Not a quiet week. Not a noisy-headline-then-forgotten week either. The stories that defined March 16 to 22 have staying power because they’re pointing at the same thing: the foundational layers security is built on are cracking.
Management planes. Identity systems. The scanners we use to find problems. The phones in everyone’s pockets. None of those were supposed to be easy to compromise. This week, they all were.
Cisco’s Firewall Management Center got an emergency patch for an authentication bypass. CISA put it straight onto the Known Exploited Vulnerabilities list and gave federal agencies until Sunday. That’s about as urgent as deadlines get.
Same week: a critical SharePoint flaw under active exploitation. ScreenConnect with a session hijacking hole. Oracle Identity Manager with an emergency out-of-band patch for an unauthenticated RCE. These didn’t land as a coordinated disclosure. They landed in a cluster because attackers are probing these systems on purpose.
Firewall managers, identity platforms, remote desktop tools – these aren’t just software. They’re the control plane. Compromise one and you’ve potentially already bypassed everything downstream. Management and identity systems deserve shorter patch timelines and sharper detection than most organizations give them.
Trivy, a widely used security scanner, became an attack vector this week. Exactly which packages were affected is still being nailed down, but the trust assumption buried in “my scanner is clean” turned out to be wrong. That’s uncomfortable.
Langflow, an AI pipeline framework, had a critical vulnerability exploited within about a day of disclosure. One day. If you’re running AI tooling in production and moving slowly on patches, that window is already gone.
GlassWorm added another angle: a supply-chain attack hitting GitHub and npm through Unicode-based obfuscation. Clever precisely because humans don’t inspect Unicode closely.
The supply chain problem has migrated further upstream than most people have caught up to. Auditing code you run isn’t enough anymore. You have to audit where it comes from, who signed it, and whether the release pipeline itself was touched. That includes the security tools.
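An added example, not from the original post: a Python scanner that flags invisible and display-altering Unicode code points in source text, the kind of check that does what human review of a diff does not. The post does not say which code points GlassWorm used, so the categories checked here and the constructed `SAMPLE` input are assumptions.

```python
import unicodedata
from collections import Counter

# Variation selectors render as nothing on their own but can carry data.
VARIATION_SELECTORS = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
# Bidirectional controls make displayed order differ from logical order.
BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))

def classify(ch):
    """Return a label if ch is invisible or display-altering, else None."""
    cp = ord(ch)
    if cp in BIDI_CONTROLS:
        return "bidi-control"
    if any(lo <= cp <= hi for lo, hi in VARIATION_SELECTORS):
        return "variation-selector"
    cat = unicodedata.category(ch)
    if cat == "Cf":
        return "format"        # zero-width space/joiner, tag characters
    if cat == "Co":
        return "private-use"   # no assigned glyph, renderer-dependent
    return None

def scan(text):
    """Return findings as (line, column, 'U+XXXX', label) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue  # a leading byte-order mark is legitimate
            label = classify(ch)
            if label:
                findings.append((lineno, col, f"U+{ord(ch):04X}", label))
    return findings

def per_line(findings):
    """Count findings per line; long runs on one line deserve a close look."""
    return dict(Counter(f[0] for f in findings))

# Constructed sample: line 2 hides three variation selectors inside a
# string literal, line 3 carries a right-to-left override in a comment,
# line 4 holds ordinary accented text that must not be flagged.
SAMPLE = (
    "const greet = 'hello';\n"
    "const pad = '\ufe00\ufe01\U000e0100';\n"
    "// admin check \u202e reversed\n"
    "const ok = 'caf\u00e9';\n"
)

if __name__ == "__main__":
    for line, col, cp, label in scan(SAMPLE):
        print(f"line {line} col {col}: {cp} ({label})")
```

Zero-width joiners inside emoji sequences are a known source of false positives, so treat hits in user-facing strings differently from hits in code, package manifests and build scripts.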
DarkSword used to be the kind of iOS exploit kit that showed up in surveillance campaigns against journalists and dissidents. Nation-state stuff. High resource cost.
Not anymore. Google’s Threat Intelligence Group documented DarkSword being used by multiple distinct actor clusters this week, including commercial surveillance operators. A six-vulnerability iOS chain, shared and reused. The friction required to run a mobile exploitation campaign dropped hard.
Meanwhile, actively exploited Chrome and Android zero-days got patches this week. The patch-and-chase cycle is moving faster than most enterprise update policies were built for.
Mobile patch latency is an enterprise risk metric now. It belongs in the same conversation as server patching. Anyone with access to sensitive systems from their phone needs enforced update timelines, not aspirational ones. For high-risk roles, Lockdown Mode on iOS is worth it.
DOJ formally linked Handala to Iran’s Ministry of Intelligence and Security and seized four domains. Real enforcement. Meaningful.
Handala was back on new infrastructure before the press cycle finished.
This is the deterrence problem with proxy operations: infrastructure is cheap and reconstitution is fast. Domain seizures create friction without lasting disruption. The right mental model for defenders isn’t “the threat is reduced.” It’s “they’re already working on the next setup.” Watch infrastructure patterns, not just specific domains.
Treasury sanctioned six individuals and two entities tied to the DPRK IT worker fraud scheme. Three people got federal sentences. State Department issued more guidance.
None of that changes what got us here. North Korean operatives are applying for remote jobs with fabricated identities, routing pay through third-party networks, and in documented cases, leveraging legitimate access for follow-on extortion after they’re hired.
Enforcement matters. But it doesn’t substitute for making the hiring pipeline harder to exploit. Identity verification at onboarding, device checks that confirm who’s actually behind the keyboard, payment routing scrutiny for remote contractors: those are the controls that catch these actors before they have access.
Sears had an AI chatbot exposing phone calls and text chats to anyone on the web. Aura, an identity protection service, had a breach hitting roughly 900,000 marketing contacts. An Interpol-linked assessment called AI-enabled fraud a systemic economic trend. A conviction came down in an AI music streaming fraud case.
Individually, none of these are catastrophic. Together they describe the same dynamic: AI is lowering the cost of fraud faster than organizations are raising the cost of trust. Verification flows that were adequate before deepfakes aren’t adequate now. Helpdesk authentication that held up against skilled social engineers is under pressure from tools that keep getting cheaper.
It’s economics. Fraud scales because the inputs got cheap. The response has to be structural.
Treat your identity and device management platforms as tier-zero infrastructure. Emergency patch timelines. Detection tuned for behavioral anomalies in how those systems are being used, not just uptime checks. And revisit helpdesk and account-recovery procedures before an attacker does.
The whole week was a demonstration that perimeter-level thinking breaks down the moment attackers go after the things that control the perimeter.
The full breakdown, every story, and what to actually do about it.