剣 KENSAI
← All posts · security · 2026-03-15 · 3 min

Microsoft Emergency RRAS Hotpatch, AppsFlyer SDK Supply-Chain Hijack, Chrome Two Zero-Days Patched, Chinese APT Targets SE Asian Militaries

Microsoft issues an emergency out-of-band hotpatch for a critical Windows 11 RRAS remote code execution flaw affecting enterprise hotpatch deployments. AppsFlyer's Web SDK is hijacked in a supply-chain attack injecting crypto-stealing JavaScript. Google patches two actively exploited Chrome zero-days in Chrome 146. And Palo Alto Networks reveals a Chinese state-backed APT campaign targeting Southeast Asian militaries with custom malware since 2020.


🔧 Microsoft Releases Emergency OOB Hotpatch for Windows 11 RRAS RCE Flaw

⚠️ CRITICAL — REMOTE CODE EXECUTION

Microsoft has released an out-of-band (OOB) security update specifically for Windows 11 Enterprise devices using the hotpatch update mechanism. The vulnerability affects the Routing and Remote Access Service (RRAS), enabling remote code execution. Enterprise environments relying on hotpatch deployments — designed for rebootless patching — are directly exposed.

Regulation Impact: NIS2 — Patch Management — DORA ICT Risk — CRA Vulnerability Handling

Microsoft took the unusual step of releasing an out-of-band security update on March 14 to address a critical remote code execution vulnerability in Windows 11's Routing and Remote Access Service (RRAS). The patch targets specifically Windows 11 Enterprise systems enrolled in hotpatch updates — the streamlined update mechanism that applies security fixes without requiring a reboot.

The irony is sharp: the hotpatch system designed to keep enterprises continuously protected had itself introduced a gap. Organizations that opted into hotpatching instead of receiving the standard March 2026 Patch Tuesday cumulative updates were left vulnerable to RRAS exploitation until this OOB fix.

RRAS is a critical networking component used by enterprises for VPN connectivity, NAT routing, and remote access services. A remote code execution flaw in RRAS means attackers could potentially compromise VPN gateways and remote access infrastructure — the very systems designed to secure remote connectivity.

Patch Management Under NIS2 and DORA

⚡ DACH Takeaway

German, Austrian, and Swiss enterprises running Windows 11 Enterprise with hotpatch enabled should apply this OOB update immediately. Organizations using RRAS for VPN or remote access — common in DACH's hybrid work environments — face direct exposure. The BSI should issue a technical advisory on hotpatch-specific risk assessment. DACH financial institutions under DORA must document this vulnerability assessment and patch timeline.


🔗 AppsFlyer Web SDK Hijacked in Crypto-Stealing Supply-Chain Attack

⚠️ SUPPLY-CHAIN ATTACK — ACTIVE EXPLOITATION

The AppsFlyer Web SDK, used by thousands of websites for mobile attribution and analytics, was temporarily compromised with malicious JavaScript code designed to steal cryptocurrency. The attack injected crypto-stealing code through the SDK's legitimate distribution channel, affecting every website loading the compromised version.

Regulation Impact: CRA Software Supply Chain — NIS2 Third-Party Risk — eIDAS Trust Services

AppsFlyer, a major mobile attribution and analytics platform used by brands worldwide, confirmed this week that its Web SDK was temporarily hijacked with malicious JavaScript code designed to steal cryptocurrency from end users. The attack represents a classic supply-chain compromise: by injecting malicious code into a trusted third-party SDK, attackers gained access to every website that loaded the affected version.

The crypto-stealing JavaScript intercepted cryptocurrency wallet interactions on compromised websites, redirecting transactions to attacker-controlled wallets. The attack was detected and the malicious code removed, but the window of exposure affected an unknown number of websites and end users.

This attack follows the same playbook as the Polyfill.io compromise in 2024 and the event-stream npm attack — targeting widely-used JavaScript libraries that are loaded directly into millions of web pages. The difference: AppsFlyer is an enterprise analytics platform, meaning the affected websites are likely major brands with significant traffic.

Supply-Chain Security Under the CRA

⚡ DACH Takeaway

DACH e-commerce and fintech companies using AppsFlyer should immediately audit their SDK versions and check for indicators of compromise. German data protection authorities (LfDIs) may investigate if EU user financial data was compromised. Swiss FINMA-regulated entities using AppsFlyer on customer-facing sites should assess DORA-equivalent obligations. Implement Subresource Integrity for all third-party JavaScript — it's a one-line defense against supply-chain SDK hijacks.


