Cleartext – March 04, 2026
Wednesday, March 4, 2026·6:11
Show Notes
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 9 stories across 6 topic areas, including: Risky Bulletin: Cyber Command conducted cyberattacks ahead of Iran strikes; Pro-Russia actors team with Iran-linked hackers in attacks; Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack.
Stories Covered
🌍 Geopolitical
Risky Bulletin: Cyber Command conducted cyberattacks ahead of Iran strikes
Risky Business News · Mar 03 · Relevance: █████████░ 9/10
Why it matters to CISOs: Active US cyber operations against Iran signal heightened state-level cyber conflict; CISOs in critical infrastructure and defense supply chains should elevate threat monitoring for retaliatory activity from Iranian and allied threat actors.
- US Cyber Command conducted offensive cyber operations ahead of kinetic strikes on Iran
- Pro-Russia actors are teaming with Iran-linked hackers targeting US and Middle East critical infrastructure
- Cyber operations included disruption of communications and surveillance support
Pro-Russia actors team with Iran-linked hackers in attacks
Cybersecurity Dive · Mar 03 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The convergence of Russian and Iranian threat actors targeting US and Middle East critical infrastructure represents a new cooperative threat model that broadens the adversary capability set CISOs must defend against.
- Pro-Russia and Iran-linked groups formed a loose alliance
- Targeting critical infrastructure in the Middle East and the US
- Alliance formed in the context of the ongoing Iran conflict
Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack
CyberScoop · Mar 03 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The proliferation of a government-grade iOS exploit kit to Russian and Chinese cybercriminals represents a paradigm shift in mobile threat exposure — CISOs must reassess mobile device security postures and MDM enforcement.
- Coruna exploit kit uses 23 exploits across five chains targeting iOS 13–17.2.1
- Kit traced from a spyware vendor's customer to Russian hackers to Chinese cybercriminals
- Possibly tens of thousands of devices infected; kit likely originally built for US government
Sprawling FBI, European operation takes down Leakbase cybercriminal forum
The Record (Recorded Future) · Mar 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The takedown of Leakbase disrupts a major marketplace for stolen credentials and exploits; CISOs should check whether their organizations' data appeared on the forum and assess credential exposure.
- FBI and European law enforcement conducted a global crackdown
- Leakbase was a forum for buying and selling stolen credentials and exploit code
- Operation was multinational in scope
📡 Macro Trends
Zurich Acquires Beazley in $11 Billion Deal to Lead Cyberinsurance
SecurityWeek · Mar 04 · Relevance: █████████░ 9/10
Why it matters to CISOs: This mega-deal reshapes the cyber insurance landscape; CISOs should anticipate changes in policy terms, underwriting standards, and coverage availability as the combined entity consolidates market power.
- Zurich acquiring Beazley for $11 billion
- Deal expected to close in second half of 2026 pending approvals
- Creates a dominant player in the cyber insurance market
🔓 Data Breach
LexisNexis says hackers accessed legacy data in contained breach
The Record (Recorded Future) · Mar 03 · Relevance: ████████░░ 8/10
Why it matters to CISOs: LexisNexis holds massive troves of legal, financial, and personal data used across enterprises; this breach underscores the risk of legacy data stores and the downstream impact on organizations relying on this data.
- Threat actor claimed to steal 2 GB of data including millions of records
- Hackers accessed legacy data systems
- LexisNexis confirmed the breach and described it as contained
⚖️ Governance & Policy
Pentagon vendor cutoff exposes the AI dependency map most enterprises never built
VentureBeat Security · Mar 04 · Relevance: █████████░ 9/10
Why it matters to CISOs: The federal ban on Anthropic technology reveals that most enterprises lack visibility into where AI models are embedded across their supply chains — a critical governance gap CISOs must address before similar mandates or incidents affect them.
- US government agencies ordered to cease using Anthropic technology with a six-month phaseout
- Only 15% of CISOs surveyed said they have mapped AI vendor dependencies
- AI dependencies cascade through vendors and SaaS platforms adopted without procurement review
🚀 Startup Ecosystem
Startup JetStream Secures $34M Seed Round for AI Governance
BankInfoSecurity · Mar 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A $34M seed round for AI governance tooling signals strong investor conviction that CISOs need dedicated platforms to manage shadow AI, MCP servers, and token-level cost controls — a rapidly growing budget category.
- $34 million seed round led by ex-CrowdStrike product leader
- Targets shadow AI, MCP server governance, and token-level spending controls
- Provides visibility and guardrails across cloud and SaaS AI environments
🚨 Critical Vulnerability
CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog
The Hacker News · Mar 04 · Relevance: ████████░░ 8/10
Why it matters to CISOs: VMware Aria Operations is widely deployed in enterprise environments for infrastructure monitoring; an unauthenticated RCE flaw being actively exploited demands immediate patching priority.
