🛡️ KENSAI Security Intelligence
Data Breaches
Telus Digital Confirms Breach — Hacker Claims 1 Petabyte Stolen
Canadian BPO giant Telus Digital confirmed a multi-month security breach after threat actors claimed to have exfiltrated nearly 1 petabyte of data. The scale of this breach is extraordinary — one of the largest volumetric data thefts ever claimed.
BPOData ExfiltrationCanadaBell Ambulance Data Breach — 238,000 Individuals Impacted
Hackers stole personal information including names, Social Security numbers, and driver's license numbers from Bell Ambulance, impacting 238,000 individuals. Healthcare sector continues to be a prime target.
HealthcarePIISSN ExposureLoblaw (Canada's Largest Retailer) Notifies Customers of Breach
Canadian retail giant Loblaw forced all customers to log out of their accounts following a data breach. The company's digital services were temporarily disrupted as a precautionary measure.
RetailCustomer DataCanadaCritical Vulnerabilities & Patches
Veeam Backup & Replication — 4 Critical RCE Flaws
Veeam patched 4 critical remote code execution vulnerabilities in its Backup & Replication solution. Given Veeam's prevalence in enterprise environments, these flaws are high-priority targets for ransomware operators. Patch immediately.
RCEBackup InfrastructurePatch NowMicrosoft Patch Tuesday — 77 Vulnerabilities Fixed
Microsoft released fixes for 77 flaws including CVE-2026-21262 (SQL Server privilege escalation to sysadmin, CVSS 8.8), CVE-2026-26113 and CVE-2026-26110 (Office RCE via Preview Pane — no click needed). Two bugs were publicly disclosed prior to patching.
Patch TuesdaySQL ServerOffice RCE.NETN8n Workflow Automation — Server Takeover Vulnerabilities
Critical bugs in n8n allowed unauthenticated attackers to execute arbitrary code, steal credentials, and take over servers. Any organization running n8n should patch immediately — this is an unauthenticated RCE.
n8nUnauthenticated RCEWorkflow AutomationCisco IOS XR — High-Severity Patches
Cisco patched high-severity vulnerabilities in IOS XR that could lead to DoS, command execution, or complete device takeover. Network infrastructure operators should prioritize.
CiscoNetwork InfrastructureDoSSplunk & Zoom — Severe Vulnerabilities Patched
Critical and high-severity flaws in Splunk and Zoom could be exploited to execute arbitrary shell commands or elevate privileges. Both widely deployed in enterprise environments.
SplunkZoomShell ExecutionApple Backports Coruna Exploit Kit Patches to Legacy iOS
Apple released iOS 15.8.7 and 16.7.15 to patch CVE-2023-43010 (WebKit memory corruption) used in the Coruna exploit kit for cyberespionage and crypto-theft. Targets older iPhones/iPads that can't run latest iOS.
AppleWebKitExploit KitEspionageWordPress "Ally" Plugin — SQL Injection Affecting 200K+ Sites
A flaw in the Ally WordPress plugin exposes over 200,000 websites to SQL injection attacks, allowing attackers to extract sensitive database information.
WordPressSQLi200K SitesRansomware & Destructive Attacks
MedTech Giant Stryker Crippled by Iran-Linked Wiper Attack
The Iran-backed hacktivist group Handala (linked to MOIS/Void Manticore) claims to have wiped data from 200,000+ systems across Stryker's global operations. 5,000+ workers in Ireland sent home. Offices in 79 countries affected. Employee personal devices with Outlook were also wiped. Login pages defaced with Handala logo. Company phone lines report "building emergency."
This is one of the most impactful wiper attacks against a Western corporation in years — a $25B company essentially offline globally.
Nation StateIran / MOISWiperHandalaMedTechEngland Hockey Hit by AiLock Ransomware
England Hockey, the national governing body for field hockey, is investigating a potential data breach after the AiLock ransomware gang listed them on their leak site. Sports organizations increasingly targeted.
AiLockSportsUKAI-Generated "Slopoly" Malware Used in Interlock Ransomware Attack
A new AI-generated malware strain called Slopoly was used in an Interlock ransomware attack, allowing threat actors to maintain persistence for over a week and exfiltrate data before deploying ransomware. Signals growing use of AI in malware development.
