Cyber Threat Brief — March 13 2026
1. Chrome Zero-Days CVE-2026-3909 + CVE-2026-3910 — Skia OOB Write + V8 Misimplementation Exploited in the Wild
Summary
Two high-severity Chrome zero-days landed Thursday with confirmed in-wild exploitation: CVE-2026-3909 is an out-of-bounds write in the Skia 2D graphics library (CVSS 8.8), and CVE-2026-3910 is an inappropriate implementation in the V8 JavaScript/WebAssembly engine (CVSS 8.8). Google discovered both internally on March 10 and patched them in Chrome 146.0.7680.75/76 within two days — no details on threat actors or targets shared. These are the second and third actively exploited Chrome zero-days fixed in 2026.
What’s New (Last 24 Hours)
- Google published emergency advisory and Chrome 146 stable update on March 13, 2026
- Confirmed in-the-wild exploitation of both flaws; no public PoC or actor attribution as of publication
- Update immediately available; auto-update will roll out over days/weeks — prompt manual update
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Chrome versions < 146.0.7680.75 (Windows/Linux) or < 146.0.7680.76 (macOS) | Vulnerable version | T1203 (Exploit Client Software) | EDR software inventory / asset management | Hunt for outdated Chrome processes; alert on execution from unpatched version strings |
| Out-of-bounds write in Skia renderer — crafted HTML page triggers memory corruption | TTP | T1189 (Drive-by Compromise) | Browser process telemetry / EDR child process | Alert on Chrome renderer spawning unexpected child processes post-navigation |
| V8 inappropriate implementation — malicious HTML page achieves sandbox code execution | TTP | T1203 (Exploit Client Software) | Browser crash logs / EDR process events | Monitor for Chrome renderer crashes clustered with suspicious domains; sandbox escape indicators |
| Chrome 146.0.7680.75/76 — patch update string (Windows/Mac/Linux) | Patch artifact | T1203 | Endpoint software inventory | Verify Chrome version ≥ 146.0.7680.75 across all managed endpoints within 24h of patch |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | None found | No Splunk ESCU rules directly target Chrome Skia/V8 exploitation; recommend hunting on Chrome process lineage anomalies (unexpected child processes from chrome.exe renderer) via EDR-sourced process events |
| Elastic | Suspicious Browser Child Process | Covers macOS Chrome renderer spawning unexpected children — directly applicable as a post-exploitation indicator if V8/Skia sandbox escape is achieved; Windows equivalent gap exists |
| Sigma | Suspicious Browser Child Process - MacOS | Detects Chrome/browser processes spawning unusual children on macOS — relevant if exploit achieves renderer escape; Windows browser process lineage monitoring gap exists |
Sources
- Google Chrome Security Advisory — CVE-2026-3909 & CVE-2026-3910 — Published 2026-03-13
- BleepingComputer — Google fixes two new Chrome zero-days exploited in attacks — Published 2026-03-13
- Security Affairs — Google fixed two new actively exploited flaws in Chrome — Published 2026-03-13
2. CrackArmor — Nine AppArmor Vulnerabilities Enable LPE to Root on 12.6M Linux Systems
Summary
Qualys TRU disclosed nine vulnerabilities in AppArmor — dubbed “CrackArmor” — that allow any unprivileged local user to escalate to full root on Ubuntu, Debian, SUSE, and derivative cloud/container/edge instances. No CVE IDs assigned yet (upstream kernel process delays assignment). The flaw has existed since 2017 (kernel v4.11+). Attack paths include: loading “deny-all” AppArmor profiles via pseudo-files to disable critical services (DoS), triggering kernel stack exhaustion via deeply nested subprofile removal (kernel panic), and a user-space LPE chain using a sudo capability-denial profile + MAIL_CONFIG env var manipulation to cause Postfix’s sendmail to run as root. Qualys holds working PoC exploits, shared only with affected vendors; public release withheld pending patching.
What’s New (Last 24 Hours)
- Qualys TRU published the CrackArmor advisory on March 12, 2026 (coordinated disclosure)
- 12.6 million enterprise Linux instances confirmed affected per Qualys asset analysis
- No CVE IDs yet; patch via vendor kernel updates — treat as priority even without CVE tracking
- /sys/kernel/security/apparmor/ is the critical monitoring path
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Writes to /sys/kernel/security/apparmor/ pseudo-files by non-root processes | TTP | T1068 (Exploitation for Privilege Escalation) | Linux auditd / file integrity monitoring | Alert on non-privileged processes writing to AppArmor securityfs paths |
| Loading “deny-all” AppArmor profile against system services (e.g., sshd, cron) | TTP | T1562.001 (Disable or Modify Tools) | Linux auditd / syslog | Monitor for profile changes via aa-enforce/apparmor_parser by non-admin users |
| sudo invoked with MAIL_CONFIG env var set by unprivileged user → Postfix sendmail runs as root | TTP | T1548.003 (Sudo and Sudo Caching) | Linux auditd (execve syscall), EDR process | Alert on sendmail spawned from sudo context by non-root with unusual env vars |
| Recursive nested subprofile removal → kernel stack exhaustion → kernel panic (DoS) | TTP | T1499 (Endpoint Denial of Service) | Linux kernel panic logs / syslog | Alert on unexpected kernel panics on AppArmor-enabled systems; correlate with subprofile ops |
| apparmor_parser -r executed by non-privileged user | TTP | T1068 | Linux auditd process logs | Hunt for apparmor_parser invocations from non-root UID |
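
The securityfs-write and apparmor_parser rows above, turned into a hunt over auditd records (added example, not Qualys code): it groups records by event serial and flags non-root events. The log lines are constructed, and the `key=` values assume watch rules such as `-w /sys/kernel/security/apparmor/ -p w -k apparmor_fs` are loaded.

```python
"""Hunt auditd output for non-root writes under /sys/kernel/security/apparmor/
and non-root apparmor_parser execution (CrackArmor rows).  Added example;
sample records are constructed and assume an auditd watch on securityfs."""
import re
from collections import defaultdict

APPARMOR_FS = "/sys/kernel/security/apparmor/"
_SERIAL = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")   # records of one event share this
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(lines):
    """Group raw auditd records by event serial; values lose their quotes."""
    events = defaultdict(list)
    for line in lines:
        m = _SERIAL.search(line)
        if m:
            events[m.group(1)].append({k: v.strip('"') for k, v in _KV.findall(line)})
    return events

def find_apparmor_abuse(lines):
    """Return (serial, uid, comm, reason) for each suspicious event."""
    hits = []
    for serial, recs in parse_events(lines).items():
        sysc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sysc is None or sysc.get("uid") == "0":      # root managing profiles is expected
            continue
        names = [r.get("name", "") for r in recs if r.get("type") == "PATH"]
        if any(n.startswith(APPARMOR_FS) for n in names):
            hits.append((serial, sysc["uid"], sysc.get("comm"), "non-root write to AppArmor securityfs"))
        elif sysc.get("comm") == "apparmor_parser":
            hits.append((serial, sysc["uid"], "apparmor_parser", "non-root apparmor_parser execution"))
    return hits

SAMPLE = [  # constructed, not real telemetry
    'type=SYSCALL msg=audit(1773360000.101:4567): arch=c000003e syscall=257 success=yes exit=3 uid=1000 auid=1000 comm="sh" exe="/usr/bin/dash" key="apparmor_fs"',
    'type=PATH msg=audit(1773360000.101:4567): item=0 name="/sys/kernel/security/apparmor/.load" nametype=NORMAL',
    'type=SYSCALL msg=audit(1773360000.205:4568): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=0 comm="apparmor_parser" exe="/sbin/apparmor_parser" key="apparmor_fs"',
    'type=PATH msg=audit(1773360000.205:4568): item=0 name="/sys/kernel/security/apparmor/.replace" nametype=NORMAL',
    'type=SYSCALL msg=audit(1773360000.310:4569): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="apparmor_parser" exe="/sbin/apparmor_parser" key="apparmor_exec"',
    'type=PATH msg=audit(1773360000.310:4569): item=0 name="/sbin/apparmor_parser" nametype=NORMAL',
    'type=SYSCALL msg=audit(1773360000.412:4570): arch=c000003e syscall=257 success=yes exit=3 uid=1000 auid=1000 comm="cat" exe="/usr/bin/cat" key="etc_read"',
    'type=PATH msg=audit(1773360000.412:4570): item=0 name="/etc/hostname" nametype=NORMAL',
]

if __name__ == "__main__":
    for hit in find_apparmor_abuse(SAMPLE):
        print(hit)
```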
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Linux APT Privilege Escalation | General Linux LPE pattern — not AppArmor-specific; monitor sudo/setuid patterns as a compensating control while AppArmor-specific rules are built |
| Elastic | Potential Buffer Overflow Attack Detected; Deprecated - Sudo Heap-Based Buffer Overflow Attempt | Covers kernel stack/buffer overflow exploitation patterns; partially applicable to CrackArmor kernel-space attack path; sudo rule covers user-space exploitation chain via sudo capability manipulation |
| Sigma | None found | No Sigma rules target AppArmor profile manipulation via pseudo-files; custom rule needed: alert on apparmor_parser or writes to /sys/kernel/security/apparmor/ by non-root processes |
Sources
- Qualys Blog — CrackArmor: Critical AppArmor Flaws Enable LPE to Root — Published 2026-03-12
- The Hacker News — Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation — Published 2026-03-12
3. Slopoly / Hive0163 — AI-Generated C2 Backdoor Used in Interlock Ransomware Attack
Summary
IBM X-Force disclosed Hive0163’s deployment of “Slopoly,” a likely AI-generated PowerShell backdoor that served as the C2 persistence client during an Interlock ransomware attack. The attack started with a ClickFix social engineering lure, then progressed through NodeSnake and InterlockRAT before Slopoly was dropped in the later stage — indicating a “live-fire exercise” use of the custom C2 framework. Key indicators of AI-assisted development: extensive code comments, structured logging, clearly named variables, unused Jitter function. Slopoly establishes persistence via a scheduled task named “Runtime Broker” and beacons every 30 seconds to /api/commands.
What’s New (Last 24 Hours)
- IBM X-Force published full Slopoly analysis on March 12, 2026
- Confirms AI-generated malware in active ransomware operations — first Hive0163 attribution to AI tooling
- Attack chain: ClickFix → NodeSnake → InterlockRAT → Slopoly → Interlock ransomware
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| C:\ProgramData\Microsoft\Windows\Runtime\ — Slopoly drop path | File path | T1036.005 (Masquerading: Match Legitimate Name) | EDR file creation events | Alert on new PE/script files created in C:\ProgramData\Microsoft\Windows\Runtime\ |
| Scheduled task named “Runtime Broker” created by non-system process | TTP | T1053.005 (Scheduled Task) | Windows Security Event 4698 / EDR | Alert on scheduled task creation with name “Runtime Broker” not from C:\Windows\System32\ |
| PowerShell script polling /api/commands endpoint every 50 seconds | TTP | T1071.001 (Application Layer Protocol: Web) | Proxy / network logs | Alert on high-frequency outbound HTTP polling to novel domains from powershell.exe |
| HTTP POST beacon every 30 seconds (session ID + mutex name + C2 URL hardcoded in script) | TTP | T1071.001 | Proxy / network flow | Hunt for powershell.exe making recurring HTTPS POST requests at 28-32 second intervals |
| cmd.exe spawned from PowerShell C2 client to execute commands + return output | TTP | T1059.003 (Windows Command Shell) | EDR process lineage | Alert on cmd.exe spawned from long-running PowerShell processes not associated with known admin tools |
| ClickFix fake CAPTCHA / browser fix social engineering initial vector | TTP | T1566.002 (Spearphishing Link) | Web proxy / EDR browser | Monitor for mshta.exe or wscript.exe spawned from browser processes (ClickFix delivery artifact) |
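
The 28-32 second beacon hunt from the table above, as an added example (not X-Force code): it groups proxy requests by host, process, method and URL and flags series whose median spacing sits in the window with little jitter. The proxy lines, hosts and URLs are constructed placeholders.

```python
"""Interval-based hunt for Slopoly-style beaconing: recurring requests from
powershell.exe at ~30 s cadence.  Added example with constructed proxy lines."""
from collections import defaultdict
from datetime import datetime
from statistics import median

def parse_line(line):
    """Fields: '<iso-ts> <host> <process> <method> <url>' (a real proxy export needs its own parser)."""
    ts, host, proc, method, url = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, proc, method, url

def find_beacons(lines, lo=28.0, hi=32.0, min_requests=4, max_jitter=3.0):
    """Return (key, median_gap_s, count) for (host, process, method, url) series whose
    median request spacing is within [lo, hi] and every gap is within max_jitter of it."""
    series = defaultdict(list)
    for line in lines:
        ts, host, proc, method, url = parse_line(line)
        series[(host, proc, method, url)].append(ts)
    hits = []
    for key, stamps in series.items():
        if len(stamps) < min_requests:          # too few points to call a cadence
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if lo <= med <= hi and max(abs(g - med) for g in gaps) <= max_jitter:
            hits.append((key, round(med, 1), len(stamps)))
    return hits

SAMPLE = [  # constructed; the .invalid domains are placeholders
    "2026-03-12T10:00:00Z ws-07 powershell.exe POST https://c2.example.invalid/api/commands",
    "2026-03-12T10:00:30Z ws-07 powershell.exe POST https://c2.example.invalid/api/commands",
    "2026-03-12T10:01:01Z ws-07 powershell.exe POST https://c2.example.invalid/api/commands",
    "2026-03-12T10:01:30Z ws-07 powershell.exe POST https://c2.example.invalid/api/commands",
    "2026-03-12T10:02:00Z ws-07 powershell.exe POST https://c2.example.invalid/api/commands",
    "2026-03-12T10:00:00Z ws-03 chrome.exe POST https://mail.example.invalid/sync",   # bursty, human-driven
    "2026-03-12T10:00:05Z ws-03 chrome.exe POST https://mail.example.invalid/sync",
    "2026-03-12T10:04:00Z ws-03 chrome.exe POST https://mail.example.invalid/sync",
    "2026-03-12T10:04:02Z ws-03 chrome.exe POST https://mail.example.invalid/sync",
    "2026-03-12T10:00:00Z ws-09 powershell.exe GET https://updates.example.invalid/ping",  # too few points
    "2026-03-12T10:00:30Z ws-09 powershell.exe GET https://updates.example.invalid/ping",
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE):
        print(hit)
```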
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Windows Scheduled Task with Suspicious Name; Windows Scheduled Task Service Spawned Shell; WinEvent Scheduled Task Created Within Public Path | Directly covers the “Runtime Broker” scheduled task creation (suspicious name masquerading as system process) and the task spawning cmd.exe/PowerShell for C2 command execution |
| Elastic | Suspicious Execution via Scheduled Task; Outbound Scheduled Task Activity via PowerShell | Covers suspicious task execution patterns and PowerShell-sourced task creation — directly applicable to Slopoly’s “Runtime Broker” persistence mechanism |
| Sigma | Scheduled Task Creation Via Schtasks.EXE; Suspicious Command Patterns In Scheduled Task Creation; Powershell Create Scheduled Task | Covers task creation events and PowerShell-based task registration — applicable to Slopoly’s persistence via “Runtime Broker” scheduled task |
Sources
- IBM X-Force — A Slopoly Start to AI-Enhanced Ransomware Attacks — Published 2026-03-12
- BleepingComputer — AI-generated Slopoly malware used in Interlock ransomware attack — Published 2026-03-12
- The Hacker News — Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks — Published 2026-03-13
4. MicroStealer — NSIS → Electron → Java Infostealer Targeting Corporate Credentials
Summary
ANY.RUN researchers published analysis of MicroStealer, an emerging infostealer active since December 14, 2025, with 40+ sandbox sessions observed in under a month and low public detection coverage. Distribution is through compromised or impersonated accounts targeting education and telecom sectors. The delivery chain (NSIS → Electron → JAR) is deliberately layered to slow detection. Targets include browser credentials, session cookies, screenshots, and wallet files. The NSIS installer is named RocobeSetup.exe — a distinctive early IOC for hunting.
What’s New (Last 24 Hours)
- ANY.RUN published full technical analysis on March 12, 2026
- 40+ observed infections in under one month; education and telecom sectors targeted
- Low public detection coverage makes behavior-based hunting critical
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| RocobeSetup.exe — NSIS installer (first stage) | File name | T1566.001 (Spearphishing Attachment) | EDR file events / email gateway | Alert on execution of RocobeSetup.exe; block at email/web gateway |
| NSIS installer dropping Electron app → spawning Java JAR (multi-stage chain) | TTP | T1027 (Obfuscated Files), T1059.007 (JS engine) | EDR process lineage | Alert on NSIS installer processes spawning Electron (electron.exe) which then spawns java.exe |
| Browser credential file access: Chrome Login Data, Cookies, Firefox logins.json | TTP | T1555.003 (Credentials from Web Browsers) | EDR file access monitoring | Alert on non-browser processes accessing Chrome Login Data or Firefox logins.json |
| Session cookie extraction from browser profile directories | TTP | T1539 (Steal Web Session Cookie) | EDR file access / DLP | Alert on bulk reads of browser profile directories by java.exe or unknown processes |
| Screenshot capture by java.exe or Electron app during stealer execution | TTP | T1113 (Screen Capture) | EDR API call telemetry | Monitor for java.exe invoking screen capture APIs (GDI/BitBlt) |
| Exfiltration via multiple channels post-theft | TTP | T1041 (Exfiltration Over C2) | Proxy / network logs | Alert on Java/Electron processes making outbound HTTPS connections to unclassified hosts post-credential-access |
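
The NSIS → Electron → JAR lineage row above as a hunt over EDR process-creation events (added example, not ANY.RUN code): java.exe is flagged when its parent is electron.exe and the first-stage installer name from the report sits higher in its ancestry. The process events are constructed.

```python
"""Process-lineage hunt for the MicroStealer chain: installer -> ... -> electron.exe -> java.exe.
Added example; events are constructed (pid/ppid/image, as an EDR would export them)."""
from typing import Iterable

INSTALLER_NAMES = {"rocobesetup.exe"}   # first-stage name from the report; extend as new names appear

def ancestry(pid, procs):
    """Image names from pid's parent upward; stops at an unknown or cyclic ppid."""
    names, seen = [], set()
    cur = procs.get(pid, {}).get("ppid")
    while cur in procs and cur not in seen:
        seen.add(cur)
        names.append(procs[cur]["image"].lower())
        cur = procs[cur]["ppid"]
    return names

def find_stealer_chain(events: Iterable[dict]):
    """Return pids of java.exe processes whose direct parent is electron.exe
    and which have a known NSIS stage-one installer anywhere above that."""
    procs = {e["pid"]: e for e in events}
    hits = []
    for pid, e in procs.items():
        if e["image"].lower() != "java.exe":
            continue
        chain = ancestry(pid, procs)
        if chain and chain[0] == "electron.exe" and any(n in INSTALLER_NAMES for n in chain[1:]):
            hits.append(pid)
    return hits

SAMPLE = [  # constructed
    {"pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "RocobeSetup.exe"},
    {"pid": 300, "ppid": 200, "image": "electron.exe"},
    {"pid": 400, "ppid": 300, "image": "java.exe"},     # full chain: hit
    {"pid": 500, "ppid": 100, "image": "java.exe"},     # user-launched Java app
    {"pid": 600, "ppid": 100, "image": "electron.exe"}, # legitimate Electron app
    {"pid": 700, "ppid": 600, "image": "java.exe"},     # Electron parent but no installer above it
]

if __name__ == "__main__":
    print(find_stealer_chain(SAMPLE))
```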
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Windows Credentials from Web Browsers Saved in TEMP Folder; Windows Credentials from Password Stores Chrome Copied in TEMP Dir | Directly applicable — covers Chrome credential file copying to temp directories, which aligns with MicroStealer’s browser credential harvesting behavior |
| Elastic | Potential Cookies Theft via Browser Debugging; Suspicious Web Browser Sensitive File Access | Covers cookie theft and suspicious file access to browser credential stores — applicable to MicroStealer’s session cookie and credential extraction phase |
| Sigma | Suspicious File Access to Browser Credential Storage; Potential Browser Data Stealing | Directly applicable — alerts on non-browser processes accessing credential storage files (Chrome Login Data, Firefox logins.json), matching MicroStealer’s core theft behavior |
Sources
- ANY.RUN Blog — MicroStealer Analysis: A Fast-Spreading Infostealer with Limited Detection — Published 2026-03-12
5. CVE-2025-68613 — n8n RCE Expression Injection Hits CISA KEV with 24,700 Exposed Instances
Summary
CISA added CVE-2025-68613 (CVSS 9.9) — a critical expression injection RCE in n8n’s workflow evaluation engine — to the Known Exploited Vulnerabilities catalog on March 11, 2026, confirming active in-the-wild exploitation. The vulnerability was patched in December 2025 (v1.120.4+), but over 24,700 unpatched instances remain exposed online (12,300+ in North America). A public PoC exists on GitHub. Exploitation allows authenticated users to execute OS-level commands with n8n process privileges, enabling full server compromise. FCEB agencies must patch by March 25, 2026.
What’s New (Last 24 Hours)
- CISA KEV addition confirmed March 11, 2026 — active exploitation now documented
- 24,700+ unpatched public instances identified by Shadowserver Foundation
- Companion vulnerability CVE-2026-27577 (CVSS 9.4) disclosed by Pillar Security as an “additional exploit” in the same evaluation system
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Malicious expression in workflow node input field targeting n8n evaluation engine | TTP | T1190 (Exploit Public-Facing Application) | n8n application logs / web proxy | Monitor n8n logs for expression eval errors or unexpected OS command output; alert on workflow executions from new/unknown users |
| OS command execution spawned by n8n process (Node.js) on host system | TTP | T1059.006 (Python/Node scripting) | EDR process lineage | Alert on node process spawning sh, bash, cmd.exe or other shell processes unexpectedly |
| n8n versions < 1.120.4 / < 1.121.1 / < 1.122.0 exposed publicly | Vulnerable version | T1190 | Network scan results / asset inventory | Enumerate n8n deployments; immediately patch to v1.122.0+; remove public exposure |
| GET /rest/workflows/{id}/run or /api/v1/workflows/{id}/run — exploit endpoint | URL pattern | T1190 | Web/proxy access logs | Alert on workflow execution API calls from unusual source IPs or outside business hours |
| Public PoC: github.com/TheStingR/CVE-2025-68613-POC | Exploit artifact | T1190 | Threat intelligence feeds | Track PoC for payload signatures; use to verify exploitation against test instances |
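
A version-floor check serving the patch rows of both item 1 (Chrome ≥ 146.0.7680.75/76 per platform) and item 5 (n8n < 1.120.4 / 1.121.1 / 1.122.0), added here as an example rather than vendor code: it compares numerically, since string comparison misorders builds such as 146.0.7680.9 against 146.0.7680.75. Treating the three n8n thresholds as one fix per release branch is an assumption, and the inventory rows are constructed.

```python
"""Numeric version-floor check for the Chrome and n8n patch artifacts.
Added example; the fix list is taken from the tables above and the inventory is constructed."""

def parse_version(s):
    # Compare numerically: as strings "146.0.7680.9" sorts after "146.0.7680.75"
    return tuple(int(p) for p in s.strip().split("."))

def is_vulnerable(version, fixed_in):
    """True when `version` is older than the fix on its own release branch
    (branch = first two components).  A branch with no listed fix is treated
    conservatively: vulnerable unless it is newer than the newest fix."""
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed_in)
    on_branch = [f for f in fixes if f[:2] == v[:2]]
    return v < (on_branch[0] if on_branch else fixes[-1])

FIXED_IN = {  # first patched build per (product, platform), from the tables above
    ("chrome", "windows"): ["146.0.7680.75"],
    ("chrome", "linux"):   ["146.0.7680.75"],
    ("chrome", "macos"):   ["146.0.7680.76"],
    ("n8n", "any"):        ["1.120.4", "1.121.1", "1.122.0"],   # assumed: one fix per branch
}

def needs_patch(inventory):
    """inventory rows: (host, product, platform, version) -> rows still vulnerable."""
    return [row for row in inventory if is_vulnerable(row[3], FIXED_IN[(row[1], row[2])])]

INVENTORY = [  # constructed
    ("ws-01",  "chrome", "windows", "146.0.7680.9"),    # string compare would call this patched
    ("ws-02",  "chrome", "macos",   "146.0.7680.75"),   # macOS floor is .76
    ("ws-03",  "chrome", "linux",   "146.0.7680.75"),
    ("srv-01", "n8n",    "any",     "1.121.0"),
    ("srv-02", "n8n",    "any",     "1.120.4"),
    ("srv-03", "n8n",    "any",     "1.119.2"),
    ("srv-04", "n8n",    "any",     "1.123.0"),
]

if __name__ == "__main__":
    for row in needs_patch(INVENTORY):
        print("PATCH", *row)
```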
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | None found | No Splunk ESCU rule targeting n8n specifically; closest applicable: generic web application RCE patterns; recommend custom SPL alert on n8n process spawning shell children |
| Elastic | None found | No direct n8n rule; Potential JAVA/JNDI Exploitation Attempt pattern can be adapted for Node.js process lineage from n8n server |
| Sigma | Potential RCE Exploitation Attempt In NodeJS | Directly applicable — detects Node.js RCE exploitation attempts; covers n8n’s attack surface as a Node.js application spawning unexpected OS processes |
Sources
- CISA KEV — CVE-2025-68613 Addition — Published 2026-03-11
- The Hacker News — CISA Flags Actively Exploited n8n RCE Bug — Published 2026-03-12
- GitHub PoC — TheStingR/CVE-2025-68613-POC — Public