🛡️ KENSAI Security Intelligence
Executive Summary
- Ericsson US breached via service provider hack — employee and customer data stolen
- Cisco SD-WAN 0-day (CVE-2026-20127) now widely exploited with public PoC
- CISA adds iOS exploit kit flaws — Coruna kit targets 23 vulnerabilities (iOS 13–17.2.1)
- Russian state hackers targeting Signal & WhatsApp accounts of government officials
- ShinyHunters actively exploiting Salesforce Aura bug for data theft
- FBI investigating suspicious activity on sensitive surveillance system
- OpenAI launches Codex Security — AI agent scanned 1.2M commits, found 10.5K high-severity issues
🔓 Data Breaches & Incidents
Ericsson US Discloses Data Breach After Service Provider Hack
Ericsson Inc. (US subsidiary) confirmed attackers stole employee and customer data after compromising one of its third-party service providers. The breach scope remains undisclosed. This is another supply-chain attack highlighting vendor risk management failures.
ShinyHunters Exploiting Salesforce Aura for Active Data Theft
Salesforce is warning customers about misconfigured Experience Cloud platforms granting guest users excessive data access. The ShinyHunters extortion gang claims to be exploiting a new vulnerability to actively steal data from Salesforce instances beyond the misconfiguration issue.
FBI Investigating Breach of Sensitive Surveillance System
The FBI is investigating "suspicious" cyber activity on a system holding sensitive surveillance information. The bureau notified Congress and is working to determine scope and impact. Details remain classified.
UNC4899 (North Korea) Breached Crypto Firm via AirDrop Trojan
North Korean threat actor UNC4899 (aka Jade Sleet/TraderTraitor) compromised a cryptocurrency organization by social-engineering a developer into AirDropping a trojanized file to their work device. Attackers pivoted to cloud infrastructure using living-off-the-cloud techniques to steal millions in cryptocurrency.
🚨 Critical CVEs & Vulnerabilities
Cisco Catalyst SD-WAN — Actively Exploited Zero-Day
Maximum-severity vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager. Public PoC exploit released. WatchTowr reports widespread exploitation from numerous unique IPs. Allows authentication bypass and root access. Patch immediately.
Nginx UI — Unauthenticated Backup Download & Decryption
Critical vulnerability in Nginx UI allows unauthenticated attackers to download and decrypt full system backups, exposing configuration files, credentials, and sensitive data.
AVideo Platform — Zero-Click Command Injection
Maximum-severity zero-click flaw in AVideo open-source video hosting platform allows attackers to execute arbitrary commands on streaming servers without any user interaction.
MongoDB — Unauthenticated Server Crash
CVSS 7.5 vulnerability allows unauthenticated attackers to crash exposed MongoDB servers using minimal bandwidth. Discovered by Cato CTRL researchers.
WordPress Membership Plugin — Admin Account Creation
User Registration & Membership plugin for WordPress allows unauthenticated attackers to bypass security controls and create administrator accounts.
CISA Adds Coruna iOS Exploit Kit Flaws to KEV
Nation-state-grade iOS exploit kit ("Coruna") targets 23 vulnerabilities affecting iOS 13 through 17.2.1. CISA added these to the Known Exploited Vulnerabilities catalog on March 5. Active exploitation confirmed.
Cisco Secure Firewall Management Center — RCE & Auth Bypass
Two separate critical advisories for Cisco FMC: one enabling remote code execution (maximum severity), another allowing unauthenticated authentication bypass.
ExifTool Flaw — Malicious Images Trigger Code Execution on macOS
Kaspersky researchers discovered a vulnerability where malicious images can trigger code execution on macOS via ExifTool, challenging assumptions about macOS malware immunity.
Google Chrome Emergency Update — 10 Security Fixes
Google pushed Chrome Stable to 145.0.7632.159, fixing 10 security vulnerabilities including critical issues.
🕵️ Threat Actors & Campaigns
Russian State Hackers Hijacking Signal & WhatsApp Accounts
Dutch government issued a warning: Russian state-sponsored hackers are running a phishing campaign targeting government officials, military personnel, and journalists to hijack their Signal and WhatsApp accounts and access encrypted messages.
