Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More – CYBERDEFENSA.MX

This week had real hits. The key software got tampered with. Active bugs showed up in the tools people use every day. Some attacks didn’t even need much effort because the path was already there.

One weak spot now spreads wider than before. What starts small can reach a lot of systems fast. New bugs, faster use, less time to react.

That’s this week. Read through it.

⚡ Threat of the Week

Axios npm Package Compromised by N. Korean Hackers—Threat actors with ties to North Korea seized control of the npm account belonging to the lead maintainer of Axios, a popular npm package with nearly 100 million weekly downloads, to push malicious versions containing a cross-platform malware dubbed WAVESHAPER.V2. The activity has been attributed to a financially motivated threat actor known as UNC1069. The incident demonstrates how quickly the compromise of a popular npm package can have ripple effects through the ecosystem. The malware’s self-deleting anti-forensic cleanup points to a deliberate, planned operation. «The build pipeline is becoming the new front line. Attackers know that if they can compromise the systems that build and distribute software, they can inherit trust at scale,» Avital Harel, Security Researcher at Upwind, said. «That’s what makes these attacks so dangerous — they’re not just targeting one application, they’re targeting the process behind many of them. Organizations should be looking much more closely at CI/CD systems, package dependencies, and developer environments, because that’s increasingly where attackers are placing their bets.» Ismael Valenzuela, vice president of Labs, Threat Research, and Intelligence at Arctic Wolf, said the Axios npm compromise reflects a broader trend where attackers infiltrate trusted, widely used software components to obtain access to downstream customers at scale. «Even though the malicious versions were available for only a few hours, Axios is so deeply embedded across enterprise applications that organizations may have unknowingly pulled the compromised code into their environments through build pipelines or downstream dependencies,» Valenzuela added. «That downstream exposure is what makes these incidents particularly difficult to spot and contain, especially for teams that never directly chose to install Axios themselves. This incident reinforces that security teams need to treat build‑time tools and dependencies as part of the attack surface and not just trust tools by default.»
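The practical follow-up to an incident like this is checking whether any copy of the package, including nested copies pulled in by other dependencies, was resolved to a bad release. The script below is an added example, not code from the bulletin or from the Axios project: it walks an npm `package-lock.json` (both the `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1) and reports every installed copy of a named package whose version is on a denylist. The lockfile and the denylisted version `9.9.9` are constructed placeholders, since the bulletin does not name the malicious version numbers; substitute the versions from the advisory.

```python
import json
import sys

# Constructed sample lockfile in npm lockfileVersion 3 layout; not a real project's file.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0", "dependencies": {"axios": "^1.6.0"}},
    "node_modules/axios": {"version": "1.6.8"},
    "node_modules/legacy-sdk": {"version": "2.3.1"},
    "node_modules/legacy-sdk/node_modules/axios": {"version": "9.9.9"}
  }
}
""")

# Placeholder denylist: "9.9.9" stands in for whatever versions the advisory lists.
DENYLIST = {"axios": {"9.9.9"}}


def find_package_versions(lock, name):
    """Return [(install_path, version)] for every copy of `name`, nested copies included."""
    found = []
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in packages.items():
            if path == f"node_modules/{name}" or path.endswith(f"/node_modules/{name}"):
                found.append((path, meta.get("version")))
        return found

    # lockfileVersion 1: recursive "dependencies" tree
    def walk(deps, prefix):
        for dep_name, meta in deps.items():
            path = f"{prefix}node_modules/{dep_name}"
            if dep_name == name:
                found.append((path, meta.get("version")))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def flag_denied(lock, denylist):
    """Return [(install_path, name, version)] for installed copies on the denylist."""
    hits = []
    for name, bad_versions in denylist.items():
        for path, version in find_package_versions(lock, name):
            if version in bad_versions:
                hits.append((path, name, version))
    return hits


if __name__ == "__main__":
    # Usage: python check_lock.py [path/to/package-lock.json]; defaults to the sample.
    lock = SAMPLE_LOCK
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    for path, name, version in flag_denied(lock, DENYLIST):
        print(f"DENYLISTED {name}@{version} at {path}")
```

The nested copy under `legacy-sdk` is the case that a top-level `npm ls axios` glance tends to miss, and it is exactly the "teams that never directly chose to install Axios" situation the quote above describes. Run the check in CI against the committed lockfile rather than against `node_modules`, so the result reflects what the build would resolve.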

🔔 Top News

  • Google Patches Actively Exploited Chrome 0-Day—Google released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild. The high-severity vulnerability, CVE-2026-5281 (CVSS score: N/A), concerns a use-after-free bug in Dawn, an open-source and cross-platform implementation of the WebGPU standard. Users are advised to update their Chrome browser to versions 146.0.7680.177/178 for Windows and Apple macOS, and 146.0.7680.177 for Linux. Google did not reveal how the vulnerability is being exploited and who is behind the exploitation effort.
  • TrueConf 0-Day Exploited in Attacks Targeting Government Entities in Southeast Asia—Chinese hackers have exploited a zero-day vulnerability in the TrueConf video conferencing software in attacks against government entities in Southeast Asia. The exploited flaw, tracked as CVE-2026-3502 (CVSS score of 7.8), exists because of a lack of integrity checks when fetching application update code, allowing an attacker to distribute a tampered update. «The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update,» Check Point said. The activity, which began in January 2026, involved the deployment of the Havoc framework. Most infections likely began with a link sent to the victims. TrueConf is used widely across organizations in Asia, Europe, and the Americas, serving about 100,000 organizations globally.
  • Fortinet FortiClient EMS Flaw Under Attack—Fortinet released out-of-band patches for a critical security flaw impacting FortiClient EMS (CVE-2026-35616) that it said has been exploited in the wild. The vulnerability has been described as a pre-authentication API access bypass leading to privilege escalation. Exploitation efforts against CVE-2026-35616 were first recorded against its honeypots on March 31, 2026, per watchTowr. The development comes days after another recently patched, critical vulnerability in FortiClient EMS (CVE-2026-21643) came under active exploitation.
  • Apple Backports DarkSword Fixes to More Devices—Apple expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect users from the risk posed by a recently disclosed exploit kit known as DarkSword. The update targets customers whose devices are capable of upgrading to the newest operating system (iOS 26) but have chosen to remain on iOS 18. Shipping a fix to a superseded release branch in this way is an unprecedented step for Apple, and the broader availability of the patches underscores the level of threat that malware like DarkSword poses. The fact that a large number of users were still using iOS 18, combined with the leak of a new version of DarkSword on GitHub, has pushed Apple to release the fix so that those users can stay protected without having to update to iOS 26. The leak is significant because it puts the kit within reach of less technically savvy cybercriminals.
  • ClickFix Attack Leads to DeepLoad Malware—The ClickFix technique is being used to deliver a stealthy malware named DeepLoad that’s capable of stealing credentials and intercepting browser interactions. The malware first emerged on a dark web cybercrime forum in early February 2026, when a threat actor, using the alias «MysteryHack,» advertised it as a «centralized panel for multiple types of malware.» According to ZeroFox, «DeepLoad’s design is explicitly focused on actively facilitating real-time cryptocurrency theft, which almost certainly makes it an attractive malware suite in the cybercrime-as-a-service (CaaS) environment.» The malware has since been distributed to Windows systems through ClickFix under the guise of resolving fake browser error messages. Besides stealing credentials, the malware drops a rogue browser extension to intercept sensitive data and spreads via removable USB drives. DeepLoad’s actual attack logic is buried under layers of obfuscation, raising the possibility that some parts of the malware were developed using an artificial intelligence (AI) model.
  • Claude Code Source Code Leaks—Anthropic acknowledged that internal code for its popular artificial intelligence (AI) coding assistant, Claude Code, had been inadvertently released due to a human error. Essentially, what happened was this: When Anthropic pushed out version 2.1.88 of its Claude Code npm package, it accidentally included a map file that exposed nearly 2,000 source code files and more than 512,000 lines of code. The source code leak has since revealed various features the company appears to be working on or that are built into the service, including an Undercover mode to hide AI authorship from contributions to public code repositories, a persistent background agent called KAIROS, defenses against distillation attacks, and active monitoring of words and phrases that show signs of user frustration. The leak also quickly escalated into a cybersecurity threat, as attackers pounced on the surge in interest to lure developers into downloading stealer malware.
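The TrueConf item above turns on one missing control: the client fetched update code without checking its integrity, so a server that had been compromised could hand every downstream organisation a tampered package. The example below is added here and is not TrueConf's code or part of the bulletin; it contrasts an update client that applies whatever the server returns with one that refuses the payload unless an authenticated manifest matches its digest. The update server is simulated with a dictionary, and the manifest is authenticated with an HMAC over a constructed demo key purely to stay within the standard library (a real publisher would sign with an asymmetric key so clients hold no secret).

```python
import hashlib
import hmac

# Constructed demo key standing in for the publisher's signing key (assumption for the example).
PUBLISHER_KEY = b"constructed-demo-key"


def publish(update_bytes, key=PUBLISHER_KEY):
    """Publisher side: emit the update together with an authenticated manifest."""
    digest = hashlib.sha256(update_bytes).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"update": update_bytes, "manifest": {"sha256": digest, "tag": tag}}


def fetch_update_unchecked(server):
    """Vulnerable pattern: the bytes the update server returns are applied as-is."""
    return server["update"]


def fetch_update_verified(server, key=PUBLISHER_KEY):
    """Hardened pattern: accept the update only if the manifest is authentic and matches it."""
    manifest = server.get("manifest")
    if manifest is None:
        raise ValueError("update rejected: no manifest")
    expected_tag = hmac.new(key, manifest["sha256"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        raise ValueError("update rejected: manifest not authentic")
    actual = hashlib.sha256(server["update"]).hexdigest()
    if not hmac.compare_digest(actual, manifest["sha256"]):
        raise ValueError("update rejected: digest mismatch")
    return server["update"]


def tamper(server, evil_bytes):
    """Simulate a compromised update server swapping the payload after publication."""
    compromised = dict(server)
    compromised["update"] = evil_bytes
    return compromised


def demo():
    """Show both clients facing the same compromised server."""
    genuine = publish(b"genuine-update-v2")
    compromised = tamper(genuine, b"malicious-update")
    unchecked = fetch_update_unchecked(compromised)  # silently installs the swap
    try:
        fetch_update_verified(compromised)
        verified = "accepted"
    except ValueError as err:
        verified = str(err)
    return unchecked, verified


if __name__ == "__main__":
    unchecked, verified = demo()
    print("unchecked client applied:", unchecked)
    print("verified client result:  ", verified)
```

Two details carry the security property: the digest is only trusted after the manifest itself is authenticated (an attacker who controls the server can regenerate a hash, not a signature), and both comparisons use `hmac.compare_digest` so timing does not leak how many leading characters matched.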

🔥 Trending CVEs

New vulnerabilities show up every week, and the window between disclosure and exploitation keeps getting shorter. The flaws below are this week’s most critical — high-severity, widely used software, or already drawing attention from the security community.

Check these first, patch what applies, and don’t wait on the ones marked urgent — CVE-2026-35616 (Fortinet FortiClient EMS), CVE-2026-20093 (Cisco Integrated Management Controller), CVE-2026-20160 (Cisco Smart Software Manager On-Prem), CVE-2026-5281 (Google Chrome), CVE-2026-3502 (TrueConf), CVE-2026-27876, CVE-2026-27880 (Grafana), CVE-2026-4789 (Kyverno), CVE-2026-2275, CVE-2026-2285, CVE-2026-2286, CVE-2026-2287 (CrewAI), CVE-2025-14819 (Notepad++), CVE-2026-34714, CVE-2026-34982 (Vim), CVE-2026-33660, CVE-2026-33696 (n8n), CVE-2026-25639 (Axios), CVE-2026-25075 (strongSwan), CVE-2026-34156 (NocoBase), CVE-2026-3308 (Artifex MuPDF), CVE-2026-1579 (PX4 Autopilot), CVE-2026-3991 (Symantec Data Loss Prevention Agent for Windows), CVE-2026-33026 (nginx-ui), CVE-2026-33416, CVE-2026-33636 (libpng), CVE-2026-3775, CVE-2026-3779 (Foxit PDF Editor), CVE-2026-34980, CVE-2026-34990 (CUPS), and CVE-2026-34121 (TP-Link).

🎥 Cybersecurity Webinars

  • Learn How to Close Identity Gaps Using Insights from IT Leaders → Identity programs face rising risk from disconnected apps, manual credentials, and expanding AI access. Based on 2026 insights from 600+ IT and security leaders, this session shows what to measure, fix, and do now to close identity gaps and regain control.
  • Learn How to Build Secure AI Agents Using Identity, Visibility, and Control → AI agents are already being used, but most teams don’t know how to secure them properly. This session shows a clear, practical way to do it using three key ideas: identity, visibility, and control. You will see what real deployment looks like, how to track what agents do, and how to manage their behavior safely. It also explains how to secure AI systems today without waiting for standards to settle.

📰 Around the Cyber World

  • Device Code Phishing Attacks Surge —Device code phishing attacks, which abuse the OAuth device authorization grant flow to hijack accounts, have surged more than 37.5x this year. Push Security said it detected a 15x increase in device code phishing pages at the start of March 2026, indicating that the technique has finally entered mainstream adoption. «The technique tricks a user into issuing access tokens for an attacker-controlled application (not a device, confusingly),» the company said. «Any app that supports device code logins can be a target. Popular examples include Microsoft, Google, Salesforce, GitHub, and AWS. That said, Microsoft is, as always, much more heavily targeted at scale now than any other app.» This has been fueled by the emergence of EvilTokens (aka ANTIBOT), the first reported criminal PhaaS (Phishing-as-a-Service) toolkit that supports device code phishing. EvilTokens features a Cloudflare Workers frontend and a Railway backend for authentication. Early iterations of the PhaaS kit emerged in January 2026. Another closed-source PhaaS kit called Venom offers device code phishing capabilities similar to EvilTokens. Some of the other PhaaS kits that have incorporated this technique include SHAREFILE, CLURE, LINKID, AUTHOV, DOCUPOLL, FLOW_TOKEN, PAPRIKA, DCSTATUS, and DOLCE.
  • LinkedIn Comes Under Scanner for BrowserGate —A newly published report called BrowserGate alleged that Microsoft’s LinkedIn is using hidden JavaScript scripts on its website to scan visitors’ browsers for thousands of installed Google Chrome extensions and collect device data without users’ consent. «LinkedIn scans for over 200 products that directly compete with its own sales tools, including Apollo, Lusha, and ZoomInfo,» the report said. «Because LinkedIn knows each user’s employer, it can map which companies use which competitor products. It is extracting the customer lists of thousands of software companies from their users’ browsers without anyone’s knowledge. Then it uses what it finds. LinkedIn has already sent enforcement threats to users of third-party tools, using data obtained through this covert scanning to identify its targets.» The report also claimed LinkedIn loads an invisible tracking pixel from HUMAN Security, along with a separate fingerprinting script that runs from LinkedIn’s servers and a third script from Google that runs silently on every page load. In response to the findings, LinkedIn told Bleeping Computer it scans for certain extensions that scrape data without members’ consent in violation of its terms of service. The company also claimed the report is from an individual who is «subject to an account restriction for scraping and other violations of LinkedIn’s Terms of Service.»
  • ICE Confirms Use of Paragon Spyware —The U.S. Immigration and Customs Enforcement (ICE) confirmed it uses spyware developed by Paragon to «identify, disrupt, and dismantle Foreign Terrorist Organizations, addressing the escalating fentanyl epidemic and safeguarding national security.» Paragon’s Graphite spyware has been found on the phones of journalists. WhatsApp last year said it disrupted a campaign that deployed the spyware against its users. The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are suspected to be customers of the Israeli company.
  • Ex-Engineer Pleads Guilty to Extortion Campaign —Daniel Rhyne, 59, of Kansas City, Missouri, pleaded guilty to a failed data extortion campaign that targeted his former employer. Rhyne was arrested in September 2024. According to court documents, Rhyne worked as a core infrastructure engineer at a U.S.-based industrial company headquartered in New Jersey. In November 2023, the defendant executed a ransomware attack against the company and sent an extortion email to its employees, threatening to continue shutting down the firm’s servers unless he was paid about 20 Bitcoin, which was valued at $750,000 at the time. Last month, the U.S. Justice Department (DoJ) announced the conviction of Cameron Curry (aka Loot), a 27-year-old from Charlotte, North Carolina, for carrying out a cyber extortion scheme against a D.C.-based international technology company called Brightly Software. «Trial evidence established that Curry misused his position to access the victim company’s personnel and other sensitive corporate records, which he then used to carry out the cyber extortion scheme after he learned that his contract was not going to be renewed and that he would no longer be employed by the company,» the DoJ said. Between December 11, 2023, and January 24, 2024, Curry sent more than 60 emails to company executives and employees, stating he would disclose sensitive information unless he was paid $2.5 million in cryptocurrency. Brightly ended up paying $7,540 in Bitcoin.
  • Residential Proxies Bypass Reputation Systems —Threat intelligence firm GreyNoise’s analysis of 4 billion sessions targeting the edge over a 90-day period from November 29, 2025, to February 27, 2026, found that 39% of unique IP addresses targeting the edge originated from home internet connections, and that 78% vanish before any reputation system can flag them. «78% of residential IPs appear in only 1–2 sessions and are never observed again,» it said. «IP reputation is structurally broken against residential proxies. The rotation rate exceeds the update cycle of any feed-based defense.» This behavior also makes source IPs indistinguishable from a legitimate user’s connection. The data also showed that 0.1% of residential sessions carry exploitation payloads, in contrast to 1.0% from hosting infrastructure, indicating that they are primarily used for network scanning and reconnaissance. The residential proxy traffic is generated by IoT botnets and infected computers, with the networks also resilient against takedown efforts. «After IPIDEA lost 40% of its nodes, operators backfilled within weeks,» GreyNoise said. «Every major takedown produces the same result — temporary disruption, then regeneration.» The company also recommended that «Detection must shift from ‘where is the traffic from?’ to ‘what is the traffic doing?’ Device fingerprinting provides more durable detection because fingerprints survive IP rotation.»
  • Suspected N. Korea Campaign Targets Cryptocurrency Companies Using React2Shell —A new campaign has been observed systematically compromising cryptocurrency organizations by exploiting web application vulnerabilities such as React2Shell (CVE-2025-55182), pillaging AWS tenants with valid credentials, and exfiltrating proprietary exchange software containing hardcoded secrets. «Their targeting spans the crypto supply chain, from staking platforms, to exchange software providers, to the exchanges themselves,» Ctrl-Alt-Intel said. The threat intelligence firm has assessed the activity with moderate confidence to be aligned with North Korean cryptocurrency theft operations.
  • India Extends SIM-Binding Mandate —The Indian government has extended its SIM-binding mandate through December 31, 2026, while shelving plans to require messaging apps to forcibly log out web-based sessions like WhatsApp Web every six hours. The decision comes after the Broadband India Forum, which represents Meta and Google, warned the Department of Telecommunications (DoT) that the directions were unconstitutional. Under the framework announced in November 2025, a messaging app account would be tied exclusively to the physical SIM card during registration. This meant that users could access their messages and other content only when that SIM is present in the device. Companies were given 90 days (i.e., until the end of February 2026) to comply. While SIM binding has been proposed as a way to combat spammers and cross‑border fraud, the move has raised feasibility and user experience concerns. According to Moneycontrol, WhatsApp is said to be beta testing SIM binding on Android.
  • Russian Threat Actors Looking to Regain Access Through Compromised Infrastructure —Russian threat actors like APT28 and Void Blizzard are attempting to regain access to computer systems they previously compromised to check if access is still available and whether the obtained credentials remain valid, CERT-UA has warned. «Unfortunately, these attempts sometimes succeed if the root cause of the initial incident has not been completely eliminated,» the agency said.
  • OkCupid Settles with FTC for Privacy Violations —OkCupid and its owner, Match Group, reached a settlement with the U.S. Federal Trade Commission over allegations that it did not inform its customers that nearly three million user photos were shared with Clarifai, a company that develops AI systems to identify and analyze images and videos. The complaint also accused the dating site of sharing users’ location information and other details without their consent. As part of the settlement, OkCupid and Match did not admit or deny the allegations but agreed to a permanent prohibition that prevents them from misrepresenting how they use and share personal data.
  • New Android Malware Mirax Advertised —A sophisticated new Android banking trojan named Mirax is being advertised as a private malware-as-a-service (MaaS) offering for up to $2,500 per month. The malware enables customers to gain remote control over devices and includes specialized overlays for more than 700 different financial applications to steal credentials and other sensitive information. It can also capture keystrokes, intercept SMS messages, record lock screen patterns, and use the infected device as a SOCKS5 proxy.
  • Venom Stealer Spreads via ClickFix —A new malware-as-a-service (MaaS) platform dubbed Venom Stealer is being sold on cybercrime forums as a subscription ($250/month to $1,800 for lifetime access). It’s marketed as «the Apex Predator of Wallet Extraction.» Unlike other stealers, it automates credential theft and enables continuous data exfiltration. «It builds ClickFix social engineering directly into the operator panel, automates every step after initial access, and creates a continuous exfiltration pipeline that does not end when the initial payload finishes running,» BlackFog said. The development coincides with a new ClickFix variant that replaces PowerShell with a «rundll32.exe» command to download a DLL from an attacker-controlled WebDAV resource. The attack leads to the execution of a secondary loader called SkimokKeep, which then downloads additional payloads, while incorporating anti-sandboxing and anti-debugging mechanisms. In the meantime, recent ClickFix campaigns have also leveraged searches for installation tutorials for OpenClaw, Claude, and other AI tools, as well as for common macOS issues to push stealer malware like MacSync.
  • More Information Stealers Spotted —Speaking of stealers, recent campaigns have also been observed using procurement-themed email lures and fake Homebrew install guides served via sponsored search results to deliver Phantom Stealer and SHub Stealer. Some other newly discovered infostealer malware families include Storm, MioLab, and Torg Grabber. In a related development, CyberProof said it observed a surge in PXA Stealer activity targeting global financial institutions during Q1 2026. Another malware that has gained notoriety is BlankGrabber, which is distributed through social engineering and phishing campaigns. Data gathered by Flare shows that a single stealer log can be devastating, with individual logs containing up to 1,381 pieces of personally identifiable information. In an analysis published by Whiteintel last month, the company found that a single careless download of cracked software by one employee can hand criminal groups direct access to an entire corporate network in under two days. «An employee downloads cracked software on Tuesday afternoon,» it said. «By Thursday morning, their credentials are listed on the Russian Market for $15. Corporate VPN access, AWS credentials, session tokens that bypass MFA – all packaged and ready for purchase.»
  • Phishing Campaign Targets Philippine Banking Users —An ongoing phishing campaign targeting major banks in the Philippines is using email phishing via compromised accounts as the initial vector to harvest online banking credentials and one-time passwords (OTPs) for financial fraud. According to Group-IB, the campaign began in early 2024, distributing over 900 malicious links as part of the coordinated scheme. Clicking on the link embedded in the email message triggers a redirection chain that uses trusted services like Google Business, AMP CDN, Cloudflare Workers, and URL shorteners before taking the victims to the final landing page. «The campaign enables real-time financial fraud by bypassing MFA mechanisms through the theft of valid One-Time Passwords (OTP), allowing attackers to perform unauthorized fund transfers,» the company said. «Telegram bots were used as exfiltration channels, enabling threat actors to automatically collect victims’ login information in real time.» The activity has been attributed to a threat group called PHISLES.
  • Chrome Extension Harvests ChatGPT Conversations —A malicious Chrome extension, named «ChatGPT Ad Blocker» (ID: ipmmidjikiklckbngllogmggoofbhjikgb), found on the Chrome Web Store masquerades as an ad-blocking tool for the AI chatbot, but contains functionality to «steal the user’s ChatGPT conversations data by systematically copying the HTML page and sending it to a webhook on a private Discord channel,» DomainTools said.
  • Iran Conflict Triggers Espionage Activity in Middle East —In the aftermath of the U.S.-Israel-Iran conflict, Proofpoint said it has recorded an increase in campaigns from state-sponsored threat actors likely affiliated with China (UNK_InnerAmbush, which uses phishing emails to deliver Cobalt Strike payload), Belarus (TA473, which has used HTML attachments in emails for reconnaissance), Pakistan (UNK_RobotDreams, which has sent spear-phishing emails to India-based offices of Middle East government entities to deliver a Rust backdoor), and Hamas (TA402, which has used compromised Iraq government email addresses to conduct Microsoft account credential harvesting) targeting Middle East government organizations. The enterprise security company said it also identified the Charming Kitten actor targeting a think tank in the U.S. to trick recipients into entering their Microsoft account credentials. One activity cluster that remains unattributed is UNK_NightOwl. The email messages include a domain that spoofed Microsoft OneDrive, leading the victim to a credential harvesting page. If the user enters credentials and clicks the sign-in button, the target is redirected to «hxxps://iran.liveuamap[.]com/,» a legitimate open-source platform called Liveuamap with news updates on the Middle East conflict.
  • U.K. Warns of Messaging App Targeting —The U.K. National Cyber Security Centre (NCSC) became the latest cybersecurity agency to warn of malicious activity from messaging apps like WhatsApp, Messenger, and Signal, where threat actors could trick high-risk individuals into sharing their login or account recovery codes, or linking an attacker-controlled device under their accounts.
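The device code phishing item above describes the defining shape of the abuse: the attacker's application requests the device code, the victim completes the authorization on their own connection, and the token is then minted for the requester. That shape is something a defender can look for in the identity provider's logs. The script below is an added example, not part of the bulletin or of any vendor's detection content: it correlates the three stages of each device-code flow by `device_code` and flags flows where the token was issued to a client IP different from the IP the user authorized from. The log lines are constructed in a generic JSON-lines shape, not any real provider's schema, and the field names are assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed sign-in events (generic shape, not a vendor log format). Addresses are
# RFC 5737 documentation ranges. Flow A1 is a normal sign-in; flow B2 shows the
# phishing pattern: requested from one address, authorized by the user from another.
SAMPLE_LOG = """
{"ts": "2026-03-02T09:00:01Z", "event": "device_code_requested", "device_code": "A1", "client_id": "mail-client", "ip": "198.51.100.7"}
{"ts": "2026-03-02T09:00:40Z", "event": "user_authorized", "device_code": "A1", "user": "alice", "ip": "198.51.100.7"}
{"ts": "2026-03-02T09:00:45Z", "event": "token_issued", "device_code": "A1", "client_id": "mail-client", "ip": "198.51.100.7"}
{"ts": "2026-03-02T11:12:03Z", "event": "device_code_requested", "device_code": "B2", "client_id": "mail-client", "ip": "203.0.113.44"}
{"ts": "2026-03-02T11:12:58Z", "event": "user_authorized", "device_code": "B2", "user": "bob", "ip": "192.0.2.19"}
{"ts": "2026-03-02T11:13:02Z", "event": "token_issued", "device_code": "B2", "client_id": "mail-client", "ip": "203.0.113.44"}
""".strip()


def parse_events(text):
    """Parse JSON-lines into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate_flows(events):
    """Group the request / authorization / token stages of each flow by device_code."""
    flows = defaultdict(dict)
    for event in events:
        flows[event["device_code"]][event["event"]] = event
    return dict(flows)


def flag_suspicious(flows):
    """Return [(device_code, user, token_ip, authorization_ip)] for flows whose token went
    to a requester at a different address than the one the user authorized from."""
    hits = []
    for code, stages in flows.items():
        req = stages.get("device_code_requested")
        auth = stages.get("user_authorized")
        tok = stages.get("token_issued")
        if not (req and auth and tok):
            continue  # incomplete flow: nothing was issued, or logs are still arriving
        if tok["ip"] != auth["ip"]:
            hits.append((code, auth["user"], tok["ip"], auth["ip"]))
    return hits


if __name__ == "__main__":
    for code, user, token_ip, auth_ip in flag_suspicious(correlate_flows(parse_events(SAMPLE_LOG))):
        print(f"flow {code}: token for {user} issued to {token_ip}, but {user} authorized from {auth_ip}")
```

Treat the mismatch as a triage signal rather than a verdict: legitimate device-code use (a CLI on a server, a smart TV) also completes on a second device with a different address, so enrich the two IPs with ASN and geography before acting. The more durable fix is on the policy side: disable the device authorization grant for users and applications that have no need for it, and require the remaining uses to come from expected networks.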
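GreyNoise's recommendation in the residential-proxy item, shifting detection from where traffic comes from to what it does, is easiest to see on a small access log. The example below is added here and is not GreyNoise's tooling or code from the bulletin: it ignores source reputation entirely and labels a session as scanning when it probes many distinct paths that mostly do not exist, which is the reconnaissance pattern the item describes. The access records are constructed; both clients sit on addresses that no IP feed would have flagged, and the thresholds are assumptions to tune against your own baseline.

```python
# Constructed access records: session_id, client_ip, method, path, status.
# Both addresses are RFC 5737 documentation ranges standing in for consumer IPs.
SAMPLE_ACCESS_LOG = """
s1 198.51.100.7 GET /index.html 200
s1 198.51.100.7 GET /static/app.js 200
s1 198.51.100.7 GET /api/me 200
s1 198.51.100.7 GET /api/orders 200
s2 203.0.113.9 GET /.env 404
s2 203.0.113.9 GET /wp-login.php 404
s2 203.0.113.9 GET /admin/config.php 404
s2 203.0.113.9 GET /.git/config 404
s2 203.0.113.9 GET /index.html 200
""".strip()


def parse_access_log(text):
    """Parse the whitespace-separated records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        session, ip, method, path, status = line.split()
        records.append({"session": session, "ip": ip, "method": method,
                        "path": path, "status": int(status)})
    return records


def session_stats(records):
    """Per-session behaviour counters; deliberately says nothing about who the IP is."""
    stats = {}
    for rec in records:
        s = stats.setdefault(rec["session"], {"ip": rec["ip"], "requests": 0,
                                              "paths": set(), "not_found": 0})
        s["requests"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == 404:
            s["not_found"] += 1
    return stats


def classify_sessions(stats, min_requests=4, not_found_ratio=0.5):
    """Label a session 'scanning' when it touches at least `min_requests` distinct paths
    and at least `not_found_ratio` of its requests miss; everything else is 'browsing'."""
    labels = {}
    for session, s in stats.items():
        ratio = s["not_found"] / s["requests"]
        probing = (s["requests"] >= min_requests
                   and len(s["paths"]) >= min_requests
                   and ratio >= not_found_ratio)
        labels[session] = "scanning" if probing else "browsing"
    return labels


if __name__ == "__main__":
    stats = session_stats(parse_access_log(SAMPLE_ACCESS_LOG))
    for session, label in classify_sessions(stats).items():
        s = stats[session]
        print(f"{session} ({s['ip']}): {label}, {s['requests']} requests, "
              f"{s['not_found']} not found")
```

Because the score attaches to the session and not to the address, it survives the rotation the item describes: the next session from a fresh residential IP is judged on its own requests. Pairing this with a client fingerprint, as GreyNoise suggests, lets the label follow the operator across rotations instead of resetting with every new IP.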

🔧 Cybersecurity Tools

  • Dev Machine Guard → It is an open-source script that scans a developer machine to list installed tools and detect security risks across IDEs, AI agents, extensions, and configurations, without accessing source code or secrets, helping expose gaps traditional tools miss in developer environments.
  • Pius → It is an open-source tool that maps a company’s external attack surface by discovering and cataloging internet-facing assets, helping security teams identify exposure and reconnaissance risks that could be targeted by attackers.

Disclaimer: For research and educational use only. Not security-audited. Review all code before use, test in isolated environments, and ensure compliance with applicable laws.

Conclusion

The lesson is simple. Small things matter. Most issues now start from normal parts of the system, not big, obvious gaps.

Don’t trust anything just because it looks routine. Updates, tools, and background systems can all be used in the wrong way. If it seems low risk, check it again. That’s where the problems are starting now.

Apple sends lock-screen alerts to outdated iPhones about active web-based exploits

Apple is now sending lock-screen notifications to iPhones and iPads running older versions of iOS and iPadOS to warn users about web-based attacks and urge them to install the update.

The development was first reported by MacRumors.

«Apple is aware of attacks targeting outdated iOS software, including the version on your iPhone. Install this critical update to protect your iPhone,» reads the notification issued by Apple.

The development comes a week after Apple published a support document asking users running older versions of iOS and iPadOS to update their devices following the discovery of new iOS exploit kits such as Coruna and DarkSword.


Multiple threat actors with varied motivations have been found to have leveraged these kits over the past year to deliver malicious payloads when unsuspecting users visit a compromised website. While Coruña targets iOS versions between 13.0 and 17.2.1, DarkSword is designed for iPhones running iOS versions between 18.4 and 18.7.

A new report from Kaspersky this week found that the Coruna exploit kit is an evolution of the framework used in Operation Triangulation, a sophisticated campaign that targeted iPhones through zero-click iMessage exploits. It first came to light in June 2023.

«Coruña is not a patchwork of public exploits; it is a continuously maintained evolution of the original Operation Triangulation framework,» the Russian cybersecurity vendor said.

It is currently not known how the two kits ended up in the hands of various threat actors and cybercriminals, but recent research has raised the possibility of an active market for second-hand zero-day exploits.

The emergence of these kits, together with the leak of a newer version of DarkSword, has raised concerns that they could democratize access to exploits once reserved for nation-states, potentially turning them into tools for mass exploitation. In the process, they risk turning iPhones and iPads into a larger attack surface than they are today.


Users who cannot update to a supported version are advised to consider enabling Lockdown Mode, where available, to protect against malicious web content. Lockdown Mode was introduced in 2022 and is available on devices running iOS 16 and later.

In a statement shared with TechCrunch, Apple said: «We are not aware of any successful mercenary spyware attack against an Apple device with Lockdown Mode enabled.»

FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More

ThreatsDay Bulletin is back on The Hacker News, and this week feels off in a familiar way. Nothing loud, nothing breaking everything at once. Just a lot of small things that shouldn’t work anymore but still do.

Some of it looks simple, almost sloppy, until you see how well it lands. Other bits feel a little too practical, like they’re already closer to real-world use than anyone wants to admit. And the background noise is getting louder again, the kind people usually ignore.

A few stories are clever in a bad way. Others are just frustratingly avoidable. Overall, it feels like quiet pressure is building in places that matter.

Skim it or read it properly, but don’t skip this one.

Some of this will fade by next week. Some of it won’t. That’s the annoying part, figuring out which “minor” thing quietly sticks around and turns into a real problem later.

Anyway, that’s the rundown. Take what you need, ignore what you can, and keep an eye on the stuff that feels a little too easy.

Possible U.S.-developed exploits linked to first known 'mass' attack on iOS

An exploit kit that may have originated from a leaked U.S. government framework is behind what researchers are calling the first large-scale attack against iOS, the operating system of Apple's iPhones.

Traces of the exploits, found in the work of Chinese cybercriminals, have also been detected in Russian attacks on Ukraine and used by a customer of a spyware vendor.

Those conclusions come from two investigations that Google's Threat Intelligence Group and iVerify published separately on Tuesday. Rocky Cole, co-founder of iVerify, said it represented a potential «EternalBlue moment,» echoing the exploitation software that escaped from the National Security Agency to fuel the global WannaCry ransomware and NotPetya attacks in 2017.

Google said the so-called Coruña exploit kit that is the subject of Tuesday's research «provides another example of how sophisticated capabilities proliferate,» as it wrote in a blog post about the zero-day exploits, meaning those not previously disclosed or patched.

«It is unclear how this proliferation occurred, but it suggests an active market for 'second-hand' zero-day exploits,» Google wrote. «Beyond these identified exploits, multiple threat actors have acquired advanced exploitation techniques that can be reused and modified with newly identified vulnerabilities.»

iVerify said: «While iVerify has some evidence that this tool is a leaked U.S. government framework, that should not overshadow the understanding that these tools will find their way into the wild and be used unscrupulously by bad actors.»

Last week, a U.S. court sentenced a former L3Harris executive to prison for selling zero-day exploits to a Russian broker.

Both Google and iVerify connected the exploit kit to Operation Triangulation, which Russian cybersecurity firm Kaspersky said in 2023 had targeted the company, and which the Russian government attributed to the U.S. government. The NSA declined to comment on that accusation.

An Apple spokesperson did not respond to a request for comment Tuesday afternoon. Apple issued several patches in response to Operation Triangulation and worked with Google on the most recent investigation.

Spencer Parker, chief product officer at iVerify, said the attack affected at least 42,000 devices, a "huge number" for iOS even if it seems small for other platforms. That number has the potential to grow as researchers dig deeper into the technical details, Cole said.

Other signs point to the exploit kit having been developed in the United States, Cole said.

"The code base for the framework and the exploits was excellent," he said. "It was elegantly written. It's fluent and very well maintained. There were comments in the code that, as someone who has been in the U.S. defense industrial base for years, really recall the kind of jokes and inside comments you might see from a U.S.-based coder. They were definitely native English speakers."

Google said it tracked use of the exploit kit over the past year in operations ranging from an unnamed customer of a surveillance vendor to attacks on Ukrainian users by a suspected Russian espionage group, before recovering the full exploit kit from a financially motivated group operating out of China.

Apple security researcher Patrick Wardle remarked on the social media site X about the Coruna research: "Turns out even the humblest cybercriminals were (ab)using 0days to hack Apple devices."

Written by Tim Starks

Tim Starks is a senior reporter at CyberScoop. His previous stops include The Washington Post, POLITICO and Congressional Quarterly. A native of Evansville, Indiana, he has covered cybersecurity since 2003. Email Tim here: tim.starks@cyberscoop.com.

Former L3Harris executive sentenced to 87 months in prison for selling zero-day exploits to a Russian broker

A former L3Harris executive was sentenced to more than seven years in prison on Tuesday after pleading guilty to selling eight zero-day exploits to a Russian broker in exchange for millions of dollars.

Peter Williams, 39, admitted to two counts of theft of trade secrets in U.S. District Court in Washington, D.C., last year, acknowledging that he took at least eight exploits or exploit components while working at Trenchant, a specialized cybersecurity unit owned by L3Harris. Prosecutors said the materials were intended for restricted use by the U.S. government and its allied partners.

Authorities said Williams sold the stolen information to a broker that advertised itself as a reseller of hacking tools and described itself as serving multiple customers, including the Russian government. In court, the government referred to the buyer as "Company 3," but details read aloud during the plea hearing pointed to Operation Zero, a Russian exploit broker that publicly markets itself online as a platform for buying zero-day vulnerabilities.

Additionally, Operation Zero was one of two zero-day brokerages sanctioned by the U.S. Treasury in a separate announcement made Tuesday.

Prosecutors said Williams used his access at Trenchant over roughly three years to obtain proprietary materials and entered into several agreements with the broker, receiving payment in cryptocurrency. Authorities said he used the proceeds to buy luxury items. The Justice Department has estimated that the theft caused $35 million in losses to the contractor, while prosecutors said Williams earned $1.3 million tied to the sales and should be ordered to pay that amount in restitution.

Williams's background added another layer that was noted in court. Prosecutors said he previously worked at the Australian Signals Directorate, Australia's foreign signals intelligence agency. Trenchant's origins are also part of the record: it was formed after L3Harris acquired Azimuth Security and Linchpin Labs, Australian firms associated with exploit development.

Neither Trenchant nor L3Harris is accused of wrongdoing in the criminal case.

A hearing on further restitution related to the $35 million in losses is scheduled for May.

Written by Greg Otto

Greg Otto is the editor-in-chief of CyberScoop and oversees all editorial content on the website. Greg has led cybersecurity coverage that has won several awards, including from the Society of Professional Journalists and the American Society of Business Publication Editors. Before joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He holds a bachelor's degree in broadcast journalism from Temple University.