The CyberWire Daily Podcast 3.4.26
Ep 2501 | 3.4.26

When zero-days escape the lab.

Transcript

A suspected U.S. exploit kit shows up in global iOS attacks. Facebook goes down briefly worldwide. A critical help-desk flaw enables remote code execution. Juniper PTX routers face a major bug. LastPass warns of phishing. Telegram becomes a cybercrime marketplace. Healthcare groups fight relaxed IT rules. A stolen Gemini API key runs up massive bills. CISA’s CIO departs. Our guest is Brian Long, CEO and Co-Founder of Adaptive Security, discussing how AI is reshaping social engineering. The problem of posthumous profiles.

Today is Wednesday March 4th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Welcome to the show. This week we’re coming to you from Zero Trust World in Orlando, Florida, where we’re joining security leaders and practitioners from across the industry. Our coverage here is made possible by our sponsors at ThreatLocker, who’ve brought the community together to talk all things Zero Trust, resilience, and the future of cybersecurity. Thanks for listening, and thanks to ThreatLocker for helping make it possible.

A possible U.S.-developed exploit framework surfaces in global iOS attacks. 

Researchers say a sophisticated exploit kit possibly originating from a leaked U.S. government framework is behind what may be the first mass-scale attack against Apple’s iOS. Google’s Threat Intelligence Group and mobile security firm iVerify reported Tuesday that the tool, known as the Coruna exploit kit, uses zero-day vulnerabilities and has already appeared in multiple campaigns across the cybercrime and espionage landscape.

Google observed the kit being used over the past year in operations tied to a surveillance vendor’s customer and in attacks against Ukrainian targets attributed to a suspected Russian espionage group. Investigators later recovered the full toolkit from a financially motivated cybercriminal group operating in China. iVerify estimates the campaign may have compromised at least 42,000 iOS devices, a significant figure for Apple’s tightly controlled ecosystem.

The spread of the toolkit resembles an “EternalBlue moment,” referring to the leaked NSA exploit that fueled the global WannaCry and NotPetya outbreaks in 2017. While evidence suggests possible U.S. government origins, the exact path of the leak remains unclear. Apple previously issued patches related to the attacks, which researchers link to the earlier Operation Triangulation campaign.

Facebook suffered a brief global outage. 

Facebook experienced a global outage that prevented users from accessing their accounts, displaying a message that accounts were temporarily unavailable due to a site issue. According to DownDetector, the disruption began around 4:15 PM ET and affected users worldwide. Meta’s status page reported “high disruptions” affecting Facebook Ad Manager, Instagram Boost, and the WhatsApp Business API. The outage was later resolved by 6:21 PM ET, restoring access for users. Facebook had not yet provided details about the cause of the disruption.

A critical help-desk vulnerability enables remote code execution. 

A critical vulnerability in the open-source help desk platform FreeScout could allow attackers to execute remote code without user interaction. Tracked as CVE-2026-28289 with a CVSS score of 10.0, the flaw bypasses a recent patch for another remote code execution bug, CVE-2026-27636.

Researchers at Ox Security found the bypass uses a zero-width space character in a filename to evade validation checks designed to block malicious .htaccess uploads. Because the invisible character passes the initial check and is later removed during sanitization, the file is ultimately saved as a valid dotfile on the server.

Attackers can exploit the issue by sending a malicious email to a FreeScout mailbox, requiring no authentication or user interaction. Successful attacks could allow full server compromise, data theft, and lateral movement. The flaw affects FreeScout 1.8.206 and earlier and was fixed in version 1.8.207.
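As an added illustration (not code from the advisory, from Ox Security, or from the FreeScout project), the Python below models the ordering defect the researchers describe: a dotfile check that runs on the raw filename, followed by a sanitizer that strips the invisible character and so produces the very name the check was meant to reject. The hardened version canonicalizes first and validates the exact string that will be written. The function names, the NFKC normalization step, and the sample filenames are assumptions constructed for this example.

```python
import os
import unicodedata


def is_dangerous(name: str) -> bool:
    """Reject any dotfile outright (a leading dot is all Apache needs to
    treat .htaccess specially), plus empty names. Assumed policy, not
    FreeScout's own check."""
    return name == "" or name.startswith(".")


def strip_invisible(name: str) -> str:
    """Sanitizer: drop Unicode format characters (general category Cf).
    That class contains U+200B ZERO WIDTH SPACE as well as U+200C, U+200D
    and U+FEFF, so a name that merely looks harmless is reduced to what
    the filesystem will actually see."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def store_name_vulnerable(filename: str):
    """Validate first, sanitize later: the sequence the advisory describes.
    Returns the name that would be written, or None if rejected."""
    if is_dangerous(filename):
        return None
    # The raw name passed the check because its first character was the
    # zero-width space, not the dot; stripping it now yields ".htaccess".
    return strip_invisible(filename)


def store_name_hardened(filename: str):
    """Canonicalize first, then validate the canonical form.
    Returns the name that would be written, or None if rejected."""
    canonical = strip_invisible(filename)
    # Assumption beyond the advisory: fold compatibility forms (e.g. a
    # fullwidth full stop) so look-alike characters cannot dodge the check.
    canonical = unicodedata.normalize("NFKC", canonical)
    # Keep only the final path component so traversal segments cannot
    # smuggle the file out of the upload directory.
    canonical = os.path.basename(canonical)
    if is_dangerous(canonical):
        return None
    return canonical


if __name__ == "__main__":
    # Constructed sample: the attachment name begins with U+200B.
    crafted = "\u200b.htaccess"
    print("vulnerable:", store_name_vulnerable(crafted))   # .htaccess
    print("hardened:  ", store_name_hardened(crafted))     # None
    print("hardened:  ", store_name_hardened("invoice.pdf"))  # invoice.pdf
```

The defensive point is that every check must run against the final, canonical value, never against a representation that a later step will still transform. A second layer that the example does not show, and that makes the ordering question moot, is to ignore the user-supplied name entirely when choosing the on-disk name and keep the original only as metadata.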

Juniper PTX routers expose a critical vulnerability. 

A critical vulnerability in Juniper Networks’ Junos OS Evolved could allow attackers to gain root-level access to PTX Series routers. Tracked as CVE-2026-21902 with a CVSS score of 9.3, the flaw stems from improper permission settings in the On-Box Anomaly Detection framework, which runs as root and is enabled by default. Researchers at watchTowr discovered the issue. If exposed through certain configurations, attackers could exploit it without authentication and gain full control of affected routers. Juniper has advised restricting access via firewalls or access lists and plans to release a patch.

LastPass warns users about a new phishing campaign. 

LastPass is warning users about a new phishing campaign designed to steal master passwords. The emails impersonate LastPass by spoofing the display name, a tactic that can hide the real sender address in many email clients, especially on mobile devices. Messages claim there has been suspicious activity, such as unauthorized access or a master password change, and urge recipients to act quickly. Links in the emails lead to a fake LastPass login page that harvests credentials. LastPass has published indicators of compromise, including malicious URLs, IP addresses, and sender details, and is working with partners and hosting providers to take down the phishing sites.

Researchers say Telegram has increasingly become a central hub for cybercriminal activity. 

Researchers at CYFIRMA say Telegram has increasingly become a central hub for cybercriminal activity, replacing many traditional Dark Web forums. Unlike Tor-based marketplaces that could disappear when law enforcement shut them down, Telegram channels can quickly reappear if banned, allowing criminal communities to maintain operations with minimal disruption.

According to the analysis, hackers use Telegram as a fast, automated marketplace where bots help sell stolen credentials, malware subscriptions, and “initial access” to corporate networks. Channels also host large databases of stolen login data and serve as platforms for ransomware groups to pressure victims by posting leak previews and countdowns.

The platform is also used by hacktivist groups to coordinate distributed denial-of-service (DDoS) attacks and promote campaigns. Although Telegram has increased cooperation with law enforcement, including sharing user data in hundreds of investigations, researchers say cybercriminal activity on the platform continues to grow.

Healthcare groups lobby against relaxed IT certification rules. 

Healthcare industry groups are warning that proposed changes to U.S. health IT certification rules could weaken privacy and security protections. The Office of the National Coordinator for Health IT (ONC), part of the Department of Health and Human Services, has proposed reducing certification criteria from 60 to 34 to ease regulatory burdens on software developers and encourage innovation.

However, organizations including the College of Healthcare Information Management Executives and the American Hospital Association argue that removing requirements such as authentication, access controls, and authorization would shift responsibility for cybersecurity and HIPAA compliance from vendors to healthcare providers. They warn the change could increase costs and expose hospitals to greater cyber risk, particularly as the healthcare sector remains a frequent ransomware target.

Industry groups also raised concerns about removing patient-matching requirements tied to care transitions, saying it could increase patient misidentification risks and undermine data security.

A stolen Google Gemini API key leads to big bills. 

A startup developer says their company was hit with over $82,000 in unauthorized charges after a stolen Google Gemini API key was abused within 48 hours. The small Mexico-based firm normally spends about $180 a month on cloud services, but attackers used the compromised key to generate heavy usage of Gemini 3 Pro image and text models. After revoking the key and contacting support, the developer said Google cited its shared responsibility model, meaning customers must secure their own credentials.

Researchers at Truffle Security also found 2,863 publicly exposed Google API keys that could be used to access Gemini services, potentially allowing attackers to access stored data and generate costly AI requests. The issue stems partly from older API keys that were originally meant as public project identifiers but now also function as Gemini credentials. Google says it is working on fixes and mitigation measures.

CISA’s CIO steps down. 

Robert Costello, chief information officer at the Cybersecurity and Infrastructure Security Agency, announced Tuesday that he is stepping down after nearly five years in the role and 18 years with the Department of Homeland Security. In a LinkedIn post, Costello described serving as CISA’s CIO as one of the greatest privileges of his career, highlighting the agency’s progress in strengthening cybersecurity defenses, modernizing critical systems, and building lasting capabilities.

During his tenure, Costello championed improved technology to help recruit talent, supported responses to emerging vulnerabilities, and promoted the use of artificial intelligence to enhance CISA’s mission. He also frequently represented the agency at industry events and in public discussions about cybersecurity.

Costello expressed deep gratitude for the public servants he worked alongside across DHS, CISA, and the U.S. Air Force. His departure comes amid broader leadership changes at the agency.


The problem of posthumous profiles. 

The OpenID Foundation is warning that the internet has a serious blind spot: what happens to our digital lives after we die. In a new report, The Unfinished Digital Estate, the group says there is no consistent global standard for handling the accounts of deceased users, leaving everything from email and social media to cryptocurrency in a legal and technical gray area.

Right now, platforms treat death like a rare corner case, even though it eventually applies to every internet user. According to the report, the lack of coordination could invite fraud, identity abuse, and even scams powered by deepfake technology that impersonates the deceased to manipulate friends or relatives.

The problem is compounded by privacy laws like GDPR and CCPA, which largely stop protecting personal data after death. The foundation is urging policymakers and tech companies to establish clearer digital inheritance rules, stronger identity protections, and standardized systems that allow trusted individuals to manage accounts without relying on shared passwords.

Because while the internet never forgets, it also hasn’t figured out when it should let go.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.