IBM's 2026 X-Force Threat Intelligence Index reveals that 56% of the nearly 40,000 vulnerabilities tracked in 2025 required no authentication to exploit — explaining why unauthenticated flaws like the Cisco SD-WAN bypass, the MSHTML zero-day, and the Coruna iOS exploit kit all converged in the same week. Exploitation of public-facing applications surged 44% to become the leading initial access vector. Supply chain compromises nearly quadrupled since 2020. Over 300,000 AI chatbot credentials appeared on dark web marketplaces. Actionable guidance focuses on prioritizing unauthenticated vulnerabilities in patch queues, auditing external attack surfaces, and assessing supply chain exposure across CI/CD and SaaS integrations.

• https://www.ibm.com/think/x-force/threat-intelligence-index-2026-securing-identities-ai-detection-risk-management
• https://uk.newsroom.ibm.com/ibm-2026-x-force-threat-index
• https://industrialcyber.co/reports/ibm-x-force-reports-44-surge-in-exploitation-of-public-facing-applications-as-supply-chain-and-identity-attacks-intensify/
• https://www.ibm.com/think/insights/more-2026-cyberthreat-trends
• https://www.securityweek.com/recent-cisco-catalyst-sd-wan-vulnerability-now-widely-exploited/
• https://thehackernews.com/2026/03/cisco-confirms-active-exploitation-of.html
• https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit

Cisco confirmed active exploitation of two additional SD-WAN Manager vulnerabilities (CVE-2026-20122 and CVE-2026-20128) — bringing the total to four exploited Cisco SD-WAN flaws in eight days. The company also patched two maximum-severity (CVSS 10.0) Secure Firewall Management Center flaws enabling unauthenticated remote code execution as root. Hikvision and Rockwell Automation legacy vulnerabilities were added to the KEV catalog as actively exploited. The network management and OT layer is under simultaneous pressure across SD-WAN, firewall management, IP cameras, and industrial controllers.

• https://thehackernews.com/2026/03/cisco-confirms-active-exploitation-of.html
• https://www.securityweek.com/cisco-warns-of-more-catalyst-sd-wan-flaws-exploited-in-the-wild/
• https://www.helpnetsecurity.com/2026/03/05/cisco-cve-2026-20128-cve-2026-20122-exploited/
• https://www.bleepingcomputer.com/news/security/cisco-flags-more-sd-wan-flaws-as-actively-exploited-in-attacks/
• https://securityaffairs.com/189056/security/cisco-flags-ongoing-exploitation-of-two-recently-patched-catalyst-sd-wan-flaws.html
• https://socradar.io/blog/cisco-catalyst-sd-wan-manager-cve-2026-20122/
• https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html

This week revealed pre-positioned access across every infrastructure layer simultaneously. Google and iVerify exposed Coruna, a nation-state iOS exploit kit with 23 exploits that proliferated from surveillance to espionage to mass criminal deployment in twelve months. Cisco disclosed a CVSS 10.0 SD-WAN zero-day exploited since 2023 with a three-year dwell time. Akamai traced APT28's exploitation of an MSHTML zero-day a month before Microsoft patched it. Google's Android update addressed 129 CVEs including a Qualcomm zero-day under active exploitation. Radware quantified 149 hacktivist DDoS attacks from 12 groups across 16 nations in 72 hours. VMware Aria Operations was added to the KEV catalog. The connecting pattern: the gap between capability creation and mass deployment is collapsing while the gap between compromise and detection continues to widen.

• https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit
• https://iverify.io/blog/coruna-inside-the-nation-state-grade-ios-exploit-kit-we-ve-been-tracking
• https://cyberscoop.com/coruna-ios-exploit-kit-leaked-us-framework/
• https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html
• https://www.akamai.com/blog/security-research/inside-the-fix-cve-2026-21513-mshtml-exploit-analysis
• https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html
• https://thehackernews.com/2026/03/149-hacktivist-ddos-attacks-hit-110.html
• https://thehackernews.com/2026/03/coruna-ios-exploit-kit-uses-23-exploits.html

Google Threat Intelligence Group and iVerify published simultaneous research on Coruna, a nation-state-grade iOS exploit kit containing 23 exploits across five full attack chains targeting iOS 13 through 17.2.1. The kit proliferated from a commercial surveillance vendor to state-linked espionage operations to mass criminal deployment in under twelve months — marking the first observed mass exploitation of mobile devices using nation-state-grade tools. Combined with this week's Cisco SD-WAN three-year dwell time (compliance deadline tonight), APT28's MSHTML zero-day, and a Qualcomm Android zero-day under active exploitation, defenders face a convergence of advanced capabilities being deployed simultaneously across network, desktop, and mobile layers.

