Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack & Vibe-Coded Malware

Another week in cybersecurity brought a mix of victories and challenges. Attackers and defenders were both active, producing a series of events that illustrate the ongoing contest between the two sides.

Threat of the Week

The dismantling of the Tycoon2FA service and LeakBase forum by a coalition of security companies and law enforcement agencies marks a significant step in combating phishing operations. These actions are expected to have a substantial impact on multi-factor authentication (MFA) credential phishing and the phishing-as-a-service (PhaaS) market.

Top News

  • Anthropic Finds 22 Firefox Vulnerabilities: Anthropic’s Claude Opus 4.6 large language model (LLM) identified 22 security vulnerabilities in Firefox, with 14 classified as high severity. These vulnerabilities were addressed in Firefox 148.
  • Qualcomm Flaw Exploited in the Wild: A high-severity flaw in Qualcomm chips used in Android devices has been exploited, with Google acknowledging limited targeted exploitation.
  • Coruna iOS Exploit Kit: Google disclosed details of the Coruna exploit kit targeting older iOS devices, which has been repurposed by various threat actors for different objectives.
  • Transparent Tribe Vibeware: Bitdefender reported that the Pakistan-aligned Transparent Tribe used AI-powered coding tools to create malware targeting Indian government entities.
  • Iranian Hackers Target U.S. Entities: The Iranian hacking group MuddyWater targeted several U.S. companies and organizations, including banks and non-profits, amid geopolitical tensions.

Trending CVEs

The following vulnerabilities are this week’s most critical:

  • CVE-2026-2796 (Mozilla Firefox)
  • CVE-2026-21385 (Qualcomm)
  • CVE-2026-2256 (MS-Agent)
  • CVE-2026-26198 (Ormar)
  • CVE-2026-27966 (langflow)
  • CVE-2025-64712 (Unstructured.io)
  • CVE-2026-24009 (Docling)
  • CVE-2026-23600 (HPE AutoPass License Server)
  • CVE-2026-27636
  • CVE-2026-28289 (aka Mail2Shell) (FreeScout)
  • CVE-2025-67736 (FreePBX)
  • CVE-2025-34288 (Nagios XI)
  • CVE-2025-14500 (IceWarp)
  • CVE-2026-20079 (Cisco Secure Firewall Management Center)
  • CVE-2025-13476 (Viber app for Android)
  • CVE-2026-3336, CVE-2026-3337, CVE-2026-3338 (Amazon AWS-LC)
  • CVE-2026-25611 (MongoDB)
  • CVE-2026-3536, CVE-2026-3537, CVE-2026-3538 (Google Chrome)
  • CVE-2026-27970 (Angular)
  • CVE-2026-29058 (AVideo)

Around the Cyber World

  • AirSnitch Attack: A new attack called AirSnitch bypasses Wi-Fi client isolation, demonstrating the need for additional security measures.
  • 90 Exploited 0-Days in 2025: Google reported 90 zero-day vulnerabilities exploited in 2025, with a significant number impacting enterprise technologies.
  • ClickFix Attack: Velvet Tempest used a ClickFix lure to deploy payloads and conduct reconnaissance, though no ransomware was deployed.
  • Romance Scam Conviction: A Ghanaian national pleaded guilty to his role in a $100 million romance scam and business email compromise attacks.
  • Taiwan Indicts Cyber Scammers: 62 individuals and 13 companies were indicted for their involvement in cyber scams organized by the Prince Group.
  • Ransomware Uses AzCopy: Ransomware operators are using Microsoft’s AzCopy tool to exfiltrate data stealthily.
  • WPEverest Plugin Exploited: Threat actors are exploiting a critical flaw in WPEverest’s User Registration & Membership plugin to create rogue admin accounts.
  • MuddyWater Evolves Tactics: The Iranian hacking group MuddyWater is using Shodan and Nuclei to identify vulnerable targets and exploit recently disclosed CVEs.
  • Valid Certificates Exposed: Over a million unique private keys were leaked across GitHub and Docker Hub, 2,600 of which belong to valid certificates actively protecting major organizations.

Original article: https://thehackernews.com/2026/03/weekly-recap-qualcomm-0-day-ios-exploit.html