InfoSec News 04FEB2026
General
- Interesting work from Greynoise, looking at when the US Cybersecurity and Infrastructure Security Agency (CISA) changes an entry's 'knownRansomwareCampaignUse' field in its Known Exploited Vulnerabilities (KEV) list from 'Unknown' to 'Known'. If being in KEV isn't enough to encourage patching, being known to be used by ransomware operators definitely should be. There are no announcements when this changes, so Greynoise looked at when it happens and has released a news feed for these changes.
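As an added illustration (not Greynoise's tooling), this is the kind of daily diff that catches the silent flag change described above: two snapshots in the shape of CISA's KEV JSON feed are compared and any entry whose ransomware flag flipped, or that arrived already flagged, is reported. The snapshots are constructed and the CVE ids are placeholders.

```python
import json

# Constructed snapshots in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE ids are placeholders, not entries from the real catalog.
YESTERDAY = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "knownRansomwareCampaignUse": "Unknown", "dueDate": "2026-02-20"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Hypervisor",
     "knownRansomwareCampaignUse": "Known", "dueDate": "2026-01-15"},
]})
TODAY = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "knownRansomwareCampaignUse": "Known", "dueDate": "2026-02-20"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Hypervisor",
     "knownRansomwareCampaignUse": "Known", "dueDate": "2026-01-15"},
    {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "Mail Server",
     "knownRansomwareCampaignUse": "Known", "dueDate": "2026-02-25"},
]})

def index_by_cve(snapshot: str) -> dict:
    """Map cveID -> entry for one KEV snapshot."""
    return {v["cveID"]: v for v in json.loads(snapshot)["vulnerabilities"]}

def is_known(entry: dict) -> bool:
    """The flag is free text in the feed, so compare case-insensitively."""
    return entry.get("knownRansomwareCampaignUse", "").strip().lower() == "known"

def ransomware_changes(old_snapshot: str, new_snapshot: str) -> dict:
    """CVEs whose flag flipped to Known since the old snapshot, and CVEs added already Known."""
    old, new = index_by_cve(old_snapshot), index_by_cve(new_snapshot)
    flipped = sorted(c for c, e in new.items() if is_known(e) and c in old and not is_known(old[c]))
    added_known = sorted(c for c, e in new.items() if is_known(e) and c not in old)
    return {"flipped": flipped, "added_known": added_known}

def alert_lines(changes: dict, new_snapshot: str) -> list:
    """Human-readable lines for a daily feed (e.g. to post to a chat channel)."""
    new = index_by_cve(new_snapshot)
    lines = []
    for label, key in (("RANSOMWARE FLAG FLIPPED", "flipped"), ("ADDED AS RANSOMWARE-KNOWN", "added_known")):
        for cve in changes[key]:
            e = new[cve]
            lines.append(f"{label}: {cve} ({e['vendorProject']} {e['product']}), due {e['dueDate']}")
    return lines
```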
- Iron Mountain are claiming the Everest Ransomware crew only got marketing materials.
Iron Mountain has been around since 1951 and specialises in 'enterprise information management': "We help organizations of all sizes seamlessly manage their digital and physical assets across their lifecycle—making them visible, secure, accessible, and AI-ready." It started as physical records storage in a disused iron-ore mine, "offering bomb-resistant storage".
"No customer confidential or sensitive information has been involved. A single compromised login credential was used to gain access to one folder, consisting primarily of marketing materials shared with third-party vendors on a public-facing file-sharing site ...
At this time, we also confirm that no Iron Mountain systems have been breached, and there is no ransomware or malware involvement, or any other cyber activity, beyond the compromised folder credential, which has since been deactivated."
- https://www.bleepingcomputer.com/news/security/iron-mountain-data-breach-mostly-limited-to-marketing-materials/
- https://www.ironmountain.com/about-us/history
- Someone is scanning for Citrix ADC and Netscaler Gateways - expect a zero-day to be announced in the next 60 days.
Between January 28 and February 2, 2026, the GreyNoise Global Observation Grid tracked a coordinated reconnaissance campaign against Citrix ADC Gateway and Netscaler Gateway infrastructure. The campaign ran two distinct modes: a massive distributed login panel discovery operation using residential proxy rotation, and a concentrated AWS-hosted version disclosure sprint.
The numbers tell the story: 111,834 sessions, 63,000+ unique source IPs, and a 79% targeting rate against Citrix Gateway honeypots specifically. That last number matters—it’s well above baseline scanning noise, indicating deliberate infrastructure mapping rather than opportunistic crawling.
...
Organizations running internet-facing Citrix infrastructure should treat this activity as a pre-attack signal. The 79% targeting rate isn’t mere “noise”. Someone is almost certainly building a target list.
- https://www.labs.greynoise.io/grimoire/2026-02-02-citrix-recon-residential-proxies/index.html
- https://www.bleepingcomputer.com/news/security/wave-of-citrix-netscaler-scans-use-thousands-of-residential-proxies/
- Further reporting on Meta's advertising platform, and how many of its ads are scams.
Over a 23-day period, Gen Threat Labs analyzed 14.5 million ads running on Meta platforms across the EU and UK, representing more than 10.7 billion impressions. Nearly one in three of those ads (30.99%) pointed to a scam, phishing or malware link. In total, scam ads generated more than 300 million impressions in less than a month. The activity was highly concentrated, with just 10 advertisers responsible for over 56% of all observed scam ads.
...
Rather than chasing individual scam examples, we built a large-scale measurement pipeline around Meta’s Ad Transparency API, which provides visibility into ads that are currently active or were recently active on Meta platforms. Each day, we collected ads that were active or had recently been active, contained English ad text, and were delivered to users in regions covered by Meta’s Ad Transparency Library, primarily the EU and UK.
In short: 10% of Meta's gross revenue comes from ads for fraudulent goods and scams; the company knows it; and it decided not to do anything about it.
- (Previous reporting) https://pluralistic.net/2025/11/08/faecebook/#too-big-to-care
- [FR] Fallout from X's image-manipulation tool (aka 'Grok') continues - from the Paris Public Prosecutor's Office (auto-translated):
A search is being carried out today in the French premises of Platform X, as part of the investigation opened in January 2025 by the cybercrime section of the Paris Public Prosecutor's Office, with the National Cyber Unit of the National Gendarmerie • UNCyber and in the presence of Europol.
At the same time, summonses for free hearings on April 20, 2026 in Paris were sent to Mr. Elon MUSK and Mrs. Linda YACCARINO, in their capacity as de facto and de jure managers of Platform X at the time of the facts. The conduct of this investigation is at this stage part of a constructive approach, with the aim of ultimately ensuring that Platform X complies with French laws, insofar as it operates on the national territory.
- https://www.tribunal-de-paris.justice.fr/sites/default/files/2026-02/20260203CPXFrance.pdf
- https://www.linkedin.com/posts/parquet-de-paris_cp-perquisition-x-parquet-de-paris-activity-7424403936779952128-4SET/
- https://www.bbc.com/news/articles/ce3ex92557jo
- https://www.bleepingcomputer.com/news/security/french-prosecutors-raid-x-offices-over-grok-sexual-deepfakes/
- https://therecord.media/french-police-raid-x-offices-elon-musk-image-incident
- https://www.theregister.com/2026/02/03/french_police_raid_x/
- [UK] Not to be left out - the UK data protection authority (Information Commissioner's Office - ICO) has launched its own formal investigation into X and Grok.
The Information Commissioner’s Office (ICO) has opened formal investigations into X Internet Unlimited Company (XIUC) and X.AI LLC (X.AI) covering their processing of personal data in relation to the Grok artificial intelligence system and its potential to produce harmful sexualised image and video content.
We have taken this step following reports that Grok has been used to generate non‑consensual sexual imagery of individuals, including children. The reported creation and circulation of such content raises serious concerns under UK data protection law and presents a risk of significant potential harm to the public.
...
The ICO is the UK’s independent regulator for data protection. Our role is to uphold information rights in the public interest and protect individuals’ personal data. ...
Where organisations fail to meet these obligations, the ICO has a range of enforcement powers. These include issuing information notices, assessment notices and enforcement notices, as well as imposing monetary penalties.
Under the UK GDPR and Data Protection Act 2018, the ICO can issue fines of up to £17.5 million or 4% of an organisation’s annual worldwide turnover, whichever is higher.
Getting Techy
- Further investigations into the Notepad++ supply chain attacks - this time from Kaspersky. Kaspersky identified three separate attack chains being distributed, with the third (October 2025) aligning with Rapid7's earlier 'Chrysalis' reporting.
We observed three different infection chains overall designed to attack about a dozen machines, belonging to:
- Individuals located in Vietnam, El Salvador and Australia;
- A government organization located in the Philippines;
- A financial organization located in El Salvador;
- An IT service provider organization located in Vietnam.
- Nitrogen ransomware authors made a mistake in their code (hand-rolled assembly?) for encrypting ESXi. The bad news: data is encrypted with a key that even the ransomware operators don't know, leaving it unrecoverable without backups.
Because of this bug, the corrupted public key is used in the key exchange to encrypt each file. Normally, when a public-private Curve25519 keypair is generated, the private key is generated first, and then the public key is derived from the private key. The resulting corrupted public key wasn't generated based on a private key; it was generated by mistakenly overwriting a few bytes of another public key. The final outcome is that no one actually knows the private key that goes with the corrupted public key. Files that were encrypted with the corrupted public key cannot be decrypted by any means, including by paying a ransom. The threat actors themselves will be unable to decrypt the files in a test.
Geo-Politics
- [DE] Two arrested over sabotage of German Navy vessels. No mention of motivation, or whether there are external (e.g. State) links.
The two suspects, who work at the Port of Hamburg, are suspected to have attempted acts of sabotage in 2025. This includes dumping more than 20 kilogrammes of abrasive gravel into the engine block of German navy ships, puncturing the fresh water supply lines, removing fuel tank caps and the deactivation of electronic safety switches.
- [ES] Social-media bans for under-15s/under-16s are spreading rapidly, with Spain the latest to ban under-16s.
Spanish Prime Minister Pedro Sanchez said on Tuesday that the country will ban children under age 16 from accessing social media and will mandate that platforms require age verification.
...
"We will protect [children] from the digital Wild West," Sanchez reportedly said in remarks at the World Government Summit in Dubai. "Social media has become a failed state, where laws are ignored, and crimes are tolerated.”
The Spanish government also will reportedly introduce legislation next week to regulate social media content.
- https://therecord.media/spain-to-ban-social-media-children
- https://www.euronews.com/next/2026/02/03/spain-to-ban-social-media-platforms-for-children-under-16-prime-minister-pedro-sanchez-ann
- [PL] A civilian worker at Poland's Ministry of National Defence has been arrested on suspicion of spying for Russia and Belarus.
The 60-year-old detainee, a Polish national, worked in the Ministry of National Defense’s strategy and planning department, including on military modernization projects, officials said. He was arrested at his workplace at the ministry’s headquarters in Warsaw.
...
According to Jacek Dobrzyński, spokesman for the minister-coordinator of special services, investigators collected extensive evidence confirming the detainee’s espionage activities. “The evidence indicates that this man betrayed Poland and acted on behalf of a foreign intelligence service,” Dobrzyński told local media.
- [PL] On the more amateur end of the spectrum - a 20-year-old has been arrested for running and using a DDoS botnet.
Officials said on Tuesday morning the suspect used "C2 stresser" and "Command and Control Node" machines to carry out the attacks, referring to the overall mechanism as a multi-layered botnet.
...
Following the man's arrest at his apartment, officers seized his computer equipment, saying that in doing so they "dismantled the IT infrastructure used to host and distribute DDoS attack tools."
- [US] States aren't happy at the reduction in funding and support for elections, in part driven by the severe cuts to the Cybersecurity and Infrastructure Security Agency (CISA). CISA was created in 2018 under Trump, subsuming the 2007-created National Protection and Programs Directorate. Since returning to power, Trump has been stripping the agency back.
US 'Midterm elections' will occur in November this year, for all seats in the House of Representatives, a third of the seats in the Senate, and for governors of 34 of the 50 states.
Cuts to CISA’s funding and staff, combined with the absence of dedicated congressional funding for election security grants, have “created a scenario where states may feel a lot more like they’re going it alone than as opposed to working in partnership,” said Padilla.
...
Arizona is one of several states scrambling to find new ways to pay for election security as the federal government pulls back. States are now relying on just $45 million in federal election security grant funding from the Election Assistance Commission—less than $1 million per state on average—while election-security expertise at CISA has been sharply reduced.
- https://cyberscoop.com/cisa-election-security-cutbacks-states-trump-administration/
- https://edition.cnn.com/2026/01/17/politics/midterm-elections-trump-2026-analysis
- [US] The National Cyber Director (Sean Cairncross) is sticking with Trump's less-red-tape policy, asking for industry feedback on where regulation causes friction.
“You know your regulatory scheme better than I do: Where there’s friction, where there’s frustration with information sharing, what sort of information is shared, the process through which it’s shared,” he said. “It is helpful for us to hear that and have that feedback so that we can address it, engage it and try to make it better.”
Privacy
- [US] In what is hopefully a positive privacy trend, Mountain View, California Police have (at least temporarily) turned off Flock cameras.
“While the Flock Safety pilot program demonstrated clear value in enhancing our ability to protect our community and help us solve crimes, I personally no longer have confidence in this particular vendor,” Canfield’s letter said. “Like many of you, I was deeply disappointed to learn that Flock Safety did not meet the city's requirements regarding our data access control and transparency.”
The police department reportedly learned that the out-of-state agencies and other police departments in California were searching its database following a public records request by a local news outlet.
As they prepared to answer the public records request, Mountain View Police learned that Flock had turned on a statewide lookup tool without their permission, a feature which allowed hundreds of California police departments to search their data for 17 months.
Canfield also said the state learned that out-of-state agencies had illegal access to one Mountain View camera from August through November 2024.
- [US] In more troubling news, reports that the Department of Homeland Security (DHS) is abusing the 'administrative subpoena' process ("a powerful legal tool that, unlike the ones people are most familiar with, federal agencies can issue without an order from a judge or grand jury.") to harass people opposed to current immigration enforcement actions. To fight an administrative subpoena served on Google, a defendant "would have to file a motion in federal court and submit it to Google within seven days.", even though DHS needs no court oversight or approval to issue the request in the first place.
Though the U.S. government had been accused under previous administrations of overstepping laws and guidelines that restrict the subpoenas’ use, privacy and civil rights groups say that, under President Donald Trump, Homeland Security has weaponized the tool to strangle free speech.
...
Homeland Security is not required to share how many administrative subpoenas it issues each year, but tech experts and former agency staff estimate it’s well into the thousands, if not tens of thousands. Because the legal demands are not subject to independent review, they can take just minutes to write up and, former staff say, officials throughout the agency, even in mid-level roles, have been given the authority to approve them.
- (Washington Post) https://archive.is/osGve
- https://techcrunch.com/2026/02/03/homeland-security-is-trying-to-force-tech-companies-to-hand-over-data-about-trump-critics/
- (Google stats on Subpoenas, Search Warrants, etc) https://transparencyreport.google.com/user-data/overview?hl=en&user_requests_report_period=series:requests,accounts;authority:US;time:&lu=user_requests_report_period
- [US] Trump really doesn't like people looking at his finances.
We all know that President Trump thinks a lot of himself, but he’s put a $10 billion price on the amount of harm his leaked tax returns allegedly caused him and his sons.
Yes, Charles Littlejohn, a former Booz Allen employee, apparently decided to leak the tax returns of about 400,000 wealthy Americans, and gave the files to the New York Times and ProPublica, who did what you would expect them to do — report what they found in examining the files.
AI
- Ars Technica have written a piece comparing agentic AI with the Morris Worm of the late 1980s.
Security researchers have already predicted the rise of this kind of self-replicating adversarial prompt among networks of AI agents. You might call it a “prompt worm” or a “prompt virus.” They’re self-replicating instructions that could spread through networks of communicating AI agents similar to how traditional worms spread through computer networks. But instead of exploiting operating system vulnerabilities, prompt worms exploit the agents’ core function: following instructions.
...
Until roughly last week, large networks of communicating AI agents like these didn’t exist. OpenAI and Anthropic created their own agentic AI systems last year that can carry out multistep tasks, but generally, those companies have been cautious about limiting each agent’s ability to take action without user permission. And they don’t typically sit and loop due to cost concerns and usage limits.
Enter OpenClaw, which is an open source AI personal assistant application that has attracted over 150,000 GitHub stars since launching in November 2025.
...
Most notably, the OpenClaw platform is the first time we’ve seen a large group of semi-autonomous AI agents that can communicate with each other through any major communication app or sites like Moltbook, a simulated social network where OpenClaw agents post, comment, and interact with each other. The platform now hosts over 770,000 registered AI agents controlled by roughly 17,000 human accounts.
OpenClaw is also a security nightmare. Researchers at Simula Research Laboratory have identified 506 posts on Moltbook (2.6 percent of sampled content) containing hidden prompt-injection attacks.