← Retour au blog sécurité
Briefing sécurité 6 mars 2026 7 min de lecture

Mars 2026 Briefing sécurité: Chinese APT Telco Attacks, iOS Coruna Exploits & Major Forum Takedowns

Chinese state hackers déployer new malware toolkit targeting South American telecoms. Nation-state iOS kit d'exploiteration "Coruna" now powers crypto theft campagnes. FBI dismantles LeakBase forum with 142,000 cybercriminals. Cisco SD-WAN vulnérabilités activement exploiteré. 90 zero-days exploitered in 2025.


🎯 Chinese APT UAT-9244 Cibles South American Telecoms

Critique — Nation-State APT Campaign

A China-linked menace persistante avancée actor UAT-9244 has been conducting an ongoing campagne against telecommunication service providers in South America since 2024, compromising Windows, Linux, and réseau-edge devices with a sophistiqué new malware toolkit.

Attack Profile

Why it matters: Telecommunications infrastructure represents critical national security interests. Persistent access to telco réseaux enables mass surveillance, call interception, SMS monitoring, and réseau mapping for future operations.


📱 Coruna iOS Exploit Kit Goes Commercial

A previously undocumented iOS kit d'exploiteration named "Coruna" containing 23 separate exploiters has been identified dans la nature. Originally developed and used by Russian state actors for targeted espionage, the toolkit has now spread to financially motivated acteurs malveillants conducting cryptocurrency theft campagnes.

Détails techniques

Google and iVerify analysis reveals Coruna represents spyware-grade capabilities now accessible to criminal organisations. This marks a concerning trend: étatique kit d'exploiterations migrating to financially motivated cybercrime.

Action: Update all iOS devices to the latest version immédiatement. Avoid clicking links in unsolicited SMS messages. Review installed configuration profiles.


🚨 FBI Dismantles LeakBase Cybercrime Forum

A joint FBI and Europol operation has seized LeakBase, one of the world's largest online forums for trading stolen identifiants, hacked base de donnéess, and cybercrime tools.

Operation Impact

Law Enforcement Message

"All forum content, including users' accounts, posts, credit details, private messages, and IP logs, has been secured and preserved for evidentiary purposes." — FBI Seizure Banner

Context: This follows the recent takedown of Tycoon 2FA, a phishing-as-a-service platform that sent fraudulent emails to over 500,000 organisations monthly. Combined, these operations represent significant disruption to the cybercrime ecosystem.


🔥 Cisco SD-WAN Flaws Actively Exploited

Cisco has flagged two Catalyst SD-WAN Manager vulnérabilités as activement exploiteré dans la nature:

Risk Assessment

SD-WAN infrastructure is déployé at the réseau perimeter of thousands of entreprise réseaux. Successful exploiteration provides attackers with:

Immediate action required: Cisco customers must upgrade Catalyst SD-WAN Manager to corrigé versions immédiatement. These vulnérabilités are confirmé under exploiteration active.


📊 2025 Zero-Day Landscape: 90 Exploited Vulnérabilités

Google Renseignement sur les menaces Group (GTIG) tracked 90 zero-day vulnérabilités exploitered in attacks throughout 2025 — almost half targeting entreprise software and appliances.

Key Findings

Trend alert: The shift toward entreprise appliances (VPNs, pare-feux, SD-WAN, réseau management) reflects attacker focus on réseau perimeter devices that provide persistent access and are difficult to corriger.


🛡️ Additional Menace Activity

Dust Specter Cibles Iraqi Gouvernement

Iran-nexus acteur malveillant Dust Specter targeted Iraqi Ministry of Foreign Affairs officials with new malware strains: SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The campagne used compromis Iraqi gouvernement infrastructure to stage payloads and employed checksum-based C2 validation and geofencing techniques.

Wikipedia Self-Propagating Worm

Wikimedia Foundation suffered a incident de sécurité involving a self-propagating JavaScript worm that vandalized pages and modified user scripts across multiple wikis. The worm exploitered Cross-Site Scripting (XSS) vectors in user-editable content.

Fake OpenClaw Malware Campaign

Bing AI search results promoted fake OpenClaw GitHub repositories containing information-stealing malware. The campagne instructed users to run commands that déployé credential stealers and proxy malware.

WordPress Plugin Exploitation

Attackers exploiterent activement a vulnérabilité critique in the User Registration & Membership plugin (60,000+ installations) to create non autorisé WordPress admin accounts.


🎯 Actions recommandées

  1. Immediate: Correctif Cisco Catalyst SD-WAN Manager (CVE-2026-20128, CVE-2026-20122)
  2. Immediate: Update all iOS devices to latest version (Coruna exploiters)
  3. Cette semaine: Review réseau perimeter devices for accès non autorisé
  4. Cette semaine: Audit WordPress installations for User Registration plugin
  5. En continu: Monitor telco infrastructure for UAT-9244 indicators of compromise
  6. En continu: Implement zero-trust architecture to limit lateral movement from compromis edge devices

Protégez votre organisation avec KENSAI

alimenté par l'IA vulnérabilité intelligence with 331,910+ CVEs indexed. Get real-time threat alerts tailored to your infrastructure.

Start Free Trial

Stay secure. Stay vigilant.

🗡️ Équipe de sécurité KENSAI

6 mars 2026