Russian FSB's TA446 deploys DarkSword iOS exploit kit via Atlantic Council phishing. Targets include Russian opposition leader Volkov. Leaked exploit kits + state actors = dangerous combination. 📱🇷🇺

https://thehackernews.com/2026/03/ta446-deploys-leaked-darksword-ios.html

#infosec #cybersecurity #iOS #nationstate #exploit

TA446 Deploys Leaked DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign

TA446 used leaked DarkSword on March 26 to target iOS devices, prompting Apple alerts and widening mobile espionage risks.

The Hacker News

Iran-linked hackers breach FBI Director Patel's personal email + hit Stryker with wiper. MOIS-linked Handala Hack Team. Nation-states don't just spy—they destroy. Personal accounts = intelligence targets. 🇮🇷🔓

https://thehackernews.com/2026/03/iran-linked-hackers-breach-fbi.html

#infosec #cybersecurity #nationstate #espionage

Iran-Linked Hackers Breach FBI Director’s Personal Email, Hit Stryker With Wiper Attack

Iran-linked Handala Hack breached FBI Director’s email amid MOIS domain seizures, escalating destructive cyber ops.

The Hacker News

"The Invisible Front" — my book on cyberwarfare as a geopolitical pillar is now on Amazon.

The core argument: well-crafted malware can be more strategically dangerous than a missile. Not hyperbole — the doctrine, the attribution problems, and the asymmetry of cost all point the same direction.

The book covers:
→ Cyberwarfare as modern geopolitical instrument — not a side channel, a primary front
→ Why attribution is the hardest problem and why states exploit that gap deliberately
→ The asymmetry: a nation-state attack costs thousands, defending against it costs billions
→ How the invisible front interacts with kinetic warfare, sanctions, and information ops

Written for security professionals, policymakers, and anyone trying to understand why the next major conflict will be decided before a single tank moves.

→ https://www.amazon.com/dp/B0GHSFJTVY

#infosec #cyberwarfare #geopolitics #threatintel #nationstate #research #cybersecurity

The Invisible Front: Caria, Giovanni, Ballali, Francesca, El Adib, Bilal: 9798244745825: Amazon.com: Books

Iran’s MOIS-linked cybercrime operations highlight how state actors blur lines between espionage, crime, and disruption. In cyberspace, attribution and intent rarely come clean. 🕵️‍♂️⚠️ #NationState #CyberEspionage

https://www.theregister.com/2026/03/10/cybercrime_iran_mois/

Cybercrime isn't just a cover for Iran's government goons - it's a key part of their operations

Ransomware, malware-as-a-service, infostealers benefit MOIS, too

The Register

There's a long list of well-known #externalities that the profit-addicted entities impose on the world. The narrative of "public vs private" is a false dichotomy. Both are created through our collective power, manifested by our current choice of #nationstate organization who grants their status.

Alright team, it's been a pretty packed week in cyber, with some notable breaches, a deep dive into nation-state TTPs, critical vulnerabilities under active exploitation, and some interesting discussions around AI's role in both attack and defence. Let's get into it:

Recent Cyber Attacks or Breaches 🚨

- The FBI is probing a breach of its unclassified systems, which reportedly contained "law enforcement sensitive information" related to wiretapping and foreign intelligence surveillance warrants, including PII of investigation subjects. This follows previous compromises of US law enforcement wiretapping systems by Chinese state-backed actors.
- Chinese EV charger manufacturer ELECQ suffered a ransomware attack on its AWS cloud platform, leading to the encryption and copying of customer databases containing names, email addresses, phone numbers, and home addresses. No financial data was compromised, and charging devices were unaffected.
- Ericsson Inc. disclosed a data breach affecting employees and customers, including SSNs and financial info for thousands, due to a hack on one of its service providers. This highlights persistent supply chain risks, even if no data misuse has been confirmed yet.
- The ShinyHunters threat actor claims to be actively exploiting misconfigured Salesforce Experience Cloud platforms, targeting the `/s/sfsites/aura` API endpoint to steal data. Salesforce attributes this to customer misconfigurations, not a platform vulnerability, and has issued guidance to restrict guest user permissions.
- Two popular Chrome extensions, "QuickLens" and "ShotBird," turned malicious after ownership transfer, enabling code injection and data theft by stripping security headers, injecting JavaScript from C2, and delivering fake browser updates leading to credential harvesting. This highlights a critical extension supply chain risk.
- The FBI is warning of phishing attacks impersonating US city and county planning/zoning officials, targeting businesses and individuals applying for land-use permits. Attackers use publicly available info to craft convincing emails, demanding fraudulent fees via wire transfer, P2P, or cryptocurrency.
- Dutch intelligence agencies have warned of a "large-scale" Russian cyber campaign targeting Signal and WhatsApp accounts of government officials, journalists, and military personnel globally. Attackers use social engineering to trick victims into sharing security codes or abuse the "linked devices" feature, bypassing end-to-end encryption.
- LastPass has alerted users to a new phishing campaign using display name spoofing and fake internal email threads to impersonate LastPass and direct victims to imitation SSO pages to harvest credentials. Users are reminded LastPass will never ask for their master password.

๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/08/fbi_investigates_wiretap_system_breach/
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/09/ransomware_crooks_hit_ev_charger/
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/ericsson-us-discloses-data-breach-after-service-provider-hack/
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/
๐Ÿ“ฐ The Hacker News | https://thehackernews.com/2026/03/chrome-extension-turns-malicious-after.html
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/fbi-warns-of-phishing-attacks-impersonating-us-city-county-officials/
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/09/dutch_spies_say_russian_cybercrims/

New Threat Research on Threat Actors/Groups, Ransomware, Malware, or Techniques and Tradecraft 🛡️

- CL-UNK-1068, a Chinese-speaking threat actor, has been conducting cyber-espionage against critical infrastructure sectors across South, Southeast, and East Asia since 2020. They use custom malware, open-source tools, and living-off-the-land binaries, gaining initial access via web server exploitation and web shells, then moving laterally for credential theft and data exfiltration.
- The Pakistan-aligned threat actor Transparent Tribe is leveraging AI-powered coding tools to generate "vibe-coded" malware in niche programming languages (Nim, Zig, Crystal) to target Indian government entities and embassies. This approach allows them to flood target environments with disposable, polyglot binaries, enhancing evasion.
- The Iranian hacking group MuddyWater (aka Seedworm) has targeted US companies, including banks, airports, and non-profits, as well as an Israeli software firm, in a campaign that intensified after US-Israel military strikes on Iran. This activity aligns with a broader trend of hacktivist-fueled cyberattacks and wiper campaigns.
- A Russian national, Evgenii Ptitsyn, has pleaded guilty in a US federal court for his role in the Phobos ransomware operation, which extorted over $39 million from more than 1,000 public and private entities globally. This conviction highlights ongoing international law enforcement efforts to disrupt ransomware ecosystems.

💡 Dark Reading | https://www.darkreading.com/threat-intelligence/chinese-cyber-threat-critical-asian-sectors
📰 The Hacker News | https://thehackernews.com/2026/03/transparent-tribe-uses-ai-to-mass.html
📰 The Hacker News | https://thehackernews.com/2026/03/iran-linked-muddywater-hackers-target.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/08/fbi_investigates_wiretap_system_breach/

Vulnerabilities, Exploits, and Zero-Days ⚠️

- A high-severity buffer over-read vulnerability (CVE-2026-21385, CVSS 7.8) in Qualcomm's Graphics component, affecting Android devices, is under "limited, targeted exploitation" in the wild. This flaw can lead to memory corruption and arbitrary code execution.
- Google has detailed "Coruna" (aka CryptoWaters), a powerful exploit kit featuring five full iOS exploit chains and 23 exploits, targeting Apple iPhones running iOS versions 13.0 to 17.2.1. The kit's evolution is noteworthy, starting as a commercial surveillance tool and later repurposed by Russian espionage and Chinese financial actors.
- Microsoft Azure CTO Mark Russinovich demonstrated how Anthropic's Claude Opus 4.6 AI successfully decompiled 40-year-old Apple II machine code and identified security vulnerabilities, including "silent incorrect behavior." Anthropic's Red Team previously warned that Claude Opus 4.6 found high-severity vulnerabilities, some decades-old, in well-tested codebases like Firefox (22 new bugs, 14 high-severity).

