Cybersecurity Weekly — Mar 10, 2026
Week of March 10, 2026
The Big Picture
The people we hired to stop ransomware were running it, an AI found security holes that human experts missed for 28 years, and law enforcement dismantled a phishing empire that was responsible for most of the MFA-bypass attacks Microsoft blocked last year. This was the week the inside-out nature of modern cybersecurity became impossible to ignore — the threats are coming from trusted professionals, trusted tools, and trusted code that nobody thought to re-examine until a machine did it for them.
This Week's Stories
The Cybersecurity Pros Who Were Running the Ransomware
Two U.S. cybersecurity professionals pleaded guilty this week to conspiracy charges for deploying BlackCat/ALPHV ransomware — one of the most destructive ransomware operations of the past few years. One defendant, Ryan Goldberg, worked as an incident response manager at cybersecurity firm Sygnia. His literal job was to show up after ransomware attacks and help clean them up. Instead, he and his co-conspirators were hacking into company systems, stealing data, and deploying the same ransomware he was paid to fight — operating as affiliates who kicked 20% of every ransom back to the gang's administrators. In one case, they collected $1.2 million in Bitcoin from a single victim.
The insider threat angle here is genuinely chilling. These weren't outsiders guessing at how corporate defenses work — they knew exactly where to look, which alerts to avoid, and how incident response timelines unfold. Sentencing is scheduled for Thursday, March 12, 2026. Both face up to 20 years. If the judge hands down anything close to maximum sentences, it will signal that courts are treating cybersecurity professionals who weaponize their access as a distinct and more serious category of defendant. Watch for it.
An AI Found 12 Security Holes in the Code That Secures the Entire Internet
OpenSSL is the unsung hero protecting almost every secure connection on the internet — your banking website, your email, your company's VPN. It's been reviewed by expert eyes for decades. That wasn't enough.
AISLE's autonomous AI analyzer found all 12 vulnerabilities in OpenSSL's January 2026 coordinated release. Several of those flaws had existed in the code for years — one dating back to 1998, meaning a security hole sat in the world's most critical encryption library for 28 years before a machine caught it. The most serious, CVE-2025-15467, was a stack buffer overflow that could allow remote code execution, rated 9.8 out of 10 in severity.
Then AISLE turned its scanner on Amazon's own cryptographic stack — the libraries Amazon uses across AWS, Python, NGINX, and HAProxy — and reported 13 more issues, two receiving formal CVE designations. Amazon confirmed all issues were addressed; no AWS services were impacted. Meanwhile, Anthropic reported its Claude model found 22 vulnerabilities in Mozilla Firefox in two weeks, 14 of them high-severity, and Mozilla validated and patched most of them.
The headline isn't "AI found bugs." It's "AI found bugs that armies of human experts missed for nearly three decades." Expect every foundational open-source library — the kind of code nobody audits because everyone assumes someone else already did — to come under similar AI scrutiny next.
A Cisco Network Flaw With a Perfect Severity Score Is Being Used Against You Right Now
A CVSS score of 10.0 out of 10 is the cybersecurity equivalent of a five-alarm fire. This week, one of those fires is burning in software that quietly runs the networks of thousands of organizations.
A critical authentication bypass flaw in Cisco Catalyst SD-WAN — tracked as CVE-2026-20127 — has been actively exploited since at least 2023 by a threat actor designated UAT-8616. SD-WAN is the technology large companies use to connect their offices, retail locations, and cloud services into a single managed network. An attacker with unauthenticated admin access to SD-WAN infrastructure has, functionally, a skeleton key to distributed enterprise environments. CISA issued Emergency Directive 26-03 on March 9, 2026, instructing all federal agencies to patch and inventory affected systems within a near-term deadline.
The fact that this flaw was exploited silently for over two years is what makes it alarming. Organizations that deployed SD-WAN as part of "zero-trust transformation" initiatives may have inadvertently centralized their attack surface. If your employer uses Cisco SD-WAN, this patch conversation shouldn't wait for a quarterly review meeting.
International Takedown Dismantles a Massive Phishing Empire
A coordinated global operation led by Europol, with help from Microsoft, Cloudflare, and multiple national law enforcement agencies, shuttered a large phishing-as-a-service platform that intercepted two-factor authentication codes and session cookies — the digital tokens that prove you're logged in. Authorities seized over 300 web domains. Microsoft said the service, commonly referenced as Tycoon 2FA, accounted for roughly 62% of the phishing attempts Microsoft blocked at the service's peak.
