剣 KENSAI
← All posts · security · 2026-03-13 · 10 min

VENON: First Rust-Based Banking Malware Strikes Brazil, Apple Patches Coruna WebKit Exploit, Russian Hackers Target Signal & WhatsApp

VENON banking trojan — the first Rust-based malware targeting Latin American banks — hits 33 Brazilian financial institutions. Apple releases emergency patches for the Coruna WebKit exploit on legacy iOS. Russian hackers target Signal and WhatsApp accounts of government officials and journalists worldwide. Wiz warns of large-scale OAuth consent abuse. Plus: Cisco IOS XR patches, n8n server takeover, Polyfill supply chain attack linked to North Korea, and Meta disrupts 150K scam accounts.


🦀 VENON: First Rust-Based Banking Trojan Targets 33 Brazilian Banks

⚠️ CRITICAL: NEW MALWARE PARADIGM — RUST-BASED BANKING TROJAN

ZenoX researchers have discovered VENON, the first banking trojan written in Rust targeting Latin American financial institutions. It targets 33 Brazilian banks using DLL side-loading, banking overlay attacks, and LNK hijacking. The developer username "byst4" was leaked, and the malware shows signs of AI-assisted development.

The Latin American banking malware landscape has been dominated by Delphi-based trojans for over a decade — families like Grandoreiro, Casbaneiro, and Mekotio. VENON represents a fundamental paradigm shift: a banking trojan written entirely in Rust, demonstrating that threat actors are modernizing their toolkits with memory-safe, high-performance languages.

Discovered by researchers at ZenoX, VENON employs a sophisticated multi-stage attack chain:

Why Rust Matters for Malware

The shift to Rust is strategically significant for several reasons:

The leak of the developer username "byst4" provides a potential attribution lead, but also suggests operational security failures within the malware development team.

🛡️ Recommendations for Financial Institutions

  • Update detection rules: Ensure EDR solutions can detect Rust-compiled binaries with banking overlay behavior
  • DLL side-loading prevention: Implement application whitelisting and monitor for unsigned DLL loading from unexpected paths
  • LNK file monitoring: Alert on modifications to LNK files in startup folders and common locations
  • DORA compliance: Financial entities must report significant ICT-related incidents — a VENON infection qualifies under Article 19
  • NIS2: Banking sector entities must ensure threat intelligence feeds include LatAm-origin malware indicators

🍎 Apple Patches Coruna WebKit Exploit for Legacy iOS Devices

⚠️ CRITICAL: ACTIVELY EXPLOITED WEBKIT VULNERABILITY ON LEGACY iOS

Apple has released iOS 16.7.15 and iOS 15.8.7 to patch WebKit vulnerabilities exploited in the wild through the Coruna exploit. Older devices running iOS 15 and 16 that cannot upgrade to iOS 17/18 were vulnerable to remote code execution through malicious web content.

Apple has released emergency security updates for legacy iOS devices — those still running iOS 15 and iOS 16 because they cannot support newer versions. The patches address WebKit vulnerabilities that were actively exploited through what researchers call the Coruna exploit chain.

This is particularly significant because it affects devices that many organizations assume are "too old to matter" — but in practice, millions of iPhones and iPads in enterprise environments, especially in education, healthcare, and government sectors, still run iOS 15 or 16.

Affected Devices

Why Legacy Device Patching Matters

WebKit vulnerabilities are particularly dangerous because exploitation requires nothing more than visiting a malicious webpage. No app installation, no user interaction beyond clicking a link. The Coruna exploit leverages this to achieve remote code execution on unpatched devices.

🛡️ Immediate Actions

  • Inventory legacy iOS devices: Use MDM to identify all devices running iOS 15.x or 16.x in your fleet
  • Push updates immediately: Deploy iOS 15.8.7 and iOS 16.7.15 through your MDM solution
  • Plan device retirement: Devices stuck on iOS 15/16 should be scheduled for replacement as they represent a growing security liability
  • NIS2 compliance: Asset inventory requirements (Article 21) explicitly include mobile devices — unpatched legacy devices represent non-compliance
  • GDPR: If legacy devices access personal data, unpatched WebKit vulnerabilities represent a failure to implement appropriate technical measures (Article 32)

🕵️ Russian Hackers Target Signal & WhatsApp Accounts Globally

⚠️ CRITICAL: STATE-SPONSORED MESSAGING APP ACCOUNT THEFT

The Netherlands intelligence services MIVD and AIVD have issued a public warning that Russian-linked hackers are actively targeting Signal and WhatsApp accounts of government officials, journalists, and military personnel worldwide. Germany issued a similar warning last month.