📰 The Hacker News | https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html
📰 The Hacker News | https://thehackernews.com/2026/03/coruna-ios-exploit-kit-uses-23-exploits.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/09/claude_legacy_code_vulns/
📰 The Hacker News | https://thehackernews.com/2026/03/anthropic-finds-22-firefox.html

Threat Landscape Commentary 🌍

- Ransomware attacks are increasingly frequent and impactful, with over 5,600 publicly disclosed incidents worldwide in 2024, costing an average of $2.73 million per incident and sometimes human lives. Former FBI and CISA leaders advocate for the administration's National Cyber Strategy, stressing the need for sustained, focused government-industry collaboration, prioritising critical sectors for resilience, and holding cryptocurrency exchanges accountable.
- Agentic AI is poised to deliver exponential productivity gains but simultaneously expands attack surfaces and scales attacker capabilities, creating an "AI arms race" in cybersecurity. While 88% of organisations are already using AI-driven remediation, concerns remain about trust in AI decisions and AI's own security risks.
- The ongoing US-Iran conflict marks a significant shift, with the cyber domain playing a central and openly acknowledged role, unlike previous military engagements. This highlights the increasing integration of cyber capabilities into modern warfare and its direct impact on geopolitical conflicts.

🤫 CyberScoop | https://cyberscoop.com/national-cyber-strategy-ransomware-prioritization-op-ed/
💡 Dark Reading | https://www.darkreading.com/application-security/auto-remediation-agentic-ai
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/09/kettle_2026_episode_01_iran_war/

Regulatory Issues or Changes ⚖️

- Europol, in coordinated operations, has successfully dismantled Tycoon2FA, a dominant phishing-as-a-service (PhaaS) platform responsible for 62% of Microsoft-blocked phishing attempts, and LeakBase, a vast stolen data marketplace with over 142,000 registered users. These takedowns represent significant wins against the cybercrime ecosystem.
- Dutch national police have launched a novel "Game Over?!" campaign, giving 100 alleged scammers less than two weeks to surrender or face public shaming through unblurred photos on roadside ads and TV. This aggressive tactic aims to identify suspects, deter new recruits, and combat a surge in fake police/bank employee scams.
- Microsoft Teams is rolling out a new feature in May 2026 that will automatically tag third-party bots in meeting lobbies, requiring explicit admission by organisers. This enhancement aims to prevent malicious or unrecognised non-human participants from accidentally joining meetings, giving organisers full control and improving security.

๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/08/fbi_investigates_wiretap_system_breach/
๐Ÿ“ฐ The Hacker News | https://thehackernews.com/2026/03/europol-led-operation-takes-down-tycoon.html
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/09/dutch_police_fraud_shaming/
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-will-tag-third-party-bots-in-meeting-lobbies/

Government Staffing or Program Changes 🏛️

- National Cyber Director Sean Cairncross detailed upcoming initiatives for the Trump administration's cyber strategy, including an "interagency cell" to confront malign hackers through diplomatic efforts, arrests, and cyber offense. The strategy also involves pilot programs for critical infrastructure security tailored to specific industries and states, and a review of regulations like the SEC's incident disclosure rule.
- Cairncross emphasised better information sharing with industry, a call for private sector resource dedication, and plans for a cybersecurity academy, foundry, and accelerator to address workforce gaps and innovation.

🤫 CyberScoop | https://cyberscoop.com/national-cyber-director-trump-cyber-strategy-interagency-cell-critical-infrastructure-pilots/

Crypto Flows to Sanctioned Entities 💰

- Chainalysis research reveals that sanctioned entities conducted $154 billion worth of cryptocurrency transactions in 2025, a 694% year-over-year increase, with $104 billion going to sanctioned entities and the rest to illicit addresses. The ruble-backed A7A5 stablecoin alone processed $93.3 billion, serving as a crucial bridge for Russian businesses to access global markets despite sanctions.

๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/08/fbi_investigates_wiretap_system_breach/

#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #ZeroDay #Vulnerability #Phishing #AI #DataBreach #IncidentResponse #LawEnforcement #CriticalInfrastructure #SupplyChainSecurity

FBI is investigating breach that may have hit its wiretapping tools

Infosec In Brief: PLUS: Europol takes down two crime gangs; LastPass users phished (again); Crooks increase crypto hauls; And more

The Register

China’s zero-day use may be down, but its stockpile & pipeline are stronger than ever: strict reporting laws, massive exploit contests, & new PLA cyber forces all feed a centralized vulnerability machine. 🔗 https://zurl.co/ZSzFC #cybersecurity #zeroday #China #nationstate

We Are Witnessing The Return of Empires & The END of Nations

Nearly all of us on Earth live within a 'nation-state'. Nation-states are an invisible and seemingly inevitable and eternal part of the infrastructure that forms our society: the water we swim in. Rarely do we pause to consider how this global system of nation-states came into being, and what might replace it after it's gone.

https://youtu.be/Mo88imJNWkU?si=c2kiW6eqKGpVad_E

#AaronBastani #RanaDasgupta #democracy #WorkersRights #NationState #WorldOrder

We Are Witnessing The Return of Empires & The END of Nations | Aaron Bastani Meets Rana Dasgupta

YouTube

Good morning, cyber pros! ☕ It's been a busy 24 hours with some critical zero-day warnings, new insights into nation-state influence operations, and a few notable breaches. Let's dive into the details:

Recent Breaches: Medical, Retail, and Sports Hit 🚨

- Medical device manufacturer UFP Technologies confirmed a cyber incident on 14 February, leading to data theft and potential destruction, though primary IT systems remain operational.
- French football club Olympique de Marseille reported an "attempted cyberattack" after a threat actor leaked samples claiming 400,000 individuals' data and 2,050 Drupal CMS accounts were stolen.
- European DIY retailer ManoMano disclosed a data breach affecting 38 million customers, stemming from a compromised third-party customer service provider, exposing names, emails, phone numbers, and communications.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/medical-device-maker-ufp-technologies-warns-of-data-stolen-in-cyberattack/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/olympique-marseille-football-club-confirms-cyberattack-after-data-leak/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/european-dyi-chain-manomano-data-breach-impacts-38-million-customers/

Critical Zero-Days and RCE Flaws Under the Spotlight ⚠️

- Five Eyes agencies and CISA issued urgent warnings about two Cisco Catalyst SD-WAN zero-days (CVE-2026-20127, CVSS 10.0; CVE-2022-20775, CVSS 7.8) actively exploited since 2023 by a "highly sophisticated threat actor" UAT-8616 to gain root access on critical infrastructure.
- Check Point discovered multiple RCE and API key theft vulnerabilities in Anthropic's Claude Code, stemming from malicious configuration files in repositories, highlighting new supply chain risks in AI-driven development.
- A critical RCE flaw (CVE-2026-21902, CVSS 10.0) in Juniper Networks PTX Series routers allows unauthenticated root code execution due to an exposed internal service; immediate patching or access restriction is advised.
- Trend Micro patched two critical RCE path traversal flaws (CVE-2025-71210, CVE-2025-71211) in Apex One management console, allowing unprivileged code execution if the console is externally exposed.
- Previously harmless Google API keys, when exposed client-side, can now authenticate to Gemini AI, potentially allowing attackers to access private data and incur significant usage charges.

🤫 CyberScoop | https://cyberscoop.com/cisco-zero-days-cisa-emergency-directive-five-eyes/
📰 The Hacker News | https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/five_eyes_cisco_sdwan/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/clade_code_cves/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/critical-juniper-networks-ptx-flaw-allows-full-router-takeover/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-critical-apex-one-rce-vulnerabilities/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/previously-harmless-google-api-keys-now-expose-gemini-ai-data/

