Daily Threat Intel Digest - 2026-03-07

🔴 Critical Threats & Active Exploitation

[NEW] Claude AI Discovers 22 Firefox Vulnerabilities in 14 Days
Anthropic’s Claude Opus 4.6 identified 22 novel Firefox vulnerabilities during a two-week period in February 2026, accounting for nearly 20% of all high-severity Firefox flaws fixed in the previous year. Mozilla deployed fixes for most issues in Firefox 148.0 after validating 112 crash reports, with 14 classified as high-severity including a Use-After-Free memory corruption flaw. While AI-generated exploits remained crude and ineffective against real-world sandbox protections, researchers developed functional exploits in two test cases at $4,000 in API costs, demonstrating accelerating automated vulnerability research capabilities [Cyberpress; GBHackers].

[NEW] Fake Google Meet Updates Enroll Devices in Attacker MDM
Attackers are distributing phishing pages impersonating Google Meet update notifications that use Windows’ ms-device-enrollment URI scheme to hijack device management. A single click triggers native Windows enrollment dialogs pointing to attacker-controlled MDM servers on legitimate platforms like Esper, granting full device control including software installation, data access, and remote wiping. The campaign bypasses traditional security detection by abusing legitimate OS features rather than deploying malware, with no credential theft required [Malwarebytes Blog].

[UPDATE] Coruna iOS Exploit Kit Added to CISA KEV List
CISA has added three iOS vulnerabilities from the Coruna exploit kit to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by March 26. The kit contains 23 exploits and five full chains affecting iOS 13.0-17.2.1, with GTIG tracking its proliferation from nation-state espionage (Operation Triangulation) through Russian APT UNC6353 to Chinese financially-motivated UNC6691 using fake crypto sites. While Apple addressed core flaws in iOS 17.3, the scale (42,000+ devices) and sophistication highlight government-grade exploits entering criminal ecosystems [BleepingComputer; SecurityWeek].

[NEW] pac4j-jwt Authentication Bypass Enables Full Impersonation
CVE-2026-29000 allows unauthenticated attackers to bypass JWT authentication in the pac4j-jwt Java library when processing encrypted JWTs (JWE). By knowing the server’s RSA public key, attackers can impersonate arbitrary users including administrators across deployments using the vulnerable JwtAuthenticator component. The flaw received a maximum severity rating from Arctic Wolf following pac4j’s March 3 patches [Arctic Wolf].

🎯 Threat Actor Activity & Campaigns

[UPDATE] North Korean Groups Operationalize AI Across Attack Lifecycle
Microsoft Threat Intelligence reports Coral Sleet, Sapphire Sleet, and Jasper Sleet are using AI to accelerate fake worker schemes, with Jasper Sleet leveraging generative AI to research job postings, generate tailored personas, and craft professional communications that sustain long-term employment. Actors use AI tools like Faceswap for identity document forgery and prompt models to produce code snippets meeting performance expectations. The research also observes early experimentation with agentic AI for semi-autonomous workflows [Microsoft Security Blog; CyberScoop].

[NEW] DPRK Campaign Steals Crypto Keys via Cloud Exploitation
Suspected North Korean actors exploited the React2Shell vulnerability (CVE-2025-55182) and compromised AWS credentials to target cryptocurrency organizations. Attackers escalated privileges via AWS IAM roles, accessed Kubernetes clusters by modifying kubeconfig files, and exfiltrated Docker images containing proprietary exchange software and secrets. The campaign used VShell and FRP reverse proxies for persistence and leveraged South Korean VPN infrastructure for obfuscation [Cyberpress].

[NEW] Middle East Conflict Drives Multi-Vector Cyber Campaigns
Zscaler ThreatLabz tracks 8,000+ newly registered domains exploiting geopolitical tensions, including: LOTUSLITE backdoor distribution via conflict-themed lures targeting GCC regions; StealC malware delivery through fake news blogs; and credential harvesting sites impersonating US SSA portals and Israeli toll systems. Persian-language code artifacts suggest Iran-aligned involvement in some campaigns. Threat actors also deploy conflict-themed donation scams and meme-coin pump-and-dump schemes [Zscaler].

📋 Policy & Industry News

[NEW] Trump Administration Releases Offensive Cyber Strategy
The White House issued a 7-page national cyber strategy emphasizing “unleashing the private sector” to disrupt adversaries and adopting offensive cyber capabilities. Six pillars include: shaping adversary behavior through offensive operations; securing critical infrastructure with U.S.-made products; sustaining AI and quantum superiority; and building cyber talent. The document references recent operations against Iran’s nuclear infrastructure and Maduro’s capture, while explicitly rejecting “partial measures” of prior administrations. A concurrent executive order combats cybercrime and establishes a fraud victim restoration program [Nextgov/FCW; CyberScoop].

[NEW] Anthropic Exits Pentagon Contracts Over Safety Restrictions
Anthropic ended its DoD partnership after refusing to allow AI use for “mass surveillance” or “fully autonomous weapons,” prompting Defense Secretary Pete Hegseth to label safety provisions “woke.” The administration then barred federal agencies from using Anthropic models and designated the company a supply-chain risk. OpenAI subsequently secured the displaced contracts, vowing to maintain similar safety constraints while working with defense systems [Schneier on Security].

[NEW] Congress Advances Rural Utility Cybersecurity Act
The House Energy Committee unanimously passed legislation reauthorizing the Rural and Municipal Utility Advanced Cybersecurity program with $250 million in funding over five years. The program provides critical cyber assistance to under-resourced electric cooperatives, addressing gaps highlighted by Volt Typhoon’s targeting of energy infrastructure. Companion bills clarify DOE’s cybersecurity leadership role and mandate state-level energy cyber planning [CyberScoop].