剣 KENSAI
← Back to archive
2026 — 03 — 15  •  SUNDAY

KENSAI Security Research

Daily threat intelligence briefing — last 24 hours
4
Critical CVEs
3
Breaches
3
Law Enforcement
4
Threat Campaigns
2
New Security Tools

🔴 Critical Vulnerabilities

Chrome 146 Patches Two Exploited Zero-Days (CVE-2026-3909 & CVE-2026-3910)

Google released emergency patches for two high-severity zero-days actively exploited in the wild. CVE-2026-3909 (CVSS 8.8) is an out-of-bounds write in the Skia 2D graphics library; CVE-2026-3910 targets the V8 JavaScript engine. Both allow remote code execution via crafted HTML pages. Update Chrome immediately.

CVSS 8.8 Zero-Day Chrome

Critical HPE AOS-CX Vulnerability Allows Admin Password Resets

A critical vulnerability in HPE Aruba AOS-CX network switches allows unauthenticated remote attackers to bypass authentication controls and reset administrator passwords. Organizations running HPE AOS-CX should patch urgently — no user interaction required for exploitation.

Critical Unauth RCE HPE / Aruba

9 "CrackArmor" Flaws in Linux AppArmor — Root Escalation & Container Escape

Qualys TRU disclosed nine confused deputy vulnerabilities in the Linux kernel's AppArmor module. Unprivileged users can escalate to root and break container isolation. These flaws undermine core Linux security guarantees. All major distributions are expected to release kernel patches this week.

Critical Root Escalation Linux Kernel

WordPress "Ally" Plugin SQLi Exposes 200,000+ Sites

A SQL injection vulnerability in the popular Ally WordPress plugin (200K+ installs) allows attackers to inject queries and extract sensitive database contents. No patch available at time of disclosure. Site admins should deactivate the plugin until a fix is released.

SQLi 200K Sites WordPress

💀 Data Breaches & Attacks

Starbucks Employee Data Breach via Phishing Campaign

Starbucks confirmed a data breach affecting employee data after phishing attacks targeted an internal employee portal. Hundreds of employees impacted with personal information exposed. Credential theft was the primary vector.

Data Breach Phishing

Iran-Linked Attack on Stryker Disrupts Manufacturing

Iranian threat actors attacked medical device manufacturer Stryker, disrupting manufacturing and shipping operations. Attackers used existing endpoint management tools (living off the land) rather than traditional malware to wipe devices. A significant supply chain impact for the healthcare sector.

Destructive Iran APT Healthcare

Poland's Nuclear Research Centre Targeted by Cyberattack

Poland's National Centre for Nuclear Research (NCBJ) reported a cyberattack targeting its IT infrastructure. The attack was detected and blocked before causing impact, but the targeting of nuclear research institutions signals escalating geopolitical cyber operations in Europe.

Nation-State Critical Infrastructure

🕷️ Threat Campaigns & Malware

Chinese APT CL-STA-1087 Targets SE Asian Militaries

Palo Alto Unit 42 uncovered a China-linked APT campaign targeting Southeast Asian military organizations since 2020. Using custom malware (AppleChris, MemFun), the group collected specific files on military capabilities and Western military cooperation. Demonstrates "strategic operational patience" — highly targeted intelligence collection, not bulk theft.

APT / China Espionage Military

Storm-2561: Trojanized Enterprise VPN Clients via SEO Poisoning

Microsoft disclosed Storm-2561's campaign distributing fake VPN clients from Ivanti, Cisco, and Fortinet through SEO poisoning. Users searching for legitimate enterprise VPN software are redirected to attacker-controlled sites serving digitally signed trojans that steal VPN credentials. All enterprise VPN admins should issue download source advisories.

Credential Theft Supply Chain VPN

GlassWorm Escalates: 72 Malicious Open VSX Extensions

A major escalation of the GlassWorm supply-chain campaign now abuses extensionPack and extensionDependencies in the Open VSX registry to create transitive infection chains across 72 extensions. Developers using VS Code alternatives with Open VSX should audit their installed extensions immediately.

Supply Chain Developer Tooling VSCode

AppsFlyer SDK Hijacked for Crypto-Stealing Supply Chain Attack

The AppsFlyer Web SDK was temporarily compromised with malicious JavaScript code designed to steal cryptocurrency. This supply-chain attack affected sites integrating the popular marketing analytics SDK. The malicious code has been removed, but sites that cached the SDK may still be serving it.

