InfoSec News 04MAR2026
General
- Android users, it's patch time. Eleven 'Critical' bugs, including a Qualcomm display bug that Google have flagged "Note: There are indications that CVE-2026-21385 may be under limited, targeted exploitation."
- LexisNexis has confirmed a data breach
The company's data breach confirmation comes as a threat actor named FulcrumSec leaked 2GB of files on various underground forums and sites.
LexisNexis L&P is a global provider of legal, regulatory, and business information, research tools, and analytics used by lawyers, corporations, governments, and academic institutions in more than 150 countries worldwide.
...
The threat actor says that on February 24 they gained access to the company's AWS infrastructure by exploiting the React2Shell vulnerability in an unpatched React frontend app.
LexisNexis L&P admitted that hackers breached its network, noting that the stolen information was old and consisted mostly of non-critical details.
...
“These servers contained mostly legacy, deprecated data from prior to 2020, including information such as customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets”
- https://www.bleepingcomputer.com/news/security/lexisnexis-confirms-data-breach-as-hackers-leak-stolen-files/
- https://therecord.media/lexisnexis-says-hackers-accessed-legacy-data
- https://x.com/DarkWebInformer/status/2028862384765341767
- AWS are now attributing their outages in the Middle East to drone strikes.
Mar 02 4:19 PM PST We are providing an update on the ongoing service disruptions affecting the AWS Middle East (UAE) Region (ME-CENTRAL-1) and the AWS Middle East (Bahrain) Region (ME-SOUTH-1). Due to the ongoing conflict in the Middle East, both affected regions have experienced physical impacts to infrastructure as a result of drone strikes. In the UAE, two of our facilities were directly struck, while in Bahrain, a drone strike in close proximity to one of our facilities caused physical impacts to our infrastructure. These strikes have caused structural damage, disrupted power delivery to our infrastructure, and in some cases required fire suppression activities that resulted in additional water damage. We are working closely with local authorities and prioritizing the safety of our personnel throughout our recovery efforts.
...
We continue to strongly recommend that customers with workloads running in the Middle East take action now to migrate those workloads to alternate AWS Regions. Customers should enact their disaster recovery plans, recover from remote backups stored in other Regions, and update their applications to direct traffic away from the affected Regions. For customers requiring guidance on alternate regions, we recommend considering AWS Regions in the United States, Europe, or Asia Pacific, as appropriate for your latency and data residency requirements.
Getting Techy
- WatchTowr Labs have been busy - this week they're exploring a vulnerability in the Juniper JunOS Evolved platform.
- Google Threat Intelligence Group (GTIG) identified an exploit kit dubbed "Coruna", that "contained five full iOS exploit chains and a total of 23 exploits". It targeted older devices - "Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023)". Keep your devices up-to-date, and try out Lockdown Mode.
Over the course of 2025, GTIG tracked its use in highly targeted operations initially conducted by a customer of a surveillance vendor, then observed its deployment in watering hole attacks targeting Ukrainian users by UNC6353, a suspected Russian espionage group. We then retrieved the complete exploit kit when it was later used in broad-scale campaigns by UNC6691, a financially motivated threat actor operating from China.
...
Bailing out if the device is in Lockdown Mode, or the user is in private browsing.
...
The injected payload doesn’t exhibit the usual capabilities that we would expect to see from a surveillance vendor, but instead steals financial information. The payload can decode QR codes from images on disk. It also has a module to analyze blobs of text to look for BIP39 word sequences or very specific keywords like “backup phrase” or “bank account.” If such text is found in Apple Memos it will be sent back to the C2.
Geo-Politics
- There appears to be a rift developing in the design of 6G networks. China is promoting its own state-backed initiatives, whilst the "Global Coalition on Telecoms" (GCOT) is promoting a more Western view.
A group of Western and Indo-Pacific nations launched a coalition on Tuesday aimed at shaping the security foundations of next-generation 6G mobile networks, as China accelerates its own research and investment in the technology.
...
Drawing on lessons from the global rollout of 5G, the non-binding principles aim to ensure that future 6G networks are “secure by design” and resilient from the outset rather than retrofitted with protections late
...
Beijing has prioritized 6G research through state-backed initiatives, including the IMT-2030 (6G) Promotion Group, and has emphasized participation in global standards-setting bodies including the International Telecommunication Union and 3GPP.
- Unsurprisingly "Pro-Russia threat actors have formed a loose coalition with Iran-nexus hacking groups in response to the bombing campaign launched by the U.S. and Israel on Iran.". NoName057(16) is a Russian - almost certainly government-sponsored - 'hacktivist' group.
A group called the Cyber Islamic Resistance working with NoName057(16) targeted an Israeli defense contractor along with multiple municipal governments in a large-scale distributed denial of service attack, Flashpoint said.
- https://www.cybersecuritydive.com/news/pro-russia-actors-support-iran-nexus-hackers/813647/
- https://flashpoint.io/blog/escalation-in-the-middle-east-operation-epic-fury/
- [US] The brain-drain in the Cybersecurity and Infrastructure Security Agency (CISA) continues, as the CIO - Robert Costello - resigns.
Privacy
- Generative Engine Optimisation (GEO) - the creepier version of Search Engine Optimisation (SEO), applied to Generative AI models. Dodgy browser extensions are recording users' chatbot sessions, which are then marketed to advertisers. As might be expected, the (unredacted) sessions are a privacy nightmare.
Dryburgh said he had access to a major VC-backed generative engine optimization platform and, through that platform, was able to examine the aggregated clickstream data made available to customers.
...
One set of queries returned conversations about depression, suicide, self-harm, medication, abuse, and eating disorders. A second provided access to chat about substance abuse, medical diagnoses, financial vulnerability, children, sexuality, and immigration. A third covered HIV/STDs, cancer, fertility/pregnancy, children, sexual violence, financial crisis, and medical diagnoses. And a fourth provided chats about clinical HIPAA notes, legal PII, relationships, gender identity, criminal records, workplace harassment, and religious identity.
- https://www.theregister.com/2026/03/03/chatbot_data_harvesting_personal_info/
- https://a16z.com/geo-over-seo/
- https://www.koi.ai/blog/urban-vpn-browser-extension-ai-conversations-data-collection
- [US] The legality of "geofence warrants" is being challenged in the US Supreme Court.
A geofence warrant is also known as a "reverse search warrant" because they let police demand technology companies pinpoint all mobile devices present in a specific geographic area during a particular time span. Geofence warrants help police find suspects, but sweep up the location of many innocent people, creating privacy and civil liberties concerns, critics say.
...
In its amicus brief, Google called the warrants a violation of people’s rights and said that in recent months it has objected to more than 3,000 geofence warrants on constitutional grounds.
...
Google also took issue with how geofence warrants sweep up innocent people and expose their sensitive locations. It said it has objected to thousands of “overbroad” geofence warrants, including some that would have exposed the location of thousands of innocent people.
...
“No court would authorize a physical search of hundreds of people or places, yet geofence warrants sometimes do so by design,” Google’s brief argued.
...
Individuals’ documents and data stored electronically and securely in remote servers are the modern-day “papers[] and effects” protected by the Fourth Amendment. Though kept on servers in “the cloud,” these documents are not publicly accessible.... These documents are therefore not ordinary business records maintained by a third party that happen to concern an individual; they are the user’s personal records. Those papers and effects do not lose Fourth Amendment protection merely because they were stored by Google on behalf of the user.
- https://therecord.media/google-urges-supreme-court-strike-down-geolocation-warrants
- https://www.supremecourt.gov/DocketPDF/25/25-112/399674/20260302134430681_25-112%20Google%20Chatrie%20Amicus.final.pdf
- [US] California is leading the way, with the California Privacy Protection Agency (CPPA) taking a ticketing company to task for its lack of a reasonable opt-out from tracking.
The CPPA alleges that PlayOn Sports collected students' personal data and delivered targeted advertising by using tracking technologies without providing a “sufficient way to opt out.”
...
During the relevant time period, PlayOn’s Digital Properties Collected Personal Information using first- and third-party cookies, persistent trackers, and similar Tracking Technologies (e.g., MetaPixel) for the purpose of providing advertisements, among other things. PlayOn subsequently Sold and Shared the Personal Information it Collected with advertising, social media, and analytics partners.
...
These notice banners required Consumers to click “Agree” to the use of these Tracking Technologies and provided no other way to close the notice banner without clicking on “Agree.”
When using PlayOn’s GoFan ticketing platform on a phone or mobile device, the notice banner covered the portion of the screen that allowed the Consumer to “use” or redeem the ticket. Thus, Consumers were forced to first click “Agree” on the notice banner in order to use their ticket
...
PlayOn failed in its responsibility to provide a method for opting out of the Sale/Sharing of Personal Information by certain Tracking Technologies and instead stated in its privacy policy that Consumers should opt-out directly with third parties via the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA).
...
In accordance with Civil Code § 1798.199.55, PlayOn shall pay an administrative fine in the amount of one million one hundred thousand dollars ($1,100,000).
AI
- Zenity Labs explored the Perplexity 'agentic' web browser, showing that assumptions around the 'user' of the browser are invalidated in agentic use-cases. This is a really important consideration when agents are given access to normal human-use tools: the assumption that the user of the tool won't do something malicious or stupid no longer holds.
browsers are not isolated from the host machine. In addition to rendering web content, a browser can access local resources through supported schemes such as file://. This behavior is well understood and widely accepted, as it is typically exercised only through explicit user navigation.
...
From a traditional browser security perspective, this is expected behavior. The browser does not act on its own. It only navigates to this location when the user explicitly requests it.
...
Once Comet treats attacker-controlled content as authoritative, it can cross trust boundaries that are normally separated by explicit user action. In our case, the agent moved laterally from untrusted web content to the local machine by navigating to file://, traversing directories, opening local files, and then exfiltrating their contents through ordinary browser navigation.
- https://labs.zenity.io/p/perplexedbrowser-perplexity-s-agent-browser-can-leak-your-personal-pc-local-files
- https://cyberscoop.com/agentic-ai-browsers-allow-hijacking-zenity-labs-comet/
- https://www.theregister.com/2026/03/03/perplexity_comet_browser_hole_cal_invite/
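The trust-boundary problem above (page content steering the agent to file://, then out to the network) is the kind of thing a navigation policy in the agent layer can catch. The following is an added example, not Zenity's or Perplexity's code: a small guard that tags every navigation request with its origin (explicit user action vs. an instruction the agent derived from web content), refuses local targets unless a human asked for them, and, once a local resource has been opened in the task, refuses content-driven navigation to the network. The `Origin` labels, the `LOCAL_SCHEMES` set and the `example.invalid` URLs are assumptions constructed for the demo.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple
from urllib.parse import urlparse


class Origin(Enum):
    """Who asked for the navigation (hypothetical provenance tag)."""
    USER = "user"                # explicit human action: typed URL, click
    WEB_CONTENT = "web_content"  # instruction the agent derived from page text


# Schemes and hosts that reach the local machine rather than the internet
# (assumed policy set; extend for the browser you actually run).
LOCAL_SCHEMES = {"file", "about", "chrome", "view-source"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}


@dataclass(frozen=True)
class NavRequest:
    url: str
    origin: Origin


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def is_local_target(url: str) -> bool:
    """True if the URL would touch local files, browser internals or loopback."""
    p = urlparse(url)
    if p.scheme in LOCAL_SCHEMES:
        return True
    host = (p.hostname or "").lower()
    return host in LOOPBACK_HOSTS or host.endswith(".localhost")


@dataclass
class NavigationGuard:
    """Per-task policy: local targets need a human behind them, and once local
    content has been read, content-derived navigation to the network is denied."""
    local_content_read: bool = False
    audit: List[str] = field(default_factory=list)

    def evaluate(self, req: NavRequest) -> Decision:
        p = urlparse(req.url)
        if not p.scheme:
            d = Decision(False, "unparseable URL: no scheme")
        elif is_local_target(req.url):
            if req.origin is Origin.USER:
                self.local_content_read = True  # taint the task from here on
                d = Decision(True, "local target explicitly requested by the user")
            else:
                d = Decision(False, f"local target ({p.scheme}://) requested by {req.origin.value}")
        elif self.local_content_read and req.origin is Origin.WEB_CONTENT:
            d = Decision(False, "content-driven network navigation after a local read (possible exfiltration)")
        else:
            d = Decision(True, "network target")
        self.audit.append(f"{'ALLOW' if d.allowed else 'DENY'} {req.origin.value} {req.url}: {d.reason}")
        return d


def replay(steps: List[Tuple[str, Origin]]) -> List[bool]:
    """Run a sequence of (url, origin) through a fresh guard; return the allow flags."""
    guard = NavigationGuard()
    return [guard.evaluate(NavRequest(u, o)).allowed for u, o in steps]


# Constructed scenarios. INJECTED mirrors the chain in the write-up: the agent
# reads an untrusted page, is steered to file://, then tries to send data out.
INJECTED_CHAIN = [
    ("https://example.invalid/notes", Origin.USER),
    ("file:///home/user/Documents/", Origin.WEB_CONTENT),
    ("https://example.invalid/collect?d=...", Origin.WEB_CONTENT),
]
# The user legitimately opens a local file; page content then tries to ship it off.
TAINTED_CHAIN = [
    ("file:///home/user/Documents/report.pdf", Origin.USER),
    ("https://example.invalid/collect?d=...", Origin.WEB_CONTENT),
]
# Entirely user-driven: open a local file, then upload it where the user said.
LEGITIMATE_CHAIN = [
    ("file:///home/user/Documents/report.pdf", Origin.USER),
    ("https://example.invalid/upload", Origin.USER),
]

if __name__ == "__main__":
    for name, chain in (("injected", INJECTED_CHAIN), ("tainted", TAINTED_CHAIN), ("legitimate", LEGITIMATE_CHAIN)):
        g = NavigationGuard()
        for u, o in chain:
            g.evaluate(NavRequest(u, o))
        print(name)
        print("\n".join(g.audit))
```

The design choice worth noting is that the origin tag is attached by the agent runtime, not inferred from the URL: the same `file://` URL is fine when the human typed it and refused when it came out of a page the agent read. The taint flag is deliberately coarse (any local read poisons all content-driven network navigation for the rest of the task); a production guard would scope it per task and log the audit trail somewhere the user can review.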
- There's a related escalation path in Chrome, through the Gemini Live AI panel. An extension can inject code into the AI panel and utilise the higher level of access granted to that panel.
Browser extensions operate under a defined set of permissions, strictly governed by the browser’s security model. One of their functions is to interact with or modify content on webpages. These webpages are considered inferior to the extension itself in the browser's privilege hierarchy.
...
Intercepting and injecting JavaScript code into the Gemini web app when loaded via an ordinary tab is trivial and doesn’t grant access to special powers. However, when the Gemini app is loaded within this new panel component, Chrome hooks it with access to powerful capabilities. These include being able to read local files, take screenshots, access the camera and microphone and more, so the app could perform complex tasks. Being able to intercept it under that setting would have allowed attackers to gain access to these powers too.
- https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/
- https://www.theregister.com/2026/03/03/google_chrome_bug_gemini/
- Interested in prompt injection attacks? Palo Alto Networks (PAN)'s Unit 42 have compiled a dozen (12) cases of injection into websites.