Newsletter Issue #14

Mar 27 Digest: EU Commission AWS Breach, DarkSword iOS Exploit Leaked, F5 BIG-IP Actively Exploited

The European Commission confirms a 350 GB AWS breach; the DarkSword iOS exploit chain goes public on GitHub threatening hundreds of millions of iPhones; F5 BIG-IP APM joins CISA's KEV catalogue with active exploitation confirmed; and QualDerm Partners discloses a 3.1 million patient healthcare breach.

Dylan H.

CosmicBytez Labs

March 27, 2026
10 min read

This Week in Cybersecurity

The final days of March 2026 brought a high-impact cluster of disclosures spanning cloud security, mobile exploitation, critical infrastructure vulnerabilities, and healthcare data theft.

The European Commission confirmed it is investigating unauthorized access to its Amazon Web Services cloud environment after a threat actor claimed to have exfiltrated over 350 GB of data — including databases, employee records, and email server data. Amazon confirmed its infrastructure was uncompromised; the breach was of the Commission's own cloud tenant. This follows a January 2026 MDM platform breach, making it two disclosed security incidents for EU institutions within two months.

On the threat landscape front, the public leak of the DarkSword iOS exploit chain on GitHub fundamentally changed the economics of iPhone compromise. What was previously nation-state-grade capability — a six-vulnerability chain targeting iOS 18.4 through 18.7 — is now deployable by virtually any attacker with a web host and basic HTML skills. Apple has patched all six vulnerabilities; update immediately if you haven't.

F5 BIG-IP APM is confirmed under active attack. CVE-2025-53521 — a zero-authentication RCE triggered by malicious traffic against APM virtual servers — landed in CISA's Known Exploited Vulnerabilities catalogue on March 27 with a CVSS 9.8 rating. BIG-IP sits at the perimeter of many enterprise and government networks; compromise of the appliance enables traffic interception across the entire application delivery stack.

In healthcare, QualDerm Partners disclosed that a December 2025 breach exposed the personal and protected health information of 3.1 million patients across 158 dermatology practices in 17 states.


Top Stories

European Commission Investigates 350 GB AWS Breach — Second EU Security Incident in Two Months

The European Commission — the EU's primary executive body — confirmed it is actively investigating a breach of its Amazon Web Services cloud environment. A threat actor provided BleepingComputer with screenshots demonstrating access to Commission systems and claimed to have exfiltrated over 350 GB of data, including multiple databases, employee information, and email server data. The attacker stated they have no intention of extorting the Commission and plan to publicly leak the data at a later date.

Amazon confirmed AWS infrastructure was not compromised — the breach was of the Commission's cloud tenant, meaning the attacker obtained access to the Commission's own AWS account credentials or session tokens rather than exploiting an AWS flaw. The initial access vector remains under investigation. Potential vectors include phished or stolen IAM credentials, compromised access keys, misconfigured IAM roles, or session token hijacking via a prior endpoint compromise.

This is the second disclosed security incident for EU institutions in 2026, following the January 30 breach of the Commission's mobile device management platform. The pattern puts pressure on EU institutions to significantly harden their cloud security posture — particularly around MFA enforcement on all IAM accounts, CloudTrail logging with tamper-proof storage in a dedicated security account, GuardDuty real-time anomaly detection, and egress monitoring that would flag 350 GB of outbound data transfer.
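One concrete form of the egress monitoring mentioned above, as an added example that is not the Commission's or AWS's own tooling: it sums accepted bytes per network interface from VPC Flow Log records (default v2 field order) whose traffic leaves private address space for public addresses, then flags interfaces above a threshold. The log lines and the 1 GB threshold are constructed for illustration; real tuning depends on the workload's baseline.

```python
"""Bulk-egress detector over VPC Flow Log lines (default v2 format).

Added illustration; not code from the Commission, AWS, or the newsletter.
The sample records are constructed and the threshold is a hypothetical value.
"""
from collections import defaultdict
import ipaddress

# Constructed sample lines in the default VPC Flow Log v2 field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.9 44321 443 6 900000 1200000000 1774000000 1774000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.9 44322 443 6 950000 1300000000 1774000600 1774001200 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 51000 5432 6 120 64000 1774000000 1774000600 ACCEPT OK
2 123456789012 eni-0ffee123 10.0.3.7 198.51.100.20 39000 443 6 300 48000 1774000000 1774000600 ACCEPT OK
2 123456789012 eni-0ffee123 10.0.3.7 198.51.100.20 - - - - - 1774000000 1774000600 - NODATA
"""

# RFC 1918 ranges; anything outside them is treated as external egress.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def egress_bytes_by_interface(lines: str) -> dict:
    """Sum bytes per ENI for ACCEPTed flows from internal to external addresses."""
    totals = defaultdict(int)
    for line in lines.splitlines():
        f = line.split()
        # Skip malformed, NODATA/SKIPDATA, and rejected records.
        if len(f) < 14 or f[13] != "OK" or f[12] != "ACCEPT":
            continue
        src, dst, nbytes = f[3], f[4], int(f[9])
        if is_internal(src) and not is_internal(dst):
            totals[f[2]] += nbytes
    return dict(totals)


def flag_bulk_egress(lines: str, threshold_bytes: int) -> list:
    """Return ENIs whose external egress exceeds the threshold (hypothetical tuning value)."""
    return sorted(eni for eni, total in egress_bytes_by_interface(lines).items()
                  if total > threshold_bytes)


if __name__ == "__main__":
    print(flag_bulk_egress(SAMPLE_FLOW_LOGS, 1_000_000_000))
```

In practice the sum would run over a day's worth of records per interface (flow log windows are short), and a hit would feed an alert alongside CloudTrail and GuardDuty findings for the same principal.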


DarkSword GitHub Leak Threatens to Turn Elite iPhone Hacking Into a Tool for the Masses

An unidentified party published the DarkSword iOS exploit chain on GitHub, turning what was previously a nation-state-grade iPhone compromise capability into something deployable by virtually any attacker. DarkSword chains six vulnerabilities across iOS and Safari to achieve zero-click compromise via a single drive-by website visit — no user interaction beyond visiting a malicious page is required.

The exploit targets iOS 18.4 through 18.7 and, critically, is written in plain HTML and JavaScript with no compiled binaries or complex toolchains. Researchers confirmed the exploit can be stood up "in a couple of minutes to hours" with no iOS expertise required. Allan Liska of Recorded Future put the stakes plainly: "If anyone can exploit an iPhone, suddenly something that has managed to be relatively secure now is a much bigger attack surface."

DarkSword was previously used by suspected Russian state-sponsored group UNC6353 and customers of Turkish surveillance vendor PARS Defense, targeting individuals in Saudi Arabia, Turkey, Malaysia, and Ukraine. The Ghostblade payload deployed by known campaigns harvests contacts, messages, call history, location data, iOS Keychain passwords, photos, iCloud files, and cryptocurrency wallet data across major platforms including Coinbase, Binance, Ledger, and MetaMask.

Apple has patched all six DarkSword vulnerabilities. Update to iOS 26.3 (or iOS 18.7.3 for older devices) immediately. High-value targets should enable Lockdown Mode — researchers confirmed it blocks the DarkSword attack chain even on unpatched devices.


QualDerm Partners Discloses Breach Affecting 3.1 Million Dermatology Patients

Tennessee-based dermatology management company QualDerm Partners disclosed that unauthorized access over December 23–24, 2025 exposed the personal and protected health information of 3,117,874 individuals across 158 practices in 17 states. Notification letters began reaching affected patients on February 22, 2026 — approximately two months after the breach.

Compromised data includes names, dates of birth, email addresses, doctor names, medical record numbers, diagnoses and treatment information, health insurance details, and for a subset of individuals, government-issued identification numbers. The combination of PHI and personal identifiers creates elevated risk beyond a typical breach, enabling medical identity theft, fraudulent insurance claims, and highly targeted healthcare-themed phishing.

The two-month gap between breach detection and patient notification is under legal scrutiny for potential HIPAA Breach Notification Rule compliance gaps. Multiple law firms have launched class action investigations. QualDerm is offering complimentary credit monitoring and identity theft protection services to all affected individuals.


Russian Initial Access Broker Who Enabled Yanluowang Ransomware Gets 6.75 Years in Federal Prison

Aleksei Olegovich Volkov, 26, a Russian national operating as an initial access broker for the Yanluowang ransomware group, was sentenced to 81 months in U.S. federal prison and ordered to pay $9.17 million in restitution. Volkov — known online as chubaka.kor — breached U.S. banks, telecommunications companies, and engineering firms across six states between July 2021 and November 2022, selling unauthorized network access to ransomware operators who caused over $9 million in actual losses.

Volkov was arrested in Rome in January 2024, extradited to the United States, and pleaded guilty to six federal counts across two districts covering computer fraud, identity theft, and money laundering. Yanluowang is known for triple extortion — encrypting files, threatening public data leaks, and simultaneously launching DDoS attacks against victims who refuse to pay.

The case reflects the U.S. government's expanded strategy of prosecuting every layer of the ransomware supply chain — access brokers, money launderers, and infrastructure providers — not just the operators who deploy the final payload.



Security Corner

Five new CVEs were published to the Security Advisories section. Key advisories to action this week:

CVE-2025-53521 — F5 BIG-IP APM Unauthenticated RCE (CVSS 9.8 Critical) — CISA KEV — Actively Exploited
Zero-authentication remote code execution triggered by malicious traffic directed at BIG-IP virtual servers with APM access policies configured. Affects BIG-IP versions 15.1.0–17.5.1 across the APM, AFM, ASM, SSL Orchestrator, and Analytics modules. CISA added it to the Known Exploited Vulnerabilities catalogue on March 27, 2026, confirming active exploitation in production environments. Apply F5 advisory K000156741 immediately. Interim mitigation: restrict network access to APM-configured virtual servers and audit management interface exposure.

CVE-2026-33669 — SiYuan Unauthenticated Full Knowledge Base Exposure (CVSS 9.8 Critical)
The /api/file/readDir and /api/block/getChildBlocks endpoints in SiYuan prior to v3.6.2 expose the entire knowledge base to unauthenticated network callers. A two-step attack chain first enumerates document IDs and then extracts complete document content, all without credentials. SiYuan is commonly used to store sensitive notes, passwords, research, and code snippets. Upgrade to SiYuan 3.6.2 immediately; if an immediate upgrade is not possible, bind the HTTP server to localhost.

CVE-2026-33670 — SiYuan readDir Path Traversal Notebook Enumeration (CVSS 9.8 Critical)
Companion to CVE-2026-33669. The readDir endpoint allows path traversal to enumerate all document filenames across every notebook without authentication. Together, the two CVEs enable complete zero-authentication exfiltration of any network-accessible SiYuan knowledge base. Both are fixed in SiYuan 3.6.2.

Also this week:

  • CVE-2026-4312
  • CVE-2026-4177

Quick Takes

  • PTC Windchill / FlexPLM Imminent RCE Threat (CVE-2026-4681, CVSS 10.0): PTC issued an urgent warning of an imminent threat from the critical Windchill and FlexPLM RCE vulnerability following Germany's BKA nationwide alert last week. A formal patch is in active development — maintain the Apache/IIS servlet path restriction workaround and monitor PTC's advisory portal for patch availability.

  • Botnet Manager Sentenced to 2 Years for Enabling Ransomware Campaigns: A federal court sentenced the manager of a botnet used to facilitate ransomware distribution to two years in prison, continuing the pattern of U.S. law enforcement targeting ransomware-adjacent infrastructure operators rather than final-stage attackers only.

  • Paid AI Accounts Are Now a Hot Underground Commodity: Stolen and fraudulently acquired premium accounts for ChatGPT Plus, Claude Pro, and Gemini Advanced are actively traded on underground markets, giving threat actors elevated rate limits, more capable model tiers, and reduced safety filtering for offensive operations at scale. Market value has risen sharply through Q1 2026.

  • Citrix Urges Immediate Patching of NetScaler ADC and Gateway Flaws: Citrix issued urgent guidance to patch multiple NetScaler vulnerabilities, noting threat actors have a consistent history of rapidly weaponising NetScaler disclosures. Treat this as a priority patch cycle given NetScaler's widespread deployment at enterprise network edges.


Upcoming

  • April 3 — CISA KEV Remediation Deadline: Federal Civilian Executive Branch agencies must patch CVE-2025-43510 (Apple improper locking, actively exploited) and CVE-2025-54068 (Laravel Livewire v3 unauthenticated RCE, actively exploited) by April 3 per Binding Operational Directive 22-01. All organizations should treat these as urgent regardless of FCEB status.

  • PTC Windchill Formal Patch: Formal remediation for CVE-2026-4681 (CVSS 10.0 RCE) is in active development. Continue the servlet path restriction workaround and monitor PTC's advisory portal. Given the imminent threat warning issued this week, treat unpatched Windchill and FlexPLM installations as actively at risk.

  • F5 BIG-IP — Active Exploitation Ongoing: With CVE-2025-53521 now in CISA KEV with exploitation confirmed, all organizations running BIG-IP APM on versions 15.1.0–17.5.1 should treat this as an emergency. Investigate any anomalous BIG-IP behavior preceding patching for signs of prior compromise.

  • April Patch Tuesday: Microsoft's next scheduled patch cycle lands the second Tuesday of April. Begin patch readiness reviews now, particularly for Windows, Exchange, and Office components given the volume of recent RCE disclosures across the stack.

  • DarkSword Exposure Window: With the exploit publicly available and trivial to deploy, all iPhones running iOS 18.4–18.7 remain at risk until updated. MDM administrators should enforce a minimum iOS version policy and flag unpatched devices immediately.


By the Numbers

Metric                                    Value
EU Commission data claimed stolen         350 GB
EU institutional breaches in 2026         2
DarkSword iOS vulnerabilities chained     6
iOS versions targeted by DarkSword        18.4 – 18.7
QualDerm patients affected                3,117,874
States affected by QualDerm breach        17
Volkov prison sentence                    81 months
Restitution ordered (Volkov)              $9.17 million
New CVEs published this week              5
Critical CVEs (CVSS ≥ 9.0)                3
