Cyber Security News
Google Exposes "Coruna" iOS Exploit Kit: Government-Grade Spyware Now in Criminal Hands
Google Threat Intelligence and iVerify revealed "Coruna," a sophisticated iOS exploit kit containing 23 exploits across five full exploit chains targeting iPhones running iOS 13 through 17.2.1. Originally suspected to be a U.S. government surveillance capability, the toolkit has now proliferated to foreign espionage actors and financially motivated criminal groups. Apple has patched all vulnerabilities in iOS 26, but hundreds of millions of devices running older versions remain exposed.
Why it matters: This is the first documented case of a government-grade iOS exploit kit leaking into the broader criminal ecosystem at scale, collapsing the barrier between state-level offensive capabilities and commodity cybercrime.
Sources: Google Cloud Blog | WIRED | The Hacker News
Conduent Breach Exposes 25 Million Records via SafePay Ransomware
The SafePay ransomware group breached Conduent Business Services, a Fortune 500 HIPAA Business Associate, exfiltrating 25 million records spanning healthcare, insurance, and government sectors. The attackers remained undetected for an extended period before data exfiltration, impacting hundreds of downstream organizations that rely on Conduent as a third-party vendor.
Why it matters: A single vendor compromise cascaded into exposure for entire ecosystems of clients, the textbook supply chain nightmare that makes vendor risk management a board-level conversation.
Sources: UNDERCODE NEWS | BleepingComputer
MuddyWater Infiltrates U.S. Banks, Airports, and Defense Supply Chain
Symantec researchers confirmed that MuddyWater (Seedworm), an Iranian MOIS-linked threat group, has maintained persistent access inside U.S. bank, software firm, and airport networks since early February 2026 using custom implants. The intrusions target critical infrastructure and defense supply chain entities amid escalating U.S.-Iran tensions.
Why it matters: This is pre-positioning for broader cyber operations; Iranian state actors embedding themselves in critical sectors as the geopolitical situation deteriorates, with direct implications for national security.
Sources: Security Affairs | Symantec Threat Hunter Team
France's FICOBA Registry Breach Exposes 1.2 Million Bank Accounts
French authorities confirmed that attackers accessed the national FICOBA bank account registry using stolen government credentials, exposing personal and financial data for approximately 1.2 million accounts. The breach, confirmed in February 2026, was followed days later by a separate healthcare breach affecting 15 million French citizens.
Why it matters: Credential theft against a single government official unlocked a national financial database, a stark demonstration that centralized registries are single points of catastrophic failure.
Sources: Security Boulevard | Les Echos
Qilin Ransomware Group Claims Malaysia Airlines and U.S. Power Grid Cooperative
The Russia-linked Qilin ransomware group listed Malaysia Airlines on its dark web leak site, claiming exfiltration of passenger booking data, personnel files, and vendor contracts. Days later, Qilin also claimed a breach of a U.S. power grid cooperative and Tulsa International Airport, leaking operational documents and executive data.
Why it matters: Qilin is executing a rapid multi-sector campaign hitting aviation, energy, and critical infrastructure in the same week, signaling operational maturity and an aggressive expansion of targets.
Cisco Discloses 48 Firewall Vulnerabilities Including Two CVSS 10.0 Critical Flaws
Cisco released patches for 48 vulnerabilities across its firewall ecosystem, including two critical zero-days rated CVSS 10.0 that allow remote code execution without user interaction. Separately, Cisco warned that two recently patched Catalyst SD-WAN flaws (CVE-2026-20128, CVE-2026-20122) are already being actively exploited for file overwrites and privilege escalation.
Why it matters: Fifty vulnerabilities in a single vendor's perimeter defense products, with two scoring perfect 10s, means attackers can bypass firewalls entirely before most enterprises finish reading the advisory.
Sources: Security Affairs | The Register
FBI Investigates Breach of Wiretapping Surveillance Systems
The FBI is actively investigating a breach affecting systems related to its wiretapping and surveillance tools after identifying suspicious activity that required immediate containment. While the scope of exfiltration remains under investigation, any compromise of law enforcement surveillance infrastructure poses severe national security risk by potentially exposing intelligence methods and ongoing investigations.
