剣 KENSAI
← Back to archive

🛡️ KENSAI Security Intelligence

Tuesday, March 10, 2026 · Daily Threat Briefing

Executive Summary

  • Ericsson US breached via service provider hack — employee and customer data stolen
  • Cisco SD-WAN 0-day (CVE-2026-20127) now widely exploited with public PoC
  • CISA adds iOS exploit kit flaws — Coruna kit targets 23 vulnerabilities (iOS 13–17.2.1)
  • Russian state hackers targeting Signal & WhatsApp accounts of government officials
  • ShinyHunters actively exploiting Salesforce Aura bug for data theft
  • FBI investigating suspicious activity on sensitive surveillance system
  • OpenAI launches Codex Security — AI agent scanned 1.2M commits, found 10.5K high-severity issues

🔓 Data Breaches & Incidents

HIGH IMPACT

Ericsson US Discloses Data Breach After Service Provider Hack

Ericsson Inc. (US subsidiary) confirmed attackers stole employee and customer data after compromising one of its third-party service providers. The breach scope remains undisclosed. This is another supply-chain attack highlighting vendor risk management failures.

CRITICAL

ShinyHunters Exploiting Salesforce Aura for Active Data Theft

Salesforce is warning customers about misconfigured Experience Cloud platforms granting guest users excessive data access. The ShinyHunters extortion gang claims to be exploiting a new vulnerability to actively steal data from Salesforce instances beyond the misconfiguration issue.

HIGH IMPACT

FBI Investigating Breach of Sensitive Surveillance System

The FBI is investigating "suspicious" cyber activity on a system holding sensitive surveillance information. The bureau notified Congress and is working to determine scope and impact. Details remain classified.

Source: SecurityWeek
HIGH IMPACT

UNC4899 (North Korea) Breached Crypto Firm via AirDrop Trojan

North Korean threat actor UNC4899 (aka Jade Sleet/TraderTraitor) compromised a cryptocurrency organization by social-engineering a developer into AirDropping a trojanized file to their work device. Attackers pivoted to cloud infrastructure using living-off-the-cloud techniques to steal millions in cryptocurrency.

🚨 Critical CVEs & Vulnerabilities

CVSS 10.0 CVE-2026-20127

Cisco Catalyst SD-WAN — Actively Exploited Zero-Day

Maximum-severity vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager. Public PoC exploit released. WatchTowr reports widespread exploitation from numerous unique IPs. Allows authentication bypass and root access. Patch immediately.

CRITICAL CVE-2026-27944

Nginx UI — Unauthenticated Backup Download & Decryption

Critical vulnerability in Nginx UI allows unauthenticated attackers to download and decrypt full system backups, exposing configuration files, credentials, and sensitive data.

CRITICAL CVE-2026-29058

AVideo Platform — Zero-Click Command Injection

Maximum-severity zero-click flaw in AVideo open-source video hosting platform allows attackers to execute arbitrary commands on streaming servers without any user interaction.

HIGH CVE-2026-25611

MongoDB — Unauthenticated Server Crash

CVSS 7.5 vulnerability allows unauthenticated attackers to crash exposed MongoDB servers using minimal bandwidth. Discovered by Cato CTRL researchers.

CRITICAL CVE-2026-1492

WordPress Membership Plugin — Admin Account Creation

User Registration & Membership plugin for WordPress allows unauthenticated attackers to bypass security controls and create administrator accounts.

CRITICAL iOS EXPLOIT KIT

CISA Adds Coruna iOS Exploit Kit Flaws to KEV

Nation-state-grade iOS exploit kit ("Coruna") targets 23 vulnerabilities affecting iOS 13 through 17.2.1. CISA added these to the Known Exploited Vulnerabilities catalog on March 5. Active exploitation confirmed.

Source: SecurityWeek
HIGH

Cisco Secure Firewall Management Center — RCE & Auth Bypass

Two separate critical advisories for Cisco FMC: one enabling remote code execution (maximum severity), another allowing unauthenticated authentication bypass.

HIGH

ExifTool Flaw — Malicious Images Trigger Code Execution on macOS

Kaspersky researchers discovered a vulnerability where malicious images can trigger code execution on macOS via ExifTool, challenging assumptions about macOS malware immunity.

MEDIUM

Google Chrome Emergency Update — 10 Security Fixes

Google pushed Chrome Stable to 145.0.7632.159, fixing 10 security vulnerabilities including critical issues.

🕵️ Threat Actors & Campaigns

RUSSIA APT

Russian State Hackers Hijacking Signal & WhatsApp Accounts

Dutch government issued a warning: Russian state-sponsored hackers are running a phishing campaign targeting government officials, military personnel, and journalists to hijack their Signal and WhatsApp accounts and access encrypted messages.

