
March 2026 Cyber Roundup: Iran Wipers, Medusa Ransomware, and Critical Zero-Days

  • Mar 28

The Big Picture: March 2026 Was Relentless

March 2026 delivered one of the most intense months in recent cyber history. A geopolitical crisis drove state-sponsored wiper campaigns, ransomware gangs hit healthcare and government targets, and critical vulnerabilities were weaponized within hours of disclosure. Here's what matters and what to do about it.


Iran's Cyber Escalation Goes Kinetic

The most significant development this month: Iran has now surpassed 27 consecutive days of near-complete internet blackout, per Unit 42 at Palo Alto Networks. The conflict has spilled into cyberspace with wiper attacks — destructive malware designed to destroy data rather than hold it for ransom.

Unit 42 tracked 7,381 conflict-themed phishing URLs across 1,881 unique hostnames. The NY Department of Financial Services issued a cybersecurity advisory on March 3 reminding financial institutions of heightened risk from the global conflict.

This isn't theoretical. If your organization has any exposure to Middle Eastern operations, supply chains, or customers, your threat model just changed.


Medusa Ransomware Targets Healthcare and Government

The Medusa ransomware gang claimed two high-profile victims in March: the University of Mississippi Medical Center (UMMC) and Passaic County, New Jersey's local government systems. Healthcare continues to be the soft target ransomware operators love — critical systems, legacy infrastructure, and high pressure to pay.

The broader ransomware landscape is shifting fast. Per Recorded Future, 2026 marks the first year that new ransomware actors operating outside Russia outnumber those within it. Groups are forming strategic alliances to share stolen data and negotiation leverage. SentinelOne reports many groups are skipping encryption entirely — just stealing data and extorting victims, making traditional backup strategies less effective as a standalone defense.

Per Morphisec, ransomware groups are pivoting to identity-first compromise: credential theft over exploitation. Vishing (voice phishing) attacks are also surging as an initial access vector, per Zscaler ThreatLabz.


Critical Zero-Days: Patched Today, Exploited Yesterday

Three critical vulnerabilities defined March:

  • CVE-2026-33017 (Langflow): Per Sysdig and The Hacker News, exploitation began within 20 hours of disclosure on March 17. CISA added it to the KEV catalog on March 25 with a patch deadline of April 8.

  • CVE-2026-32746 (GNU InetUtils Telnetd): A CVSS 9.8 unauthenticated root RCE via buffer overflow. Per Industrial Cyber, this directly exposes ICS and OT systems — critical infrastructure operators take note.

  • CVE-2026-21858 (n8n): Maximum-severity flaw affecting approximately 100,000 servers globally, per CyberScoop.

The velocity is staggering: over 21,500 CVEs disclosed in the first half of 2026 alone — a 16-18% increase over 2024, per SC Media.


Attackers Hide in Your SaaS Stack

Per Cloudflare's 2026 Threat Report, threat actors are increasingly abusing legitimate SaaS, IaaS, and PaaS tools — Google Calendar, Dropbox, GitHub — to camouflage malicious actions within normal enterprise activity. Meanwhile, a payment skimmer using WebRTC data channels for payload delivery and data exfiltration was discovered, effectively bypassing traditional network security controls.

North Korea continues to operationalize its remote IT worker scheme, using deepfakes and fraudulent identities to embed state-sponsored operatives directly into Western company payrolls for espionage and revenue generation.

And Magento Open Source / Adobe Commerce saw mass exploitation starting March 19 with 50+ IP addresses scanning, per The Hacker News.


What This Means for Your Organization

  • Review your Iran exposure. If you have operations, suppliers, or customers in the Middle East, elevate monitoring for wiper indicators and conflict-themed phishing. Review the Unit 42 advisory for specific IOCs.

  • Patch the big three immediately. CVE-2026-33017 (Langflow), CVE-2026-32746 (Telnetd), and CVE-2026-21858 (n8n) are all actively exploited or trivially exploitable. If you run any of these, patch today — not next sprint.

  • Assume ransomware without encryption. Your backup strategy is necessary but not sufficient. Data exfiltration detection, DLP controls, and network segmentation matter more when attackers skip encryption entirely.

  • Audit your SaaS integrations. Legitimate tools being weaponized means your allow-list is your attack surface. Review OAuth tokens, API integrations, and third-party app permissions in your Google Workspace, Microsoft 365, and GitHub environments.

  • Verify your employees are real. The North Korean IT worker scheme is not science fiction — it's happening now. Strengthen identity verification in hiring, especially for remote roles, and monitor for anomalous access patterns from new hires.
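One way to act on the exfiltration-detection point above (and on the earlier point about attackers hiding in legitimate SaaS traffic), as an added example that is not code from the original post: a small Python script that totals per-host upload volume to a watched list of SaaS domains from proxy log lines and flags outliers. The log format, the domain list, the sample lines and the 50 MiB threshold are all assumptions constructed for the example.

```python
"""Flag hosts pushing unusual upload volumes to legitimate SaaS domains.
Added example, not the post's code; log format, domain list and threshold are assumptions."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed watch-list: SaaS domains that attackers use as "allowed" exfiltration channels.
SAAS_DOMAINS = ("dropbox.com", "dropboxapi.com", "github.com", "drive.google.com")

# Constructed proxy log (timestamp client method url bytes_sent bytes_received):
# 10.0.4.17 pushes ~110 MiB to Dropbox and GitHub in 15 minutes, the others look normal.
SAMPLE_LOG = """\
2026-03-20T09:01:12Z 10.0.4.17 GET https://www.dropbox.com/home 512 18234
2026-03-20T09:03:44Z 10.0.4.17 POST https://content.dropboxapi.com/2/files/upload 41943040 300
2026-03-20T09:09:10Z 10.0.4.17 POST https://content.dropboxapi.com/2/files/upload 41943040 300
2026-03-20T09:15:02Z 10.0.4.17 PUT https://uploads.github.com/repos/x/y/releases/1/assets 31457280 210
2026-03-20T10:12:30Z 10.0.5.22 POST https://content.dropboxapi.com/2/files/upload 1048576 300
2026-03-20T10:20:05Z 10.0.5.22 GET https://api.github.com/repos/x/y 380 9120
2026-03-20T10:31:59Z 10.0.6.8 POST https://mail.example.com/send 2097152 120
"""

def is_saas_host(hostname):
    """True if hostname is a watched SaaS domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in SAAS_DOMAINS)

def parse_line(line):
    """Return (client, method, hostname, bytes_sent), or None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or not parts[4].isdigit():
        return None
    host = urlsplit(parts[3]).hostname
    return None if host is None else (parts[1], parts[2].upper(), host, int(parts[4]))

def saas_upload_bytes(log_text):
    """Total request-body bytes per client sent via POST/PUT to watched SaaS domains."""
    totals = defaultdict(int)
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec[1] in ("POST", "PUT") and is_saas_host(rec[2]):
            totals[rec[0]] += rec[3]
    return dict(totals)

def flag_exfil(log_text, threshold_bytes=50 * 1024 * 1024):
    """Clients above the (assumed) 50 MiB SaaS upload threshold, largest first."""
    totals = saas_upload_bytes(log_text)
    return sorted((c for c, b in totals.items() if b > threshold_bytes), key=totals.get, reverse=True)

if __name__ == "__main__":
    for client, total in sorted(saas_upload_bytes(SAMPLE_LOG).items()):
        print(f"{client}: {total / 2**20:.1f} MiB uploaded to SaaS")
    print("flagged:", flag_exfil(SAMPLE_LOG))
```

In production the threshold should come from a per-host or per-role baseline rather than a constant, and the watch-list should match whatever SaaS your allow-list actually permits.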


