20 Mar 2026

Week in review

Greetings,

Identity protection company Aura has confirmed a data breach that exposed contact information belonging to nearly 900,000 people. The incident was disclosed this week after Aura determined that an unauthorised party gained temporary access to internal systems following a targeted voice phishing, or “vishing”, attack on one of its employees.

According to Aura, the attacker was able to access an employee account for approximately one hour, which they used to extract data from a marketing tool inherited through a company acquisition in 2021. The exposed information primarily consists of names and email addresses tied to marketing contacts, with the company estimating that fewer than 20,000 current customers and fewer than 15,000 former customers were affected directly. Aura emphasised that highly sensitive data such as Social Security numbers, passwords, and financial information were not compromised in the incident.

The breach came to public attention after the ShinyHunters cyber crime group claimed responsibility, alleging that they had stolen a significantly larger dataset and attempted to extort the company. While Aura has acknowledged the breach itself, it has not confirmed all the threat actor’s claims and says it is continuing to investigate the scope of the incident with the support of external cyber security experts and law enforcement.

Aura has begun the process of notifying affected individuals and says it is reviewing its security controls and internal processes.


Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE
Date: 2026-03-18
Author: The Hacker News

[AUSCERT has contacted affected members where applicable]
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2026.0059]
Cybersecurity researchers have disclosed a critical security flaw impacting the GNU InetUtils telnet daemon (telnetd) that could be exploited by an unauthenticated remote attacker to execute arbitrary code with elevated privileges.
The vulnerability, tracked as CVE-2026-32746, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of an out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler that results in a buffer overflow, ultimately paving the way for code execution.

Critical HPE AOS-CX Vulnerability Allows Admin Password Resets
Date: 2026-03-14
Author: Security Week

Hewlett Packard Enterprise (HPE) this week announced patches for a critical-severity vulnerability in Aruba Networking AOS-CX that could be exploited to reset administrator passwords.
The issue, tracked as CVE-2026-23813 (CVSS score of 9.8), impacts the web-based management interface of AOS-CX switches and can be exploited remotely, without authentication, to bypass authentication controls.
The bug impacts HPE Aruba Networking CX 4100i, CX 6000, CX 6100, CX 6200, CX 6300, CX 6400, CX 8320, CX 8325, CX 8360, CX 9300, and CX 10000 series switches.

Storm-2561 Uses Fake Fortinet, Ivanti VPN Sites to Drop Hyrax Infostealer
Date: 2026-03-17
Author: HackRead

In mid-January 2026, Microsoft Defender Experts identified a devious way that cybercriminals are tricking people into giving away their private information. A group known as Storm-2561 has been setting up fake websites that look exactly like official download pages for popular office software, specifically Virtual Private Networks (VPNs).
As we know, a VPN is a tool many of us use to stay secure online. Ironically, the attackers are using this trust against us.

Open VSX extensions hijacked: GlassWorm malware spreads via dependency abuse
Date: 2026-03-16
Author: InfoWorld

Threat actors are publishing clean extensions that later update to depend on hidden payload packages, bypassing marketplace checks and silently installing malware onto developers’ systems.
Threat actors are abusing extension dependency relationships in the Open VSX registry to indirectly deliver malware in a new phase of the GlassWorm supply-chain campaign.

LeakNet ransomware uses ClickFix, Deno runtime in stealthy attacks
Date: 2026-03-17
Author: Bleeping Computer

The LeakNet ransomware gang is now using the ClickFix technique for initial access into corporate environments and deploys a malware loader based on the open-source Deno runtime for JavaScript and TypeScript.
The attacker is using the legitimate Deno to decode and execute a malicious payload directly into system memory, minimizing forensic evidence on the disk and lowering the chance of detection.


ASB-2026.0059 – GNU InetUtils telnetd: CVSS (Max): 9.8

A critical (CVSS 9.8) vulnerability in GNU InetUtils telnetd has been disclosed that allows unauthenticated remote code execution as root via a buffer overflow.

ESB-2026.2593 – FreeRDP: CVSS (Max): 9.8

Multiple vulnerabilities in FreeRDP (CVE-2026-27951 and others) have been identified, caused by improper handling of RDP packets. These flaws could allow a remote attacker to crash the client (denial of service) or potentially execute arbitrary code.

ESB-2026.2567 – Splunk Universal Forwarder: CVSS (Max): 9.8

This bulletin addresses multiple high-severity vulnerabilities in Splunk Universal Forwarder caused by outdated OpenSSL components, which could impact cryptographic security.

ESB-2026.2548 – CODESYS in Festo Automation Suite: CVSS (Max): 9.8

Multiple vulnerabilities have been reported in CODESYS within Festo Automation Suite (CVSS up to 9.8), including authentication bypass, weak/default security controls, path traversal, and improper access control. These flaws could allow unauthorized access, data exposure, and potential system compromise.

ESB-2026.2524 – Red Hat Insights Proxy: CVSS (Max): 8.1

This bulletin addresses multiple vulnerabilities in the Red Hat Insights proxy container image. These issues may impact security and privacy in environments using the proxy.


Stay safe, stay patched and have a good weekend!

The AUSCERT team