
A
From the CISO series, it's Cybersecurity Headlines
B
These are the cybersecurity headlines for Monday, March 23, 2026. I'm Steve Prentice.

Law enforcement seizes botnet infrastructure. Agencies and tech companies from the U.S., Germany and Canada collaborated on an operation designed to seize infrastructure used by the Aisuru, Kimwolf, Jackskid and Mossad botnets. All of these were used to deliver DDoS attacks. The four botnets were built out of about 3 million compromised devices around the world, many of which are Internet of Things devices like cameras, routers and video recorders. Hundreds of thousands of these are located in the US and some were behind firewalls. The botnet operators monetized these by selling access to other criminal organizations, and the Justice Department did not say if any arrests were made in conjunction with the infrastructure takedown.

California city and LA transit agency report cybersecurity issues. Foster City, a Silicon Valley area town, had to pause all public services outside of emergency responses on Thursday following a ransomware attack. City Manager Stephane Chatwin declared a state of emergency, and the city warned that theft of public information was possible and that people should change personal passwords that related to city activities and to take measures to protect personal data. This attack was followed by a potential attack attempt on the Los Angeles Metro service. A ransomware gang has claimed that it attacked this service, and although city officials have not responded to media requests for clarification, technical issues with its internal administrative computer systems were reported by the transit service on Friday morning.

Microsoft Azure Monitor alerts used for callback phishing attacks. Azure Monitor is Microsoft's cloud-based monitoring service that collects and analyzes data from Azure resources, applications and infrastructure, allowing users to track performance, billing changes, detect issues and trigger alerts based on various conditions.
Numerous customers of the service have recently reported receiving Azure Monitor alerts that include warnings of suspicious charges or invoice activity on their accounts and which request the customers to call an enclosed phone number. The verbiage of the warning is in line with that released by legitimate software services, right down to an apology for the inconvenience. But unlike other phishing campaigns, these messages are not spoofed but are sent directly by the Microsoft Azure Monitor platform using the legitimate azure-noreply@microsoft.com email address.

Huge thanks to our sponsor, ThreatLocker. Most breaches don't start with a zero day. They start because something unexpected was allowed to run. One way organizations reduce risk is by shrinking the attack surface, deciding what software should be allowed to execute, and blocking everything else. Fewer unknowns means fewer opportunities for attackers. You can learn more at threatlocker.com.

Feds issue PSA regarding Russian Signal phishing campaign. Following up on a story we covered this past month, the FBI and CISA issued a joint public service announcement on Friday warning that Russian intelligence-affiliated hackers have gained access to thousands of users' messaging apps with a global phishing campaign. The campaign chiefly seeks high-value targets, including current and former US Government officials, political figures, military personnel and journalists. The US agencies reiterated that hackers had not been able to bypass end-to-end encryption, instead manipulating users into giving up access by posing as Signal help personnel. A link to the PSA posted on ic3.gov is available in the show notes to this episode.

Critical Quest KACE vulnerability potentially exploited. Researchers from Arctic Wolf are warning of suspicious activity affecting unpatched Quest KACE Systems Management Appliance instances exposed to the Internet.
KACE, spelled K-A-C-E, is an on-premises tool used for centralizing endpoint management, including asset inventory, software distribution, patching and monitoring. The vulnerability being exploited has a CVE number and is identified as a critical authentication bypass flaw. Quest patched the flaw in May of last year, but according to Arctic Wolf, there has been one instance of attackers appearing to have exploited it to gain initial access to a system and achieve administrative control.

Oracle patches critical vulnerability in Identity Manager. This vulnerability, which has a CVE number, also carries a CVSS score of 9.8. It is remotely exploitable without authentication, said Oracle in an advisory, and could result in remote code execution. NIST calls the flaw easily exploitable by an unauthenticated attacker with network access via HTTP. Oracle has made no mention of this vulnerability currently being exploited in the wild.

Microsoft rolls back some of its Copilot AI bloat on Windows. The company announced on Friday changes focused on improving the quality of its Windows 11 operating system, which notably includes dialing back the number of entry points to its AI assistant Copilot. The reductions will apply to apps such as Photos, Widgets, Notepad and its Snipping Tool. As reported in TechCrunch, this less-is-more approach to integrating AI into its existing platforms may reflect the growing consumer pushback against AI bloat. A Pew Research study published this month noted that half of US adults are now more concerned than excited about AI as of June 2025, up from 37% in 2021. End quote.

If you're around the Big Apple, then you should join us for a live CISO Series podcast recording. Next month we are going to be at NASDAQ for Intezer's AI SOC Live event on April 27th. This is an invite-only event, so if you're a security leader, please head on over to our Events page to get the details.
We'll have the same great discussions with our CISO guests like we feature on every episode, plus a few more fun games and a lightning Q&A. We would love to see you there. So head on over to our events page at cisoseries.com for more information.

And if you want to know more about the most pressing stories of the last few days in time for your weekly stand-up, join us today at 4:00pm Eastern for the Department of Know, where our guests, Bill Harmer, CISO at Supabase, and Chris Ray, Field CTO at GigaOm, will sort out the priority stories and do a deep dive on the ones that matter most. Just go to YouTube, search for CISO Series and look for the Department of Know for March 23rd under upcoming live streams.

Finally, if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice, reporting for the CISO Series.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full story behind the headlines.
Host: Steve Prentice (CISO Series)
Theme: Major cyber incidents and vulnerabilities shaping the week’s security landscape, including international botnet takedowns, significant ransomware attacks, novel phishing exploitations, and critical software vulnerabilities.
[00:06–01:40]
Notable Moment:
"The four botnets were built out of about 3 million compromised devices around the world, many of which are Internet of Things devices like cameras, routers and video recorders." — Steve Prentice [00:29]
[01:41–02:34]
Quote:
"The city warned that theft of public information was possible and that people should change personal passwords that related to city activities and to take measures to protect personal data." — Steve Prentice [02:07]
[02:35–03:30]
Notable Moment:
"Unlike other phishing campaigns, these messages are not spoofed but are sent directly by the Microsoft Azure Monitor platform…" — Steve Prentice [03:13]
[03:52–04:32]
Quote:
"Hackers had not been able to bypass end-to-end encryption, instead manipulating users into giving up access by posing as Signal help personnel." — Steve Prentice [04:19]
[04:33–05:12]
[05:13–05:39]
[05:40–06:26]
Quote:
"This less is more approach to integrating AI into its existing platforms may reflect the growing consumer pushback against AI bloat." — Steve Prentice [06:15]
| MM:SS | Topic |
|-------|-------|
| 00:06 | International botnet takedown |
| 01:41 | CA city + LA Metro ransomware attacks |
| 02:35 | Azure Monitor callback phishing |
| 03:52 | Russian Signal PSA |
| 04:33 | Quest KACE exploit in the wild |
| 05:13 | Oracle Identity Manager vulnerability |
| 05:40 | Microsoft Copilot “AI bloat” rollback |
This episode delivers a concise, rapidly paced briefing on pressing infosec stories, covering everything from large-scale law enforcement wins to ongoing municipal ransomware woes, innovative phishing leveraging trusted systems, and urgent vulnerabilities in enterprise IT infrastructure. The coverage skillfully blends technical detail, practical risk implications, and timely user advice—mirroring the show’s trademark efficient, real-world tone.
For detailed information on any coverage, visit CISOseries.com.