Zero-day ransomware exploits 🔴, iOS exploit chain 📱, credential phishing 🎣, critical infrastructure targeting 🏥
Daily Threat Intel Digest - 2026-03-21
🔴 Critical Threats & Active Exploitation
[NEW] Critical unauthenticated RCE discovered in Ubiquiti UniFi Network Application A maximum-severity path-traversal vulnerability (CVE-2026-22557) has been identified in Ubiquiti’s UniFi Network Application. It lets an unauthenticated attacker read and manipulate files on the controller and, from there, take over user accounts. Rated CVSS 10.0, the flaw affects the software used to manage networking gear such as access points, gateways, and switches. With roughly 88,000 instances publicly exposed to the internet (about one-third in the United States), the attack surface is significant. Ubiquiti has released patches; defenders should apply them quickly and remove controller UIs from direct internet exposure, since the low complexity of the bug makes exploitation trivial to automate once the vulnerable endpoint is identified. [CyberScoop]
[NEW] Oracle pushes emergency fix for critical Identity Manager RCE flaw Oracle has released an out-of-band security update to address a critical unauthenticated remote code execution vulnerability (CVE-2026-21992) in Oracle Identity Manager and Web Services Manager. The flaw, which carries a CVSS v3.1 severity score of 9.8, is remotely exploitable over HTTP without requiring user interaction or authentication. Oracle is strongly recommending that customers apply the updates immediately; patches are available for versions 12.2.1.4.0 and 14.1.2.1.0 of both products, while older unsupported versions remain vulnerable. [BleepingComputer; Canadian Centre for Cyber Security]
[UPDATE] DarkSword iOS exploit chain expands scope with “hit-and-run” tactics New intelligence reveals the “DarkSword” iOS exploit chain affects up to 270 million devices running iOS 18.4 through 18.7, significantly widening the risk beyond initial estimates. The chain is now confirmed to be used by at least three distinct groups: UNC6748 (targeting Saudi Arabia), the Turkish vendor PARS Defense, and UNC6353 (a suspected Russian group targeting Ukraine). Unlike traditional persistent spyware, DarkSword follows a “hit-and-run” model, exfiltrating data within seconds or minutes and then deleting itself to frustrate forensic analysis, so defenders should not expect to find a resident implant and should instead look for the short-lived network activity and the delivery infrastructure. Technical analysis also points to poor OPSEC by actors such as UNC6353, who appear to be using large language models (LLMs) to bridge technical gaps, as evidenced by AI-generated web templates and leftover debug code in their payloads. [SocFortress]
[UPDATE] Cisco FMC zero-day exploited as ransomware gateway since January The Interlock ransomware gang exploited a critical zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC) from the end of January 2026, more than a month before Cisco released a patch. The vulnerability allows an unauthenticated remote attacker to execute arbitrary Java code as root on the management appliance. Following confirmation of active exploitation, CISA added the flaw to the Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to patch by March 22, 2026. Private organizations are urged to treat the directive with equal urgency given the active ransomware campaigns leveraging the bug, and to review FMC hosts that were exposed before patching for signs of compromise rather than assuming the patch alone resolves the incident. [BleepingComputer]
[UPDATE] SharePoint Server RCE added to CISA KEV amid active exploitation A critical deserialization vulnerability (CVE-2026-20963) in Microsoft SharePoint Server has been added to CISA’s Known Exploited Vulnerabilities Catalog following confirmed observations of active exploitation. The flaw allows an unauthenticated remote attacker to execute code over the network and impacts multiple versions of SharePoint Server, including Enterprise Server 2016, Server 2019, and Subscription Edition. Organizations are urged to upgrade to fixed versions immediately, particularly for on-premises instances exposed to the internet. [Canadian Centre for Cyber Security]
🎯 Threat Actor Activity & Campaigns
[NEW] Russian intelligence services target Signal via device-linking phishing Russian intelligence-linked threat actors are conducting a widespread phishing campaign against users of encrypted messaging apps, predominantly Signal, to hijack accounts and sidestep end-to-end encryption. The FBI and CISA stress that the attacks do not break the encryption; instead they manipulate users into linking an attacker-controlled device to their account, or into sharing verification codes with impersonated support accounts. Targets include individuals of high intelligence value such as government officials, military personnel, and journalists. Once linked, the attacker’s device receives messages as a legitimate endpoint, so the attacker can read messages, harvest contact lists, and impersonate victims to launch further phishing. High-value users should periodically review Signal’s Linked Devices list and unlink anything they do not recognize. [BleepingComputer; CyberScoop]
[NEW] PureLog Stealer campaign targets critical infrastructure with copyright lures Threat actors are distributing the PureLog Stealer through a multi-stage campaign disguised as localized copyright-violation notices. The operation heavily targets healthcare, government, and education in countries including the US, Germany, and Australia. The infection chain relies on fileless execution and encrypted payloads fetched dynamically from attacker-controlled infrastructure, including a renamed WinRAR binary disguised as a PNG image. Before exfiltrating browser credentials, cryptocurrency wallets, and system information, the malware patches the Windows Antimalware Scan Interface (AMSI) in memory so that script content handed to AmsiScanBuffer is never inspected. [CyberPress; GBHackers]
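The in-memory AMSI patch described above is a well-known evasion, and a practitioner can check for it directly. The following is an added example, not code from the digest, from CyberPress/GBHackers, or from any PureLog sample: it compares the first bytes of AmsiScanBuffer against byte patterns that public AMSI-bypass tradecraft writes there, and can read those bytes from the live amsi.dll on Windows. The pattern list, the byte strings used as sample input, and the eight-byte prologue length are assumptions of this example.

```python
"""
Added example: a user-mode integrity check for amsi.dll!AmsiScanBuffer.
The KNOWN_PATCHES table and the sample prologues are constructed from public
AMSI-bypass tradecraft; they are not indicators from the PureLog campaign.
"""
import ctypes
import sys
from typing import Optional

# Byte sequences that common in-memory patches place at the start of
# AmsiScanBuffer. A genuine x64 prologue starts with a mov (e.g. 4C 8B DC),
# never with a ret, an xor/ret or a jmp.
KNOWN_PATCHES = {
    "ret-E_INVALIDARG": bytes.fromhex("b857000780c3"),  # mov eax,0x80070057 ; ret
    "xor-eax-ret":      bytes.fromhex("31c0c3"),         # xor eax,eax ; ret
    "ret-only":         bytes.fromhex("c3"),             # ret
    "jmp-hook":         bytes.fromhex("e9"),             # jmp rel32 (hook or detour)
}


def amsi_patch_verdict(prologue: bytes) -> Optional[str]:
    """Return the name of the matching patch, or None if the prologue looks intact.

    'jmp-hook' is returned for any detour; an EDR may legitimately hook the
    function, so attribute the jump target before calling it malicious.
    """
    for name, pattern in KNOWN_PATCHES.items():
        if prologue.startswith(pattern):
            return name
    return None


def read_amsi_prologue(length: int = 8) -> bytes:
    """Read the first `length` bytes of AmsiScanBuffer in the current process.

    Only meaningful on Windows, and only for the process it runs in: an AMSI
    patch is per-process, so run this inside the host you are assessing
    (for example from a PowerShell or scripting host under suspicion).
    """
    if sys.platform != "win32":
        raise RuntimeError("AMSI is only present on Windows")
    kernel32 = ctypes.windll.kernel32
    kernel32.LoadLibraryW.argtypes = [ctypes.c_wchar_p]
    kernel32.LoadLibraryW.restype = ctypes.c_void_p
    kernel32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    kernel32.GetProcAddress.restype = ctypes.c_void_p
    hmod = kernel32.LoadLibraryW("amsi.dll")
    if not hmod:
        raise RuntimeError("amsi.dll could not be loaded")
    addr = kernel32.GetProcAddress(hmod, b"AmsiScanBuffer")
    if not addr:
        raise RuntimeError("AmsiScanBuffer export not found")
    return ctypes.string_at(addr, length)


# Constructed sample prologues for offline use: an intact x64 prologue and
# the two patches most often seen in commodity stealers.
SAMPLE_INTACT = bytes.fromhex("4c8bdc49895b08")
SAMPLE_PATCHED = bytes.fromhex("b857000780c3909090")

if __name__ == "__main__":
    if sys.platform == "win32":
        print("live verdict:", amsi_patch_verdict(read_amsi_prologue()))
    else:
        print("intact sample:", amsi_patch_verdict(SAMPLE_INTACT))
        print("patched sample:", amsi_patch_verdict(SAMPLE_PATCHED))
```

Because the patch lives only in the memory of the process that applied it, this check is most useful as a hunting heuristic run inside script hosts or from an EDR that can read other processes; a second, version-independent approach is to compare the in-memory bytes with the same offset in amsi.dll on disk.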
🛡️ Defense & Detection
[UPDATE] Tycoon2FA Phishing-as-a-Service platform persists following takedown Despite earlier law enforcement efforts to dismantle its infrastructure, the Tycoon2FA Phishing-as-a-Service (PaaS) platform remains operational. The service continues to enable adversary-in-the-middle (AiTM) attacks: the kit proxies the victim’s session to the real identity provider, relays the password and MFA prompt in real time, and captures the session cookie the provider issues after MFA succeeds, so the operator can replay that cookie without ever being challenged. The persistence of Tycoon2FA highlights the resilience of the cybercrime ecosystem and the need for continuous monitoring of phishing infrastructure and sign-in telemetry rather than reliance on a single takedown. [CrowdStrike]
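Two sign-in-log heuristics that surface the cookie theft an AiTM kit performs are shown in the added example below. It is not CrowdStrike’s or the digest’s code; the record layout, the ASN enrichment, the one-hour window and the per-user ASN baseline are assumptions, and the sign-in events are constructed sample data.

```python
"""
Added example: detect AiTM session-cookie theft in identity-provider sign-in logs.
Everything below (record schema, ASN labels, baseline, events) is constructed
for illustration and is not data from any real tenant.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class SignIn:
    ts: datetime         # time the identity provider saw the request
    user: str
    session_id: str      # id of the session cookie / refresh token issued
    ip: str
    asn: int             # autonomous system of the source IP (assumed pre-enriched)
    mfa_satisfied: bool  # True when this request completed an MFA challenge


def detect_aitm(events: List[SignIn],
                baseline_asns: Dict[str, Set[int]],
                window: timedelta = timedelta(hours=1)) -> List[Tuple[str, str, str]]:
    """Return (rule, user, session_id) findings.

    'mfa-from-new-asn': an MFA-satisfied sign-in arrives from an ASN the user
    has never used. With AiTM the kit's proxy, not the victim's device, completes
    the login, and its hosting network is rarely in a user's baseline.

    'cookie-replay': the same session id is presented from two different ASNs
    inside `window`. The proxy obtains the cookie from one network and the
    operator replays it from another.
    """
    findings: List[Tuple[str, str, str]] = []
    by_session: Dict[str, List[SignIn]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(e.session_id, []).append(e)
        if e.mfa_satisfied and e.asn not in baseline_asns.get(e.user, set()):
            findings.append(("mfa-from-new-asn", e.user, e.session_id))
    for sid, evs in by_session.items():
        first = evs[0]
        for later in evs[1:]:
            if later.asn != first.asn and later.ts - first.ts <= window:
                findings.append(("cookie-replay", first.user, sid))
                break
    return findings


# Constructed sample: alice is phished through a kit proxy in AS64500 and the
# operator replays her cookie from AS64511 seven minutes later. bob's session
# stays on his usual network.
T0 = datetime(2026, 3, 21, 9, 0)
SAMPLE_EVENTS = [
    SignIn(T0, "alice", "S1", "203.0.113.10", 64500, True),
    SignIn(T0 + timedelta(minutes=7), "alice", "S1", "198.51.100.7", 64511, False),
    SignIn(T0, "bob", "S2", "192.0.2.5", 64496, True),
    SignIn(T0 + timedelta(minutes=30), "bob", "S2", "192.0.2.5", 64496, False),
]
SAMPLE_BASELINE = {"alice": {64496}, "bob": {64496}}

if __name__ == "__main__":
    for rule, user, sid in detect_aitm(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(f"{rule}: user={user} session={sid}")
```

Both rules produce false positives for users who roam between mobile and office networks, so tune the window and pair the alert with device-compliance signals. The durable fix is phishing-resistant MFA such as FIDO2/passkeys, whose credentials are bound to the legitimate origin and cannot be relayed through a proxy domain.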
[NEW] Microsoft releases CTI-REALM benchmark for AI detection engineering Microsoft has open-sourced CTI-REALM, a benchmark for evaluating how well AI agents turn cyber threat intelligence (CTI) into detection rules. Unlike earlier benchmarks that test recall of security knowledge, CTI-REALM measures the end-to-end workflow: an agent must read a threat report, explore the available telemetry, and produce Sigma rules and KQL queries that are then validated against that telemetry. Initial results indicate that although models such as Anthropic’s Claude lead, cloud-focused detections remain a significant weak spot for AI-generated rules. [Microsoft Security Blog]
🏛️ Policy & Industry News
[UPDATE] FBI seizes Iran-linked MOIS leak sites after Handala attack The FBI and the Justice Department have seized four domains allegedly tied to Iran’s Ministry of Intelligence and Security (MOIS) and linked to the “Handala” operation. The group was previously responsible for a disruptive attack on Stryker in which devices were wiped using abused Microsoft Intune privileges. The seizure connects these sites to other Iran-linked activity, including the 2022 attacks on Albania, and disrupts the actor’s ability to leak stolen data. [Cyberwarzone]
[UPDATE] Three men sentenced for facilitating North Korean IT worker scheme Three American men have been sentenced for their roles in a scheme that gave North Korean IT workers remote access to U.S. company networks. The trio facilitated over $1.28 million in fraudulent salary payments by hosting company-issued laptops at their homes and taking drug tests on behalf of the remote operatives. The sentences range from probation to one year in prison, reflecting ongoing legal efforts to cut off the revenue streams that fund North Korean state-sponsored activity. [CyberScoop]
[NEW] Operation Alice takes down 373,000 fake CSAM sites An international law enforcement action led by Germany and supported by Europol has dismantled “Alice with Violence CP,” a dark web platform hosting over 373,000 sites that advertised fake child sexual abuse material (CSAM) packages. The platform, operated by a suspect in China, defrauded users of roughly $400,000 by promising illegal content that was never delivered. Authorities have identified 440 buyers across 23 countries for further investigation. [BleepingComputer]
⚡ Quick Hits
- Insider Breach: Weill Cornell Medicine disclosed that an insider accessed the electronic medical records of 516 patients without authorization. [DataBreaches]
- Ransomware OpSec Fail: The Beast ransomware group inadvertently exposed its entire toolset after hosting an open server on a German cloud provider, revealing TTPs shared with other gangs. [DataBreaches]
- UK Precedent: The UK’s cyber watchdog warned that the government’s £1.5 billion bailout of Jaguar Land Rover (JLR) following a cyber incident sets a troubling precedent for handling major cyber crises. [DataBreaches]