CyberWire

Pro-Iranian hackers claim cyberattack against Stryker.

By the N2K CyberWire staff

Top stories.

  • Pro-Iranian hackers claim cyberattack against Stryker.
  • US Senate confirms Gen. Joshua Rudd as head of NSA and Cyber Command.
  • White House releases US cyber strategy.
  • ShinyHunters continues targeting misconfigured Salesforce instances.
  • FBI warns of phishing attacks requesting phony zoning permit fees.
  • Patch Tuesday notes.

Pro-Iranian hackers claim cyberattack against Stryker.

Pro-Iranian hackers have claimed responsibility for a major data-wiping attack against US medical manufacturing company Stryker, the Wall Street Journal reports. The company on Wednesday told its 56,000 employees to disconnect from all networks and avoid turning on company devices. The hacktivist group Handala claimed responsibility, saying the attack was retaliation for US-Israeli strikes on Iran. Palo Alto Networks has linked Handala to Iran’s Ministry of Intelligence and Security (MOIS).

NBC News says the hackers likely gained access to the company’s Microsoft Intune account, which is used for managing corporate devices. Rafe Pilling, director of threat intelligence at Sophos, told NBC, “One of [Intune’s] features is the ability to remotely wipe a device if it’s lost/stolen etc. Looks like they triggered that for some or all of the enrolled devices.” Stryker hasn’t confirmed these details, but said ransomware was not involved and that its own systems were not hacked directly. KrebsOnSecurity notes that the attack has the potential to cause supply-chain disruptions, since most hospitals in the US use Stryker’s devices. Reuters reports that the incident has disrupted the company’s ability to process orders and manufacture products.

Separately, an intelligence group warned that all levels of the US government, including state and local officials, should be prepared for “low-level cyber activity” following the outbreak of war between the US and Iran, StateScoop reports. The Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC) said in an online briefing last week that pro-Iranian hacktivist and proxy groups are beginning to form a “collective,” which may enhance their capabilities. These groups frequently conduct disruptive activities such as DDoS and website defacements. Government entities are urged to implement security best practices to defend against these attacks.

Meter: the end-to-end, secure enterprise network

Fragmented networks create security blind spots that are hard to patch. Meter takes a different approach, with an integrated enterprise networking architecture designed for security at the core, the edge, and everywhere in between. Learn how Meter protects every site by default at meter.com/security.

US Senate confirms Gen. Joshua Rudd as head of NSA and Cyber Command.

The US Senate has confirmed Gen. Joshua Rudd as head of US Cyber Command and the National Security Agency (NSA), POLITICO reports. Lt. Gen. William Hartman has been serving as acting head of Cyber Command and NSA since April 2025, and plans to retire when Rudd is sworn in. Rudd has been in the US military for decades, most recently serving as deputy director of US Indo-Pacific Command. Rudd told lawmakers he will continue evaluating the long-debated dual-hat structure and defended Section 702 of the Foreign Intelligence Surveillance Act, which is set to expire in April.

The Senate voted 71-29 to approve Rudd, with some Democrats objecting to his limited cybersecurity background. The confirmation drew criticism from Senator Ron Wyden (Democrat of Oregon) in particular, who noted that Rudd has not previously held any cybersecurity leadership roles. Wyden also expressed concerns that Rudd has an insufficient understanding of NSA surveillance authorities.

White House releases US cyber strategy.

The White House on Friday released the Trump administration’s cyber strategy, CyberScoop reports. The document outlines six pillars, focusing on stronger offensive cyber operations, modernizing federal networks, protecting critical infrastructure, streamlined regulations, expanded use of emerging technologies like artificial intelligence and post-quantum cryptography, and building up America’s cyber workforce.

The document received generally positive feedback from industry groups who welcomed the strategy’s focus on deterrence, innovation, and regulatory reform, though some lawmakers criticized it as vague and lacking a detailed implementation plan. The White House said the strategy is deliberately high-level, and more detailed guidance will follow in future policy documents.

Experience the Power of Community at RSAC 2026 Conference

RSAC 2026 Conference returns to San Francisco March 23–26, bringing together the global cybersecurity community for four days of expert insights, hands-on learning, and breakthrough innovation. Join thousands of practitioners, executives, and innovators as they tackle today’s toughest challenges and explore solutions shaping tomorrow. From cutting-edge ideas to immersive programs and vibrant networking, this is where meaningful progress happens. Register today and be part of the conversations driving cybersecurity forward.

ShinyHunters continues targeting misconfigured Salesforce instances.

The ShinyHunters extortion group has announced a new campaign targeting vulnerable or misconfigured Salesforce instances, SecurityWeek reports. The extortion gang claims to have hacked “several hundreds of companies” as part of what it calls the “Salesforce Aura Campaign.” Criminal gangs frequently exaggerate their claims, but it’s worth noting that ShinyHunters was responsible for many confirmed attacks against Salesforce instances throughout 2025.

Salesforce published a report on this campaign last week, noting that the attackers are exploiting overly permissive Experience Cloud guest user configurations rather than a vulnerability in Salesforce itself. The company states, “Evidence indicates the threat actor is leveraging a modified version of the open-source tool Aura Inspector (originally developed by Mandiant) to perform mass scanning of public-facing Experience Cloud sites. While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings.”
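As an added defensive example (not part of the CyberWire item or of Salesforce's report), the script below shows one way to spot mass probing of the /s/sfsites/aura endpoint in edge or reverse-proxy access logs: per source address it computes the peak number of aura requests inside a sliding time window and flags sources that burst past a threshold, which an ordinary visitor's page loads do not. The log format, addresses and timestamps are constructed assumptions, not Salesforce's own logging.

```python
import re
from collections import defaultdict
from datetime import datetime

AURA_PATH = "/s/sfsites/aura"
# Assumed generic "timestamp ip method path status" access-log format;
# every line below is constructed sample data, not real traffic.
SAMPLE_LOG = """\
2026-03-11T10:00:01Z 203.0.113.7 POST /s/sfsites/aura?r=1 200
2026-03-11T10:00:02Z 203.0.113.7 POST /s/sfsites/aura?r=2 200
2026-03-11T10:00:02Z 203.0.113.7 POST /s/sfsites/aura?r=3 200
2026-03-11T10:00:03Z 203.0.113.7 POST /s/sfsites/aura?r=4 200
2026-03-11T10:00:04Z 203.0.113.7 POST /s/sfsites/aura?r=5 200
2026-03-11T10:00:05Z 198.51.100.3 GET /s/ 200
2026-03-11T10:00:06Z 198.51.100.3 POST /s/sfsites/aura?r=1 200
2026-03-11T10:10:00Z 192.0.2.9 POST /s/sfsites/aura?r=1 200
2026-03-11T10:12:00Z 192.0.2.9 POST /s/sfsites/aura?r=2 200
2026-03-11T10:14:00Z 192.0.2.9 POST /s/sfsites/aura?r=3 200
2026-03-11T10:16:00Z 192.0.2.9 POST /s/sfsites/aura?r=4 200
2026-03-11T10:18:00Z 192.0.2.9 POST /s/sfsites/aura?r=5 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_log(text):
    """Parse log lines into (timestamp, ip, path-without-query) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than crashing the parser
            ts, ip, _method, path, _status = m.groups()
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            events.append((when, ip, path.split("?", 1)[0]))
    return events

def flag_aura_bursts(text, threshold=5, window_s=60):
    """Return {ip: peak_hits} for sources whose aura hits in any window reach threshold."""
    times = defaultdict(list)
    for when, ip, path in parse_log(text):
        if path == AURA_PATH:
            times[ip].append(when)
    flagged = {}
    for ip, ts in sorted(times.items()):
        ts.sort()
        start, peak = 0, 0
        for end in range(len(ts)):  # sliding window over sorted timestamps
            while (ts[end] - ts[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

With the defaults, only the source that fires five aura requests within a few seconds is flagged; the source spreading the same five requests over eight minutes is not, so the window size is the knob that separates scanning from slow legitimate use.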

FBI warns of phishing attacks requesting phony zoning permit fees.

The FBI has published a PSA outlining a phishing campaign impersonating city and county officials to trick users into sending payments for zoning permits. The Bureau states, “Victims receive unsolicited emails citing their permit information, zoning application numbers, and/or property addresses. Victims are instructed to pay invoices for fees related to their permits and directed to make payments via wire transfer, peer-to-peer payment, or cryptocurrency.”

The threat actors tailor their attacks to the targeted regions, and in some cases the emails are timed to coincide with ongoing permit requests. The FBI notes that “[t]he emails contain detailed, accurate information about planning and zoning requests, including property addresses, case numbers, and the true names of city and county officials.”

Patch Tuesday notes.

Microsoft on Tuesday issued fixes for 83 vulnerabilities, including two publicly disclosed zero-days, though none of the flaws have been observed being exploited in the wild, Dark Reading reports. The zero-days are CVE-2026-26127, a denial-of-service flaw in .NET, and CVE-2026-21262, a privilege escalation vulnerability in SQL Server. Tenable researcher Satnam Narang notes, “These bugs are more bark than bite. The DoS vulnerability is assessed as unlikely to be exploited and requires an attacker to be authorized beforehand, while the privilege escalation bug was deemed less likely to be exploited.”

Fortinet, Ivanti, and Intel have issued dozens of fixes across their products, SecurityWeek reports. Fortinet patched several flaws in FortiWeb, FortiSwitchAXFixed, and FortiManager that could be exploited by remote, unauthenticated attackers to run arbitrary code. Ivanti addressed a high-severity privilege-escalation flaw in Desktop and Server Management (DSM). Intel has rolled out fixes for nine flaws in the UEFI for some Intel reference platforms.

SecurityWeek also has a summary of patches issued by ICS vendors, including Siemens, Schneider Electric, Mitsubishi Electric, and Moxa.
