剣 KENSAI
← Back to archive

Daily Threat Briefing

Sunday, March 8, 2026 — 04:00 CET
3
Critical
5
Data Breaches
13
New CVEs
2
Tool Releases
🔓

Major Data Breaches

BREACHCRITICALMar 6, 2026
Healthcare IT provider TriZetto Provider Solutions (a Cognizant subsidiary) disclosed a breach exposing sensitive health data — including medical records, insurance info, and PII — of 3.4 million patients. The breach impacts health insurers and providers using TriZetto's software platform. HIPAA notification underway.
BREACHCRITICALMar 6–7, 2026
The FBI confirmed it is investigating a breach of systems used to manage surveillance warrants and wiretap operations. Congressional notification issued. The scope and attribution remain under investigation, raising serious national security concerns about law enforcement data exposure.
BREACHMar 7, 2026
Transport for London (TfL) disclosed that a data breach affecting its systems has impacted approximately 10 million customer records, including Oyster card data and contact details.
FRAUDMar 6, 2026
A Ghanaian national pleaded guilty to his role in a massive fraud ring that stole over $100 million from US victims through business email compromise (BEC) and romance scams. Multi-year operation targeted businesses and individuals.
RANSOMWAREMar 7, 2026
Russian national Evgenii Ptitsyn, extradited from South Korea in November 2024, pleaded guilty in a US federal court for operating ransomware infrastructure targeting American organizations.
🛡️

Critical CVEs & Vulnerabilities

CISA KEV: Coruna Exploit Kit Targets iOS 13–17.2.1
CRITICALAdded to KEV Mar 6
CISA ordered US federal agencies to patch three iOS vulnerabilities actively exploited by the Coruna exploit kit — a nation-state-grade toolkit targeting 23 iOS vulnerabilities across iOS 13 through 17.2.1. Used in cyberespionage and cryptocurrency theft attacks.
Rockwell ICS Vulnerability — In-the-Wild Exploitation Confirmed
CRITICALICS / OT
A Rockwell Automation vulnerability (disclosed and patched in 2021) enabling remote ICS hacking is now confirmed as actively exploited in the wild. Organizations running unpatched Rockwell systems face immediate risk to industrial control environments.
OpenAI Codex Security — New CVEs Found in Open-Source Software
HIGH13 new CVEs
OpenAI's Codex Security scanner identified 792 critical and 10,561 high-severity findings across 1.2M commits. New CVEs issued for:
  • CVE-2026-24881/82 GnuPG — cryptographic implementation flaws
  • CVE-2025-32988/89 GnuTLS — TLS library vulnerabilities
  • CVE-2025-64175 GOGS — Git hosting server vulnerability
  • CVE-2026-25242 GOGS — additional security issue
  • CVE-2025-35430–36 Thorium — 7 vulnerabilities in CISA's radiation detection tool
100+ GitHub Repos Distributing BoryptGrab Stealer
HIGHSupply Chain
Over 100 malicious GitHub repositories discovered distributing the BoryptGrab stealer malware, targeting browser data, cryptocurrency wallet credentials, system information, and user files. Masquerades as legitimate open-source projects.
⚔️

Ransomware & APT Activity

RANSOMWAREAPTMar 7, 2026
Ransomware group "Velvet Tempest" is deploying Termite ransomware via the ClickFix social engineering technique, using legitimate Windows utilities to side-load DonutLoader and the CastleRAT backdoor. Combines social engineering with LOLBins for defense evasion.
APTCRITICALMar 6, 2026
Iranian APT MuddyWater (Seedworm), affiliated with MOIS, embedded in US banks, airports, a Canadian non-profit, and the Israeli arm of a defense/aerospace software company. New "Dindoor" backdoor deployed. Activity intensified following US/Israeli military strikes on Iran.
APTPakistan-aligned / Targeting India
Pakistan-aligned APT Transparent Tribe using AI coding tools to mass-produce disposable malware implants in Nim, Zig, and Crystal. Leverages Slack, Discord, Supabase, and Google Sheets for C2. Bitdefender calls this "AI-assisted malware industrialization" — flooding targets with polyglot, AI-generated ("vibeware") binaries to overwhelm detection.
HIGHMar 6, 2026
Securonix discovered a multi-stage campaign using obfuscated batch scripts to deliver XWorm, AsyncRAT, and Xeno RAT. Uses embedded Python runtime and Early Bird APC injection into explorer.exe — entirely in-memory execution. Script-based delivery mimics legitimate user activity.
APTChina / Telecom
Cisco Talos tracks China-linked group UAT-9244 (associated with FamousSparrow, overlapping with Salt Typhoon) targeting South American telecom infrastructure since 2024. Three implants deployed: TernDoor, PeerTime, and BruteEntry — targeting Windows, Linux, and edge devices.
🔧

