Cyber News Bytes: 2.7M Records Stolen, Oracle Drops Emergency 9.8 Patch, Stryker Cyberattack

This week's latest cybersecurity news and industry updates

Welcome back to another week of "the internet was not okay."

This week we had a Fortune 500 medical device company lose 80,000 devices in three hours, 2.7 million people's health and Social Security data stolen from a benefits administrator, Oracle quietly dropping a near-perfect severity emergency patch, and the DOJ dismantling a botnet network behind some of the largest DDoS attacks ever recorded.

Let's get into it!

🏥 Stryker Got Wiped Without a Single Piece of Malware

Iran-linked hacktivist group Handala remotely wiped nearly 80,000 devices at medical tech giant Stryker on March 11 without deploying any malware. Attackers compromised an existing Intune administrator account, created a new Global Admin, then issued mass device wipe commands across 61 countries in three hours. Laptops, smartphones, and managed endpoints were erased. Employees who had enrolled personal devices in the company's device management lost personal data too.

Stryker confirmed medical products remain safe but electronic ordering, manufacturing, and shipping systems are still disrupted. The FBI has since seized domains linked to Handala.

Why it matters: The attackers didn't need a zero-day or ransomware payload. They needed one compromised admin account and a management plane with no guardrails. If your org uses Intune or any cloud-native MDM, ask yourself two things: could a single compromised Global Admin wipe your entire fleet, and would anyone notice before the third hour? CISA has updated guidance on hardening Intune environments, and Microsoft's Multi-Admin Approval feature (which requires a second admin to approve bulk wipe commands) should be enabled yesterday. The caveat: a second approver only helps if it is a separate, MFA-protected account the same attacker doesn't also hold, and the wipe-rate alerting that would have caught this early is something you have to build yourself.
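Here is what that wipe-rate alert can look like in practice. This is an added example written for this post, not Stryker's, Microsoft's, or CISA's code. It runs a sliding-window detector over Intune audit records: any actor issuing ten or more destructive device actions inside fifteen minutes gets flagged. The records are constructed to approximate the shape of Microsoft Graph `deviceManagement/auditEvents` entries; the field names match that API, but the `activityType` strings, account names, and device names are assumptions, so check them against an export from your own tenant before wiring this into a SIEM.

```python
"""Sliding-window detector for bulk Intune device wipes (added example).

Records approximate Microsoft Graph auditEvent JSON; activity strings, UPNs
and device names below are assumptions, not captured data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed activityType values; confirm against your tenant's audit export
# (GET /deviceManagement/auditEvents) before relying on them.
DESTRUCTIVE_ACTIVITIES = {"Wipe ManagedDevice", "Retire ManagedDevice", "Delete ManagedDevice"}


def make_event(actor, ts, activity, device):
    """Build one constructed record in the (assumed) shape of a Graph auditEvent."""
    return {
        "activityDateTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "activityType": activity,
        "activityResult": "Success",
        "actor": {"userPrincipalName": actor, "applicationDisplayName": "Intune portal"},
        "resources": [{"displayName": device, "type": "ManagedDevice"}],
    }


def build_sample_events():
    """Constructed feed: routine admin churn plus one account wiping in bulk."""
    t0 = datetime(2026, 3, 11, 9, 0, tzinfo=timezone.utc)
    events = [
        # Routine: a helpdesk admin retires/wipes two devices hours apart and
        # pushes one config change (non-destructive, must not be counted).
        make_event("helpdesk@contoso.example", t0, "Retire ManagedDevice", "LAPTOP-0001"),
        make_event("helpdesk@contoso.example", t0 + timedelta(hours=1),
                   "Create DeviceConfiguration", "Baseline policy"),
        make_event("helpdesk@contoso.example", t0 + timedelta(hours=5),
                   "Wipe ManagedDevice", "LAPTOP-0002"),
    ]
    # Suspicious: a freshly minted admin fires 25 wipes in about six minutes.
    for i in range(25):
        events.append(make_event("svc-mdm-admin@contoso.example",
                                 t0 + timedelta(hours=2, seconds=15 * i),
                                 "Wipe ManagedDevice", f"LAPTOP-{100 + i:04d}"))
    return events


def parse_time(s):
    """Parse the Graph UTC timestamp format ('...Z') into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def mass_wipe_alerts(events, threshold=10, window=timedelta(minutes=15)):
    """Return one alert per actor whose peak destructive-action count within
    any `window`-long span reaches `threshold`. Alerts are sorted by count."""
    by_actor = defaultdict(list)
    for e in events:
        if e["activityType"] in DESTRUCTIVE_ACTIVITIES:
            by_actor[e["actor"]["userPrincipalName"]].append(
                (parse_time(e["activityDateTime"]), e["resources"][0]["displayName"]))

    alerts = []
    for actor, actions in by_actor.items():
        actions.sort()
        recent = deque()            # actions inside the current window
        peak, peak_start, peak_devices = 0, None, []
        for ts, device in actions:
            recent.append((ts, device))
            while ts - recent[0][0] > window:   # drop actions older than the window
                recent.popleft()
            if len(recent) > peak:
                peak, peak_start = len(recent), recent[0][0]
                peak_devices = [d for _, d in recent]
        if peak >= threshold:
            alerts.append({"actor": actor, "count": peak,
                           "window_start": peak_start, "devices": peak_devices})
    return sorted(alerts, key=lambda a: a["count"], reverse=True)


if __name__ == "__main__":
    for a in mass_wipe_alerts(build_sample_events()):
        print(f"ALERT {a['actor']}: {a['count']} destructive actions starting "
              f"{a['window_start'].isoformat()} e.g. {a['devices'][:3]}")
```

The threshold and window are deliberately conservative; a single actor wiping ten devices in fifteen minutes is rare outside a planned decommission, so tune them against your own retire/wipe baseline rather than guessing. Retire and delete are counted alongside wipe because all three remove the device from management, which is exactly the outcome a compromised admin wants.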

Read more on Reuters

🔐 2.7 Million People's Health and SSN Data Stolen from Navia Benefit Solutions

Navia Benefit Solutions, a national employee benefits administrator serving over 10,000 employers across the U.S., has notified 2,697,540 individuals that their data was stolen between December 22, 2025, and January 15, 2026. The compromised data includes names, dates of birth, Social Security numbers, phone numbers, email addresses, and health plan details tied to FSA, HSA, and COBRA enrollment. Notifications began going out by mail on March 18.

Why it matters: This is the definition of high-value breach data. SSNs combined with health plan enrollment details create rich profiles for identity fraud, targeted phishing, and social engineering. No ransomware group has claimed responsibility, and Navia has not said how the attackers got in, so the access method is still unknown. If you or anyone you know has FSA or COBRA benefits managed through Navia, assume the data is out there and consider placing a credit freeze now. Affected individuals are being offered 12 months of identity monitoring through Kroll.

Read more on BleepingComputer

🔴 Oracle Drops Emergency Patch for Near-Perfect Severity RCE

Oracle released an out-of-band emergency patch this week for CVE-2026-21992, a critical unauthenticated remote code execution vulnerability in Oracle Identity Manager and Oracle Web Services Manager. The flaw carries a CVSS score of 9.8 out of 10. An attacker with nothing more than HTTP access to an exposed endpoint can trigger full remote code execution with no credentials and no user interaction required.

Why it matters: Oracle Identity Manager is used by enterprises to manage identities, roles, and access policies across entire organizations. A successful exploit here doesn't just mean a compromised server. It potentially means an attacker can manipulate who has access to what across the entire enterprise. Oracle has not confirmed active exploitation, but given the low complexity of the attack and a near-maximum CVSS score, the window between patch release and weaponized exploit is short. If your organization runs Oracle Fusion Middleware, this is a this-weekend patch.

Read more on BleepingComputer

🌐 DOJ Takes Down Botnet Network Behind Record-Breaking 30 Tbps DDoS Attacks

The U.S. Department of Justice disrupted command-and-control infrastructure used by four IoT botnets this week, in a coordinated action involving authorities from Canada and Germany. The botnets, named AISURU, Kimwolf, JackSkid, and Mossad, were responsible for DDoS attacks measuring approximately 30 terabits per second, described as record-breaking in scale. Private sector partners in the operation included Amazon Web Services, Google, Cloudflare, Microsoft, Nokia, Oracle, PayPal, and Okta.

Why it matters: 30 Tbps is a staggering number. For context, large enterprises typically have internet connections measured in gigabits, not terabits. Attacks at this scale can knock entire ISPs or cloud regions offline. The joint public-private coordination here is worth noting. The fact that AWS, Google, Cloudflare, and others were directly involved in the takedown signals how much the private sector now operates as an active part of cyber law enforcement. These botnets primarily ran through compromised IoT devices, which remain largely unmanaged and unpatchable at scale.

Read more on The Hacker News

Big week. Whether it is 80,000 wiped devices, 2.7 million stolen records, a near-perfect severity Oracle patch, or record-breaking DDoS infrastructure being dismantled, the common thread is scale. The attacks are getting larger, faster, and harder to contain once they start.

As always, stay secure out there!

Sandra 

Cyber With Sandra | withcybersecurity.com