🛡️ KENSAI Security Intelligence
💥 Major Breaches & Attacks
CRITICAL Stryker ($25B MedTech) Crippled by Iran-Linked Wiper Attack
Iran-backed hacktivist group Handala (linked to MOIS/Void Manticore) claims to have wiped 200,000+ devices across Stryker's offices in 79 countries. Over 5,000 workers in Ireland sent home. Employee personal phones with Outlook were wiped, login screens defaced with Handala logo. The attack was claimed as retaliation for a Feb. 28 missile strike on an Iranian school.
HIGH Michelin Confirms 300GB+ Data Breach via Oracle EBS Attack
Tire giant Michelin confirmed a data breach linked to an attack on their Oracle E-Business Suite infrastructure. Cybercriminals have leaked over 300GB of stolen files.
HIGH Bell Ambulance Breach Impacts 238,000 People
Hackers stole personal information including names, Social Security numbers, and driver's license numbers from 238,000 individuals at Bell Ambulance.
MEDIUM Meta Disables 150K Scam Accounts, 21 Arrests in Thailand
Meta took down 150,000+ accounts linked to Southeast Asian scam centers in a coordinated operation with authorities from 12 countries. The Royal Thai Police made 21 arrests. This follows a December 2025 pilot that removed 59,000 accounts.
🐛 Critical Vulnerabilities & Patches
CRITICAL Microsoft March Patch Tuesday — 84 Flaws, 2 Public Zero-Days
8 Critical, 76 Important. Key zero-days:
• CVE-2026-21262 (CVSS 8.8) — SQL Server elevation of privilege to sysadmin over network
• CVE-2026-26127 (CVSS 7.5) — .NET denial-of-service
• 46 privilege escalation, 18 RCE, 10 info disclosure flaws patched
CRITICAL n8n RCE Flaw Actively Exploited — CISA Emergency Directive
CISA ordered all federal agencies to patch an actively exploited RCE vulnerability in n8n (popular workflow automation platform). Attackers are exploiting this in the wild.
HIGH SQLi in Elementor Ally Plugin — 400K+ WordPress Sites at Risk
Unauthenticated SQL injection vulnerability in Ally, an Elementor accessibility plugin with 400,000+ installations. Attackers can steal sensitive data without authentication.
HIGH Fortinet, Ivanti, Intel Patch High-Severity Bugs
Patches for arbitrary code execution, privilege escalation, and authentication bypass across FortiGate, Ivanti, and Intel products. FortiGate NGFW appliances are being actively exploited to breach networks and steal service account credentials (AD/LDAP).
MEDIUM ICS Patch Tuesday — Siemens, Schneider, Moxa, Mitsubishi Electric
Industrial control system vendors released new security advisories. Critical infrastructure operators should review and patch immediately.
🦠 New Malware & Threat Campaigns
CRITICAL BlackSanta — New EDR/AV Killer Targeting HR Departments
Russian-speaking threat actor has been targeting HR departments for over a year with a new EDR killer called BlackSanta. It disables antivirus and EDR protections at the kernel level, enabling credential harvesting and data exfiltration.
HIGH KadNap Botnet — 14,000+ Edge Devices Infected
New malware KadNap targets ASUS routers, building a stealth proxy botnet using custom Kademlia DHT protocol. 14,000+ devices infected, 60% in the US. Detected by Lumen's Black Lotus Labs.
HIGH PhantomRaven — 88 Malicious NPM Packages Stealing Dev Data
Supply-chain attack campaign PhantomRaven continues to hit npm with 88 malicious packages exfiltrating sensitive data from JavaScript developers.
HIGH BeatBanker Android Malware — Fake Starlink App
New Android banking trojan BeatBanker disguises itself as a Starlink app on fake Google Play Store websites to hijack devices.
MEDIUM "Zombie ZIP" — New Evasion Technique Bypasses EDR/AV
A new technique called Zombie ZIP conceals payloads in specially crafted compressed files to evade antivirus and EDR detection.
🔧 Industry Moves & Security Tools
INFO Google Completes $32B Acquisition of Wiz
Wiz officially joins Google Cloud in the largest cybersecurity acquisition in history. Wiz will maintain its brand within Google Cloud.
INFO OpenAI to Acquire Promptfoo (AI Security Startup)
OpenAI is acquiring Promptfoo ($23M+ raised), a platform for securing LLMs and AI agents. Signal that AI security is becoming a core competency.
INFO Scanner Raises $22M for AI-Powered Threat Hunting
Scanner connects AI agents to security data lakes for interactive investigations, detection engineering, and autonomous response.
INFO Quantro Security Emerges From Stealth ($2.5M)
New startup integrates with existing cybersecurity stacks, ingests and normalizes data, and delivers intelligence to reduce risk.
INFO Senate Confirms Joshua Rudd to Lead NSA & US Cyber Command
The dual-hat leadership arrangement continues with Rudd overseeing both NSA and USCYBERCOM.
📡 Emerging Threat Patterns
HIGH AI Browser Agents Vulnerable to Phishing via "Agentic Blabbering"
Researchers tricked Perplexity's Comet AI Browser into a phishing scam in under 4 minutes. AI browsers' tendency to narrate their reasoning ("Agentic Blabbering") can be exploited to lower security guardrails. Discovered by Guardio.
Key Trends Observed
1. Nation-state hacktivism escalating: Iran-linked Handala wiping 200K+ devices at a $25B company shows destructive capability is increasing.
2. Supply chain attacks accelerating: PhantomRaven (npm), FortiGate credential theft, and Oracle EBS exploitation all target the supply chain.
3. EDR/AV evasion maturing: BlackSanta kernel-level EDR killer + Zombie ZIP evasion technique — attackers are specifically designed to defeat defensive tools.
4. AI security becoming M&A hotspot: Google/Wiz ($32B), OpenAI/Promptfoo, Scanner ($22M) — massive capital flowing into AI security.
5. AI agents as attack surface: Agentic browsers phished in minutes — new attack surface that most organizations haven't addressed.
🎯 KENSAI Relevance & Content Opportunities
- n8n RCE (CISA directive) — KENSAI can detect this in customer environments. Blog post opportunity on workflow automation security.
- FortiGate exploitation campaign — Perfect NIS2 angle: "Your firewall is being used against you." KENSAI scans detect weak/exposed FortiGate configs.
- WordPress SQLi (Ally plugin) — 400K sites at risk. KENSAI's DAST capabilities can identify these. Mass-scan content opportunity.
- AI agent security — OpenAI acquiring Promptfoo validates the AI security market KENSAI operates in. Thought leadership opportunity.
- Stryker wiper attack — NIS2 compliance angle for healthcare/medtech companies in DACH region.
- ICS Patch Tuesday — DORA/NIS2 compliance content for industrial operators using Siemens/Schneider.