March 26 / 2026 / Reading Time: 9 minutes

Weekly Situation Report : 3/23/26

EXECUTIVE SUMMARY

This article informs our partners and clients of notable developments in the cybersecurity space, including relevant breaches, emerging vulnerabilities, research, threat actor movement, and what your organization needs to do to mitigate future threats.

KEY TAKEAWAYS

  • A critical vulnerability affecting all released versions of GNU InetUtils telnetd has been disclosed, with no patch expected until April 1st.
  • The LeakNet ransomware group is using ClickFix social engineering and the Deno runtime to conduct stealthy, in-memory intrusions.
  • The “ForceMemo” campaign has compromised Python repositories using credentials stolen in the GlassWorm supply-chain attack.
  • Newly discovered “CrackArmor” AppArmor vulnerabilities create pathways to local privilege escalation on Linux systems.
  • The Interlock ransomware gang exploited a Cisco firewall zero-day weeks before it was publicly disclosed.
  • A critical vulnerability in ScreenConnect exposes machine keys, allowing attackers to forge their own sessions.


1. Critical GNU InetUtils telnetd flaw affecting all versions, no patch until April 1st

SUMMARY

A critical buffer overflow vulnerability (CVE-2026-32746) in GNU InetUtils Telnetd allows unauthenticated remote attackers to execute code with elevated privileges.

Category

Critical Vulnerabilities

Industry

Multiple

Sources

https://www.openwall.com/lists/oss-security/2026/02/24/2

https://www.openwall.com/lists/oss-security/2026/03/12/5

https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html

https://thehackernews.com/2026/03/critical-telnetd-flaw-cve-2026-32746.html

https://github.com/jeffaf/cve-2026-32746/blob/main/exploit.py

ANALYST COMMENTS

A critical vulnerability (CVE-2026-32746) in GNU InetUtils telnetd allows unauthenticated remote attackers to execute code with elevated privileges via an out-of-bounds write in the LINEMODE handler. It affects all released versions (up to 2.7), and a fix is expected by April 1, 2026. Successful exploitation can lead to complete system compromise, including root-level code execution, backdoor installation, data exfiltration, and use of the host as a pivot for further network intrusion. The flaw affects Linux distributions, IoT devices, and legacy OT/ICS environments that still run telnetd. There is currently no evidence of active exploitation.

This is the second major telnetd flaw disclosed this year, following CVE-2026-24061, which was disclosed in late January and exploited in the wild soon afterward. This may indicate renewed research focus on the protocol, which is especially concerning for sectors such as manufacturing that rely heavily on OT and IoT devices where Telnet services may still be exposed.

ACTIONABLE GUIDANCE

Telnetd services should be disabled and their ports (typically TCP 23) closed at the perimeter and on the host. If the service cannot be disabled, isolate the affected host and keep it off the public internet until a fixed release is available. If compromise is suspected, look for anomalous LINEMODE SLC (Set Local Characters, RFC 1184) suboption sequences in captured Telnet traffic to the host; an oversized or malformed SLC negotiation is a strong indicator that exploitation was attempted or has occurred.
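As an added illustration of the hunting step above (this is not code from the advisories or the public PoC linked in Sources), the following parser walks a captured Telnet byte stream, extracts every IAC SB LINEMODE SLC ... IAC SE suboption, and flags ones that are unterminated, not made of whole (function, modifier, char) triplets, or carry far more triplets than a real client would send. The triplet ceiling and the three sample captures are assumptions, not values taken from the vulnerability details.

```python
"""Flag anomalous Telnet LINEMODE SLC suboptions in a captured byte stream.

Added illustration for hunting CVE-2026-32746 exploitation attempts; the
triplet ceiling and the sample captures below are assumptions, not values
taken from the advisory or the public PoC.
"""
IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254
LINEMODE = 34          # Telnet option code, RFC 1184
SLC = 3                # LINEMODE suboption: Set Local Characters
# RFC 1184 defines 18 SLC functions (later implementations add a few more);
# a client sends at most one (function, modifier, char) triplet per function.
MAX_TRIPLETS = 30      # assumed ceiling


def _read_suboption(stream: bytes, i: int):
    """stream[i:i+2] is IAC SB. Return (option, payload, terminated, next_index).

    Data bytes equal to 0xFF are escaped as IAC IAC inside a suboption and are
    unescaped here; IAC SE terminates the suboption.
    """
    n = len(stream)
    option = stream[i + 2] if i + 2 < n else None
    j = i + 3
    payload = bytearray()
    terminated = False
    while j < n:
        b = stream[j]
        if b == IAC:
            nxt = stream[j + 1] if j + 1 < n else None
            if nxt == IAC:
                payload.append(IAC)
                j += 2
                continue
            if nxt == SE:
                terminated = True
                j += 2
            break              # IAC + anything else: the suboption is malformed
        payload.append(b)
        j += 1
    return option, bytes(payload), terminated, j


def _classify(slc_payload: bytes, terminated: bool):
    findings = []
    if not terminated:
        findings.append("SLC suboption not terminated by IAC SE")
    if len(slc_payload) % 3:
        findings.append(f"SLC payload length {len(slc_payload)} is not a multiple of 3")
    triplets = len(slc_payload) // 3
    if triplets > MAX_TRIPLETS:
        findings.append(f"{triplets} SLC triplets exceeds ceiling of {MAX_TRIPLETS}")
    return findings


def find_slc_anomalies(stream: bytes):
    """Return [(offset, [finding, ...]), ...] for suspicious LINEMODE SLC suboptions."""
    results = []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            i += 1
            continue
        cmd = stream[i + 1] if i + 1 < n else None
        if cmd == SB:
            option, payload, terminated, nxt = _read_suboption(stream, i)
            if option == LINEMODE and payload[:1] == bytes([SLC]):
                findings = _classify(payload[1:], terminated)
                if findings:
                    results.append((i, findings))
            i = max(nxt, i + 2)
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3             # three-byte option negotiation
        else:
            i += 2             # two-byte command (NOP, AYT, escaped IAC, ...)
    return results


# Constructed samples (not real captures).
BENIGN = bytes([IAC, DO, LINEMODE,
                IAC, SB, LINEMODE, SLC,
                1, 0x02, IAC, IAC,       # triplet whose char byte is 0xFF, escaped
                2, 0x02, 0x04,
                IAC, SE])
OVERSIZED = bytes([IAC, SB, LINEMODE, SLC]) + bytes([1, 0x00, 0x41]) * 200 + bytes([IAC, SE])
MALFORMED = bytes([IAC, SB, LINEMODE, SLC, 1, 0x00, IAC, SE])

if __name__ == "__main__":
    for name, capture in (("benign", BENIGN), ("oversized", OVERSIZED), ("malformed", MALFORMED)):
        print(name, find_slc_anomalies(capture))
```

Feed it the server-bound TCP payload of port 23 sessions reassembled from a packet capture; the offsets it reports point at the suboption to examine by hand. Tune the ceiling to what your own clients actually negotiate before treating a hit as confirmed exploitation.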

2. LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks

SUMMARY

The LeakNet ransomware gang leverages the ClickFix social engineering technique to gain access to corporate networks. It then uses the Deno runtime for JavaScript/TypeScript to execute malicious payloads directly in memory, which reduces detection and forensic evidence while enabling post-exploitation activities such as lateral movement and data exfiltration.

Category

Ransomware

Industry

Technology, Telecommunications, Manufacturing, Education, Public Sector and Government Administration, Energy, Logistics and Shipping, Legal and Law

Sources

https://www.bleepingcomputer.com/news/security/leaknet-ransomware-uses-clickfix-and-deno-runtime-for-stealthy-attacks/

https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat

https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us

Internal OSec Collection

ANALYST COMMENTS

The LeakNet ransomware gang has started using the ClickFix technique to gain initial access to corporate networks and then deploys a malware loader built on Deno, an open-source runtime for JavaScript and TypeScript, which executes malicious payloads directly in system memory. The method minimizes forensic evidence and detection because Deno is legitimately signed software, which bypasses controls designed to block unknown binaries. The actor has been active since late 2024 and uses post-exploitation techniques such as DLL sideloading, Kerberos ticket discovery with 'klist', lateral movement through PsExec, and data exfiltration to Amazon S3 buckets.

The use of deno.exe in this way was first reported by analysts in January and was mentioned in a vendor report on CastleRat infections. There are also reports that the Iranian APT MuddyWater has used the technique in Dindoor infections. The technique uses commands carrying base64-encoded payloads to load .js or .vbs files for later stages of the infection, as observed in this LeakNet activity.

Additionally, each campaign analyzed used the domain serialmenot[.]com in its infection chain. The spread of the technique and the shared domain overlap indicate that the technique and some of its infrastructure are shared among threat actors. This may also point to a service offering being bought and shared among threat actors, although further verification is required.

ACTIONABLE GUIDANCE

The threat actor varies its initial access method by target, using initial access brokers against external services such as VPNs as well as ClickFix lures; its post-exploitation playbook, however, remains consistent. For ClickFix-based delivery, defenders should restrict the Windows Run dialog (Win + R), for example through Group Policy, so users cannot paste and execute attacker-supplied commands. Use of Deno or similar runtimes should be restricted and monitored, and treated as suspicious on non-developer systems. The actor brings PsExec into the environment, so blocking downloads of Windows Sysinternals tools can help reduce impact. Finally, blocking serialmenot[.]com supports detection and mitigation, as it is a high-confidence indicator associated with this activity.
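To make the monitoring points above concrete, here is an added example (not vendor detection content) that scores endpoint telemetry for the chain described in this section: an interpreter spawned from the Run dialog with an encoded command line, deno.exe on a host where it is not expected or with an inline payload, PsExec activity, klist execution, and DNS lookups of serialmenot.com. The events are constructed in a Sysmon-like shape; DEV_HOSTS is an assumed allowlist of sanctioned Deno hosts that you would replace with your own inventory.

```python
"""Score endpoint telemetry for the LeakNet ClickFix-to-Deno pattern.

Added example, not vendor detection content. The events below are constructed;
DEV_HOSTS (where Deno is expected) is an assumption to be replaced with your own
inventory, and serialmenot.com is the indicator named in the reporting above.
"""
import re

DEV_HOSTS = {"DEV-BUILD-02"}                       # assumption: sanctioned Deno hosts
IOC_DOMAINS = {"serialmenot.com"}
RUN_DIALOG_PARENTS = {"explorer.exe"}              # Win+R launches children of explorer
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64 run; tune against your paths


def evaluate_event(ev: dict) -> list:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    if ev["type"] == "dns":
        q = ev["query"].lower().rstrip(".")
        if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
            hits.append("ioc_domain")
        return hits
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    # ClickFix: the user pastes an attacker string into Run, so explorer spawns an
    # interpreter whose command line carries an encoded payload.
    if parent in RUN_DIALOG_PARENTS and image in INTERPRETERS and B64_BLOB.search(cmd):
        hits.append("clickfix_run_dialog")
    if image == "deno.exe":
        if ev["host"].upper() not in DEV_HOSTS:
            hits.append("deno_on_non_dev_host")
        if " eval " in f" {cmd} " or B64_BLOB.search(cmd):
            hits.append("deno_inline_payload")
    if image in PSEXEC_IMAGES:
        hits.append("psexec_lateral_movement")
    if image == "klist.exe":
        hits.append("klist_ticket_enum")
    return hits


def evaluate(events):
    """[(event_id, [rules...]), ...] for events that matched at least one rule."""
    return [(ev["id"], hits) for ev in events if (hits := evaluate_event(ev))]


# Constructed events (not real telemetry); the base64 strings are placeholders.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "host": "WS-FIN-07", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": "powershell -w hidden -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"id": "e2", "type": "process", "host": "WS-FIN-07", "parent": "powershell.exe",
     "image": "deno.exe",
     "cmdline": "deno.exe eval ZnVuY3Rpb24gbG9hZCgpIHsgcmV0dXJuIGZldGNoKCJodHRwczovL2V4YW1wbGUiKSB9"},
    {"id": "e3", "type": "process", "host": "DEV-BUILD-02", "parent": "cmd.exe",
     "image": "deno.exe", "cmdline": "deno test"},
    {"id": "e4", "type": "process", "host": "SRV-FILE-01", "parent": "services.exe",
     "image": "PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"id": "e5", "type": "process", "host": "WS-FIN-07", "parent": "cmd.exe",
     "image": "klist.exe", "cmdline": "klist"},
    {"id": "e6", "type": "process", "host": "WS-HR-03", "parent": "explorer.exe",
     "image": "outlook.exe", "cmdline": "OUTLOOK.EXE"},
    {"id": "e7", "type": "dns", "host": "WS-FIN-07", "query": "serialmenot.com."},
]

if __name__ == "__main__":
    for event_id, rules in evaluate(SAMPLE_EVENTS):
        print(event_id, rules)
```

The rules are deliberately independent so that a single host accumulating several of them within a short window (here WS-FIN-07 trips the Run-dialog, Deno, klist and DNS rules) stands out from a developer box that legitimately runs deno test.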

3. ‘ForceMemo’ Compromises Python Repos in GlassWorm Aftermath

SUMMARY

Threat actors are exploiting credentials stolen in the VS Code GlassWorm campaign to inject malware, dubbed ForceMemo, into Python repositories on GitHub. The campaign aims to steal cryptocurrency and sensitive information, and rewrites existing commits rather than adding new ones so that the compromise leaves fewer traces.

Category

Supply Chain Risk

Industry

Technology (primarily developers and their projects)

Sources

https://www.securityweek.com/forcememo-python-repositories-compromised-in-glassworm-aftermath/

https://thehackernews.com/2026/03/glassworm-attack-uses-stolen-github.html

https://www.reddit.com/r/github/comments/1rq8bxc/null_committed_to_most_of_my_repos_adding/

https://www.koi.ai/blog/glassworm-goes-mac-fresh-infrastructure-new-tricks

ANALYST COMMENTS

Threat actors are exploiting credentials stolen in the GlassWorm campaign to inject malware, dubbed ForceMemo, into Python repositories on GitHub. The attacks target Python projects and aim to steal cryptocurrency and sensitive information by rebasing legitimate commits with added obfuscated malicious code and force-pushing the result. This leaves fewer traces because only the committer date changes; the original commit message and author date are preserved. ForceMemo performs system checks, avoids Russian-language repositories, and queries specific Solana blockchain addresses for instructions to fetch, decrypt, and execute an encrypted JavaScript payload. The command channel is resilient because instructions are posted as Solana memo transactions from an address whose private key the attacker controls.

The threat actor is primarily financially motivated and targets Python repositories that are old, abandoned, or ‘vibe coded’ to reduce the chance of detection. The use of a Solana wallet address links this activity to the GlassWorm campaign that targets VS Code and Cursor extensions to compromise developers and their projects.

Compromised projects typically contain the initial-stage malware embedded in entry-point files such as main.py, setup.py, app.py, or manage.py.

While this campaign currently focuses on crypto-wallet theft for financial gain, it may evolve to target other information, such as workstation credentials for resale to initial access brokers.

ACTIONABLE GUIDANCE

Any project that will be used should have its code vetted before use, installation, or integration with other projects, and its history checked for rewritten commits (author dates that are much older than committer dates on recent force-pushes). Compromised developer accounts create downstream risk for every project that depends on public open-source ecosystems such as GitHub. Malicious code in this campaign is typically placed in files that execute during a pip install, such as setup.py, or at application start, such as main.py.
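The two checks just described can be scripted. The example below is added here and is not tooling from the referenced reporting: it flags commits whose committer date trails the author date by a large gap (the trace a rebase-and-force-push leaves) and scans the entry-point files named above for obfuscated loader patterns. Its log lines and file contents are constructed, and the 30-day gap threshold is an assumption; real input comes from git log --format='%H%x09%ai%x09%ci%x09%s'.

```python
"""Triage a Python repository for ForceMemo-style tampering.

Added example, not tooling from the referenced reporting. It checks two
signals the write-up describes: history rewritten so that committer dates are
far later than author dates, and obfuscated loader code in files that run at
install or start-up. The log lines and file contents are constructed; the
30-day gap threshold is an assumption.
"""
import re
from datetime import datetime

# Produce real input with:  git log --format='%H%x09%ai%x09%ci%x09%s'
DATE_FMT = "%Y-%m-%d %H:%M:%S %z"
SUSPECT_FILES = {"main.py", "setup.py", "app.py", "manage.py"}
OBFUSCATION_PATTERNS = {
    "exec_of_decoded": re.compile(
        r"\b(?:exec|eval)\s*\(\s*(?:base64\.b64decode|bytes\.fromhex|zlib\.decompress|codecs\.decode|marshal\.loads)"),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "dynamic_import": re.compile(r"__import__\s*\(\s*['\"](?:base64|zlib|marshal|ctypes|urllib)"),
}


def find_rewritten_commits(log_lines, min_gap_days=30):
    """Commits whose committer date trails the author date by >= min_gap_days.

    A rebase keeps the author date and message but stamps a fresh committer
    date, which is exactly the trace ForceMemo leaves. Legitimate rebases do
    the same, so treat hits as triage candidates, not verdicts.
    """
    hits = []
    for line in log_lines:
        sha, author_date, commit_date, subject = line.split("\t", 3)
        gap = (datetime.strptime(commit_date, DATE_FMT)
               - datetime.strptime(author_date, DATE_FMT)).days
        if gap >= min_gap_days:
            hits.append({"sha": sha, "gap_days": gap, "subject": subject})
    return hits


def scan_source(path, text):
    """Obfuscation patterns found in one file; only entry-point files are scanned."""
    if path.rsplit("/", 1)[-1] not in SUSPECT_FILES:
        return []
    return [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(text)]


def triage_repo(log_lines, files):
    """files: {path: content}. Returns both signals in one report."""
    return {
        "rewritten_commits": find_rewritten_commits(log_lines),
        "suspicious_files": {p: hits for p, t in files.items() if (hits := scan_source(p, t))},
    }


# Constructed sample input (not a real repository).
SAMPLE_LOG = [
    "1d5a8e0\t2023-05-10 09:12:44 +0200\t2023-05-10 09:12:44 +0200\tInitial commit",
    "9c4f2b7\t2023-05-11 16:40:03 +0200\t2026-03-18 03:12:55 +0000\tFix typo in README",
]
PAYLOAD_PLACEHOLDER = "QUFB" * 70  # stands in for an encrypted stage; decodes to 'AAA...' only
SAMPLE_FILES = {
    "setup.py": (
        "from setuptools import setup\n"
        "import base64, zlib\n"
        f'exec(zlib.decompress(base64.b64decode("{PAYLOAD_PLACEHOLDER}")))\n'
        'setup(name="demo", version="0.1")\n'
    ),
    "demo/utils.py": f'BLOB = "{PAYLOAD_PLACEHOLDER}"\n',  # not an entry point: skipped
    "README.md": "# demo\n",
}

if __name__ == "__main__":
    print(triage_repo(SAMPLE_LOG, SAMPLE_FILES))
```

The date check is cheap enough to run across every dependency you vendor; the pattern scan is a first filter only, since a loader can be split across files or hidden behind string concatenation that none of these regexes catch.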

4. ‘CrackArmor’ AppArmor bugs with Pathways to LPE

SUMMARY

Researchers uncovered nine AppArmor flaws dubbed "CrackArmor" that allow unprivileged users to bypass security controls, escalate privileges to root, execute arbitrary code in the kernel, and cause denial-of-service conditions.

Category

Critical Vulnerabilities

Industry

Multiple

Sources

https://securityaffairs.com/189487/hacking/unprivileged-users-could-exploit-apparmor-bugs-to-gain-root-access.html

https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root

https://ubuntu.com/security/vulnerabilities/crackarmor

ANALYST COMMENTS

Researchers discovered nine "CrackArmor" flaws in Linux AppArmor that could allow unprivileged users to bypass protections, escalate privileges to root, execute arbitrary kernel code, or cause denial-of-service conditions. The vulnerabilities have existed since 2017 and affect more than 12.6 million systems, owing to AppArmor's widespread deployment across enterprise systems, cloud platforms, containers, and IoT environments. The flaws stem from a design issue that lets unprivileged users manipulate security profiles via pseudo-files, bypass namespace restrictions, and potentially trigger kernel panics or forced reboots.

Technical research and public PoC code are available for these vulnerabilities; a basic example uses su to remove an AppArmor profile. AppArmor is typically not installed on Red Hat, CentOS, or Amazon Linux based distributions, which are therefore not affected. Ubuntu and Debian based distributions and containers built on them are most at risk.

ACTIONABLE GUIDANCE

Given the critical impact on system confidentiality, integrity, and availability, the Linux kernel should be patched immediately. Updates can be applied through your distribution's package management system or by following the guidance on your distribution's official site on versions that fix these vulnerabilities. Linux distributions that do not use AppArmor are not affected.

5. Interlock ransomware gang exploited Cisco firewall zero-day weeks before disclosure

SUMMARY

The Interlock ransomware gang exploited a critical vulnerability in Cisco's firewall management software before it was publicly disclosed.

Category

Ransomware

Industry

Multiple

Sources

https://therecord.media/cisco-ransomware-interlock-firewalls

https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/

ANALYST COMMENTS

The Interlock ransomware group exploited a zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center software, beginning attacks on January 26 before public disclosure on March 4. Researchers identified this through analysis of a misconfigured server used by Interlock, uncovering extensive malware and operational details that exposed widespread targeting of local governments, schools, and healthcare systems. Additionally, Interlock has been noted for using regulatory compliance threats alongside ransomware to pressure victims, particularly targeting sectors like education and healthcare that cannot afford downtime. These tactics are typically used by ransomware groups to achieve higher ransom payouts and reduced negotiation times.

PoC code for the vulnerability is publicly available, with multiple GitHub repositories hosting several variations. The exploit uses a deserialization gadget chain to execute commands on vulnerable Cisco hosts. The following endpoints are typical targets for deserialization attacks against these hosts:

  • /j_spring_security_check
  • /api/fmc_platform/v1/auth/generatetoken
  • /dispatcher
  • /invoker/JMXInvokerServlet
  • /invoker/EJBInvokerServlet

The PoC code builds requests against these endpoints, usually performing reachability checks first. In the PoC's own logic, an HTTP 500 response may indicate the payload was deserialized and processed, while an HTTP 200 response may indicate successful execution.

Currently known IoCs associated with Interlock ransomware, based on the vendor report, include the following:

199.217.98[.]153 - Exploit source IP - Active Mar 2026
89.46.237[.]33 - Exploit source IP - Active Mar 2026
144.172.94[.]59 - C2 fallback IP - Active Mar 2026
199.217.99[.]121 - C2 fallback IP - Active Mar 2026
188.245.41[.]78 - C2 fallback IP - Active Mar 2026
144.172.110[.]106 - Backend C2 IP - Active Mar 2026
95.217.22[.]175 - Backend C2 IP - Active Mar 2026
37.27.244[.]222 - Staging host IP - Active Mar 2026
ms-server-default[.]com - Exploit support domain - Active Mar 2026
initialize-configs[.]com - Exploit support domain - Active Mar 2026
ms-global.first-update-server[.]com - Exploit support domain - Active Mar 2026
ms-sql-auth[.]com - Exploit support domain - Active Mar 2026
kolonialeru[.]com - Exploit support domain - Active Mar 2026
sclair.it[.]com - Exploit support domain - Active Mar 2026
browser-updater[.]com - C2 domain - Active Mar 2026
browser-updater[.]live - C2 domain - Active Mar 2026
os-update-server[.]com - C2 domain - Active Mar 2026
os-update-server[.]org - C2 domain - Active Mar 2026
os-update-server[.]live - C2 domain - Active Mar 2026
os-update-server[.]top - C2 domain - Active Mar 2026

ACTIONABLE GUIDANCE

Cisco FMC should be updated to the latest available version to remediate this vulnerability and prevent initial compromise by this threat actor. Restrict PowerShell for non-administrator users as a preventive control. Monitor for unauthorized use of remote access tools such as ScreenConnect, look for unusual outbound TCP connections to high ports, and hunt for the listed IoCs in firewall, DNS, and FMC web server logs to detect past compromise.
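The following added example (not Cisco or AWS tooling) turns the endpoint list and IoCs above into a hunt over an FMC host's web access log. It parses constructed lines in the common access-log shape and reports requests from the listed exploit source IPs, POSTs to the deserialization endpoints that ended in a 5xx (the "deserialized and processed" signal the PoC relies on), and any request to the /invoker/ servlets; that last rule, that normal FMC clients never touch those paths, is an assumption you should confirm against a baseline of your own logs.

```python
"""Hunt web server access logs of a Cisco FMC host for CVE-2026-20131 activity.

Added example, not Cisco or AWS tooling. The log lines are constructed in the
common/combined access-log shape; the endpoints and source IPs come from the
reporting above, and the rule that any hit on the /invoker/ servlets is
suspicious is an assumption.
"""
import re

DESER_ENDPOINTS = {
    "/j_spring_security_check",
    "/api/fmc_platform/v1/auth/generatetoken",
    "/dispatcher",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
}
IOC_SOURCE_IPS = {"199.217.98.153", "89.46.237.33"}
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Dict of source, timestamp, method, path and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def hunt(lines):
    """[(line_no, [rule, ...])] for every log line matching at least one rule."""
    findings = []
    for no, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        rules = []
        if rec["src"] in IOC_SOURCE_IPS:
            rules.append("ioc_source_ip")
        if rec["path"] in DESER_ENDPOINTS and rec["method"] == "POST" and 500 <= rec["status"] < 600:
            rules.append("deser_endpoint_5xx")        # server choked on the submitted object
        if rec["path"].startswith("/invoker/"):
            rules.append("invoker_servlet_request")   # assumption: unused by normal FMC clients
        if rules:
            findings.append((no, rules))
    return findings


# Constructed log lines (not from a real appliance).
SAMPLE_LOG = [
    '199.217.98.153 - - [12/Mar/2026:03:14:07 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 500 1193 "-" "Java/1.8.0_202"',
    '10.20.30.5 - - [12/Mar/2026:08:02:11 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [12/Mar/2026:08:05:49 +0000] "POST /api/fmc_platform/v1/auth/generatetoken HTTP/1.1" 500 2210 "-" "python-requests/2.31"',
    '10.20.30.5 - - [12/Mar/2026:08:06:02 +0000] "GET /ui/login HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '89.46.237.33 - - [13/Mar/2026:01:20:33 +0000] "POST /dispatcher?x=1 HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for no, rules in hunt(SAMPLE_LOG):
        print(no, rules)
```

A 5xx on the login endpoints is not proof on its own (a malformed legitimate login can produce one), so rank hits by how many rules fire and by whether the source is external; line 1 in the sample, an external IoC address driving a JBoss invoker servlet into a 500, is the kind of entry to escalate first.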

6. Critical ScreenConnect Vulnerability Exposes Machine Keys

SUMMARY

ConnectWise has released ScreenConnect version 26.1 to address a critical vulnerability (CVE-2026-3564) that allows server-level cryptographic material used for authentication to be leaked to an attacker.

Category

Critical Vulnerabilities

Industry

Technology

Sources

https://www.securityweek.com/critical-screenconnect-vulnerability-exposes-machine-keys/

https://www.connectwise.com/company/trust/security-bulletins/2026-03-17-screenconnect-bulletin

https://thehackernews.com/2025/05/connectwise-hit-by-cyberattack-nation.html

ANALYST COMMENTS

ConnectWise has released ScreenConnect version 26.1, which introduces enhanced protection for machine keys and remediates the critical CVE-2026-3564 vulnerability. The update encrypts the cryptographic material used for session authentication, which was previously stored unencrypted in server configuration files, reducing the risk of unauthorized access and server compromise. An attacker able to extract the ASP.NET machine keys can sign their own session data and thus craft usable session cookies or tokens without ever authenticating.

The sources state that no exploitation in the wild has been observed; however, some claims on social media assert that these machine keys have been used by nation-state-attributed threat actors in the past. ConnectWise, the developer of ScreenConnect, was breached last year and in 2024 by Chinese, Russian, and North Korean cybercrime and nation-state actors. The advisory's wording also notes that security researchers have observed attempts to abuse disclosed ASP.NET machine keys associated with this product. Based on this, there is a high likelihood that the vulnerability has already been used in the wild or that the keys are in the possession of threat actors and will be integrated into future attacks.
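To show why a leaked validation key is a full authentication bypass rather than an information leak, here is an added illustration; it is not ScreenConnect's or ASP.NET's real token format, only a minimal HMAC-signed session token in the same style. It walks through legitimate issuance, forgery of an admin token by someone who has read the key from the server's configuration, and the effect of rotating the key. The key sizes, claim names and fixed clock are assumptions made for the walk-through.

```python
"""Why a leaked signing (validation) key is an authentication bypass.

Added illustration, not ScreenConnect's or ASP.NET's real token format: a
minimal HMAC-signed session token in the style of ASP.NET forms/session
tickets, used to show that whoever holds the key can mint tokens the server
accepts, and that rotating the key is what invalidates them.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def mint_token(claims: dict, validation_key: bytes) -> str:
    """Serialize claims and append an HMAC-SHA256 tag computed with the server's key."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    tag = hmac.new(validation_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, validation_key: bytes, now=None):
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    body, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(validation_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("exp", 0) < (time.time() if now is None else now):
        return None
    return claims


def demonstrate() -> dict:
    """Legitimate issuance, forgery with a leaked key, and key rotation, in one walk-through."""
    server_key = secrets.token_bytes(64)
    now = 1_773_000_000  # fixed clock (assumption) so the walk-through is deterministic
    legit = mint_token({"sub": "alice", "role": "user", "exp": now + 3600}, server_key)

    # An attacker who read the unencrypted key from the server config needs no
    # password: they mint an admin token with an expiry of their choosing.
    leaked_key = server_key
    forged = mint_token({"sub": "attacker", "role": "admin", "exp": now + 86400 * 30}, leaked_key)

    # Without the key, tampering with even one character of the tag fails.
    tampered = forged[:-1] + ("0" if forged[-1] != "0" else "1")

    # Encrypting the stored key protects future reads; only rotation invalidates
    # tokens minted with a key that was already taken.
    rotated_key = secrets.token_bytes(64)

    return {
        "legit_accepted": verify_token(legit, server_key, now) is not None,
        "forged_accepted_role": (verify_token(forged, server_key, now) or {}).get("role"),
        "tampered_without_key": verify_token(tampered, server_key, now) is not None,
        "forged_after_rotation": verify_token(forged, rotated_key, now) is not None,
        "legit_after_rotation": verify_token(legit, rotated_key, now) is not None,
    }


if __name__ == "__main__":
    print(demonstrate())
```

The practical consequence for the guidance that follows: after upgrading, confirm from the vendor bulletin whether the update rotates the machine keys or only encrypts them at rest. If the keys could already have been read, rotation is the step that actually invalidates any sessions an attacker has minted, and it will also log out every legitimate user at once.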

ACTIONABLE GUIDANCE

Organizations should update ScreenConnect to the latest available version (26.1) to remediate this vulnerability. Those that cannot update immediately should isolate and segregate the vulnerable host and keep it off the public internet. Likely indicators of compromise are sessions that appear without a corresponding login event, or that originate from unexpected locations.

Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients. REQUEST ACCESS