Supply Chain Crypto Theft JavaScript

⚖️ Law Enforcement Operations

INTERPOL Operation Synergia III: 45,000 IPs Sinkholed, 94 Arrested

INTERPOL's largest cybercrime crackdown yet involved 72 countries, sinkholing 45,000 malicious IPs and seizing 212 servers. 94 arrests made with 110 more under investigation. Targets included phishing, malware distribution, and ransomware infrastructure. Bangladesh alone saw 40 arrests and 134 devices seized.

Law Enforcement 72 Countries

SocksEscort Proxy Botnet Dismantled — 369,000 Devices Across 163 Countries

Court-authorized international operation took down SocksEscort, a criminal proxy botnet that infected 369,000 residential routers with AVrecon malware since 2020. The service sold access to compromised home routers for fraud operations, with 2,500 US-based devices among ~8,000 active nodes.

Takedown Botnet

FBI Investigates Malware Spread via Steam Games

The FBI is seeking victims who installed eight malicious games uploaded to Steam that contained malware. The investigation targets a campaign that used the gaming platform as a malware distribution vector. Gamers who installed unknown titles in recent weeks should scan their systems.

FBI Investigation Gaming / Steam

🛡️ Security Tools & Industry

Bold Security Emerges From Stealth — $40M Funding

Bold Security launched with $40M in funding, using AI to turn endpoints into active security agents that understand user behavior and provide real-time protection. Represents the industry's continued shift toward autonomous, AI-driven endpoint security.

Startup AI Security

Onyx Security Launches — $40M for AI Agent Oversight

Onyx Security launched with $40M to build a control plane for overseeing autonomous AI agents. Directly relevant to the emerging AI governance market — helping organizations safely adopt AI agents while maintaining security controls.

Startup AI Governance

Google Paid $17M in Bug Bounties in 2025

Google's 2025 bug bounty program paid out $17M total — $3.7M for Chrome vulnerabilities and $3.5M for cloud security defects. Signals the growing value (and volume) of vulnerability research in the market.

Bug Bounty $17M Paid

📌 Notable Mentions

Meta Killing Instagram E2E Encrypted Chats (May 2026)

Meta will discontinue end-to-end encryption for Instagram direct messages after May 8, 2026. A significant privacy regression affecting millions of users. Media and messages should be downloaded before the cutoff date.

Privacy Meta / Instagram

Iran-Linked Hackers Expanding US Targeting

Pro-Iranian hackers are expanding beyond Middle Eastern targets to US defense contractors, power stations, and water plants. The escalation during wartime conditions raises the risk profile for US critical infrastructure operators.

Iran APT Critical Infrastructure

Microsoft OOB Hotpatch for Windows 11 RRAS RCE

Microsoft released an out-of-band update fixing a security vulnerability in Windows 11 Enterprise's Routing and Remote Access Service (RRAS). Only affects hotpatch-enabled Enterprise deployments.

Patch Windows 11

Apple Patches Legacy iOS Against Coruna Exploits

Apple released iOS 16.7.15 and 15.8.7 to patch Coruna exploits on older devices. A US defense contractor was reportedly behind the Coruna exploit chain. Older iPhones and iPads still in use should be updated immediately.

Exploit Chain Apple iOS

🎯 KENSAI Relevance & Action Items

  • Supply chain attacks dominating: GlassWorm (VSX), AppsFlyer SDK, and Steam malware — KENSAI's SBOM scanning and dependency analysis capabilities are directly relevant content angles
  • CrackArmor Linux flaws: Container escape vulnerabilities affect cloud-hosted apps — strong angle for KENSAI infrastructure scanning content targeting DevOps teams
  • Two new AI security startups ($80M combined): Bold Security and Onyx Security validate the AI security market. KENSAI should position against/alongside in content strategy
  • Iran APT escalation: US critical infrastructure targeting + NIS2 compliance angles for DACH market content (energy, water, defense contractors)
  • WordPress SQLi (200K sites): Good candidate for KENSAI free scan promotion — "Is your WordPress site vulnerable?"
  • VPN credential theft (Storm-2561): Enterprise security hygiene content opportunity — credential monitoring, download verification