Why it matters: When the watchers get watched, the implications ripple through every active investigation and intelligence operation that relied on the compromised tools.
Sources: BleepingComputer | The Record
GitHub Supply Chain Attack Distributes BoryptGrab Stealer via 100+ Malicious Repositories
Trend Micro uncovered a campaign distributing the BoryptGrab information stealer through more than 100 malicious GitHub repositories, stealing browser data, cryptocurrency wallets, and system files. Some variants deploy a PyInstaller backdoor for persistent access after initial credential theft.
Why it matters: Attackers are poisoning the developer workflow itself; not dependencies, but entire repositories on a platform developers trust implicitly, bypassing traditional network perimeter defenses.
Sources: Trend Micro Research | BleepingComputer
Ransomware Gangs Pivot to Data Theft as Encryption Payouts Decline
Coalition's analysis of 100,000+ U.S. policyholders reveals that initial ransomware demands surged 47% in 2026, but most businesses are refusing to pay. In response, attackers are prioritizing data exfiltration over encryption, with business email compromise and funds transfer fraud comprising 58% of all cyber insurance claims filed in 2025.
Why it matters: The ransomware business model is evolving; "backup and restore" no longer neutralizes the threat when the real leverage is leaking your data, not locking it.
Sources: Coalition Cyber Claims Report | Chainalysis
Hamas-Linked Spyware Disguised as Emergency Alert Apps Targets Israeli Smartphones
Hamas-linked attackers are distributing spyware disguised as legitimate emergency-alert applications via SMS to Israeli smartphones, stealing SMS messages, location data, and contact lists. The Acronis Threat Research Unit identified the campaign, which exploits fear of emergency situations to trick users into installing malware that bypasses standard security warnings.
Why it matters: Cyber operations are now tightly coupled with kinetic conflict, exploiting civilian fear during active hostilities to conduct mass surveillance through social engineering.
Sources: The Register
AI News
OpenAI Launches GPT-5.4 with Native Computer Control and 1M Token Context
OpenAI released GPT-5.4, featuring native computer-use capability that allows autonomous operation of desktop and web applications without wrapper code, a 1-million-token context window, and a 33% reduction in error rates. Three variants ship: standard API, Pro for maximum performance, and Thinking for deep reasoning workflows. The accompanying Agents SDK enables production multi-agent orchestration.
Why it matters: AI shifts from generating text to executing actions; computer use as a commodity rewrites the economics of software automation and forces every competitor to ship agentic capabilities or become irrelevant.
Anthropic Publishes Claude Opus 4.6 "Soul Doc" and Launches Claude Marketplace
Anthropic released the full model specification for Claude Opus 4.6, providing unprecedented transparency into its architecture and alignment protocols. Simultaneously, the company launched the Claude Marketplace; a centralized platform for enterprises to purchase and deploy third-party AI tools from providers like Replit, GitLab, and Snowflake using existing spending commitments.
Why it matters: Anthropic is betting that trust and ecosystem lock-in beat raw benchmarks, while publishing your model's "soul" while building a one-stop procurement platform is a play for enterprise stickiness.
Sources: Udit Goenka | Evermx
Google Deploys Gemini 3.1 Pro for Enterprise Data Agents on Vertex AI
Google advanced its enterprise strategy with Gemini 3.1 Pro on Vertex AI, architected for building enterprise-grade data agents that execute complex workflows rather than simple chat interactions. The release targets organizations transitioning from experimental pilots to production-scale deployments where autonomous agents handle specific business functions.
Why it matters: The competitive landscape is shifting from "smartest model" to "most reliable infrastructure for managing fleets of agents"; and Google's cloud infrastructure gives it a structural advantage.
Sources: Medium | The Signal
NIST Launches AI Agent Security Standards Initiative
The National Institute of Standards and Technology released a Request for Information on security standards specifically designed for autonomous agents that write code, manage infrastructure, and execute workflows. The comment deadline was March 9, 2026, the first formal government framework addressing the safety risks of agents acting independently.
Why it matters: The regulatory honeymoon for AI agents is over. Autonomous systems will soon require built-in guardrails and audit trails comparable to traditional software security standards before production deployment.
