Archive for Hacked

Freedom Mobile Appears To Have Been Pwned AGAIN

Posted in Commentary on March 20, 2026 by itnerd

As frequent readers of this blog might be aware, I am a Freedom Mobile customer. Their pricing and amazing roaming options are what attracted me to the carrier. But I have to admit that I am now rethinking my life choices, because according to this Reddit thread some Freedom Mobile customers are getting an email saying that between January 12 and 18, 2026 the telco got pwned and the following data was swiped:

  • First and last name
  • Home address
  • Email address
  • Date of birth
  • Phone numbers (home and/or cell)
  • Freedom Mobile account number

This was further backed up by this post on the Freedom Mobile website that showed up on March 18th. And based on the data that was swiped, highly targeted phishing attacks are likely on the horizon for Freedom Mobile customers. Something that I should point out is that only Freedom Mobile customers who have been affected got an email. But you should not assume that if you are a Freedom Mobile customer and you didn’t get an email that you are in the clear.

For those keeping score at home, this is the third time that Freedom Mobile has been pwned. They were pwned in December 2025, and they were pwned in 2019. Thus proving that what I said about how substandard their security is was accurate. Freedom Mobile honestly needs to justify why their customers should continue to be their customers, because this telco clearly has a problem that they can’t or won’t fix. So Freedom, are you going to do that and detail how you are going to ensure that there is not a fourth go-round of getting pwned? Or are you going to simply stay silent and hope that this simply goes away? I’ll be watching to see which route you take. And so will your customers. Choose which path you take wisely.

“DarkSword” iOS Exploit Can Steal Data from iPhones

Posted in Commentary on March 18, 2026 by itnerd

Researchers have uncovered a new iOS exploit kit dubbed “DarkSword” used to steal data from potentially millions of iPhones running iOS 18.4 through 18.6.2. The attack is linked to the Russian hacking group UNC6353, which recently used the Coruna exploit chain reported by Google and iVerify.

Brian Bell, CEO of customer identity and access management platform FusionAuth, provided the following comments:

“When a device can be silently compromised when visiting a website, perimeter-based and device-based security collapse. That’s not a future risk, it’s the current reality for anyone with a mobile user base.

The right response isn’t to wait for your users to patch. It’s to build authentication that assumes the device is already compromised. Short-lived tokens, step-up authentication before sensitive actions, forced re-authentication when signals change. Design for the breach, not against it.

And here’s the piece that most teams miss: most authentication platforms are SaaS; your token policies, session controls, and audit logs live in someone else’s cloud, under someone else’s access controls. But when authentication runs inside your own infrastructure, isolated from external dependencies, a compromised device doesn’t cascade into a compromised system. Identity is your last defense, so make sure you own it.”

If you are worried about this new exploit, the fix is simple: update to iOS 26, which apparently is not affected. The most recent version of iOS 18, which at the time of this article is 18.7.3, is also not affected. But I would just go straight to iOS 26 as it is likely to protect you from more than this single exploit.
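To make the “design for the breach” advice above concrete, here is an added illustration for this page. It is not FusionAuth code and uses no vendor API; the policy names, signal fields and thresholds are all assumptions. It models three of the controls named in the comment: short-lived access tokens, step-up authentication before sensitive actions, and forced re-authentication when the device signals bound to a session change.

```python
"""Session policy that assumes the device may already be compromised.

Added illustration for this page; not FusionAuth code and not any vendor
API. Policy names, signal fields and all thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

ACCESS_TOKEN_TTL = timedelta(minutes=10)  # assumption: short-lived access tokens
STEP_UP_VALIDITY = timedelta(minutes=5)   # assumption: how long a step-up stays fresh
SENSITIVE_ACTIONS = {"change_email", "add_payment_method", "export_data"}  # assumption


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"        # prompt for a second factor, keep the session
    REAUTHENTICATE = "reauth"  # end the session, require a fresh login


@dataclass(frozen=True)
class DeviceSignals:
    """Signals bound to the session when the token was issued (assumed set)."""
    device_id: str
    os_version: str
    ip_country: str


@dataclass
class Session:
    user: str
    issued_at: datetime
    signals: DeviceSignals
    last_step_up: Optional[datetime] = None


def evaluate(session: Session, observed: DeviceSignals, action: str, now: datetime) -> Decision:
    """Decide how to treat one request against a session.

    Order matters: a signal change or an expired token forces a fresh login
    before any step-up logic runs, because a step-up on a session that may
    belong to an attacker proves nothing.
    """
    # 1. The device no longer looks like the one the token was issued to.
    #    Legitimate OS updates also trip this; that is the deliberate trade-off
    #    when the design assumes the device may be compromised.
    if observed != session.signals:
        return Decision.REAUTHENTICATE
    # 2. The short-lived token has expired.
    if now - session.issued_at > ACCESS_TOKEN_TTL:
        return Decision.REAUTHENTICATE
    # 3. Sensitive actions need a recent second factor, not just a live session.
    if action in SENSITIVE_ACTIONS:
        if session.last_step_up is None or now - session.last_step_up > STEP_UP_VALIDITY:
            return Decision.STEP_UP
    return Decision.ALLOW


def demo() -> dict:
    """Walk one session through the policy; returns decision names by scenario."""
    t0 = datetime(2026, 3, 18, 9, 0, tzinfo=timezone.utc)
    issued_on = DeviceSignals("dev-A1", "18.6.2", "CA")  # constructed
    session = Session("alice", issued_at=t0, signals=issued_on)
    results = {}
    results["read_profile"] = evaluate(session, issued_on, "read_profile", t0 + timedelta(minutes=1))
    results["sensitive_without_step_up"] = evaluate(session, issued_on, "change_email", t0 + timedelta(minutes=1))
    session.last_step_up = t0 + timedelta(minutes=2)  # user completed a second factor
    results["sensitive_after_step_up"] = evaluate(session, issued_on, "change_email", t0 + timedelta(minutes=3))
    results["step_up_expired"] = evaluate(session, issued_on, "change_email", t0 + timedelta(minutes=9))
    results["token_expired"] = evaluate(session, issued_on, "read_profile", t0 + timedelta(minutes=11))
    moved = DeviceSignals("dev-A1", "18.6.2", "RU")  # constructed: same device, new country
    results["signals_changed"] = evaluate(session, moved, "read_profile", t0 + timedelta(minutes=1))
    return {name: decision.value for name, decision in results.items()}


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:28s} -> {decision}")
```

The point of the ordering in `evaluate` is that re-authentication decisions are made before any step-up is offered: if the device looks different from the one the token was issued to, the session is ended rather than asked for a second factor it may no longer control.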

Posted in Commentary on March 18, 2026 by itnerd

Cybersecurity researchers at Akamai are reporting a sharp rise in malicious online activity following the outbreak of conflict involving Iran, with cybercrime increasing by 245% since late February. The surge includes widespread activity such as credential harvesting attempts, automated reconnaissance, and probing of enterprise infrastructure as attackers capitalize on geopolitical instability.

The financial sector has been the most heavily impacted, accounting for approximately 40% of observed malicious traffic, followed by e-commerce, gaming, and technology companies.

Researchers also observed significant increases in:

  • Automated reconnaissance traffic – Up 65%
  • Credential harvesting attempts – Up 45%
  • Infrastructure scanning for exposed services – Up 52%
  • Botnet-driven discovery traffic – Up 70%
  • DDoS reconnaissance – Up 38%

Analysts warn that the volume and sophistication of activity are likely to persist as cyber operations continue to accompany broader geopolitical tensions.

Sunil Gottumukkala, CEO, Averlon, provided this comment:

   “The surge in activity following geopolitical tensions is consistent with what we typically see in these environments. Early-stage signals like reconnaissance, credential harvesting, and infrastructure probing tend to increase significantly as attackers look for initial access opportunities.

   “Enterprises should assume this activity will persist and focus on preparedness. That means staying on top of attack surface and exposure management to reduce exploitable vulnerabilities and ensure known weaknesses cannot be used to gain initial access. It also means strengthening identity security and monitoring for credential misuse, since many of these campaigns rely on stolen credentials.

   “The organizations that fare best are the ones that treat this activity as a precursor to more targeted attacks and invest in visibility into their exposure and rapid remediation of high-risk issues.”

Michael Bell, Founder & CEO, Suzu Labs, supplied this comment:

   “The 245% number is real but the breakdown underneath it matters more than the headline. Only 14% of the malicious traffic Akamai observed originated from Iranian IPs. Russia accounted for 35% and China 28%, which tells you this isn’t just Iranian retaliation. Russia and China are taking a “never let a good crisis go to waste” approach, using the conflict as operational cover to ramp up scanning, credential harvesting, and infrastructure mapping while defenders are focused on the named adversary.

   “The attack mix confirms it. Botnet discovery traffic up 70% and automated reconnaissance up 65% means most of what Akamai is measuring is the setup phase, not the main event. The actual attacks that follow this reconnaissance, using the access and mapping being built right now, will be worse than the current numbers suggest.”

Phillip Wylie, Chief Security Evangelist & Senior Consultant, Suzu Labs, follows with this comment:

   “Geopolitical conflict has always created opportunity for cyber threat actors, whether they are nation-state aligned groups, cybercriminals exploiting distraction, or opportunistic attackers taking advantage of heightened uncertainty. What we are seeing now is consistent with historical patterns where global instability increases scanning, credential attacks, and reconnaissance activity as organizations shift attention toward crisis response.

   “What stands out is not just the volume increase but the automation behind it. Attackers are clearly leveraging AI-assisted tooling, botnets, and automated discovery techniques to quickly identify weak points while defenders are distracted. This reinforces the importance of continuous exposure management, strong identity security, and monitoring for abnormal reconnaissance behavior, not just traditional alert-driven detection.

   “Organizations should treat these spikes as a reminder that external events often translate into increased cyber risk. Security teams should prioritize basic defensive discipline such as patching exposed services, enforcing MFA, monitoring for credential abuse, and validating DDoS readiness. In periods of global tension, good cyber hygiene and visibility often make the biggest difference.”

Jacob Warner, Director of IT, Xcape, Inc., had this comment:

   “The recent surge in Iranian cyber activity following Operation Epic Fury highlights a sophisticated “loud vs. quiet” strategic pivot. High-profile “wiper” attacks, where large amounts of data are deleted, on entities like Stryker dominate headlines and cause immediate operational paralysis. Meanwhile, state-sponsored actors are simultaneously executing quiet, long-term espionage campaigns.

   “For security professionals, the danger lies in the “loud” attacks serving as a massive smoke screen, drawing incident response resources away from deep-seated persistence in critical infrastructure.

   “Defenders must look past the immediate carnage of defacements and wipers to hunt for “living off the land” techniques and compromised administrative tools like UEM and MDM platforms. Prioritizing identity security and behavioral analytics is the only way to catch the quiet intruder while the sirens are blaring.

   “In modern conflict, the wiper attack is just a loud invitation to a heist that has been running for months.”

We clearly live in interesting times. That is a bad thing at the moment as threats from threat actors are all around us. Meaning that we all have to be on our toes to counter those threats.

TELUS Digital Pwned By Shiny Hunters

Posted in Commentary on March 13, 2026 by itnerd

Bleeping Computer is reporting that the notorious hacking group ShinyHunters has pwned TELUS Digital, which provides outsourced business services. Since TELUS Digital likely has a lot of sensitive info in its possession, it would be a big target for threat actors.

Here’s what TELUS Digital said:

“TELUS Digital is investigating a cybersecurity incident involving unauthorized access to a limited number of our systems. Upon discovery, we took immediate steps to address the unauthorized activity and secure our systems against further intrusion. We are actively managing the situation and continue to monitor it closely,” Telus told BleepingComputer.

“All business operations within TELUS Digital remain fully operational, and there is no evidence of disruption to customer connectivity or services. As part of our response, we have engaged leading cyber forensics experts to support our investigation, and we are working with law enforcement.”

“We have implemented additional security measures to further safeguard our systems and environment. As our investigation progresses, we are notifying any impacted customers, as appropriate. The security of our customers’ information continues to be our highest priority.”

The thing is, today is March 13th. Bleeping Computer found out about this in January, and TELUS Digital didn’t respond to Bleeping Computer at that time. Read into that what you will. What’s worse is that ShinyHunters apparently demanded $65 million in ransom. TELUS clearly didn’t pay up, and by the way nobody should ever pay threat actors. So here we are talking about it.

Sucks to be TELUS Digital.

University of Mississippi Medical Center Hack Claimed by Medusa

Posted in Commentary on March 12, 2026 by itnerd

A ransomware group called Medusa today took credit for last month’s cyber attack on the University of Mississippi Medical Center.

UMMC shut down its clinics and cancelled appointments from February 19 to March 2, 2026 to contain the attack. The medical center lost access to phone lines, email, and patient records. 

Commenting on this news is Rebecca Moody, Head of Data Research at Comparitech: 

“The fact that Medusa has now added UMMC to its data leak site suggests a ransom hasn’t been paid — for the data at least. And its demand of $800,000, which is double the average across its other confirmed healthcare attacks from this group, could be for a number of reasons. It may be because Medusa believes the data it’s stolen from UMMC is of a higher value than others, or it could be because of how much publicity the attack has received. 

Whatever the reasoning for the high ransom and whatever the data is that has potentially been stolen, UMMC needs to provide patients and employees with an update as soon as possible. According to our data, the average breach on a healthcare provider following an attack via Medusa involves 195,000 records, which is a significant figure. Understandably, it takes organizations a long time to analyze the breached data and identify everyone who’s been affected (Bell Ambulance is a prime example with its recent increase in those affected from 114,000 to nearly 238,000), but if all employees and patients are aware of a potential data breach from the offset, it helps them mitigate the risks involved with a data leak. 

Anyone whose data is associated with UMMC should start monitoring their accounts for any unauthorized activity and should be on high alert for any potential phishing campaigns, especially those purporting to be from UMMC.”

Once again, healthcare is the target for threat actors. At this point this is not new information. The problem is that this keeps happening. And this needs to stop ASAP as attacks on the healthcare sector are out of control.

BlackSanta malware campaign targets HR departments with EDR-killing payload 

Posted in Commentary on March 12, 2026 by itnerd

Researchers at Aryaka have identified a year-long cyber campaign in which attackers send corporate HR departments messages containing links to files disguised as job applications or resumes. The files deliver malware, dubbed BlackSanta, designed to disable security tools before stealing data.

The attack typically starts with victims downloading an ISO file hosted on cloud storage services, which contains seemingly legitimate documents and scripts. When opened, the file executes commands that download additional payloads and deploy the BlackSanta malware. The module functions as an “EDR killer,” disabling antivirus and endpoint detection and response tools at the kernel level, allowing attackers to operate on compromised systems with minimal resistance.

Once security controls are disabled, the malware can perform system reconnaissance, harvest credentials, and exfiltrate sensitive data from the compromised network. Researchers say the campaign specifically targets HR workflows because recruitment staff routinely open files from external applicants and may not scrutinize attachments as closely as security or IT teams, making them a practical entry point into enterprise environments.

Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:

   “HR is a very practical point of entry. This has been a common attack path for a long time, so much so that fake resumes and job applications are taught as phishing lures because they work. HR staff are constantly interacting with unknown external people, opening files, and following up on inbound submissions as part of normal business, which makes them much easier to target than users in IT or finance, who are usually more security conscious and more conditioned to be suspicious.

   “A foothold is a foothold. Attackers do not need to land on the most privileged user first if they can compromise a softer target, establish access, and move laterally from there. HR is attractive because it combines lower resistance with real value. Even if it does not always have the same technical access as IT or the same direct financial access as finance, it often holds a broad set of personal information on both employees and applicants. That data can be stolen, resold, reused in future phishing and social engineering, or leveraged for broader fraud and identity theft.

   “This is not some new or surprising attack path. Most of the tradecraft involved is well known and has become fairly standard across the criminal ecosystem. Using an ISO to get past boundary level detections is a common technique, and the layered execution and EDR tampering here are a good example of how capabilities that once felt more specialized have become easier to obtain and reuse.

   “That broader commercialization matters. Advanced tooling, stolen information, and even direct access are now routinely bought, sold, shared, and reused, which keeps lowering the barrier to entry.”

Rajeev Raghunarayan, Head of GTM, Averlon:

   “The bigger risk isn’t the initial HR compromise. It’s what those compromised credentials or systems can reach. In many environments, HR processes intersect with identity and access workflows, which means an initial foothold can potentially lead to broader access across the organization if permissions and controls are not tightly managed.

   “Many environments still have overly broad permissions that allow attackers to move laterally once they gain a foothold. Organizations need to understand how identities and privileges become part of attack chains, not just focus on the endpoint where the malware first lands.”

Noelle Murata, Sr. Security Engineer, Xcape, Inc.:

   “The BlackSanta campaign utilizes malicious ISO files disguised as job applications to deliver a specialized “EDR killer” payload to corporate targets. This malware operates at the kernel level to systematically disable antivirus and endpoint detection tools, effectively blinding security operations centers before data exfiltration begins.

   “For security professionals, this represents a critical escalation in the arms race between attackers and defensive telemetry. When an adversary can reliably neuter the primary visibility tool of the modern enterprise, the entire incident response playbook is rendered obsolete. While HR departments remain a vulnerable entry point due to their operational need to open external files, the true threat lies in the sophisticated ability of this malware to achieve total silence on the host.

   “Defenders must pivot toward a defense-in-depth strategy that includes robust application control and the enforcement of “least privilege” for kernel-level drivers. Implementing hardware-backed security features and isolated environments for processing untrusted external documents can help mitigate the risk when endpoint agents are compromised.

   “If the EDR can’t see the fire, the whole building burns down before the first alarm sounds.”

This is a scary one as this attack kills the canary in the coal mine so there are no warnings. Thus it’s a good time to look at what you can do to make this less of a threat.

Stryker Pwned By Iran Backed Hackers

Posted in Commentary on March 12, 2026 by itnerd

US medical company Stryker has been pwned in a cyber attack by Iran-backed cybercriminals. Here are some details on this attack:

Stryker is a Fortune 500 company that specializes in the manufacturing of surgical equipment, orthopedic implants, and neurotechnology. Headquartered in Michigan, the company employs approximately 56,000 people and reported over $25 billion in revenue for 2025. Its critical role in the healthcare supply chain makes it an essential partner for hospitals worldwide.

The Iran-linked hacker group named Handala has taken credit for the attack, claiming to have struck an “unprecedented blow” to the company.

The hackers claim to have wiped more than 200,000 servers, mobile devices, and other systems, forcing Stryker to shut down offices in 79 countries. They also allegedly stole 50TB of data from the company’s systems. 

Handala has been highly active since the start of the US-Israel-Iran conflict.

Lee Sult, Chief Investigator, Binalyze, had this to say:

“The Stryker attack looks to be the first drop of blood in the water as a result of nation-state and hacktivist activity off the back of the Iran conflict. This attack confirms Western organizations are not only in the adversary’s crosshairs, but the adversary can also make the shot. More shots are coming.

“An attack like this is about damage and spreading chaos. Handala is using a scorched earth approach, they get in fast, wipe devices, steal data, and leave chaos behind them. Thousands of employees locked out of devices isn’t just an operational crisis. It quickly becomes a financial, reputational, and potentially life-and-property risk. 

“Speed is everything when attacks like this happen. Investigation can’t be an afterthought, organizations need to know if the attackers are still inside systems, which systems are impacted, and how the attackers got in. The faster those questions are answered, the faster you can begin recovery.

“Stryker could be the first in a wave of attacks. Cyber assets friendly to the Iranian regime have regrouped and are actively circling their next target sets. Organizations need to be monitoring for IOCs linked to Iran-backed campaigns – including those seen in Operation Olalampo and APT35. But it’s also about reinforcing the basics: software needs to be patched, phishing-resistant MFA enabled, and having a clear plan to isolate devices and systems when suspicious activity arises. In firefighting terms, it’s time to cancel vacations and pre-stage your fire companies near critical assets.”

The age of hybrid warfare has clearly begun. That means that every single one of us needs to re-evaluate how secure we are and take the steps required to make sure that it is as hard as possible for a threat actor to pwn you. Given the state of the world at the moment, this isn’t optional anymore.

UPDATE: Ensar Seker, CISO at SOCRadar, has provided the following commentary: 

“Claims like wiping 200,000 devices and extracting tens of terabytes of data should be treated cautiously until independently verified. Hacktivist groups often exaggerate operational impact for psychological effect. However, even if the scale is smaller than claimed, a wiper-style attack against a global medical technology company is serious because it targets operational continuity rather than just data theft. In the healthcare ecosystem, outages affecting device manufacturers or support systems can ripple across hospitals, supply chains, and patient care environments.

What makes this incident notable is the alleged use of enterprise management infrastructure to execute a destructive campaign. If attackers gained access to tools such as mobile device or endpoint management platforms, they could push destructive commands at scale across thousands of systems almost instantly. That shifts the attack from traditional ransomware or espionage into a coordinated operational disruption, which is consistent with the tactics we increasingly see in geopolitically motivated hacktivism tied to regional conflicts.

Groups like Handala represent the blurred line between hacktivism, state alignment, and information operations. Many of these actors position themselves as ideological collectives, but their campaigns often align with broader geopolitical narratives. Targeting a global medical technology provider may be intended less as a financially motivated attack and more as a symbolic demonstration that Western critical industries can be disrupted during geopolitical tensions.

Organizations should take this as a reminder that destructive cyber operations are no longer limited to nation-state military targets. Companies in healthcare, manufacturing, and critical supply chains should prioritize stronger identity security around administrative tools, strict segmentation of device-management platforms, and continuous monitoring for anomalous mass actions such as remote wipes or bulk configuration pushes. In many modern attacks, the damage is done not through sophisticated malware but through the abuse of legitimate enterprise management capabilities.”
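The last point in that commentary, continuous monitoring for anomalous mass actions such as remote wipes or bulk configuration pushes, is something a SOC can actually wire up. Below is an added illustration for this page, not Stryker’s, SOCRadar’s or any MDM vendor’s code: the audit-log format is constructed for the example and the thresholds are assumptions, so the parser would need to be adapted to a real platform’s audit export. It flags a single administrator account issuing a burst of destructive actions, and any single action that targets an unusually large number of devices.

```python
"""Flag anomalous mass actions in device-management audit logs.

Added illustration for this page, not Stryker's, SOCRadar's or any MDM
vendor's code. The log format is constructed and the thresholds are
assumptions; adapt parse_event() to your platform's real audit export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that can destroy or reconfigure a fleet (assumed names).
DESTRUCTIVE_ACTIONS = {"remote_wipe", "factory_reset", "bulk_config_push"}
WINDOW = timedelta(minutes=10)  # assumption: sliding window per administrator
PER_ADMIN_THRESHOLD = 5         # assumption: alert on the 6th destructive action in WINDOW
BULK_TARGET_LIMIT = 100         # assumption: one action hitting >= 100 devices alerts

# Constructed sample: a help-desk account wiping six laptops in twenty seconds,
# a service account pushing a profile to 1,200 devices, and ordinary noise.
SAMPLE_LOG = [
    "2026-03-10T02:14:07Z admin=svc-mdm action=inventory_sync device=LAP-0001",
    "2026-03-10T02:15:00Z admin=helpdesk-a.lee action=remote_wipe device=PHN-0330 reason=lost",
    "2026-03-10T03:01:12Z admin=helpdesk-j.doe action=remote_wipe device=LAP-0419",
    "2026-03-10T03:01:15Z admin=helpdesk-j.doe action=remote_wipe device=LAP-0420",
    "2026-03-10T03:01:19Z admin=helpdesk-j.doe action=remote_wipe device=LAP-0421",
    "2026-03-10T03:01:22Z admin=helpdesk-j.doe action=remote_wipe device=LAP-0422",
    "2026-03-10T03:01:26Z admin=helpdesk-j.doe action=remote_wipe device=LAP-0423",
    "2026-03-10T03:01:30Z admin=helpdesk-j.doe action=remote_wipe device=LAP-0424",
    "2026-03-10T03:02:41Z admin=svc-mdm action=bulk_config_push profile=baseline-v9 targets=1200",
    "2026-03-10T05:40:00Z admin=helpdesk-a.lee action=remote_wipe device=PHN-0331 reason=lost",
]


def parse_event(line: str) -> dict:
    """Parse 'ISO8601 key=value key=value ...' into a dict with a datetime 'ts'."""
    ts_str, rest = line.split(" ", 1)
    event = dict(pair.split("=", 1) for pair in rest.split())
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_mass_actions(lines, threshold=PER_ADMIN_THRESHOLD,
                        window=WINDOW, bulk_limit=BULK_TARGET_LIMIT):
    """Return alerts for per-admin bursts of destructive actions and oversized bulk actions."""
    recent = defaultdict(deque)  # admin -> timestamps of destructive actions still in window
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        # One command aimed at a large slice of the fleet is suspicious on its own.
        targets = int(ev.get("targets", "1"))
        if targets >= bulk_limit:
            alerts.append({"admin": ev["admin"], "ts": ev["ts"],
                           "reason": f"{ev['action']} targeted {targets} devices"})
        # Sliding-window count of destructive actions per administrator.
        q = recent[ev["admin"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) == threshold + 1:  # first crossing only: one alert per burst
            alerts.append({"admin": ev["admin"], "ts": ev["ts"],
                           "reason": f"{len(q)} destructive actions within {window}"})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_actions(SAMPLE_LOG):
        print(f"{alert['ts'].isoformat()} {alert['admin']}: {alert['reason']}")
```

Two of the ten constructed lines produce alerts: the help-desk account on its sixth wipe in under a minute, and the service account’s push to 1,200 devices. The two isolated wipes hours apart from the other account stay below the threshold, which is the behaviour you want from a rule meant to catch mass actions rather than routine lost-device handling.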

Russia-linked hackers breach Signal and WhatsApp accounts

Posted in Commentary on March 11, 2026 by itnerd

Reuters is reporting that Russia-linked hackers have breached the messaging accounts of officials, journalists, and activists using apps including Signal and WhatsApp, according to a warning issued by the Dutch government. This is something that I have covered here in the past.

Authorities say the campaign involved targeted account takeovers that allowed attackers to access private communications and potentially monitor sensitive conversations. The activity highlights how threat actors can gain access to messaging platforms without breaking encryption by compromising accounts or exploiting weaknesses in how applications and devices are trusted.

Mark Mazur, Field CTO, Approov Mobile Security, had this to say:

“Account takeover attacks often exploit applications’ failure, particularly messaging applications, to accurately assess the risk of tampered mobile applications and devices.

“Security teams need to treat mobile applications and the devices they run on as potential sources of threats. Cloning and modifying an app downloaded from an app store, on a rooted or jailbroken device is an increasing risk due to AI-powered reverse engineering. RASP, Attestation and cryptographically signed API messages should be used in mobile applications to minimize these risks.”
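Of the three controls named in that comment, cryptographically signed API messages are the easiest to show in code. Below is an added illustration for this page; it is not Approov code and not the protocol of Signal or WhatsApp. The canonical string format, the nonce handling and the 60-second skew window are assumptions, and the key is a constructed demo value: in a real deployment the signing key would be provisioned to each app instance through attestation, never baked into the shipped binary. The server checks freshness, then uniqueness, then the signature, so a captured message cannot be replayed and a tampered body fails verification.

```python
"""Signed API messages with replay protection, as a defence against account
takeover through a cloned or tampered client.

Added illustration for this page; not Approov code and not the protocol of
Signal or WhatsApp. Canonical string format, nonce handling and the skew
window are assumptions, and the key is a constructed demo value.
"""
import hashlib
import hmac

MAX_SKEW_SECONDS = 60  # assumption: tolerated clock drift between client and server


def canonical_request(method: str, path: str, body: bytes, ts: int, nonce: str) -> bytes:
    """Bind method, path, body digest, timestamp and nonce into one string to sign."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_digest, str(ts), nonce]).encode()


def sign_request(key: bytes, method: str, path: str, body: bytes, ts: int, nonce: str) -> str:
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    return hmac.new(key, canonical_request(method, path, body, ts, nonce), hashlib.sha256).hexdigest()


class Verifier:
    """Server side: checks freshness, uniqueness and signature, in that order."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> ts; a real service would use a shared cache

    def verify(self, method, path, body, ts, nonce, signature, now) -> bool:
        # 1. Stale or future-dated requests are rejected before any crypto work.
        if abs(now - ts) > self.max_skew:
            return False
        # 2. Forget nonces that could no longer pass the freshness check anyway,
        #    then reject anything already accepted once.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= 2 * self.max_skew}
        if nonce in self.seen_nonces:
            return False
        # 3. Constant-time comparison against the expected signature.
        expected = sign_request(self.key, method, path, body, ts, nonce)
        if not hmac.compare_digest(expected, signature):
            return False
        self.seen_nonces[nonce] = ts
        return True


def demo() -> dict:
    """Exercise the verifier with a valid, replayed, tampered and stale request."""
    key = b"constructed-demo-key-not-a-real-secret"  # constructed
    verifier = Verifier(key)
    path = "/v1/messages"
    body = b'{"action":"send","to":"contact-42"}'  # constructed payload
    ts = 1_773_792_000                             # constructed epoch seconds
    sig = sign_request(key, "POST", path, body, ts, "nonce-0001")
    results = {}
    results["valid"] = verifier.verify("POST", path, body, ts, "nonce-0001", sig, now=ts + 5)
    # The same message captured and sent again: nonce already seen.
    results["replay"] = verifier.verify("POST", path, body, ts, "nonce-0001", sig, now=ts + 6)
    # Body altered by a tampered client while the signature is left as it was.
    tampered = b'{"action":"send","to":"contact-99"}'
    results["tampered_body"] = verifier.verify("POST", path, tampered, ts, "nonce-0002", sig, now=ts + 7)
    # Correctly signed, but presented ten minutes late.
    stale_sig = sign_request(key, "POST", path, body, ts, "nonce-0003")
    results["stale"] = verifier.verify("POST", path, body, ts, "nonce-0003", stale_sig, now=ts + 600)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14s} -> {'accepted' if ok else 'rejected'}")
```

Signing alone does not stop a cloned app that has extracted the key, which is why the comment pairs it with attestation and RASP: the signature proves the message was not altered in transit, and attestation is what ties the key to a genuine, unmodified app instance.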

Having strict policies on the use of personal devices for business, as well as using MDM products to manage apps on devices and detect jailbroken devices, are some ways to keep users safe. Organizations should look at options like those to mitigate the potential threat that this scenario poses.

38 million customers impacted in ManoMano third-party data breach

Posted in Commentary on February 27, 2026 by itnerd

ManoMano, a European online DIY, home improvement marketplace with 50 million visitors per month, is notifying customers about a significant data breach that affected an estimated 38 million individuals after it discovered unauthorized access in January 2026 linked to one of its third-party customer service providers.

Although not confirmed, it is rumored that the compromised organization was a customer support service provider that suffered a Zendesk breach. Investigations found that personal data from customer accounts and interactions was extracted by the attackers.

A threat actor using the alias “Indra” claimed responsibility on a hacker forum, alleging possession of roughly 37.8 million user records, over 900,000 service tickets, and over 13,000 attachments. The exposed information varied by individual and may include full names, email addresses, phone numbers, and the contents of customer service communications.

ManoMano stated that account passwords were not accessed and there is no evidence of data being altered within its internal systems. Upon discovering the incident, the company disabled the subcontractor’s access to customer data, strengthened access controls and monitoring, notified relevant authorities, and began informing potentially affected users with guidance on vigilance against phishing and other threats.

Noelle Murata, Sr. Security Engineer, Xcape, Inc.:

   “The data breach at ManoMano allowed the threat actor “Indra” to abscond with almost 38 million user records and close to a million service tickets. Although internal systems were unaffected, this highlights the inherent dangers associated with the “extended enterprise” model and reliance on third parties. This incident is believed to be connected to a broader exploitation of Zendesk. It underscores the sensitivity of customer support communications that frequently contain unmasked personal information and user behavior data.

   “The true prize lies not merely in contact details but also in the 13,000 pilfered attachments and service logs that provide the ideal blueprint for highly targeted phishing attacks. The primary threat isn’t necessarily account hijacking, but rather scams referencing actual past purchases or support interactions. Any communication purporting to be from a support representative should be viewed with suspicion.

   “Retailers should take this event as a strong impetus to enforce stringent vendor security protocols. This includes minimal data sharing, robust access controls, ongoing monitoring, and swift mechanisms to revoke third-party access when suspicious activity is detected.

   “When a contractor gets breached, the fallout belongs to you, not the subcontractor.”

Denis Calderone, CTO, Suzu Labs:

   “ManoMano wasn’t breached directly. Their outsourced customer support provider got compromised, and through that one access point attackers pulled millions of customer records and close to a million support tickets. This is the supply chain problem we keep talking about. You can lock your own house down all you want, but if your subcontractor leaves their door open, your data walks out through their environment.

   “What really caught our attention though is the support ticket data. People don’t think about what lives in support tickets. It’s not just names and emails. It’s conversations, order details, complaints, account issues, file attachments. That’s gold for social engineering. An attacker can reference your specific order, your specific complaint, and suddenly that phishing email doesn’t look like phishing anymore. It looks like a legitimate follow-up from customer support.

   “So, if you’re outsourcing customer support, ask yourself if a single agent account on the provider’s side can export your entire customer database? What kind of export controls exist to minimize the blast radius from a breach such as this? If you don’t know the answers, that’s where you start.”
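The two questions at the end of that comment, whether one agent account can export the whole customer database and what limits the blast radius, have concrete answers in code. Below is an added illustration for this page, not ManoMano’s, Zendesk’s or any help-desk product’s code: the ticket fields, the 24-hour cap and the masking rules are assumptions. It shows three controls working together: exports scoped to the requesting agent’s own tickets, a per-agent volume cap, and data minimisation (masked contact details, no attachments) with every request audited whether it was allowed or refused.

```python
"""Least-privilege export guard for an outsourced support desk.

Added illustration for this page; not ManoMano's, Zendesk's or any
help-desk product's code. Ticket fields, the 24-hour cap and the masking
rules are assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

DAILY_EXPORT_CAP = 5  # assumption: records one agent may export in any 24-hour window


@dataclass
class Ticket:
    ticket_id: str
    customer_email: str
    assigned_agent: str
    body: str
    attachments: List[str] = field(default_factory=list)


def mask_email(address: str) -> str:
    """j.doe@example.com -> j***@example.com"""
    local, _, domain = address.partition("@")
    return f"{local[:1]}***@{domain}"


def minimise(ticket: Ticket) -> dict:
    """Export view: enough to work a case, not enough to run a phishing campaign."""
    return {
        "ticket_id": ticket.ticket_id,
        "customer_email": mask_email(ticket.customer_email),
        "body": ticket.body,
        "attachment_count": len(ticket.attachments),  # names and contents stay behind
    }


class ExportGuard:
    def __init__(self, tickets, cap=DAILY_EXPORT_CAP):
        self.tickets = {t.ticket_id: t for t in tickets}
        self.cap = cap
        self.exported_at = defaultdict(list)  # agent -> one timestamp per exported record
        self.audit = []                       # every request, allowed or refused

    def export(self, agent: str, ticket_ids, now: datetime) -> dict:
        # 1. Scope: anything not assigned to this agent is dropped, not exported.
        in_scope = [self.tickets[i] for i in ticket_ids
                    if i in self.tickets and self.tickets[i].assigned_agent == agent]
        out_of_scope = len(ticket_ids) - len(in_scope)
        # 2. Volume: sliding 24-hour cap per agent; an over-cap request is refused whole.
        window_start = now - timedelta(hours=24)
        self.exported_at[agent] = [t for t in self.exported_at[agent] if t > window_start]
        remaining = self.cap - len(self.exported_at[agent])
        if len(in_scope) > remaining:
            self.audit.append({"agent": agent, "ts": now, "allowed": False,
                               "requested": len(ticket_ids), "reason": "daily export cap exceeded"})
            return {"allowed": False, "records": [], "out_of_scope": out_of_scope}
        # 3. Minimise what leaves, and record that it left.
        records = [minimise(t) for t in in_scope]
        self.exported_at[agent].extend([now] * len(records))
        self.audit.append({"agent": agent, "ts": now, "allowed": True,
                           "requested": len(ticket_ids), "exported": len(records)})
        return {"allowed": True, "records": records, "out_of_scope": out_of_scope}


def demo() -> dict:
    t0 = datetime(2026, 2, 20, 10, 0)
    tickets = [  # constructed sample data
        Ticket("T-1", "j.doe@example.com", "agent-a", "Order 1041 arrived damaged", ["photo1.jpg"]),
        Ticket("T-2", "m.roe@example.com", "agent-a", "Refund status?"),
        Ticket("T-3", "s.poe@example.com", "agent-a", "Wrong item shipped", ["invoice.pdf", "photo.jpg"]),
        Ticket("T-4", "a.lee@example.com", "agent-b", "Cannot log in"),
        Ticket("T-5", "k.kim@example.com", "agent-b", "Change delivery address"),
    ]
    guard = ExportGuard(tickets)
    # agent-a asks for the whole table; only their own three tickets come back, masked.
    first = guard.export("agent-a", ["T-1", "T-2", "T-3", "T-4", "T-5"], t0)
    # A second bulk pull an hour later would push agent-a past the cap: refused.
    second = guard.export("agent-a", ["T-1", "T-2", "T-3"], t0 + timedelta(hours=1))
    # A day later the window has rolled over and a small export works again.
    third = guard.export("agent-a", ["T-2"], t0 + timedelta(hours=25))
    return {"first": first, "second": second, "third": third, "audit_entries": len(guard.audit)}


if __name__ == "__main__":
    out = demo()
    print(out["first"]["records"][0])
    print("second allowed:", out["second"]["allowed"], "| audit entries:", out["audit_entries"])
```

The refused request is the interesting one: it is logged with the same detail as an allowed export, so a single agent account quietly pulling the customer table in batches shows up in the audit trail long before it reaches 38 million records.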

Outsourcing saves cash, but it introduces a variety of dangers. This is a big one. Thus if I were an organization thinking of outsourcing something, this would make me think twice.

ShinyHunters Pwns Another Victim

Posted in Commentary on February 26, 2026 by itnerd

The online automotive-marketplace CarGurus is the latest victim of the ShinyHunters campaign after the group published a 6.1 GB dataset of approximately 12.4 million account records on February 21.

Have I Been Pwned notes that about 70% of the exposed email addresses were previously seen in breach databases, though substantial fresh data appears to be included. Analysis by the breach monitoring site indicated that the archive included:

  • Email addresses
  • IP addresses
  • Full names
  • Phone numbers
  • Physical addresses
  • User IDs
  • Finance application data
  • Dealer account details

CarGurus has not publicly confirmed the breach or provided an official statement.

In a separate but related incident, Wynn Resorts confirmed that hackers accessed employee data after the company appeared on ShinyHunters’ data leak portal on February 20. The hackers claimed to have stolen more than 800,000 records containing PII (including SSNs) and employee data, along with an extortion threat demanding a ransom of 22.34 bitcoin (roughly $1.5 million).

Since then, the company stated that the alleged attackers claimed the stolen data had been deleted, and as of the latest reports, Wynn has not observed evidence that the information was publicly leaked or misused. 

Although the method used to obtain the data has not been confirmed, ShinyHunters, a cybercrime group known for ransom-or-release tactics, has a history of carrying out advanced voice phishing campaigns that have led to breaches targeting more than 100 organizations, including Optimizely, Figure, Panera Bread, and Crunchbase.

Denis Calderone, CRO & COO, Suzu Labs:

   “ShinyHunters is basically operating what feels like an extortion assembly line. In the last few months we’ve seen over a dozen, high-profile organizations get hit: Panera, SoundCloud, Match Group, CarGurus, Wynn, and the list keeps growing.

   “The speed and volume here is what should concern security leaders. They have obviously found something that works here, and it seems that just one well-placed phone call is all it takes, and they are getting access to every connected SaaS app in the environment.

   “The Wynn situation is particularly interesting. They appear to have reached an agreement, and the listing was pulled. ShinyHunters has a track record of honoring these deals, AT&T being the most public example. So, paying apparently works, which makes this an agonizing decision for any executive sitting across the table from legal counsel right now. But none of us should want to fund what is clearly a thriving criminal enterprise. Every payment validates the model and funds the next wave of attacks.

   “That’s why the conversation needs to stay focused on preventing the breach, not negotiating after it. Segment your data, lock down SSO with phishing-resistant MFA, and make your environment painful enough to navigate that these groups move on to the next target. Let’s face it, the era of hardware-backed authentication is upon us.”

Rajeev Raghunarayan, Head of GTM, Averlon:

   “What ShinyHunters keeps demonstrating is that you don’t need a sophisticated exploit when permissions do the work for you. Once attackers compromise a single set of credentials, SSO and broad SaaS integrations turn that one access point into keys to dozens of systems. The entry is simple. The blast radius is anything but.

   “Organizations are still measuring risk by how hard it is to get in, when the more urgent question is how far an attacker can move once they’re there.”

ShinyHunters is one of those groups that I cannot stop writing about seeing as I wrote about them just yesterday. That’s bad for all of us as it is highly likely that we will hear more from them in the coming days and weeks ahead.