KENSAI Security Intelligence
Daily Threat Briefing
Automated security research — last 24 hours
2026-03-21 · Friday March 20 → Saturday March 21
Critical Vulnerabilities & Active Exploits
Critical missing-authentication + code-injection flaw in Langflow (CVSS 9.3) is being actively exploited. Unauthenticated attackers can achieve remote code execution via POST /api/v1 endpoints. Exploitation began within 20 hours of public disclosure — patch immediately.
Oracle released an out-of-band security update for a critical unauthenticated RCE vulnerability in Identity Manager and Web Services Manager. This is outside Oracle's regular quarterly patch cycle — indicating severity and potential exploitation risk.
CISA ordered all federal agencies to patch a maximum-severity vulnerability in Cisco Secure Firewall Management Center by Sunday March 22. The urgency of the weekend deadline signals active or imminent exploitation.
ConnectWise ScreenConnect patched a critical vulnerability that exposed machine keys, potentially allowing unauthorized access to remote management sessions. Latest version adds encrypted storage and key management.
Sansec discovered a critical flaw in Magento's REST API allowing unauthenticated attackers to upload disguised executables (images hiding malicious code) for RCE and account takeover. Thousands of Magento sites already hit in an ongoing defacement campaign since Feb 27.
Supply Chain & Software Supply Chain Attacks
Aqua Security's Trivy scanner was compromised for the second time in a month. Attackers hijacked 75 tags across "aquasecurity/trivy-action" and "aquasecurity/setup-trivy" GitHub Actions to steal CI/CD secrets. Any pipeline using these actions may have leaked credentials.
New malware "Speagle" hijacks legitimate Cobra DocGuard software, using compromised servers to exfiltrate data while masking traffic as legitimate application communication. A sophisticated supply-chain-adjacent attack.
Analysis reveals 54 EDR killer programs abuse 35 legitimately signed but vulnerable drivers to disable endpoint security before deploying ransomware. BYOVD (Bring Your Own Vulnerable Driver) is now a standard ransomware playbook technique.
Data Breaches & Insider Threats
Hackers stole personal and health plan information from Navia's environment between late December 2025 and mid-January 2026. 2.7 million individuals affected. Healthcare data breaches continue to be the most impactful by volume.
A North Carolina man was found guilty of stealing company data and extorting a D.C.-based technology company (Brightly Software) for $2.5M — while still employed as a contractor. Insider threat remains a top-tier risk.
Michael Smith pleaded guilty to using AI bots to generate over $10M in fraudulent streaming royalties across Spotify, Apple Music, Amazon Music, and YouTube Music. AI-enabled fraud at scale.
Law Enforcement & Geopolitical
US, Germany, and Canada took down C2 infrastructure for AISURU, KimWolf, JackSkid, and Mossad botnets (3 million IoT devices). These botnets powered record-breaking 31.4 Tbps DDoS attacks. Major private-sector collaboration (Akamai, AWS, Cloudflare, Google, Oracle, and others).
International law enforcement shut down 373,000 dark web sites in "Operation Alice." One of the largest coordinated takedowns of illicit infrastructure to date.
FBI issued a PSA warning that Russian intelligence-linked actors are actively running phishing campaigns against Signal and WhatsApp users. Thousands of encrypted messaging accounts already compromised. Targets include journalists, activists, and government officials.
The US confirmed that Handala hacker group is linked to the Iranian government and seized several domains used in cyber-enabled psychological operations.
Three individuals charged with violating US export control laws by conspiring to divert high-performance AI servers assembled in the US to China. Part of the escalating tech cold war.
Emerging Threats & Trends
Cybercriminals using AI to generate personalized phishing, deepfakes, and malware that evades traditional detection by impersonating normal user activity. Behavioral analytics emerging as the necessary counter — signature-based detection increasingly insufficient.
Apple urges iOS updates against web-based exploit kits (Coruna, DarkSword) targeting outdated devices. These kits trigger infection chains through malicious web content leading to data theft.
Google introduced mandatory 24-hour cooling period for sideloading apps from unverified developers on Android. Part of the developer verification mandate announced last year. Balances openness with scam/malware reduction.
The Gentlemen — New RaaS Operation Emerges
Group-IB detailed "The Gentlemen," a new Ransomware-as-a-Service operation with ~20 members exploiting FortiGate vulnerabilities. Emerging RaaS groups continue to lower the barrier to entry for ransomware attacks.
Security Industry & Funding
Massive round focused on identity and access management for AI agents. Investing in R&D, AI framework expansion, and go-to-market. Signal: the market sees AI agent security as a critical emerging category.
Privacy-focused MVNO for consumers, enterprises, and governments. Addresses cellular-level surveillance and interception threats.
Expanding platform capabilities for firmware and hardware supply chain integrity.
Monitors behavior and verifies user intent to stop attacks in real time. Emerged from stealth.
Scaling digital brand protection against phishing, impersonation, and brand abuse.
KENSAI Relevance & Takeaways
For KENSAI's positioning:
- Langflow CVE-2026-33017 — exploited in 20 hours. This is KENSAI's core value prop: continuous scanning catches these before attackers do. Content opportunity for a "20-hour window" blog post.
- Magento PolyShell — thousands of e-commerce sites hit. NIS2-regulated EU companies running Magento are perfect KENSAI targets for DAST scanning.
- 54 EDR Killers using BYOVD — endpoint security alone isn't enough. KENSAI's multi-layer approach (DAST + SAST + secrets + infrastructure) is the answer.
- $282M in security funding this week — market is hot. Oasis raising $120M for "agentic access management" validates the AI security category KENSAI occupies.
- Trivy supply chain compromise — CI/CD pipeline security is an underserved area. Potential future KENSAI module.
- Russian state phishing on Signal — NIS2 compliance requires secure communications. Content angle for DACH market.