Phishing-as-a-service works like any other subscription business: criminals pay a monthly fee and get access to ready-made phishing kits, hosting infrastructure, and tools to intercept the one-time codes your bank sends to your phone. This takedown disrupts the supply chain of mass phishing operations and makes MFA-bypass attacks more expensive — at least temporarily. But expect copycats and splinter services to emerge. This is a window of reduced capability, not a permanent fix.
Hackers Are Messaging Your Coworkers on Microsoft Teams — and Deploying Malware
Everyone knows not to click a suspicious link in email. Fewer people have been trained to distrust a message from "IT Support" on their company's internal chat platform.
Attackers contacted employees at financial and healthcare organizations over Microsoft Teams, posing as IT support, and asked them to share their screen using Quick Assist — Microsoft's legitimate remote-access tool built into Windows. Once the employee complied, the attackers had full control of the machine, and a new piece of malware called A0Backdoor got quietly installed in the background.
What makes this attack genuinely clever is that it exploits trust in corporate infrastructure. Quick Assist is a real tool. Teams is your real, company-issued chat platform. Nothing about the interaction looks like a phishing email. Separately, BleepingComputer reported that Russia's APT28 is using a custom variant of an open-source post-exploitation framework for long-term espionage — suggesting the overlap between criminal ransomware tactics and nation-state spy tools is narrowing fast.
If someone contacts you on Teams claiming to be IT and asking for remote access, call IT directly on a known number first.
⚡ What Most People Missed
Ransomware groups are quietly dropping the ransomware part. Multiple threat intelligence sources report that in 2026, many groups are skipping file encryption entirely — just stealing data and threatening to publish it. Encryption is loud and triggers incident response; quiet theft is nearly as profitable and much harder to detect. Your incident response plan that starts with "someone reported files are encrypted" may be looking for the wrong starting signal.
Fake 7-Zip downloads are turning home PCs into proxy nodes. A domain posing as the legitimate 7-Zip site serves trojanized installers that silently configure your computer to relay attacker traffic. It's the kind of everyday-download story that seeds large botnets from people who just wanted to unzip a file.
AI agent marketplaces are the new malware frontier. The most-downloaded "skill" in ClawHub — an open marketplace for AI agent add-ons — turned out to be malware, slipping malicious code through trusted agent frameworks. Separately, Google patched a high-severity flaw in Chrome's Gemini AI panel that let rogue extensions hijack the live chat feature. The pattern is identical to early mobile app stores: trusted distribution plus social buzz creates a high-reward target.
LexisNexis confirmed a cloud breach on March 4, 2026 that reportedly exposed data on 21,000 enterprise customers and about 400,000 user profiles, including profiles tied to U.S. federal judges and DOJ attorneys. Attackers exploited an unpatched web component rated maximum severity, then pivoted into Amazon Redshift and cloud secret managers. A single unpatched front-end led to a broad cloud compromise.
Nobody has playbooks for forensically investigating an AI system. A veteran DFIR practitioner described doing their first forensic audit of an AI — preserving model weights, auditing plugins, rebuilding a sandbox to reproduce misbehavior — and found that nothing from a decade of traditional investigation experience mapped cleanly onto the work.
📅 What to Watch
- If Thursday's BlackCat insider sentencing on March 12, 2026 approaches maximum penalties, it could pressure cyber insurers to tighten underwriting for employee access, prompt firms to adopt stronger privileged-access isolation, and lead to broader contractual liability clauses in vendor and employment agreements.
- If CISA keeps adding management-plane products to its known-exploited-vulnerabilities catalog (Ivanti, SolarWinds, VMware Aria — as of March 9, 2026), expect vendors to face new compliance scrutiny and for IT teams to start segregating management planes into out-of-band networks — increasing operational complexity and procurement costs.
- If the EU Court of Justice adopts its Advocate General's opinion that banks must refund phishing victims even when customers made the mistake, expect European banks to treat fraud detection as a direct financial liability, which could shift costs onto merchants and reshuffle how online onboarding and transaction liability are negotiated.
- If the reported Social Security Administration data theft is confirmed by federal investigators, it will likely trigger the largest wave of credit freeze requests in U.S. history and accelerate policy moves to deprecate Social Security numbers as primary identity anchors in favor of tokenized identifiers.
- If AI-discovered vulnerabilities keep appearing in foundational libraries at this rate, the implicit social contract of open-source security — "many eyes make all bugs shallow" — will be replaced by "many GPUs make all bugs shallow," and projects without AI audit coverage will become the new unpatched appliances.
A cybersecurity professional moonlighting as a ransomware operator, a 28-year-old bug hiding in the code that encrypts your bank login, and a top-rated AI assistant plugin that was actually malware wearing a productivity costume. The machines are getting better at finding what we missed — the uncomfortable part is that so are the criminals, and sometimes they're the same people.
Stay patched out there.