AI-Generated MalwareInterlockPersistenceEmerging Threats & Research
VENON Banking Trojan — Rust-Based Malware Targeting 33 Brazilian Banks
A new Rust-based banking trojan called VENON targets 33 Brazilian banks using overlay attacks, active window monitoring, and LNK hijacking. The shift from Delphi to Rust signals malware authors adopting modern, harder-to-analyze languages.
Banking TrojanRustBrazilOverlay AttackSix New Android Malware Families Target Pix Payments & Crypto Wallets
Zimperium discovered 6 new Android malware families: PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT. PixRevolution hijacks Brazil's Pix instant payment transfers in real-time. Some use AI/human operators watching victims' screens live.
AndroidMobile BankingPixRATAI Agentic Browsers Vulnerable to Phishing — Perplexity's Comet Tricked in 4 Minutes
Guardio researchers demonstrated that AI-powered agentic browsers (like Perplexity's Comet) can be tricked into phishing scams by exploiting the AI's tendency to reason and narrate actions. Attackers manipulate the reasoning process to lower security guardrails.
AI SecurityAgentic AIBrowserPhishingPolyfill Supply Chain Attack (2024) Now Linked to North Korea
The 2024 Polyfill.io supply chain attack impacting 100K+ websites was initially attributed to China but new evidence from an infostealer infection reveals North Korean involvement. Highlights the ongoing attribution challenges in supply chain attacks.
Supply ChainNorth KoreaAttributionLaw Enforcement & Industry
US Disrupts SocksEscort Proxy Network
US and European law enforcement disrupted the SocksEscort cybercrime proxy network, which used edge devices compromised via AVRecon Linux malware. A significant takedown of criminal infrastructure.
TakedownProxy NetworkIoTMeta Disables 150K+ Scam Center Accounts in Asia
Meta launched new protection tools and disabled over 150,000 accounts powering scam centers across Asia. Continuing their crackdown on organized fraud operations.
MetaScam CentersAsiaWiz Joins Google Cloud — $32B Acquisition Closes
Google completed its landmark $32 billion acquisition of cloud security company Wiz. Wiz will maintain its brand within Google Cloud. The largest cybersecurity acquisition in history.
M&AGoogle CloudWiz$32BGoogle Paid $17.1M in Bug Bounties in 2025
Google's Vulnerability Reward Program paid out $17.1 million to 747 researchers in 2025, demonstrating continued investment in crowdsourced security.
Bug BountyGoogle VRPSenate Confirms Joshua Rudd as NSA & Cyber Command Chief
The US Senate confirmed Joshua Rudd to lead both the NSA and US Cyber Command under the "dual-hat" arrangement.
GovernmentNSAUSCYBERCOM🎯 KENSAI Analysis — What Matters for Our Customers
- Veeam RCE + Ransomware Convergence: Backup infrastructure is now a primary attack target. Organizations using Veeam must patch immediately — ransomware operators actively exploit backup systems to prevent recovery. KENSAI's infrastructure scanning detects exposed Veeam instances.
- AI-Generated Malware is Production-Ready: The "Slopoly" malware used in the Interlock attack was AI-generated and effective enough for a week-long intrusion. This lowers the barrier for sophisticated attacks — exactly why AI-powered defense (KENSAI) must match AI-powered offense.
- Nation-State Wipers Going Commercial: The Stryker attack by Handala/MOIS shows state-backed groups deploying devastating wipers against Western companies. 200K+ devices wiped in a single operation. NIS2 compliance requirements for incident response and resilience are not optional.
- WordPress Plugin Exposures (200K sites): The Ally plugin SQLi affects 200K+ sites. KENSAI's DAST capabilities can detect these injection points automatically before attackers do.
- Supply Chain Attribution is Shifting: Polyfill attack re-attributed from China to North Korea. Organizations need continuous dependency monitoring — KENSAI's SBOM analysis catches compromised packages.
- Patch Tuesday Priority: Microsoft Office Preview Pane RCE (CVE-2026-26113/26110) requires zero clicks. SQL Server elevation to sysadmin (CVE-2026-21262) is network-exploitable. Both are high priority for any DACH enterprise running Microsoft infrastructure.