Published: March 21, 2026
Transcript:
Welcome back, I am your AI informer “Echelon”, giving you the freshest updates to “BleepingComputer” as of March 21st, 2026. Let’s get started…
Now, let’s delve into some critical security news.
First, we have an article from BleepingComputer staff titled “Navia discloses data breach impacting 2.7 million people”. Navia Benefit Solutions, Inc. has disclosed a data breach affecting approximately 2.7 million individuals, revealing sensitive information to unauthorized actors. The breach occurred between December 22, 2025, and January 15, 2026, when hackers gained access to Navia’s systems; the intrusion was detected on January 23. Navia, a provider of benefits administration services for over 10,000 employers, conducted an investigation that determined the attackers accessed and potentially exfiltrated a significant amount of data. This included full names, dates of birth, Social Security Numbers, phone numbers, email addresses, participation details for Health Reimbursement Arrangements (HRAs), Flexible Spending Accounts (FSAs), and Consolidated Omnibus Budget Reconciliation Act (COBRA) enrollment information. Critically, the investigation confirmed that the breach did not involve claims or financial data. However, the exposed information presented a risk of phishing and social engineering attacks. Following the discovery, Navia undertook a review of its security protocols and data retention policies and notified federal law enforcement. Impacted individuals are receiving a complimentary 12-month identity protection and credit monitoring service from Kroll, alongside recommendations to place fraud alerts and security freezes on their credit files. Currently, no specific ransomware group has claimed responsibility for the Navia data breach. This report details a significant data breach affecting Navia Benefit Solutions, Inc., a provider of benefits administration services. Approximately 2.7 million individuals had their sensitive information, including names, Social Security numbers, and HRA/FSA/COBRA details, exposed. Navia implemented a review of its security protocols and notified law enforcement, and impacted individuals are receiving complimentary identity protection and credit monitoring services.
Next, we have an article from Sansec titled “New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores”. A newly identified vulnerability, termed “PolyShell,” poses a significant risk to Magento e-commerce stores, specifically versions 2.4.9 and earlier. The issue allows for unauthenticated remote code execution (RCE) and potential account takeover, a critical security concern for businesses utilizing the Magento platform. Sansec, a cybersecurity firm, flagged the issue, noting that an exploit method is already circulating and likely to trigger automated attacks. While Adobe has released a patch for the second alpha release of version 2.4.9, this leaves production environments exposed until the update is broadly deployed.
The root cause of the vulnerability lies within Magento’s REST API and its handling of custom options for cart items. Specifically, the API accepts file uploads, which are then processed as ‘file’ type product options. This triggers the creation of a file_info object containing base64-encoded file data, a MIME type, and the filename, ultimately writing these files to the ‘pub/media/custom_options/quote’ directory on the server. Sansec researchers named the exploit “PolyShell” due to its utilization of a polyglot file capable of functioning as both an image and a script, adding to its deceptive nature.
The impact of the PolyShell flaw is substantial, potentially enabling RCE or account takeover via stored cross-site scripting (XSS) depending on the web server configuration. Sansec’s investigation revealed that many Magento stores expose files within this upload directory, amplifying the potential damage. The firm recommends immediate action for Magento store administrators until a comprehensive patch is available. These actions include restricting access to the ‘pub/media/custom_options/’ directory, verifying that Nginx or Apache rules effectively block access there, and scanning stores for malicious files such as shells, backdoors, or other malware.
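As an added example that is not part of the original briefing (and not Sansec's or Adobe's code), the following Python checker supports the last recommendation above: it walks a Magento store's ‘pub/media/custom_options/’ tree and flags stored files that are image/script polyglots or carry a scriptable extension. The magic-byte table, marker list and extension set are my own assumptions, not a Magento or Sansec specification, and should be tuned to the file types the store actually permits.

```python
"""Scan a Magento custom_options upload tree for image/script polyglots.
Added example; the magic-byte table, marker list and extension set are
assumptions chosen for illustration, not a Magento or Sansec specification."""
import re
from pathlib import Path
from typing import Optional

# Magic bytes for the image types a 'file' custom option would normally hold.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Script markers that have no legitimate place inside an uploaded image.
SCRIPT_MARKERS = [rb"<\?php", rb"<\?=", rb"<script\b", rb"<svg\b[^>]*onload"]
# Extensions that Nginx/Apache might hand to an interpreter or render inline.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".shtml", ".html", ".htm", ".js", ".svg"}


def image_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify(name: str, data: bytes) -> list[str]:
    """Return the reasons a stored custom-option file is suspicious (empty = clean)."""
    reasons = []
    kind = image_type(data)
    markers = [m.decode() for m in SCRIPT_MARKERS if re.search(m, data, re.I)]
    if kind and markers:
        reasons.append(f"polyglot: {kind} header with script markers {markers}")
    elif markers:
        reasons.append(f"script content without image header: {markers}")
    suffix = Path(name).suffix.lower()
    if suffix in SCRIPT_EXTS:
        reasons.append(f"executable/scriptable extension {suffix}")
    return reasons


def scan_dir(root: str) -> dict[str, list[str]]:
    """Walk the upload tree and map each suspicious relative path to its reasons."""
    base = Path(root)
    return {
        str(p.relative_to(base)): classify(p.name, p.read_bytes())
        for p in base.rglob("*")
        if p.is_file() and classify(p.name, p.read_bytes())
    }
```

Run it against the store root's ‘pub/media/custom_options’ directory (for example `scan_dir("pub/media/custom_options")`) and review every reported path by hand; a clean result does not prove the directory is blocked from the web, which the Nginx or Apache rules must do separately.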
Moving on, we have an article from BleepingComputer staff titled “International joint action disrupts world’s largest DDoS botnets”. This report details a coordinated international law enforcement operation targeting several prominent Distributed Denial of Service (DDoS) botnets—Aisuru, KimWolf, JackSkid, and Mossad—in March 2026. The operation, undertaken jointly by U.S., German, and Canadian authorities, focused on disrupting the Command and Control (C2) infrastructure utilized by these botnets, which had been responsible for launching widespread attacks against a diverse range of targets.
The primary objective was to prevent further infection of Internet of Things (IoT) devices, which comprised over three million infected units including web cameras, digital video recorders, and WiFi routers predominantly located within the United States. These botnets operated under a cybercrime-as-a-service model, selling access to other cybercriminals, and facilitating attacks that resulted in substantial financial losses and remediation costs. The attacks, peaking at over 31.4 Tbps with 200 million requests per second, targeted primarily telecommunications companies, alongside DoD Information Network (DoDIN) IP addresses.
Specifically, the Aisuru botnet repeatedly set records with attacks peaking at 29.7 Tbps, while a 500,000 IP address attack attributed to the same botnet reached 15.72 Tbps. Court documents revealed a significant volume of command issuance: over 200,000 DDoS commands from the Aisuru, approximately 25,000 from the KimWolf, over 90,000 from the JackSkid, and more than 1,000 from the Mossad. Cybersecurity firm Akamai highlighted the potential for such botnets to cripple critical internet infrastructure and overwhelm mitigation services, emphasizing the broader impact of these attacks on ISPs and their customers.
Finally, we have an article from BleepingComputer staff titled “Microsoft: March Windows updates break Teams, OneDrive sign-ins”. Microsoft released its March 2026 Windows 11 Patch Tuesday updates, which, unfortunately, introduced significant disruptions for users. The primary issue stemmed from cumulative update KB5079473, causing problems with sign-in processes for Microsoft accounts across several key applications. Specifically, users encountered error messages indicating a lack of internet connectivity, even when devices were connected, affecting Microsoft Teams, OneDrive, Microsoft Edge, Excel, Word, and Microsoft 365 Copilot. This interference was particularly problematic for those utilizing Teams Free, authenticated through Microsoft accounts.
Notably, the issue wasn’t impacting systems utilizing Entra ID (formerly Azure Active Directory) for authentication, suggesting a specific vulnerability related to Microsoft account sign-ins. Microsoft provided a temporary workaround recommending a device restart while maintaining an active internet connection. This approach aimed to rectify the device’s network connectivity state, potentially resolving the recurring error. However, a restart without an active internet connection could reintroduce the problem.
In response to the widespread impact, Microsoft issued two out-of-band (OOB) emergency updates for Windows 11 Enterprise devices. These updates addressed a Bluetooth device visibility issue and several security vulnerabilities within the Routing and Remote Access Service (RRAS) management tool. Furthermore, Microsoft released guidance to resolve C:\ drive access issues and app failures observed on certain Samsung Windows 11 laptops, attributable to a faulty version of the Samsung Galaxy Connect (or Samsung Continuity Service) application. This confluence of issues highlights the complexity of patching large operating systems and the potential for unforeseen consequences resulting from cumulative updates. The situation underscored the need for meticulous testing and rapid response capabilities within Microsoft’s release cycle.
And that’s your BleepingComputer briefing for today, March 21st, 2026. Stay vigilant, stay informed, and we’ll catch you next time!
Documents Contained
- Navia discloses data breach impacting 2.7 million people
- New ‘PolyShell’ flaw allows unauthenticated RCE on Magento e-stores
- International joint action disrupts world’s largest DDoS botnets
- Microsoft: March Windows updates break Teams, OneDrive sign-ins
- Ex-data analyst stole company data in $2.5M extortion scheme