InfoSec News 08APR2026

General

  • Serious déjà vu - attackers exfiltrating data from Snowflake using stolen credentials (quick calendar check - nope, it is 2026).
While numerous cloud storage and SaaS vendors were targeted using the stolen tokens, BleepingComputer has learned that the majority of the data theft attacks targeted the cloud-based data warehouse platform Snowflake.
...
While Snowflake would not confirm which third-party integration partner was linked to these attacks, BleepingComputer was told by numerous sources that the attacks stem from a security incident at data anomaly detection company Anodot.
Anodot is an AI-based analytics company that provides real-time anomaly detection for business and operational data, helping organizations automatically spot unusual changes in revenue, transactions, and system performance using machine learning. Data analytics company Glassbox acquired the company in November 2025.
...
After learning of the attacks, the ShinyHunters group confirmed to BleepingComputer that they were behind them, claiming to have stolen data from dozens of companies this past Friday. They also confirmed their attempts to steal data from Salesforce, but said they were blocked by AI detection.
  • I guess the old tricks still work.... APT28 (aka Forest Blizzard, Strontium, Fancy Bear, Flamboyant Leatherdaddy) has been modifying DNS settings on edge devices (mainly routers). Target traffic is then routed through attacker infrastructure. It seems to be a rather noisy attack for target domains - "The actor-controlled malicious infrastructure would then present an invalid TLS certificate to the victim, spoofing the legitimate Microsoft service. If the compromised user ignored warnings about the invalid TLS certificate, the threat actor could then actively intercept the underlying plaintext traffic".
    Interesting to see that the US remotely reset/removed the changes to US routers.
We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Forest Blizzard, Fancy Bear, STRONTIUM, the Sednit Gang and Sofacy)
...
Since 2024 and into 2026, APT28 has been configuring Virtual Private Servers (VPSs) to operate as malicious DNS servers. These VPSs typically receive high volumes of DNS requests originating from routers that had been exploited by the actor likely utilising public vulnerabilities.
...
Lookups for domain names containing key terms associated with particular services, often email applications or login pages, would then be resolved by the malicious DNS servers to further actor-owned IP addresses. DNS requests not matching the actor’s targeting criteria would instead be resolved to the legitimate IP addresses for the requested services.
The actor would then attempt to conduct adversary-in-the-middle (AitM) attacks against follow-on connections with the likely aim of harvesting user account credentials
Forest Blizzard, which primarily collects intelligence in support of Russian government foreign policy initiatives, has also leveraged its DNS hijacking activity to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains. This activity enables the interception of cloud-hosted content, impacting numerous sectors including government, information technology (IT), telecommunications, and energy—all usual targets for this actor.
While the number of organizations specifically targeted for TLS AiTM is only a subset of the networks with vulnerable SOHO devices, Microsoft Threat Intelligence assesses that the threat actor’s broad access could enable larger-scale AiTM attacks, which might include active traffic interception. Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft has observed Forest Blizzard using DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.
Today, the Department of Justice and the FBI announced a court-authorized technical operation to neutralize the U.S. portion of a network of small office/home office (SOHO) routers compromised by a unit within Russia’s Main Intelligence Directorate of the General Staff (GRU) Military Unit 26165, also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit.
...
As described in court documents unsealed in the Eastern District of Pennsylvania, the FBI developed a series of commands to send to compromised routers in the United States, designed to collect evidence regarding the GRU actors’ activity, reset DNS settings (i.e., remove GRU DNS resolvers and force routers to obtain legitimate DNS resolvers from their Internet Service Providers (ISP)), and to otherwise prevent the GRU actors from exploiting the original means of unauthorized access.
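As an added defender-side example (not from the NCSC advisory, Microsoft, or the DOJ release quoted above), the check below compares answers from the router-assigned resolver against a trusted reference resolver for the same names and flags the pattern described: divergence confined to mail/login hostnames while everything else resolves normally, plus a router DNS setting that is not one of the ISP's resolvers. All hostnames and addresses are constructed placeholders (RFC 5737 ranges), and `ISP_RESOLVERS` is an assumed allowlist.

```python
"""Spot selective DNS hijacking: a resolver that answers honestly for most
names but substitutes attacker addresses for email/login hostnames."""

# Key terms the advisory says the actor keyed on (email applications, login pages).
SENSITIVE_TERMS = ("outlook", "mail", "login", "webmail", "owa", "sso")

# Constructed sample data. LOCAL_ANSWERS is what the router-assigned resolver
# returned; REFERENCE_ANSWERS is what a trusted out-of-band resolver returned.
LOCAL_ANSWERS = {
    "outlook.office365.example": {"203.0.113.77"},            # rogue answer
    "login.corp.example": {"203.0.113.78"},                   # rogue answer
    "cdn.news.example": {"198.51.100.20", "198.51.100.21"},   # honest, CDN rotation
    "www.vendor.example": {"198.51.100.30"},                  # honest
}
REFERENCE_ANSWERS = {
    "outlook.office365.example": {"192.0.2.10", "192.0.2.11"},
    "login.corp.example": {"192.0.2.20"},
    "cdn.news.example": {"198.51.100.21", "198.51.100.22"},
    "www.vendor.example": {"198.51.100.30"},
}
ISP_RESOLVERS = ["198.51.100.53", "198.51.100.54"]  # assumed ISP allowlist


def is_sensitive(name: str) -> bool:
    """True when the hostname contains one of the targeted key terms."""
    return any(term in name.lower() for term in SENSITIVE_TERMS)


def find_divergent(local: dict, reference: dict) -> dict:
    """Return names whose local answers share no address with the reference.
    Any overlap counts as agreement, so CDN rotation alone does not alert."""
    divergent = {}
    for name, local_ips in local.items():
        ref_ips = reference.get(name, set())
        if not local_ips & ref_ips:
            divergent[name] = {"local": sorted(local_ips),
                               "reference": sorted(ref_ips),
                               "sensitive": is_sensitive(name)}
    return divergent


def assess(divergent: dict) -> str:
    """Classify: no divergence, divergence only on sensitive names (the
    selective pattern described in the advisory), or mixed divergence."""
    if not divergent:
        return "clean"
    sensitive = [n for n, d in divergent.items() if d["sensitive"]]
    if sensitive and len(sensitive) == len(divergent):
        return "selective-hijack-suspected"
    return "divergence-investigate"


def resolvers_outside_allowlist(configured: list, allowed: list) -> list:
    """Router DNS servers that are not the ISP-provided resolvers."""
    return sorted(set(configured) - set(allowed))


if __name__ == "__main__":
    hits = find_divergent(LOCAL_ANSWERS, REFERENCE_ANSWERS)
    print(assess(hits), hits)
    print("rogue resolvers:", resolvers_outside_allowlist(["203.0.113.53"], ISP_RESOLVERS))
```

Run the comparison from the same network vantage point as the router, since geo-based answers from a distant reference resolver would otherwise produce false divergence.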
An individual, Zhenyun Sun (https://find-and-update.company-information.service.gov.uk/officers/svz68usL11Hfb5q2_65DDqlFd2Y/appointments), is registering UK "fibre ISPs" at Companies House at an unusual rate. On the surface, they could pass for legitimate broadband providers. But look closer, and the picture soon changes 🕵️ ...
Some of these companies are assigned an ASN, sharing the same abuse contact: onesproxy[.]com
...
One explanation is that this makes proxy traffic appear to originate from genuine residential broadband customers. But it may not necessarily be for malicious purposes. It could be targeting SEO and those who want to "cheat the system" by simulating traffic from a large pool of users for marketing
  • [AU] The Australian Tax Office has added an in-app call verification feature to help combat some scam scenarios. While the feature can confirm that the ATO is currently on a call linked to the taxpayer's account, it can't confirm that the person the taxpayer is speaking with is from the ATO (for example, a scammer who is simultaneously on a call with the ATO, pretending to be the target).
When a taxpayer receives a call from someone claiming to be the ATO, they open the app, log in, and select the verify call option.
If the notification does not appear within that window, the ATO said the call should be treated as a scam and the user should hang up.
The feature inverts the burden of proof, putting the tool in the taxpayer's hands rather than asking them to independently verify a caller's identity.
A “large-scale” distributed denial-of-service (DDoS) attack targeted the network of Russian state-run telecom giant Rostelecom on Monday evening, temporarily disrupting online banking, government platforms and other digital services across dozens of cities.
Rostelecom told state-owned media the attack was quickly contained, adding the disruption to internet services was a consequence of emergency filtering introduced to mitigate the attack. DDoS attacks overwhelm websites and online services with large volumes of junk traffic, making them temporarily unavailable to legitimate users.
...
As of Tuesday, internet users in Russia continued to report problems accessing some government websites, according to local internet monitoring services.
...
The latest disruption follows a separate outage last week that knocked out banking applications and payment systems across Russia for several hours, leaving customers in several regions, including Moscow, unable to pay by card, withdraw cash or access mobile banking services.
The cause of that incident remains unclear. Some Russian media outlets suggested it was linked to government attempts to block internet resources, including the filtering of IP addresses used by banking infrastructure. Other reports pointed to a possible internal failure at Sberbank, Russia’s largest lender.
North Korea, where only the regime’s most trusted citizens can use the global internet, scored 0 for internet freedom. Russia, Pakistan, Iran and China each scored just 4. The countries at or near the bottom of the list (with a score of 20 or below) are distributed across three continents: Asia, Africa and Europe.
“Commanders are now responsible for assessing the specific cyber risks to their mission and tailoring their unit’s training accordingly,” said Army Chief Information Officer Leonel Garciga in an emailed statement to DefenseScoop Friday. “This allows them to integrate cybersecurity into their operational training plans in a way that is relevant and effective for their soldiers.”
...
Retired Rear Adm. Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, said that a once-every-five-year cyber requirement “is unusual and probably a little riskier than one would expect in an agency that’s under constant foreign adversary attack.”
....
While the baseline requirement for the military’s Cyber Awareness Challenge — which has long been the “butt of all jokes” among troops, according to one cybersecurity expert — is every five years for the Army, Garciga said, commanders can decide to employ “more frequent or specialized” training based on their units’ situation, systems or “threats they face.”
Montgomery said units already focused on cyber may embrace the new directive to tailor such training for their own personnel and operations, but those that aren’t likely won’t. Infantry or armor units, for example, are already busy with tasks related to their core roles.

Getting Techy

  • Cisco Talos investigates the Endpoint Detection and Response (EDR) killer used by the Qilin ransomware group.
This DLL represents the initial stage of a sophisticated, multi-stage infection chain designed to disable local endpoint detection and response (EDR) solutions present on compromised systems.
...
Overall, the malware is capable of disabling over 300 different EDR drivers across a wide range of vendors.

Geo-Politics

  • [KH] Cambodia has passed laws specifically targeted at the plethora of scam centres in the country.
Senior officials acknowledged the death of foreign workers, hit to Cambodia’s reputation, rising recruitment of local workers and continued challenge of policing transnational crime as they presented the country’s new law against online scams on Friday.
...
“The eyes of the world are on online scams, and it has become a new shared concern for Cambodia, the region and the world — because mostly online fraud is committed across borders by organized crime networks. Criminals located in any country can defraud victims in other countries.”
...
The four offenses, in summary, are:
Online scams: Acts of deception using technology with the aim of obtaining transfers of funds, property, services or contracts. The punishment is two to five years in jail and a fine of 200 million to 500 million riel (about $50,000 to $125,000), or five to 10 years in jail and 500 million to 1 billion riel ($125,000 to $250,000) when committed by organized crime or against multiple victims.
Organizing or directing an online scam center: Punishable by five to 10 years in jail and 500 million to 1 billion riel in fines, or 10 to 20 years and 1 billion to 2 billion ($250,000 to $500,000) where there is violence, torture, confinement, coercion or human trafficking. Organizing or directing an online scam center that results in a death is punishable by 15 to 30 years or life imprisonment.
Recruiting or training others to commit online scams: Two to five years in jail and 200 million to 500 million riel, or five to 10 years and 500 million to 1 billion riel if there is violence, capture, confinement, death or migrant smuggling.
Collecting identification documents or personal information documents of others with malicious intent: Collecting bank accounts or social media accounts in order to commit online scams is punishable by one to three years in jail and a fine of 100 million to 300 million riel ($25,000 to $75,000), or three to five years and 300 million to 500 million ($75,000 to $125,000) if committed by organized crime.
Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.
...
During a similar campaign beginning in November 2023, the IRGC CEC-affiliated cyber threat actors known as "CyberAv3ngers” targeted U.S.-based PLCs and HMIs, causing disruptive effects.

Privacy

  • [US] Immigration and Customs Enforcement has confirmed its use of the commercial spyware product Paragon.
acting ICE Director Todd Lyons wrote that he had authorized the use of “cutting-edge technological tools” to help the Homeland Security Investigations division fight fentanyl, particularly against organizations using encrypted communications.
...
“It’s outrageous that [the Department of Homeland Security] and ICE are using this spyware with no Congressional oversight and a complete lack of compliance standards,” they said in a joint statement shared with CyberScoop. “Given the track record of the Trump Administration, ICE’s feigned compliance with existing standards doesn’t mean much; we need to see proof and evidence of ironclad safeguards.
...
The letter’s vague language on safeguards, combined with ICE’s stance on privacy, is concerning, said Cooper Quintin, a security researcher and senior public interest technologist with the Electronic Frontier Foundation’s Threat Lab.
“It leaves open the door for them to interpret that it is constitutional for them to use administrative subpoenas to use this malware in HSI investigations,” Quintin said.
The missive, obtained by Recorded Future News, arrives days before policymakers return from recess next week and aim for a quick extension Section 702 of the Foreign Intelligence Surveillance Act (FISA) for another 18 months. It allows the National Security Agency to intercept the communications of foreign espionage or terrorism suspects that transit through U.S. telecom and internet companies.
Members have just days before the statute expires on April 20.
...
“In particular, we also write to caution against allowing this essential legislation to become entangled with unrelated policy debates that threaten to delay its passage,” it notes.
The line is a nod to a push by some of Trump’s ardent congressional supporters to attach a controversial voting rights bill to any reauthorization and arguments from civil liberty and privacy advocates who are alarmed by the federal government purchasing information from data brokers.
The letter also cites a staff report issued last week by the Privacy and Civil Liberties Oversight Board that endorsed how FISA Section 702 has been utilized since the last extension in 2024. However, the findings have come under fire from critics because Trump previously fired the board’s Democratic panelists and is currently represented by a single GOP member.

AI

  • Anthropic has put together an industry partnership, in an effort to give defenders a head start with new - more capable - models.
    The second link discusses some of the patched findings in more detail.
Today we’re announcing Project Glasswing, a new initiative that brings together Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks in an effort to secure the world’s most critical software.
...
As part of Project Glasswing, the launch partners listed above will use Mythos Preview as part of their defensive security work; Anthropic will share what we learn so the whole industry can benefit. We have also extended access to a group of over 40 additional organizations that build or maintain critical software infrastructure so they can use the model to scan and secure both first-party and open-source systems. Anthropic is committing up to $100M in usage credits for Mythos Preview across these efforts, as well as $4M in direct donations to open-source security organizations.
...
Over the past year, AI models have become increasingly effective at reading and reasoning about code—in particular, they show a striking ability to spot vulnerabilities and work out ways to exploit them. Claude Mythos Preview demonstrates a leap in these cyber skills—the vulnerabilities it has spotted have in some cases survived decades of human review and millions of automated security tests, and the exploits it develops are increasingly sophisticated.
...
Project Glasswing partners will receive access to Claude Mythos Preview to find and fix vulnerabilities or weaknesses in their foundational systems—systems that represent a very large portion of the world’s shared cyberattack surface. We anticipate this work will focus on tasks like local vulnerability detection, black box testing of binaries, securing endpoints, and penetration testing of systems.
