← 블로그로 돌아가기
보안 브리핑 8분 읽기 2026년 3월 10일

Teams 피싱으로 A0Backdoor 배포, Signal 하이재킹 캠페인, Salesforce Aura 공격

Hackers deploy the new A0Backdoor 악성코드 via Microsoft Teams 피싱 campaigns targeting financial and healthcare sectors. Russian GRU-linked actors hijack Signal and WhatsApp accounts of government officials. ShinyHunters actively 익스플로잇s a Salesforce Aura 취약점. Cisco SD-WAN CVE-2026-20127 sees widespread 익스플로잇ation.


1. Microsoft Teams 피싱으로 A0Backdoor 악성코드 배포

🚨 치명적 — 활성 캠페인 Targeting Finance & Healthcare

Threat actors are leveraging Microsoft Teams messages to target employees in the financial and healthcare sectors. After initiating contact via Teams, attackers convince victims to grant remote access through Quick Assist, a legitimate Windows remote-support tool. Once connected, they deploy a previously undocumented 백도어 dubbed A0Backdoor.

The attack chain is notable for its 소셜 엔지니어링 sophistication — attackers impersonate IT support personnel and create urgency around supposed security issues. A0Backdoor provides persistent access, 자격 증명 harvesting, and 횡적 이동 capabilities.

필수 조치: Restrict Quick Assist usage via Group Policy. Educate employees about unsolicited Teams support requests. 모니터링 for unusual remote access tool activity.


2. Google: 클라우드 공격이 자격 증명에서 취약점 악용으로 전환

Google's latest threat intelligence report reveals a significant shift in cloud attack tactics. Hackers are increasingly 익스플로잇ing newly disclosed 취약점 in third-party software rather than relying on weak or stolen 자격 증명s for initial cloud access.

The most alarming finding: the window between 취약점 disclosure and active 익스플로잇ation has shrunk from weeks to just days, sometimes hours. This puts enormous pressure on 보안팀 to patch immediately.

MetricPreviousCurrent
Avg. time to 익스플로잇ation2–4 weeks1–3 days
Top 초기 접근 vectorStolen 자격 증명s취약점 익스플로잇ation
Third-party software involvementModeratePrimary target

3. 러시아 GRU 해커, Signal & WhatsApp 계정 하이재킹

🚨 국가 지원 — Dutch Government Warning

The Dutch government has issued a formal warning about an ongoing Russian 국가 지원 피싱 campaign linked to the GRU (Russian military intelligence). 이 캠페인은 targets government officials, military personnel, and journalists, attempting to hijack their Signal and WhatsApp accounts.

Attackers use sophisticated 소셜 엔지니어링 to trick targets into linking their messaging accounts to attacker-controlled devices. Once compromised, the actors gain full access to encrypted conversations, contacts, and shared media.

필수 조치: Review linked devices in Signal and WhatsApp settings. Enable registration lock on Signal. Brief high-value personnel on this specific threat.


4. Ericsson 미국 데이터 침해

Ericsson's US subsidiary has disclosed a data breach resulting from a compromise of a third-party service provider. Employee and customer data was stolen, including personal identifiable information.

This incident highlights the persistent risk of supply chain attacks — even when your own security is robust, vendors and service providers can become the weak link.


5. ShinyHunters, Salesforce Aura 취약점 악용

⚠️ ACTIVE EXPLOITATION — Salesforce Experience Cloud

The notorious ShinyHunters extortion gang is actively 익스플로잇ing a new bug in Salesforce Experience Cloud (Aura framework) to steal data from misconfigured instances. Organizations with exposed Salesforce Experience Cloud sites 즉각적인 위험에 처해 있습니다.

ShinyHunters has a track record of massive data breaches and typically extorts victims by threatening to leak stolen data. The Salesforce Aura 취약점 allows unauthorized access to sensitive records when instances are improperly configured.

필수 조치: Audit Salesforce Experience Cloud configurations immediately. Review guest user permissions. Check for unexpected data access patterns.


