InfoSec News 06MAR2026

General

  • Wikipedia suffers its own brief Samy Worm incident.
The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis.
...
BleepingComputer's review of the archived test.js script shows it self-propagates by injecting malicious JavaScript loaders into both a logged-in user's common.js and Wikipedia's global MediaWiki:Common.js, which is used by everyone.
...
The script also includes functionality to edit a random page by requesting one via the Special:Random wiki command, then editing the page to insert an image and .... hidden JavaScript loader.
...
According to BleepingComputer's analysis, approximately 3,996 pages were modified, and around 85 users had their common.js files replaced during the security incident. It is unknown how many pages were deleted.

Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
...
In 2025, we continued to observe the structural shift, first identified in 2024, toward increased enterprise exploitation.
...
State-sponsored espionage groups continue to prioritize edge devices and security appliances as prime entry points into victim networks
...
Commercial surveillance vendors (CSVs) further reduce barriers to zero-day access. For the first time since we began tracking zero-day exploitation, we attributed more zero-days to CSVs than to traditional state-sponsored cyber espionage groups.
...
People’s Republic of China (PRC)-nexus cyber espionage groups continue to dominate traditional state-sponsored espionage zero-day exploitation.
...
In 2025, we attributed the exploitation of 9 zero-days to confirmed or likely financially motivated threat groups.
...
Browsers accounted for less than 10% of 2025 zero-day exploitation, a marked decrease from the browser-heavy years of 2021-2022.
...
Command injection and deserialization were critical vectors in the enterprise space.
...
Threat actors continued to rely on memory corruption, with memory safety issues (particularly use-after-free [UAF] and out-of-bounds write) accounting for roughly 35% of the vulnerabilities.
...
The prevalence of authentication and authorization bypass vulnerabilities highlights the difficulty edge devices face in securing both the network perimeter and their own administrative interfaces.
...
Logic and Design Flaws: Frequently exploited in enterprise appliances, these issues represent fundamental architectural weaknesses where the system’s intended logic or design is inherently insecure.

"The organization recruited highly vulnerable women in areas hit hard by the war in Ukraine and opened bank accounts in their names that they used on gaming platforms to move illicit profits, estimated at 4,750,000 euros."
After a joint investigation with the Ukrainian police that began in October 2023, Spanish authorities arrested 12 suspects and conducted 9 house searches across Alicante and Valencia.
Following searches at nine Spanish addresses and eight Ukrainian properties, they also seized dozens of mobile phones, 20 computers, 22 bots, four high-end vehicles, and 500 SIM cards, froze ten properties valued at over €2 million, and blocked accounts across 11 countries holding more than €470,000.
To scale the operation, the criminals relied heavily on stolen personal data. Police discovered more than 5,000 stolen identities from 17 different nationalities and at least 3,000 compromised credit cards tied to the scheme.
The criminal group also transferred government subsidies received by the victim due to their refugee status. Parts of the illegally obtained funds were invested in luxury real estate.

The company is accused of running hundreds of compounds in Cambodia where workers and human trafficking victims were forced to conduct cyberscams and steal billions from people in the U.S., Europe and China.
...
Taipei prosecutors said those associated with Prince Group laundered at least $339 million into Taiwan and used the stolen funds to buy 24 properties, 35 vehicles and other assets amounting to about $1.7 million. Taiwan has seized about $174 million in cash and assets.
...
Nine people have been detained and 73 people were granted bail following Taiwan’s monthslong investigation. Those detained, who were considered senior figures in Prince Group or had deep ties to the operation, are facing decades in prison.
...
The status of Zhi’s whereabouts and legal case in China is unknown but China executed four members of the Bai crime family last month after they were accused of running cyber scam compounds in Myanmar. Another 11 members of the Ming crime family were executed last month for running similar cyber scam compounds.

Phobos is a long-running ransomware-as-a-service (RaaS) operation linked to the Crysis ransomware family. Phobos has been widely distributed through many affiliates, accounting for roughly 11% of all submissions to the ID Ransomware service between May 2024 and November 2024.
Prosecutors accused Ptitsyn of being behind attacks on the California public school system — which paid a $300,000 ransom in 2023 — as well as multiple healthcare organizations and several companies.
U.S. prosecutors previously said operators of Phobos and a related strain called 8Base collected upwards of $16 million from victims worldwide dating back to 2019.

“If you’ve been paying any attention at all to US politics, you’ll know how insidiously provocative this would be if it were a real email,” Benenson wrote in a blog post about the email. “This phishing campaign is a fascinating example of how sophisticated social engineering has become. Instead of Nigerian 419 scams, hackers have evolved to carefully craft messages sent to professionals that are designed to exploit the American political consciousness. The opt-out buttons are the trap.”
...
In SendGrid’s case, Benenson found that the emails looked “real” because they were sent from other SendGrid user accounts. Basically, hackers compromised the account of a SendGrid user and then used that account to send phishing emails using the SendGrid infrastructure. “The emails look real because, technically, they are real SendGrid emails sent via SendGrid’s platform and via a customer’s reputation–they’re just sent by the wrong people and wrong domains,” he wrote.

