InfoSec News 10APR2026
General
- Chrome's long-awaited "Device Bound Session Credentials" (DBSC) has finally arrived, after a 2024 announcement. It uses the Trusted Platform Module as the root of trust to protect a key pair, which in turn protects the cookies.
Most modern authentication uses a short-lived (commonly 1 hour) Access token, used to interact with the site, and a long-lived (in some cases 90 days) Refresh token, used to re-issue the Access token when it expires.
DBSC is designed to defeat theft of the Refresh token (e.g. via an Information Stealer), stopping issuance of an Access token and thus access to the site. It does so by introducing a challenge-response, requiring the Refresh token holder to sign the challenge with the un-exportable (thus un-stealable) private key.
DBSC requires explicit support by the website, and only protects against theft and remote use of the cookie, not Attacker-in-the-Browser (commandeering the user's browser, which can respond to the challenge successfully).
At a high level, DBSC introduces a cryptographic key pair associated with the user's device. Chrome generates this key pair during login and stores the private key in secure hardware, such as a Trusted Platform Module (TPM), when available. Sessions use short-lived cookies. When one of these cookies expires, Chrome proves possession of the private key before refreshing them. This process links session continuity to the original device.
If a user's device does not support secure key storage, DBSC gracefully falls back to standard behavior without breaking the authentication flow.
- https://www.bleepingcomputer.com/news/security/google-chrome-adds-infostealer-protection-against-session-cookie-theft/
- https://developer.chrome.com/docs/web-platform/device-bound-session-credentials
- Another Device Code Phishing and Attacker-in-the-Middle platform, dubbed 'Venom'. This one's very well put together. It uses Quick Response (QR) codes to move the attack onto (likely less monitored) mobile devices. Interestingly, the QR code is constructed "entirely from Unicode block characters", rather than included as an image.
In adversary-in-the-middle (AiTM) mode, the harvester presents the target's real identity provider—their organization's logo, their own email address pre-filled, and if their account is federated, their actual IdP login page rather than a generic Microsoft form. The experience is indistinguishable from a genuine sign-in because it is, in every visible respect, genuine. The branding is real, the federation handoff is real, and the login form that the target types into mirrors exactly what they would see during a legitimate sign-in. Credentials and MFA codes are relayed to Microsoft's live API in real time.
In Device Code mode, the target never sees a login form. The page presents as a Docusign notification—a protected document pending verification. The target copies a code, clicks through to microsoft[.]com/devicelogin, enters it, and approves what Microsoft presents as a routine device sign-in request. That approval is the attack. Microsoft authenticates the target against its own infrastructure and delivers the resulting access and refresh tokens directly to the attacker's polling backend. There is no credential form to detect, no proxy to identify, and no MFA to intercept.
...
The operator has built an end-to-end pipeline where every stage actively protects the next: the email evades scanners so the QR code reaches the target; the QR code moves the session off-network so the gate goes unmonitored; the gate filters out researchers so the harvester stays unexposed, and the harvester completes its work—including persistence—before the target's browser has moved on.
The most consequential finding is not the sophistication of any individual mechanism but what the campaign achieves structurally: MFA is rendered ineffective not by exploiting a vulnerability in the protocol, but by operating within it. Whether through real-time session relay or Microsoft's own Device Code flow, the attacker obtains persistent access through the authentication system itself.
- https://abnormal.ai/blog/venom-phishing-campaign-mfa-credential-theft
- https://www.bleepingcomputer.com/news/security/new-venom-phishing-attacks-steal-senior-executives-microsoft-logins/
- Interested in knowing more about the theft of Coruna iOS exploits from L3 Trenchant (L3 Harris)? Kim Zetter has written a long article in her blog.
- Something a little different - TechCrunch, on the life of Mikko Hyppönen.
“I often call this ‘cybersecurity Tetris,’” he tells the audience with a serious face, rattling off the rules of the classic video game. When you complete a whole line of bricks, the row vanishes, leaving the rest of the bricks to fall into a new line.
“So your successes disappear, while your failures pile up,” he tells the audience during his keynote at Black Hat in Las Vegas in 2025. “The challenge we face as cybersecurity people is that our work is invisible … when you do your job perfectly, the end result is that nothing happens.”
- This seems like an effective test for suspected North Korean IT workers.
For the last few years, North Koreans have gotten remote jobs at hundreds of Western companies pretending to be from somewhere else, using fake resumes, and sometimes with the help of American collaborators.
...
