Originally reported by The Hacker News, SANS ISC, MSRC Security Updates
TL;DR
Security researchers linked the Coruna iOS exploit kit to the 2023 Operation Triangulation campaign and discovered a WebRTC-based payment skimmer that bypasses Content Security Policy controls. Apple released patches for 85 vulnerabilities across all platforms with no active exploitation reported.
The Coruna iOS exploit kit represents active exploitation using updated code from the sophisticated Operation Triangulation campaign, while the WebRTC skimmer demonstrates novel bypass techniques for established security controls.
Kaspersky researchers have confirmed that the Coruna iOS exploit kit uses kernel exploit code derived from the sophisticated Operation Triangulation campaign that targeted iOS devices in 2023. The security firm's analysis revealed that while initial public evidence was insufficient to establish the connection, deeper technical examination shows Coruna represents an updated version of the same exploitation framework.
The link between these campaigns suggests threat actors are iterating on proven zero-day exploitation techniques rather than developing entirely new capabilities. This evolution pattern indicates the persistence and refinement of advanced mobile targeting operations.
Sansec researchers have identified a novel payment card skimmer that leverages WebRTC data channels to circumvent Content Security Policy (CSP) protections on e-commerce sites. Unlike traditional skimmers that rely on HTTP requests or image beacons for payload delivery and data exfiltration, this malware exploits WebRTC's peer-to-peer communication capabilities to bypass established security controls.
The technique represents a significant evolution in web-based payment fraud, demonstrating how attackers adapt to defensive measures by exploiting legitimate browser APIs in unexpected ways. The point for defenders is that the directives most sites rely on against skimmers (connect-src, img-src, form-action) do not govern RTCPeerConnection traffic at all; the only CSP control that does is the CSP Level 3 webrtc directive (webrtc 'block'), which is not yet universally supported. Organizations relying solely on CSP for skimmer protection should reassess their defense strategies.
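To make the gap concrete, here is a small Content-Security-Policy analyser, added as an illustration rather than code from Sansec or the original article. It parses a CSP header and reports, per exfiltration channel a skimmer might use, whether the policy closes it. The two sample policies are constructed for this example; the assumption it encodes (mine, from the CSP Level 3 specification) is that connect-src, img-src and form-action do not apply to WebRTC and that only webrtc 'block' disables it. It runs under Node.js with no network access.

```javascript
// Added example: CSP analyser showing why connect-src/img-src alone do not
// stop a WebRTC-based skimmer. Assumption (from CSP Level 3): RTCPeerConnection
// is governed only by the `webrtc` directive; `connect-src` does not apply.

// Parse a CSP header value into { directiveName: [sourceExpressions...] }.
// Directives are ';'-separated, tokens whitespace-separated; names are
// case-insensitive, and a repeated directive is ignored (first one wins).
function parseCsp(header) {
  const directives = {};
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Exfiltration channels a skimmer can use and the directive governing each.
// WebRTC is the odd one out: no fetch directive or default-src fallback
// applies to it, only the dedicated `webrtc` directive.
const CHANNELS = {
  fetchOrXhr:  { directive: 'connect-src', fallback: 'default-src' },
  imageBeacon: { directive: 'img-src',     fallback: 'default-src' },
  formPost:    { directive: 'form-action', fallback: null },
  webrtc:      { directive: 'webrtc',      fallback: null },
};

// Scheme-only sources that would let any attacker-controlled origin through.
const OPEN_NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);

// A source list blocks exfiltration to an attacker host unless it is absent,
// contains '*', or contains a bare network scheme such as https:.
function blocksArbitraryHost(sources) {
  if (sources === undefined) return false;
  return !sources.some(s => s === '*' || OPEN_NETWORK_SCHEMES.has(s.toLowerCase()));
}

// Returns { channel: true|false } where true means the policy closes it.
function assessExfil(header) {
  const d = parseCsp(header);
  const result = {};
  for (const [channel, { directive, fallback }] of Object.entries(CHANNELS)) {
    if (directive === 'webrtc') {
      // Only an explicit `webrtc 'block'` closes this channel.
      const values = (d.webrtc || []).map(s => s.toLowerCase());
      result[channel] = values.includes("'block'");
      continue;
    }
    const sources = d[directive] !== undefined
      ? d[directive]
      : (fallback ? d[fallback] : undefined);
    result[channel] = blocksArbitraryHost(sources);
  }
  return result;
}

// Constructed sample policies (not taken from any real site).
// A typical "locked down" checkout-page CSP that still leaves WebRTC open:
const WEAK_CSP =
  "default-src 'self'; script-src 'self' https://cdn.example; " +
  "connect-src 'self'; img-src 'self' data:; form-action 'self'";
// The same policy with the CSP Level 3 directive that actually closes WebRTC:
const HARDENED_CSP = WEAK_CSP + "; webrtc 'block'";

// Human-readable summary listing the channels a policy leaves open.
function summarize(label, header) {
  const open = Object.entries(assessExfil(header))
    .filter(([, blocked]) => !blocked)
    .map(([channel]) => channel);
  return `${label}: open exfil channels = ${open.length ? open.join(', ') : 'none'}`;
}

console.log(summarize('weak', WEAK_CSP));         // weak: open exfil channels = webrtc
console.log(summarize('hardened', HARDENED_CSP)); // hardened: open exfil channels = none
```

The analyser deliberately treats an absent or wildcard directive as open: a policy with no form-action, or with connect-src https:, offers the attacker a host of their choosing, which is the same failure mode the WebRTC channel exposes when the webrtc directive is missing.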
The GlassWorm malware campaign has evolved to deploy a multi-stage framework that installs remote access trojans and cryptocurrency-focused information stealers. The latest variant deploys a malicious Chrome extension masquerading as an offline Google Docs version, which captures keystrokes, dumps cookies and session tokens, and takes screenshots of victim systems.
Notably, the campaign uses Solana blockchain dead drops for command and control communications, highlighting how threat actors leverage decentralized technologies for operational security.
Russian law enforcement authorities have arrested the alleged administrator of the LeakBase cybercrime forum in Taganrog. The suspect is accused of creating and managing a criminal marketplace that facilitated the sale of stolen credentials and personal data. The arrest represents continued international cooperation in dismantling major cybercrime infrastructure, though the impact on the forum's operations and user base remains unclear.
Apple released comprehensive security updates addressing 85 vulnerabilities across macOS, iOS, iPadOS, tvOS, watchOS, and visionOS. The patches cover the three most recent macOS releases and the two most recent iOS/iPadOS releases, while tvOS, watchOS, and visionOS are patched in their current versions only. Importantly, Apple reported no active exploitation of these vulnerabilities at the time of disclosure.
The update also introduces Background Security Improvements, though specific details about these enhancements were not disclosed. Security teams should prioritize deployment of these updates across their Apple device fleets.
Microsoft's Security Update Guide added 29 new CVE entries covering various software components and libraries. Notable disclosures include:
CVE-2026-33186: gRPC-Go authorization bypass via missing leading slash in path validation
CVE-2026-25075: strongSwan EAP-TTLS AVP parsing integer underflow affecting versions 4.5.0 through 6.0.5
CVE-2026-2297: Python SourcelessFileLoader vulnerability related to io.open_code() usage
CVE-2026-29111: systemd local privilege escalation allowing unprivileged users to trigger assertions
Additional CVEs address kernel-level issues in Linux subsystems including networking, BPF, HID, and various device drivers. Organizations should review these disclosures for applicable components in their environments.
The Hacker News announced an upcoming webinar focused on validating security defenses against real-world attacks. The session addresses the gap between deployed security controls and their effectiveness against actual threat scenarios, emphasizing the need for continuous validation rather than assumption-based security postures.