The 1.3-Day Race and the Rise of Agentic Fraud

It’s a Paper Trail for the week ending March 21, 2026, and we’ll cover what happened last week in the Information Security space.

Last Week, in Review

  • Zero Day Clock tracks the speed at which adversaries are exploiting vulnerabilities. The time from when an advisory is published to first exploitation has been shrinking – from years, to months, to days – with a current mean time to exploitation of ~1.3 days. This highlights the need for organizations to adapt their patch and remediation capabilities to respond faster to truly critical vulnerabilities. [Zero Day Clock]
  • INTERPOL’s 2026 Global Financial Fraud Threat Assessment puts global fraud losses at an estimated $442 billion in 2025 – driven by a 4.5x greater profitability for AI-enhanced scams compared to traditional methods, with 77% of business leaders worldwide reporting a rise in fraud over the past year. The report underscores the emergence of Agentic AI capable of autonomous fraud cycles and the global expansion of industrial-scale scam centers now operating across multiple continents. [Interpol, The Register]

Pulse

Trend Micro identified an active, sophisticated multi-stage credential theft campaign delivering PureLog Stealer that harvests sensitive data, including Chrome browser credentials, extensions, cryptocurrency wallets, and system information. Adversaries disguise the malware as a legitimate legal document – specifically copyright violation notices written in the local language of the target region – that, when opened, triggers a multi-stage process of malware execution in memory (fileless execution) using a Python-based loader and dual .NET loaders, evading traditional endpoint detection. [Trend Micro]

Fix-it Frank

A critical remote code execution vulnerability, CVE-2026-33017, in Langflow version 1.8 or lower – a popular open-source AI workflow builder with 146K+ stargazers – was exploited within 20 hours of the advisory's public disclosure, with adversaries building working exploits directly from the advisory description alone. Organizations should upgrade their instances of Langflow to version 1.9.0 or higher to remediate the vulnerability in their environment. [Sysdig, TheHackerNews, GitHub, SecurityWeek]

ConnectWise disclosed a critical severity vulnerability (CVE-2026-3564) in its on-premises ScreenConnect – a remote access platform widely used by managed service providers (MSPs), IT departments, and help desk teams. The vulnerability allowed an adversary with access to server-level cryptographic material to escalate privileges and gain elevated access to remote management infrastructure. Organizations should upgrade their ScreenConnect software to version 26.1 or later and regenerate machine key material after upgrading to remediate the vulnerability. [ConnectWise, Bleeping Computer]

Cisco Secure disclosed two critical severity vulnerabilities in Firewall Management Center (FMC) Software – one a deserialization flaw (CVE-2026-20131) and the other an improperly created system process at boot (CVE-2026-20079) – which could allow an unauthenticated, remote attacker to bypass authentication and gain access as root on an affected device. Cisco recommends that affected devices be upgraded to the latest patched versions of the software. [Cisco, Cisco, Arctic Wolf, Amazon, The Hacker News]

The Fine Print

Navia Benefit Solutions – a Washington-based employee benefits administrator serving 10,000+ employers nationwide – disclosed a data breach affecting approximately 2.7 million individuals. Adversaries had unauthorized access to Navia's environment and systems from December 22, 2025 to January 15, 2026; the intrusion was discovered on January 23, 2026. Data exposed may include names, dates of birth, Social Security Numbers, phone numbers, email addresses, health plan details and records dating back to 2018. Navia needed to file with the Maine Attorney General, notify HHS under HIPAA, issue media notices, notify the Washington State HCA and mail letters to individuals beginning March 18, 2026 – highlighting the complex web of multi-jurisdiction notification requirements that organizations may have to navigate and codify in their incident response plans. [The HIPAA Journal, LifeHacker, The Record]

Cybersecurity audit requirements and risk assessment mandates under CCPA/CPRA began phasing in on January 1, 2026. Organizations selling or processing data of consumers in California and meeting certain thresholds are required to demonstrate compliance. With North Dakota, Rhode Island, and Nevada enacting cybersecurity regulation similar to NYDFS, this new tightening of state-level cyber obligations introduces the compliance complexities that come with multi-state operations. For instance, the Rhode Island law requires notification of a breach within three business days, while NYDFS remains at 72 hours – a subtle but critical difference for incident response teams. [Ropes & Gray, Alston & Bird]

The Bottom Line

As the mean time to exploitation continues its aggressive slide towards the sub-24-hour mark, scheduled patches seem like a luxury of the past. Furthermore, with the first wave of 2026 CCPA/CPRA enforcement actions likely on the horizon, the focus will shift from simple perimeter defense to the “Fine Print” – specifically, how well an organization’s IR plan can navigate the nuanced notification timelines of a multi-state.

Thanks for tuning in to this edition of Paper Trail. We’d love your ideas and suggestions, so email us at feedback@hackwithheart.com. You can follow Paper Trail wherever you like best – read it on hackwithheart.com, listen on Spotify or Apple Podcasts, or watch on YouTube.