By the N2K CyberWire staff
Top stories.
- Cyber operations accompany the war in Iran.
- GPS jamming hits the Strait of Hormuz.
- Maximum-severity FreeScout flaw enables full server compromise.
- A possible US-developed exploit framework surfaces in global iOS attacks.
- Law enforcement disrupts Tycoon 2FA phishing-as-a-service platform.
- FBI investigates breach of wiretap management systems.
Cyber operations accompany the war in Iran.
Disruptive cyberattacks followed the outbreak of war between the US, Israel, and Iran, SecurityWeek reports. After coordinated US and Israeli airstrikes on February 28th killed Iranian Supreme Leader Ali Khamenei and other senior officials, Iran responded with missile and drone attacks on US bases and Israel, causing some casualties and damage.
In cyberspace, reported US-Israeli operations disrupted Iranian news outlets, government services, and Islamic Revolutionary Guard Corps communications, and allegedly included distributed denial-of-service attacks and deeper intrusions into energy and aviation systems. A prolonged nationwide internet blackout followed, though it remains unclear whether that outage stemmed from external cyber activity or internal government controls. Pro-Western hackers also hijacked a popular Iranian prayer app, sending out push notifications that called for Iranians to take up arms against their government.
Pro-Iranian groups also launched cyberattacks against their adversaries, claiming to have breached fuel infrastructure in Jordan and manufacturing and energy distribution systems in Israel. Radware is tracking pro-Iranian hacktivist activity following the launch of the US-Israeli military offensive in Iran on February 28th, noting, "The hacktivist threat in the Middle East is highly lopsided, with two groups, Keymous+ and DieNet, driving nearly 70% of all attack activity between February 28 and March 2." DDoS attacks targeted multiple Israeli telecommunications providers and technology organizations, as well as Saudi Arabian government entities, the government website of Qatar, and government, transportation, and infrastructure sites in Bahrain and the UAE.
Physical attacks are also causing disruptions of online services: Amazon disclosed that Iranian drone strikes damaged three of its AWS data centers in the United Arab Emirates and one in Bahrain, causing extensive cloud outages, the BBC reports.
GPS jamming hits the Strait of Hormuz.
WIRED reports that GPS jamming attacks have disrupted more than 1,100 ships in the Strait of Hormuz since the first US-Israeli strikes against Iran on February 28th. Maritime intelligence firm Windward said in a report that interference attacks against GPS or automatic identification system (AIS) technology have made ships appear in the wrong locations on maps, including on Iranian land, at airports, and inside a nuclear power plant. GPS interference was common in the region before the outbreak of war, but Windward is now tracking "at least 21 new AIS jamming clusters across the UAE, Qatari, Omani, and Iranian waters." The researchers note, "Traffic through the Strait of Hormuz slowed, with some Western-affiliated tankers transiting dark or reversing course."
Maximum-severity FreeScout flaw enables full server compromise.
FreeScout, an open-source help desk and shared mailbox service, has issued a fix for a maximum-severity patch bypass flaw (CVE-2026-28289), SecurityWeek reports. FreeScout released an initial patch for an authenticated remote code execution flaw (CVE-2026-27636) several days ago. Researchers at Ox Security then discovered a patch bypass that escalates the issue to a zero‑click, unauthenticated RCE flaw with a CVSS score of 10.0. Users are urged to update to FreeScout v1.8.207 as soon as possible.
A possible US-developed exploit framework surfaces in global iOS attacks.
Researchers have identified an iOS exploit framework that compromised at least 42,000 devices, CyberScoop reports. Notably, the framework appears to have been developed by the US government before being leaked into the wild and repurposed by criminals and foreign nation-states. Researchers at iVerify and the Google Threat Intelligence Group (GTIG) have published separate reports on the toolkit, with iVerify calling the campaign the "first observed mass exploitation of mobile phones, including iOS, by a criminal group using tools likely built by a nation-state."
GTIG explains, "The exploit kit, named 'Coruna' by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses."
The researchers have observed the exploit kit being used by China-based cybercriminals and by a Russian espionage actor targeting Ukrainians.
Law enforcement disrupts Tycoon 2FA phishing-as-a-service platform.
A Europol-coordinated law enforcement operation shuttered 330 domains used by the popular phishing-as-a-service platform Tycoon 2FA, dismantling the core infrastructure of the criminal service. Microsoft used a court order to seize the domains with support from private-sector partners, while the seizure of infrastructure was carried out by law enforcement in Latvia, Lithuania, Portugal, Poland, Spain, and the United Kingdom. Tycoon 2FA grew to be one of the largest phishing services in the world after it emerged in 2023, accounting for 62% of all phishing attacks observed by Microsoft in mid-2025.
In addition to law enforcement entities, Microsoft credits Proofpoint, Intel 471, eSentire, SpyCloud, Cloudflare, Health‑ISAC, Resecurity, Trend Micro, Coinbase, and the Shadowserver Foundation for their contributions to the takedown.
FBI investigates breach of wiretap management systems.
The US FBI is investigating a breach of systems used to manage foreign intelligence surveillance and wiretap warrants, CNN reports. A source told CNN that officials are still working to determine the scope of the incident. The source said the incident "has prompted senior officials at the FBI and Justice Department focused on civil liberties and national security to respond." The Bureau said in a statement, "The FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond."
BleepingComputer notes that China's Salt Typhoon cyberespionage operation in 2024 compromised systems used by the US government for court-authorized wiretapping requests, though it's unclear if the latest breach is related.