剣 KENSAI
← Back to archive
KENSAI Intelligence

Security Briefing

2026-03-20 · Thursday → Friday · 04:00 CET
3
Data Breaches
6
Critical CVEs
3
Zero-Days
4
Funding Rounds

⚡ TL;DR — What Matters Today

  • DarkSword iOS exploit kit — second full-chain iOS kit in a month, 3 zero-days, Russian espionage group UNC6353 targeting Ukraine. iOS 18.4–18.7 affected.
  • Handala hacktivists wiped 80,000 Stryker devices via Microsoft Intune — FBI seized their leak site. CISA issued Intune hardening guidance.
  • PolyShell RCE in all Magento/Adobe Commerce v2 — unauthenticated code execution via polyglot file uploads. No production patch yet.
  • Cisco FMC zero-day exploited by Interlock ransomware since January — Amazon found Russia links.
  • Navia breach impacts 2.7M people — sensitive benefits data exposed.
  • APT28 (Russia) exploiting Zimbra CSS sanitization flaw against Ukrainian government.
  • 9 critical IP KVM vulnerabilities across 4 vendors — unauthenticated root access at BIOS level.
🔓

Data Breaches

Navia Benefit Solutions — 2.7 Million Records Exposed

Benefits administration company Navia disclosed a breach affecting nearly 2.7 million individuals. Attackers accessed sensitive personal information including benefits data, SSNs, and financial records. The company is providing credit monitoring services to affected individuals.

CRITICAL 2.7M AFFECTED source →

Aura Security — 900,000 Records via Phishing

Ironic twist: identity protection firm Aura disclosed a breach impacting 900,000 records. An employee fell victim to a targeted phone phishing (vishing) attack, giving attackers access to a marketing tool containing customer data.

HIGH 900K RECORDS source →

Marquis Data Breach — 672,000 Confirmed

Revised downward from an initial estimate of 1.6 million, the Marquis breach now confirms 672,000 individuals affected. Data types and attack vector details remain under investigation.

HIGH 672K AFFECTED source →
⚠️

Critical Vulnerabilities

DarkSword iOS Exploit Kit — 6 Flaws, 3 Zero-Days

Google Threat Intelligence, iVerify, and Lookout jointly disclosed "DarkSword" — a full-chain iOS exploit kit targeting iOS 18.4–18.7. Exploits 6 vulnerabilities including 3 zero-days (CVE-2026-20700, CVE-2025-43529, CVE-2025-14174). Used by Russian group UNC6353, commercial surveillance vendors, and state-sponsored actors targeting Ukraine, Saudi Arabia, Turkey, and Malaysia. Takes a "hit-and-run" approach, exfiltrating data within seconds. Second iOS exploit kit after Coruna discovered within a month.

3 ZERO-DAYS UNC6353 / RUSSIA iOS 18.4–18.7 source →

PolyShell — Unauthenticated RCE on All Magento/Adobe Commerce v2

Sansec discovered "PolyShell", a vulnerability in Magento's REST API file upload handling. Attackers upload polyglot files (valid as both image and script) to achieve unauthenticated remote code execution or stored XSS account takeover. Affects all production Magento Open Source and Adobe Commerce v2 installations. Patch only available in alpha 2.4.9 — no production fix yet. Exploit method is already circulating.

CRITICAL — NO PATCH ALL MAGENTO V2 source →

Ubiquiti UniFi — Max Severity Account Takeover

Ubiquiti patched two vulnerabilities in the UniFi Network Application, including a maximum-severity flaw enabling account takeover. Administrators should update immediately.

CVSS 10.0 PATCHED source →

ScreenConnect — Critical Machine Key Exposure

ConnectWise patched a critical ScreenConnect vulnerability that exposed machine keys, potentially allowing unauthorized remote access. Latest version adds encrypted storage and management for key protection.

CRITICAL PATCHED source →

SharePoint RCE (CVE-2026-20963) — Active Exploitation

CISA added Microsoft SharePoint CVE-2026-20963 to its Known Exploited Vulnerabilities catalog. The RCE flaw, patched in January's Patch Tuesday, is now confirmed exploited in the wild.

ACTIVELY EXPLOITED PATCH AVAILABLE source →

9 Critical IP KVM Flaws — Unauthenticated Root Access

Eclypsium discovered 9 vulnerabilities across 4 IP KVM products (GL-iNet Comet RM-1, Angeet/Yeeso ES3, Sipeed NanoKVM, JetKVM). Missing firmware signature validation, no brute-force protection, broken access controls, exposed debug interfaces. Attackers can gain root access at BIOS/UEFI level — bypassing all OS-level security.

CRITICAL 4 VENDORS source →
💀

Ransomware & Major Attacks

Handala Hacktivists Wipe 80,000 Stryker Devices via Microsoft Intune

The Handala hacktivist group conducted a devastating destructive attack on medical technology giant Stryker, wiping approximately 80,000 devices by weaponizing Microsoft Intune endpoint management. The FBI has seized two Handala-operated data leak websites. CISA subsequently issued urgent guidance for all U.S. organizations to harden their Microsoft Intune deployments.

