DarkSword exploit chain compromises iOS devices.

Summary

By the N2K CyberWire staff

DarkSword exploit chain compromises iOS devices.

WIRED reports that a new iOS exploit chain and payload called "DarkSword" allows infected websites to silently compromise iOS devices that visit the sites. iVerify, Lookout, and Google jointly published their own reports on the technique yesterday. Google says the suspected Russian espionage group UNC6353 recently began using DarkSword in watering-hole campaigns targeting Ukrainian users.

Lookout explains, "DarkSword is a complete exploit chain and infostealer written in JavaScript. It leverages multiple vulnerabilities to establish privileged code execution to access sensitive information and exfiltrate it off the device. The kill chain begins with Safari encountering the malicious iframe embedded in a web page. Once loaded, Darksword breaks out of the WebContent sandbox and then leverages WebGPU to inject into mediaplaybackd. From there it can craft Kernel read/write access, which it leverages to gain access to privileged processes and modify sandbox restrictions, gaining access to restricted parts of the filesystem."

DarkSword is effective against devices running iOS 18 or earlier, meaning nearly a quarter of iPhones are vulnerable to the attack. iVerify cofounder and researcher Matthias Frielingsdorf notes that the Russian hackers who most recently used the exploit carelessly left the full code exposed on their sites, meaning "[a]nyone who manually grabbed all the different parts of the exploit could put them onto their own web server and start infecting phones."

Cloud outages are routine. Rapid recovery isn't.

When cloud outages hit, speed to recovery turns into a business advantage. Explore how to build multi-cloud resilience and lead through disruption so when outages happen, operations can keep running. Read now.

Ubiquiti fixes a maximum-severity UniFi vulnerability.

Ubiquiti has patched two vulnerabilities in its UniFi Network Application, including a maximum-severity path-traversal flaw (CVE-2026-22557) that can allow attackers to hijack user accounts, BleepingComputer reports. Ubiquiti stated in its advisory, "A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account." Users should ensure their UniFi Network applications are updated to version 10.1.89 or later.

Experience the Power of Community at RSAC 2026 Conference

RSAC™ 2026 Conference returns to San Francisco March 23–26, bringing together the global cybersecurity community for four days of expert insights, hands-on learning, and breakthrough innovation. Join thousands of practitioners, executives, and innovators as they tackle today’s toughest challenges and explore solutions shaping tomorrow. From cutting-edge ideas to immersive programs and vibrant networking, this is where meaningful progress happens. Register today and be part of the conversations driving cybersecurity forward.

CISA urges organizations to secure Intune accounts following Stryker attack.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging organizations to implement best practices to secure their Microsoft Intune instances. The warning follows an Iran-linked cyberattack against US medtech firm Stryker, in which the attackers breached the company's Intune account and used the service's built-in "wipe" command to erase nearly 80,000 corporate devices.

Microsoft's guidance for securing Intune includes implementing the principle of least privilege, using phishing-resistant multifactor authentication and privileged access hygiene, and enabling Multi Admin Approval in Intune for sensitive changes.

Notes.

Today's issue includes events affecting Iran, Russia, Ukraine, and the United States.

Attacks, Threats, and Vulnerabilities

AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January (Infosecurity Magazine) Notorious ransomware group Interlock has been exploiting a Cisco zero-day bug since January, AWS says

New ‘Perseus’ Android malware checks user notes for secrets (BleepingComputer) A new Android malware called Perseus is checking user-curated notes to steal sensitive information, like passwords, recovery phrases, or financial data.

Russian hackers exploit Zimbra flaw to breach Ukrainian maritime agency (The Record) The Russian state-backed hacker group APT28 targeted a Ukrainian government agency by exploiting a vulnerability in Zimbra webmail software.

Legislation, Policy, and Regulation

DHS nominee Mullin pressed on restoring CISA staffing (The Record) Senator Maggie Hassan (D-NH) asked Mullin about Noem’s decision to cut CISA’s workforce by one third and remove hundreds of millions of dollars from the agency’s budget after Trump took office.

Litigation, Investigation, and Law Enforcement

FBI is buying data that can be used to track people, Patel says (Politico) This is the first confirmation that the FBI has resumed actively buying people's data for investigations.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

RSAC 2026 (San Francisco, California, USA, Mar 23 - 26, 2026) Ideas become breakthroughs when shared. Challenges become opportunities when tackled together. That’s the Power of Community—a key focus for RSAC™ 2026 Conference. Real change happens when cybersecurity professionals unite.

Wicked6 Cyber Games (Virtual, Mar 27 - 29, 2026) The premier global event spotlighting WOMEN in Cyber and Tech through exciting, team-based cyber competitions, mentorship, and community engagement. Our virtual, global "Hack and Chat" inspires and empowers women in cybersecurity from over 40 countries across six continents and there's lots of excitement building behind this year's theme. Your investment will enable women from across the globe to meet, learn from each other, play cyber games together and compete in a quality Attack and Defend competition.

SO-CON 2026 (Arlington, Virginia, USA, Apr 13 - 14, 2026) SO-CON is the only conference dedicated to identity-based security and attack path management. The week begins with a two-day main conference packed with talks, research, and community exchange, followed by four days of deep-dive, hands-on trainings led by adversary-experienced practitioners. Training to follow on April 15-18, 2026.

Space Symposium 2026 (Colorado Springs, Colorado, USA, Apr 13 - 16, 2026) Space Symposium is the premier event uniting global space professionals from all sectors, providing a unique platform to explore critical space issues, foster dialogue, and drive innovation across the space industry.

Philadelphia Cybersecurity Summit (Philadelphia, PA, Apr 15, 2026) Maximize your networking opportunities by meeting with fellow industry executives and leading security experts at the upcoming 9th Annual Philadelphia Official Cybersecurity Summit on Wednesday, April 15, 2026. Secure your admission now! Use Code CSS26-CRA before February 18 for Free Admission.*

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 03.19.26

Top stories.

DarkSword exploit chain compromises iOS devices.

Ubiquiti fixes a maximum-severity UniFi vulnerability.

CISA urges organizations to secure Intune accounts following Stryker attack.

Notes.

Attacks, Threats, and Vulnerabilities

Legislation, Policy, and Regulation

Litigation, Investigation, and Law Enforcement

Events