Over time, someone realized that there could be a way to expose possible North Koreans during the interview process: Ask the suspected impostor to insult the country’s dictator Kim Jong Un, given that insulting him is illegal in the country and can result in harsh punishments. While this is a well-known strategy, we rarely see real-life examples of it working in real time.
- https://techcrunch.com/2026/04/06/watch-this-video-of-how-a-job-interviewer-exposes-a-north-korean-fake-it-worker/
- https://x.com/i/status/2041096021300928759
- [RU] Attackers have been targeting finance departments in organisations across Russia.
The attackers used phishing emails to infect accountants’ computers with malware, allowing them to access remote banking systems used to manage company payments.
Once inside, the hackers created payment orders that appeared to be legitimate salary transfers but in fact routed funds to accounts they controlled.
More than 3,000 Russian organizations received the malicious emails, researchers said. The largest confirmed theft exceeded 14 million rubles (about $178,000).
According to the report, the attackers carefully tailored their phishing emails to employees working in accounting or finance departments.
Getting Techy
- There's a Zero Day in Adobe (PDF) Reader. It involves running JavaScript inside the PDF, with none of the usual steps indicating an 'exploit', just (ab)using included functionality.
This "fingerprinting" exploit has been confirmed to leverage a zero-day/unpatched vulnerability that works on the latest version of Adobe Reader without requiring any user interaction beyond opening a PDF file. Even more concerning, this exploit allows the threat actor to not only collect/steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim's system.
...
[Update on April 8] A new variant was found today by @greglesnewich. I've confirmed this finding, it connects to IP address 188.214.34.20:34123. This sample appeared on VT on 2025-11-28, showing that this 0day/APT campaign has been ongoing for at least 4 months.
- https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.html
- https://www.bleepingcomputer.com/news/security/hackers-exploiting-acrobat-reader-zero-day-flaw-since-december/
- Chainalysis provide a little more detail on the recent Drift Protocol cryptocurrency theft.
On 1 April, 2026, Drift Protocol, the largest DeFi protocol on the Solana network, suffered the largest hack of the year so far and the second largest security failure in Solana’s history. Beginning at approximately 16:05 UTC on 01 April 2026, an attacker gained admin control of the Drift protocol and proceeded to drain an estimated $285 million from its vaults over the following hours, wiping out more than 50% of its total value locked (TVL).
Geo-Politics
- [CN] A brief analysis of China's Five Year Plan (FYP), approved in March.
On March 12, 2026, the National People’s Congress approved the “Outline of the 15th Five-Year Plan for National Economic and Social Development (15th FYP) of the People’s Republic of China”..., the country’s highest-level development blueprint, which covers the years 2026 to 2030. Over the years, the Western cybersecurity industry, the US government and other private and public organizations have reported that China’s cyber operation targets are closely aligned with its strategic plans, including the FYP. Therefore, examining the strategic objectives in the FYPs is necessary to identify the likely intelligence requirements of China’s cyber operations.
- [US] Further signs of cohesive and strategically planned policy in the US. After further cutting the budget of the Cybersecurity and Infrastructure Security Agency (CISA) - tasked with industry collaboration and information sharing - the US now wants better information sharing with the cryptocurrency platforms. In steps Treasury's Office of Cybersecurity and Critical Infrastructure Protection (OCCIP).
Eligible U.S. digital asset firms and industry organizations “that meet Treasury’s criteria” will be able to receive, at no cost, the same actionable cybersecurity information Treasury regularly shares with traditional U.S. financial institutions.
...
Luke Pettit, assistant secretary for financial institutions at the Treasury Department, said digital asset firms are an “increasingly important part of the U.S. financial sector” and their resilience is “critical to the health of the broader system.”
“By extending access to the same high-quality cybersecurity information used by traditional financial institutions, Treasury is helping promote a more secure and responsible digital asset ecosystem,” Pettit said.
AI
- Two more AI model releases:
- Meta Muse Spark - a closed-weights model, their first after the Llama 4 flop. The benchmark claims are high.
Over the last nine months, we rebuilt our pretraining stack with improvements to model architecture, optimization, and data curation...The results are clear: we can reach the same capabilities with over an order of magnitude less compute than our previous model, Llama 4 Maverick.
- Z.AI have released their next open-weights GLM model, 5.1. It's a hefty 748b parameter model (so ~1.5TB download!). Not quite as strong a model. As seems to be the trend at the moment, the focus is on long-running agentic sessions.