剣 KENSAI
← Back to archive

🛡️ KENSAI Security Intelligence

Daily Threat Briefing — Thursday, March 12, 2026 • 04:00 CET
3
Major Breaches
84
MS Patches (2 Zero-Days)
4
New Malware Families
$32B
Wiz → Google Cloud

💥 Major Breaches & Attacks

CRITICAL Stryker ($25B MedTech) Crippled by Iran-Linked Wiper Attack

Iran-backed hacktivist group Handala (linked to MOIS/Void Manticore) claims to have wiped 200,000+ devices across Stryker's offices in 79 countries. Over 5,000 workers in Ireland sent home. Employee personal phones with Outlook were wiped, login screens defaced with Handala logo. The attack was claimed as retaliation for a Feb. 28 missile strike on an Iranian school.

Source: KrebsOnSecurityBleepingComputer • Mar 11, 2026

HIGH Michelin Confirms 300GB+ Data Breach via Oracle EBS Attack

Tire giant Michelin confirmed a data breach linked to an attack on their Oracle E-Business Suite infrastructure. Cybercriminals have leaked over 300GB of stolen files.

Source: SecurityWeek • Mar 11, 2026

HIGH Bell Ambulance Breach Impacts 238,000 People

Hackers stole personal information including names, Social Security numbers, and driver's license numbers from 238,000 individuals at Bell Ambulance.

Source: SecurityWeek • Mar 11, 2026

MEDIUM Meta Disables 150K Scam Accounts, 21 Arrests in Thailand

Meta took down 150,000+ accounts linked to Southeast Asian scam centers in a coordinated operation with authorities from 12 countries. The Royal Thai Police made 21 arrests. This follows a December 2025 pilot that removed 59,000 accounts.

Source: The Hacker News • Mar 11, 2026

🐛 Critical Vulnerabilities & Patches

CRITICAL Microsoft March Patch Tuesday — 84 Flaws, 2 Public Zero-Days

8 Critical, 76 Important. Key zero-days:

CVE-2026-21262 (CVSS 8.8) — SQL Server elevation of privilege to sysadmin over network
CVE-2026-26127 (CVSS 7.5) — .NET denial-of-service
• 46 privilege escalation, 18 RCE, 10 info disclosure flaws patched

Source: The Hacker News • Mar 11, 2026

CRITICAL n8n RCE Flaw Actively Exploited — CISA Emergency Directive

CISA ordered all federal agencies to patch an actively exploited RCE vulnerability in n8n (popular workflow automation platform). Attackers are exploiting this in the wild.

Source: BleepingComputer • Mar 11, 2026

HIGH SQLi in Elementor Ally Plugin — 400K+ WordPress Sites at Risk

Unauthenticated SQL injection vulnerability in Ally, an Elementor accessibility plugin with 400,000+ installations. Attackers can steal sensitive data without authentication.

Source: BleepingComputer • Mar 11, 2026

HIGH Fortinet, Ivanti, Intel Patch High-Severity Bugs

Patches for arbitrary code execution, privilege escalation, and authentication bypass across FortiGate, Ivanti, and Intel products. FortiGate NGFW appliances are being actively exploited to breach networks and steal service account credentials (AD/LDAP).

Source: SecurityWeekThe Hacker News • Mar 10–11, 2026

MEDIUM ICS Patch Tuesday — Siemens, Schneider, Moxa, Mitsubishi Electric

Industrial control system vendors released new security advisories. Critical infrastructure operators should review and patch immediately.

Source: SecurityWeek • Mar 11, 2026

🦠 New Malware & Threat Campaigns

CRITICAL BlackSanta — New EDR/AV Killer Targeting HR Departments

Russian-speaking threat actor has been targeting HR departments for over a year with a new EDR killer called BlackSanta. It disables antivirus and EDR protections at the kernel level, enabling credential harvesting and data exfiltration.

Source: BleepingComputer • Mar 10, 2026

HIGH KadNap Botnet — 14,000+ Edge Devices Infected

New malware KadNap targets ASUS routers, building a stealth proxy botnet using custom Kademlia DHT protocol. 14,000+ devices infected, 60% in the US. Detected by Lumen's Black Lotus Labs.