- CVE-2026-22719 is a command injection flaw with CVSS 8.1
- CISA added it to KEV catalog citing active exploitation
- Unauthenticated attackers can achieve remote code execution
Further Reading
- 🌍 Risky Bulletin: Cyber Command conducted cyberattacks ahead of Iran strikes — Risky Business News
- 🌍 Pro-Russia actors team with Iran-linked hackers in attacks — Cybersecurity Dive
- 🌍 Possible U.S.-developed exploits linked to first known ‘mass’ iOS attack — CyberScoop
- 🌍 Sprawling FBI, European operation takes down Leakbase cybercriminal forum — The Record (Recorded Future)
- 📡 Zurich Acquires Beazley in $11 Billion Deal to Lead Cyberinsurance — SecurityWeek
- 🔓 LexisNexis says hackers accessed legacy data in contained breach — The Record (Recorded Future)
- ⚖️ Pentagon vendor cutoff exposes the AI dependency map most enterprises never built — VentureBeat Security
- 🚀 Startup JetStream Secures $34M Seed Round for AI Governance — BankInfoSecurity
- 🚨 CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog — The Hacker News
Full Transcript
Alex: Welcome to Cleartext. It's Wednesday, March fourth, twenty twenty-six. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. So the US government apparently built an iOS exploit kit so good that it ended up in the hands of Russian hackers and then Chinese cybercriminals, and now potentially tens of thousands of iPhones are compromised. We'll get to that. But first, we need to talk about the fact that Cyber Command went offensive against Iran before the kinetic strikes, and the alliance forming in the aftermath might be the most consequential threat development of the year so far.
Alex: Big show today. We're covering the US cyber operations against Iran and the Russia-Iran threat actor convergence that's already spinning up. That iOS exploit kit proliferation story Jordan just mentioned. A massive deal reshaping cyber insurance. The Pentagon's Anthropic ban and what it reveals about AI supply chain blindness. A LexisNexis breach. A VMware Aria flaw you need to patch today. And a startup raising thirty-four million at seed for AI governance. Let's get into it.
Jordan: So Risky Business reported Monday that Cyber Command conducted offensive cyber operations ahead of the kinetic strikes on Iran. Communications disruption, surveillance support, the kind of battlefield preparation we've theorized about for years but rarely see confirmed this quickly. What's notable is the speed of attribution. The government wanted this known.
Alex: That's the signal, right? The messaging is deliberate. It says we have these capabilities and we will use them. But for CISOs, the immediate concern isn't the US offensive posture. It's the retaliation calculus. When you punch a nation-state in cyberspace ahead of bombing them, the cyber response is guaranteed.
Jordan: And it's already materializing. Cybersecurity Dive reported that pro-Russia actors have formed a loose alliance with Iran-linked hackers, specifically targeting critical infrastructure in the US and the Middle East. This isn't theoretical. These groups are actively collaborating right now.
Alex: This is what I'd call a cooperative threat model, and it changes the math for defenders. Historically you'd profile Iranian actors and Russian actors separately. Different TTPs, different tooling, different infrastructure. Now you've got Russian operational sophistication, think access brokering, initial access tradecraft, combined with Iranian persistence and destructive intent. The capability set broadens significantly.
Jordan: Right. Iranian groups have always been willing to go destructive. Shamoon, the Albania attacks. Russian groups bring better zero-days, better infrastructure, better operational security. You fuse those two and you get something that's harder to detect and more willing to cause damage. If you're a CISO in energy, water, transportation, defense industrial base, you should be elevating your threat monitoring posture today. Not next week. Today.
Alex: And talk to your threat intel providers. Make sure they're correlating across both actor sets, not siloing them.
Jordan: Now let's connect this to the iOS story because it's actually thematically related. CyberScoop reported on what researchers are calling the Coruna exploit kit. Twenty-three exploits across five chains targeting iOS thirteen through seventeen point two point one. Google's threat analysis group found it in the wild. Here's where it gets really uncomfortable. This kit was likely originally built for the US government. It moved from a spyware vendor's customer to Russian hackers to Chinese cybercriminals. And now it's being used at mass scale. Possibly tens of thousands of devices.
Alex: This is the proliferation problem we've been warning about for years. Government-grade exploits don't stay contained. They leak, they get stolen, they get resold. And when something this sophisticated hits the criminal ecosystem, your entire mobile threat model changes overnight.
Jordan: The sophistication here is real. Five separate exploit chains means redundancy. If one gets patched, the kit pivots to another. This isn't a single vulnerability. It's a platform. And most enterprise MDM deployments aren't configured to detect exploitation at this level. They'll enforce app policies, sure. But kernel-level compromise from a chain like this? Your MDM thinks everything is fine.
Alex: So what's the action? First, enforce iOS updates aggressively. Anything below seventeen point two point two should be off your network. Second, reassess your mobile threat defense tooling. If you don't have endpoint detection on mobile devices, this is the story that justifies the budget. Third, for high-value personnel, executives, board members, anyone with access to sensitive communications, consider dedicated secure devices with restricted app installation.
Jordan: And if you're in the defense supply chain, given the Iran context we just discussed, assume you're a target for exactly this kind of capability.
