Cybersecurity News: iPhone-hacking toolkit used by spies, HungerRush extortion emails, Tycoon phishing platform dismantled

In today’s cybersecurity news…

Possible iPhone-hacking toolkit used by spies

An iPhone hacking toolkit called Coruna has likely infected tens of thousands of devices and may have originated as a US government tool. The toolkit exploits 23 iOS vulnerabilities to silently install malware when users visit a compromised website. Google and security firm iVerify traced Coruna through multiple campaigns: Russian spies targeting Ukrainians, then cybercriminals stealing cryptocurrency from Chinese-speaking victims. Apple patched the vulnerabilities in iOS 26, but older versions remain at risk. (Wired)

Hacker mass-mails HungerRush extortion emails

Restaurants using HungerRush’s point-of-sale system had their patrons receive mass extortion emails claiming that millions of customer and restaurant records could be exposed unless the company responded. The messages, sent via Twilio SendGrid from HungerRush domains, threatened data including names, emails, passwords, addresses, and credit card information. Security researcher Alon Gal linked the campaign to credentials stolen from a HungerRush employee in October 2025, but HungerRush confirmed it has investigated and that these events are not related. (BleepingComputer)

Tycoon 2FA phishing platform dismantled

Europol, Microsoft, and cybersecurity firms dismantled Tycoon 2FA, a subscription-based phishing-as-a-service platform used to send tens of millions of emails monthly to 500,000 organizations. The platform let attackers bypass multi-factor authentication and capture credentials from email and cloud accounts, contributing to roughly 62% of Microsoft’s blocked phishing attempts last year. Law enforcement seized 330 domains and took legal action against operators, including Saad Fridi in Pakistan. The takedown involved agencies across Europe and support from major cybersecurity companies. (SecurityWeek)

14 countries shut down LeakBase

Authorities from 14 countries shut down LeakBase, a major cybercrime forum with over 142,000 members, seizing its database, domains, and arresting multiple suspects. The site hosted stolen data, including banking details, credentials, and personal information from U.S. and international targets. Around 100 enforcement actions targeted 37 active users, and the FBI, Europol, and other agencies coordinated the takedown to disrupt access to stolen information and hold operators accountable. (Cyberscoop)

Huge thanks to our sponsor, Adaptive Security

This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. Picture a “new hire” who interviews well… except they’re synthetic: AI video, AI voice, AI backstory. Once they’re in, they go after payroll, internal docs, and access. That’s the new reality: the attack surface is trust itself. Adaptive fights back with realistic deepfake simulations and training that actually sticks. adaptivesecurity.com.

Hacktivist DDoS hits 110 orgs in 16 countries

Following the U.S.-Israel military campaign against Iran, hacktivist groups launched 149 DDoS attacks targeting 110 organizations in 16 countries, mostly in the Middle East. Key groups included Keymous+, DieNet, and Hider Nex, focusing on government, finance, and telecom sectors. Attacks also included phishing campaigns and attempts on critical infrastructure, with Iranian state-sponsored actors targeting energy and digital systems. (The Hacker News)

LexisNexis data breach confirmed

LexisNexis confirmed a data breach after hackers leaked 2GB of files, including 400,000 personal records. The attackers tried to extort the company but failed. Compromised data mostly came from legacy systems prior to 2020, including customer names, contact info, survey IPs, and support tickets. Hackers reportedly exploited the React2Shell vulnerability and unsecured AWS instances. LexisNexis says its products and services were unaffected and the issue is contained. (SecurityWeek)

Fake LastPass support emails steal vault passwords

LastPass warned of a phishing campaign using fake support email threads to steal vault passwords. Emails impersonate LastPass, urging users to click links like “report suspicious activity,” which lead to a fake login page that captures credentials. Attackers use multiple sender addresses and altered URLs to appear legitimate. LastPass systems were not compromised, and users are reminded never to share their master password. The company is working to take down the phishing sites and asks that suspicious emails be reported to abuse@lastpass.com. (BleepingComputer)

Cisco warns of max severity Secure FMC flaws

Cisco patched two maximum-severity vulnerabilities in Secure Firewall Management Center (FMC) that allow unauthenticated attackers to gain root access or execute arbitrary Java code as root. One is an authentication bypass; the other affects the cloud-based Security Cloud Control Firewall Management. No evidence of active exploitation or public PoCs exists. Cisco also addressed dozens of other high-severity flaws across FMC, Adaptive Security Appliance, and Threat Defense software. (BleepingComputer)