Security Briefing
⚡ TL;DR — What Matters Today
- DarkSword iOS exploit kit — second full-chain iOS kit in a month, 3 zero-days, Russian espionage group UNC6353 targeting Ukraine. iOS 18.4–18.7 affected.
- Handala hacktivists wiped 80,000 Stryker devices via Microsoft Intune — FBI seized their leak site. CISA issued Intune hardening guidance.
- PolyShell RCE in all Magento/Adobe Commerce v2 — unauthenticated code execution via polyglot file uploads. No production patch yet.
- Cisco FMC zero-day exploited by Interlock ransomware since January — Amazon found Russia links.
- Navia breach impacts 2.7M people — sensitive benefits data exposed.
- APT28 (Russia) exploiting Zimbra CSS sanitization flaw against Ukrainian government.
- 9 critical IP KVM vulnerabilities across 4 vendors — unauthenticated root access at BIOS level.
Data Breaches
Navia Benefit Solutions — 2.7 Million Records Exposed
Benefits administration company Navia disclosed a breach affecting nearly 2.7 million individuals. Attackers accessed sensitive personal information including benefits data, SSNs, and financial records. The company is providing credit monitoring services to affected individuals.
Aura Security — 900,000 Records via Phishing
Ironic twist: identity protection firm Aura disclosed a breach impacting 900,000 records. An employee fell victim to a targeted phone phishing (vishing) attack, giving attackers access to a marketing tool containing customer data.
Marquis Data Breach — 672,000 Confirmed
Revised downward from an initial estimate of 1.6 million, the Marquis breach now confirms 672,000 individuals affected. Data types and attack vector details remain under investigation.
Critical Vulnerabilities
DarkSword iOS Exploit Kit — 6 Flaws, 3 Zero-Days
Google Threat Intelligence, iVerify, and Lookout jointly disclosed "DarkSword" — a full-chain iOS exploit kit targeting iOS 18.4–18.7. Exploits 6 vulnerabilities including 3 zero-days (CVE-2026-20700, CVE-2025-43529, CVE-2025-14174). Used by Russian group UNC6353, commercial surveillance vendors, and state-sponsored actors targeting Ukraine, Saudi Arabia, Turkey, and Malaysia. Takes a "hit-and-run" approach, exfiltrating data within seconds. Second iOS exploit kit after Coruna discovered within a month.
PolyShell — Unauthenticated RCE on All Magento/Adobe Commerce v2
Sansec discovered "PolyShell", a vulnerability in Magento's REST API file upload handling. Attackers upload polyglot files (valid as both image and script) to achieve unauthenticated remote code execution or stored XSS account takeover. Affects all production Magento Open Source and Adobe Commerce v2 installations. Patch only available in alpha 2.4.9 — no production fix yet. Exploit method is already circulating.
Ubiquiti UniFi — Max Severity Account Takeover
Ubiquiti patched two vulnerabilities in the UniFi Network Application, including a maximum-severity flaw enabling account takeover. Administrators should update immediately.
ScreenConnect — Critical Machine Key Exposure
ConnectWise patched a critical ScreenConnect vulnerability that exposed machine keys, potentially allowing unauthorized remote access. Latest version adds encrypted storage and management for key protection.
SharePoint RCE (CVE-2026-20963) — Active Exploitation
CISA added Microsoft SharePoint CVE-2026-20963 to its Known Exploited Vulnerabilities catalog. The RCE flaw, patched in January's Patch Tuesday, is now confirmed exploited in the wild.
9 Critical IP KVM Flaws — Unauthenticated Root Access
Eclypsium discovered 9 vulnerabilities across 4 IP KVM products (GL-iNet Comet RM-1, Angeet/Yeeso ES3, Sipeed NanoKVM, JetKVM). Missing firmware signature validation, no brute-force protection, broken access controls, exposed debug interfaces. Attackers can gain root access at BIOS/UEFI level — bypassing all OS-level security.
Ransomware & Major Attacks
Handala Hacktivists Wipe 80,000 Stryker Devices via Microsoft Intune
The Handala hacktivist group conducted a devastating destructive attack on medical technology giant Stryker, wiping approximately 80,000 devices by weaponizing Microsoft Intune endpoint management. The FBI has seized two Handala-operated data leak websites. CISA subsequently issued urgent guidance for all U.S. organizations to harden their Microsoft Intune deployments.
