InfoSec News 05MAR2026

General

  • Multi-Factor Authentication phishing service 'Tycoon 2FA' was disrupted in a Europol-coordinated action. The service used a proxy-style (adversary-in-the-middle) approach, as popularised by Evilginx, to capture session cookies after users had passed through all single- and multi-factor challenges. Passkeys are not vulnerable to this attack: the credential is bound to the legitimate site's domain name, and these proxy-style attacks require the user to authenticate to an attacker-controlled domain.
As part of the disruption, 330 domains forming the core infrastructure of the criminal service, including phishing pages and control panels, were taken down.
...
By mid-2025, Tycoon 2FA accounted for roughly 62% of all phishing attempts blocked by Microsoft.
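Why the domain binding defeats a proxy-style phishing kit is easiest to see from the relying party's side. The block below is an added example, not code from the reporting or from any vendor: it builds the two WebAuthn artefacts a browser and authenticator produce (clientDataJSON and authenticatorData) and runs the checks a server performs before it even looks at the signature. The RP ID, allowed origins and challenge are constructed values.

```python
import hashlib
import json

# Relying-party configuration. Constructed for this example; not from any real deployment.
RP_ID = "bank.example"
ALLOWED_ORIGINS = {"https://bank.example", "https://login.bank.example"}


def make_client_data(origin: str, challenge: str) -> bytes:
    """Build the clientDataJSON the browser hands to the authenticator.

    The browser writes the `origin` field itself from the page that called
    navigator.credentials.get(); page script cannot override it.
    """
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return json.dumps(payload).encode()


def make_auth_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Build minimal authenticatorData: rpIdHash (32) || flags (1) || signCount (4).

    The authenticator derives rpIdHash from the RP ID the browser supplied, and
    the browser only accepts an RP ID that matches the serving domain.
    """
    flags = 0x05  # UP (user present) and UV (user verified)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion_binding(client_data_json: bytes, auth_data: bytes, expected_challenge: str):
    """Checks a relying party performs before verifying the signature.

    Returns (ok, reason). A proxied login fails here because the origin and the
    rpIdHash both name the attacker's domain rather than RP_ID.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or wrong session)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin for {RP_ID}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; a real one is fresh per ceremony
    legit = verify_assertion_binding(
        make_client_data("https://bank.example", challenge), make_auth_data(RP_ID), challenge
    )
    # A proxy must serve its page from a domain it controls; the browser reports that
    # origin and scopes the credential to it, so both bindings fail at the real site.
    proxied = verify_assertion_binding(
        make_client_data("https://bank-login.example.test", challenge),
        make_auth_data("bank-login.example.test"),
        challenge,
    )
    print("legitimate:", legit)
    print("proxied:   ", proxied)
```

In practice the proxied ceremony never gets this far, because the authenticator holds no credential for the attacker's RP ID, but the server-side origin and rpIdHash checks are what guarantee the outcome even if a kit forwards the raw messages. A TOTP code or push approval carries no such binding, which is why those flows survive the proxy and the session cookie is captured.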
According to an affidavit unsealed on March 3, the LeakBase forum had over 142,000 members and more than 215,000 messages between members.... LeakBase allowed forum users to sell the information from stolen databases, including data illegally obtained from U.S. corporations and individuals, and offered credit and debit card numbers, banking account and routing information, usernames and associated passwords which could facilitate additional account takeovers, as well as other sensitive business and personally identifiable information.
On March 3 and 4, law enforcement agents and officers in 14 countries ... shut down LeakBase, seized its data and two of the domains used by the forum, posted seizure banners on the LeakBase sites, sent prevention messages to LeakBase members, and collected additional evidence. Law enforcement also executed search warrants, arrests, and conducted interviews in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom.
This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.
This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.
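A management interface that deserializes a user-supplied Java byte stream can be watched for from the outside: a Java serialization stream always begins with the four-byte STREAM_MAGIC/STREAM_VERSION header, whether it arrives raw, base64-encoded or URL-encoded. The block below is an added example, not code from the advisory or the vendor: it scans an HTTP request's headers and body for those encodings so a WAF rule or log pipeline can flag an object arriving where a form or JSON payload is expected. The request samples are constructed.

```python
import base64
import re

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream STREAM_MAGIC + STREAM_VERSION
# base64 of that header: the first five characters are fixed whatever bytes follow,
# so a candidate is found by prefix and then decoded to confirm.
B64_CANDIDATE = re.compile(rb"rO0AB[A-Za-z0-9+/]{3,}={0,2}")
URLENC_MAGIC = re.compile(rb"%ac%ed%00%05", re.IGNORECASE)


def find_java_serialized(data: bytes) -> list:
    """Return the encodings of a Java serialization stream found in `data`."""
    findings = []
    if JAVA_STREAM_MAGIC in data:
        findings.append("raw Java serialization stream")
    for match in B64_CANDIDATE.finditer(data):
        token = match.group(0).rstrip(b"=")
        token = token[: len(token) - len(token) % 4]  # drop a trailing partial group
        try:
            decoded = base64.b64decode(token)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if decoded.startswith(JAVA_STREAM_MAGIC):
            findings.append("base64-encoded Java serialization stream")
            break
    if URLENC_MAGIC.search(data):
        findings.append("URL-encoded Java serialization stream")
    return findings


def scan_http_request(headers: dict, body: bytes) -> list:
    """Flag a request carrying a Java object, whatever header or body field it rides in."""
    findings = []
    content_type = headers.get("Content-Type", "").lower()
    if "java-serialized-object" in content_type:
        findings.append("Content-Type declares a Java serialized object")
    for name, value in headers.items():
        for hit in find_java_serialized(value.encode("latin-1", "replace")):
            findings.append(f"header {name}: {hit}")
    for hit in find_java_serialized(body):
        findings.append(f"body: {hit}")
    return findings


if __name__ == "__main__":
    # Constructed requests: a benign form post and one carrying a serialized object in a cookie.
    benign = scan_http_request({"Host": "device.example", "Content-Type": "application/x-www-form-urlencoded"}, b"user=alice&lang=en")
    suspicious = scan_http_request({"Host": "device.example", "Cookie": "session=rO0ABXNyAARUZXN0"}, b"")
    print("benign:", benign)
    print("suspicious:", suspicious)
```

Decoding the base64 candidate before reporting it matters: the `rO0AB` prefix alone also matches ordinary base64 whose fourth byte happens to differ, so a prefix-only rule produces noise. On the device side, the durable fix is the one the advisory implies: not deserializing untrusted input at all, or, where unavoidable, an allow-list deserialization filter.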
Both Google and iVerify connected the exploit kit to Operation Triangulation, which Russian cybersecurity firm Kaspersky said in 2023 had targeted the company and the Russian government attributed to the U.S. government. The NSA declined to comment on that allegation.
Boris Larin, principal security researcher at Kaspersky GReAT, told The Register on Wednesday: "We see no evidence of actual code reuse in the published reports to support attributing Coruna to the same authors."
The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals to deceive the victim. Simultaneously, the infection triggers the download of BadPaw, a .NET-based loader. Upon establishing command-and-control (C2) communication, the loader deploys MeowMeow, a sophisticated backdoor.
...
The campaign employs strict Parameter Validation; the malicious components remain dormant, running only “dummy” code with a benign GUI, unless executed with specific, predefined parameters.

Getting Techy

Geo-Politics

  • [IR] Chainalysis try to understand what's going on in Iranian crypto markets - it's very murky.
  • [US] NSO Group - makers of the Pegasus spyware - are spending up, trying to lobby their way back into the US Government's good books, and off the Bureau of Industry and Security (BIS) Entity List.
    (EAR = Export Administration Regulations)
To achieve its business objective (increased sales), NSO faces a regulatory hurdle (BIS Entity List designation). De-listing requires a lengthy administrative process, including review by an interagency committee comprising representatives from the Departments of Commerce, State, and Defense, among others. The National Security Council and Congress, although they do not play a direct role, could also exert influence over this process.
...
A key element of that strategy appears to be completing its transition to US ownership — specifically to a group of investors led by Hollywood producer Robert Simonds — and potentially to adopt a new US corporate structure. This is an important strategic move as it could render the BIS Entity Listing redundant, as it solely targets foreign companies.
The Entity List is a tool utilized by BIS to restrict the export, reexport, and in-country transfer of items subject to the EAR to persons (individuals, organizations, companies) reasonably believed to be involved, have been involved, or pose a significant risk of being or becoming involved, in activities contrary to the national security or foreign policy interests of the United States.

Privacy

  • The high cost of data-brokers.
Breaches at data brokers have cost American consumers more than $20 billion, Congress’s Joint Economic Committee revealed Friday as part of an investigation triggered by The Markup and CalMatters.
...
The Markup and CalMatters’ August story examined how several data brokers used code called the “no-index” tag on pages where consumers could exercise their right to opt out.
The tag is used to tell search engines not to index the page, meaning the information may not be returned in search results. The story noted that this created a barrier for consumers looking to block brokers from using their data. Many of the data brokers quickly removed the tag as the story was published.
...
Congressional staff found that hundreds of millions of people were exposed by just four major data broker breaches in the last 10 years. The breaches counted were a 2017 Equifax incident, impacting 147 million people, as well as others involving Exactis in 2018, 230 million people, National Public in 2023, 270 million people and TransUnion in 2025, 4 million people.
Using estimates of the number of people who experience identity theft after breaches, as well as an assumed median loss of $200 from thefts, the report arrived at the nearly $21 billion figure.
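The "no-index" tag the investigation found on opt-out pages is a robots directive, set either as a `<meta name="robots">` element in the page or as an `X-Robots-Tag` response header. The block below is an added example, not code from The Markup or CalMatters: a small audit that parses a fetched page and its headers and reports every directive that would keep the page out of search results, so a privacy team can check its own opt-out pages for the same pattern. The page sample and header are constructed.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional


class RobotsMetaCollector(HTMLParser):
    """Collect <meta name="robots"|"googlebot"|"bingbot" content="..."> directives."""

    def __init__(self) -> None:
        super().__init__()
        self.directives: List[tuple] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        name = attr.get("name", "").lower()
        if name in ("robots", "googlebot", "bingbot"):
            self.directives.append((name, attr.get("content", "")))


def _blocks_indexing(directive_value: str) -> bool:
    """True when the comma-separated directive list removes the page from indexes."""
    tokens = {t.strip().lower() for t in directive_value.split(",")}
    return bool(tokens & {"noindex", "none"})  # "none" is shorthand for noindex,nofollow


def noindex_findings(html: str, headers: Optional[Dict[str, str]] = None) -> List[str]:
    """Report every way this page tells search engines not to index it."""
    findings = []
    collector = RobotsMetaCollector()
    collector.feed(html)
    for name, content in collector.directives:
        if _blocks_indexing(content):
            findings.append(f'meta name="{name}" content="{content}"')
    for key, value in (headers or {}).items():
        if key.lower() == "x-robots-tag" and _blocks_indexing(value):
            findings.append(f"X-Robots-Tag: {value}")
    return findings


if __name__ == "__main__":
    # Constructed opt-out page in the shape the story describes.
    OPT_OUT_PAGE = """<!doctype html>
<html><head>
  <title>Do Not Sell My Personal Information</title>
  <meta name="robots" content="noindex, nofollow">
</head><body><form action="/optout" method="post">...</form></body></html>"""
    for finding in noindex_findings(OPT_OUT_PAGE, {"Content-Type": "text/html"}):
        print("blocks indexing:", finding)
```

Run against a live page, the HTML and headers would come from a normal HTTP fetch of the opt-out URL; the parser is what decides. Bot-specific header forms such as `X-Robots-Tag: googlebot: noindex` carry a user-agent prefix that this version does not split off, so extend `_blocks_indexing` if you need those too.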
TikTok will not introduce end-to-end encryption (E2EE) - the controversial privacy feature used by nearly all its rivals - arguing it makes users less safe.
E2EE means only the sender and recipient of a direct message can view its contents, making it the most secure form of communication available to the general public.
...
It confirmed its approach in a briefing to the BBC about security at its London office - saying it wanted to protect users, especially young people, from harm.
...
TikTok has not commented before on why it chooses not to use E2EE.
But the company has now told the BBC it believes the technology prevents police and safety teams from being able to read direct messages if they needed to.
Whenever an advertisement is displayed inside an app, a near instantaneous bidding process happens with companies vying to have their advert served to a certain demographic. A side effect of this is that surveillance firms, or rogue advertising companies working on their behalf, can observe this process and siphon information about mobile phones, including their location. All of this is essentially invisible to an ordinary phone user, but happens constantly.
This sort of surveillance can happen through all sorts of innocuous seeming apps, such as video games, news apps, weather trackers, and dating apps. 404 Media has previously linked RTB-based surveillance to games like Candy Crush and Subway Surfers; dating apps Tinder and Grindr; the social network Tumblr, and the popular fitness app MyFitnessPal.
...
In essence, the AdID acts as the digital glue between a person’s device and their location data, allowing marketers—or a surveillance contractor or DHS—to attribute a set of movements to a specific device. From there, investigators can draw geofences to see all phones at a particular area over a period of time. Many smartphone location data tools then let officials see where else those devices went, potentially revealing where their owners live or work, or other sensitive locations.

AI

  • The first reports of developers being stung with massive Gemini bills are landing. When Google added Gemini access to the same API keys used for Maps, Firebase and other services - where the keys are by design embedded in public web pages - it created a massive problem. Anyone can scan the web for these keys on websites, then easily test whether they have Gemini access. If so, the key can be used to run Gemini requests that are billed to the key's owner.
    TruffleSec warned about this last month, as included in the 27FEB2026 news.
"I am in a state of shock and panic right now," the dev wrote on Reddit, and went on to detail how his startup's Google Cloud API key was somehow compromised between February 11 and February 12. During that time, unknown miscreants used the key to spend $82,314.44, primarily on Gemini 3 Pro Image and Gemini 3 Pro Text.
The issue in this case starts with an organization called the Open Knowledge Association (OKA), a non-profit organization dedicated to improving Wikipedia and other open platforms.
“We do so by providing monthly stipends to full-time contributors and translators,” OKA’s site says. “We leverage AI (Large Language Models) to automate most of the work.”
The problem is that editors started to notice that some of these translations introduced errors to articles. For example, a draft translation for a Wikipedia article about the French royal La Bourdonnaye family cites a book and specific page number when discussing the origin of the family. A Wikipedia editor, Ilyas Lebleu, who goes by Chaotic Enby on Wikipedia, checked that source and found that the specific page of that book “doesn't talk about the La Bourdonnaye family at all.”
