InfoSec News 03MAR2026

General

• The FBI is on the media path for its "Operation Winter Shield: Ten Actions to Improve Cyber Resilience". As pointed out by Cyber Scoop, this fits much more into the Cybersecurity and Infrastructure Security Agency (CISA)'s mandate.
  Recommendations:
  - Adopt phish-resistant authentication
  - Implement a risk-based vulnerability management program
  - Track and retire end-of-life technology on a defined schedule
  - Manage third-party risk
  - Protect security logs and preserve them for an appropriate time
  - Maintain offline, immutable backups and test restoration
  - Identify, inventory, and protect internet-facing systems and services
  - Strengthen email authentication and malicious content protections
  - Reduce administrator privileges
  - Exercise your incident response plan with stakeholders

“The 10 recommendations that we’re making right now are not a surprise to many people out there who work or have cyber over the last few years, but it’s important that we also highlight that these 10 controls are the ways that we continue to see actors getting into fortune 100 businesses and small to medium businesses in virtually 99% or greater of the investigations we run,” Leatherman said.
...
Leatherman said Winter Shield is meant to serve as a complement to CISA’s work and vice-versa. The international component of the campaign still has an eye on the homeland, he said. “We’re helping partners understand the Internet is so interconnected now, companies are international, and if you just do this work here in the homeland, you’re at risk of actors targeting your international operations and pivoting into U.S.-based work,” he said.

• https://www.fbi.gov/file-repository/operation-winter-shield-slick.pdf/view
• https://cyberscoop.com/brett-leatherman-fbi-cyber-priorities-winter-shield/
• Scalpers looking to profit from RAM scarcity. Memory requirements from AI training and inference is driving up RAM prices (both directly and as manufacturers switch production to High Bandwidth Memory (HBM)).

The Galileo threat research team uncovered a sophisticated operation making over 10 million scraping requests, with bots checking the stock of specific RAM kits every 6.5 seconds.
These bots aggressively target the entire supply chain, from consumer RAM to B2B industrial memory providers and raw hardware components like DIMM sockets.
...
By rapidly snapping up the limited DDR5 memory inventory for profitable resale, these bots further deplete the consumer supply, effectively boxing out legitimate customers and driving market prices even higher.

• https://datadome.co/threat-research/scarcity-ddr5-ram-fueled-by-ai-demand-scalping-surge
• https://www.theregister.com/2026/03/02/memory_scalpers_hunt_scarce_dram/
• It didn't take scammers long to take advantage of the attacks in the Middle East.

In light of the current circumstances, Dubai Police have detected attempts by fraudsters to exploit recent developments by impersonating employees purportedly affiliated with the “Dubai Crisis Management” department and falsely claiming links to Dubai Police.
These attempts aim to unlawfully obtain sensitive information, including UAE Pass credentials and Emirates ID details.

• https://x.com/DubaiPoliceHQ/status/2028240436632916220
• https://www.theregister.com/2026/03/02/dubai_iran_sim_swap/

Getting Techy

• Malwarebytes Labs look at a phishing site with an interesting trick - using Progressive Web Apps (PWA) to visually move away from a normal browser experience. To become a PWA, a website needs a manifest, and a JavaScript 'worker' process, that runs in the browser, in the background (no visible tab).

When installed as a PWA (a Progressive Web App, essentially a website that pins to the home screen and runs in its own window), the browser address bar disappears. The victim sees what looks and feels like a native Google app.
...
When the victim installs the PWA and grants permissions, two separate pieces of code go to work. Understanding which does what explains why closing the tab is not enough.
The page script runs as long as the app is open. It attempts to read the clipboard on focus and visibility-change events, looking for one-time passwords and cryptocurrency wallet addresses. It tries to intercept SMS verification codes via the WebOTP API on supported browsers, builds a detailed device fingerprint, and polls /api/heartbeat every 30 seconds, waiting for the operator to send commands.
The service worker is the part that survives if you close the tab.

• https://www.malwarebytes.com/blog/privacy/2026/02/inside-a-fake-google-security-check-that-becomes-a-browser-rat
• https://www.bleepingcomputer.com/news/security/fake-google-security-site-uses-pwa-app-to-steal-credentials-mfa-codes/
• Arctic Wolf have a write-up on an "India-nexus threat actor" dubbed SloppyLemming (Outrider Tiger, Fishing Elephant). Sloppy by name, sloppy by nature.

Operational security (OPSEC) failures: Multiple C2 domains were discovered operating as open directories, exposing malware components including Havoc C2 framework artifacts. This gave Arctic Wolf researchers an insight into its infrastructure.
...
The first vector uses PDF documents containing embedded malicious URLs that redirect victims to ClickOnce application manifest files, which orchestrate the download and execution of a multi-component payload chain. The second vector uses macro-laden Excel spreadsheets that directly download and execute malicious binaries.
Both attack chains ultimately achieve code execution through DLL search order hijacking, whereby legitimate, digitally signed Microsoft executables are placed alongside malicious DLLs that the executables automatically load during initialization.
...
The technical analysis reveals a threat actor operating with moderate capability: the multi-stage execution chains demonstrate understanding of defense evasion techniques and shows familiarity with Windows internals, while the operational security failures – particularly the open directory exposures – indicate areas where tradecraft falls short of the capabilities of more disciplined threat actors. This assessment aligns with the “Sloppy” designation in the group’s name, which references their historically inconsistent operational security.