Source: The Hacker News • Mar 10, 2026

HIGH PhantomRaven — 88 Malicious NPM Packages Stealing Dev Data

Supply-chain attack campaign PhantomRaven continues to hit npm with 88 malicious packages exfiltrating sensitive data from JavaScript developers.

Source: BleepingComputer • Mar 11, 2026

HIGH BeatBanker Android Malware — Fake Starlink App

New Android banking trojan BeatBanker disguises itself as a Starlink app on fake Google Play Store websites to hijack devices.

Source: BleepingComputer • Mar 10, 2026

MEDIUM "Zombie ZIP" — New Evasion Technique Bypasses EDR/AV

A new technique called Zombie ZIP conceals payloads in specially crafted compressed files to evade antivirus and EDR detection.

Source: BleepingComputer • Mar 10, 2026

🔧 Industry Moves & Security Tools

INFO Google Completes $32B Acquisition of Wiz

Wiz officially joins Google Cloud in the largest cybersecurity acquisition in history. Wiz will maintain its brand within Google Cloud.

Source: SecurityWeek • Mar 11, 2026

INFO OpenAI to Acquire Promptfoo (AI Security Startup)

OpenAI is acquiring Promptfoo ($23M+ raised), a platform for securing LLMs and AI agents. Signal that AI security is becoming a core competency.

Source: SecurityWeek • Mar 11, 2026

INFO Scanner Raises $22M for AI-Powered Threat Hunting

Scanner connects AI agents to security data lakes for interactive investigations, detection engineering, and autonomous response.

Source: SecurityWeek • Mar 11, 2026

INFO Quantro Security Emerges From Stealth ($2.5M)

New startup integrates with existing cybersecurity stacks, ingests and normalizes data, and delivers intelligence to reduce risk.

Source: SecurityWeek • Mar 11, 2026

INFO Senate Confirms Joshua Rudd to Lead NSA & US Cyber Command

The dual-hat leadership arrangement continues with Rudd overseeing both NSA and USCYBERCOM.

Source: SecurityWeek • Mar 11, 2026

📡 Emerging Threat Patterns

HIGH AI Browser Agents Vulnerable to Phishing via "Agentic Blabbering"

Researchers tricked Perplexity's Comet AI Browser into a phishing scam in under 4 minutes. AI browsers' tendency to narrate their reasoning ("Agentic Blabbering") can be exploited to lower security guardrails. Discovered by Guardio.

Source: The Hacker News • Mar 11, 2026

Key Trends Observed

1. Nation-state hacktivism escalating: Iran-linked Handala wiping 200K+ devices at a $25B company shows destructive capability is increasing.

2. Supply chain attacks accelerating: PhantomRaven (npm), FortiGate credential theft, and Oracle EBS exploitation all target the supply chain.

3. EDR/AV evasion maturing: BlackSanta kernel-level EDR killer + Zombie ZIP evasion technique — attackers are specifically designed to defeat defensive tools.

4. AI security becoming M&A hotspot: Google/Wiz ($32B), OpenAI/Promptfoo, Scanner ($22M) — massive capital flowing into AI security.

5. AI agents as attack surface: Agentic browsers phished in minutes — new attack surface that most organizations haven't addressed.

🎯 KENSAI Relevance & Content Opportunities

  • n8n RCE (CISA directive) — KENSAI can detect this in customer environments. Blog post opportunity on workflow automation security.
  • FortiGate exploitation campaign — Perfect NIS2 angle: "Your firewall is being used against you." KENSAI scans detect weak/exposed FortiGate configs.
  • WordPress SQLi (Ally plugin) — 400K sites at risk. KENSAI's DAST capabilities can identify these. Mass-scan content opportunity.
  • AI agent security — OpenAI acquiring Promptfoo validates the AI security market KENSAI operates in. Thought leadership opportunity.
  • Stryker wiper attack — NIS2 compliance angle for healthcare/medtech companies in DACH region.
  • ICS Patch Tuesday — DORA/NIS2 compliance content for industrial operators using Siemens/Schneider.