InfoSec News 11MAR2026
General
- Windows Autopatch, which reached General Availability (GA) in July 2022, is moving to on-by-default. Autopatch is designed to patch a running system, without requiring a reboot. It's an Enterprise-only (E3, E5, E7, et cetera licence) feature.
- Microsoft Entra now supports passkeys on Windows.
Microsoft Entra passkeys on Windows enable phishing-resistant, passwordless sign-in using Windows Hello on Entra-protected resources, including unmanaged devices. Public preview starts mid-March 2026. Organizations must opt in and configure policies to enable this feature; no impact occurs without activation.
We’re introducing Microsoft Entra passkeys on Windows to enable phishing-resistant sign-in to Entra-protected resources. This update allows users to create device‑bound passkeys stored in the Windows Hello container and authenticate using Windows Hello methods (face, fingerprint, or PIN). It also expands passwordless authentication to Windows devices that aren’t Entra‑joined or registered, helping organizations strengthen security and reduce reliance on passwords.
- https://mc.merill.net/message/MC1247893
- https://www.bleepingcomputer.com/news/microsoft/microsoft-entra-brings-phishing-resistant-sign-in-to-windows/
- It's patch-time for Microsoft systems
Today is Microsoft's March 2026 Patch Tuesday with security updates for 79 flaws, including 2 publicly disclosed zero-day vulnerabilities.
This Patch Tuesday also addresses three "Critical" vulnerabilities, 2 of which are remote code execution flaws and the other is an information disclosure flaw.
CVE-2026-26144 is a critical-severity information disclosure vulnerability in Microsoft Excel. This cross-site scripting flaw can be exploited to "cause Copilot Agent mode to exfiltrate data via unintended network egress, enabling a zero-click information disclosure attack," Redmond warned.
Yes, you read that right: a zero-click bug that weaponizes an Excel spreadsheet and the Copilot Agent to steal data. As Childs notes, it's "an attack scenario we're likely to see more often."
- https://support.microsoft.com/en-us/topic/march-10-2026-kb5079473-os-builds-26200-8037-and-26100-8037-9c222a8e-cc02-40d4-a1f8-ad86be1bc8b6
- https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5079473-and-kb5078883-cumulative-updates-released/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2026-patch-tuesday-fixes-2-zero-days-79-flaws/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-10-kb5078885-extended-security-update/
- https://cyberscoop.com/microsoft-patch-tuesday-march-2026/
- https://www.theregister.com/2026/03/10/zeroclick_microsoft_info_disclosure_bug/
- https://www.zerodayinitiative.com/blog/2026/3/10/the-march-2026-security-update-review
- More reporting on the Coruna iOS exploit kit, corroborating earlier reporting that it was likely developed by L3Harris, then stolen and sold to a Russian exploit broker by Peter Williams (at the time an L3Harris employee).
“Coruna was definitely an internal name of a component,” said one former L3Harris employee, who was familiar with iPhone hacking tools as part of their work at Trenchant.
“Looking at the technical details,” this person said, referring to some of the evidence Google published, “so many are familiar.”
The former employee said the overarching Trenchant toolkit housed several different components, including Coruna and related exploits. Another former employee confirmed that some of the details included in the published hacking toolkit came from Trenchant.
- [IR] Check Point Research documents some of the crossover between normal Iranian government operations (mainly the Ministry of Intelligence and Security, MOIS) and criminal operations (such as ransomware).
For years, Iranian intelligence services have operated through deniable criminal intermediaries in the physical world. A similar pattern is now becoming visible in cyber space, where state objectives are increasingly pursued through criminal tools, services, and operational models. Notably, this dynamic appears with growing frequency in activity associated with actors linked to the Ministry of Intelligence and Security (MOIS).
For a long time, Iranian actors sought to mask state activity behind the appearance of ordinary cyber crime, most often by posing as ransomware operators. The trend we are seeing now goes beyond imitation. Rather than simply adopting criminal and hacktivist personas to complicate attribution, some Iranian actors appear to be associating with the cyber criminal ecosystem itself, leveraging its malware, infrastructure, and affiliate-style mechanisms. This shift matters because it does more than improve deniability; it can also expand operational reach and enhance technical capability.
- https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/
- https://www.theregister.com/2026/03/10/cybercrime_iran_mois/
- [PL] Crims are just getting younger and younger...
Polish police have referred seven suspected juvenile cybercriminals to family court over an alleged scheme to flog DDoS kits online.
The youths, aged between 12 and 16 at the time of the alleged offenses, all face charges related to selling DDoS tools in what police described as a purely profit-driven scheme.
...
The investigation began in 2025 after one of the group's leaders, aged just 14 at the time, was identified as a suspected administrator of the tools the group was allegedly selling.
Police visited the teenager at their residence in the Masovian voivodeship, central Poland, collected artifacts, and later analyzed them, leading investigators to the other six suspects.
- [US] A new Executive Order calls for the creation of a Victim Restoration Program that will use recovered and seized funds to pay back victims.
The order also calls for the creation of a Victim Restoration Program in 90 days that will provide “restoration or remission to victims of cyber-enabled fraud schemes from funds clawed back, forfeited, or seized from the transnational criminal organizations that perpetrate such schemes.”
An operational unit within the National Coordination Center will be created to organize federal efforts to combat the organizations. Participants will include the State, Treasury, War, Homeland Security and Justice Departments.
...
The unit will use technical capabilities, threat intelligence and operational insights from commercial cybersecurity firms to “enhance attribution, tracking, and disruption of malicious cyber actors and enabling infrastructure engaged in cybercrime, fraud, and predatory schemes.”
Getting Techy
- From Lumen's Black Lotus Labs - malware using a Kademlia-style Distributed Hash Table (DHT) to provide a level of resilient Command and Control (C2), rather than depending on a single hard-coded server.
Kademlia is an implementation of a distributed hash table (DHT) that allows for efficient decentralized lookups of information across peers and has been proven through multiple real-world protocols such as BitTorrent DHT, eMule, I2P and Ethereum.
To better understand this system, think of Kademlia like using a chain of friends to find someone’s phone number: each friend does not know the whole number but knows someone who can get you closer to the answer. Passing your request along this chain, you quickly put together the whole phone number. Likewise, Kademlia nodes forward queries to others that are “closer” to the target, enabling fast and efficient searches without knowing the whole network.
The KadNap malware is a custom implementation of a Kademlia DHT. Naming the ELF file kad was likely in relation to using this protocol to hide the IP address of the C2 server.
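To make the "chain of friends" lookup concrete, here is a small Kademlia simulation added to this digest (it is not Lumen's code and says nothing about KadNap's actual wire format): XOR distance, k-buckets, and the iterative FIND_NODE that hops closer each round. The point for defenders is visible in the result: no single peer holds the whole network, so a lookup succeeds without any node knowing a fixed C2 address. Node labels, k and alpha are constructed values.

```python
import hashlib

ID_BITS = 160  # Kademlia uses 160-bit node IDs; a custom implementation may differ

def node_id(label: str) -> int:
    """Derive a 160-bit ID from a label (constructed toy network, not KadNap's scheme)."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")

def xor_distance(a: int, b: int) -> int:
    """Kademlia's distance metric: XOR the two IDs and compare the result as an integer."""
    return a ^ b

def bucket_index(a: int, b: int) -> int:
    """k-bucket index = position of the highest bit where the IDs differ (-1 if equal)."""
    return xor_distance(a, b).bit_length() - 1

class Node:
    """A peer with only a partial view of the network: at most k contacts per k-bucket."""
    def __init__(self, label: str, k: int = 4):
        self.id, self.k, self.peers = node_id(label), k, {}

    def learn(self, others):
        buckets = {}
        for o in sorted(others, key=lambda n: n.id):  # deterministic fill order
            i = bucket_index(self.id, o.id)
            if i >= 0 and len(buckets.setdefault(i, [])) < self.k:
                buckets[i].append(o)
                self.peers[o.id] = o

    def closest(self, target: int):
        """What a FIND_NODE reply carries: the k known peers nearest the target."""
        return sorted(self.peers.values(), key=lambda p: xor_distance(p.id, target))[:self.k]

def iterative_find(start: Node, target: int, alpha: int = 3):
    """Query the alpha closest unqueried peers, merge their replies, repeat until the
    target appears. Each round strictly shrinks the distance. Returns (node, rounds)."""
    shortlist = {p.id: p for p in start.closest(target)}
    queried, rounds = set(), 0
    while target not in shortlist:
        pending = [p for p in sorted(shortlist.values(), key=lambda p: xor_distance(p.id, target))
                   if p.id not in queried][:alpha]
        if not pending:
            break
        rounds += 1
        for p in pending:
            queried.add(p.id)
            for q in p.closest(target):
                shortlist.setdefault(q.id, q)
    return min(shortlist.values(), key=lambda p: xor_distance(p.id, target)), rounds

def build_network(n: int = 64):
    nodes = [Node(f"peer-{i}") for i in range(n)]
    for node in nodes:
        node.learn(nodes)
    return nodes
```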
Geo-Politics
- [FI] Finland's Security and Intelligence Service (SUPO) has released their "National Security Overview 2026", covering a number of areas, including:
The end of the war will not change the character of Russia
Growing tensions in the Baltic Sea
China aims to become a global leader by exploiting others
Race for resources shifts from oil to critical minerals
Cloud adoption obscures the digital independence of states
Continuing instability in the Middle East has extensive repercussions
...
Espionage can rob a start-up of its future
Generative artificial intelligence enhances the efficiency of influencing activities
China aims to become so influential that other countries are dependent on it and forced to take its interests into account. China also aims to keep on developing its armed forces so that, in the long term, it will be capable of operating globally. The ability to control the neighbouring areas is particularly important for China, with the Taiwan issue being the key priority.
...
China tries to accelerate the development of its position by benefiting from the international policy structures, trading with Russia and engaging developing countries in the Global South to agreements that promote China’s interests. China wants to shape the current world order so that it would better serve its own needs. China’s actions are aimed at ensuring that Western countries would not be able to pressurise it in matters related to such issues as democracy and human rights.
...
For example, China has been investing in increasing its influence in the UN for years and has succeeded in raising Chinese individuals to many key positions within the organisation. When matters are voted on, China wins developing countries on its side by means of economic cooperation. This way, it has influenced, for example, the way human rights are reviewed periodically. The reduced interest of the United States in the UN has also made it possible for China to build a higher profile.
- [IR] Ratings agencies are warning of increased cyber risk to US companies over the war in Iran.
Fitch Ratings, in a report released Monday, warned that hacktivists, state-sponsored groups and lone wolf actors could use cyber to target critical infrastructure and U.S. public entities in reaction to the war.
...
Fitch Ratings warned the threat could range from distributed denial-of-service hacks to financially motivated attacks and other attempts to disrupt operations of these entities. They warned that attacks on critical infrastructure providers such as power companies or water utilities could lead to downstream impacts.
“Heightened geopolitical tensions involving Iran increase the risk of retaliatory cyber activity, particularly against organizations linked to the U.S., Israel and allies as past incidents have shown,” said Leroy Terrelonge, cyber risk senior credit officer at Moody’s Ratings.
...
The current bombing campaign, which began Feb. 28, has led to heightened threats from pro-Iran and some pro-Russian hacktivists. Already security researchers have warned of exploitation attempts targeting critical infrastructure, including ICS systems in Israel and surveillance cameras in Persian Gulf countries.
- [US] To offset rising oil prices caused by Trump's war on Iran, he's winding back restrictions on Russian oil.
The Trump administration has started to loosen some restrictions on Russian oil exports that were designed to pressure the Kremlin over the war in Ukraine, as Washington seeks to ease the shock in energy markets from the U.S.-Israeli attacks on Iran.
Treasury Secretary Scott Bessent on Friday issued a 30-day waiver for India to buy Russian oil already at sea without retaliation from Washington, which he said would only have a modest impact on Russia’s revenues.
...
Mr. Bessent later said that the United States was considering lifting more sanctions on Russian oil. And President Trump on Monday said in a news conference that his administration was “waiving certain oil-related sanctions to reduce prices.”
...
“We have sanctions on some countries, we are going to take those sanctions off until this straightens out,” Mr. Trump said. “And then who knows, maybe we won’t have to put them on because there will be so much peace.”
...
The dramatic change in energy markets could not have come at a better time for President Vladimir V. Putin of Russia. The country’s energy revenues had been plummeting, with oil and gas companies contributing 44 percent less to Russia’s budget in February than in the same month a year earlier. This has forced Russia to draw on the dwindling liquid assets left in its National Wealth Fund.
- [US] Trump's a step closer to getting his pick for dual-hat National Security Administration (NSA - cyber defence) and Cyber Command (cyber offence) lead. The position has been vacant since Trump fired General Timothy Haugh in April 2025, apparently at the behest of Laura Loomer.
The nominee to helm Cyber Command and the NSA has traditionally cleared the Senate without a formal vote. However, Senate Majority Leader John Thune (R-SD) took the unusual step to circumvent a procedural hold from Sen. Ron Wyden (D-OR), who last month pledged to block Rudd from receiving a quick confirmation.
Speaking on the chamber floor before the vote, Wyden, a senior member of the Senate Intelligence Committee, called Rudd’s nomination a “mistake.”
“Our country needs an NSA director with experience in U.S. signals activities and it has to come from working in these issues around the world. General Rudd does not have that experience,” he said, citing the ongoing war with Iran.
...
If confirmed by the full chamber, Rudd would be the first Senate-approved leader of Cyber Command and the NSA since Trump fired former head Gen. Timothy Haugh nearly a year ago.
Privacy
- Remember DOGE and their slap-dash approach to information security?
The Social Security Administration’s internal watchdog is investigating a complaint that alleges a former U.S. DOGE Service employee claimed he had access to two highly sensitive agency databases and planned to share the information with his private employer — a claim that, if true, would constitute an unprecedented breach of security protocols at an agency that serves more than 70 million Americans.
...
The databases, called “Numident” and the “Master Death File,” include records for more than 500 million living and dead Americans, including Social Security numbers, places and dates of birth, citizenship, race and ethnicity, and parents’ names.
...
According to the complaint, he allegedly told the whistleblower that he needed help transferring data from a thumb drive “to his personal computer so that he could ‘sanitize’ the data before using it at [the company.]” The engineer told colleagues that once he had removed personal details from the data, he wanted to upload it into the company’s systems. He told another colleague, who refused to help him upload the data because of legal concerns, that he expected to receive a presidential pardon if his actions were deemed to be illegal, according to the complaint.
AI
- Research from Palo Alto Networks' (PAN) Unit 42 - using "Automated Predictive Fuzzing" to bypass LLM-based gatekeepers. No surprise that layering an LLM on top of an LLM, in the hope that one will protect the other, is not a winning move.
An interesting part of their research was generating bypasses that can easily pass for normal text ("low perplexity"). It was conducted as a black-box test, with no special access required.
Our research using this tool achieved a 99% success rate in bypassing controls across several widely used architectures that customers rely on today:
...
Models specifically built and trained to act as “security guards” for other AI systems.
...
Even the largest, most “intelligent” models (with more than 70 billion parameters) were susceptible. Their complexity actually provides more surface area for these logic-based attacks to succeed.
...
The methods of AdvJudge-Zero in our testing prove that AI judges are susceptible to logic flaws similar to other software. If an attacker can automate the discovery of bypass codes through fuzzing, they can systematically defeat AI guardrails with innocent-looking inputs.
- https://unit42.paloaltonetworks.com/fuzzing-ai-judges-security-bypass/
- https://arxiv.org/abs/2512.17375
- [US] A California court has ruled that Perplexity's agentic browser (Comet AI) can't make purchases from Amazon on behalf of the user.
The court held that Amazon “has provided strong evidence that Perplexity, through its Comet browser, accesses with the Amazon user’s permission but without authorization by Amazon, the user’s password-protected account.”
Per the ruling, Perplexity must prohibit Comet from accessing, attempting to access, assisting, instructing or providing the means for others to access Amazon user accounts. Perplexity must also delete all Amazon account and customer data it collected along the way.
...
The case could have broader implications for the way commercial AI agent tools are designed and how far they can legally act on a person’s behalf. Notably, while Amazon opposes Comet’s AI-directed purchases, Perplexity claims that its users have given them permission to make purchases on their behalf.
Perplexity argued a court order halting their AI’s activities would go against the public interest, depriving them of consumer choice and innovation. Chesney concluded the opposite, endorsing Amazon’s argument that the public has a greater interest in protecting their computers from unauthorized access.