• https://arcticwolf.com/resources/blog/sloppylemming-deploys-burrowshell-and-rust-based-rat-to-target-pakistan-and-bangladesh/
• https://therecord.media/india-pakistan-cyber-campaign-apt

Geo-Politics

• The UK's National Cyber Security Centre (NCSC) is warning of heightened risk, due to the war in Iran.

As a result of the ongoing conflict in the Middle East, there is likely no current significant change in the direct cyber threat from Iran to the UK, however due to the fast-evolving nature of the conflict, this assessment may be subject to change.
There is almost certainly a heightened risk of indirect cyber threat for those organisations and entities who have a presence, or supply chains, in the Middle East
Iranian state and Iran-linked cyber actors almost certainly currently maintain at least some capability to conduct cyber activity.
...
Organisations should prepare to respond to the risk of collateral impacts in the UK from Iran-linked hacktivists by reading previously issued advisories on DDoS attacks, phishing activity and ICS Targeting.

• https://www.ncsc.gov.uk/news/ncsc-advises-uk-organisations-take-action-following-conflict-in-middle-east
• https://www.bleepingcomputer.com/news/security/uk-warns-of-iranian-cyberattack-risks-amid-middle-east-conflict/
• https://therecord.media/iran-britain-cyber-threats-warning
• https://www.theregister.com/2026/03/02/ncsc_security_iran/
• One mobile application security company is claiming they've already seen an increase in probes against critical infrastructure, that they're attributing to Iran. However, "The probes stopped on February 27, he added, which may be linked to the internet blackout across all of Iran at the start of the war."

Iranian hackers have launched spying expeditions, digital probes, and distributed denial of service (DDoS) attacks in the wake of the US and Israel launching missile strikes over the weekend, and security researchers urge organizations to expect more cyber intrusions as the war continues.
Most of the cyber activity so far has targeted Israel and Persian Gulf countries - and some of this began well before military campaigns - but threat intel analysts tell The Register that digital attacks against American organizations are inevitable.
Mobile app security firm Approov noted a "significant surge in highly sophisticated probing attacks against APIs and mobile applications that provide critical communication links for regional governments," according to company CEO Ted Miracco. "We have analytical indications that the presumed Iranian actors were scouting and gauging regional infrastructure vulnerabilities."

• https://www.theregister.com/2026/03/02/cyber_warfighters_iran/
• More warnings about potential Iranian attacks

“Iranian cyber espionage has resumed after a brief lull during the initial military strikes, and hacktivist fronts with ties to the IRGC (Islamic Revolutionary Guard Corps) are making claims and threats about disruptive attacks in the region,” John Hultquist, chief analyst, Google Threat Intelligence Group, said on Sunday.
...
Iran-linked groups are expected to launch attacks against U.S., Israeli and Gulf Cooperation Council member countries, with a focus on critical infrastructure providers and other targets of opportunity, Hultquist said.
CrowdStrike researchers on Saturday warned that Iran-aligned groups were already conducting reconnaissance and initiating DDoS attacks.

• https://www.cybersecuritydive.com/news/iran-hackers-threat-level-us-allies/813494/
• [RU] DDoS attacks in Russia, attacking Roskomnadzor (Communications Regulator), Defence Ministry and "Main Radio Frequence Center (GRFC)".

The Russian communications watchdog, Roskomnadzor, said in a statement to several local media outlets on Friday that the attack was a “complex multi-vector” operation originating from servers and botnets located mainly in Russia, as well as in the United States, China, the United Kingdom and the Netherlands.
The incident affected websites operated by Roskomnadzor and the Russian Defense Ministry, as well as infrastructure belonging to the Main Radio Frequency Center (GRFC), a subordinate agency responsible for monitoring telecommunications networks and enforcing internet restrictions.
...
The group responsible for the attack has not been identified, and no threat actor had publicly claimed responsibility as of the time of publication.

• https://therecord.media/cyberattack-briefly-takes-down-russian-government-websites
• [US] Cyber Command has its "me too" moment, in attacks against Iran.

“Coordinated space and cyber operations effectively disrupted communications and sensor networks across the area of responsibility, leaving the adversary without the ability to see, coordinate or respond effectively,” Caine said.
...
There have been a handful of apparent cyber operations since the joint U.S.-Israeli attacks on targets across Iran began on Saturday, including the hacking of multiple news websites and a religious calendar app, reportedly by Israeli digital forces, with messages urging defections and resistance to the government regime.
Officials in both Washington and Jerusalem are girding for potential retaliatory cyberattacks by Iranian proxy groups or Tehran’s allies. In the past, Iran has conducted a range of malicious activities, from ransomware strikes to denial-of-service attacks.

