Cyber Threat Intelligence

Exploited Browsers and Cloud Identity Abuse

Written by Kyle Gill, Information Security Officer | Mar 19, 2026 7:28:42 PM

1) Executive Summary

This update window shows a sharper emphasis on exploited browser flaws, exposed workflow automation, and privileged cloud administration abuse. The most operationally relevant items were CISA's March 11 addition of n8n RCE to KEV, CISA's March 13 addition of two actively exploited Google Chrome flaws to KEV, continued financial-sector relevance of BeyondTrust Remote Support exploitation, and Unit 42 reporting that destructive actors are increasingly abusing identities and Microsoft Intune rather than relying only on custom wipers.

Threat level
Elevated

Most relevant risk
Identity and management-plane abuse

Immediate management ask
Patch exploited assets and tighten privileged cloud admin controls

Key Developments

Date

Theme

What changed

Bank relevance

Mar 11

n8n added to KEV

CISA added CVE-2025-68613, a critical n8n remote code execution issue, to the KEV catalog after evidence of active exploitation.

Review any self-hosted or vendor-embedded workflow automation platforms tied to data movement, AI workflows, or internal APIs.

Mar 13

Chrome zero-days

CISA added CVE-2026-3909 and CVE-2026-3910 to KEV. Google issued emergency Chrome updates and noted exploitation in the wild.

Prioritize browser patching and restart enforcement because browser access underpins Microsoft 365, admin portals, and vendor SaaS sessions.

Window active

BeyondTrust exploitation

Unit 42 reported ongoing exploitation of CVE-2026-1731 in BeyondTrust Remote Support, including reconnaissance, account creation, webshell activity, C2, lateral movement, and data theft.

Remote support and privileged access tooling remain management-plane risk; verify exposure and remediation status with urgency.

Mar 12 / 16

Identity weaponization

Unit 42 warned that Iran-aligned destructive operations are using phishing and Microsoft Intune administrative abuse, then described a broader shift from custom wipers to identity weaponization.

Treat Entra, Intune, and privileged cloud administration as Tier 0 infrastructure and monitor for authenticated destructive actions.

Mar 13

INTERPOL disruption

Operation Synergia III removed more than 45,000 malicious IPs/servers and led to 94 arrests across 72 countries and territories.

The scale confirms that phishing, malware, and ransomware infrastructure remains abundant even after public disruptions.

 

Next 72 hours

  • Confirm whether the bank or critical vendors use n8n, BeyondTrust Remote Support, or Chrome/Chromium builds that may lag the current patches.
  • Enforce Chrome and Chromium restarts where needed so patched browser versions are actually active on endpoints.
  • Review Entra and Intune privileged activity for unfamiliar sign-ins, standing admin roles, risky session patterns, and any mass administrative actions such as remote wipe or factory reset.
  • Tune SIEM detections for management-plane abuse, not only malware execution - especially destructive actions initiated through trusted cloud administration.

Source References

  1. CISA, "CISA Adds One Known Exploited Vulnerability to Catalog," March 11, 2026.
  2. CISA, "CISA Adds Two Known Exploited Vulnerabilities to Catalog," March 13, 2026.
  3. Google Chrome Releases, "Stable Channel Update for Desktop," March 12, 2026, updated March 13, 2026.
  4. Palo Alto Networks Unit 42, "VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)," February 19, 2026.
  5. Palo Alto Networks Unit 42, "Insights: Increased Risk of Wiper Attacks," March 12, 2026.
  6. Palo Alto Networks Unit 42, "Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization," March 16, 2026.
  7. INTERPOL, "45,000 malicious IP addresses taken down in international cyber operation," March 13, 2026.
View full post