
A
From the CISO series, it's Cybersecurity Headlines
B
These are the cybersecurity headlines for Friday, March 20, 2026. I'm Steve Prentiss.

Critical Microsoft SharePoint flaw now exploited in attacks. According to CISA, this CVE numbered flaw, which was patched in January, is now being exploited. It affects SharePoint Enterprise Server 2016 and 2019 and SharePoint Server Subscription Edition. Successful exploitation enables threat actors without privileges to achieve remote code execution on unpatched servers in low complexity attacks that exploit a deserialization of untrusted data weakness. SharePoint Server 2007 and 2010 and SharePoint Server 2013 are also vulnerable to these attacks, but being end of support, they no longer receive security updates. Consequently, admins of these systems are advised to upgrade to a supported version to help block the attacks.

First Protect reveals endpoint security platform intended to prevent cyber attacks in real time. A startup by the name of First Protect, i.e. 1st Protect, emerged from stealth mode yesterday to announce its endpoint security platform that monitors system behavior and user intent to prevent cyber attacks in real time. Their solution enforces security policies at runtime, blocking malicious behavior at the operating system level instead of relying on a cloud architecture for decision making. End quote. It does this by analyzing the attack's destination and intent and operates as a self-defending system even in disconnected or restricted environments. The startup's Chief Executive Officer, Kervin Pillay, previously served as Chief Technology Officer of Automation at Cisco, while its Chief Technology Officer, Rafael, held senior leadership positions at SentinelOne, CrowdStrike, Symantec and Forcepoint.

CISA urges U.S. organizations to secure Microsoft Intune systems following Stryker breach. This warning refers to Microsoft's published guidance on hardening Intune administrative controls shortly after Stryker was breached in an incident that has since been claimed by Iranian-linked hacktivist group Handala. A source familiar with the incident, in which 50 terabytes of data were stolen and nearly 80,000 devices were wiped, said the attack used a new global administrator account created after compromising an administrator account. CISA is now urging all US organizations to harden their Intune environments to make them more resilient against similar attacks that could target their own networks. End quote.

SALT Security launches agentic security platform for the AI stack. This release, named the SALT Agentic Security Platform, has been designed to enable organizations to adopt AI agents safely and at scale to enhance connectivity. The platform allows visibility into the full set of relationships between LLMs, MCP servers and APIs that enable agent behavior, according to Roy Eliahoo, CEO and co-founder of SALT Security. Most security systems focus on prompts and models, but the real enterprise risk is not just in what an agent can say, it is in what an agent can do through MCP servers and APIs.

Huge thanks to our sponsor Adaptive Security. This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI powered social engineering. Picture a new hire who interviews well, except they're synthetic. AI video, AI voice, AI backstory. Once they're in, they go after payroll, internal documents and access. That's the new reality. The attack surface is trust itself. Adaptive fights back with realistic deepfake simulations and training that actually sticks.
Learn more at adaptivesecurity.com. That's the two words adaptive security dot com.

Maximum severity Ubiquiti UniFi flaw may allow account takeover. Ubiquiti has now patched two vulnerabilities in the UniFi Network application, including a maximum severity flaw that may allow attackers to take over user accounts. The flaw, which has a CVE number, impacts UniFi Network application version 10.1.1 and earlier and is addressed in versions 10.1.1 or later. Successful exploitation enables threat actors without privileges to exploit a path traversal vulnerability to access files on the targeted devices and potentially hijack user accounts in low complexity attacks that do not require user interaction.

Russian hackers exploit Zimbra flaw to breach Ukrainian maritime agency. A Russian state-backed hacker group, likely APT28, who we all know as Fancy Bear, has targeted a Ukrainian government agency by sending phishing emails through a vulnerability in Zimbra webmail software. The victim was the State Hydrographic Service of Ukraine, which plays a role in maritime navigation and other critical infrastructure services. The attackers exploited a CVE numbered cross-site scripting flaw, allowing them to inject malicious code directly into an email viewed through Zimbra's browser-based interface. The attack did not use an attachment, but instead embedded the exploit within the body of a single email.

Navia incident exposes health plan information. Navia Benefit Solutions, a third-party administrator for more than 10,000 companies, has announced that almost 2.7 million people had health plan, Social Security numbers and other sensitive data stolen during a security incident that began in December. Navia manages company healthcare benefits like health reimbursement arrangements and flexible spending accounts.
Perseus Android banking malware exploits notes apps. Researchers at ThreatFabric are warning of a new Android malware family called Perseus, whose mission is device takeover and financial fraud as a more flexible and capable platform than its parents Cerberus and Phoenix. Perseus monitors user notes, indicating a focus on extracting high value personal or financial information. Campaigns are currently focusing on areas in Turkey and Italy.

Have you joined us for a live Department of Know show yet? I know you've heard it in your podcast feed, but if you can, please join us this Monday at 4pm Eastern Time for the livestream. We love featuring our favorite comments during the show and you can get your questions answered directly by our security leader guests. Plus you get to meet some of your fellow Cybersecurity Headlines fans in the chat. So why not set a calendar reminder to join the stream on the CISO Series YouTube channel Monday at 4pm Eastern. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Steve Prentiss, CISO Series
Episode Focus: Key vulnerabilities, emerging cyberattack tactics, major data breaches, and new security technologies shaping the information security landscape.
This episode breaks down the latest pressing stories in cybersecurity, highlighting a critical Microsoft SharePoint flaw actively exploited in attacks, advances in real-time endpoint protection, urgent warnings around Microsoft Intune following a high-profile breach, the launch of an AI agent security platform, significant vulnerabilities in Ubiquiti UniFi, a targeted attack on Ukraine’s maritime agency, a massive health data breach at Navia, and the emergence of a sophisticated Android banking malware. The tone is urgent yet informative, guiding security professionals and organizations toward immediate action.
“Successful exploitation enables threat actors without privileges to achieve remote code execution on unpatched servers in low complexity.” – Steve Prentiss (00:20)
“Their solution enforces security policies at runtime, blocking malicious behavior at the operating system level instead of relying on a cloud architecture for decision making.” – Steve Prentiss (01:23)
“CISA is now urging all US organizations to harden their Intune environments to make them more resilient against similar attacks that could target their own networks.” – Steve Prentiss (02:15)
“Most security systems focus on prompts and models, but the real enterprise risk is not just in what an agent can say, it is in what an agent can do through MCP servers and APIs.” – Roy Eliahoo, CEO & Co-founder, SALT Security (03:13)
“Successful exploitation enables threat actors without privileges to exploit a path traversal vulnerability to access files on the targeted devices and potentially hijack user accounts.” – Steve Prentiss (04:12)
“The attackers exploited a CVE numbered cross-site scripting flaw, allowing them to inject malicious code directly into an email viewed through Zimbra's browser based interface.” – Steve Prentiss (04:57)
“Almost 2.7 million people had health plan, Social Security numbers and other sensitive data stolen during a security incident that began in December.” – Steve Prentiss (05:39)
“Perseus monitors user notes indicating a focus on extracting high value personal or financial information.” – Steve Prentiss (06:13)
This episode spotlights evolving threats and urgent action items for InfoSec leaders: rapid patching (SharePoint, Ubiquiti), adoption of real-time endpoint protection, hardening admin controls (Intune), and safeguarding AI agent pipelines. It underscores both the sophistication of modern attackers—from nation-state threats to AI-driven deepfakes—and the breadth of their targets, from health data to infrastructure and financial systems.
Stay vigilant and follow up on patches, protection strategies, and the latest CISA and vendor advisories.