Dutch intelligence agencies have revealed a coordinated campaign by Russian state-linked actors to compromise secure messaging accounts. The attackers are using two primary techniques:

Attack Method 1: Fake Signal Support Chatbot

Attackers create a fake Signal Support chatbot that contacts targets claiming to verify their account or assist with a "security issue." The chatbot requests the victim's verification code or PIN, which is then used to register the victim's Signal account on the attacker's device. Once registered, the attacker has full access to all incoming messages.

Attack Method 2: Linked Devices Abuse

Signal's "linked devices" feature — designed to let users access Signal on multiple devices — is being exploited. Attackers trick victims into scanning a QR code that links the attacker's device to the victim's Signal account. This gives the attacker real-time access to all messages without the victim losing access, making detection much harder.

Germany's BSI issued a similar warning last month, confirming this is a Europe-wide campaign with global reach. The targets include diplomats, defense officials, journalists, and NGO workers — anyone whose communications would be of interest to Russian intelligence.

⚠️ WARNING: WhatsApp Also Targeted

The campaign extends beyond Signal to WhatsApp, using similar social engineering techniques to steal verification codes and abuse the multi-device feature. Organizations using WhatsApp for business communications should implement the same defensive measures.

🛡️ Defensive Measures

  • Enable Registration Lock: In Signal, enable the Registration Lock PIN (Settings → Account → Registration Lock) — this prevents account takeover even if the verification code is stolen
  • Audit linked devices regularly: Check Signal Settings → Linked Devices and remove any unfamiliar devices
  • Never share verification codes: Signal, WhatsApp, and other services will never ask for verification codes via chat
  • Be suspicious of QR codes: Never scan QR codes from untrusted sources claiming to be from Signal or WhatsApp
  • NIS2 awareness training: Government and essential sector personnel must receive specific training on secure messaging threats
  • Incident reporting: Report suspected compromises to your national CSIRT immediately

🔑 OAuth Consent Abuse Campaign — Wiz Warns of Large-Scale Token Theft

⚠️ WARNING: 19 MALICIOUS OAuth APPS EXPLOITING CONSENT FATIGUE

Cloud security firm Wiz has identified a large-scale campaign using 19 distinct malicious OAuth applications impersonating Adobe, DocuSign, and OneDrive to steal access tokens. The campaign exploits "consent fatigue" and has been active since early 2025.

Wiz researchers have uncovered an active and large-scale OAuth consent abuse campaign that exploits a fundamental weakness in cloud identity: users have been trained to click "Accept" on consent prompts without reading them.

The attack works as follows:

  1. Victim receives a legitimate-looking email or message referencing a shared document or required application
  2. Clicking the link presents an OAuth consent screen for an app impersonating Adobe Acrobat, DocuSign, or Microsoft OneDrive
  3. The consent screen requests permissions including email access, file read, and profile information
  4. Once the user clicks "Accept," the OAuth access token is sent to the attacker's redirect URL
  5. The attacker now has persistent API access to the victim's cloud account — no password, no MFA bypass needed

This attack is particularly dangerous because it bypasses MFA entirely. The victim authenticates with their own credentials and MFA, then grants the malicious app an access token. The attacker never needs the password.

NIS2 & DORA Implications

🛡️ Mitigation Steps

  • Restrict OAuth consent: In Microsoft 365, configure "User consent for applications" to require admin approval for all third-party apps
  • Audit existing grants: Review all OAuth application grants in your Microsoft Entra ID or Google Workspace admin console
  • Block unverified publishers: Only allow OAuth consent for apps from verified publishers
  • Monitor consent events: Alert on new OAuth application consent events in your SIEM
  • User education: Train users to recognize OAuth consent screens and report suspicious application requests

🌐 Cisco Patches High-Severity IOS XR Vulnerabilities

⚠️ WARNING: ENTERPRISE NETWORK INFRASTRUCTURE AT RISK

Cisco has released patches for high-severity vulnerabilities in IOS XR that could lead to denial of service, command execution, or complete device takeover. These affect enterprise routing and switching infrastructure.

