剣 KENSAI
← Back to archive

Daily Threat Briefing

2026-03-27 · Friday · CW13
Compiled from BleepingComputer, The Hacker News, SecurityWeek & more
4
Critical CVEs
3
Data Breaches
2
Active Exploits
6
Threat Campaigns

🔓 Data Breaches & Leaks

Hightower Holding Data Breach — 130,000 Affected

Mar 26SecurityWeek
HIGH IMPACT

Financial holdings company Hightower disclosed that hackers exfiltrated names, Social Security numbers, and driver's license numbers from its environment. Approximately 130,000 individuals are impacted. The breach highlights ongoing targeting of financial services firms holding large PII datasets.

KENSAI Take: Financial services remain top targets. Companies handling PII at scale need continuous vulnerability monitoring — exactly what KENSAI's automated scanning provides.

securityweek.com

Ajax Amsterdam FC — Fan Data Exposed, Ticket Hijacking

Mar 26BleepingComputer
MEDIUM

Dutch football club AFC Ajax disclosed a breach where a hacker exploited vulnerabilities in its IT systems, accessing personal data of several hundred fans. The access enabled ticket hijacking capabilities. Demonstrates how even "non-tech" organizations face sophisticated attacks when they hold consumer data.

bleepingcomputer.com

LeakBase Admin Arrested in Russia

Mar 25–26Multiple Sources
LAW ENFORCEMENT

Russian police arrested a Taganrog resident believed to be the owner of LeakBase, a major cybercrime forum for trading stolen databases and hacking tools, operational since 2021. Technical equipment was seized. Separately, suspected RedLine infostealer administrator Hambardzum Minasyan was extradited from Armenia to the US to face criminal charges.

thehackernews.com

🚨 Critical CVEs & Vulnerabilities

CVE-2026-33017 — Langflow AI Framework RCE (CVSS 9.3)

ACTIVELY EXPLOITEDCISA KEV
CRITICAL 9.3

CISA added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog. The flaw affects Langflow ≤1.8.1, a popular open-source AI workflow framework (145K GitHub stars). Allows unauthenticated remote code execution via a single crafted HTTP request due to unsandboxed flow execution. Exploitation began just 20 hours after disclosure — no public PoC existed; attackers reverse-engineered exploits from the advisory alone. Automated scanning → exploitation → data harvesting (.env, .db files) happened within 24 hours.

KENSAI Take: AI infrastructure is becoming a prime attack surface. 20-hour exploitation timelines mean organizations need continuous automated scanning, not quarterly pentests. This is KENSAI's core value proposition.

bleepingcomputer.com

PolyShell — Magento/Adobe Commerce Unauthenticated RCE

MASS EXPLOITATION56.7% of vulnerable stores
CRITICAL

A new vulnerability called PolyShell impacts Magento Open Source and Adobe Commerce, allowing unauthenticated file upload to RCE via the REST API. Under mass exploitation since March 19, with 50+ IPs scanning. Sansec reports 56.7% of vulnerable stores have been attacked. A novel WebRTC-based payment skimmer was deployed via this vector, bypassing Content Security Policy by using DTLS-encrypted UDP channels instead of HTTP. Patch available only in beta (2.4.9-beta1).

KENSAI Take: E-commerce platforms are critical infrastructure for businesses. The WebRTC exfiltration technique bypasses traditional CSP — DAST tools that only monitor HTTP will miss this entirely. KENSAI's multi-vector approach catches what legacy scanners miss.

thehackernews.com

BIND DNS — High-Severity OOM Vulnerabilities

Mar 26SecurityWeek
HIGH

ISC released updates patching high-severity vulnerabilities in BIND DNS resolvers. Specially crafted domains could trigger out-of-memory conditions leading to memory leaks and potential denial of service. DNS infrastructure operators should patch immediately.

securityweek.com

Cisco IOS — Multiple Vulnerabilities Patched

Mar 26SecurityWeek
HIGH

Cisco released patches for multiple vulnerabilities in IOS software, addressing flaws that could lead to denial-of-service, secure boot bypass, information disclosure, and privilege escalation. Network infrastructure running Cisco IOS should be updated.

securityweek.com

Apple iOS/macOS 26.4 — Security Patches

Mar 26SecurityWeek
MEDIUM

Apple released security fixes across iOS/macOS 26.4, plus backports for older versions: iOS 18.7.7, iPadOS 18.7.7, macOS Sequoia 15.7.5, and macOS Sonoma 14.8.5. Update all Apple devices promptly.

securityweek.com

☠️ Threat Campaigns & Malware

Red Menshen (China) — Deep in Telecom Backbone via BPFDoor

Mar 26The Hacker News / Rapid7
APTSTATE-SPONSORED

China-nexus threat actor Red Menshen (Earth Bluecrow / DecisiveArchitect) has embedded kernel-level implants and passive backdoors deep within telecom networks across the Middle East and Asia since 2021. Rapid7 described these as "some of the stealthiest digital sleeper cells" ever encountered. The BPFDoor implants enable persistent, long-term espionage against government networks through telecom infrastructure compromise.

