← Zurück zum Sicherheitsblog
Sicherheitsbriefing 6. März 2026 7 Min. Lesezeit

März 2026 Sicherheitsbriefing: Chinese APT Telco Attacks, iOS Coruna Exploits & Major Forum Takedowns

Chinese state hackers bereitstellen new Malware toolkit targeting South American telecoms. Nation-state iOS Exploit-Kit "Coruna" now powers crypto theft Kampagnen. FBI dismantles LeakBase forum with 142,000 cybercriminals. Cisco SD-WAN Schwachstellen aktiv ausgenutzt. 90 Zero-Days ausnutzened in 2025.


🎯 Chinese APT UAT-9244 Ziels South American Telecoms

Kritisch — Nation-State APT Campaign

A China-linked Advanced Persistent Bedrohung actor UAT-9244 has been conducting an ongoing Kampagne against telecommunication service providers in South America since 2024, compromising Windows, Linux, and Netzwerk-edge devices with a ausgeklügelt new Malware toolkit.

Attack Profile

Why it matters: Telecommunications infrastructure represents critical national security interests. Persistent access to telco Netzwerke enables mass surveillance, call interception, SMS monitoring, and Netzwerk mapping for future operations.


📱 Coruna iOS Exploit Kit Goes Commercial

A previously undocumented iOS Exploit-Kit named "Coruna" containing 23 separate ausnutzens has been identified in freier Wildbahn. Originally developed and used by Russian state actors for targeted espionage, the toolkit has now spread to financially motivated Bedrohungsakteure conducting cryptocurrency theft Kampagnen.

Technische Details

Google and iVerify analysis reveals Coruna represents spyware-grade capabilities now accessible to criminal Organisationen. This marks a concerning trend: staatlich unterstützt Exploit-Kits migrating to financially motivated cybercrime.

Action: Update all iOS devices to the latest version sofort. Avoid clicking links in unsolicited SMS messages. Review installed configuration profiles.


🚨 FBI Dismantles LeakBase Cybercrime Forum

A joint FBI and Europol operation has seized LeakBase, one of the world's largest online forums for trading stolen Zugangsdaten, hacked Datumnbanks, and cybercrime tools.

Operation Auswirkung

Law Enforcement Message

"All forum content, including users' accounts, posts, credit details, private messages, and IP logs, has been secured and preserved for evidentiary purposes." — FBI Seizure Banner

Context: This follows the recent takedown of Tycoon 2FA, a phishing-as-a-service platform that sent fraudulent emails to over 500,000 Organisationen monthly. Combined, these operations represent significant disruption to the cybercrime ecosystem.


🔥 Cisco SD-WAN Flaws Actively Exploited

Cisco has flagged two Catalyst SD-WAN Manager Schwachstellen as aktiv ausgenutzt in freier Wildbahn:

Risk Assessment

SD-WAN infrastructure is bereitgestellt at the Netzwerk perimeter of thousands of Unternehmen Netzwerke. Successful Ausnutzung provides attackers with:

Immediate action required: Cisco customers must upgrade Catalyst SD-WAN Manager to gepatchent versions sofort. These Schwachstellen are bestätigt under aktive Ausnutzung.


📊 2025 Zero-Day Landscape: 90 Exploited Schwachstellen

Google Bedrohungsanalyse Group (GTIG) tracked 90 Zero-Day Schwachstellen ausnutzened in attacks throughout 2025 — almost half targeting Unternehmen software and appliances.

Key Findings

Trend alert: The shift toward Unternehmen appliances (VPNs, Firewalls, SD-WAN, Netzwerk management) reflects attacker focus on Netzwerk perimeter devices that provide persistent access and are difficult to patchen.


🛡️ Additional Bedrohung Activity

Dust Specter Ziels Iraqi Regierung

Iran-nexus Bedrohungsakteur Dust Specter targeted Iraqi Ministry of Foreign Affairs officials with new Malware strains: SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The Kampagne used kompromittiert Iraqi Regierung infrastructure to stage payloads and employed checksum-based C2 validation and geofencing techniques.

Wikipedia Self-Propagating Worm

Wikimedia Foundation suffered a Sicherheitsvorfall involving a self-propagating JavaScript worm that vandalized pages and modified user scripts across multiple wikis. The worm ausnutzened Cross-Site-Scripting (XSS) vectors in user-editable content.

Fake OpenClaw Malware Campaign

Bing AI search results promoted fake OpenClaw GitHub repositories containing information-stealing Malware. The Kampagne instructed users to run commands that bereitgestellt credential stealers and proxy Malware.

WordPress Plugin Exploitation

Attackers nutzen aktiv aus a kritische Schwachstelle in the User Registration & Membership plugin (60,000+ installations) to create unbefugt WordPress admin accounts.


🎯 Empfohlene Maßnahmen

  1. Immediate: Patch Cisco Catalyst SD-WAN Manager (CVE-2026-20128, CVE-2026-20122)
  2. Immediate: Update all iOS devices to latest version (Coruna ausnutzens)
  3. Diese Woche: Review Netzwerk perimeter devices for unbefugter Zugriff
  4. Diese Woche: Audit WordPress installations for User Registration plugin
  5. Laufend: Monitor telco infrastructure for UAT-9244 indicators of compromise
  6. Laufend: Implement zero-trust architecture to limit lateral movement from kompromittiert edge devices

Schützen Sie Ihre Organisation mit KENSAI

KI-gestützt Schwachstelle intelligence with 331,910+ CVEs indexed. Get real-time threat alerts tailored to your infrastructure.

Start Free Trial

Stay secure. Stay vigilant.

🗡️ KENSAI Sicherheitsteam

6. März 2026