Alex: Let's shift to something that'll affect every CISO's budget conversation. Zurich is acquiring Beazley for eleven billion dollars. Beazley has been one of the most sophisticated and CISO-friendly cyber insurers in the market. Zurich is a global insurance giant. This creates a dominant player in cyber insurance.
Jordan: And dominant players set terms. That's the concern.
Alex: Exactly. When the deal closes, likely second half of this year, the combined entity will have enormous market power. I'd expect tighter underwriting standards, more prescriptive security control requirements, and potentially less flexibility on policy terms. If you've enjoyed Beazley's relatively progressive approach to cyber coverage, don't assume that survives integration with Zurich's risk appetite.
Jordan: Practically speaking, if your renewal is coming up in the next twelve months, start those conversations early. Lock in terms before the new entity starts flexing.
Alex: And use this as leverage in your board conversations. The insurance market is consolidating because the risk is real and growing. That's an argument for security investment, not against it.
Jordan: Now the Pentagon story. This one is going to resonate with every CISO listening. The federal government ordered all agencies to stop using Anthropic technology with a six-month phaseout. That's a significant mandate. But VentureBeat's reporting surfaces the real problem. Only fifteen percent of CISOs surveyed said they've mapped their AI vendor dependencies.
Alex: Fifteen percent. Let that sink in. Eighty-five percent of security leaders don't know where AI models are embedded in their environments. And these dependencies cascade. Your SaaS vendor uses Anthropic for a feature. Their vendor uses it for data processing. You have no visibility into any of it.
Jordan: This is shadow IT on steroids. At least with shadow IT, someone in the organization made a conscious decision to deploy something. With AI dependencies, your vendors are embedding models into products without telling you, sometimes without even updating their own documentation.
Alex: The federal ban is the canary in the coal mine. Today it's Anthropic and government agencies. Tomorrow it could be any AI provider and any regulatory jurisdiction. If the EU decides a particular model doesn't meet AI Act requirements, and that model is buried three layers deep in your supply chain, you have a compliance problem you don't even know about.
Jordan: So the action here is straightforward but hard. You need an AI dependency map. Not just what your organization has deployed directly, but what your vendors are using. Add AI model disclosure requirements to your vendor questionnaires. Make it part of procurement. And do it now, before you're scrambling with a six-month clock like the federal agencies.
Alex: Quick hit on the LexisNexis breach. A threat actor claims to have stolen two gigabytes of data including millions of records from legacy systems. LexisNexis says it's contained.
Jordan: LexisNexis holds legal, financial, and personal data on an enormous scale. If your organization uses their services, and many do for due diligence, background checks, legal research, you should be asking them directly what data was affected and whether your organization's information was in scope. Don't wait for the notification letter.
Alex: And this is yet another legacy data story. The attackers went after old systems. The data you forgot about is the data that gets stolen.
Jordan: The Leakbase takedown is worth noting. FBI and European law enforcement took down a major forum for stolen credentials and exploit code. Good news. But CISOs should check with their threat intel teams whether their organization's credentials appeared on Leakbase before it went dark. The data that was traded there is still out in the wild.
Alex: On vulnerabilities, CISA added CVE-2026-22719 to the Known Exploited Vulnerabilities catalog. It's a command injection flaw in VMware Aria Operations, CVSS eight point one. Unauthenticated remote code execution. It's being actively exploited.
Jordan: If you run Aria Operations, and a lot of enterprises do for infrastructure monitoring, patch immediately. Unauthenticated RCE in a monitoring platform means attackers get broad visibility into your environment the moment they're in. This is a priority one.
Alex: Last item. JetStream, a startup led by an ex-CrowdStrike product leader, raised thirty-four million at seed for AI governance tooling. They're targeting shadow AI, MCP server governance, and token-level spending controls.
Jordan: Thirty-four million at seed tells you where the smart money thinks the next budget line is forming. MCP server governance is a real emerging need. If you're evaluating tools in this space, JetStream is one to watch, but the market is moving fast. Don't buy the first thing you see.
Alex: Let's talk about the emerging theme. Jordan, the thread I see running through almost every story today is the collapse of containment assumptions.
Jordan: Explain that.
Alex: Cyber weapons built for the US government end up in Chinese criminal hands. AI models embedded by vendors cascade through supply chains invisibly. Russia and Iran fuse their threat capabilities in real time. Legacy data stores you thought were dormant get breached. The assumption that anything stays contained, tools, data, threats, alliances, that assumption is broken.
Jordan: I'd agree. And the operational implication is that static security models fail faster than ever. Your threat model from January is already wrong. Your vendor risk assessment from last quarter didn't account for AI dependencies. Your mobile security posture didn't anticipate a government-grade exploit kit going mass market.
Alex: So the mandate for CISOs right now is continuous reassessment. Not annual. Not quarterly. Continuous. Map your dependencies. Pressure-test your assumptions. And assume that whatever was contained yesterday is in the wild today.
Jordan: Watch the Iran retaliation space over the next seventy-two hours. If critical infrastructure operators aren't at heightened alert, they should be.
Alex: That's our show for Wednesday, March fourth. Thanks for listening to Cleartext.
Jordan: Stay sharp out there.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-04.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.