CL-UNK-1068 — Chinese Espionage Across Asian Critical Infrastructure
Palo Alto Unit 42 uncovered a years-long Chinese espionage campaign (CL-UNK-1068) targeting aviation, energy, government, pharma, and telecom sectors across South, Southeast, and East Asia. Uses custom malware, modified open-source tools, and LOLBINs for persistence.
Microsoft Teams Phishing Delivers A0Backdoor Malware
Attackers contacted employees at financial and healthcare organizations via Microsoft Teams, tricking them into granting remote access through Quick Assist to deploy a new malware strain called "A0Backdoor."
ClickFix Attack Uses Windows Terminal to Evade Detection
New variant of fake CAPTCHA phishing pages now instructs victims to paste malicious commands in Windows Terminal instead of the Run dialog, evading traditional detection methods.
100+ GitHub Repos Distributing BoryptGrab Stealer
Over 100 GitHub repositories are distributing the BoryptGrab information stealer, targeting browser data, cryptocurrency wallets, system information, and user files.
Chrome Extensions Turn Malicious After Ownership Transfer
Two Chrome extensions (QuickLens, ShotBird) turned malicious after ownership transfer, enabling code injection and data theft for ~7,800 users. Highlights the ongoing supply-chain risk in browser extension ecosystems.
Malicious npm Package Deploys RAT (Credential Stealer)
JFrog discovered a malicious npm package stealing system credentials, browser data, crypto wallets, SSH keys, Apple Keychain, and iMessage history. Installs persistent RAT with SOCKS5 proxy and live browser session cloning. 178 downloads before discovery.
Mail2Shell — FreeScout Help Desk Zero-Click RCE
Critical zero-click vulnerability in FreeScout open-source help desk allows attackers to hijack mail servers simply by sending a crafted email — no user interaction required.
🔧 Security Tools & Industry Updates
OpenAI Launches Codex Security Agent
OpenAI rolled out Codex Security — an AI-powered security agent that finds, validates, and proposes fixes for vulnerabilities. In preview, it scanned 1.2 million commits and found 10,561 high-severity issues. Available to ChatGPT Pro/Enterprise/Business/Edu users. Free for the first month.
Google: Cloud Attacks Shifting from Weak Credentials to Vulnerability Exploitation
Google's H1 2026 Cloud Threat Horizons Report reveals attackers are increasingly exploiting newly disclosed third-party software flaws (not just weak creds) to compromise cloud environments. The exploitation window has shrunk from weeks to days.
Cybersecurity M&A: 42 Deals in February 2026
Major deals announced by Check Point, Booz Allen, Proofpoint, Sophos, Palo Alto Networks, and Zscaler. Consolidation continues at an aggressive pace in the cybersecurity market.
ArmorCode Raises $16M for Exposure Management
ArmorCode secured $16M to accelerate platform development for application security posture management and exposure management.
Trump Cyber Strategy: Adversaries, CI, Emerging Tech
The new US Cyber Strategy calls for stronger deterrence against cyber adversaries, modernization of federal networks, protection of critical infrastructure, and investment in AI and post-quantum cryptography.
EU Court: Banks Must Immediately Refund Phishing Victims
The EU Court of Justice Advocate General issued a formal opinion suggesting banks must immediately refund victims of phishing-related unauthorized transactions. Could become binding precedent across all EU member states.
📊 Emerging Threat Patterns
Key Trends This Week
1. Supply Chain Attacks Accelerating: Malicious npm packages, Chrome extension ownership transfers, and service provider compromises (Ericsson) — three different supply chain vectors in 24 hours. Trust chains are the new attack surface.
2. Cloud Exploitation Window Shrinking: Google's report confirms attackers are exploiting newly disclosed vulnerabilities within days, not weeks. Patching SLAs need to be measured in hours for cloud-exposed services.
3. Messaging App Targeting by Nation-States: Russian APTs specifically targeting Signal and WhatsApp for account hijacking. Encrypted messengers are high-value targets for espionage, not safe havens.
4. AI Security Tools Going Mainstream: OpenAI's Codex Security launch (1.2M commits scanned) signals AI-powered vulnerability detection is moving from niche to default DevSecOps tooling. Direct competition for KENSAI's market.
5. Cisco Infrastructure Under Siege: SD-WAN 0-day, Firewall Management RCE, and auth bypass — Cisco products are seeing a cluster of critical vulnerabilities. Organizations with Cisco infrastructure need emergency patching cycles.