ๅ‰ฃ KENSAI
โ˜ฐ
โ† Back to archive
KENSAI Intelligence

๐Ÿ›ก๏ธ Daily Security Brief

Saturday, March 7, 2026 ยท Compiled from BleepingComputer, The Hacker News, SecurityWeek

TL;DR: The FBI is investigating a breach of its surveillance/wiretap systems. CISA added iOS zero-days from the Coruna exploit kit to KEV. Chinese APT UAT-9244 hit South American telcos with three new implants. Iranian MuddyWater embedded in US critical infrastructure. A massive healthcare breach exposed 3.4M patient records. AI-generated malware is industrializing threat actor operations.

3
Nation-State Campaigns
3.4M
Records Exposed
23
iOS Vulns (Coruna Kit)
90
2025 Zero-Days (Google)

๐Ÿ”“ Data Breaches & Intrusions

FBI Investigating Breach of Surveillance & Wiretap Systems

The FBI confirmed it is investigating "suspicious cyber activity" on systems used to manage surveillance and wiretap warrants. The breach โ€” first reported by CNN โ€” affected networks handling court-authorized wiretapping and foreign intelligence surveillance. While the FBI says the incident has been "addressed," the scope remains unclear. Possible links to the Salt Typhoon campaign that compromised U.S. telecoms in 2024 are being examined.

Critical U.S. Government

Cognizant TriZetto Breach Exposes 3.4 Million Patient Records

TriZetto Provider Solutions, a Cognizant-owned healthcare IT company serving health insurers and providers, disclosed a breach exposing sensitive health data of over 3.4 million patients. The compromised data includes PII and protected health information (PHI). This is one of the largest healthcare breaches reported in 2026 so far.

Critical Healthcare

Iranian APT MuddyWater Embedded in U.S. Airport, Bank, Software Company

Symantec and Carbon Black researchers discovered MuddyWater (Seedworm), an Iranian MOIS-affiliated APT, has established persistent access inside several U.S. organizations โ€” including banks, airports, and a non-profit โ€” using a new "Dindoor" backdoor. Activity began in February 2026 and escalated after U.S./Israeli strikes on Iran. A software company serving defense and aerospace was also targeted via its Israeli operations.

High Iran / APT

LeakBase Cybercrime Forum Shut Down, Suspects Arrested

The stolen credential marketplace LeakBase, active since 2021 with 142,000 users, has been seized by law enforcement and suspects arrested. The forum specialized in trading leaked credentials and personal data.

Law Enforcement
Source: SecurityWeek

๐Ÿ› Critical CVEs & Exploited Vulnerabilities

CISA Adds 23 iOS Flaws From Coruna Exploit Kit to KEV

CISA ordered federal agencies to patch iOS vulnerabilities exploited by the Coruna exploit kit โ€” a nation-state-grade toolkit targeting 23 vulnerabilities across iOS 13 through 17.2.1. The flaws have been used in cyberespionage and cryptocurrency theft operations. This is a significant escalation in mobile-targeted attacks.

Critical iOS / Mobile KEV

Cisco Catalyst SD-WAN Flaws Exploited in the Wild (CVE-2026-20128 & CVE-2026-20122)

Cisco added two recently patched Catalyst SD-WAN vulnerabilities to its list of exploited-in-the-wild flaws. CVE-2026-20128 and CVE-2026-20122 are being actively targeted. Organizations using Catalyst SD-WAN should patch immediately.

Critical Network Infrastructure
Source: SecurityWeek

Rockwell ICS Vulnerability Now Exploited in Attacks

A Rockwell Automation vulnerability originally disclosed and mitigated in 2021 is now being actively exploited in attacks targeting industrial control systems (ICS). The flaw enables remote hacking of ICS environments, posing risks to critical infrastructure.

Critical ICS / OT
Source: SecurityWeek

Google: Half of 2025's 90 Zero-Days Targeted Enterprises

Google's annual zero-day analysis reveals 90 zero-day vulnerabilities were exploited in the wild in 2025 โ€” with nearly half targeting enterprise products. Spyware vendors and Chinese state actors were the top attributed threat groups. The shift toward enterprise-focused zero-days signals increasing attacker investment in high-value targets.

