Canadian Cyber Security Journal

Cybersecurity Daily Brief — Friday, March 27, 2026

Here are today’s top cybersecurity stories for Friday, March 27, 2026.


TELUS Digital Confirms ShinyHunters Breach After Hacker Claims Nearly One Petabyte of Data Stolen

Canadian telecommunications outsourcer TELUS Digital confirmed it suffered a cyberattack after the ShinyHunters group claimed responsibility and offered stolen data for sale. The attackers reportedly accessed TELUS Digital’s Google Cloud Platform environment using credentials obtained from the earlier Salesloft Drift breach, then moved laterally to exfiltrate up to one petabyte of data including BPO customer records, FBI background checks, Salesforce exports, call data records, and source code. ShinyHunters demanded a $65 million ransom. TELUS Digital says all business operations remain active with no disruption to customer connectivity. BleepingComputer | CBC News


US, Canada, and Germany Dismantle Four IoT Botnets Behind Record 31 Tbps DDoS Attacks

The US Department of Justice, working with law enforcement partners in Canada and Germany, seized infrastructure behind four IoT botnets — Aisuru, Kimwolf, JackSkid, and Mossad — that compromised more than three million devices worldwide and launched DDoS attacks peaking at 31.4 terabits per second. Aisuru alone issued more than 200,000 attack commands. A 22-year-old Canadian man was identified as a core operator of the Kimwolf botnet. A 15-year-old in Germany was also investigated. The disrupted infrastructure had targeted internet service providers, gaming platforms, and government networks. Krebs on Security | The Hacker News


Oracle Issues Emergency Patch for Critical CVSS 9.8 Unauthenticated RCE Flaw in Identity Manager

Oracle released an out-of-band security alert to address CVE-2026-21992 (CVSS 9.8), a critical remote code execution vulnerability in Oracle Identity Manager and Oracle Web Services Manager. The flaw resides in the REST WebServices component and requires no authentication — an attacker with network access via HTTP can exploit it remotely. Affected versions include Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0, and Oracle Web Services Manager 12.2.1.4.0 and 14.1.2.1.0. No active exploitation has been confirmed, but the vulnerability shares affected product components with CVE-2025-61757, which was exploited in November 2025. The Hacker News | Help Net Security


GlassWorm Malware Uses Solana Blockchain Dead Drops to Deliver RAT and Steal Crypto Credentials

Researchers at The Hacker News detailed GlassWorm, a multi-stage malware campaign distributing payloads through rogue npm, PyPI, and GitHub packages. The malware uses Solana blockchain transaction memo fields as dead drops to retrieve command-and-control addresses, bypassing traditional domain-based defenses. Stage two deploys an infostealer targeting browser extension wallets, npm tokens, git credentials, and cloud provider secrets. Stage three force-installs a fake Google Chrome extension that logs keystrokes, steals cookies, captures screenshots, and exfiltrates up to 5,000 browser history entries. GlassWorm operators have also begun targeting the Model Context Protocol ecosystem with impersonation packages. The Hacker News


Unit 42 Updates Iran Cyber Threat Brief as Wiper Attack Risk Reaches Elevated Levels

Palo Alto Networks Unit 42 updated its March 2026 Iran threat brief on March 26, warning of an elevated risk of wiper attacks tied to the ongoing US-Israel-Iran conflict. Iran entered its 27th consecutive day of near-total internet blackout as retaliatory cyber operations continued. Unit 42 identified 7,381 conflict-themed phishing URLs across 1,881 hostnames, with activity spanning financial fraud, credential harvesting, and destructive wiper deployment. Iranian actors have conducted destructive wiper operations since 2012 and are assessed to have both the capability and intent to target Western organizations. Palo Alto Networks Unit 42


149 Hacktivist DDoS Attacks Hit 110 Organizations Across 16 Countries Following Middle East Escalation

Researchers documented 149 hacktivist-linked DDoS attacks against 110 organizations across 16 countries in the weeks following the February 28 US-Israel strike on Iran. Targeted sectors included government, financial services, media, and telecommunications. Attack methods ranged from volumetric floods to application-layer targeting. Researchers noted a sharp rise in coordination between groups sympathetic to Iran and those operating against Western targets. The Hacker News


Google Patches Two Chrome Zero-Days Exploited in the Wild Affecting Skia Graphics and V8 Engine

Google released emergency Chrome updates to address two actively exploited vulnerabilities: CVE-2026-3909 (CVSS 8.8), an out-of-bounds write in the Skia 2D graphics library, and CVE-2026-3910 (CVSS 8.8), an inappropriate implementation flaw in the V8 JavaScript and WebAssembly engine. Both allow a remote attacker to execute code via a crafted HTML page. Users should update Chrome to version 146.0.7680.75 or later. This brings the total number of weaponized Chrome zero-days patched so far in 2026 to three. The Hacker News


Critical Command Injection Flaw CVE-2026-0625 in Legacy D-Link DSL Routers Actively Exploited

Active exploitation continues against CVE-2026-0625 (CVSS 9.3), a command injection vulnerability in the dnscfg.cgi endpoint of multiple legacy D-Link DSL router models including the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B. Unauthenticated remote attackers can inject and execute arbitrary shell commands. The affected devices are end-of-life and D-Link will not release patches. Organizations still operating these models should replace them or place them behind strict network segmentation with remote administration disabled. The Hacker News | SecurityWeek


Two US Cybersecurity Professionals Plead Guilty to Ransomware Attacks Against American Companies

Two US cybersecurity professionals pleaded guilty to conducting ransomware attacks against American companies. Aleksei Volkov was sentenced to 81 months in federal prison for his role in Yanluowang ransomware attacks. A second individual, associated with the TA-551 cybercrime group (also tracked as Shathak, Gold Cabin, and Monster Libra), also entered a guilty plea. The prosecutions represent part of a broader DOJ effort to hold individuals in the security community accountable for offensive operations against domestic targets. SecurityWeek


Ajax Amsterdam Discloses Data Breach Affecting Hundreds of Individuals

Dutch professional football club AFC Ajax disclosed a data breach after a threat actor exploited vulnerabilities in its IT systems and accessed personal data belonging to a small number of individuals. The club stated that the breach affects a few hundred people and that it is working with authorities and security specialists to assess the full scope. Ajax has notified affected individuals and is taking steps to secure its systems. BleepingComputer


Stay tuned for today’s in-depth analysis posts.
