ๅ‰ฃ KENSAI
โ˜ฐ
โ† Back to archive

๐Ÿ›ก๏ธ KENSAI Security Intelligence

Daily Threat Briefing โ€” Monday, March 9, 2026 ยท Auto-generated at 04:00 CET

5
Threat Actors
3
Critical CVEs
2
Tool Releases
4
Breaches

โšก TL;DR โ€” Top Stories

  • FBI investigating breach of system holding sensitive surveillance data
  • Cognizant TriZetto breach exposes health data of 3.4M patients
  • Cisco SD-WAN CVE-2026-20127 now widely exploited in the wild
  • Anthropic found 22 Firefox vulns with Claude Opus 4.6 in two weeks
  • Iran's MuddyWater embedded in US banks, airports with new Dindoor backdoor
  • AI-coded malware goes mainstream โ€” Transparent Tribe mass-producing "vibeware"

๐Ÿ”“ Data Breaches & Intrusions

FBI Investigating Breach of Sensitive Surveillance System

Critical US Gov

The FBI is investigating "suspicious" cyber activity on a system containing sensitive surveillance information. The bureau is working to determine scope and impact, per a notification sent to Congress. The compromised system reportedly holds FISA-related data.

Source: SecurityWeek

Cognizant TriZetto Breach Exposes 3.4 Million Patient Records

High Healthcare

Healthcare IT company TriZetto Provider Solutions (a Cognizant subsidiary) suffered a breach exposing sensitive health information of over 3.4 million people. The company develops software used by health insurers and providers across the US.

Transport for London Data Breach Affects 10 Million

High UK Transport

Transport for London (TfL) confirmed a data breach affecting approximately 10 million individuals. Details are emerging in the aftermath of an earlier cyber incident at the UK transit operator.

Source: SecurityWeek

Iranian APT MuddyWater Embedded in US Bank, Airport, Software Company

Critical Nation-State Iran

Broadcom's Symantec discovered Iran-linked MuddyWater (Seedworm) has embedded itself in networks of US banks, airports, a non-profit, and the Israeli arm of a defense/aerospace software company. The campaign uses a new backdoor dubbed "Dindoor" and began in early February 2026, with activity intensifying after US-Israeli strikes on Iran.

๐Ÿ› Critical CVEs & Exploits

CVE-2026-20127 โ€” Cisco Catalyst SD-WAN (Widely Exploited)

Critical Network

WatchTowr reports seeing exploitation attempts from numerous unique IPs targeting this Cisco Catalyst SD-WAN vulnerability. Organizations running affected SD-WAN infrastructure should patch immediately.

Source: SecurityWeek

CISA Adds Hikvision & Rockwell CVSS 9.8 Flaws to KEV Catalog

CVSS 9.8 ICS/OT

CISA added two critical vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2017-7921 (Hikvision improper authentication) and a Rockwell Automation flaw allowing remote ICS hacking. Both have evidence of active exploitation.

CISA Orders Feds to Patch iOS Flaws โ€” Coruna Exploit Kit

High Mobile Spyware

CISA ordered US federal agencies to patch three iOS vulnerabilities targeted by the nation-state-grade "Coruna" exploit kit, which targets 23 vulnerabilities affecting iOS 13 through 17.2.1. Used in cyberespionage and crypto-theft campaigns.

Anthropic Discovers 22 Firefox Vulnerabilities with AI

14 High-Severity Browser

Anthropic's Claude Opus 4.6 found 22 vulnerabilities in Firefox (14 high, 7 moderate, 1 low) in just two weeks โ€” nearly a fifth of all high-severity bugs patched in Firefox in 2025. A use-after-free was detected in just 20 minutes. Fixed in Firefox 148. Anthropic also demonstrated limited exploit generation capability ($4K in API credits, 2 successful exploits out of hundreds of attempts).

๐Ÿ’€ Ransomware & Malware

Termite Ransomware Linked to ClickFix + CastleRAT Attacks

High Ransomware

Velvet Tempest threat group is deploying Termite ransomware using the ClickFix social engineering technique and legitimate Windows utilities to deliver DonutLoader and CastleRAT backdoor. The ClickFix technique continues to evolve across multiple threat actors.

ClickFix Campaigns Proliferate โ€” Now Using Windows Terminal

High Social Engineering

Microsoft disclosed a new ClickFix variant using Windows Terminal (instead of Run dialog) to deploy Lumma Stealer. Separately, a new "InstallFix" variant targets users with fake Claude Code install guides to push infostealers. ClickFix is now the dominant social engineering vector across multiple threat groups.

VOID#GEIST: Multi-Stage Campaign Delivering XWorm, AsyncRAT, Xeno RAT

Malware RAT

Securonix uncovered a multi-stage malware campaign using obfuscated batch scripts to deliver encrypted RAT payloads. Uses legitimate Python runtime and Early Bird APC injection into explorer.exe. Demonstrates the trend toward script-based delivery that mimics legitimate user activity.