Cisco has published security advisories addressing multiple high-severity vulnerabilities in IOS XR, the operating system powering Cisco's carrier-grade and enterprise routing platforms. These vulnerabilities affect devices at the core of network infrastructure — routers and switches that handle critical traffic flows.

The vulnerabilities could allow attackers to:

Impact on Critical Infrastructure

IOS XR powers Cisco ASR, NCS, and CRS series routers — devices deployed by ISPs, telecoms, data centers, and large enterprises. A successful exploit could disrupt backbone connectivity affecting thousands of downstream users and services.

🛡️ Patch Prioritization

  • Immediate: Patch internet-facing and backbone IOS XR devices within 48 hours
  • Verify exposure: Audit which IOS XR features and services are enabled — disable unnecessary management protocols
  • NIS2: Telecom and digital infrastructure providers are essential entities — mandatory incident reporting and patch management timelines apply
  • Segment management access: Ensure IOS XR management interfaces are only accessible from dedicated out-of-band management networks

🔧 Splunk & Zoom Patch Severe Vulnerabilities

⚠️ WARNING: CRITICAL FLAWS IN WIDELY DEPLOYED ENTERPRISE SOFTWARE

Both Splunk and Zoom have released patches for critical and high-severity vulnerabilities. Splunk flaws allow arbitrary shell command execution. Zoom vulnerabilities enable privilege escalation.

Splunk — used by security operations centers worldwide for log management and SIEM — has patched vulnerabilities that allow authenticated attackers to execute arbitrary shell commands on the Splunk server. Given that Splunk instances typically have access to logs from across the entire infrastructure, a compromised Splunk server gives attackers visibility into the entire security posture.

Zoom has simultaneously released patches for privilege escalation vulnerabilities. With Zoom deployed across virtually every organization for video conferencing, these flaws represent a broad attack surface.

🛡️ Actions Required

  • Splunk: Patch immediately — a compromised SIEM is a catastrophic security event, as attackers can see (and modify) your detection logic
  • Zoom: Push updates through your software deployment pipeline within 7 days
  • Audit Splunk access: Review and restrict which accounts have shell access to Splunk instances
  • DORA: Financial entities using Splunk for ICT risk monitoring must ensure SIEM integrity as part of digital operational resilience

⚡ n8n Critical Vulnerabilities Allow Unauthenticated Server Takeover

⚠️ CRITICAL: UNAUTHENTICATED RCE IN AUTOMATION PLATFORM

Critical vulnerabilities in the n8n workflow automation platform allow unauthenticated attackers to execute arbitrary code, steal credentials, and take over servers. n8n instances often have broad access to internal systems, APIs, and databases.

The n8n open-source workflow automation platform — used for API integration, data pipelines, and business process automation — has critical vulnerabilities that allow unauthenticated attackers to completely compromise n8n servers.

This is particularly dangerous because n8n instances are typically configured with credentials for dozens of connected services — databases, cloud APIs, email servers, CRM systems, and more. A single compromised n8n instance can cascade into breaches across the entire connected infrastructure.

Attack Surface

🛡️ Immediate Actions

  • Identify all n8n instances: Check for both sanctioned and shadow IT deployments (Docker, self-hosted)
  • Patch or isolate: Update immediately or take n8n instances offline until patched
  • Rotate all connected credentials: Assume any credentials stored in n8n may be compromised
  • Network segmentation: n8n instances should never be directly exposed to the internet
  • NIS2: Automation platform compromises that affect essential services must be reported within 24 hours

💉 Ally WordPress Plugin SQL Injection — 200K+ Sites Exposed

⚠️ WARNING: SQL INJECTION AFFECTS 200,000+ WORDPRESS SITES

A SQL injection vulnerability in the Starter Templates by flavor (Starter Templates) WordPress plugin exposes over 200,000 websites to database extraction attacks. Attackers can extract sensitive information including user credentials, personal data, and configuration details.

A critical SQL injection vulnerability has been discovered in a popular WordPress plugin installed on over 200,000 websites. The flaw allows attackers to inject malicious SQL queries to extract sensitive database information — including admin credentials, user personal data, and configuration secrets.