Evolving Threat Actor TTPs: AI, Supply Chain, and Social Engineering 🛡️

- A coordinated campaign is targeting software developers with fake Next.js job interview repositories, using multiple execution triggers (VS Code, npm run dev, backend startup) to deliver in-memory JavaScript backdoors for RCE and data exfiltration.
- OpenAI reported nation-state actors, including a CCP-linked individual and a Russian group ("Operation No Bell"), are using ChatGPT for politically motivated influence operations, from drafting smear campaigns to generating geopolitical articles.
- A malicious NuGet package, StripeApi.Net, was discovered typosquatting the legitimate Stripe.net library, designed to steal Stripe API tokens from unsuspecting developers while maintaining application functionality.
- The cybercrime group Scattered Lapsus$ Hunters (SLSH) is actively recruiting women for vishing calls to IT helpdesks, aiming to enhance social engineering effectiveness by leveraging different voice profiles.
- Google disrupted a China-linked cyberespionage campaign (UNC2814) active since 2017, targeting telcos and governments in 42 countries, using a new Gridtide backdoor and abusing Google Sheets for C2 communications.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fake-nextjs-job-interview-tests-backdoor-developers-devices/
📰 The Hacker News | https://thehackernews.com/2026/02/fake-nextjs-repos-target-developers.html
👁️ Dark Reading | https://www.darkreading.com/cyberattacks-data-breaches/chinese-police-chatgpt-smear-japan-pm-takaichi
📰 The Hacker News | https://thehackernews.com/2026/02/malicious-stripeapi-nuget-package.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/scattered_lapsus_hunters_female_recruits/
🗞️ The Record | https://therecord.media/google-disrupts-china-linked-cyberespionage-campaign-spanning-dozens-of-countries

Ransomware Trends and AI's Double-Edged Sword 📊

- Despite a 50% surge in ransomware attacks, the payment rate dropped to a record low of 28% in 2025, though the median ransom paid significantly increased to $59,556, indicating a shift in victim behaviour and attacker tactics.
- Veracode's report highlights a growing "security debt," with 82% of companies having unresolved vulnerabilities for over a year, suggesting that the rapid pace of AI-driven development is creating more flaws than can be fixed, making comprehensive security "unattainable."
- The UK government has implemented a new Vulnerability Monitoring Service, significantly reducing the median fix time for critical public sector vulnerabilities from 50 to 8 days, addressing long-standing issues with digital defences.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/ransomware-payment-rate-drops-to-record-low-despite-attack-surge/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/veracode_security_ai/
🗞️ The Record | https://therecord.media/united-kingdom-vulnerability-scanning-cyber

FTC Clarifies COPPA for Age Verification 🔒

- The Federal Trade Commission (FTC) issued a policy statement clarifying that it will not enforce COPPA against companies using age verification technologies, provided strict conditions are met regarding data use, retention, notice, and security.
- This aims to encourage the adoption of age verification tools without fear of COPPA violations, with the FTC planning a broader review of the COPPA Rule to address this area.

๐Ÿ—ž๏ธ The Record | https://therecord.media/ftc-says-it-wont-enforce-coppa-age-verification

#CyberSecurity #ThreatIntelligence #ZeroDay #RCE #Vulnerability #APT #NationState #SupplyChainAttack #SocialEngineering #AI #Ransomware #DataBreach #DataPrivacy #InfoSec #CyberAttack #IncidentResponse

Medical device maker UFP Technologies warns of data stolen in cyberattack

American manufacturer of medical devices, UFP Technologies, has disclosed that a cybersecurity incident has compromised its IT systems and data.

BleepingComputer

It's been a busy 24 hours in the cyber world with significant updates on nation-state activity, several actively exploited vulnerabilities, major data breaches, and a stark reminder about insider threats and the evolving regulatory landscape. Let's dive in:

Recent Cyber Attacks and Breaches ⚠️

- Wynn Resorts confirmed an employee data breach after the ShinyHunters extortion gang listed them, claiming over 800k records with PII (including SSNs) were stolen. Wynn stated the attackers claimed to have deleted the data, a claim security experts view with scepticism, often implying a ransom payment.
- Medical device manufacturer UFP Technologies reported a cyberattack where some IT systems were isolated and data was stolen or destroyed, though backups facilitated restoration. The company is investigating the extent of sensitive data exfiltration and expects cyber insurance to cover most costs.
- Marquis Software Solutions is suing SonicWall, alleging gross negligence led to a ransomware attack affecting 74 US banks. The breach was traced to a security flaw in SonicWall's MySonicWall cloud backup service, exposing configuration data and MFA scratch codes, rather than an unpatched firewall vulnerability.
- Health insurance tech provider TriZetto Provider Solutions updated a 2024 data breach figure, now impacting over 3.4 million people. A hacker accessed historical eligibility reports via a web portal, exposing sensitive healthcare data including SSNs and health insurance numbers.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/wynn-resorts-confirms-employee-data-breach-after-extortion-threat/
🗞️ The Record | https://therecord.media/ufp-technologies-medical-devices-sec-filing-cyberattack
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/marquis-sues-sonicwall-over-backup-breach-that-led-to-ransomware-attack/
🗞️ The Record | https://therecord.media/trizetto-healthcare-tech-company-data-breach-update
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/25/wynn_resorts_shinyhunters/

