A
A second iOS hacking framework has been found in the wild, Belgium launches its own government communications app, AWS kills S3 bucket squatting, and a cyber attack cripples car breathalysers. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 20th of March and this podcast episode is brought to you by Sublime Security.
In today's top story, a second professional iOS hacking framework has been seen in the wild. The Dark Sword toolkit was used against targets in Ukraine, Turkey, Malaysia and Saudi Arabia. It's been used in both espionage and financially motivated operations. According to Google, iVerify and Lookout, the kit used at least six iOS exploits. All have been patched.
In other news, the Belgian government has launched its own secure messaging app. The Beam app has been developed for internal government and military use. It's designed to replace foreign apps like WhatsApp and Facebook Messenger for official communications. Military and intelligence officials gained access to Beam last week. Government workers will receive it next week.
Japanese defence forces will be ready to carry out offensive cyber operations from October. A law was passed last year that allows the country's military and police to pre-emptively hack adversary networks. Cabinet approved the law after confirming its alignment with the country's constitutional principles of non-aggression.
The US House Judiciary Committee has subpoenaed 10 US tech companies for copies of their communications with the EU. They've been ordered to hand over communications related to enforcement of the EU's Digital Services Act. The commission has accused Europe of trying to censor Americans through its tech rules. Subpoenaed companies include Amazon, Apple and Microsoft.
FBI Director Kash Patel has admitted the agency has resumed purchasing data about American citizens from private brokers. Politico has reported the data is used to track people's movement and location history. Law enforcement is not allowed to obtain the data from tech companies without a warrant. US law does not, however, prevent them from buying it from data brokers.
A hacker has leaked data from a law enforcement confidential tip database. The leaker, who goes by the name Internet Yif Machine, said they exploited a vulnerability to breach P3 Global Intel and a platform managed by Navigate360. The hackers shared more than 93 gigabytes with journalists and the DDoSecrets project. The leak implies Navigate360 stored enough details to de-anonymise people who submitted tips.
A cyber attack has crippled vehicles equipped with Intoxalock breathalysers. Devices installed in cars in the US have been unable to connect back to Intoxalock service to confirm breath test results. In some cases, US courts have ordered people convicted of drunk driving to use the devices. They've been unable to start their cars for two days.
Suspected North Korean hackers have breached an online platform that allows users to buy gift cards and SIM top-ups with cryptocurrency. Bitrefill said hackers stole crypto assets and customer records. They also attempted to alter its gift card inventory. The entry point has been traced back to a compromised employee laptop. The company said the attack resembled previous intrusions by the Lazarus and BlueNoroff groups.
Hackers using a Chinese cybersecurity firm as a front have stolen millions in cryptocurrency. They used supply chain attacks to compromise Electron apps and browser plug-ins. From there, they collected private keys and seed phrases to empty out crypto wallets. The attacks were exposed after the secret operations of the company, Wuhan and Shun, were revealed by a disgruntled employee. One of the company's victims was Trust Wallet, whose users lost $7 million in December.
Hackers have stolen $3.6 million worth of crypto from Venus Protocol. The attackers exploited the platform's flash loan system to extract the funds. Venus Protocol also lost $27 million in a separate hack last September.
US authorities have seized two websites operated by Iranian hacking group Handala. The group had used the websites to leak data and offer bounties on Israeli and US officials earlier this month. The group breached US medtech company Stryker and wiped more than 200,000 systems in retaliation for the US attacks.
The Interlock ransomware group exploited a Cisco zero-day for close to a month before patches were available. Attacks began on January 26, and the patch was released on March 4. The vulnerability allowed threat actors to run malicious code on Cisco firewalls that were running the Secure Firewall Management Console software. Exploitation is triggered by its serialized Java objects, doesn't require authentication, and runs the malicious code as root.
Apple has rolled out its first background security update for iOS. The update, released this week, fixes a low severity bug in Safari. It was delivered through Apple's Background Security Improvement System, which allows the company to apply patches without any user interaction. This system was first used in 2019 to push a silent fix for macOS.
A new AWS security feature prevents S3 bucket squatting attacks. The feature ties AWS bucket names to account IDs and regions. This prevents threat actors from registering expired buckets. Both Azure and Google Cloud also have protections against this type of attack, but using different approaches.
A major vulnerability remains unpatched in the GNU inetutils Telnet daemon. The bug allows remote unauthenticated attackers to overflow memory on a Telnet server and run malicious code. This is the second major bug disclosed in the Telnet server this year.
Threat actors are exploiting an RCE vulnerability to take over Microsoft SharePoint servers. The bug was initially patched in January, but was added to the CISA KEV list this week. CISA also added a Zimbra cross-site scripting vulnerability.
And finally, Ubiquiti has patched a critical vulnerability in its UniFi internet gateway and Wi-Fi management application. The firmware update fixes a path traversal bug that allows threat actors to access configuration files and take over UniFi gateways. The vulnerability has a severity rating of 10 out of 10.
And that is all for this podcast edition. Today's show is brought to you by our sponsor, Sublime Security. Find them at sublime.security. Thanks for your company.
Date: March 20, 2026
Host: Claire Aird
Prepared by: Catalin Cimpanu, Risky Business Media
This episode delivers a packed roundup of critical cybersecurity news, highlighting a second professional iOS hacking framework identified in the wild, state-driven advances in secure communication, significant cyberattacks targeting public and private infrastructure, notable law enforcement and legislative updates, major data breaches, and several important software vulnerabilities and patches.
The March 20th episode of Risky Bulletin is a dense and essential digest of cybersecurity’s top developments, from sophisticated state-backed hacking toolkits and legislative changes to large-scale data breaches and vital software patches. The episode serves cybersecurity professionals and enthusiasts by consolidating high-impact events with clarity, speed, and an unvarnished style faithful to the Risky Business brand.