• https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit
• https://thehackernews.com/2026/03/coruna-ios-exploit-kit-uses-23-exploits.html
• https://www.helpnetsecurity.com/2026/03/03/coruna-ios-exploit-kit/
• https://iverify.io/blog/coruna-inside-the-nation-state-grade-ios-exploit-kit-we-ve-been-tracking
• https://cyberscoop.com/coruna-ios-exploit-kit-leaked-us-framework/
• https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html
• https://www.akamai.com/blog/security-research/inside-the-fix-cve-2026-21513-mshtml-exploit-analysis
• https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html

Palo Alto Unit 42 published a live threat brief confirming sixty hacktivist groups are now active in coordinated cyber operations, with allied foreign collectives joining the fight. An Electronic Operations Room was established within hours of the strikes to synchronize targeting across the coalition. Check Point Research confirmed that Handala Hack is routing attacks through Starlink IP ranges from inside the nationwide internet blackout, creating a detection blind spot for defenders relying on geographic IP filtering. A national CERT intercepted an OT attack on SCADA systems managing civilian food reserves — representing an escalation from traditional energy targeting to food infrastructure. Actionable guidance covers Starlink ASN blocking, OT exposure hunting, and DDoS preparation for allied foreign convergence.

• https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
• https://blog.checkpoint.com/research/what-defenders-need-to-know-about-irans-cyber-capabilities/
• https://www.infosecurity-magazine.com/news/iran-cyber-attacks-global-google/
• https://www.nextgov.com/cybersecurity/2026/03/intelligence-firms-watch-uptick-iran-cyber-activity-after-us-israel-strikes/411802/
• https://www.sentinelone.com/blog/sentinelone-intelligence-brief-iranian-cyber-activity-outlook/
• https://industrialcyber.co/industrial-cyber-attacks/us-israeli-campaign-triggers-iranian-counteroffensive-targeting-gulf-energy-critical-infrastructure/
• https://cybernews.com/editorial/iran-us-conflict-blackout-cyberattacks-misinformation/
• https://www.digit.in/features/general/elon-musks-starlink-shaping-2026-iran-us-israel-cyber-war-heres-how.html

With conventional military options destroyed in this weekend's coordinated strikes, threat intelligence firms assess that cyber operations are now the sole remaining instrument of asymmetric retaliation — and state-linked cyber units were activated before the kinetic trigger was pulled. This briefing reveals that the wiper malware scenario already happened: a Shamoon 4.0 variant struck Gulf energy infrastructure in January, compromising 15,000 workstations, while port disruptions and rolling blackouts hit weeks before the current escalation. New threat vectors include deepfake social engineering deployed during communications blackouts, with staff receiving fake CEO evacuation messages while internet and news are degraded. CISA is operating at reduced staffing during the most acute threat period in years. Actionable guidance covers wiper preparedness, deepfake countermeasures, OT/ICS hardening, and supply chain contingency planning for simultaneous disruption of the Strait of Hormuz and Red Sea shipping lanes.

• https://www.govexec.com/defense/2026/02/strikes-iran-will-test-us-cyber-strategy-abroad-and-defenses-home/411784/
• https://www.khaleejtimes.com/world/asia/usisraeliran-trigger-unprecedented-cyberattacks
• https://fortune.com/2026/03/01/cyber-retaliation-iran-hack-corporate-security/
• https://fortune.com/2026/02/28/iran-death-ground-existential-threat-us-attacks-retaliation-terrorism-cyberattacks-strait-of-hormuz/
• https://time.com/7381884/iran-missiles-dubai-palm-gulf/
• https://www.cnn.com/world/live-news/israel-iran-attack-02-28-26-hnk-intl
• https://en.wikipedia.org/wiki/2026_Israeli%E2%80%93United_States_strikes_on_Iran
• https://www.ic3.gov/CSA/2025/250630.pdf
• https://windward.ai/blog/middle-east-on-the-precipice-gps-jamming-in-the-arabian-gulf-and-strait-of-hormuz-disrupts-970-ships-daily/
• https://vinciworks.com/blog/the-compliance-fallout-from-the-2026-iran-war-key-risks-and-red-flags/

Ballistic missiles struck targets across multiple Gulf states this weekend in retaliatory strikes following a coordinated military operation that included the largest cyber operation in recorded history. Gulf-wide airspace closures grounded major airlines, the US Navy declared a maritime warning zone across the Strait of Hormuz, and GPS jamming is disrupting nearly a thousand vessels per day. Behind the hacktivist DDoS claims now targeting Gulf organizations, a state-sponsored espionage campaign running since January is accelerating — abusing legitimate remote management tools for persistent access while OT-focused groups target water and energy infrastructure. This special edition delivers prioritized response actions from P0 through P2 drawn from a TLP:CLEAR joint advisory by CISA, FBI, NSA, and DC3.

