InfoSec News 11FEB2026
General
- Kudos to Microsoft - it is planning to make Windows behave more like a mobile operating system, from a security perspective.
With Windows Baseline Security Mode, Windows will move toward operating with runtime integrity safeguards enabled by default. These safeguards ensure that only properly signed apps, services and drivers are allowed to run, helping to protect the system from tampering or unauthorized changes.
...
With User Transparency and Consent, we are bringing a more consistent and intuitive approach to how Windows communicates security decisions. Just like on your smartphone, Windows will now prompt you when apps try to access sensitive resources — like your files, camera or microphone — or when they attempt to install other unintended software.
...
Windows has a long-standing tradition as an open platform. We will continue to preserve what has made it successful: freedom to install any app and openness to every developer.
- https://blogs.windows.com/windowsexperience/2026/02/09/strengthening-windows-trust-and-security-through-user-transparency-and-consent/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-new-mobile-style-windows-security-controls/
- It's Patch Tuesday in the US, Microsoft has released updates for Windows 11 and Windows 10 (Extended Security)
- https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2026-patch-tuesday-fixes-6-zero-days-58-flaws/
- https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5077181-and-kb5075941-cumulative-updates-released/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-10-kb5075912-extended-security-update/
- https://cyberscoop.com/microsoft-patch-tuesday-february-2026/
- Updated Secure Boot certificates for Windows PCs will roll out via Windows Update over the coming months. That is cutting it a bit close to the late-June-2026 expiry of the existing certificates. The process for manually replacing Secure Boot certificates in UEFI (Unified Extensible Firmware Interface, the modern replacement for BIOS) is not the simplest, nor is it standardised across UEFI firmware vendors. Non-Windows users of Secure Boot will need to find their own solutions.
Although Microsoft will automatically update high-confidence devices via Windows Update, IT admins can also deploy Secure Boot certificates using registry keys, Group Policy settings, and the Windows Configuration System (WinCS) to ensure that endpoints don't lose Windows Boot Manager and Secure Boot protections.
While devices that fail to receive updated certificates before June will continue to function normally, they will enter what Microsoft describes as a "degraded security state," with "limited" boot-level protections and no protection against attacks that exploit newly discovered vulnerabilities because they cannot install new mitigations.
- https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-out-new-secure-boot-certificates-before-june-expiration/
- https://www.itnews.com.au/news/windows-secure-boot-certificates-expire-in-june-microsoft-warns-623522
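Before the June expiry, the first question for an admin is whether a given PC has already received the new certificates. The following is an added check (not from the articles above or from Microsoft's tooling) that reads the UEFI DB and KEK variables from an elevated PowerShell session and looks for the 2023-generation CA subject names; those names are assumed from Microsoft's published certificate list, not quoted on this page.

```powershell
# Added example: report whether the updated 2023 Secure Boot CAs are present
# in this PC's UEFI DB (allowed signers) and KEK (key exchange key) variables.
# The CA subject strings below are assumed from Microsoft's published list of
# 2023 certificates; adjust them if your reference differs. Run elevated.
function Get-SecureBootCertStatus {
    if (-not (Confirm-SecureBootUEFI)) {
        return [pscustomobject]@{ SecureBoot = $false; Db2023 = @(); Kek2023 = @(); LegacyDb = @() }
    }
    # The variables hold raw EFI_SIGNATURE_LISTs; the certificate subject names are
    # plain ASCII inside the embedded DER certificates, so a substring search suffices.
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $wantDb  = 'Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023'
    $wantKek = 'Microsoft Corporation KEK 2K CA 2023'
    $oldDb   = 'Microsoft Windows Production PCA 2011'   # the 2011 signer that expires in 2026

    [pscustomobject]@{
        SecureBoot = $true
        Db2023     = @($wantDb  | Where-Object { $db  -match [regex]::Escape($_) })
        Kek2023    = @($wantKek | Where-Object { $kek -match [regex]::Escape($_) })
        LegacyDb   = @($oldDb   | Where-Object { $db  -match [regex]::Escape($_) })
    }
}

$status = Get-SecureBootCertStatus
$status | Format-List

if (-not $status.SecureBoot) {
    Write-Warning 'Secure Boot is off; certificate state is irrelevant until it is enabled.'
} elseif ($status.Db2023.Count -eq 0) {
    Write-Warning 'No 2023 CA in DB yet: this PC still depends only on the certificates expiring in June 2026.'
} elseif ($status.Kek2023.Count -eq 0) {
    Write-Warning 'DB updated but KEK is not: future DB/DBX updates signed with the 2023 KEK will be rejected.'
}
```

The output is a snapshot of the firmware variables only; it does not tell you whether the boot manager itself has been re-signed, which is a separate step in the rollout.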
- Not so great, Microsoft - the Microsoft 365 Admin Centre is down for some, primarily in North America.
"Initial reports indicate that the issue is occurring in the North America regions. We'll provide more information once identified."
Although Microsoft didn't disclose how many customers are impacted, the company has classified this issue as an incident, which usually involves noticeable user impact.
- https://www.bleepingcomputer.com/news/microsoft/microsoft-365-outage-takes-down-admin-center-in-north-america/
- https://status.cloud.microsoft/
- iVerify has uncovered a full-featured iOS and Android RAT (Remote Access Trojan) dubbed "ZeroDayRAT".
From that panel, an operator gains full remote control over a user’s Android or iOS device, with support spanning Android 5 through 16 and iOS up to 26, including the iPhone 17 Pro. No technical expertise is required. The platform goes beyond typical data collection into real-time surveillance and direct financial theft.
...
GPS coordinates are pulled and plotted on an embedded Google Maps view with location history, so an operator can track not just where the infected user is now but where they've been.
...
Notifications are captured separately: app name, title, content, and timestamp. WhatsApp messages, Instagram notifications, missed calls, Telegram updates, YouTube alerts, system events.
...
Every account registered on the device is enumerated: Google, WhatsApp, Instagram, Facebook, Telegram, Amazon, Flipkart, PhonePe, Paytm, Spotify, and more, each with its associated username or email.
...
a keylogger captures every input with app context and millisecond timestamps: biometric unlocks, gestures, keystrokes, app launches. A live screen preview runs on the right side of the panel, so the attacker sees what the target is doing and what they're typing at the same time.
...
The crypto stealer scans for wallet apps like MetaMask, Trust Wallet, Binance, and Coinbase, logging wallet IDs and balances. It also performs clipboard address injection, silently replacing copied wallet addresses with the attacker's so outgoing transfers get redirected.
A separate bank stealer module targets online banking apps, UPI platforms like PhonePe and Google Pay, and services like Apple Pay and PayPal, capturing credentials via overlay attacks.
- https://iverify.io/blog/breaking-down-zerodayrat---new-spyware-targeting-android-and-ios
- https://www.bleepingcomputer.com/news/security/zerodayrat-malware-grants-full-access-to-android-ios-devices/
- Coveware have released their analysis of ransomware for Q4 2025. Payment values are going up, but the percentage of victims paying is going down.
Over the past several years, organizations have matured significantly in their understanding of breach consequences. Paying for data suppression does not eliminate legal or regulatory notification obligations. It does not meaningfully reduce the likelihood of litigation. And experience has shown—repeatedly—that it does not prevent threat actors from retaining the data, selectively leaking it, or recycling it for future re-extortion months or even years later.
...
Q4 continues to show a pronounced gap between average ($591,988, +57% from Q3 2025) and median ransom payments ($325,000, +132% from Q3 2025). While median payments remain comparatively constrained, the average payment exhibits sharp volatility driven by a small number of outsized settlements. This reinforces that headline “average ransom” figures are increasingly influenced by edge cases rather than representative outcomes.
...
Ransom Payment Rates Continue to Set New Lows
Ransom payment rates have continued their long-term decline, reaching approximately 20% in the most recent quarter, representing a new historical low and extending the multi-year downward trajectory observed since 2020.
- https://www.coveware.com/blog/2026/2/3/mass-data-exfiltration-campaigns-lose-their-edge-in-q4-2025
- https://databreaches.net/2026/02/08/some-good-news-downstream-victims-of-mass-data-theft-campaigns-are-less-likely-to-pay-incident-responders/
- [US] A Chinese (and Saint Kitts and Nevis*) national has been sentenced to 20 years in prison for pig butchering. Unfortunately, although he was arrested at Atlanta airport in 2024, he cut off his ankle monitor and escaped in December 2025.
* Saint Kitts and Nevis is a small (~54,000 people) nation in the Caribbean that runs a "Citizenship-by-Investment" programme. For around US$400,000 in real-estate purchases, or US$250,000 in contributions to a fund, approved applicants receive citizenship for life, inheritable by their dependants.
He instructed accomplices to open bank accounts and transfer more than $73 million to Deltec Bank in the Bahamas for conversion into cryptocurrency, including Tether. The investigators also discovered more than $341 million in cryptocurrency in one of the crypto wallets the fraud ring used for money laundering.
Geo-Politics
- Google Threat Intelligence have released a large catalogue of "Threats to the Defense(sic) Industrial Base". It's a who's who of threat actors attacking western interests.
Privacy
- Section 702 of the Foreign Intelligence Surveillance Act (FISA) is close to expiring again. Discussions are underway around its renewal.
The high-level meeting comes just weeks before Section 702 of the Foreign Intelligence Surveillance Act (FISA), which enables broad electronic surveillance of the communications of overseas national security threats, such as terrorists and foreign spies, is set to expire.
The foreign spying tool is considered essential to national security by intelligence officials; however, a wide range of progressive and conservative lawmakers have resented the program, as it allows some Americans' private data to be collected and searched without a warrant.
Under § 702(b) of the FISA Amendments Act, acquisitions are subject to several limitations.
Specifically, an acquisition:
- May not intentionally target any person known at the time of acquisition to be located in the United States;
- May not intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States;
- May not intentionally target a U.S. person reasonably believed to be located outside the United States;
- May not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States;
- Must be conducted in a manner consistent with the Fourth Amendment to the United States Constitution. (unreasonable searches and seizures)
AI
- OpenAI are implementing an allow-listing approach to help prevent data exfiltration through crafted URLs. It raises the bar but doesn't block all avenues (it just slows them down). They're using their own web crawler to build the allow-list from URLs it has already seen.