剣 KENSAI
← Back to archive

Daily Threat Intelligence

2026-03-24 — Tuesday — 04:00 CET
2 Critical CVEs Supply Chain Attack iOS 0-Day Chain State-Sponsored Activity Mass Phishing
3
Data Breaches
4
Critical CVEs
1
Ransomware
5
State-Sponsored

⛓️ Supply Chain Attack — Trivy Scanner Compromised

Trivy Vulnerability Scanner Backdoored — Spreading via Docker & GitHub

Supply Chain Active Exploitation

The TeamPCP hacking group compromised the widely-used open-source Trivy vulnerability scanner by Aqua Security. Malicious versions (0.69.4–0.69.6) were pushed to Docker Hub containing information-stealer malware. The attack expanded beyond Docker — TeamPCP hijacked Aqua Security's GitHub organization to tamper with dozens of repositories. The last known clean release is 0.69.3. Malicious images have been removed but the blast radius across developer environments remains significant.

KENSAI Relevance

This is exactly the type of supply chain compromise that KENSAI's SBOM analysis and dependency scanning can detect. If your CI/CD pulled Trivy images between the compromised window, you need immediate audit. Organizations using KENSAI's continuous monitoring would have been alerted to the unexpected binary changes.

Sources: BleepingComputer, The Hacker News, SecurityWeek — Mar 23

TeamPCP Deploys Iran-Targeted Kubernetes Wiper

Hacktivist Wiper

The same TeamPCP group behind the Trivy compromise is also targeting Kubernetes clusters with a destructive wiper. The malicious script detects if systems are configured for Iran-based infrastructure and wipes all machines if the condition is met. This represents a significant escalation from data theft to full destructive capability within containerized environments.

Source: BleepingComputer — Mar 23

🔴 Critical Vulnerabilities

CVE-2026-21992 — Oracle Identity Manager RCE (Emergency Patch)

Critical CVE Possibly Exploited

Oracle released an emergency out-of-band patch for CVE-2026-21992, a critical vulnerability in Oracle Identity Manager. The flaw allows unauthenticated remote code execution and may have already been exploited in the wild. Organizations running Oracle Identity Manager should apply the patch immediately — this is pre-auth RCE on an identity management system, making it extremely high-value for attackers.

Source: SecurityWeek — Mar 23

CVE-2025-32975 (CVSS 10.0) — Quest KACE SMA Under Active Attack

CVSS 10.0 Active Exploitation

A maximum-severity vulnerability in Quest KACE Systems Management Appliance is being actively exploited, particularly targeting the education sector. Arctic Wolf observed exploitation activity starting the week of March 9 on unpatched SMA systems exposed to the internet. Given the CVSS 10.0 score and confirmed exploitation, this demands immediate patching.

Source: The Hacker News, SecurityWeek — Mar 23

DarkSword iOS Exploit Chain — CISA KEV Addition

6 CVEs Chained Active Exploitation State-Sponsored

CISA added three DarkSword vulnerabilities (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520) to its Known Exploited Vulnerabilities catalog. DarkSword is a sophisticated iOS exploit kit chaining 6 vulnerabilities for sandbox escape, privilege escalation, and RCE on iPhones (iOS 18.4–18.7). Linked to Turkish commercial surveillance vendor PARS Defense (UNC6748) and Russian espionage group UNC6353. Three malware families deployed: GhostBlade, GhostKnife, GhostSaber. Federal agencies have until April 3 to patch.

Source: BleepingComputer, CISA — Mar 23

QNAP Patches Four Pwn2Own Vulnerabilities

Pwn2Own

QNAP patched four vulnerabilities that were demonstrated at Pwn2Own, allowing information disclosure, code execution, and unexpected behavior on NAS devices. Given QNAP's history as a ransomware target, prompt patching is essential.

Source: SecurityWeek — Mar 23

💾 Data Breaches

Crunchyroll Investigates Breach — 6.8M Users Claimed Stolen

Data Breach

The popular anime streaming platform Crunchyroll (owned by Sony) is investigating after hackers claimed to have stolen personal data for approximately 6.8 million users. The breach is under active investigation — scope and authenticity are still being verified.

Source: BleepingComputer — Mar 23

Mazda Discloses Employee & Partner Data Breach

Data Breach

Mazda Motor Corporation confirmed a security incident first detected in December 2025 that exposed employee and business partner data. The disclosure came in March 2026, highlighting the continued gap between detection and public disclosure in the automotive sector.

Source: BleepingComputer — Mar 23

Trio-Tech Semiconductor Subsidiary Hit by Ransomware

Ransomware Data Breach

Chip services firm Trio-Tech International disclosed that a subsidiary in Singapore was hit by file-encrypting ransomware. The semiconductor supply chain continues to be targeted, with manufacturing and chip services firms facing increasing ransomware pressure.

Source: SecurityWeek — Mar 23

🕵️ State-Sponsored & APT Activity

FBI/CISA: Russian Hackers Mass-Phishing Signal & WhatsApp Users

Russia / Intelligence Mass Phishing

The FBI and CISA issued a joint warning that Russian Intelligence Services are conducting large-scale phishing campaigns targeting Signal and WhatsApp accounts of high-value individuals — government officials, military personnel, political figures, and journalists. Thousands of accounts have been compromised globally. Once inside, attackers view messages, exfiltrate contacts, and conduct further phishing from trusted identities.

