Security Check-in Quick Hits: FBI Probes Suspicious Breach in Surveillance Systems, Ongoing Geopolitical Cyber Risks, and Emerging Malware Threats
For March 6, 2026
Surge in Exploitation Attempts for Ivanti CVE-2025-0282 Targets US Infrastructure
In the ever-evolving landscape of cybersecurity threats, a notable spike in exploitation attempts for CVE-2025-0282 has been observed over the past 48 hours, primarily targeting US-based infrastructure. This vulnerability, a critical stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways, was first disclosed in January 2025 with evidence of zero-day exploitation dating back to December 2024. Recent data from honeypots and sensors shows attempts jumping from 500-1500 per day to over 10,000, suggesting the integration of the flaw into automated tools or botnets.
The vulnerability allows unauthenticated remote code execution, enabling attackers to gain initial access and deploy malware like RESURGE, a variant linked to Chinese nation-state actors. CISA has issued alerts on this malware, noting its use in tampering with logs and persisting on compromised devices. Exploitation patterns include crafted HTTP requests to trigger overflows, leading to shell access and further network compromise.
This surge underscores the persistent risks to critical infrastructure, with attackers potentially aiming for espionage or disruption. Organizations using affected Ivanti products should apply patches immediately—available since January 2025 for most versions—and run the Integrity Checker Tool to detect compromises. Monitoring for unusual activity on VPN appliances is crucial to mitigate downstream effects.
As threats like this evolve, staying ahead requires proactive patching and robust detection mechanisms. This incident highlights why vulnerabilities in remote access tools remain a top priority for defenders.
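The 500-1500 to 10,000 per day jump described above is the kind of change a simple baseline alert catches early. The block below is an added example, not code from the article or from any vendor sensor: it parses constructed sensor log lines (the line format, sensor name and tag are assumptions), counts per-day hits for a signature tag, and flags any day whose count is at least five times the median of the preceding days.

```python
"""Added example (not from the article or any vendor tool): a per-day spike
detector for exploitation attempts, run over constructed sensor log lines.
The log format and the sensor/tag names are assumptions."""
from collections import Counter
from statistics import median
import re

# Assumed line format: "<ISO timestamp> sensor=<name> src=<ip> tag=<signature>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ sensor=(?P<sensor>\S+) src=(?P<src>\S+) tag=(?P<tag>\S+)"
)


def count_by_day(lines, tag):
    """Count lines carrying the given signature tag, keyed by calendar day."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("tag") == tag:
            counts[m.group("day")] += 1
    return dict(sorted(counts.items()))


def detect_spikes(daily_counts, factor=5.0, min_baseline_days=3):
    """Flag days whose count is >= factor x the median of all preceding days.
    Median rather than mean, so one earlier burst does not inflate the baseline."""
    days = sorted(daily_counts)
    alerts = []
    for i, day in enumerate(days):
        history = [daily_counts[d] for d in days[:i]]
        if len(history) < min_baseline_days:
            continue
        baseline = median(history)
        if baseline > 0 and daily_counts[day] >= factor * baseline:
            alerts.append((day, daily_counts[day], round(daily_counts[day] / baseline, 1)))
    return alerts


# Constructed daily volumes: a quiet stretch then a jump, scaled down from the article's numbers.
CONSTRUCTED_DAILY = {
    "2026-03-01": 9, "2026-03-02": 12, "2026-03-03": 11,
    "2026-03-04": 8, "2026-03-05": 10, "2026-03-06": 120,
}


def build_sample_lines():
    """Emit constructed log lines matching CONSTRUCTED_DAILY, plus unrelated noise."""
    lines = []
    for day, n in CONSTRUCTED_DAILY.items():
        for k in range(n):
            lines.append(
                f"{day}T{k % 24:02d}:{k % 60:02d}:00Z sensor=hp-us-east "
                f"src=203.0.113.{k % 250 + 1} tag=CVE-2025-0282"
            )
        # noise line with a different tag, which the counter must ignore
        lines.append(f"{day}T12:00:00Z sensor=hp-us-east src=203.0.113.251 tag=generic-scanner")
    return lines


if __name__ == "__main__":
    counts = count_by_day(build_sample_lines(), "CVE-2025-0282")
    for day, n, ratio in detect_spikes(counts):
        print(f"SPIKE {day}: {n} attempts, {ratio}x the prior median")
```

In production the daily counts would come from the SIEM rather than a regex over raw lines, but the alert logic is the same; the median baseline matters because a single earlier burst would otherwise raise the mean and hide the next one.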
LexisNexis Data Breach Exposes Government and Enterprise User Data
A recent data breach at LexisNexis Legal & Professional has come to light, with hackers from the group FulcrumSec claiming responsibility for stealing 2.04 GB of structured data from the company’s AWS infrastructure. Confirmed by the company on March 3, 2026, the incident involved unauthorized access to legacy servers containing data mostly from before 2020, including customer names, user IDs, business contacts, IP addresses from surveys, and support tickets.
The attackers allege deeper access, including 400,000 cloud user profiles with names, emails, phones, and job roles, as well as 21,000 enterprise customer accounts from government agencies, law firms, and universities. Notably, over 118 profiles were linked to .gov emails, belonging to federal judges, DOJ attorneys, SEC staff, and court clerks, raising concerns for the legal and government sectors. Additional compromised assets reportedly include AWS secrets, password hashes, and VPC maps.
While LexisNexis insists the breach is contained and affects limited, outdated data, the exposure of personal and professional information could lead to targeted phishing, identity theft, or further breaches. This follows previous incidents, such as a 2025 breach impacting 360,000 individuals.
Affected users should monitor for suspicious activity, update passwords, and enable MFA. For organizations, this serves as a reminder to audit cloud configurations and retire legacy data stores. The incident emphasizes the ongoing challenges in securing vast data analytics platforms against sophisticated threats.
International Takedown of Tycoon 2FA Phishing-as-a-Service Platform
In a major blow to cybercrime, a global coalition including Europol, Microsoft, and cybersecurity firms dismantled the Tycoon 2FA phishing-as-a-service (PhaaS) platform on March 4, 2026. Active since August 2023, this subscription-based toolkit enabled adversaries-in-the-middle (AitM) attacks to bypass multi-factor authentication (MFA), facilitating large-scale credential theft.
The platform, sold via Telegram for as little as $120 for 10 days, was linked to 64,000 attacks and sent fraudulent emails to over 500,000 organizations monthly, accounting for 62% of phishing attempts blocked by Microsoft by mid-2025. It targeted sectors like healthcare and education, leading to breaches at nearly 100,000 organizations worldwide. The operation seized 330 domains, including phishing pages and control panels, with support from a U.S. court order and a $10 million civil complaint.
This takedown disrupts a key enabler for low-skilled cybercriminals, but similar services may emerge. Users and organizations should adopt hardware-based MFA, monitor for AitM indicators, and use advanced email filtering. The collaboration highlights the effectiveness of public-private partnerships in combating PhaaS ecosystems.
As phishing evolves, this victory reinforces the need for layered defenses and international cooperation to stay ahead of adaptive threats.
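Hardware-based MFA resists the adversary-in-the-middle technique Tycoon 2FA relied on because a FIDO2/WebAuthn assertion is bound to the origin the browser was actually on and to the relying-party ID. The block below is an added example, not code from the article, Microsoft or Europol: it implements the origin, challenge, rpIdHash and user-presence checks a relying party performs, with constructed domain names, challenge and authenticator data (signature verification is left out).

```python
"""Added example (not from the article, Microsoft or Europol): the context
checks a WebAuthn relying party performs on an assertion, which is why
hardware-bound FIDO2 MFA resists adversary-in-the-middle proxies. Domain
names, challenge and authenticator data are constructed; the signature
check over authData || sha256(clientDataJSON) is out of scope here."""
import base64
import hashlib
import json
import os

RP_ID = "example.com"                              # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}     # assumed genuine login origin


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser emits. The browser,
    not the page, fills in the origin it is actually loaded from."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """Constructed authenticatorData: sha256(rpId) || flags || 32-bit counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion_context(client_data_json: bytes, auth_data: bytes,
                             expected_challenge: bytes, rp_id: str, allowed_origins):
    """Return (ok, reason) after checking type, challenge, origin, rpIdHash and
    user presence, in the order the WebAuthn spec lists them."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    try:
        challenge = b64url_decode(data.get("challenge", ""))
    except ValueError:
        return False, "challenge is not base64url"
    if challenge != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    origin = data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin {origin} not allowed"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo():
    """Genuine sign-in versus an assertion relayed from a proxy's domain (constructed)."""
    challenge = os.urandom(32)
    genuine = verify_assertion_context(
        make_client_data(challenge, "https://login.example.com"),
        make_auth_data(RP_ID), challenge, RP_ID, ALLOWED_ORIGINS)
    # A browser sitting on a proxy's domain stamps that origin into clientDataJSON,
    # so even a correctly relayed challenge fails the origin check.
    relayed = verify_assertion_context(
        make_client_data(challenge, "https://login.example.net"),
        make_auth_data(RP_ID), challenge, RP_ID, ALLOWED_ORIGINS)
    return genuine, relayed
```

The origin check alone is enough to reject the relayed assertion, and a proxy cannot simply edit the origin field because the authenticator's signature covers the hash of clientDataJSON; browsers additionally refuse to use an rpId that is not a registrable suffix of the page's own origin, so the proxy cannot even request an assertion for the genuine RP ID.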
Discovery of Coruna iOS Exploit Kit Reveals Advanced Mobile Threats
Google’s Threat Intelligence Group unveiled details on March 3, 2026, about Coruna (aka CryptoWaters), a sophisticated iOS exploit kit containing 23 exploits across five chains targeting iPhones running iOS 13.0 to 17.2.1. This powerful toolkit fingerprints devices and deploys WebKit-based exploits, using non-public techniques to bypass mitigations.
Initially spotted in February 2025 for surveillance, it shifted to state-linked watering-hole attacks on Ukrainian sites in July 2025, and by December 2025, to financially motivated campaigns via fake gambling and crypto sites. The kit’s proliferation from commercial vendors to nation-states and cybercriminals underscores the commoditization of advanced exploits.
Impacts include potential spyware deployment for espionage or financial theft, affecting users up to iOS 17.2.1 (December 2023 release). iPhone owners should update to the latest iOS version immediately, as newer releases mitigate these chains.
This revelation stresses the importance of timely updates and multi-layer mobile security, including app vetting and avoiding suspicious sites. It also calls for greater scrutiny of exploit markets to curb their spread.
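For a fleet administrator the actionable part of the advisory is the version range, and the boundary cases (17.2 is inside it, 17.2.1 is the last affected release, 17.3 is outside) are where a naive string comparison goes wrong. The block below is an added example, not code from the article or Google's Threat Intelligence Group: it parses reported iOS versions into integer tuples and sorts constructed inventory records into update-needed, ok and unparseable buckets.

```python
"""Added example (not from the article or Google TIG): a fleet triage helper
that flags iPhones whose reported iOS version falls in the 13.0 to 17.2.1
range the article says Coruna targets. Inventory records are constructed."""

AFFECTED_MIN = (13, 0)
AFFECTED_MAX = (17, 2, 1)


def parse_version(text):
    """'17.2.1' -> (17, 2, 1); returns None for anything non-numeric or missing."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except (AttributeError, ValueError):
        return None


def is_in_affected_range(version):
    """Tuple comparison orders (17, 2) before (17, 2, 1) and (17, 3) after it,
    so a two-part version inside the range is still caught."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def triage_fleet(inventory):
    """Split records into update-needed, ok and unknown (unparseable) buckets.
    Anything above 17.2.1 is treated as outside the kit's range per the article;
    whether it is the latest release is a separate check against Apple's list."""
    result = {"update": [], "ok": [], "unknown": []}
    for rec in inventory:
        version = rec.get("os_version")
        if parse_version(version) is None:
            result["unknown"].append(rec["device_id"])
        elif is_in_affected_range(version):
            result["update"].append(rec["device_id"])
        else:
            result["ok"].append(rec["device_id"])
    return result


# Constructed inventory records (device IDs and versions are made up).
CONSTRUCTED_INVENTORY = [
    {"device_id": "ip-001", "os_version": "17.2.1"},   # last affected release
    {"device_id": "ip-002", "os_version": "17.3"},     # just past the range
    {"device_id": "ip-003", "os_version": "16.7.2"},
    {"device_id": "ip-004", "os_version": "12.5.7"},   # below the range
    {"device_id": "ip-005", "os_version": "n/a"},      # MDM had no value
    {"device_id": "ip-006", "os_version": "17.2"},     # two-part version inside the range
]

if __name__ == "__main__":
    for bucket, ids in triage_fleet(CONSTRUCTED_INVENTORY).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Devices in the "unknown" bucket deserve a follow-up rather than being treated as safe; a missing version is usually a stale or unenrolled device.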