🌐 Chrome 146 Patches Two Actively Exploited Zero-Days

⚠️ ZERO-DAY — ACTIVE EXPLOITATION IN THE WILD

Google has released Chrome 146 with patches for two zero-day vulnerabilities that were actively exploited in the wild. The flaws allow attackers to manipulate data and bypass security restrictions, potentially leading to arbitrary code execution. Both vulnerabilities were discovered being used in targeted attacks.

Regulation Impact: NIS2 Patch Management — ENISA Vulnerability Reporting — Browser Security

Google shipped an urgent Chrome 146 update patching two zero-day vulnerabilities that were being actively exploited in targeted attacks. The vulnerabilities allow attackers to manipulate browser data and bypass Chrome's security sandbox restrictions, potentially achieving remote code execution on victim machines.

Chrome zero-days are high-value targets for both nation-state actors and commercial spyware vendors. Google's Threat Analysis Group (TAG) has consistently attributed Chrome zero-day exploitation to surveillance vendors selling to governments — a practice the EU has increasingly scrutinized.

With Chrome commanding over 65% of global browser market share, these vulnerabilities represent an enormous attack surface. Every unpatched Chrome installation — on desktops, laptops, and Android devices — is a potential entry point.

Browser Zero-Days and Regulatory Response

⚡ DACH Takeaway

All DACH organizations — especially NIS2 essential entities — must verify Chrome 146 deployment across their environments immediately. German federal agencies should follow BSI guidance on browser hardening. Swiss financial institutions must document Chrome patch timelines for FINMA audit readiness. Enterprise Chrome management policies should target sub-24-hour deployment for actively exploited zero-days.


🐉 Chinese State-Backed APT Targets Southeast Asian Militaries with Custom Malware

Regulation Impact: NIS2 Defense Sector — EU Cyber Diplomacy — NATO Cyber Defense

Palo Alto Networks Unit 42 has uncovered a long-running Chinese state-backed cyber espionage campaign targeting Southeast Asian military organizations, tracked as CL-STA-1087. The operation, active since at least 2020, deployed two previously unknown malware families — AppleChris and MemFun — specifically designed for military intelligence collection.

Unlike bulk data exfiltration campaigns, CL-STA-1087 demonstrated "strategic operational patience" — the attackers carefully searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces. This targeting of Western military cooperation documents has direct implications for NATO and EU defense partnerships.

The campaign used carefully crafted delivery methods, advanced defense evasion techniques, stable operational infrastructure, and custom tooling — hallmarks of a well-resourced, state-directed operation rather than opportunistic cybercrime.

Implications for EU Defense and Cyber Diplomacy

⚡ DACH Takeaway

Germany's Bundeswehr Cyber and Information Domain Service (CIR) should assess whether similar APT activity targets German military cooperation programs in Southeast Asia. Switzerland's defense sector, though neutral, maintains partnerships that could be intelligence targets. Austrian defense cooperation with EU PESCO projects may also be in scope. DACH defense contractors should hunt for AppleChris and MemFun indicators of compromise published by Unit 42.


🏢 HPE AOS-CX Critical Vulnerability Allows Remote Admin Password Reset

Regulation Impact: NIS2 Network Security — CRA Device Security — KRITIS

A critical vulnerability in HPE Aruba AOS-CX network switches allows remote, unauthenticated attackers to reset administrator passwords, effectively taking complete control of enterprise network infrastructure. The flaw bypasses existing authentication controls entirely — no credentials required.

HPE Aruba AOS-CX powers enterprise campus networks, data centers, and branch offices worldwide. A vulnerability that allows unauthenticated admin password reset is as severe as network security flaws get: an attacker who can reach the management interface can take over the entire switching infrastructure.

Network Infrastructure Under NIS2

⚡ DACH Takeaway

DACH enterprises running HPE Aruba AOS-CX should patch immediately and audit management interface exposure. Verify that switch management planes are on isolated management VLANs not reachable from user networks. German KRITIS operators must document remediation timelines. The BSI should add this to its actively exploited vulnerability advisories.


☕ Starbucks Employee Data Breach via Phishing Attack

Regulation Impact: GDPR Employee Data — NIS2 Incident Reporting — Social Engineering

Starbucks has disclosed a data breach affecting employee personal information after phishing attacks targeted an internal employee portal. The incident affected hundreds of employees, with attackers using social engineering to compromise login credentials for the portal.

While Starbucks is a US company, the breach has implications for its European operations — Starbucks operates thousands of locations across the EU and employs tens of thousands of workers subject to GDPR protections.

Employee Data Protection Under GDPR

⚡ DACH Takeaway

DACH organizations should use this breach as a prompt to audit their own employee portal security. Verify MFA enforcement on all HR and employee self-service systems. German works councils (Betriebsräte) have co-determination rights on employee data processing — a breach of employee data requires works council notification in addition to DPA reporting. Swiss employers must comply with the revised FADP's breach notification requirements.