• https://www.ic3.gov/CSA/2025/250630.pdf
• https://www.cnn.com/world/live-news/israel-iran-attack-02-28-26-hnk-intl
• https://www.cbsnews.com/live-updates/israel-us-attack-iran-trump-says-major-combat-operations/
• https://channel16.dryadglobal.com/heightened-risk-of-gps/ais-interference-in-the-gulf-of-oman-and-strait-of-hormuz-19-february-2026
• https://www.lloydslist.com/LL1156475/Maritime-warning-zone-in-place-as-US-and-Israel-launch-massive-strikes-on-Iran
• https://windward.ai/blog/middle-east-on-the-precipice-gps-jamming-in-the-arabian-gulf-and-strait-of-hormuz-disrupts-970-ships-daily/
• https://www.cisecurity.org/insights/blog/hacktivist-group-dienet-claims-ddos-attacks-against-u-s-c-n-i
• https://www.csis.org/blogs/strategic-technologies-blog/beyond-hacktivism-irans-coordinated-cyber-threat-landscape
• https://www.argusmedia.com/en/news-and-insights/latest-market-news/2794517-mideast-gulf-ships-receive-hormuz-ban-message-ukmto
• https://the420.in/uae-ai-cyberattack-government-systems-foiled/

North Korea's ScarCruft built Ruby Jumper, a five-component toolchain that breaches air-gapped networks by installing a disguised Ruby runtime, weaponizing USB drives as bidirectional command channels, and deploying full-spectrum surveillance including keylogging, audio, and video capture inside physically isolated environments. Separately, Aeternum C2 is a new botnet that writes encrypted commands to smart contracts on the Polygon blockchain, eliminating all traditional takedown mechanisms — no servers to seize, no domains to sinkhole, and $1 of MATIC funds 150 command transactions. Together with the week's coverage of AI supply chain attacks, government database breaches, vishing recruitment, and cloud-based espionage, a clear pattern emerges: every assumption of isolation — physical, logical, legal, and operational — is being systematically dissolved.

• https://thehackernews.com/2026/02/scarcruft-uses-zoho-workdrive-and-usb.html
• https://www.bleepingcomputer.com/news/security/apt37-hackers-use-new-malware-to-breach-air-gapped-networks/
• https://www.threatintelreport.com/2026/02/26/articles/apt37-ruby-jumper-campaign-bridges-air-gapped-networks-using-usb-and-a-portable-ruby-runtime/
• https://thehackernews.com/2026/02/aeternum-c2-botnet-stores-encrypted.html
• https://www.infosecurity-magazine.com/news/aeternum-botnet-c2-polygon/
• https://www.securityweek.com/aeternum-botnet-loader-employs-polygon-blockchain-cc-to-boost-resilience/
• https://hackread.com/aeternum-c2-botnet-polygon-blockchain/
• https://www.scworld.com/brief/aeternum-c2-botnet-leverages-blockchain-for-resilient-command-and-control

Check Point Research disclosed critical vulnerabilities in Anthropic's Claude Code where simply opening an untrusted repository could silently execute commands on a developer's machine, steal API credentials, and compromise an entire team's workspace — all through configuration files treated as harmless metadata. Separately, Google and Mandiant dismantled GRIDTIDE, a China-linked espionage campaign that used Google Sheets as command-and-control infrastructure to breach 53 organizations across 42 countries, targeting telecoms and governments for surveillance. Both stories reveal the same pattern: trusted, inert-looking data becoming active attack surfaces.

• https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/
• https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html
• https://www.theregister.com/2026/02/26/clade_code_cves/
• https://www.darkreading.com/application-security/flaws-claude-code-developer-machines-risk
• https://www.securityweek.com/claude-code-flaws-exposed-developer-devices-to-silent-hacking/
• https://securityaffairs.com/188508/security/untrusted-repositories-turn-claude-code-into-an-attack-vector.html
• https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign
• https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-dozens-of-telecom-firms-govt-agencies/
• https://www.securityweek.com/google-disrupts-chinese-cyberespionage-campaign-targeting-telecoms-governments/
• https://www.infosecurity-magazine.com/news/google-prolific-china-hacking/

Scattered LAPSUS$ Hunters — the cybercrime supergroup behind over 1.5 billion stolen records and the Jaguar Land Rover ransomware attack — is now recruiting women for voice phishing campaigns targeting IT help desks, paying $500-$1,000 per call with scripts provided. CISA simultaneously issued an emergency directive giving federal agencies 48 hours to patch actively exploited Cisco SD-WAN vulnerabilities, while a former U.S. defense contractor executive was sentenced to 7+ years for selling zero-day exploits to a Russian broker.

• https://www.dataminr.com/resources/intel-brief/slh-recruiting-women-for-vishing/
• https://thehackernews.com/2026/02/slh-offers-5001000-per-call-to-recruit.html
• https://pushsecurity.com/blog/scattered-lapsus-hunters
• https://www.immersivelabs.com/resources/blog/scattered-lapsus-hunters-the-cybercrime-group-redefining-threats
• https://www.picussecurity.com/resource/blog/scattered-lapsus-hunters-2025s-most-dangerous-cybercrime-supergroup
• https://federalnewsnetwork.com/cybersecurity/2026/02/cisa-gives-agencies-until-friday-to-patch-critical-cyber-bug/
• https://www.bleepingcomputer.com/