๐ก๏ธ KENSAI Security Intelligence
Daily Threat Briefing โ Monday, March 9, 2026 ยท Auto-generated at 04:00 CET
โก TL;DR โ Top Stories
- FBI investigating breach of system holding sensitive surveillance data
- Cognizant TriZetto breach exposes health data of 3.4M patients
- Cisco SD-WAN CVE-2026-20127 now widely exploited in the wild
- Anthropic found 22 Firefox vulns with Claude Opus 4.6 in two weeks
- Iran's MuddyWater embedded in US banks, airports with new Dindoor backdoor
- AI-coded malware goes mainstream โ Transparent Tribe mass-producing "vibeware"
๐ Data Breaches & Intrusions
FBI Investigating Breach of Sensitive Surveillance System
Critical US GovThe FBI is investigating "suspicious" cyber activity on a system containing sensitive surveillance information. The bureau is working to determine scope and impact, per a notification sent to Congress. The compromised system reportedly holds FISA-related data.
Cognizant TriZetto Breach Exposes 3.4 Million Patient Records
High HealthcareHealthcare IT company TriZetto Provider Solutions (a Cognizant subsidiary) suffered a breach exposing sensitive health information of over 3.4 million people. The company develops software used by health insurers and providers across the US.
Transport for London Data Breach Affects 10 Million
High UK TransportTransport for London (TfL) confirmed a data breach affecting approximately 10 million individuals. Details are emerging in the aftermath of an earlier cyber incident at the UK transit operator.
Iranian APT MuddyWater Embedded in US Bank, Airport, Software Company
Critical Nation-State IranBroadcom's Symantec discovered Iran-linked MuddyWater (Seedworm) has embedded itself in networks of US banks, airports, a non-profit, and the Israeli arm of a defense/aerospace software company. The campaign uses a new backdoor dubbed "Dindoor" and began in early February 2026, with activity intensifying after US-Israeli strikes on Iran.
๐ Critical CVEs & Exploits
CVE-2026-20127 โ Cisco Catalyst SD-WAN (Widely Exploited)
Critical NetworkWatchTowr reports seeing exploitation attempts from numerous unique IPs targeting this Cisco Catalyst SD-WAN vulnerability. Organizations running affected SD-WAN infrastructure should patch immediately.
CISA Adds Hikvision & Rockwell CVSS 9.8 Flaws to KEV Catalog
CVSS 9.8 ICS/OTCISA added two critical vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2017-7921 (Hikvision improper authentication) and a Rockwell Automation flaw allowing remote ICS hacking. Both have evidence of active exploitation.
CISA Orders Feds to Patch iOS Flaws โ Coruna Exploit Kit
High Mobile SpywareCISA ordered US federal agencies to patch three iOS vulnerabilities targeted by the nation-state-grade "Coruna" exploit kit, which targets 23 vulnerabilities affecting iOS 13 through 17.2.1. Used in cyberespionage and crypto-theft campaigns.
Anthropic Discovers 22 Firefox Vulnerabilities with AI
14 High-Severity BrowserAnthropic's Claude Opus 4.6 found 22 vulnerabilities in Firefox (14 high, 7 moderate, 1 low) in just two weeks โ nearly a fifth of all high-severity bugs patched in Firefox in 2025. A use-after-free was detected in just 20 minutes. Fixed in Firefox 148. Anthropic also demonstrated limited exploit generation capability ($4K in API credits, 2 successful exploits out of hundreds of attempts).
๐ Ransomware & Malware
Termite Ransomware Linked to ClickFix + CastleRAT Attacks
High RansomwareVelvet Tempest threat group is deploying Termite ransomware using the ClickFix social engineering technique and legitimate Windows utilities to deliver DonutLoader and CastleRAT backdoor. The ClickFix technique continues to evolve across multiple threat actors.
ClickFix Campaigns Proliferate โ Now Using Windows Terminal
High Social EngineeringMicrosoft disclosed a new ClickFix variant using Windows Terminal (instead of Run dialog) to deploy Lumma Stealer. Separately, a new "InstallFix" variant targets users with fake Claude Code install guides to push infostealers. ClickFix is now the dominant social engineering vector across multiple threat groups.
VOID#GEIST: Multi-Stage Campaign Delivering XWorm, AsyncRAT, Xeno RAT
Malware RATSecuronix uncovered a multi-stage malware campaign using obfuscated batch scripts to deliver encrypted RAT payloads. Uses legitimate Python runtime and Early Bird APC injection into explorer.exe. Demonstrates the trend toward script-based delivery that mimics legitimate user activity.
100+ GitHub Repos Distributing BoryptGrab Stealer
High Supply ChainOver 100 GitHub repositories found distributing BoryptGrab stealer targeting browser data, cryptocurrency wallets, system information, and user files. Part of the growing trend of abusing trusted developer platforms for malware delivery.