High Research / Trend
Source: SecurityWeek

๐ŸŒ Nation-State & Espionage Campaigns

Chinese APT UAT-9244 Hits South American Telcos With 3 New Implants

Cisco Talos identified a China-linked APT (UAT-9244, associated with FamousSparrow) targeting South American telecom infrastructure since 2024. Three previously undocumented implants were deployed: TernDoor (Windows), PeerTime/angrypeer (Linux), and BruteEntry (edge devices). The cluster shares tactical overlaps with Salt Typhoon but no definitive link has been established.

China / APT Telecom

Transparent Tribe Uses AI to Mass-Produce Polyglot Malware

Pakistan-aligned Transparent Tribe has adopted AI-assisted coding tools to generate high volumes of "disposable, polyglot binaries" written in Nim, Zig, and Crystal. Implants leverage trusted services (Slack, Discord, Supabase, Google Sheets) for C2. Bitdefender researchers describe this as "AI-assisted malware industrialization" โ€” a shift from sophistication to volume. Targets: India.

Pakistan / APT High

๐Ÿ’€ Malware & Ransomware

Russian Ransomware Operator Pleads Guilty in U.S.

Evgenii Ptitsyn, a Russian national extradited from South Korea in November 2024, has pleaded guilty to ransomware-related charges in a U.S. court. Details of the specific ransomware variant and victim count were not fully disclosed, but the case underscores continued international cooperation against ransomware operators.

Ransomware Law Enforcement
Source: SecurityWeek

VOID#GEIST: Multi-Stage Campaign Delivering XWorm, AsyncRAT, Xeno RAT

Securonix researchers documented a stealthy multi-stage campaign using obfuscated batch scripts to deploy encrypted RAT payloads (XWorm, AsyncRAT, Xeno RAT) via legitimate Python runtimes and Early Bird APC injection into explorer.exe. The technique closely mimics legitimate user activity to evade detection.

High RAT / Malware

Fake Claude Code Install Guides Push Infostealers ("InstallFix")

A new social engineering variation dubbed "InstallFix" tricks users into running malicious commands while supposedly installing legitimate CLI tools like Claude Code. This ClickFix-derivative technique capitalizes on the popularity of AI development tools to distribute information-stealing malware.

High Social Engineering

Wikipedia Hit by Self-Propagating JavaScript Worm

The Wikimedia Foundation suffered a security incident involving a self-propagating JavaScript worm that vandalized pages and spread across the platform. While not a traditional malware attack, the incident demonstrates how trusted platforms remain vulnerable to creative attack vectors.

Web Security

๐Ÿข Security Industry & Funding

ArmorCode Raises $16M for Exposure Management Platform

ArmorCode secured $16 million in funding to accelerate its application security posture management (ASPM) and exposure management platform. The investment will go toward product innovation and go-to-market expansion.

Funding
Source: SecurityWeek

Evervault Raises $25M Series B for Developer Encryption Platform

Data security firm Evervault raised $25 million in Series B funding, bringing its total to $46 million. The developer-focused platform provides encryption and data orchestration capabilities.

Funding
Source: SecurityWeek

Reclaim Security Raises $20M for Remediation Acceleration

Reclaim Security raised $20 million to expand its engineering team, deepen integrations, and accelerate go-to-market for its remediation-focused security platform.

Funding
Source: SecurityWeek

๐Ÿ“Š Emerging Threat Patterns

AI-Assisted Malware Industrialization

Multiple reports this week confirm threat actors are weaponizing AI coding tools โ€” not for sophistication, but for volume. Transparent Tribe's "vibeware" approach floods targets with disposable polyglot binaries. The InstallFix campaign exploits AI tool popularity for social engineering. Bing AI was caught promoting fake OpenClaw repos with info-stealers. The trend is clear: AI lowers the barrier to mass-produce malware and lures.

High Trend

Telecom Infrastructure Under Sustained APT Pressure

Chinese APTs continue to aggressively target global telecom infrastructure. UAT-9244's new toolset (TernDoor, PeerTime, BruteEntry) joins Salt Typhoon's earlier campaigns. With the FBI now investigating breaches of its own wiretap systems, the convergence of telecom and surveillance infrastructure creates compounding risk for national security.

Critical Trend

Enterprise Zero-Days Outpace Consumer Targets

Google's 2025 zero-day report confirms a structural shift: half of 90 exploited zero-days targeted enterprise products (not browsers/mobile). Spyware vendors and state actors are investing more in enterprise attack surfaces โ€” VPNs, SD-WAN appliances, ICS systems โ€” where detection is weaker and impact is higher.

High Trend