WordPress plugins remain one of the most exploited attack vectors on the web. Many organizations treat their WordPress sites as "just a website" without applying the same security rigor as their core infrastructure — a dangerous oversight given that these sites often process customer data, lead generation forms, and payment information.

🛡️ WordPress Security Steps

  • Update immediately: Check for and apply the latest plugin update
  • Web Application Firewall: Deploy a WAF to block SQL injection attempts
  • Database audit: Check for signs of unauthorized data extraction
  • GDPR: If personal data was exposed, this may trigger a 72-hour breach notification obligation under Article 33
  • Principle of least privilege: Ensure WordPress database users have minimal necessary permissions

🇰🇵 Polyfill Supply Chain Attack Now Linked to North Korea

⚠️ CRITICAL: MAJOR SUPPLY CHAIN ATTACK ATTRIBUTION UPDATE

The 2024 Polyfill.io supply chain attack — which compromised over 100,000 websites — was initially attributed to Chinese threat actors. New evidence from an infostealer infection has now revealed North Korean involvement in the campaign.

The Polyfill.io incident was one of the most significant software supply chain attacks of 2024. The Polyfill.io CDN — used by over 100,000 websites to provide JavaScript polyfills for browser compatibility — was taken over by malicious actors who injected malicious code into the JavaScript served to visitors.

The attack was initially attributed to Chinese entities after the Polyfill.io domain was acquired by a Chinese company. However, new intelligence from an infostealer infection on a device connected to the operation has revealed North Korean involvement — suggesting the campaign may have been a collaboration or that North Korean actors were behind the Chinese front company.

Implications

🛡️ Supply Chain Security Measures

  • Self-host JavaScript libraries: Do not rely on third-party CDNs for critical frontend dependencies
  • Subresource Integrity (SRI): Implement SRI hashes on all externally loaded scripts
  • Content Security Policy: Use strict CSP headers to limit which domains can serve JavaScript to your pages
  • NIS2 supply chain requirements: Article 21(2)(d) mandates supply chain security — this includes frontend JavaScript dependencies

🚔 Meta Launches New Protection Tools, Disrupts 150K Scam Accounts

Meta has announced the disabling of over 150,000 accounts powering scam centers primarily operating out of Southeast Asia. These accounts were linked to pig-butchering scams, romance fraud, and investment fraud operations that have caused billions in losses worldwide.

Alongside the account disruptions, Meta is launching new protection tools designed to identify and warn users about potential scam interactions in real-time. The tools use AI to detect patterns consistent with scam operations, including unusual messaging patterns and financial solicitations.

Enterprise Relevance


🏥 Bell Ambulance Data Breach — 238,000 Individuals Impacted

⚠️ WARNING: HEALTHCARE DATA BREACH AFFECTING 238,000 PEOPLE

Bell Ambulance has disclosed a data breach affecting approximately 238,000 individuals. Stolen data includes Social Security numbers, driver's licenses, and personal health information.

Bell Ambulance, an emergency medical services provider, has confirmed a significant data breach that exposed sensitive personal information of 238,000 individuals. The compromised data includes:

This breach highlights the ongoing vulnerability of healthcare organizations to cyber attacks. Ambulance services and emergency medical providers often operate with legacy IT systems, limited cybersecurity budgets, and high-pressure operational environments that prioritize availability over security.

🛡️ Lessons for Healthcare Organizations

  • Encrypt sensitive data at rest: SSNs and health records must be encrypted even in internal databases
  • Network segmentation: Isolate patient data systems from general IT infrastructure
  • NIS2 healthcare requirements: Healthcare is an essential sector with mandatory security measures and incident reporting
  • GDPR/HIPAA: Cross-border data protection obligations apply — notify affected individuals without undue delay

🏛️ Senate Confirms Joshua Rudd to Lead NSA and US Cyber Command

The U.S. Senate has confirmed Joshua Rudd as the new head of both the National Security Agency (NSA) and U.S. Cyber Command — the "dual-hat" role that combines signals intelligence with military cyber operations. Rudd takes command at a critical time as nation-state cyber threats escalate.

The confirmation comes amid heightened concerns about:

For European organizations, the change in US cyber leadership is relevant because NSA and Cyber Command intelligence sharing with allied nations (through Five Eyes and NATO) directly impacts threat intelligence feeds and defensive capabilities available to European CERTs and security teams.