Blockchain investigator ZachXBT broke the case publicly in late January when he published an analysis that traced $23 million in USMS-linked wallet movements to addresses he linked to Daghita.
...
Further on-chain analysis subsequently enabled ZachXBT to link those wallets to government-seized assets from the Bitfinex hack seizure. After the investigator reported his findings to authorities, Daghita reportedly taunted him repeatedly on Telegram by sending small amounts of the allegedly stolen funds (a tactic known as a "dust attack") to ZachXBT's public wallet address.

Getting Techy

  • Insecure security software, sigh. Even better, they won't accept bug reports without a signed NDA.
    (LPE = Local Privilege Escalation)
Avira Internet Security ships with a handful of modules that quietly handle privileged operations in the background: software updates, performance monitoring and system cleanup. Each one runs parts of its workflow as SYSTEM. Three of them don't bother checking what they are actually operating on.
...
Three modules, three bugs, all running as SYSTEM. The arbitrary file delete is the most versatile primitive: useful standalone, and can be used as a setup step for the deserialization. The deserialization is the cleanest LPE: no race condition, no timing window, just drop a file and click a checkbox. The TOCTOU is the most constrained of the three, but still a straightforward path to SYSTEM.

Geo-Politics

  • Reporting from Cybersecurity Dive suggests Sean Plankey - Trump's nominee for next head of the Cybersecurity and Infrastructure Security Agency (CISA) - is out.
Security personnel escorted Plankey out of a DHS facility on Monday, a person familiar with the matter told Cybersecurity Dive, confirming an incident first reported by CBS News. Plankey announced on Wednesday that he had left his job as a senior Coast Guard adviser to DHS Secretary Kristi Noem, but he framed his departure as a voluntary one intended to help him focus on his nomination to serve as CISA director.
...
But Plankey’s departure was anything but amicable or voluntary, the person familiar with the matter told Cybersecurity Dive. “He was operating autonomously inside CISA and ruffling feathers,” this person said. It is unusual for nominees to involve themselves in agency leadership decisions prior to being confirmed.
When a Monday prep session for one of Noem’s oversight hearings on Capitol Hill “didn’t go well,” that was “a last straw” for Plankey’s service in the administration, the person familiar with the matter said.
...
For more than a year, CISA has weathered personnel cuts and program changes that have sapped its ability to fulfill its central missions, especially its work supporting infrastructure providers. The agency is on its third acting director, following the Trump administration’s abrupt removal last week of a scandal-plagued official who had no cybersecurity background but close ties to Noem.

The 141-page five-year blueprint, which covered a wide range of socio-economic targets and policies, mentioned AI more than 50 times and included a sweeping "AI+ action plan".
The focus on tech reflects China's need to grapple with its rapidly ageing workforce and looming demographic crisis, its fierce battle with the United States for supremacy in core technologies, as well as dramatic progress made by Chinese AI model developers such as DeepSeek.
Specific measures in the plan include experimenting with robots to perform jobs in sectors suffering from labour shortages and deploying AI agents that can perform tasks with minimal human guidance.

The Israel Defense Forces on Wednesday said it bombed a compound in Tehran housing Iran’s cyber warfare headquarters — but it’s unclear whether the strike will significantly kneecap Iran’s cyberattack capabilities.
...
The IDF claims that the headquarters of the IRGC’s “cyber and electronic headquarters” and its “Intelligence Directorate” were among the military outposts hit in the strike.
...
The IRGC has been linked to major cyber operations against the U.S. in recent years, including a hack and leak attack against the presidential campaign of Donald Trump in 2024.
...
The Iranian government has often relied on proxy groups outside the country, including those based in Russia, to carry out cyberattacks or disinformation campaigns on its behalf. This makes it harder to trace efforts back to the Iranian regime and more difficult for impacted countries to respond to these types of decentralized attacks.
“Cyber is now embedded in modern conflict, and operational impact does not require all operators to be physically located in Tehran,” said Alexander Leslie, senior advisor on government affairs at cybersecurity company Recorded Future.

Privacy

  • [EU] None Of Your Business (NOYB) surveyed Data Protection Officers in the European Union to test whether some of the proposed relaxations of the General Data Protection Regulation (GDPR) are justified. As expected, the results suggest the proposal is more aligned with Big Tech's needs than with those of the organisations actually affected.
Ever since the European Commission published its Digital Omnibus proposal, discussions about the workload the GDPR creates for businesses in Europe have intensified. Among other things, the Commission wants to restrict the Right of Access, allegedly to reduce the regulatory burden. But do these changes actually reflect the needs of privacy professionals working at companies? To find out more, noyb conducted a survey asking Data Protection Officers (DPOs) which elements of the GDPR take up most of their time – and where it is best spent to ensure people's data protection.
Turns out, most professionals don’t want protections to be cut back, but to reduce documentation duties and paperwork. In many cases, they even ask for clearer laws instead of more ‘flexibility’, which is hard to manage for most companies.