New Threat Research: Actors, Malware, and Tradecraft 🛡️

- North Korea's Lazarus Group has been observed deploying Medusa ransomware in recent attacks, including against a Middle Eastern organisation and an unsuccessful attempt on a US healthcare entity. This highlights Lazarus's continued financial motivation and willingness to target critical infrastructure.
- Google's Threat Intelligence Group (GTIG) and Mandiant disrupted a global espionage campaign by suspected Chinese threat actor UNC2814, impacting 53 organisations in 42 countries. The group used a new C-based backdoor, 'GRIDTIDE,' which abuses the Google Sheets API for evasive command-and-control (C2) operations, blending malicious traffic with normal activity.
- A financially motivated group, "Diesel Vortex," is targeting freight and logistics operators in the US and Europe with sophisticated phishing campaigns using 52 domains. They stole over 1,600 unique credentials, employing Cyrillic homoglyph tricks, voice phishing, and a multi-stage cloaking process to evade detection and facilitate cargo diversion.
- A new cybercrime service, '1Campaign,' enables threat actors to run persistent malicious Google Ads by cloaking techniques. It filters out security researchers, showing benign content to them while directing real victims to phishing or crypto-drainer sites, effectively evading scrutiny.
- Telephone-Oriented Attack Delivery (TOAD) phishing emails, which contain only a phone number in a fake billing notification, are increasingly bypassing secure email gateways. This is due to their indistinguishability from legitimate business contacts, often combined with other evasion tactics like QR codes and multi-hop redirects.
- Hackers are luring Next.js developers with malicious GitHub repositories disguised as legitimate job interview projects. These repos execute secret-stealing malware in memory, often triggered by Visual Studio Code's workspace automation or running the project's development server, exfiltrating sensitive data like source code and secrets.
- OpenAI has banned a user with links to Chinese law enforcement who attempted to use ChatGPT to plan and track smear campaigns against critics of the Chinese Communist Party, including the Japanese Prime Minister. This highlights the use of AI in sophisticated influence operations and transnational repression tactics like creating fake obituaries and mass-reporting social media accounts.

๐Ÿ•ถ๏ธ Dark Reading | https://www.darkreading.com/cyberattacks-data-breaches/lazarus-group-new-position-medusa-ransomware
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-dozens-of-telecom-firms-govt-agencies/
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/25/google_and_friends_disrupt_unc2814/
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-freight-and-logistics-orgs-in-the-us-europe/
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/1campaign-platform-helps-malicious-google-ads-evade-detection/
๐Ÿ•ถ๏ธ Dark Reading | https://www.darkreading.com/threat-intelligence/why-call-this-number-toad-emails-beat-gateways
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/25/fake_interview_repos_lure_nextjs_devs_into_running_secret_stealing_malware/
๐Ÿ•ต๐Ÿผ The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/25/chinese_law_enforcement_chatgpt_abuse/
๐Ÿคซ CyberScoop | https://cyberscoop.com/chinese-chatgpt-online-harassment-campaign-against-critics-dissidents/

Vulnerabilities: RCE, Active Exploitation, and Zero-Days 🔒

- Five Eyes agencies issued urgent warnings about a critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN, actively exploited as a zero-day since 2023. Attackers can gain high-privileged access, add rogue peers, and potentially escalate to root by exploiting CVE-2022-20775. Immediate patching, restricted WAN exposure, and hunting for IoCs are crucial.
- Zyxel has released security updates for a critical Remote Code Execution (RCE) vulnerability (CVE-2025-13942) affecting over a dozen router models. The flaw in the UPnP function allows unauthenticated attackers to execute OS commands via crafted SOAP requests, though WAN access must also be enabled for remote exploitation.