China's Five-Year Plan Places Quantum and AI at Center of National Strategy
China placed quantum technology and artificial intelligence at the center of its next five-year national development strategy, signaling an aggressive push to secure leadership in emerging computing and advanced science. The plan includes massive state investment in domestic chip manufacturing, AI research infrastructure, and quantum computing research.
Why it matters: This is industrial policy at civilizational scale; China is explicitly targeting the same technological domains that U.S. export controls are trying to constrain, setting up the next decade of strategic competition.
Sources: The Quantum Insider
White House Announces AI Industry Pledge to Fund Power Infrastructure
Companies including Google, Microsoft, and OpenAI committed to pay for the power plants and grid upgrades needed to run their data centers, responding to growing concerns about AI's energy footprint. The pledge, announced at the White House, represents an industry-led attempt to defuse political opposition to data center expansion.
Why it matters: AI companies are now in the energy business, voluntarily taking on infrastructure costs to keep the regulatory environment favorable, a tacit admission that power is the binding constraint on AI scaling.
Sources: The New York Times
Agentic AI Hits Inflection Point: 40% of Enterprise Apps to Embed Agents by Year-End
Industry analysts project that 40% of enterprise applications will embed task-specific AI agents by end of 2026, with the agentic AI market expected to grow from $7.8 billion to over $52 billion by 2030. The shift from single-agent assistance to coordinated teams of agents marks the most significant inflection point in software architecture since cloud computing.
Why it matters: We're past the "will it work?" phase; the question is now who captures the orchestration layer as AI agents become as ubiquitous as APIs.
Sources: Learnia Blog | Machine Learning Mastery
Active Exploitation Watchlist + Notable CVEs
| CVE | Product | Severity | Status | Action |
|---|---|---|---|---|
| CVE-2026-22719 | Broadcom VMware Aria Operations | High (8.1) | Active exploitation; KEV added Mar 3 | Patch immediately; command injection → RCE |
| CVE-2026-21385 | Qualcomm chipsets (multiple) | High | Active exploitation; KEV added Mar 3 | Firmware update; memory corruption at chipset level |
| CVE-2026-20128 | Cisco Catalyst SD-WAN | High | Active exploitation confirmed | Patch immediately; file overwrite → full network compromise |
| CVE-2026-20122 | Cisco Catalyst SD-WAN | High | Active exploitation confirmed | Patch immediately; privilege escalation |
| CVE-2024-37079 | VMware vCenter Server | Critical (9.8) | KEV; active exploitation | Patch; out-of-bounds write |
| CVE-2026-25253 | OpenClaw AI Assistant | High (8.8) | 42K exposed instances identified | Patch + isolate; RCE via malicious skills |
The Edge
The story of this week isn't any single breach or model launch; it's the collision of two acceleration curves that most people are tracking in isolation.
On one axis, the offensive capability curve just jumped. Google's Coruna disclosure proves that government-grade exploit kits don't stay government-grade. Twenty-three iOS exploits across five chains, built with the kind of engineering discipline that used to be the exclusive province of three-letter agencies, now circulating among criminal groups who can barely spell "opsec." MuddyWater is sitting inside American banks and airports. Qilin hit an airline, a power grid, and an airport in the same week. The ransomware economy is evolving faster than the insurance industry can price it.
On the other axis, we just entered the age of autonomous agents that can control computers, manage infrastructure, and execute multi-step workflows without human intervention. OpenAI, Anthropic, and Google all shipped production agent capabilities in the same week. NIST scrambled to publish security standards before the deadline. Forty percent of enterprise apps will have embedded agents by December. The attack surface isn't expanding linearly; it's compounding.
The uncomfortable question nobody in the industry wants to answer: what happens when the first axis meets the second? When exploit kits get orchestrated by autonomous agents? When MuddyWater's custom implants are managed by systems that don't sleep, don't make typos, and can adapt faster than any SOC analyst? We're building the most powerful tools in human history and deploying them into an environment where the perimeter already doesn't exist. The clock is ticking on whether governance catches up before the intersection gets ugly.