The Lyceum: Cybersecurity Daily — Mar 14, 2026
Saturday, March 14, 2026
The Big Picture
Google shipped emergency patches for two Chrome zero-days already being used in attacks, CISA slapped both on its mandatory-fix list, and the FBI went public asking Steam gamers to come forward after malware hid inside seven games for nearly two years. Meanwhile, the Cl0p ransomware gang's Oracle campaign quietly crossed 100 named victims — most of whom still haven't said a word. It's a patch-or-pray kind of weekend.
Today's Stories
Update Chrome Right Now — Two Zero-Days Are Already Being Used Against You
Your browser is nagging you to restart. This is the week you actually listen.
Google pushed an emergency Chrome update fixing two vulnerabilities attackers were already exploiting before patches existed. The first, CVE-2026-3909, is an out-of-bounds write in Skia — the graphics library Chrome uses to render everything you see on screen. The second, CVE-2026-3910, hits V8, Chrome's JavaScript engine — the part that runs scripts on every webpage you visit, and a goldmine for attackers who only need you to open the wrong link.
Both carry a CVSS severity of 8.8. CISA added them to its Known Exploited Vulnerabilities catalog on March 13, requiring federal agencies to patch by March 27. The patched version is Chrome 146.0.7680.75/76. Check yours now: three dots → Settings → About Chrome.
Here's the part most coverage buries: the same Chromium engine lives inside Edge, Brave, Arc, Opera, Vivaldi, and dozens of Electron-based desktop apps like Slack and VS Code. Vivaldi is already shipping fixes. Those internal tools your company built on Electron? They probably bundle a frozen Chromium build that won't auto-update. These are the second and third actively exploited Chrome zero-days of 2026. The year is three months old.
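An added example (not from the original newsletter) of filling a "browser engine" inventory column for desktop apps: it looks for an embedded Chromium version in each app binary and compares it with the patched build named above. It assumes the engine leaves a "Chrome/<version>" user-agent token in the binary, which is a heuristic; the app names and sample bytes are constructed.

```python
import re

# Patched Chrome build named in the article (146.0.7680.75/76).
PATCHED = (146, 0, 7680, 75)

# Assumption: the bundled engine leaves a "Chrome/<a.b.c.d>" user-agent
# token in the application binary. Heuristic, not an Electron or Chromium API.
UA_TOKEN = re.compile(rb"Chrome/(\d{1,4})\.(\d{1,5})\.(\d{1,5})\.(\d{1,5})(?!\d)")

def engine_versions(blob):
    """Distinct Chromium versions embedded in raw bytes, oldest first."""
    hits = {tuple(int(p) for p in m.groups()) for m in UA_TOKEN.finditer(blob)}
    return sorted(hits)

def classify(blob):
    """Return (status, [versions]) for the inventory's browser-engine column."""
    found = engine_versions(blob)
    text = [".".join(map(str, v)) for v in found]
    if not found:
        return ("unknown", text)      # no token found: inspect by hand
    if len(found) > 1:
        return ("ambiguous", text)    # several tokens: cannot tell which is live
    # Below the patched build means "check the vendor advisory": fixes can be
    # backported to older branches, so this is a review flag, not a verdict.
    return ("patched" if found[0] >= PATCHED else "review", text)

ORDER = {"review": 0, "ambiguous": 1, "unknown": 2, "patched": 3}

def audit(binaries):
    """binaries: {app name: bytes}. Rows sorted so apps needing work come first."""
    rows = [(name, *classify(blob)) for name, blob in binaries.items()]
    return sorted(rows, key=lambda r: (ORDER[r[1]], r[0]))

# Constructed sample bytes standing in for real application binaries.
SAMPLE = {
    "chat-client": b"\x7fELF\x00Mozilla/5.0 Chrome/146.0.7680.76 Safari/537.36\x00",
    "internal-dashboard": b"MZ\x90\x00Mozilla/5.0 Chrome/132.0.6834.83 Safari/537.36\x00",
    "kiosk-shell": b"\x00Chrome/146.0.7680.75\x00spoof-ua Chrome/120.0.6099.71\x00",
    "backup-cli": b"\x7fELF\x00no embedded browser engine\x00",
}

if __name__ == "__main__":
    for name, status, versions in audit(SAMPLE):
        print(f"{name:20} {status:10} {', '.join(versions) or '-'}")
```

To run it against real software, replace SAMPLE with the bytes of each installed app's main binary or framework library.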
The FBI Wants to Hear From You If You Downloaded These Steam Games
The FBI's Seattle Division published a notice asking anyone who installed certain Steam games between May 2024 and January 2026 to come forward. The seven titles: BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova. All distributed information-stealing malware designed to harvest saved passwords, cryptocurrency wallets, and session tokens.
The FBI's notice references a singular "threat actor," suggesting investigators already believe one group is behind all seven. Valve has confirmed the investigation is real and sent targeted emails to affected users, meaning they have download telemetry and know who's exposed.
If you installed any of these titles: check your Steam library, run a malware scan, change your passwords, and submit a report to the FBI. Steam has 132 million monthly users. Even a niche campaign can touch a staggering number of people — especially when the malware sat undetected for nearly two years.
Cl0p's Oracle Rampage Just Crossed 100 Victims — And Most Haven't Said a Word
Cl0p now lists 103 organizations hit through Oracle E-Business Suite — the enterprise resource planning software that manages HR, financials, and customer records for thousands of large companies. The names include Michelin, Canon, Mazda, Estée Lauder, Broadcom, Harvard University, The Washington Post, Schneider Electric, Logitech, and Cox Enterprises. Seventy-seven victim datasets are already on torrent links.
The entry point: CVE-2025-61882, a CVSS 9.8 flaw in Oracle EBS's BI Publisher Integration that lets attackers run arbitrary code over HTTP — no password, no phishing, just a web request. Cl0p exploited it as a zero-day for at least two months before patches existed. Most listed organizations have neither confirmed nor denied the breach.
One darkly ironic detail: Oracle's own name briefly appeared on Cl0p's leak site before vanishing — suggesting the vendor itself may have been hit by the vulnerability it was slow to patch for customers. If you run Oracle EBS versions 12.2.3 through 12.2.14, patch CVE-2025-61882 and CVE-2025-61884 immediately.
Critical HPE/Aruba Switch Flaw Lets Anyone Reset the Admin Password
A CVSS 9.8 vulnerability in HPE/Aruba AOS-CX switches (CVE-2026-23813) lets an attacker reset admin credentials through the web management interface without any valid login. That hands over the switch — and with it, the ability to intercept, reroute, or persist on an entire network segment.
HPE has published patches. If you can't apply them immediately, restrict management-plane access with ACLs and management VLANs, and monitor for unexpected configuration changes. Network gear lives in a patching blind spot for most organizations — it shouldn't. A compromised switch is a compromised network.
⚡ What Most People Missed
- Veeam Backup just got two 9.9-severity CVEs (CVE-2026-21672 and CVE-2026-21708) affecting versions 12 and 13 — including "simple" non-domain-joined installations people forget about. Backup servers hold the keys to recovery, so these vulnerabilities can accelerate ransomware attacks if attackers reach them. Patch immediately.
- A security scanner got its own CVE. Aqua Security's Trivy — a tool teams use to find vulnerable containers — has been assigned CVE-2026-28353, and public discussion is conspicuously quiet. When the tool you trust to find vulnerabilities is itself vulnerable, your CI/CD pipeline has a trust problem.
- A researcher found a bug exposing children's data, reported it responsibly, and got threatened with lawyers. Yannick Dixken's blog post hit #1 on Hacker News with 917 points. The vulnerability is fixed, but the chilling effect on disclosure is the real damage — when researchers get sued for doing the right thing, the next one quietly closes the tab.
- An AI agent independently found a critical Microsoft bug. CVE-2026-21536, a CVSS 9.8 RCE, was credited to XBOW — a fully autonomous penetration testing AI. Microsoft fixed it server-side. The signal: automated agents are moving from "assistive" to "discovering at scale," and that changes the velocity of vulnerability disclosure for everyone.
- Recent Japanese figures show small businesses absorbing roughly 60% of domestic ransomware damage in the latest reporting period. The trend is global: you are not too small to be interesting.
📅 What to Watch
- If exploit kits integrate CVE-2026-3909 and CVE-2026-3910, the Chrome zero-days shift from targeted attacks to commodity drive-bys against anyone running an outdated Electron app they forgot about.
- If Electron-based tools like Slack or VS Code ship urgent Chromium 146 updates, it means your asset inventory needs a "browser engine" column, not just a browser list — otherwise you will miss desktop apps that silently expose the same vector as browsers.
- If whistleblower allegations about the Social Security Administration's data handling are substantiated, the exposure would not be patchable in the short term — Numident records cover 500+ million Americans, and the remediation playbook for government-scale identity data loss does not exist yet.
- If Akira ransomware updates its encryption after the GPU-based decryptor gained renewed attention this week, the window for $1,200 cloud-GPU recovery closes — and every victim who waited loses their shot.
- If privacy groups file lawsuits over Meta's removal of Instagram DM encryption, expect regulatory scrutiny that could reshape platform encryption policy and force product teams to redesign messaging backends in ways that impact developer timelines and user experience.
The Closer
A browser that needs restarting, seven indie games that were actually heist tools, and a switch that lets strangers reset the admin password by asking nicely. Somewhere, a security researcher is staring at a bug, weighing whether reporting it will earn a thank-you note or a cease-and-desist — and that calculation is the most expensive vulnerability nobody's patching.
Stay sharp. Stay patched. Don't restart "later."
If someone you know is still running Chrome 145, do them a favor and forward this.