๐Ÿ—ž๏ธ The Record | https://therecord.media/five-eyes-warn-hackers-exploit-cisco-sd-wan
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/critical-cisco-sd-wan-bug-exploited-in-zero-day-attacks-since-2023/
๐Ÿค– Bleeping Computer | https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/

Threat Landscape Commentary 🌍

- A VulnCheck report highlights that despite over 40,000 new vulnerabilities published in 2025, only 422 (1%) were actively exploited in the wild. This underscores the need for defenders to prioritise based on known exploited vulnerabilities, as network edge devices remain prime targets.
- While AI models like Anthropic's Claude Code Security are effective at identifying software vulnerabilities (500+ in open-source codebases), security researchers note a significant gap in their ability to propose actionable fixes. The sheer volume of AI-generated reports is overwhelming maintainers, highlighting that discovery is cheap, but remediation is hard.
- Researchers from Georgia Tech found that the global threat intelligence (TI) ecosystem is vulnerable to adversarial actions and geopolitical fragmentation. Their study revealed many security vendors conduct shallow malware analysis and rarely share binaries, leading to slow information propagation.
- A new "Operational Technology Incident (OTI) Impact Score" model, inspired by the Richter Scale, has been developed to provide a standardised way to measure the impact of OT cybersecurity incidents. It scores events based on severity, reach, and duration, aiming to offer clearer communication for executives, governments, and insurers.

🤫 CyberScoop | https://cyberscoop.com/vulncheck-exploited-vulnerabilities-report-2025/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/24/ai_finding_bugs/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/25/threat_intelligence_supply_chain_research/
🕶️ Dark Reading | https://www.darkreading.com/ics-ot-security/richter-scale-model-measures-cyber-incidents

Regulatory Issues and Changes ⚖️

- Peter Williams, former general manager of L3Harris's cybersecurity unit, was sentenced to 87 months in prison for stealing and selling eight zero-day exploits to Russian broker Operation Zero. The US Treasury also sanctioned Operation Zero (Matrix LLC), its owner Sergey Zelenyuk, and associated entities, marking the first use of the Protecting American Intellectual Property Act (PAIPA).
- Interpol, with law enforcement from 16 African countries and private companies, conducted "Operation Red Card 2.0," leading to 651 arrests and recovering over $4.3 million. The operation targeted investment fraud, mobile loan fraud, and cybercrime syndicates, highlighting growing efforts against cybercrime in Africa.
- China's top prosecutorial agency is intensifying criminal enforcement against commercial espionage and technology leaks to protect domestic innovation. Over 1,200 business secret infringement cases were handled from 2021-2024, focusing on AI, biomanufacturing, and energy sectors.

🤫 CyberScoop | https://cyberscoop.com/l3harris-executive-peter-williams-sentenced-zero-day-exploits-russian-broker/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/ex-l3harris-exec-jailed-for-selling-zero-days-to-russian-exploit-broker/
🚨 The Hacker News | https://thehackernews.com/2026/02/defense-contractor-employee-jailed-for.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/25/former_l3harris_exec_jailed/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/us-sanctions-russian-exploit-broker-for-buying-stolen-zero-days/
🕶️ Dark Reading | https://www.darkreading.com/cybersecurity-operations/operation-red-card-2-0-leads-to-651-arrests-in-africa
🗞️ The Record | https://therecord.media/china-domestic-ip-theft-crackdown

Government Staffing or Program Changes 🏛️

- The Cybersecurity and Infrastructure Security Agency (CISA) is reportedly "decimated" and "in trouble" a year into the second Trump administration. The agency has lost roughly a third of its personnel, shuttered divisions (like election security), and seen a decline in morale due to political backlash, leading to diminished capabilities.

🤫 CyberScoop | https://cyberscoop.com/cisa-personnel-cuts-trump-second-term-analysis/

Everything Else 🌍

- A Moscow resident, Ruslan Satuchin, is accused of attempting to extort money from the notorious Conti ransomware group by posing as an FSB officer. He allegedly contacted Conti members in September 2022, demanding payment to avoid criminal prosecution.

๐Ÿ—ž๏ธ The Record | https://therecord.media/moscow-man-accused-of-extorting-conti-gang

#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #ZeroDay #Vulnerability #Phishing #AI #DataBreach #IncidentResponse #Cybercrime #InfoSec #CISA #OTSecurity

Wynn Resorts confirms employee data breach after extortion threat

Wynn Resorts has confirmed that a hacker stole employee data from its systems after the company was listed on the ShinyHunters extortion gang's data leak site.

BleepingComputer