Cisco FMC Zero-Day Exploited by Interlock Ransomware
Amazon discovered that a Cisco Firewall Management Center (FMC) vulnerability has been exploited as a zero-day since late January by the Interlock ransomware group. Evidence points to links with Russia. Cisco's recent vulnerability spree shows a troubling pattern of firewall and SD-WAN flaws being actively exploited.
Bitrefill Attributes Attack to North Korean Lazarus/Bluenoroff
Crypto gift card platform Bitrefill disclosed that their early March cyberattack was likely conducted by North Korea's Bluenoroff group (Lazarus subgroup). Continues the pattern of DPRK targeting crypto and fintech platforms for revenue generation.
North Carolina Insider Attack — $2.5M Ransom
A tech worker in North Carolina was found guilty of conducting an insider attack against a Washington technology company, netting a $2.5 million ransom payment. Highlights the persistent insider threat risk.
State-Sponsored & APT Activity
APT28 (Russia/GRU) Exploiting Zimbra Against Ukraine
Russian military intelligence-linked APT28 is actively exploiting a Zimbra Collaboration Suite vulnerability in attacks on Ukrainian government entities. The flaw involves insufficient CSS sanitization in HTML emails, enabling inline script execution when messages are opened in a browser.
Iran Cyber Infrastructure Buildup Revealed
Analysis reveals a six-month buildup of Iran-linked cyber infrastructure, including US-based shell companies, designed to ensure resilience of global hacking operations and weather potential kinetic strikes. Feds are on high alert for Iranian cyberattacks in the wake of the Stryker incident.
The Gentlemen RaaS — FortiGate-Focused Operation
Group-IB detailed "The Gentlemen", a nascent Ransomware-as-a-Service operation of ~20 members specifically exploiting FortiGate firewall vulnerabilities. Part of the continuing trend of edge device exploitation for initial access.
Security Tools & Industry
Oasis Security — $120M for Agentic Access Management
Oasis Security raised $120M to expand its agentic access management platform. Focus on R&D, AI framework product expansion, and go-to-market scaling. Signals growing investor interest in AI agent security controls.
Cloaked Privacy Platform — $375M Funding
Privacy platform Cloaked raised $375M to expand into enterprise markets. Plans to introduce AI agents that monitor, manage, and enforce privacy preferences and security postures on behalf of users.
1stProtect — $20M Stealth Launch
Endpoint security startup 1stProtect emerged from stealth with $20M. Their platform monitors behavior and verifies user intent to stop attacks in real time — a novel approach to endpoint protection.
Raven — $20M for Runtime Anomaly Detection
Raven emerged from stealth with $20M. Their platform observes applications at runtime to detect anomalous behavior and prevent cyberattacks — targeting the gap between static analysis and real-world exploitation.
Ceros — AI Trust Layer for Claude Code
Beyond Identity launched Ceros, an "AI Trust Layer" providing real-time visibility, runtime policy enforcement, and cryptographic audit trails for Claude Code agent operations. Addresses the emerging risk of AI coding agents operating with full developer permissions outside existing security controls.
Emerging Threat Patterns
iOS Exploit Proliferation
Two full-chain iOS exploit kits (Coruna and DarkSword) discovered within a month, used by a mix of state actors and commercial surveillance vendors. Demonstrates a thriving secondary market where even financially motivated groups can acquire nation-state-grade mobile exploits. The "hit-and-run" exfiltration approach — seconds, not hours — makes forensic detection extremely difficult.
Edge Device Exploitation Continues
FortiGate (The Gentlemen RaaS), Cisco FMC (Interlock ransomware), Ubiquiti UniFi, Zimbra, IP KVM devices — the pattern is clear. Attackers are systematically targeting network edge infrastructure. The new IP KVM research shows even BIOS-level access is at risk through cheap, poorly secured hardware. Organizations must treat every edge device as a critical attack surface.
Microsoft Intune as Attack Vector
Handala's weaponization of Microsoft Intune to wipe 80,000 Stryker devices is a wake-up call. Endpoint management tools designed to protect devices can be turned into weapons for mass destruction when compromised. CISA's response guidance signals this is now a recognized attack pattern that enterprises must defend against.
AI Agent Security Emerges as Category
Multiple startups ($535M+ in funding this week alone) are building products specifically for AI agent security — access management, runtime monitoring, privacy enforcement. Ceros (for Claude Code), Oasis (agentic access), and Cloaked (AI privacy agents) all signal that securing AI agents is becoming a distinct security discipline. Relevant for KENSAI's roadmap.