KENSAI Take: State-sponsored actors operating at kernel level in telecom backbones — NIS2 compliance requires organizations to account for supply chain risks exactly like this. Telecom providers in the DACH region should assess their exposure.

thehackernews.com

Sandworm (Russia) — Backdoors via Pirated Software

Mar 26The Hacker News
APTSTATE-SPONSORED

Russian APT Sandworm is distributing backdoors (Tambur, Sumbur, Kalambur, DemiMur) through pirated software like "Microsoft.Office.2025x64". Uses Telegram as distribution vector targeting Ukrainian users seeking software cracks. DemiMur forces import of forged root certificates into the OS trust store, enabling persistent trust chain manipulation.

thehackernews.com

Coruna iOS Exploit Framework — Evolution of Operation Triangulation

Mar 26BleepingComputer
ZERO-CLICK

The Coruna exploit kit has been identified as an evolution of the framework used in Operation Triangulation, the 2023 campaign that targeted iPhones via zero-click iMessage exploits. This represents continued development of sophisticated mobile exploitation capabilities.

bleepingcomputer.com

Keenadu — Android Firmware-Level Backdoor Spreading

Mar 26Sophos / The Hacker News
FIRMWARE

Sophos detected Keenadu, a firmware backdoor embedded in Android's libandroid_runtime.so that injects into the Zygote process (parent of all Android apps), giving attackers total device control. Over 500 compromised devices across ~50 models detected, mostly low-cost devices from Allview, BLU, Dcode, DOOGEE, and others. Ships pre-installed from factory.

thehackernews.com

TeamPCP — OSS Supply Chain Compromise Across Ecosystems

Mar 26SecurityWeek
SUPPLY CHAIN

Threat group TeamPCP expanded from compromising GitHub Action tags (initially Trivy) to attacking NPM, Docker Hub, VS Code Extensions, and PyPI. The group has reportedly teamed up with Lapsus$ for broader supply chain attacks across multiple package ecosystems.

securityweek.com

TikTok for Business — Phishing Campaign with Bot Evasion

Mar 26BleepingComputer
PHISHING

New phishing campaign targeting TikTok for Business accounts uses anti-bot techniques to prevent security tools from analyzing malicious pages. Social media business accounts remain high-value targets for credential theft.

bleepingcomputer.com

UK Sanctions Xinbi Marketplace

Mar 26BleepingComputer
SANCTIONS

The UK sanctioned Xinbi, a Chinese-language crypto marketplace selling stolen data and satellite internet equipment to scam networks in Southeast Asia. Connected to "pig butchering" and other organized fraud operations.

bleepingcomputer.com

🛡️ Security Tools & Industry

RSAC 2026 Conference — Day 2 Announcements

Mar 26SecurityWeek
RSAC 2026

RSAC 2026 is underway with major vendor announcements. Key themes include AI-powered security operations, post-quantum cryptography readiness, and identity-centric defense strategies.

securityweek.com

Dell & HP — Quantum-Resistant Device Security

Mar 26SecurityWeek
PQC

Both Dell and HP announced new quantum-resistant security capabilities for PCs and printers, aligning with Google's recently published 2029 PQC migration timeline. Google is integrating ML-DSA (Module-Lattice-Based Digital Signature Algorithm) into Android 17's verified boot process.

securityweek.com

GitHub — AI-Powered Vulnerability Detection

Mar 26The Hacker News
AI SECURITY

GitHub announced AI-powered security detections in GitHub Code Security, complementing CodeQL to find vulnerabilities that traditional static analysis misses. The hybrid detection model surfaces issues and suggested fixes within pull request workflows. Public preview expected early Q2 2026.

thehackernews.com

Onit Security — $11M for Exposure Management

Mar 26SecurityWeek
FUNDING

Onit Security raised $11M to invest in its exposure management platform, expanding into new sectors. The exposure management space continues to attract investment as organizations seek continuous visibility into their attack surface.

securityweek.com

FCC Bans Foreign-Made Consumer Routers

Mar 26SecurityWeek
REGULATION

The FCC banned new consumer routers manufactured outside the US, citing national security risks. The ban aligns with a White House determination that all foreign-produced routers constitute a security threat. Significant supply chain implications for the networking industry.

securityweek.com

📊 Emerging Patterns

1. AI Infrastructure Is the New Attack Surface

CVE-2026-33017 (Langflow) exploited within 20 hours. AI workflow tools are internet-exposed, often unpatched, and hold API keys + cloud credentials. Expect more AI-specific CVEs as adoption accelerates. Organizations deploying AI tools must treat them as critical infrastructure.

2. CSP Bypass via Non-HTTP Channels

The WebRTC payment skimmer represents a paradigm shift: attackers using DTLS-encrypted UDP data channels to exfiltrate data completely invisible to HTTP-focused security tools. CSP alone is no longer sufficient. Security monitoring must expand beyond HTTP to cover WebRTC, WebSocket, and other browser APIs.

3. Supply Chain Attacks Go Cross-Ecosystem

TeamPCP's expansion from GitHub Actions → NPM → Docker Hub → VS Code → PyPI shows attackers treating the entire OSS ecosystem as a single attack surface. Compromising one package manager gives footholds in others. SBOM and dependency monitoring are now essential, not optional.

4. Post-Quantum Cryptography Timeline Crystallizing

Google's 2029 PQC migration deadline + Dell/HP hardware announcements + Android 17 ML-DSA integration signal that PQC is moving from theoretical to practical. "Store now, decrypt later" attacks make this a current, not future, threat. NIS2-covered organizations should begin PQC readiness assessments.

5. Identity Remains the Weakest Link

PwC's research confirms AI is amplifying attack speed and scale, while identity theft evolves into a full cybercriminal supply chain. The RedLine admin extradition and LeakBase takedown show how credential theft has become industrialized. MFA bypass techniques continue to advance alongside AITM phishing kits.

6. Firmware-Level Compromise at Scale

Keenadu shipping pre-installed on 500+ devices across 50 models shows firmware supply chain attacks are real and widespread. Budget devices remain vectors for mass surveillance. Organizations with BYOD policies face increased risk from compromised consumer hardware.