Originally reported by The Hacker News, Microsoft Security, Qualys, SANS ISC, MSRC Security Updates
TL;DR
A new iOS exploit kit called DarkSword uses three zero-days for complete device compromise, while Interlock ransomware actively exploits a critical Cisco FMC vulnerability with CVSS 10.0 severity. Meanwhile, AI coding agents like Claude Code are operating in enterprise environments without traditional security controls.
The DarkSword iOS exploit kit includes three zero-day vulnerabilities for full device takeover, and Interlock ransomware is actively exploiting a critical CVSS 10.0 Cisco FMC vulnerability. Both represent immediate, high-impact threats to enterprise security.
The cybersecurity landscape faces multiple critical threats this week, from sophisticated iOS exploit chains to active ransomware campaigns targeting network infrastructure. Simultaneously, the emergence of AI coding agents has created new security blind spots in enterprise environments.
Google Threat Intelligence Group, iVerify, and Lookout have documented a new iOS exploit kit dubbed DarkSword that has been active since at least November 2025. According to GTIG, the kit exploits six vulnerabilities total, including three zero-day flaws, to achieve full device takeover on Apple iOS devices.
Multiple commercial surveillance vendors and suspected state-sponsored actors have deployed the full-chain exploit kit. The sophisticated nature of the attack chain suggests significant resources and technical capabilities behind its development, marking a concerning escalation in mobile device targeting.
Amazon Threat Intelligence reports an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software. The flaw, rated CVSS 10.0, stems from insecure deserialization of user-supplied Java byte streams, allowing unauthenticated remote attackers to gain root access.
The vulnerability enables attackers to completely compromise FMC deployments, providing a foothold for lateral movement and ransomware deployment across managed firewall infrastructure. Organizations using Cisco FMC should prioritize patching this critical exposure.
Ceros research highlights a significant security blind spot as AI coding agents like Claude Code operate across enterprise environments without traditional identity and access controls. These agents read files, execute shell commands, and call external APIs while remaining largely invisible to existing security frameworks.
Security teams have invested years in building controls for human users and service accounts, but AI agents represent an entirely new category of actor that operates outside these established boundaries. This gap requires immediate attention as AI coding tools scale across engineering organizations.
Microsoft Security published guidance on observability for AI systems, emphasizing the need for visibility into autonomous AI behavior to detect risks proactively. As AI systems grow more autonomous, traditional security monitoring approaches require adaptation to capture AI decision-making processes and potential security implications.
The framework addresses the growing need for security teams to understand and monitor AI system behavior, particularly as these systems gain greater autonomy and access to sensitive resources.
The U.S. Treasury's Office of Foreign Assets Control sanctioned six individuals and two entities involved in North Korean IT worker schemes designed to defraud U.S. businesses. The network uses fake remote job positions to generate illicit revenue for North Korea's weapons of mass destruction programs.
This action highlights the ongoing threat posed by DPRK IT workers infiltrating legitimate businesses, often using sophisticated identity fraud techniques to secure remote positions and access sensitive systems.
Microsoft Security Response Center published multiple CVE advisories covering Linux kernel vulnerabilities, including:
CVE-2026-23231: Use-after-free vulnerability in netfilter nf_tablesCVE-2026-23242: NULL pointer dereference in RDMA/siw header processingCVE-2026-23245: Race condition in network scheduler act_gateCVE-2026-23246: Bounds-check issue in Wi-Fi mac80211 implementationCVE-2026-23247: TCP sequence number security weaknessAdditional vulnerabilities include file system flaws in f2fs (CVE-2026-23233) and NTFS3 (CVE-2025-71266), along with Python cookie validation issues (CVE-2026-3644) and pyOpenSSL TLS bypass conditions (CVE-2026-27448).
SANS ISC documented interesting developments in attack patterns, including a specific payload signature "MAGIC_PAYLOAD_KILLER_HERE_OR_LEAVE_EMPTY_iranbot_was_here" appearing in Cowrie honeypot logs. The activity, traced to IP 64.89.161.198, included port scanning, successful Telnet authentication, and web-based attacks.
Separately, SANS researchers noted increased scanning activity targeting Adminer, the lightweight alternative to phpMyAdmin. While Adminer maintains a better security record than its predecessor, its single-file deployment model and minimal configuration requirements make it an attractive target for automated scanning campaigns.
Qualys outlined a five-step approach for transforming reactive compliance checks into continuous audit readiness. The framework addresses the persistent challenge of manual coordination when audit periods approach, despite continuous generation of security findings and control data across multiple systems.
Originally reported by The Hacker News, Microsoft Security, Qualys, SANS ISC, MSRC Security Updates