
"least privilege. - develop and deploy automated alerting within your siem to detect high - risk aws iam activity, such as the creation of a new role with administrator privileges or the attachment of an ' administratoraccess ' policy by an automated process. - implement aws servi…"
T1588.006 Vulnerabilities
60%
"company - managed web browsers, such as disabling jit compilation or restricting unneeded plugins and extensions. - plan and implement network segmentation to isolate user workstations into a separate network zone from critical infrastructure like application servers and database…"
T1190 Exploit Public-Facing Application
59%
"company - managed web browsers, such as disabling jit compilation or restricting unneeded plugins and extensions. - plan and implement network segmentation to isolate user workstations into a separate network zone from critical infrastructure like application servers and database…"
T1190 Exploit Public-Facing Application
58%
", a use - after - free vulnerability in css handling. users are advised to update their browsers promptly. severity : critical threat details and iocs mitigation advice - force an immediate update of google chrome on all company workstations and servers to the latest stable versi…"
T1195.001 Compromise Software Dependencies and Development Tools
49%
"- risk actions, monitoring for anomalous iam activity, and implementing controls against shadow ai risks, as this incident exemplifies ai - assisted supply chain abuse where malicious intent is conveyed through natural - language prompts to ai agents. severity : critical threat d…"
T1490 Inhibit System Recovery
37%
"' remote wipe '. - enable a multi - administrator approval ( maa ) feature within your mobile device management ( mdm ) platform for high - impact actions such as remote device wipes and global policy changes. - conduct an immediate audit of all third - party and service provider…"
T1490 Inhibit System Recovery
37%
"1 ) permits rce for authenticated backup administrators in high availability deployments, while cve - 2026 - 21668 ( cvss 8. 8 ) allows authenticated domain users to manipulate arbitrary files on a backup repository, and cve - 2026 - 21672 ( cvss 8. 8 ) facilitates local privileg…"
T1588.006 Vulnerabilities
35%
"weekly threat bulletin – march 18th, 2026 google rushes chrome update fixing two zero - days already under attack google has issued an emergency chrome update to address two zero - day vulnerabilities, cve - 2026 - 3909 and cve - 2026 - 3910, which are actively being exploited. c…"
T1587 Develop Capabilities
31%
"2026 - 21671 / https : / / www. thehackerwire. com / veeam - backup - replication - local - privilege - escalation / unc6426 exploits nx npm supply - chain attack to gain aws admin access in 72 hours a threat actor, unc6426, executed a supply - chain attack, gaining full aws admi…"

Summary

These are the top threats you should know about this week.