CHINA APT

CL-UNK-1068 — Chinese Espionage Across Asian Critical Infrastructure

Palo Alto Unit 42 uncovered a years-long Chinese espionage campaign (CL-UNK-1068) targeting aviation, energy, government, pharma, and telecom sectors across South, Southeast, and East Asia. Uses custom malware, modified open-source tools, and LOLBINs for persistence.

SOCIAL ENGINEERING

Microsoft Teams Phishing Delivers A0Backdoor Malware

Attackers contacted employees at financial and healthcare organizations via Microsoft Teams, tricking them into granting remote access through Quick Assist to deploy a new malware strain called "A0Backdoor."

PHISHING

ClickFix Attack Uses Windows Terminal to Evade Detection

New variant of fake CAPTCHA phishing pages now instructs victims to paste malicious commands in Windows Terminal instead of the Run dialog, evading traditional detection methods.

Source: SecurityWeek
MALWARE

100+ GitHub Repos Distributing BoryptGrab Stealer

Over 100 GitHub repositories are distributing the BoryptGrab information stealer, targeting browser data, cryptocurrency wallets, system information, and user files.

Source: SecurityWeek
SUPPLY CHAIN

Chrome Extensions Turn Malicious After Ownership Transfer

Two Chrome extensions (QuickLens, ShotBird) turned malicious after ownership transfer, enabling code injection and data theft for ~7,800 users. Highlights the ongoing supply-chain risk in browser extension ecosystems.

SUPPLY CHAIN

Malicious npm Package Deploys RAT (Credential Stealer)

JFrog discovered a malicious npm package stealing system credentials, browser data, crypto wallets, SSH keys, Apple Keychain, and iMessage history. Installs persistent RAT with SOCKS5 proxy and live browser session cloning. 178 downloads before discovery.

ZERO-CLICK

Mail2Shell — FreeScout Help Desk Zero-Click RCE

Critical zero-click vulnerability in FreeScout open-source help desk allows attackers to hijack mail servers simply by sending a crafted email — no user interaction required.

🔧 Security Tools & Industry Updates

AI SECURITY

OpenAI Launches Codex Security Agent

OpenAI rolled out Codex Security — an AI-powered security agent that finds, validates, and proposes fixes for vulnerabilities. In preview, it scanned 1.2 million commits and found 10,561 high-severity issues. Available to ChatGPT Pro/Enterprise/Business/Edu users. Free for the first month.

CLOUD SECURITY

Google: Cloud Attacks Shifting from Weak Credentials to Vulnerability Exploitation

Google's H1 2026 Cloud Threat Horizons Report reveals attackers are increasingly exploiting newly disclosed third-party software flaws (not just weak creds) to compromise cloud environments. The exploitation window has shrunk from weeks to days.

M&A

Cybersecurity M&A: 42 Deals in February 2026

Major deals announced by Check Point, Booz Allen, Proofpoint, Sophos, Palo Alto Networks, and Zscaler. Consolidation continues at an aggressive pace in the cybersecurity market.

Source: SecurityWeek
FUNDING

ArmorCode Raises $16M for Exposure Management

ArmorCode secured $16M to accelerate platform development for application security posture management and exposure management.

Source: SecurityWeek
POLICY

Trump Cyber Strategy: Adversaries, CI, Emerging Tech

The new US Cyber Strategy calls for stronger deterrence against cyber adversaries, modernization of federal networks, protection of critical infrastructure, and investment in AI and post-quantum cryptography.

Source: SecurityWeek
LEGAL

EU Court: Banks Must Immediately Refund Phishing Victims

The EU Court of Justice Advocate General issued a formal opinion suggesting banks must immediately refund victims of phishing-related unauthorized transactions. Could become binding precedent across all EU member states.

📊 Emerging Threat Patterns

Key Trends This Week

1. Supply Chain Attacks Accelerating: Malicious npm packages, Chrome extension ownership transfers, and service provider compromises (Ericsson) — three different supply chain vectors in 24 hours. Trust chains are the new attack surface.

2. Cloud Exploitation Window Shrinking: Google's report confirms attackers are exploiting newly disclosed vulnerabilities within days, not weeks. Patching SLAs need to be measured in hours for cloud-exposed services.

3. Messaging App Targeting by Nation-States: Russian APTs specifically targeting Signal and WhatsApp for account hijacking. Encrypted messengers are high-value targets for espionage, not safe havens.

4. AI Security Tools Going Mainstream: OpenAI's Codex Security launch (1.2M commits scanned) signals AI-powered vulnerability detection is moving from niche to default DevSecOps tooling. Direct competition for KENSAI's market.

5. Cisco Infrastructure Under Siege: SD-WAN 0-day, Firewall Management RCE, and auth bypass — Cisco products are seeing a cluster of critical vulnerabilities. Organizations with Cisco infrastructure need emergency patching cycles.