6. 악성 npm 패키지, OpenClaw 사칭

A malicious npm package named @openclaw-ai/openclawai 발견되었습니다 masquerading as a legitimate installer. The package deploys a Remote Access Trojan (RAT) and steals sensitive data from macOS systems including:

The package accumulated 178 downloads before detection. This is a classic supply chain attack 익스플로잇ing the trust in package managers.


7. 북한 UNC4899, 암호화폐 기업 침해

Google's Mandiant attributes a crypto firm breach to UNC4899 (also known as TraderTraitor), a 아니오rth Korean threat group. 공격자는s compromised the target via a trojanized AirDrop file, then pivoted into cloud infrastructure using living-off-the-cloud techniques — abusing legitimate cloud services to blend in with normal activity.

This represents an evolution in 아니오rth Korean cyber operations, demonstrating growing sophistication in cloud-native attack techniques.


8. Chrome 확장 프로그램, 소유권 이전 후 악성화

Two Chrome extensions 발견되었습니다 to turn malicious after their ownership was transferred to new developers. The new owners pushed updates that enabled code injection and 데이터 탈취, affecting users who had the extensions installed with auto-update enabled.

필수 조치: Audit browser extensions across your organization. Implement extension allow-listing. 모니터링 for unexpected extension updates.


9. Cisco Catalyst SD-WAN CVE-2026-20127 광범위 공격 중

🚨 CRITICAL CVE — Active Mass Exploitation

A critical 취약점 in Cisco Catalyst SD-WAN (CVE-2026-20127) is now seeing widespread 익스플로잇ation from numerous IP addresses. 다음을 운영하는 조직은 affected Cisco SD-WAN infrastructure should patch immediately or apply mitigations.

필수 조치: Apply Cisco's 보안 권고 patches immediately. If patching is not possible, implement recommended 임시 해결책s and monitor for 침해 지표(IoC).


10. ClickFix 공격, Windows Terminal로 진화

The ClickFix 소셜 엔지니어링 technique has evolved. Attackers now use fake CAPTCHA pages that instruct victims to paste malicious commands into Windows Terminal instead of the traditional Run dialog. This evasion technique bypasses several security controls that monitor the Run dialog.

The shift to Windows Terminal is significant because it provides a more powerful execution environment and may not be monitored by legacy endpoint detection tools.


11. 추가 헤드라인

기사영향
FBI Investigating Surveillance System BreachFBI probing suspicious cyber activity on a system holding sensitive surveillance information
CISA Adds iOS Flaws to KEVCoruna 익스플로잇 kit targets 23 취약점 across iOS 13–17.2.1; 국가 수준 grade
US Cyber Strategy UpdateNew strategy targets adversaries, critical infrastructure protection, and AI/post-quantum cryptography

KENSAI가 보호하는 방법

Real-time CVE 모니터링ing — CVE-2026-20127 and all critical 취약점 tracked 공개 후 수 시간 내

Supply Chain Analysis — Detect malicious packages like the fake OpenClaw npm installer

Cloud Configuration Auditing — Identify Salesforce misconfigurations before ShinyHunters does

Continuous Attack Surface Management — 모니터링 your exposure across all vectors


권장 조치

  1. 즉시: Patch Cisco SD-WAN CVE-2026-20127. Restrict Quick Assist via Group Policy.
  2. 오늘: Audit Salesforce Experience Cloud configurations. Review linked devices in Signal/WhatsApp.
  3. 이번 주: Audit browser extensions across the organization. Review npm dependencies for malicious packages.
  4. 지속: Implement continuous 취약점 management. Brief staff on Teams 피싱 and ClickFix techniques.

KENSAI로 조직을 보호하세요

AI 기반 취약점 스캐닝 및 지속적 보안 모니터링. 지금 무료 스캔을 시작하세요.

무료 스캔 시작 →

Stay satisfactorily secure. Stay vigilant.

🗡️ KENSAI 보안팀