Source: The Hacker News, FBI — Mar 21–23

FBI Warns of Iranian Handala Hackers Using Telegram for Malware

Iran / MOIS

The FBI warned that Iranian hackers linked to the Ministry of Intelligence and Security (MOIS) — known as Handala — are using Telegram to distribute malware. The US has confirmed Handala's link to the Iranian government and seized several domains used in their cyber-enabled psychological operations.

Source: BleepingComputer, SecurityWeek — Mar 23

North Korean Hackers Abuse VS Code for StoatWaffle Malware

North Korea / WaterPlum

The Contagious Interview threat actor (WaterPlum) is distributing StoatWaffle malware through malicious VS Code projects. The attack abuses VS Code's tasks.json auto-run feature — a relatively new tactic adopted since December 2025. This targets developers who open seemingly legitimate VS Code projects, executing malware automatically.

Source: The Hacker News — Mar 23

🎣 Phishing & Social Engineering

Tycoon2FA PhaaS Platform Back to Full Strength After Police Disruption

Phishing-as-a-Service

The Tycoon2FA phishing platform that Europol disrupted on March 4 has already returned to pre-disruption activity levels. Attack volumes and tactics remain unchanged, demonstrating the resilience of cybercriminal infrastructure against law enforcement takedowns. The platform specializes in bypassing two-factor authentication.

Source: BleepingComputer, SecurityWeek — Mar 23

Microsoft: IRS Tax Season Phishing Hits 29,000 Users

Phishing Campaign

Microsoft warned of large-scale phishing campaigns exploiting US tax season urgency. Over 29,000 users targeted with fake IRS refund notices, payroll forms, and filing reminders. Campaigns deploy Remote Monitoring & Management (RMM) malware and leverage PhaaS platforms. Targets include both individuals and tax professionals with access to sensitive financial data.

Source: The Hacker News, Microsoft — Mar 23

📊 Emerging Trends & Research

M-Trends 2026: Initial Access Handoff Drops to 22 Seconds

Research / Mandiant

Mandiant's M-Trends 2026 report, based on 500,000+ hours of incident response, reveals that the time between initial access broker compromise and handoff to ransomware operators has shrunk from hours to just 22 seconds. This dramatically reduces the window for defenders to detect and respond to intrusions before ransomware deployment.

KENSAI Relevance

22-second handoff times mean manual SOC triage is no longer viable for initial access detection. Automated, continuous scanning — like KENSAI's approach — becomes the only realistic defense. Organizations without automated response capabilities are essentially defenseless against this speed of attack.

Source: SecurityWeek / Mandiant — Mar 23

Eight Attack Vectors Discovered in AWS Bedrock

AI Security Research

XM Cyber's threat research team mapped eight validated attack vectors in AWS Bedrock AI platform: log manipulation, knowledge base compromise, agent hijacking, flow injection, guardrail degradation, and prompt poisoning. As AI agents gain access to enterprise data (Salesforce, Lambda, SharePoint), they become high-value attack surfaces with permissions and reachability to critical assets.

KENSAI Relevance

AI infrastructure security is an emerging frontier. As enterprises connect AI agents to production systems, the attack surface expands dramatically. This aligns with KENSAI's positioning in AI security — scanning and securing the infrastructure that powers AI systems.

Source: The Hacker News / XM Cyber — Mar 23

Browser-Based Attacks Bypassing Traditional Security Controls

Research / Push Security

A new report from Push Security documents how browser-based attacks — AITM phishing, ClickFix, malicious OAuth apps, and session hijacking — are driving today's biggest breaches and evading traditional security controls. The browser is increasingly the primary attack surface.

Source: BleepingComputer / Push Security — Mar 23

💰 Industry & Funding

Cape Raises $100M for Cellular Security

Funding

Cape, a privacy-focused mobile virtual network operator (MVNO), raised $100 million for protection against cellular security threats — serving consumers, enterprises, and government customers.

Source: SecurityWeek — Mar 23

Eclypsium Raises $25M for Device Supply Chain Security

Funding

Eclypsium secured $25 million to expand its device supply chain security platform and grow channel partnerships. Timely given the Trivy supply chain attack dominating today's news.

Source: SecurityWeek — Mar 23

3 Men Charged for Smuggling AI Hardware to China

Export Controls

Three men were charged with conspiring to violate US export controls by diverting massive quantities of high-performance AI servers assembled in the US to China. Reflects continued geopolitical tension around AI hardware access.

Source: SecurityWeek — Mar 23

📋 Compliance & Regulation

UK Toughens Cyber Reporting Requirements

Regulation

The UK is strengthening mandatory cyber incident reporting requirements. Along with NIS2 enforcement ramping up across the EU, organizations face an increasingly complex web of reporting obligations. Automated compliance reporting — a KENSAI differentiator — becomes essential.

Source: SecurityWeek — Mar 23