
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Thursday, March 5, 2026. I'm Sarah Lane.

Possible iPhone hacking toolkit used by spies

An iPhone hacking toolkit called Karuna has likely infected tens of thousands of devices and may have originated as a US government tool. The toolkit exploits 23 iOS vulnerabilities to silently install malware when users visit a compromised website. Google and security firm iVerify traced Karuna through multiple campaigns: Russian spies targeting Ukrainians, then cybercriminals stealing cryptocurrency from Chinese-speaking victims. Apple patched the vulnerabilities in iOS 26, but older versions remain at risk.

Hacker mass mails Hunger Rush extortion emails

Restaurants using Hunger Rush's point-of-sale system have had their patrons receive mass extortion emails claiming that millions of customer and restaurant records could be exposed unless the company responds. The messages, sent via Twilio SendGrid from Hunger Rush domains, threatened data including names, emails, passwords, addresses and credit card information. Security researcher Alan Gal linked the campaign to credentials stolen from a Hunger Rush employee in October of 2025. Hunger Rush confirmed the incident and is investigating with law enforcement.

Tycoon2FA phishing platform dismantled

Europol, Microsoft and cybersecurity firms dismantled Tycoon2FA, a subscription-based phishing-as-a-service platform used to send tens of millions of emails monthly to 500,000 organizations. The platform let attackers bypass multi-factor authentication and capture credentials from email and cloud accounts, contributing to roughly 6.62 percent of Microsoft's blocked phishing attempts. Last year, law enforcement seized 330 domains and took legal action against operators including Saud Friti in Pakistan. The takedown involved agencies across Europe and support from major cybersecurity companies.

14 countries shut down Leak Base

Authorities from 14 countries shut down Leak Base, a major cybercrime forum with over 142,000 members, seizing its database and domains and arresting multiple suspects. The site hosted stolen data, including banking details, credentials and personal information from US and international targets. Around 100 enforcement actions targeted 37 active users, and the FBI, Europol and other agencies coordinated the takedown to disrupt access to stolen information and hold operators accountable.

Huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. Picture a new hire who interviews well, except they're synthetic: AI video, AI voice, AI backstory. Once they're in, they go after payroll, internal docs and access. That is the new reality. The attack surface is trust itself. Adaptive fights back with realistic deepfake simulations and training that actually sticks. Learn more at adaptivesecurity.com.

Hacktivist DDoS hits 110 orgs in 16 countries

Following the U.S.-Israel military campaign against Iran, hacktivist groups launched 149 DDoS attacks targeting 110 organizations in 16 countries, mostly in the Middle East. Key groups included Keymaus Plus, Dinet and Hydranex, focusing on government, finance and telecom sectors. Attacks also included phishing campaigns and attempts on critical infrastructure, with Iranian state-sponsored actors targeting energy and digital systems.

LexisNexis data breach confirmed

LexisNexis confirmed a data breach after hackers leaked two gigs of files including 400,000 personal records. The attackers tried to extort the company but apparently failed. Compromised data mostly came from legacy systems prior to 2020, including customer names, contact information, survey IPs and support tickets. Hackers reportedly exploited the React2Shell vulnerability and unsecured AWS instances. LexisNexis says its products and services were unaffected and the issue is contained.

Fake LastPass support emails steal vault passwords

LastPass warned of a phishing campaign using fake support email threads to steal vault passwords. Emails impersonate LastPass, urging users to click links like "report suspicious activity," which lead to a fake login page that captures credentials. Attackers use multiple sender addresses and altered URLs to appear legitimate. LastPass systems weren't compromised and users are reminded never to share their master password. The company is working to take down the phishing sites and asks suspicious emails to be reported to abuse@lastpass.com.

Cisco warns of max severity Secure FMC flaws

Cisco patched two maximum severity vulnerabilities in Secure Firewall Management Center, or FMC, that allow unauthenticated attackers to gain root access or execute arbitrary Java code as root. One is an authentication bypass, the other affects the cloud-based Security Cloud Control Firewall Management. No evidence of active exploitation or public PoCs exists. Cisco also addressed dozens of other high severity flaws across FMC, Adaptive Security Appliance and Threat Defense software.

Cybersecurity sales lives and dies on trust, so why do so many vendors burn bridges just to get a foot in the door? That is what we're trying to figure out on the latest episode of Defense in Depth. Look for the episode "Why Overpromising Is a Dangerous Sales Tactic" wherever you get your podcasts. And if you have thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We really want to hear from you. I am Sarah Lane, reporting for the CISO Series. You stay classy out there, planet Earth.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Sarah Lane
Theme: Rapid-fire coverage of the latest cyber threats, major data breaches, law enforcement wins, and ongoing risks in the information security world.
This episode delivers concise updates on significant recent events in cybersecurity, including high-profile hacking toolkits, phishing platforms, massive data breaches, hacktivist campaigns, and substantial product vulnerabilities. Sarah Lane breaks down global incidents relevant to business and government security.
“The toolkit exploits 23 iOS vulnerabilities to silently install malware when users visit a compromised website.” — Sarah Lane (00:21)
"The platform let attackers bypass multi factor authentication and capture credentials from email and cloud accounts." — Sarah Lane (01:45)
"Hacktivist groups launched 149 DDoS attacks targeting 110 organizations in 16 countries, mostly in the Middle East." — Sarah Lane (03:23)
"Users are reminded never to share their master password." — Sarah Lane (04:52)
This episode underscores the diversity and persistence of major cyber threats: advanced government-grade toolkits affecting consumer devices, large-scale phishing and credential theft operations, data breaches targeting major enterprises, the rise of hacktivist cyberattacks amidst geopolitical tensions, and new vulnerabilities in widely-used security products. The episode conveys a sense of urgency and ongoing vigilance—while highlighting both criminal innovation and coordinated global response.
For full details on any headline, visit CISOseries.com.