ClearSignal — Mar 19, 2026
Federal cybersecurity infrastructure faces escalating pressure on multiple fronts: CISA is directing emergency vulnerability patches while confronting proposed workforce cuts of one-third and hundreds of millions in budget reductions. Meanwhile, sophisticated threat actors are exploiting critical vulnerabilities in widely-deployed enterprise systems—from Cisco firewalls to Microsoft SharePoint—with Russian state-backed groups deploying advanced iPhone exploit kits against Ukrainian targets. The combination of shrinking defensive capacity and intensifying offensive operations creates heightened risk across government and critical infrastructure.
Top 3
- DHS nominee Mullin pressed on restoring CISA staffing — The proposed one-third reduction in CISA’s workforce and hundreds of millions in budget cuts represents a fundamental threat to federal cybersecurity posture at precisely the moment when agencies face unprecedented exploitation activity. This workforce gutting directly undermines the agency responsible for coordinating federal cyber defense and issuing the emergency directives currently protecting government systems. The timing creates dangerous capability gaps as adversaries intensify campaigns against government infrastructure. — the-record
- Ransomware gang exploits Cisco flaw in zero-day attacks since January — The Interlock ransomware gang’s active exploitation of a maximum severity RCE vulnerability in Cisco’s Secure Firewall Management Center since late January represents a critical threat to enterprise security infrastructure itself. Organizations rely on these Cisco systems as foundational security controls, meaning compromised firewall management platforms can provide attackers with keys to entire networks. The zero-day nature of the initial attacks suggests advanced adversaries may have already established persistent access in numerous environments. — bleeping-computer
- Russia-linked hackers use advanced iPhone exploit to target Ukrainians — Russia-linked DarkSword malware demonstrates a significant evolution in mobile device targeting, enabling complete iPhone compromise with minimal user interaction and rapid data extraction within minutes. The framework’s ability to remove all evidence while targeting Ukrainians indicates sophisticated intelligence collection capabilities that likely extend beyond current known victims. This represents a new tier of mobile exploitation affecting devices previously considered highly secure. — the-record
Policy & Regulatory
- US intelligence chief grilled on absence of election threats in security assessment — The US intelligence chief was questioned about the absence of election threat assessments in recent security reporting, despite previous intelligence community documentation of influence operations by Iran, Russia, and China through online propaganda and cyber operations. — the-record
- Ukraine war undermining Russia’s Arctic plans, US intelligence says — US intelligence assessments indicate the Ukraine war is undermining Russia’s Arctic strategic plans, though Russia continues to view the Arctic as critical to its political, economic, and military security interests. — defense-news
- US assesses China not planning to invade Taiwan in 2027 — U.S. intelligence agencies’ annual report assesses that China is not planning to invade Taiwan in 2027, despite Beijing intensifying military pressure through frequent drills around Taiwan. — defense-news
- UK, Netherlands, Finland in talks to set up defense investment bank — The United Kingdom, Netherlands, and Finland are negotiating to establish a multilateral defense investment bank that can include non-EU partners, according to Dutch officials. — defense-news
Agency & Mission Activity
- CISA orders feds to patch Zimbra XSS flaw exploited in attacks — CISA issued a directive requiring federal agencies to patch an actively exploited cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite email and collaboration servers. — bleeping-computer
- DHS nominee Mullin pressed on restoring CISA staffing — DHS nominee Mullin faced questioning from Senator Maggie Hassan regarding CISA workforce cuts of one-third and hundreds of millions in budget reductions under the Trump administration. — the-record
Technology Trends
- CISA urges US orgs to secure Microsoft Intune systems after Stryker breach — CISA issued guidance for U.S. organizations to secure Microsoft Intune endpoint management systems following a cyberattack that exploited the tool to wipe systems at medical technology company Stryker. — bleeping-computer
- New ‘Perseus’ Android malware checks user notes for secrets — New Android malware named Perseus has been discovered that targets user notes applications to extract sensitive information including passwords, cryptocurrency recovery phrases, and financial data. — bleeping-computer
- Critical Microsoft SharePoint flaw now exploited in attacks — CISA warned that a critical Microsoft SharePoint vulnerability patched in January 2024 is now being actively exploited in the wild. — bleeping-computer
- Aura confirms data breach exposing 900,000 marketing contacts — Identity protection firm Aura disclosed a data breach exposing approximately 900,000 customer records containing names and email addresses to unauthorized access. — bleeping-computer
- ConnectWise patches new flaw allowing ScreenConnect hijacking — ConnectWise disclosed a cryptographic signature verification vulnerability in ScreenConnect that could enable unauthorized access and privilege escalation. Customers have been advised to patch the flaw immediately. — bleeping-computer
