Date: 2026-03-02
Cyber Security News
Conduent Breach Grows to 25.9 Million: One of the Largest in U.S. History
What started as a 4-million-person estimate ballooned to 25.9 million affected individuals this week, as state-level impact figures came in from Texas (15.4M) and Oregon (10.5M). The Safepay ransomware group stole 8+ terabytes of data (Social Security numbers, medical histories, health insurance details) with access running undetected from October 21, 2024 through January 13, 2025. Texas AG Ken Paxton opened a formal investigation, calling it potentially the largest healthcare data breach in U.S. history.
Why it matters: Conduent processes payments and healthcare claims for government clients nationwide. A three-month undetected access window at that scale reveals the depth of the third-party risk problem. Supply chain security isn't a checkbox; it's the front line.
Sources: Cybersecurity News
Darktrace 2026 Threat Report: 72-Minute Attack Window, Identity Abuse at 70%
Darktrace's annual threat report documents a fundamental shift in how attacks unfold: nearly 70% of incidents in the Americas now begin with stolen or misused credentials rather than exploit-based intrusions. AI-assisted attacks can move from initial compromise to exfiltration in approximately 72 minutes. Meanwhile, publicly disclosed vulnerabilities jumped 20% year-over-year, even as attackers increasingly bypass them in favor of credential abuse.
Why it matters: The perimeter is gone. The frontline is now the identity layer. If your detection stack isn't watching for behavioral anomalies in legitimate accounts, you're watching the wrong door.
Sources: Industrial Cyber
CrowdStrike 2026 Global Threat Report: eCrime Breakout Time Drops to 29 Minutes
CrowdStrike's annual report lands with a number that should stop security teams cold: the average eCrime breakout time is now 29 minutes (down 65% from 2024. AI-enabled adversary attacks surged 89% year-over-year. 82% of detections are now malware-free, meaning signatures catch almost nothing. Zero-days exploited before public disclosure rose 42%. The report also documents a $1.46 billion cryptocurrency heist) the largest on record.
Why it matters: 29 minutes from compromise to lateral movement means manual IR is dead. If you don't have automated containment, you're writing the breach notification before the analyst finishes their first pivot.
Sources: CrowdStrike
PayPal Working Capital Breach: Six Months Undetected, Funds Stolen
PayPal confirmed a breach of its Working Capital loan application system with a six-month access window; July 1 through December 12, 2025. Breach letters went out February 10, 2026. Users are reporting unauthorized transactions and forced password resets. No aggregate dollar figure for stolen funds has been disclosed publicly.
Why it matters: Six months of dwell time in a financial services platform. The attacker didn't hammer the network; they targeted a specific high-value application layer. Application-layer monitoring is not optional when money moves through the system.
Sources: Bright Defense
Cisco SD-WAN Zero-Day CVE-2026-20127: Exploited Since 2023, CVSS 10.0
Cisco disclosed a CVSS 10.0 vulnerability in SD-WAN Manager that has been actively exploited since 2023; three years of silent compromise before public disclosure. CISA added it to the KEV catalog and mandated urgent remediation across federal agencies. The flaw allows unauthenticated admin access to SD-WAN infrastructure.
Why it matters: Three years. This wasn't a zero-day at disclosure; it was a n-day with a three-year head start for adversaries. Network infrastructure vulnerabilities of this severity in SD-WAN environments have upstream consequences for every segment they touch.
Sources: The Hacker News
AI News
DeepSeek V4 Is Coming: Trained on Blackwell Despite the Export Ban
Reuters and US News report that DeepSeek's forthcoming V4 model (a multimodal system capable of generating text, images, and video) was trained on Nvidia's Blackwell chips despite U.S. export restrictions blocking their sale to China. A senior Trump administration official confirmed this to Reuters. In a pointed follow-up, DeepSeek denied early access to Nvidia and AMD for hardware optimization, instead giving Chinese chipmakers Huawei and Cambricon a weeks-long head start.
Why it matters: Export controls aren't holding the line. DeepSeek V4 arriving on Huawei-optimized stacks signals China's accelerating push toward hardware sovereignty, validating every concern about the limits of chip export policy as a containment strategy.