DESTRUCTIVE 80K DEVICES WIPED FBI SEIZURE source →

Cisco FMC Zero-Day Exploited by Interlock Ransomware

Amazon discovered that a Cisco Firewall Management Center (FMC) vulnerability has been exploited as a zero-day since late January by the Interlock ransomware group. Evidence points to links with Russia. Cisco's recent vulnerability spree shows a troubling pattern of firewall and SD-WAN flaws being actively exploited.

ZERO-DAY INTERLOCK RUSSIA-LINKED source →

Bitrefill Attributes Attack to North Korean Lazarus/Bluenoroff

Crypto gift card platform Bitrefill disclosed that their early March cyberattack was likely conducted by North Korea's Bluenoroff group (Lazarus subgroup). Continues the pattern of DPRK targeting crypto and fintech platforms for revenue generation.

LAZARUS / BLUENOROFF CRYPTO source →

North Carolina Insider Attack — $2.5M Ransom

A tech worker in North Carolina was found guilty of conducting an insider attack against a Washington technology company, netting a $2.5 million ransom payment. Highlights the persistent insider threat risk.

INSIDER THREAT $2.5M RANSOM source →
🎯

State-Sponsored & APT Activity

APT28 (Russia/GRU) Exploiting Zimbra Against Ukraine

Russian military intelligence-linked APT28 is actively exploiting a Zimbra Collaboration Suite vulnerability in attacks on Ukrainian government entities. The flaw involves insufficient CSS sanitization in HTML emails, enabling inline script execution when messages are opened in a browser.

APT28 / FANCY BEAR UKRAINE source →

Iran Cyber Infrastructure Buildup Revealed

Analysis reveals a six-month buildup of Iran-linked cyber infrastructure, including US-based shell companies, designed to ensure resilience of global hacking operations and weather potential kinetic strikes. Feds are on high alert for Iranian cyberattacks in the wake of the Stryker incident.

IRAN INFRASTRUCTURE source →

The Gentlemen RaaS — FortiGate-Focused Operation

Group-IB detailed "The Gentlemen", a nascent Ransomware-as-a-Service operation of ~20 members specifically exploiting FortiGate firewall vulnerabilities. Part of the continuing trend of edge device exploitation for initial access.

RAAS FORTIGATE source →
🛠️

Security Tools & Industry

Oasis Security — $120M for Agentic Access Management

Oasis Security raised $120M to expand its agentic access management platform. Focus on R&D, AI framework product expansion, and go-to-market scaling. Signals growing investor interest in AI agent security controls.

$120M RAISED source →

Cloaked Privacy Platform — $375M Funding

Privacy platform Cloaked raised $375M to expand into enterprise markets. Plans to introduce AI agents that monitor, manage, and enforce privacy preferences and security postures on behalf of users.

$375M RAISED source →

1stProtect — $20M Stealth Launch

Endpoint security startup 1stProtect emerged from stealth with $20M. Their platform monitors behavior and verifies user intent to stop attacks in real time — a novel approach to endpoint protection.

$20M RAISED source →

Raven — $20M for Runtime Anomaly Detection

Raven emerged from stealth with $20M. Their platform observes applications at runtime to detect anomalous behavior and prevent cyberattacks — targeting the gap between static analysis and real-world exploitation.

$20M RAISED source →

Ceros — AI Trust Layer for Claude Code

Beyond Identity launched Ceros, an "AI Trust Layer" providing real-time visibility, runtime policy enforcement, and cryptographic audit trails for Claude Code agent operations. Addresses the emerging risk of AI coding agents operating with full developer permissions outside existing security controls.

AI AGENT SECURITY source →
📊

Emerging Threat Patterns

iOS Exploit Proliferation

Two full-chain iOS exploit kits (Coruna and DarkSword) discovered within a month, used by a mix of state actors and commercial surveillance vendors. Demonstrates a thriving secondary market where even financially motivated groups can acquire nation-state-grade mobile exploits. The "hit-and-run" exfiltration approach — seconds, not hours — makes forensic detection extremely difficult.

TREND: MOBILE EXPLOITS

Edge Device Exploitation Continues

FortiGate (The Gentlemen RaaS), Cisco FMC (Interlock ransomware), Ubiquiti UniFi, Zimbra, IP KVM devices — the pattern is clear. Attackers are systematically targeting network edge infrastructure. The new IP KVM research shows even BIOS-level access is at risk through cheap, poorly secured hardware. Organizations must treat every edge device as a critical attack surface.

TREND: EDGE DEVICES

Microsoft Intune as Attack Vector

Handala's weaponization of Microsoft Intune to wipe 80,000 Stryker devices is a wake-up call. Endpoint management tools designed to protect devices can be turned into weapons for mass destruction when compromised. CISA's response guidance signals this is now a recognized attack pattern that enterprises must defend against.

TREND: MDM WEAPONIZATION

AI Agent Security Emerges as Category

Multiple startups ($535M+ in funding this week alone) are building products specifically for AI agent security — access management, runtime monitoring, privacy enforcement. Ceros (for Claude Code), Oasis (agentic access), and Cloaked (AI privacy agents) all signal that securing AI agents is becoming a distinct security discipline. Relevant for KENSAI's roadmap.

TREND: AI AGENT SECURITY