100+ GitHub Repos Distributing BoryptGrab Stealer

High Supply Chain

Over 100 GitHub repositories found distributing BoryptGrab stealer targeting browser data, cryptocurrency wallets, system information, and user files. Part of the growing trend of abusing trusted developer platforms for malware delivery.

Source: SecurityWeek

๐Ÿ•ต๏ธ Nation-State & APT Activity

Transparent Tribe โ€” AI-Generated "Vibeware" Mass Production

Pakistan AI-Malware India

Pakistan-aligned Transparent Tribe is using AI coding tools to mass-produce malware implants in lesser-known languages (Nim, Zig, Crystal), hosted on Slack, Discord, Supabase, and Google Sheets. Bitdefender calls this "AI-assisted malware industrialization" โ€” flooding targets with disposable polyglot binaries. A landmark moment in AI-enabled offensive operations.

China-Linked UAT-9244 Targets South American Telecoms

China Telecom APT

Cisco Talos tracks UAT-9244 (linked to FamousSparrow / potential Salt Typhoon overlap) targeting critical telecom infrastructure in South America since 2024. Uses three implants: TernDoor, PeerTime, and BruteEntry across Windows, Linux, and edge devices.

Hackers Abuse .arpa DNS & IPv6 to Evade Phishing Defenses

Evasion Phishing

Threat actors are exploiting the special-use .arpa domain and IPv6 reverse DNS in phishing campaigns to bypass domain reputation checks and email security gateways. A novel evasion technique that circumvents traditional URL filtering.

๐Ÿ”ง Security Tools & Releases

OpenAI Codex Security โ€” AI Vulnerability Scanner

Tool Release AI Security

OpenAI launched Codex Security in research preview โ€” an AI-powered agent that finds, validates, and proposes fixes for vulnerabilities. Scanned 1.2M commits in beta, found 10,561 high-severity issues. Available to ChatGPT Pro/Enterprise/Business/Edu. Free for the first month. Competitive note: Direct competitor to KENSAI's automated scanning capabilities.

ArmorCode Raises $16M for Exposure Management Platform

Funding AppSec

ArmorCode raised $16M to accelerate its exposure management platform development. The company focuses on application security posture management (ASPM) and vulnerability management consolidation.

Source: SecurityWeek

Evervault Raises $25M Series B for Developer Encryption Platform

Funding Data Security

Data security firm Evervault raised $25M (Series B, $46M total) for its developer-focused encryption and orchestration platform. Growing market demand for privacy-by-design solutions.

Source: SecurityWeek

๐Ÿ“Š Emerging Trends & Analysis

Microsoft: Hackers Using AI at Every Stage of Cyberattacks

Trend AI Threats

Microsoft warns that threat actors are increasingly using AI across all stages โ€” reconnaissance, social engineering, malware development, lateral movement, and data exfiltration. AI lowers technical barriers and accelerates attack timelines. Combined with Transparent Tribe's vibeware and Anthropic's Firefox findings, March 2026 marks a clear inflection point for AI in both offense and defense.

Google: Half of 2025's 90 Zero-Days Targeted Enterprises

Trend Zero-Day

Google's annual zero-day analysis reveals 90 exploited zero-days in 2025, with nearly half targeting enterprise products. Spyware vendors and China-linked groups led attribution. The shift toward enterprise targeting underscores the need for proactive vulnerability management.

Source: SecurityWeek

ClickFix Social Engineering โ€” The Dominant Vector of 2026

Trend Social Engineering

ClickFix and its variants (InstallFix, CastleRAT delivery) are now used by at least 3 distinct threat groups (Velvet Tempest, generic Lumma campaigns, fake CLI tool installers). The technique tricks users into running malicious commands by posing as installation or fix procedures. It has become the social engineering technique of choice for 2026.

US Cyber Strategy Update & Pentagon Leadership Changes

Policy US Gov

Trump's new Cyber Strategy emphasizes stronger deterrence, federal network modernization, critical infrastructure protection, and investment in AI + post-quantum cryptography. James "Aaron" Bishop tapped as new Pentagon CISO, replacing David McKeown after 40 years of government service.

Source: SecurityWeek

๐ŸŽฏ KENSAI Relevance

Competitive Intelligence

OpenAI Codex Security launched as a direct competitor in the AI-powered vulnerability scanning space. Key differentiator for KENSAI: Codex focuses on code/commit scanning while KENSAI offers full-stack pentesting (DAST + infrastructure). Position KENSAI as the "complete security assessment" vs. Codex's "code-only" approach.

Content Opportunities

โ€ข "AI vs. AI" blog post โ€” How AI finds vulns (Anthropic/Firefox) and how AI creates malware (Transparent Tribe). KENSAI as the defense side of this arms race.
โ€ข ClickFix awareness guide โ€” Multiple variants now active; write a detection/prevention guide.
โ€ข CVE coverage โ€” CVE-2026-20127 (Cisco SD-WAN) is actively exploited; add to KENSAI's CVE database if not present.

Compiled by KENSAI Security Intelligence ยท kensai.app
Sources: BleepingComputer ยท The Hacker News ยท SecurityWeek ยท CISA
Next report: March 10, 2026 ยท 04:00 CET