Check Point Weekly Threat Report: FBI Director's Gmail Breached, Port of Vigo Ransomware, and Critical Cisco, Citrix Patches
Check Point's weekly threat intelligence report details a breach of FBI Director Patel's personal Gmail by Iranian group Handala Hack, a ransomware attack on Spain's Port of Vigo, and critical patches for Cisco and Citrix products.

Check Point Research has released its weekly threat intelligence bulletin for March 30, 2026, covering a wide range of active attacks, critical vulnerabilities, and emerging threats. The report highlights a significant breach of FBI Director Kash Patel's personal Gmail account by the Iranian state-affiliated group Handala Hack, which leaked personal photos and documents. This incident follows the FBI's seizure of domains linked to the group, whose sustained targeting of Israeli and American entities continues amid the ongoing Iran conflict.
In a separate major incident, Spain's Port of Vigo in Galicia suffered a ransomware attack that forced officials to disconnect parts of its network and revert to manual cargo handling processes. The attack locked equipment and disrupted digital logistics, though physical ship movement continued without digital communication. The Netherlands' Ministry of Finance also confirmed a March 19 cyberattack that breached internal systems in its policy department, disrupting work for some employees while tax, customs, and benefits services remained unaffected.
The decentralized finance platform Resolv lost $24.5 million after a compromised private key allowed an attacker to mint approximately $80 million in uncollateralized USR tokens and swap them for 11,408 ETH. Resolv confirmed the incident, paused the application, and offered a 10% bounty for the return of funds.
On the vulnerability front, Cisco patched CVE-2026-20131, a critical CVSS 10 vulnerability in Secure Firewall Management Center that allows unauthenticated attackers to execute code as root through the web interface. Cisco confirmed attempted exploitation in March 2026 and released fixes, with no workaround available for on-premises customers. Check Point IPS provides protection against this threat. Citrix also released patches for CVE-2026-3055 and CVE-2026-4368 affecting NetScaler ADC and Gateway, where a critical memory flaw can expose sensitive data in SAML Identity Provider deployments.
TP-Link issued firmware updates addressing CVE-2025-15517 and related critical flaws in Archer NX200, NX210, NX500, and NX600 5G Wi-Fi routers, which could allow attackers to access administrative functions without logging in, upload rogue firmware, and execute system commands. Additionally, researchers warned that a leaked 'DarkSword' iOS exploit chain enables no-click attacks via Safari, threatening up to 270 million unpatched iPhones and iPads, with Apple issuing emergency updates for iOS 15 and 16 on March 11.
The report also covers AI-related threats, including a supply chain compromise of LiteLLM that harvested API keys and cloud credentials, three high-severity vulnerabilities in LangChain and LangGraph enabling file access and secret leakage, and a zero-click flaw in Anthropic's Claude Chrome extension allowing prompt injection. Threat intelligence sections detail cybercriminals abusing the Keitaro adtech tracker for phishing and malware distribution, China-aligned clusters targeting a Southeast Asian government, and Russian group APT28 targeting Ukraine and European defense supply chain partners with the PRIXMES toolset.