๐ต๏ธ Nation-State & APT Activity
Transparent Tribe โ AI-Generated "Vibeware" Mass Production
Pakistan AI-Malware IndiaPakistan-aligned Transparent Tribe is using AI coding tools to mass-produce malware implants in lesser-known languages (Nim, Zig, Crystal), hosted on Slack, Discord, Supabase, and Google Sheets. Bitdefender calls this "AI-assisted malware industrialization" โ flooding targets with disposable polyglot binaries. A landmark moment in AI-enabled offensive operations.
China-Linked UAT-9244 Targets South American Telecoms
China Telecom APTCisco Talos tracks UAT-9244 (linked to FamousSparrow / potential Salt Typhoon overlap) targeting critical telecom infrastructure in South America since 2024. Uses three implants: TernDoor, PeerTime, and BruteEntry across Windows, Linux, and edge devices.
Hackers Abuse .arpa DNS & IPv6 to Evade Phishing Defenses
Evasion PhishingThreat actors are exploiting the special-use .arpa domain and IPv6 reverse DNS in phishing campaigns to bypass domain reputation checks and email security gateways. A novel evasion technique that circumvents traditional URL filtering.
๐ง Security Tools & Releases
OpenAI Codex Security โ AI Vulnerability Scanner
Tool Release AI SecurityOpenAI launched Codex Security in research preview โ an AI-powered agent that finds, validates, and proposes fixes for vulnerabilities. Scanned 1.2M commits in beta, found 10,561 high-severity issues. Available to ChatGPT Pro/Enterprise/Business/Edu. Free for the first month. Competitive note: Direct competitor to KENSAI's automated scanning capabilities.
ArmorCode Raises $16M for Exposure Management Platform
Funding AppSecArmorCode raised $16M to accelerate its exposure management platform development. The company focuses on application security posture management (ASPM) and vulnerability management consolidation.
Evervault Raises $25M Series B for Developer Encryption Platform
Funding Data SecurityData security firm Evervault raised $25M (Series B, $46M total) for its developer-focused encryption and orchestration platform. Growing market demand for privacy-by-design solutions.
๐ Emerging Trends & Analysis
Microsoft: Hackers Using AI at Every Stage of Cyberattacks
Trend AI ThreatsMicrosoft warns that threat actors are increasingly using AI across all stages โ reconnaissance, social engineering, malware development, lateral movement, and data exfiltration. AI lowers technical barriers and accelerates attack timelines. Combined with Transparent Tribe's vibeware and Anthropic's Firefox findings, March 2026 marks a clear inflection point for AI in both offense and defense.
Google: Half of 2025's 90 Zero-Days Targeted Enterprises
Trend Zero-DayGoogle's annual zero-day analysis reveals 90 exploited zero-days in 2025, with nearly half targeting enterprise products. Spyware vendors and China-linked groups led attribution. The shift toward enterprise targeting underscores the need for proactive vulnerability management.
ClickFix Social Engineering โ The Dominant Vector of 2026
Trend Social EngineeringClickFix and its variants (InstallFix, CastleRAT delivery) are now used by at least 3 distinct threat groups (Velvet Tempest, generic Lumma campaigns, fake CLI tool installers). The technique tricks users into running malicious commands by posing as installation or fix procedures. It has become the social engineering technique of choice for 2026.
US Cyber Strategy Update & Pentagon Leadership Changes
Policy US GovTrump's new Cyber Strategy emphasizes stronger deterrence, federal network modernization, critical infrastructure protection, and investment in AI + post-quantum cryptography. James "Aaron" Bishop tapped as new Pentagon CISO, replacing David McKeown after 40 years of government service.
๐ฏ KENSAI Relevance
Competitive Intelligence
OpenAI Codex Security launched as a direct competitor in the AI-powered vulnerability scanning space. Key differentiator for KENSAI: Codex focuses on code/commit scanning while KENSAI offers full-stack pentesting (DAST + infrastructure). Position KENSAI as the "complete security assessment" vs. Codex's "code-only" approach.
Content Opportunities
โข "AI vs. AI" blog post โ How AI finds vulns (Anthropic/Firefox) and how AI creates malware (Transparent Tribe). KENSAI as the defense side of this arms race.
โข ClickFix awareness guide โ Multiple variants now active; write a detection/prevention guide.
โข CVE coverage โ CVE-2026-20127 (Cisco SD-WAN) is actively exploited; add to KENSAI's CVE database if not present.
Sources: BleepingComputer ยท The Hacker News ยท SecurityWeek ยท CISA
Next report: March 10, 2026 ยท 04:00 CET