soc

Filtered by: 18 March 2026

Cyprus and Israel Under DDoS Siege: Weekly DDoS Threat Intelligence Analysis

Analysis Period: March 9 – 16, 2026

Between March 9 and 16, 2026, SOCRadar identified an extensive coordinated DDoS campaign conducted by the pro-Russian threat actor NoName057(16) using their DDoSia attack tool. The campaign resulted in 5,828 recorded attack entries, targeting 143 unique domains […]

Read more →

CVE-2026-20643: Vulnerability in WebKit Navigation API May Bypass Same Origin Policy

CVE-2026-20643 in WebKit Navigation API fixed by Apple

Just a little over a month after fixing the actively exploited CVE-2026-20700 zero-day, Apple has now issued its first Background Security Improvements release to address CVE-2026-20643, a WebKit vulnerability that could allow maliciously crafted web content to bypass the Same Origin Policy, one of the browser’s core security boundaries. The issue in the limelight adds […]

The post CVE-2026-20643: Vulnerability in WebKit Navigation API May Bypass Same Origin Policy appeared first on SOC Prime.

Read more →

Financial Crime in 2026: How Organized Threat Ecosystems Are Outsmarting AML Controls

Financial crime has changed dramatically over the last few years. Fraud is no longer driven primarily by isolated attackers or opportunistic scams. Instead, it has evolved into a coordinated ecosystem where identity theft, account takeover, money laundering, and infrastructure services operate as interconnected criminal […]

Read more →

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2026-20963 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Read more →

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2025-66376 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Read more →

CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization

CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment.[1] To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert. CISA is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions.

To defend against similar malicious activity that misuses legitimate endpoint management software, CISA urges organizations to implement Microsoft’s newly released best practices for securing Microsoft Intune; the principles of these recommendations can be applied to Intune and more broadly to other endpoint management software: 

  • Use principles of least privilege when designing administrative roles.
    • Leverage Microsoft Intune’s role-based access control (RBAC) to assign the minimum permissions necessary to each role for completing day-to-day operations—permissions include what actions the role can take, and what users and devices it can apply that action to.
  • Enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene.
    • Use Microsoft Entra ID capabilities (including Conditional Access, MFA, risk signals, and privileged access controls) to block unauthorized access to privileged actions in Microsoft Intune.
  • Configure access policies to require Multi Admin Approval in Microsoft Intune.
    • Set up policies that require a second administrative account’s approval to allow changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc.  

Additionally, CISA recommends reviewing the following resources to strengthen defenses against similar malicious cyber activity:

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.  

Acknowledgements

Microsoft and Stryker contributed to this alert. 

Notes

[1] For updates from Stryker on the incident, see “Customer Updates: Stryker Network Disruption,” Stryker, last modified March 15, 2026, https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html.

Read more →

Observability Pipeline: Managing Telemetry at Scale

Observability began as a visibility problem. Yet, today it is framed just as much as a control challenge because teams have to manage the floods of telemetry moving daily through the business environment. Most organizations already collect large volumes of logs, metrics, events, and traces. The issue now lies in managing tons of that data […]

The post Observability Pipeline: Managing Telemetry at Scale appeared first on SOC Prime.

Read more →