Originally reported by Security Affairs, The Record, Palo Alto Unit 42
TL;DR
Unit 42 reports increased wiper attacks by Iran-linked Handala Hack group exploiting Microsoft Intune, while a separate China-based espionage operation targets military infrastructure across Southeast Asia. Additional developments include FBI surveillance data increases, Stryker cyberattack recovery uncertainties, and critical WordPress plugin vulnerabilities.
Unit 42 reports active wiper attacks by Iran-linked Handala group and strategic espionage operations by China-based actors targeting military infrastructure in Southeast Asia.
Unit 42 researchers observe an increase in destructive wiper attacks by the Iran-linked Handala Hack group (also tracked as Void Manticore). The threat actor leverages phishing campaigns and misuses Microsoft Intune for deployment, representing an evolution in their tactical approach to destructive operations.
The escalation aligns with broader Iranian cyber activities targeting critical infrastructure and suggests potential coordination with geopolitical tensions in the region.
A suspected China-based espionage operation demonstrates strategic operational patience against military targets across Southeast Asia, according to Unit 42 analysis. The campaign deploys custom backdoors and maintains persistent access to high-value military infrastructure.
The operation's focus on Southeast Asian defense capabilities indicates potential intelligence collection priorities aligned with regional territorial disputes and military modernization efforts.
Medical device manufacturer Stryker disclosed in an SEC 8-K filing that recovery timelines from a recent cyberattack remain unknown. The incident caused global disruption to the company's Microsoft environment, prompting engagement of external cybersecurity experts for threat assessment and containment.
The filing underscores the cascading operational impacts of sophisticated attacks on critical healthcare supply chain infrastructure.
Acquia's Drew Webber discovered an unauthenticated SQL injection flaw (CVE-2026-2413, CVSS 7.5) in the Ally WordPress plugin installed on over 400,000 sites. The vulnerability allows attackers to extract sensitive data without authentication, presenting immediate risk to affected installations.
Website operators should prioritize plugin updates to prevent unauthorized data access through this widely deployed accessibility tool.
New data reveals FBI searches of Americans' data collected under FISA Section 702 rose to 7,413 between December 2024 and November 2025, up from 5,518 the previous year. The 34% increase occurs amid ongoing legislative debates over surveillance program reauthorization and civil liberties protections.
The Information Commissioner's Office (ICO) and Ofcom issued joint demands for social media platforms to implement stronger age verification that prevents under-13 access. Platforms have until the end of April to report their compliance plans, with immediate action expected on protective measures.
Brig. Gen. Matthew Lennox from Army Cyber Command will assume command of the Cyber National Mission Force, replacing Marine Corps Maj. Gen. Lorna Mahlock who led the organization since 2024. The transition occurs amid broader leadership changes across U.S. cyber operations.
Apple released iOS 16.7.15 and 15.8.7 emergency updates for older iPhone and iPad models to address vulnerabilities linked to the recently disclosed Coruna exploit chain. The patches protect legacy devices from active exploitation techniques targeting outdated iOS versions.
As organizational workflows migrate from traditional file servers to collaboration platforms and AI systems, security practitioners face new challenges in protecting unstructured data. Legacy file servers persist for governance and legal requirements, but operational data increasingly flows through modern cloud-native platforms requiring updated protection strategies.