Security Tool Releases & Industry

TOOLMar 7, 2026
OpenAI launched Codex Security in research preview — an agentic security scanner that builds project-level threat models and validates findings in sandboxed environments. Scanned 1.2M commits, found 10,561 high-severity issues with 50%+ reduction in false positives vs. prior iterations. Free for 30 days for ChatGPT Pro/Enterprise/Business users. KENSAI Relevance: Potential competitor in AI-powered vulnerability detection — but operates at code-level, not infrastructure-level like KENSAI.
Starkiller — New Phishing-as-a-Service Platform (Threat Alert)
CRITICALPhishing / MFA Bypass
New PhaaS platform "Starkiller" uses headless Chrome in Docker containers to dynamically proxy real login pages (Apple, Google, Microsoft, etc.), capturing credentials and MFA tokens in real-time. Uses URL "@" trick for visual deception (e.g., login.microsoft.com@malicious.ru). Analyzed by Abnormal AI. Bypasses traditional static phishing detection.
Funding Rounds: ArmorCode ($16M) & Evervault ($25M Series B)
INDUSTRY
ArmorCode raised $16M for its exposure management platform. Evervault raised $25M Series B (total $46M) for developer-focused encryption and data orchestration. Both signal continued investor appetite for AppSec and data security tooling.
📡

Emerging Threat Patterns

AI Weaponization Reaches Critical Mass
TREND
Microsoft warned that hackers are abusing AI "at every stage of cyberattacks" — from reconnaissance to payload generation to post-exploitation. Combined with Transparent Tribe's "vibeware" (AI-mass-produced malware) and fake Claude Code InstallFix attacks, we're seeing three converging patterns:

1. AI-generated malware at scale — APTs using AI tools to produce high-volume disposable implants in exotic languages
2. AI tool impersonation — fake install guides for Claude Code, Codex, and other AI CLIs delivering infostealers
3. AI-powered defense — OpenAI Codex Security entering the market as an AI security agent
Google: Half of 2025's 90 Zero-Days Targeted Enterprises
REPORT
Google's annual zero-day analysis shows that 45 of the 90 zero-days exploited in 2025 targeted enterprise products (not consumers). Spyware vendors and Chinese state actors lead attribution. The shift toward enterprise targeting continues to accelerate — network appliances, security tools, and collaboration platforms are primary targets.
US Cyber Strategy Overhaul Under Trump Administration
POLICY
The new US Cyber Strategy calls for stronger deterrence against cyber adversaries, federal network modernization, critical infrastructure protection mandates, and investment in AI and post-quantum cryptography. New Pentagon CISO James "Aaron" Bishop appointed, replacing David McKeown.

🎯 KENSAI Action Items

  • ClickFix/InstallFix detection: Termite ransomware and fake AI CLI install guides both use ClickFix variants — update detection signatures and blog about this trend
  • Competitive intel: OpenAI Codex Security is now live — differentiate KENSAI's infrastructure-level scanning vs. Codex's code-level approach in marketing materials
  • NIS2 angle: TriZetto healthcare breach (3.4M records) is a perfect case study for NIS2 healthcare compliance content
  • ICS/OT: Rockwell exploitation confirms that unpatched legacy ICS systems remain high-value targets — relevant for KENSAI's infrastructure scanning capabilities
  • Supply chain: 100+ malicious GitHub repos (BoryptGrab) reinforces need for SBOM and dependency scanning — KENSAI feature opportunity