- Ransomware gang exploits Cisco flaw in zero-day attacks since January — The Interlock ransomware gang has been actively exploiting a maximum severity RCE vulnerability in Cisco’s Secure Firewall Management Center since late January in zero-day attacks. This represents an ongoing threat to organizations using Cisco security infrastructure. — bleeping-computer
- Marquis: Ransomware gang stole data of 672K people in cyberattack — Texas-based financial services provider Marquis disclosed that a ransomware attack in August 2025 compromised data of over 672,000 individuals and disrupted operations at 74 U.S. banks. The incident highlights ongoing vulnerabilities in the financial services supply chain. — bleeping-computer
- The Refund Fraud Economy: Exploiting Major Retailers and Payment Platforms — Flare research reveals a growing refund fraud economy where methods and tutorials are commercialized to systematically exploit retailer return policies and payment platforms. Fraudsters have industrialized refunds and chargebacks into repeatable profit schemes. — bleeping-computer
- New DarkSword iOS exploit used in infostealer attack on iPhones — Security researchers identified a new iOS exploit kit called “DarkSword” being used to deliver infostealers targeting personal information and cryptocurrency wallet data on iPhones. This represents an emerging mobile threat vector. — bleeping-computer
- Nordstrom’s email system abused to send crypto scams to customers — Nordstrom’s legitimate email system was compromised to send cryptocurrency scam messages disguised as St. Patrick’s Day promotions to customers. This represents an email infrastructure breach allowing fraudulent messages from trusted company addresses. — bleeping-computer
- Cisco’s latest vulnerability spree has a more troubling pattern underneath — Cisco has responded quickly to critical SD-WAN and firewall vulnerabilities, but concerns remain about how long sophisticated threat actors had access before patches were issued and what systems may already be compromised. The pattern of vulnerabilities raises questions about the security of widely-used enterprise infrastructure. — cyberscoop
- Second iOS exploit kit now in use by suspected Russian hackers — Suspected Russian hackers are now using a second iOS exploit kit named DarkSword, according to research from iVerify, Lookout, and Google. The kit may have implications related to possible U.S. government-developed tools. — cyberscoop
- Russian hackers exploit Zimbra flaw to breach Ukrainian maritime agency — Russian state-backed hacker group APT28 exploited a Zimbra webmail vulnerability to breach a Ukrainian maritime agency. This demonstrates continued targeting of government email infrastructure by advanced persistent threats. — the-record
- Russia-linked hackers use advanced iPhone exploit to target Ukrainians — Russia-linked hackers are using DarkSword malware to compromise the iPhones of Ukrainian targets with minimal user interaction, enabling rapid data extraction within minutes and complete evidence removal. Lookout researchers identified this advanced iPhone exploit framework. — the-record
- Bank software vendor Marquis says more than 670,000 impacted by August breach — Bank software vendor Marquis disclosed that over 670,000 individuals were impacted by an August data breach affecting at least 74 financial institutions that use its customer communication software. — the-record
- SP 1800-42, Digital Identities – Mobile Driver’s License (mDL): Accelerating Development and Adoption of Digital Identity for Financial Institutions (Initial Public Draft) — NIST’s National Cybersecurity Center of Excellence published an initial public draft (SP 1800-42) providing technical guidance for financial institutions to implement mobile driver’s licenses (mDLs) for customer identification, addressing security, privacy, and interoperability challenges. — nist-drafts
- DarkSword: iPhone Exploit Kit Serves Spies & Thieves Alike — A sophisticated iPhone exploit kit named DarkSword is leveraging multiple zero-day vulnerabilities to target users in Saudi Arabia, Turkey, Malaysia, and Ukraine for espionage and criminal purposes. — dark-reading
- ‘Claudy Day’ Trio of Flaws Exposes Claude Users to Data Theft — A ‘Claudy Day’ trio of vulnerabilities in Claude AI enables attackers to use prompt injection combined with other flaws to execute a full attack chain via Google searches, potentially compromising enterprise networks. — dark-reading
Procurement & Opportunities
- US Air Force special operations seeks kamikaze drones — The US Air Force special operations forces issued a Request for Information seeking small one-way attack kamikaze drones for operational deployment. — defense-news
- The Pentagon wants to field laser weapons at scale within 3 years — The Pentagon is accelerating plans to deploy high-energy laser weapons at scale within the next 36 months, driven by the need to counter Iranian drone attacks and similar threats. — defense-news
- Common Autonomous Multi-Domain Launcher (CAML) Weapon System Integrator (WSI) Request For Solutions Brief (RFSB) — U.S. Army Rapid Capabilities and Critical Technologies Office issued a Request for Solutions Brief for the Common Autonomous Multi-Domain Launcher (CAML) Weapon System Integrator, with responses due March 25, 2026. — sam-gov