Security Alert: Android March 2026 Update Targets Actively Exploited Zero-Day

Google has released its March 2026 Android Security Bulletin, a substantial update addressing 129 vulnerabilities, including at least one actively exploited zero-day. The most critical flaw, CVE-2026-21385, is a high-severity memory corruption vulnerability within a Qualcomm display component, confirmed to be under limited, targeted exploitation and impacting 234 different chipsets due to improper memory allocation. The update is divided into two patch levels: the 2026-03-01 level fixes 63 core Android component vulnerabilities, notably critical Remote Code Execution (CVE-2026-0006) in the System component and Elevation of Privilege (CVE-2026-0047) in the Framework, both exploitable without user interaction. The 2026-03-05 level addresses 66 vulnerabilities in hardware-specific drivers and the Linux kernel, including critical patches for Protected Kernel-Based Virtual Machine (e.g., CVE-2026-0038) and Hypervisor (e.g., CVE-2026-0027). Android users are strongly urged to apply these security updates immediately through their device settings.

Severity: Critical

Threat Details and IOCs

Malware: AstarionRAT, Cl0p, Clop, CryptoMix, Dohdoor, MIMICRAT, PromptSpy, VNCSpy
CVEs: CVE-2024-43859, CVE-2025-2879, CVE-2025-32313, CVE-2025-47394, CVE-2025-48544, CVE-2025-48631, CVE-2026-0006, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, CVE-2026-0031, CVE-2026-0037, CVE-2026-0038, CVE-2026-0047, CVE-2026-21385, CVE-2026-22719
Technologies: Arm, Arm Mali, Google Android, Imagination PowerVR, Imagination Technologies, Linux, MediaTek, Qualcomm, Qualcomm Adreno, Qualcomm Adreno GPUs, Qualcomm Snapdragon, UNISOC, VMware Aria Operations
Threat Actors: APT28
Attacker Countries: Russia
Attacker Emails: gauravsi@qti.qualcomm.com, sbauer@qti.qualcomm.com
Attacker Domains: wellnesscaremed.com
Attacker Hashes: aefd15e3c395edd16ede7685c6e97ca0350a702ee7c8585274b457166e86b1fa
Victim Industries: Automotive, Defense, Financial Services, Government, Healthcare, Internet of Things (IoT), Manufacturing, Public Sector, Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing, Retail, Semiconductors, Technology Hardware, Telecommunications
Victim Countries: Argentina, Armenia, Azerbaijan, Belarus, Czech Republic, France, Georgia, Germany, Kazakhstan, Lithuania, Poland, Slovakia, Sweden, Ukraine, United States

Mitigation Advice

  • Use your Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solution to generate an inventory of all managed Android devices, detailing their current OS patch level and hardware model.
  • Configure your MDM/UEM policy to enforce the immediate installation of the March 2026 Android security update (patch level 2026-03-05 or later) on all managed corporate devices.
  • Send a company-wide security alert to all employees instructing them to manually update their Android devices to the March 2026 security patch level, highlighting the risk from the actively exploited zero-day.
  • Enhance monitoring of network logs for unusual outbound traffic patterns or connections to unknown domains originating from Android devices, which could indicate a successful compromise.

Compliance Best Practices

  • If not already in place, evaluate and deploy a Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solution to enforce security policies on all mobile devices accessing corporate data.
  • Establish a formal mobile device security policy that mandates minimum OS versions and patch levels as a condition for accessing corporate network resources and applications.
  • Implement a Mobile Threat Defense (MTD) solution that integrates with your MDM/UEM to protect against malware, network-based attacks, and vulnerability exploits on Android devices.
  • Design and implement network segmentation to place all mobile devices, including BYOD, on an isolated network with strictly controlled access to sensitive internal resources.
  • Develop and roll out a recurring security awareness training program that includes modules on mobile security hygiene, phishing awareness on mobile platforms, and the importance of timely software updates.

Sources

https://buaq.net/go-398955.html

https://cyberinsider.com/google-patches-actively-exploited-qualcomm-gpu-zero-day-on-android/

https://cyberpress.org/android-security-update-fixes-129-vulnerabilities/

https://cyberveille.esante.gouv.fr/alertes/android-cve-2026-21385-2026-03-03

https://gbhackers.com/cisa-warns-qualcomm-chipsets-memory-corruption-vulnerability/

https://securityboulevard.com/2026/03/high-severity-qualcomm-bug-hits-android-devices-in-targeted-attacks/

https://securityonline.info/cisa-adds-qualcomm-and-vmware-flaws-to-known-exploited-catalog/

https://securityonline.info/security-alert-android-march-2026-update-targets-actively-exploited-zero-day/

https://socprime.com/blog/cve-2026-21386-vulnerability/

https://sploitus.com/exploit?id=A715F13B-C164-537C-864D-1CDDD7A946BC

https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html

https://www.darkreading.com/threat-intelligence/qualcomm-zero-day-exploited-targeted-android-attacks

https://www.helpnetsecurity.com/2026/03/03/android-march-2026-security-patch-cve-2026-21385/

https://www.hendryadrian.com/google-addresses-actively-exploited-qualcomm-zero-day-in-fresh-batch-of-129-android-vulnerabilities/

https://www.malwarebytes.com/blog/news/2026/03/high-severity-qualcomm-bug-hits-android-devices-in-targeted-attacks

https://www.scworld.com/brief/google-patches-129-android-vulnerabilities-including-exploited-zero-day

https://www.techradar.com/pro/security/google-patches-129-android-security-flaws-including-potentially-dangerous-qualcomm-zero-day

https://www.techrepublic.com/article/news-google-android-security-update-129-vulnerabilities/

Cisco Patches Secure Firewall Management Center Software Vulnerabilities (CVE-2026-20079 CVE-2026-20131)

Cisco has released security updates to address two critical-severity vulnerabilities in Secure Firewall Management Center Software. CVE-2026-20131, a Remote Code Execution vulnerability, exists in the web-based management interface due to insecure deserialization of a user-supplied Java byte stream, allowing an unauthenticated, remote attacker to execute arbitrary Java code as root by sending a crafted serialized Java object. CVE-2026-20079, an Authentication Bypass vulnerability, is present in the web interface due to an improperly configured system process, enabling an unauthenticated, remote attacker to bypass authentication and execute script files, thereby obtaining root access to the underlying operating system, by sending crafted HTTP requests. Affected versions include 6.4.0.13 before 7.0.9, 7.0.0 before 7.0.9, 7.1.0 before 7.2.11, 7.3.0 before 7.4.6, 7.6.0 before 7.6.5, 7.7.0 before 7.7.12, and 10.0.0 before 10.0.1. Software updates have been released to mitigate these issues, and further details are available in Cisco Security Advisories cisco-sa-onprem-fmc-authbypass-5JPp45V2 and cisco-sa-fmc-rce-NKhnULJh.

Severity: Critical

Threat Details and IOCs

Malware: Line Dancer, Line Runner
CVEs: CVE-2026-20079, CVE-2026-20131
Technologies: Cisco Secure Firewall Management Center, Cisco Secure Firewall Management Center Software, Cisco Security Cloud Control, Oracle Java
Threat Actors: STORM-1849, Uat4356
Attacker Countries: China
Victim Industries: Cloud Infrastructure, Energy, Financial Services, Government, Healthcare, Industrials, Information Technology, Multimedia, Telecommunications
Victim Countries: United States

Mitigation Advice

  • Prioritize and apply the security updates from Cisco to all identified Cisco Secure Firewall Management Center (FMC) instances.
  • Initiate a vulnerability scan using Qualys with QIDs 317769 and 317770 to create a definitive list of all vulnerable Cisco FMC devices on the network.
  • Manually audit the software version of all Cisco Secure Firewall Management Center (FMC) instances and compare them against the list of affected versions provided in the article.
  • Configure network firewalls to immediately block all access to the Cisco FMC web-based management interface from the internet and all internal networks, except for a small, designated set of administrator workstations.
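A small version check to support the manual audit above, added here as an example rather than Cisco tooling. It reads each "X before Y" range quoted in the summary as X <= version < Y, compares versions numerically (so 7.2.9 sorts before 7.2.11), and reports anything outside every listed range as "not listed" instead of "fixed", since the list is a snapshot of the article and the Cisco advisories remain the authority. The hostnames in the sample inventory are constructed.

```python
"""Classify Cisco Secure Firewall Management Center (FMC) versions against the
affected ranges quoted in the summary above.  Added example, not Cisco tooling:
each "X before Y" entry from the text is read as X <= version < Y (an
assumption), and a version in no listed range is reported as "not listed"
rather than "fixed"."""
import re

# (first affected build, first fixed build), copied from the summary text.
AFFECTED_RANGES = [
    ("6.4.0.13", "7.0.9"),
    ("7.0.0", "7.0.9"),
    ("7.1.0", "7.2.11"),
    ("7.3.0", "7.4.6"),
    ("7.6.0", "7.6.5"),
    ("7.7.0", "7.7.12"),
    ("10.0.0", "10.0.1"),
]


def parse_version(text):
    """Turn '7.2.10' (or '6.4.0.13') into a tuple of ints.  Comparing the raw
    strings would put '7.2.9' after '7.2.11', a classic audit mistake."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare(a, b):
    """Three-way compare of version tuples, zero-padded so 7.0.9 == 7.0.9.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def classify(version):
    """Return ('affected', range), ('fixed', build) or ('not listed', None)."""
    v = parse_version(version)
    for first, fixed in AFFECTED_RANGES:
        if compare(v, parse_version(first)) >= 0 and compare(v, parse_version(fixed)) < 0:
            return "affected", f"{first} before {fixed}"
    for _, fixed in AFFECTED_RANGES:
        hi = parse_version(fixed)
        # Same major.minor train as a fixed build and at or above it.
        if v[:2] == hi[:2] and compare(v, hi) >= 0:
            return "fixed", fixed
    return "not listed", None


def audit(inventory):
    """inventory: iterable of (hostname, version).  Returns report rows with
    affected hosts first so they land at the top of the patch ticket."""
    rows = [(host, ver) + classify(ver) for host, ver in inventory]
    order = {"affected": 0, "not listed": 1, "fixed": 2}
    return sorted(rows, key=lambda r: order[r[2]])


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("fmc-lab", "7.5.1"), ("fmc-dc2", "7.4.6"),
              ("fmc-dc1", "7.2.10"), ("fmc-old", "6.4.0.13")]
    for host, ver, status, detail in audit(sample):
        print(f"{host:8} {ver:9} {status:11} {detail or ''}")
```

Feed it the version column of your FMC inventory; any host reported "not listed" (a 7.5.x build, for instance) needs a look at the advisory text rather than a tick in the "patched" column.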

Compliance Best Practices

  • Initiate a network architecture review project to create a dedicated, out-of-band management network for all critical infrastructure, ensuring that management interfaces are physically or logically isolated from production and user network traffic.
  • Develop and implement a comprehensive vulnerability management policy that includes automated asset inventory, regular scanning schedules, risk-based prioritization criteria, and defined Service Level Agreements (SLAs) for patching critical infrastructure.
  • Evaluate and deploy a Web Application Firewall (WAF) in front of critical management interfaces that must remain accessible over the network to provide a virtual patching and defense-in-depth layer against web-based attacks.

Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

The Coruna iOS exploit kit, identified by Google Threat Intelligence Group, targets Apple iPhone models running iOS versions 13.0 through 17.2.1, comprising five full exploit chains and 23 individual exploits that leverage non-public techniques and mitigation bypasses. Its proliferation was observed from initial use by a commercial surveillance vendor's customer in February 2025, to watering hole attacks against Ukrainian users by UNC6353 (a suspected Russian espionage group) in summer 2025, and finally in broad-scale campaigns by UNC6691 (a financially motivated Chinese threat actor) via fake financial websites by the end of 2025, indicating an active market for zero-day exploits. The kit's sophisticated JavaScript framework fingerprints devices, bypasses Lockdown Mode and private browsing, and delivers encrypted, compressed binary payloads. The final payload, PlasmaLoader (PLASMAGRID), injects into the `powerd` daemon to steal financial information, including QR codes, BIP39 word sequences, and bank account details from Apple Memos, and can remotely load modules to exfiltrate data from various cryptocurrency wallet applications, with its internal logging containing Chinese text. Users are strongly advised to update their iOS devices to the latest version and enable Lockdown Mode for protection.

Severity: Critical

Threat Details and IOCs

Malware: Coruna, CryptoWaters, EternalBlue, IronLoader, Pegasus, Photon, PlasmaGrid, PLASMAGRID, PlasmaLoader, TriangleDB, WanaCrypt0r, WannaCry, WannaCrypt, WannaCryptor, WCry
CVEs: CVE-2020-27932, CVE-2020-27950, CVE-2021-30952, CVE-2022-48503, CVE-2023-32409, CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, CVE-2023-41974, CVE-2023-41990, CVE-2023-43000, CVE-2024-23222, CVE-2024-23225, CVE-2024-23296
Technologies: Apple iOS, Apple macOS, Apple Memos, Apple Safari, Apple WebKit, Bitget Wallet, BitKeep, Exodus Wallet, MetaMask, Phantom, TokenPocket, Trust Wallet, Uniswap
Threat Actors: GALLIUM, Lazarus, LazarusGroup, NSO, PLASMAGRID, TheShadowBrokers, UNC6353, UNC6691
Attacker Countries: China, North Korea, Russia, United States
Attacker Domains: 26a.online, 2s3b3rknfqtwwpo.xyz, 3v5w1km5gv.xyz, 4kgame.us, 4u.game, 65sse.668ddf.cc, 6zvjeulzaw5c0mv.xyz, 7ff.online, 7fun.icu, 7p.game, 7uspin.us, 8df7.cc, 8fn4957c5g986jp.xyz, 98a.online, ai-scorepredict.com, ajskbnrs.xn--jor0b302fdhgwnccw8g.com, anygg.liquorfight.com, b27.icu, b38w09ecdejfqsf.xyz, bestcryptocurrency.top, binancealliancesintro.com, btrank.top, cdn.uacounter.com, cryptocurrencyworld.top, cy8.top, dbgopaxl.com, dd9l7e6ghme8pbk.xyz, ddus17.com, eg2bjo5x5r8yjb5.xyz, fxrhcnfwxes90q.xyz, gdvynopz3pa0tik.xyz, goanalytics.xyz, goodcryptocurrency.top, gqjs3ra34lyuvzb.xyz, h4k.icu, hfteigt3kt0sf3z.xyz, hui4tbh9uv9x4yi.xyz, i.binaner.com, ios.teegrom.top, iphonex.mjdqw.cn, k96.icu, kanav.blog, land.777bingos.xyz, land.77bingos.com, land.bingo777.now, lddx3z2d72aa8i6.xyz, lk4x6x2ejxaw2br.xyz, lsnngjyu9x6vcg0.xyz, mkkku.com, m.pc6.com, mxbc-v2.tjbjdod.cn, n49.top, o08h5rhu2lu1x0q.xyz, ol67el6pxg03ad7.xyz, ose.668ddf.cc, osec2.668ddf.cc, pen0axt0u476duw.xyz, pepeairdrop01.com, res54allb.xn--xkrsa0078bd6d.com, rlau616jc7a7f7i.xyz, roy2tlop2u.xyz, sadjd.mijieqi.cn, seven7.to, seven7.vip, sf2bisx5nhdkygn3l.xyz, share.4u.game, share.7p.game, sj9ioz3a7y89cy7.xyz, so5083.tubeluck.com, spin7.icu, t7c.icu, uawwydy3qas6ykv.xyz, v2gmupm7o4zihc3.xyz, vvri8ocl4t3k8n6.xyz, w2a315.tubeluck.com, www.appstoreconn.com, xfal48cf0ies7ew.xyz, xittgveqaufogve.xyz, xjslbdt9jdijn15.xyz, xmmfrkq9oat1daq.xyz, y4w.icu, yvgy29glwf72qnl.xyz, zcjdlb5ubkhy41u.xyz, ztvnhmhm4zj95w3.xyz
Attacker URLs: http://bestcryptocurrency.top/details/group.html, http://cdn.uacounter.com/stat.html, http://cryptocurrencyworld.top/details/group.html, http://ddus17.com/tuiliu/group.html, http://goodcryptocurrency.top/details/group.html, http://land.777bingos.xyz/88k4ez/group.html, http://land.77bingos.com/88k4ez/group.html, http://land.bingo777.now/88k4ez/group.html, http://pepeairdrop01.com/static/analytics.html, https://26a.online/group.html, https://3v5w1km5gv.xyz/group.html, https://4kgame.us/group.html, https://4u.game/group.html, https://65sse.668ddf.cc/tuiliu/group.html, https://7ff.online/group.html, https://7fun.icu/group.html, https://7p.game/group.html, https://7uspin.us/group.html, https://8df7.cc/api/ip-sync/sync, https://98a.online/group.html, https://ai-scorepredict.com/static/analytics.html, https://ajskbnrs.xn--jor0b302fdhgwnccw8g.com/gogo/list.html, https://anygg.liquorfight.com/88k4ez/group.html, https://b27.icu/group.html, https://binancealliancesintro.com/group.html, https://btrank.top/tuiliu/group.html, https://cy8.top/group.html, https://dbgopaxl.com/static/goindex/tuiliu/group.html, https://dd9l7e6ghme8pbk.xyz/group.html, https://fxrhcnfwxes90q.xyz/group.html, https://goanalytics.xyz/88k4ez/group.html, https://goodcryptocurrency.top/details/group.html, https://h4k.icu/group.html, https://i.binaner.com/group.html, https://ios.teegrom.top/tuiliu/group.html, https://iphonex.mjdqw.cn/tuiliu/group.html, https://k96.icu/group.html, https://kanav.blog/group.html, https://land.bingo777.now/88k4ez/group.html, https://lddx3z2d72aa8i6.xyz/group.html, https://mkkku.com/static/analytics.html, https://m.pc6.com/test/tuiliu/group.html, https://n49.top/group.html, https://ose.668ddf.cc/tuiliu/group.html, https://osec2.668ddf.cc/tuiliu/group.html, https://pepeairdrop01.com/static/analytics.html, https://res54allb.xn--xkrsa0078bd6d.com/group.html, https://sadjd.mijieqi.cn/group.html, https://seven7.to/group.html, https://seven7.vip/group.html, https://share.4u.game/group.html, https://share.7p.game/group.html, https://sj9ioz3a7y89cy7.xyz/list.html, https://so5083.tubeluck.com/static/goindex/group.html, https://spin7.icu/group.html, https://t7c.icu/group.html, https://w2a315.tubeluck.com/static/goindex/tuiliu/group.html, https://www.appstoreconn.com/xmweb/group.html, https://y4w.icu/group.html
Attacker Hashes: 023e5fb71923cfa2088b9a48ad8566ff7ac92a99630add0629a5edf4679888de, 05b5e4070b3b8a130b12ea96c5526b4615fcae121bb802b1a10c3a7a70f39901, 0dff17e3aa12c4928273c70a2e0a6fff25d3e43c0d1b71056abad34a22b03495, 10bd8f2f8bb9595664bb9160fbc4136f1d796cb5705c551f7ab8b9b1e658085c, 18394fcc096344e0730e49a0098970b1c53c137f679cff5c7ff8902e651cd8a3, 1fb9dedf1de81d387eff4bd5e747f730dd03c440157a66f20fdb5e95f64318c0, 25a9b004cf61fb251c8d4024a8c7383a86cb30f60aa7d59ca53ce9460fcfb7de, 2a9d21ca07244932939c6c58699448f2147992c1f49cd3bc7d067bd92cb54f3a, 3c297829353778857edfeaed3ceeeca1bf8b60534f1979f7d442a0b03c56e541, 42cc02cecd65f22a3658354c5a5efa6a6ec3d716c7fbbcd12df1d1b077d2591b, 499f6b1e012d9bc947eea8e23635dfe6464cd7c9d99eb11d5874bd7b613297b1, 4dc255504a6c3ea8714ccdc95cc04138dc6c92130887274c8582b4a96ebab4a8, 4dfcf5a71e5a8f27f748ac7fd7760dec0099ce338722215b4a5862b60c5b2bfd, 6eafd742f58db21fbaf5fd7636e6653446df04b4a5c9bca9104e5dfad34f547c, 721b46b43b7084b98e51ab00606f08a6ccd30b23bef5e542088f0b5706a8f780, 91d44c1f62fd863556aac0190cbef3b46abc4cbe880f80c580a1d258f0484c30, be28b40df919d3fa87ed49e51135a719bd0616c9ac346ea5f20095cb78031ed9, ce0a80a99b00d7ab74a90fa265a62755c25f78a3cd5ee7d9779d829bcd8c1895, d371e3bed18ee355438b166bbf3bdaf2e7c6a3af8931181b9649020553b07e7a, d517c3868c5e7808202f53fa78d827a308d94500ae9051db0a62e11f7852e802, f218068ea943a511b230f2a99991f6d1fbc2ac0aec7c796b261e2a26744929ac
Victim Industries: Business Services, Cryptocurrency, Defense, E-commerce, Financial Services, Government, Industrials, Information Security, Manufacturing, Multimedia, Online Gambling, Public Sector, Retail, Sports and Entertainment, Technology Hardware
Victim Countries: China, Israel, Russia, Syria, Ukraine, United States

Mitigation Advice

  • Ensure all company-managed and BYOD iPhones are updated to the latest available version of iOS immediately.
  • Enable Lockdown Mode on iPhones for high-risk users or any device that cannot be immediately updated to a patched iOS version.
  • Add all URLs and domains from the article's 'Network Indicators' section to the blocklists on your firewall, web proxy, and DNS filtering services.
  • Use endpoint detection tools to scan for the file hashes provided in the 'File Indicators' section on all managed iOS devices.
  • Deploy the YARA rules provided in the article to scan network traffic and endpoint data for signs of the Coruna exploit kit and PLASMAGRID payload.
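The blocklist and DNS-monitoring steps above are easy to get subtly wrong, so here is an added example (not from Google's report or any vendor tool) of matching DNS query logs against the domain indicators listed in this entry. It matches a query that equals an indicator or sits beneath it, never a substring and never a parent: several indicators (m.pc6.com, share.4u.game) are hostnames under a larger domain, so blocking the parent would over-block, while a naive substring test would flag unrelated names such as notcdn.uacounter.com. The indicator subset is taken from the page; the log format and log lines are constructed.

```python
"""Match DNS query logs against the Coruna domain indicators above.  Added
example; the matching is exact-or-subdomain on label boundaries, with IDN
queries normalised to punycode so they compare equal to xn-- indicators."""

# A subset of the Attacker Domains listed above (real indicators from the page).
INDICATORS = [
    "4u.game", "share.4u.game", "cdn.uacounter.com", "m.pc6.com",
    "ajskbnrs.xn--jor0b302fdhgwnccw8g.com", "www.appstoreconn.com",
]

# Constructed DNS log lines in an assumed "<timestamp> <client-ip> <qname>" layout.
DNS_LOG = """\
2026-03-02T10:00:01Z 10.0.0.5 share.4u.game
2026-03-02T10:00:02Z 10.0.0.5 cdn2.4u.game
2026-03-02T10:00:03Z 10.0.0.7 notcdn.uacounter.com
2026-03-02T10:00:04Z 10.0.0.7 pc6.com
2026-03-02T10:00:05Z 10.0.0.9 AJSKBNRS.xn--jor0b302fdhgwnccw8g.com.
2026-03-02T10:00:06Z 10.0.0.9 www.example.com
""".splitlines()


def normalize(name):
    """Lower-case, drop a trailing dot and convert Unicode labels to punycode so
    that an IDN query compares equal to its xn-- indicator."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name  # malformed label (empty or over 63 chars): compare as-is


class DomainBlocklist:
    def __init__(self, indicators):
        self.entries = {normalize(d) for d in indicators}

    def match(self, qname):
        """Return the indicator that qname equals or sits under, else None.
        Walks from the full name towards the apex, so cdn2.4u.game matches
        4u.game but pc6.com never matches m.pc6.com."""
        labels = normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.entries:
                return candidate
        return None


def scan_dns_log(lines, blocklist):
    """Return (timestamp, client, qname, indicator) for every matching query."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or truncated record
        ts, client, qname = parts[:3]
        indicator = blocklist.match(qname)
        if indicator:
            hits.append((ts, client, qname, indicator))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(DNS_LOG, DomainBlocklist(INDICATORS)):
        print(*hit)
```

Swap in the full domain list from this entry and your resolver's real log layout; the matcher itself does not change. A hit on a client is a lead for the device checks in the list above, not proof of compromise on its own.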

Compliance Best Practices

  • Implement or enhance a Mobile Device Management (MDM) solution to gain visibility into iOS versions and enforce security policies, such as mandatory updates.
  • Develop and implement a continuous security awareness training program that educates users on identifying and avoiding mobile-based phishing and malicious websites.
  • Create or review corporate policies to restrict or secure the use of mobile devices for accessing sensitive financial data and cryptocurrency applications.
  • Implement enhanced network egress filtering and DNS monitoring to detect and block anomalous outbound connections, such as those generated by a Domain Generation Algorithm (DGA).
  • Develop and formalize an incident response plan specifically for handling security incidents involving compromised mobile devices.

Sources

https://apple.slashdot.org/story/26/03/03/2049253/a-possible-us-government-iphone-hacking-toolkit-is-now-in-the-hands-of-foreign-spies-criminals

https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit/

https://coinedition.com/iphone-security-alert-coruna-hack-targets-crypto-wallet-recovery-phrases/

https://cyberinsider.com/google-uncovers-new-coruna-ios-exploit-kit-used-in-iphone-espionage/

https://cyberpress.org/coruna-exploit-kit-leveraging-23-vulnerabilities/

https://gbhackers.com/thousands-of-iphones-compromised-in-massive-hack-via-coruna-exploit-kit/

https://meterpreter.org/from-spyware-to-scams-the-coruna-ios-arsenal-exploiting-23-vulnerabilities-to-plunder-iphones/

https://securityonline.info/coruna-the-high-powered-ios-exploit-kit-proliferating-across-the-global-threat-landscape/

https://sploitus.com/exploit?id=43D73A3D-B17C-5650-ADD1-0A440F38D03B

https://sploitus.com/exploit?id=81F563EA-F160-582D-AAA5-D5964E5EF53E

https://techcrunch.com/2026/03/03/a-suite-of-government-hacking-tools-targeting-iphones-is-now-being-used-by-cybercriminals/

https://thehackernews.com/2026/03/coruna-ios-exploit-kit-uses-23-exploits.html

https://www.androidheadlines.com/2026/03/us-government-hacking-tools-are-now-in-criminal-hands-is-your-iphone-safe.html

https://www.bleepingcomputer.com/news/security/spyware-grade-coruna-ios-exploit-kit-now-used-in-crypto-theft-attacks/

https://www.cyberkendra.com/2026/03/google-uncovers-coruna-ios-exploit-kit.html

https://www.esecurityplanet.com/threats/coruna-ios-exploit-kit-compromises-thousands-of-iphones/

https://www.helpnetsecurity.com/2026/03/03/coruna-ios-exploit-kit/

https://www.infosecurity-magazine.com/news/coruna-exploit-older-iphones/

https://www.scworld.com/brief/coruna-exploit-kit-government-hacking-tools-surface-in-cybercriminal-hands

https://www.securitylab.ru/news/570046.php

https://www.securityweek.com/nation-state-ios-exploit-kit-coruna-found-powering-global-attacks/

https://www.techradar.com/pro/security/iphones-targeted-by-new-and-powerful-malware-and-coruna-may-have-been-developed-by-the-us-government

https://www.theregister.com/2026/03/04/kaspersky_dismisses_claims_that_coruna/

HackerBot-Claw: An AI-Assisted Campaign Targeting GitHub Actions Pipelines

An automated campaign, dubbed "HackerBot-Claw," systematically scans public GitHub repositories for misconfigured GitHub Actions workflows, particularly those utilizing `pull_request_target` with elevated permissions, to gain privileged access. Active around February 27-28, 2026, this campaign exploits insecure CI/CD configurations to achieve remote code execution and privileged token theft across CI/CD pipelines. The attack chain involves inspecting `.github/workflows/*.yml` for patterns such as `pull_request_target` triggers, excessive token permissions, untrusted checkouts, or reuse of privileged secrets. Upon identifying a vulnerable workflow, the attacker generates a crafted pull request to trigger the CI pipeline, leading to arbitrary code execution or exposure of privileged tokens. Compromised tokens enable destructive or unauthorized API actions, including token exfiltration, direct commit pushes, release deletions, advisory creation, and repository manipulation, with some instances leading to full repository takeover. High-profile open-source projects, including microsoft/ai-discovery-agent, DataDog/datadog-iac-scanner, avelino/awesome-go, project-akri/akri, ambient-code/platform, aquasecurity/trivy, and RustPython/RustPython, were impacted. Mitigation strategies include secure workflow design, safe handling of `pull_request_target`, strict token scoping, input sanitization, preventing untrusted code from executing with elevated permissions, applying recommended updates, and rotating credentials. This campaign highlights a broader trend of CI/CD exploitation, as evidenced by past supply chain attacks like the one against `tj-actions/changed-files`.

Severity: Critical

Threat Details and IOCs

Malware: Spark, SparkRAT, VShell, Zerobot, ZeroStresser
CVEs: CVE-2023-3411, CVE-2023-51664, CVE-2024-21626, CVE-2025-30066, CVE-2025-30154, CVE-2025-47928
Technologies: Akri, Amazon Kiro CLI, Anthropic Claude, Aqua Security Trivy, Datadog IaC Scanner, Eclipse Foundation Open VSX Registry, GitHub Actions, GitHub Copilot, Go, Google Gemini, Kubernetes, Linux, Microsoft Visual Studio, OpenAI, Open VSX Registry, Python, tj-actions changed-files
Attacker Domains: hackmoltrepeat.com, recv.hackmoltrepeat.com
Attacker URLs: hackmoltrepeat.com/molt, https://hackmoltrepeat.com/molt, https://hackmoltrepeat.com/moult, https://recv.hackmoltrepeat.com/, pkg:vscode/aquasecurityofficial/trivy-vulnerability-scanner@1.8.12?repository_url=https://open-vsx.org, pkg:vscode/aquasecurityofficial/trivy-vulnerability-scanner@1.8.13?repository_url=https://open-vsx.org
Victim Industries: Artificial Intelligence, Cloud Infrastructure, Information Security, Software, Technology Hardware
Victim Countries: Israel, United States

Mitigation Advice

  • Immediately audit all GitHub Actions workflows across all company repositories to identify any that use the `pull_request_target` trigger.
  • For any workflow identified using `pull_request_target`, immediately review its `permissions` block and remove write permissions (e.g., `contents: write`) unless they are validated as absolutely necessary.
  • In workflows using `pull_request_target`, search for and remove any steps that check out code from the pull request head reference (`${{ github.event.pull_request.head.sha }}`).
  • Review all software and dependency lists to determine if the organization uses any of the 'Known Impacted Repositories' mentioned in the article and immediately apply recommended updates or credential rotation guidance from the maintainers.

Compliance Best Practices

  • Configure organization-level GitHub settings to enforce read-only permissions for the `GITHUB_TOKEN` by default for all new repositories and workflows.
  • Implement a mandatory code review process for all changes to GitHub Actions workflow files (`.github/workflows/*.yml`) by using GitHub's branch protection rules and CODEOWNERS files.
  • Establish and enforce a policy requiring all third-party GitHub Actions in workflows to be pinned to a specific, immutable commit SHA instead of a mutable tag like `@v4`.
  • Integrate an automated security scanner into the CI/CD pipeline to continuously audit GitHub Actions workflows for misconfigurations, such as the use of `pull_request_target` with write permissions, before code is merged.
  • For workflows that must process pull requests from forks, re-architect them to use the `workflow_run` trigger, which safely separates the privileged workflow from the untrusted code execution by passing data via artifacts.
  • Enforce input sanitization within GitHub Actions workflows for all data derived from pull requests, including branch names, titles, and filenames, to prevent injection attacks.
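The audit steps in the mitigation list (find `pull_request_target` workflows, check their `permissions`, look for head-ref checkouts) and the scanner called for in the compliance list (flag write permissions and unpinned actions before merge) come down to the same checks, so here is one added example that performs them. It is not a tool from any of the impacted projects and not a YAML parser: it scans text lines, so flow-style mappings or anchors can slip past it, and it should prioritise a manual review rather than replace one. The two sample workflows are constructed; the 40-zero SHA in the hardened one is a placeholder for a real pinned commit.

```python
"""Line-based triage of GitHub Actions workflow files for the patterns the
campaign above looks for: a pull_request_target trigger combined with write
permissions, a checkout of the pull-request head, secrets exposed to
PR-triggered steps, and actions pinned to mutable tags.  Added example, not
a tool from any impacted project; a text scan, not a YAML parser."""
import re
from pathlib import Path

PRT_LINE = re.compile(r"^\s*(-\s*)?pull_request_target\s*:?\s*$")
PRT_INLINE = re.compile(r"^\s*on\s*:\s*(pull_request_target\s*$|\[[^\]]*\bpull_request_target\b[^\]]*\])")
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
WRITE_ALL = re.compile(r"^\s*permissions\s*:\s*write-all\s*$")
PERM_WRITE = re.compile(r"^\s*([a-z-]+)\s*:\s*write\s*$")
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.(?!GITHUB_TOKEN\b)(\w+)")
USES = re.compile(r"^\s*-?\s*uses\s*:\s*([^\s@]+)@(\S+)")
SHA40 = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflows; not taken from any repository named above.
VULNERABLE = """\
name: pr-build
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  pull-requests: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

HARDENED = """\
name: pr-build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder: pin the real commit SHA
      - run: npm install && npm test
"""


def audit_workflow(text):
    """Return (severity, message) findings for one workflow file's text."""
    lines = text.splitlines()
    findings = []
    uses_prt = any(PRT_LINE.match(l) or PRT_INLINE.match(l) for l in lines)
    has_permissions = any(re.match(r"^\s*permissions\s*:", l) for l in lines)
    write_scopes = [m.group(1) for l in lines if (m := PERM_WRITE.match(l))]
    write_all = any(WRITE_ALL.match(l) for l in lines)
    head_checkout = [n for n, l in enumerate(lines, 1) if HEAD_REF.search(l)]
    secrets = sorted({m.group(1) for l in lines for m in SECRET_USE.finditer(l)})
    if uses_prt:
        if head_checkout:  # untrusted PR code runs with the base repository's token
            findings.append(("critical", f"line {head_checkout[0]}: pull_request_target "
                             "workflow checks out the PR head"))
        if write_all or write_scopes:
            scopes = "write-all" if write_all else ", ".join(write_scopes)
            findings.append(("high", f"pull_request_target workflow grants write permissions: {scopes}"))
        if not has_permissions:  # GITHUB_TOKEN then falls back to the repository default
            findings.append(("medium", "pull_request_target workflow has no permissions block"))
        if secrets:
            findings.append(("high", "pull_request_target workflow exposes secrets to "
                             "PR-triggered steps: " + ", ".join(secrets)))
    for n, l in enumerate(lines, 1):  # a mutable tag can be repointed upstream
        m = USES.match(l)
        if m and not SHA40.fullmatch(m.group(2)):
            findings.append(("low", f"line {n}: {m.group(1)}@{m.group(2)} is not pinned to a commit SHA"))
    return findings


def audit_repo(root):
    """Audit every workflow file under <root>/.github/workflows; returns {path: findings}."""
    wf = Path(root, ".github", "workflows")
    files = sorted(list(wf.glob("*.yml")) + list(wf.glob("*.yaml")))
    return {str(p): audit_workflow(p.read_text(encoding="utf-8")) for p in files}


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit_workflow(text) or "no findings")
```

The hardened sample simply switches to the `pull_request` trigger with a read-only token, which is enough when the workflow only needs to build and test. A workflow that must write (comment, label, publish) on fork pull requests is the case for the `workflow_run` split described above; the auditor treats that trigger as benign because the untrusted build runs in a separate, unprivileged workflow.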

Inside Tycoon2FA: How a Leading AiTM Phishing Kit Operated at Scale

Tycoon2FA emerged in August 2023 as a prominent phishing-as-a-service (PhaaS) platform, enabling campaigns that generated tens of millions of phishing messages monthly, impacting over 500,000 organizations across various sectors. Operated by the threat actor Storm-1747, this kit provided adversary-in-the-middle (AiTM) capabilities, allowing even less skilled attackers to bypass multifactor authentication (MFA) by intercepting session cookies and credentials. The service, advertised on platforms like Telegram and Signal for as little as $120 for 10 days, featured a web-based administration panel for configuring campaigns, selecting lure templates (impersonating services like Microsoft 365, Outlook, Gmail), managing redirect logic, and tracking victims. Its infrastructure evolved from static domains to a dynamic ecosystem of short-lived FQDNs and diverse TLDs, often hosted on Cloudflare, using readable subdomains to evade detection. Tycoon2FA employed sophisticated evasion techniques, including anti-bot screening, browser fingerprinting, heavy code obfuscation, custom CAPTCHAs, dynamic decoy pages, and complex redirect chains involving legitimate services like Azure Blob Storage and Firebase. Phishing emails typically contained malicious attachments (PDF, DOCX, SVG, HTML) or redirect links, often leveraging compromised accounts. Captured credentials and session tokens were exfiltrated via encrypted channels, frequently Telegram bots, enabling attackers to gain persistent access. To counter such threats, implementing phishing-resistant MFA (e.g., FIDO2, Windows Hello for Business, authenticator passkeys) is crucial, especially for privileged roles. Immediate remediation for compromised accounts includes resetting credentials, revoking active sessions, re-registering MFA devices, reverting unauthorized financial changes, and removing malicious inbox rules. Proactive defenses involve configuring email security solutions for link rechecking and zero-hour auto purge, enabling network protection, using secure browsers with threat intelligence, and deploying cloud-delivered antivirus protection. Additionally, organizations should simulate attacks to train users and configure automatic attack disruption and conditional access policies requiring strong authentication.

Severity: Critical

Threat Details and IOCs

Malware: BlackForce, Caffeine, GhostFrame, InboxPrimeAI, RaccoonO365, Tycoon, Tycoon 2FA, Tycoon2FA
Technologies: Google Gmail, Google Workspace, Microsoft 365, Microsoft Entra ID
Threat Actors: BlackForce, Mr_Xaad, MrXaaD, SaaadFridi, SaadTycoonGroup, Storm-1747, Storm1747, Storm-2246, Tycoon Group, TycoonGroup
Attacker Countries: Pakistan, Russia, Spain
Attacker Domains: 0q5e0.nemen9.com, 25rw2.canweal.com, 35fu2.ouchar.ru, 4343w.jgu0.com, 43rw98nop8.m1p8z.com, 4m2swl.7e2r.com, 5me78.methw.ru, 6j312.rchan0.com, 7374.ginvet9.com, 77p3e.rimesh3.com, 8000n.uqin.ru, 8uecv.gnornamb.com, 98q5e.ructin.com, 9c43r.theq0.com, 9oc0y2isa27.demur3.com, astro.thorousha.ru, backend.vmfuiojitnlb.es, beacon.diremsto.com, bloggcenter.com, branch.cricomai.sa.com, buneji.fiernmar.com, codecrafterspro.com, codecrafters.su, com.de, date.woosea.biz.id, devcraftingsolutions.com, e85t8.nechsha.com, ex1uo.rhknt.ru, explore.atlester.ru, fiq75d.rexj.ru, fisaca.trodeckh.com, galume.aricente.com, gz238.uatimin.com, horizon.sologerg.com, i9152.cisele0.com, ifelse.rlcozx.es, immutable.nathacha.digital, in.net, jgcrrouu.es, jp1y36.it2ua.com, k348d.venti71.com, kjlvo.ningeona.com, kjsdflwe.nitertym.ru, kzagniw.es, l846d.ferver8.com, libudi.oreversa.com, mapbox.stashiowio.us, mock.zuyistoo.today, mysql.vecedoo.online, n29k4.ilert.ru, n9zph.lw8opi.com, o6t94g.3tdx2r.com, onkttyhqjycn.es, oo99v.coqqwx.ru, p1v12.17nor.com, piwf.ariitdc.es, pmd8ot6xhw.3qjpc.com, q908q.refec7.com, q9y3.efwzxgd.es, qonnfp.wnrathttb.ru, r298y.sem01.com, rlpq.tk9u.com, roriku.orankfix.com, s3.ap-northeast-3.amazonaws.com, sa.com, tlger-surveillance.com, tnyr.moporins.com, tycoongroup.ws, vraudo.es, wasogo.shantowd.com, x12y.restrice.ru, xrs.chenebystie.com, xva.tjlpkcia.com, zaqaxu.dthiterp.ru, zekal6.tnjxb.com, zemj4f.ymarir.ru
Attacker URLs: https://3eJBE8eo5f13oigGmQkDKhEkKNK9c2TlnVZPVRc16Hnhi0G4kxTsXEf2gH.jgcrrouu.es/sZzqqvSHaFLRSRFbpIgHEzUhFBimCQAHTCPYNKQFZGMAFYFZUSEVATEOXHQKEXAQDWFXJOAYHETC, https://click.mailchimp.com/track/click/30010842/s3.ap-northeast-3.=amazonaws.com?p=3DeyJzIjoiUUhxQS1jMmJmNW9QeS1lNUFZT2RMeVE4WlJjIiwidiI6Miwic=CI6IntcInVcIjozMDAxMDg0MixcInZcIjoyLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3MzLmFw=LW5vcnRoZWFzdC0zLmFtYXpvbmF3cy5jb21cXFwvYmFzc2V0dGhvdXNlaW5uLmNvbVxcXC9pbmR=leC5odG1sXCIsXCJpZFwiOlwiZTFjOTg0N2U5YzM1NDc0NjhhZGIyYTAxMGNhZWQxNGZcIixcIn=VybF9pZHNcIjpbXCJhMTlmMmI4NzE3MjNjNGU4YTFmYjU2Mjc2OTY2NDE3ZTQzYTkzNWYyXCJdL=FwibXNnX3RzXCI6MTc1NDkxMTMzM30ifQ, https://egk1w.onkttyhqjycn.es/sunel$bqtaxtc, https://get.geojs.io/v1/ip/geo.json, https://qaok5hty3.vraudo.es/ITITRt408hJWgm!5Cj/$ZmhhZ2tZWllckBwdGMuY29t, hxxps://7374.ginvet9.com/, hxxps://astro.thorousha.ru/vojd4e50fw4o!g/$ENCODEDEMAIL_ADDRESS, hxxps://backend.vmfuiojitnlb.es/CGyP9!CbhSU22YT2/, hxxps://branch.cricomai.sa.com/b@GrBOPttIrJA/*EMAIL_ADDRESS, hxxps://i9152.cisele0.com/34S7EHRE0DB8QrFfvijoRMsX632e0GRF8rZ89110, hxxps://i9152.cisele0.com/lbuakdidnqmytlcBiVbomCGYTSPFFZAABOLJGWUCZHXZKPGZOQRAVFAAF?317727838333203306556902opEXJOOmXGJPZNFTJIXPAAFUILTKKRQQEFFSNIABRZNUPXEUOAKDATDS, hxxps://i9152.cisele0.com/NOZcbtTxxEiGj/, hxxps://i9152.cisele0.com/web6socket/socket.io/?type=User&appnum=1&EIO=4&transport=websocket, hxxps://immutable.nathacha.digital/T@uWhi6jqZQH7/#?EMAIL_ADDRESS, hxxps://kzagniw.es/LI6vGlx7@1wPztdy, hxxps://mock.zuyistoo.today/pry1r75TisN5S@8yDDQI/$EMAIL_ADDRESS, hxxps://mysql.vecedoo.online/JB5ow79@fKst02/#EMAIL_ADDRESS, hxxps://piwf.ariitdc.es/kv2gVMHLZ@dNeXt/$EMAIL_ADDRESS, hxxps://q9y3.efwzxgd.es/MEaap8nZG5A@c8T/*EMAIL_ADDRESS, hxxps://qonnfp.wnrathttb.ru/Fe2yiyoKvg3YTfV!/$EMAIL_ADDRESS, hxxps://t.me/tycoon_2fa_Link
Attacker Hashes: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
Victim Industries: Aerospace, Construction, Defense, Education, Energy, Financial, Financial Services, Government, Healthcare, Hospitality, Insurance, Legal and Professional Services, Legal Services, Manufacturing, Non-Governmental Organizations (NGOs), Real Estate, Technology Hardware, Utilities
Victim Countries: Australia, Canada, France, Germany, India, Latvia, Lithuania, Pakistan, Poland, Portugal, Spain, United Kingdom, United States

Mitigation Advice

  • In Microsoft Defender, run the provided KQL query against 'AADSignInEventsBeta' logs to hunt for suspicious sign-in attempts that lack device trust information and have a medium or high risk level.
  • In Microsoft Defender, run the provided KQL query against 'UrlClickEvents' logs to identify users who clicked potentially malicious URLs shortly before a risky sign-in event occurred.
  • Review user mailboxes, particularly those flagged in other alerts, for recently created or suspicious inbox rules, especially rules that forward email to external domains or delete messages.
  • For any user account identified as compromised, immediately revoke all active Microsoft Entra ID sessions and refresh tokens.
  • In Microsoft Defender for Office 365, enable and configure the 'Safe Links' policy to scan and rewrite inbound URLs, ensuring time-of-click verification is active for all users.
  • In Microsoft Defender for Office 365, enable and configure the 'Safe Attachments' policy to detonate and scan all incoming email attachments in a sandbox environment before delivery.
  • Verify that Zero-hour auto purge (ZAP) is enabled in Microsoft Defender for Office 365 to automatically remove phishing emails from user inboxes after delivery if they are later identified as malicious.
  • Enable 'Network Protection' in block mode via Microsoft Defender for Endpoint policies to prevent endpoints from connecting to known malicious domains and IP addresses.
  • Ensure that Microsoft Defender SmartScreen or an equivalent web filtering service is enabled and enforced on all company web browsers to block access to known phishing and malware sites.
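The two hunts at the top of the list (risky sign-ins with no device trust, and URL clicks shortly before such a sign-in) are the detection logic that matters against an AiTM kit, because the lure click and the relayed login happen minutes apart from an untrusted device. The following is an added example in Python over constructed records so it runs offline; it is not the article's KQL and not a Microsoft tool. The field names (Timestamp, AccountUpn, RiskLevelDuringSignIn, DeviceTrustType, IPAddress, Url, ActionType) are assumptions modelled on the AADSignInEventsBeta and UrlClickEvents tables, and the users, addresses and lure URLs are placeholders.

```python
"""Hunt for medium/high risk sign-ins without device trust, then for URL clicks
by the same account shortly before them.  Added example over constructed
records; field names are assumptions modelled on the Defender tables named
in the advice above and must be mapped to your tenant's export."""
from datetime import datetime, timedelta

RISKY_LEVELS = {"medium", "high"}

# Constructed sample sign-in rows (UTC timestamps, placeholder users and IPs).
SIGN_INS = [
    {"Timestamp": "2026-03-02T09:14:05", "AccountUpn": "alice@example.com",
     "RiskLevelDuringSignIn": "high", "DeviceTrustType": "", "IPAddress": "203.0.113.10"},
    {"Timestamp": "2026-03-02T09:20:00", "AccountUpn": "bob@example.com",
     "RiskLevelDuringSignIn": "medium", "DeviceTrustType": "Azure AD joined", "IPAddress": "198.51.100.5"},
    {"Timestamp": "2026-03-02T11:00:00", "AccountUpn": "carol@example.com",
     "RiskLevelDuringSignIn": "low", "DeviceTrustType": "", "IPAddress": "203.0.113.11"},
    {"Timestamp": "2026-03-02T13:30:00", "AccountUpn": "dave@example.com",
     "RiskLevelDuringSignIn": "medium", "DeviceTrustType": "", "IPAddress": "203.0.113.12"},
]

# Constructed sample URL-click rows; the lure domain is a reserved placeholder.
URL_CLICKS = [
    {"Timestamp": "2026-03-02T09:11:40", "AccountUpn": "alice@example.com",
     "Url": "https://lure.example/login", "ActionType": "ClickAllowed"},
    {"Timestamp": "2026-03-02T12:30:00", "AccountUpn": "dave@example.com",
     "Url": "https://other.example/doc", "ActionType": "ClickAllowed"},
    {"Timestamp": "2026-03-02T10:50:00", "AccountUpn": "carol@example.com",
     "Url": "https://lure.example/login", "ActionType": "ClickBlocked"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def untrusted_risky_sign_ins(sign_ins):
    """Hunt 1: medium/high risk sign-ins with no device trust information."""
    return [row for row in sign_ins
            if str(row["RiskLevelDuringSignIn"]).lower() in RISKY_LEVELS
            and not row.get("DeviceTrustType")]


def clicks_before_risky_sign_ins(sign_ins, clicks, window_minutes=30):
    """Hunt 2: for each hit of hunt 1, URL clicks by the same account within
    window_minutes before the sign-in.  A short window keeps the lure-to-login
    sequence of an AiTM kit and drops unrelated browsing."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for s in untrusted_risky_sign_ins(sign_ins):
        sign_in_time = parse_ts(s["Timestamp"])
        for c in clicks:
            if c["AccountUpn"] != s["AccountUpn"]:
                continue
            gap = sign_in_time - parse_ts(c["Timestamp"])
            if timedelta(0) <= gap <= window:  # click happened before the sign-in
                hits.append({
                    "AccountUpn": s["AccountUpn"],
                    "Url": c["Url"],
                    "ClickAction": c["ActionType"],
                    "ClickTime": c["Timestamp"],
                    "SignInTime": s["Timestamp"],
                    "MinutesBetween": round(gap.total_seconds() / 60, 1),
                    "Risk": s["RiskLevelDuringSignIn"],
                    "IPAddress": s["IPAddress"],
                })
    return hits


if __name__ == "__main__":
    for row in untrusted_risky_sign_ins(SIGN_INS):
        print("risky, untrusted:", row["AccountUpn"], row["Timestamp"])
    for hit in clicks_before_risky_sign_ins(SIGN_INS, URL_CLICKS):
        print("click-then-login:", hit)
```

With the sample data, bob is dropped because the sign-in came from a trusted device and carol because her risk level is low; dave's click is an hour earlier than his sign-in and falls outside the default 30-minute window, which is the kind of tuning decision the analyst makes, not the query. Each hit is a candidate for the session revocation and inbox-rule review steps listed above.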

Compliance Best Practices

  • Develop and execute a project to deploy phishing-resistant Multi-Factor Authentication (MFA), such as FIDO2 security keys, for all administrative and privileged-access user accounts.
  • Create a phased, long-term plan to roll out phishing-resistant Multi-Factor Authentication (MFA), such as FIDO2 security keys or Microsoft Authenticator passkeys, to the general user population.
  • Implement Microsoft Entra ID Conditional Access policies that enforce the use of 'phishing-resistant' authentication strength for user access to critical business applications and sensitive data.
  • Establish a continuous security awareness training program that includes regular phishing simulations focused on credential harvesting, QR code lures, and MFA bypass techniques.
  • Configure and tune 'automatic attack disruption' in Microsoft Defender XDR to automatically contain compromised identities and endpoints involved in AiTM phishing attacks.
  • Develop, document, and test an incident response playbook specifically for handling Adversary-in-the-Middle (AiTM) attacks, with clear steps for session revocation, credential reset, and mailbox rule inspection.

Authors & Contributors

Brian Sayer (Author)

Threat Intelligence Analyst, F5