• https://therecord.media/iran-cyber-us-command-attack
• https://www.war.gov/News/Transcripts/Transcript/Article/4418959/secretary-of-war-pete-hegseth-and-chairman-of-the-joint-chiefs-of-staff-gen-dan/
• [US] Continuing fallout from the Immigrations and Customs Enforcement (ICE) raids - the "Department of Peace" has leaked a large number of contracts between the Department of Homeland Security (DHS - of which ICE is a part) and various organisations.

Details on ICE and DHS contracts with over 6,000 different entities ranging from private businesses to government agencies and even dozens of universities. Some of the notable firms include Anduril, HBGary, L3Harris, Microsoft, Oracle, Palantir and Raytheon.
The data was hacked from DHS' Office of Industry Partnership and leaked by a group calling themselves the Department of Peace.
...
Why hack the DHS? I can think of a couple Pretti Good reasons! I'm releasing this because the DHS is killing us and people deserve to know which companies support them and what they're working on.

• https://ddosecrets.org/article/ice-contracts
• https://micahflee.github.io/ice-contracts
• https://techcrunch.com/2026/03/02/hacktivists-claim-to-have-hacked-homeland-security-to-release-ice-contract-data/

Privacy

• [AU] The Office of the Australian Information Commissioner (OAIC) has announced a "new approach" - shifting focus from individual issues and complaints, to system problems and enforcement.

Over the past twelve months, the OAIC has been intentionally shifting to a greater focus on enforcement, acknowledging the considerable deterrent and educative benefits of proportionate regulatory action. Our approach is designed to ensure maximum impact in elevating privacy practices across all sectors. The early results from that shift speak for themselves: the $5.8 million civil penalty imposed on Australian Clinical Labs, the civil penalties proceedings we filed against Optus and Medibank, and the watershed settlement of $50 million we obtained from Meta Platforms are three examples. Other landmark determinations have sought to update the application of the Privacy Act in light of new technologies, such as with respect to facial recognition in the Bunnings and Kmart decisions.
...
A key area in which we’ll be changing our approach relates to how we handle individual privacy complaints.
Going forward, we need to take a robust approach to assessing the validity of individual privacy complaints, and deciding which privacy complaints warrant an investigation in all of the circumstances.
...
Not all individual privacy complaints will be taken through to investigation. In exercising our discretion under the Privacy Act, we will take into account a range of considerations including our enforcement-focussed stance and our regulatory priorities.
...
We currently have a significant backlog of individual privacy complaints that we are actively seeking to address. As at February 2026, it is unlikely that we will be able to substantially progress new validly lodged individual privacy complaints for some 6 to 12 months after they are lodged (unless we determine there are exceptional circumstances which may warrant expeditious consideration).

• https://www.oaic.gov.au/news/blog/handling-privacy-complaints-a-new-approach-for-a-new-era
• https://www.itnews.com.au/news/privacy-watchdog-to-refocus-on-systemic-harms-and-market-practices-623979

AI

• Shock and surprise - OpenClaw - an 100% vibe-coded application - has a security hole! The details are actually interesting - and something likely to catch developers out. Cross Origin Resource Sharing (CORS) policies, designed to stop a malicious site tampering with another site, don't protect WebSockets. In this case, a WebSocket, bound to localhost, designed for local Command Line Interface (CLI) usage. To avoid blocking the local user, the localhost WebSocket doesn't have rate-limits or lockouts. With no CORS to protect against attacks from malicious JavaScript on another site, and no rate-limits, attackers can brute-force the credentials.

At its core, OpenClaw runs a gateway, a local WebSocket server that acts as the brain of the operation. The gateway handles authentication, manages chat sessions, stores configuration, and orchestrates the AI agent.
Connected to the gateway are nodes—these can be the macOS companion app, an iOS device, or other machines. Nodes register with the gateway and expose capabilities, running system commands, accessing the camera, reading contacts, and more. The gateway can dispatch commands to any connected node.
Authentication is handled via either a token (a long random string) or a password. The gateway binds to localhost by default, based on the assumption that local access is inherently trusted.
...
There's an inherent trust that the gateway places in locally originating connections. This makes sense when you think about the intended use case—local tools like the CLI, the macOS companion app, or the web dashboard all connect from localhost. But the designers likely did not consider this scenario: a third-party website, controlled by an attacker, whose code also runs in the browser and originates from localhost in the context of the connection.

• https://www.oasis.security/blog/openclaw-vulnerability
• https://www.bleepingcomputer.com/news/security/clawjacked-attack-let-malicious-websites-hijack-openclaw-to-steal-data/
• Developer productivity dives, as they have to remember how to write code again... Anthropic suffered an outage with their Claude models.

Claude appears to be having a major outage, with elevated errors reported across all platforms.
The incident was flagged on March 2, 2026 at 11:30 UTC, and it’s impacting users broadly rather than being limited to one app or region.
...
At 18:54 UTC, Anthropic again said a fix was implemented, and monitoring was underway. However, Opus 4.6 continues to have issues in our tests.

• https://www.bleepingcomputer.com/news/artificial-intelligence/anthropic-confirms-claude-is-down-in-a-worldwide-outage/
• https://status.claude.com/ / https://archive.is/tR4CE
• https://downdetector.com/status/claude-ai/