Beginning January 9, 2026, all Mexican cell phone numbers must have a verified person associated with the number. Users will need to present a valid passport, and if you are a resident (temporary or permanent), you will need to cite your CURP number as well.
...
All existing active lines must be registered by June 30 to prevent the number from being suspended.
...
If you roam in Mexico using a foreign-issued cellphone, you do not need to register the number in Mexico. This requirement is only for cellphone numbers issued by Mexican telephone companies.

Britain's privacy watchdog is asking questions about Meta's AI-powered smart glasses after reports that human contractors reviewing recordings from the devices were exposed to extremely private moments captured by unsuspecting users.
...
Some of the workers interviewed claim the review queue isn't just harmless AI prompts. Some clips show people getting dressed or using the toilet, while others capture private conversations about relationships, politics, or alleged wrongdoing. Others interviewed by the Swedish outlets claimed the clips occasionally include things like bank cards, personal paperwork, or other identifying details inadvertently caught on camera. As one employee put it: "We see everything."

Here in Kenya’s capital, thousands of people train AI systems, teaching them to recognise and interpret the world.
They are called data annotators, and they are the manual labourers of the AI revolution. On the screens they draw boxes around flower pots and traffic signs, follow contours, register pixels and name objects: cars, lamps, people. Every image must be described, labelled and quality assured.
...
With the glasses we bought there is also a manual with a QR code that leads to Meta’s privacy policy for wearable products. This in turn links to other pages, such as the Terms of Use for Meta’s AI services.
At first glance, it appears that we have significant control over our data. It states that voice recordings may only be saved and used for improvement or training of other Meta products if the user actively agrees.
But for the AI assistant to function, voice, text, image and sometimes video must be processed and may be shared onwards. This data processing is done automatically and cannot be turned off.
It also states that the AIs may store and use information shared with them, and that the user should not share information “that you don’t want the AIs to use and retain, such as information about sensitive topics”.
The user is given no choice; it is mandatory to participate.
...
We asked Meta to elaborate on how sharing highly private material with subcontractors such as Sama in Kenya can be reconciled with its privacy policy. We posed the same questions to Sama. There was no response.
...
One annotator sums it up:
“You think that if they knew about the extent of the data collection, no one would dare to use the glasses”.

AI

  • Reporting from Simon Willison on key departures within the (small) team at Alibaba's Qwen group.
Twelve hours ago (at 0:11 AM Beijing time on March 4th), Lin Junyang, the technical lead for Alibaba’s Qwen Big Data Model, suddenly announced his resignation on X. Lin Junyang was a key figure in promoting Alibaba’s open-source AI models
...
With Lin Junyang’s departure, several other Qwen members also announced their departure, including core leaders responsible for various sub-areas of Qwen models, such as:
Binyuan Hui: Lead Qwen code development, principal of the Qwen-Coder series models, responsible for the entire agent training process from pre-training to post-training, and recently involved in robotics research.
Bowen Yu: Lead Qwen post-training research, graduated from the University of Chinese Academy of Sciences, leading the development of the Qwen-Instruct series models.
Kaixin Li: Core contributor to Qwen 3.5/VL/Coder, PhD from the National University of Singapore.
Besides the aforementioned individuals, many young researchers also resigned on the same day.
  • Another item from Simon Willison, discussing AI-assisted 'clean-room' reimplementations of software to escape its licensing restrictions. Discussed in the context of the 'chardet' library, where the new maintainer rebuilt the library and at the same time moved it from LGPL to the more permissive MIT licence. The original author was not happy.
I see this as a microcosm of the larger question around coding agents for fresh implementations of existing, mature code. This question is hitting the open source world first, but I expect it will soon start showing up in Compaq-like scenarios in the commercial world.
Once commercial companies see that their closely held IP is under threat I expect we’ll see some well-funded litigation.

According to new reporting by the Financial Times, the Amazon founder’s AI lab, Project Prometheus, is raising tens of billions of dollars to snatch up companies reeling from market disruption due to AI.
...
While AI is new, Bezos has a historical analogue in John Pierpont Morgan. Though most of us today know JPMorgan Chase as the largest investment bank in the US, it didn’t become the giant it is today by happenstance.
...
Morgan and Bezos are pursuing what sounds like a similar strategy: where the former exploited small panics and depressions to consolidate industrial firms under his control, Bezos is leveraging market volatility in the uncertain age of AI

Jamie Larson