Cybersecurity Headlines – March 20, 2026
Host: Steve Prentiss, CISO Series
Episode Focus: Key vulnerabilities, emerging cyberattack tactics, major data breaches, and new security technologies shaping the information security landscape.
Episode Overview
This episode breaks down the latest pressing stories in cybersecurity, highlighting a critical Microsoft SharePoint flaw actively exploited in attacks, advances in real-time endpoint protection, urgent warnings around Microsoft Intune following a high-profile breach, the launch of an AI agent security platform, significant vulnerabilities in Ubiquiti UniFi, a targeted attack on Ukraine’s maritime agency, a massive health data breach at Navia, and the emergence of a sophisticated Android banking malware. The tone is urgent yet informative, guiding security professionals and organizations toward immediate action.
Key Stories & Insights
1. Critical Microsoft SharePoint Flaw Now Exploited
- Summary: A critical deserialization vulnerability in Microsoft SharePoint (CVE number given in the episode; patched in January) is now being actively exploited.
- Affected Versions: SharePoint Enterprise Server 2016, 2019, and Subscription Edition. End-of-support versions (2007, 2010, 2013) are also vulnerable but will not receive patches.
- Impact: Unprivileged remote code execution possible via low-complexity attacks.
- Advice: Admins are urged to patch supported systems and upgrade unsupported versions.
“Successful exploitation enables threat actors without privileges to achieve remote code execution on unpatched servers in low complexity.” – Steve Prentiss (00:20)
2. First Protect Launches Real-Time Endpoint Security Platform
- Summary: Startup First Protect (1st Protect) unveils an endpoint security tool focusing on system behavior and user intent to prevent cyberattacks in real time.
- Key Features:
  - Policy enforcement at runtime.
  - Operates at the OS level — decisions are local, not cloud-dependent.
  - Capable of defending disconnected/restricted systems.
- Leadership: Kervin Pillay (CEO, ex-CTO Automation at Cisco); Rafael (CTO, formerly at SentinelOne, CrowdStrike, Symantec, Forcepoint).
“Their solution enforces security policies at runtime, blocking malicious behavior at the operating system level instead of relying on a cloud architecture for decision making.” – Steve Prentiss (01:23)
3. CISA Urges Hardening of Microsoft Intune Systems (Post-Stryker Breach)
- Summary: CISA issues warning after a catastrophic breach at Stryker, traced to compromised Intune administrative controls.
- Incident Details:
  - 50TB stolen, 80,000 devices wiped.
  - Attack used a new global admin account created post-compromise.
  - Breach attributed to Iranian-linked group Handala.
- Action Needed: Immediate hardening of administrative controls for Intune per Microsoft’s guidance.
“CISA is now urging all US organizations to harden their Intune environments to make them more resilient against similar attacks that could target their own networks.” – Steve Prentiss (02:15)
4. SALT Security Launches Agentic Security Platform for the AI Stack
- Summary: SALT Security announces their Agentic Security Platform—engineered to make AI agent adoption secure and scalable.
- Key Innovations:
  - Visibility into relationships between LLMs, MCP servers, and APIs.
  - Focus on agent actions, not just prompts or models.
- Quote:
“Most security systems focus on prompts and models, but the real enterprise risk is not just in what an agent can say, it is in what an agent can do through MCP servers and APIs.” – Roy Eliahoo, CEO & Co-founder, SALT Security (03:13)
5. Maximum Severity Ubiquiti UniFi Flaw Allows Account Takeover
- Summary: Ubiquiti has patched a major vulnerability in UniFi Network Application (versions before 10.1.1) that could let an attacker without privileges take over accounts through a path traversal exploit.
- Details:
  - Low complexity.
  - No user interaction required.
  - Fixed as of version 10.1.1+.
“Successful exploitation enables threat actors without privileges to exploit a path traversal vulnerability to access files on the targeted devices and potentially hijack user accounts.” – Steve Prentiss (04:12)
6. Russian Hackers Exploit Zimbra Flaw to Target Ukrainian Maritime Agency
- Summary: APT28/Fancy Bear, a Russian state-linked threat group, breached the State Hydrographic Service of Ukraine through a Zimbra webmail cross-site scripting (XSS) vulnerability using carefully crafted phishing emails.
- Attack Vector: No attachments—malicious code embedded in email body.
- Target: Agency responsible for maritime infrastructure.
“The attackers exploited a CVE numbered cross-site scripting flaw, allowing them to inject malicious code directly into an email viewed through Zimbra's browser based interface.” – Steve Prentiss (04:57)
7. Navia Incident Exposes Health Plan Information
- Summary: Navia Benefit Solutions, provider to 10,000+ companies, suffered a breach affecting nearly 2.7 million people—SSNs and other sensitive data stolen.
- Incident Timeline: Attack began in December.
- Impacted Data: Health plan details, Social Security numbers, personal data.
“Almost 2.7 million people had health plan, Social Security numbers and other sensitive data stolen during a security incident that began in December.” – Steve Prentiss (05:39)
8. Perseus Android Banking Malware
- Summary: ThreatFabric discloses new Android banking malware “Perseus,” designed for device takeover and financial fraud—more capable than Cerberus or Phoenix.
- Key Behaviors:
  - Focuses on notes apps, seeking valuable personal/financial info.
  - Latest campaigns seen in Turkey and Italy.
“Perseus monitors user notes indicating a focus on extracting high value personal or financial information.” – Steve Prentiss (06:13)
Notable Quotes & Moments
- On SharePoint’s Risk:
“Admins of these systems are advised to upgrade to a supported version to help block the attacks.” (00:38)
- On First Protect's Self-Defending Design:
“...Operates as a self-defending system even in disconnected or restricted environments.” (01:40)
- On AI Security Risks:
“The real enterprise risk is not just in what an agent can say, it is in what an agent can do...” – Roy Eliahoo, SALT Security (03:18)
- On Zimbra Exploit Tactics:
“The attack did not use an attachment, but instead embedded the exploit within the body of a single email.” (05:05)
- On Navia Breach Magnitude:
“Navia manages company healthcare benefits... almost 2.7 million people had health plan... and other sensitive data stolen...” (05:43)
Timestamps for Critical Segments
- Critical SharePoint Flaw Explained: 00:20–01:15
- First Protect Endpoint Security Launch: 01:18–02:03
- CISA / Intune Warning (Stryker Breach): 02:06–02:38
- SALT Agentic Security Platform: 03:13–03:44
- Ubiquiti UniFi Vulnerability: 04:12–04:49
- Russian Hackers and Zimbra Exploit: 04:57–05:14
- Navia Health Data Breach: 05:39–06:08
- Perseus Android Banking Malware: 06:13–06:38
Conclusion
This episode spotlights evolving threats and urgent action items for InfoSec leaders: rapid patching (SharePoint, Ubiquiti), adoption of real-time endpoint protection, hardening admin controls (Intune), and safeguarding AI agent pipelines. It underscores both the sophistication of modern attackers—from nation-state threats to AI-driven deepfakes—and the breadth of their targets, from health data to infrastructure and financial systems.
Stay vigilant and follow up on patches, protection strategies, and the latest CISA and vendor advisories.