China Floods the Zone: Qwen 3.5, Seedance 2.0, and Five More Models in Weeks
Alibaba released Qwen 3.5 on February 17, pitching it as purpose-built for the agentic AI era; native multimodal capabilities, improved cost-per-inference, and benchmark performance competitive with Western frontier models. ByteDance followed with Seedance 2.0, a video-generation model now in limited rollout on the Jimeng AI platform that sent related Chinese media stocks up 20%. CNBC reports five major Chinese AI models have launched in the past few weeks, with UBS highlighting one as their top pick.
Why it matters: The pace of Chinese model releases has broken into a new gear. This isn't catch-up anymore; it's a parallel frontier. Western AI labs no longer have a comfortable lead on capability or cost.
Apple to Replace Core ML with Core AI Framework at WWDC 2026
Reports from Bloomberg's Power On newsletter and 9to5Mac confirm Apple plans to unveil a new Core AI framework at WWDC 2026, replacing (or superseding) Core ML. The new framework is expected to ship with iOS 27 and is designed to give developers unified, modern APIs for on-device generative AI, with tighter integration with Apple Silicon and Apple Intelligence than Core ML currently provides.
Why it matters: Apple has 2+ billion active devices. A first-class on-device AI framework at that scale changes the privacy calculus for AI deployment; and sets the stage for a wave of AI-native apps that don't touch the cloud. For enterprise security, on-device inference removes a class of data exfiltration vectors. For AI labs, it raises the stakes on edge efficiency.
Sources: 9to5Mac | AppleInsider
MiniMax M2.5: China's Affordable Frontier Model Rivals Claude Opus
MiniMax released M2.5 this week, a model that benchmarks competitively with Anthropic's Claude Opus 4.6 at significantly lower inference cost. The startup edition framing signals MiniMax is targeting the enterprise and developer market directly, not just research. Combined with Qwen 3.5, the Chinese AI stack now offers credible alternatives at every tier of the cost curve.
Why it matters: The price pressure on Western AI APIs is intensifying from below. When a Chinese model rivals your flagship at a fraction of the cost, enterprise procurement conversations get complicated; and geopolitical risk enters the vendor evaluation process.
Sources: blog.mean.ceo
Active Exploitation Watchlist
| CVE | Product | Severity | Status | Action |
|---|---|---|---|---|
| CVE-2026-20127 | Cisco SD-WAN Manager | CVSS 10.0 | Exploited in wild since 2023; KEV added Feb 2026 | Patch immediately; restrict management-plane access |
| CVE-2026-25108 | FileZen (v4.2.1–4.2.8, v5.0.0–5.0.10) | CVSS 8.7 | Active exploitation confirmed by vendor; KEV added Feb 25 | Update to patched version; audit file transfer logs |
| CVE-2022-20775 / CVE-2022-20776 | Cisco Catalyst SD-WAN | Critical | KEV added Feb 25, 2026; federal agencies under mandatory patch deadline | Apply Cisco security advisories; segment SD-WAN management |
| Roundcube RCE | Roundcube Webmail | CVSS 9.9 | Weaponized within 48 hours of disclosure; KEV listed | Patch now; audit mail server access logs for anomalies |
| Chrome RCE | Google Chrome | High | Actively exploited; KEV flagged alongside Zimbra SSRF, Windows ActiveX | Update Chrome to latest stable; enforce auto-update policy |
The Edge
The week's data points converge on a single thesis: the window between disclosure and weaponization is gone, and the window between compromise and exfiltration is closing fast. CrowdStrike's 29-minute breakout time and Darktrace's 72-minute exfiltration window aren't statistics; they're an indictment of every IR playbook written before 2024. The adversary has automated their kill chain. Most defenders haven't.
The identity shift is the harder reckoning. When 70% of breaches start with stolen credentials and 82% of detections are malware-free, the entire architecture of enterprise security (perimeter controls, signature-based detection, network segmentation) becomes a backdrop to the actual fight happening at the identity layer. Conduent and PayPal both had six-month dwell times. Not because they had bad security by yesterday's standards. Because yesterday's standards don't apply anymore.
On the AI side, the China story this week isn't about any one model (it's about tempo. Five major model releases in a matter of weeks, DeepSeek V4 arriving on Huawei-optimized chips in apparent defiance of export controls, and now Alibaba and MiniMax offering frontier-competitive inference at prices that undercut Western providers. Export controls are buying time, not solving the problem. The question that matters isn't whether DeepSeek used Blackwell chips) it's what happens when Chinese AI infrastructure doesn't need them anymore.