InfoSec News 12MAR2026
General
- A cynic might suggest that Meta are on a Public Relations (PR) push, to counter calls for investigations into their “facilitation of and profiting from” fraudulent advertising.
The company said it also removed 10.9 million Facebook and Instagram accounts associated with criminal scam centers as it rolled out new tools aimed at stopping online fraud, something Meta describes as “one of the fastest-growing forms of organized crime globally.”
...
The company said most scam ads are detected automatically. Agranovich said 92% of the 159 million scam ads removed last year were taken down before anyone reported them.
...
The incentives for these platforms to tackle the problem have been questioned. A Reuters investigation last year, citing internal company documents, reported that Meta projected about 10% of its 2024 revenue, roughly $16 billion, would come from ads linked to scams and banned goods. Meta disputes that figure and says scams undermine the trust its advertising business depends on.
...
The Reuters investigation helped spur calls in Washington for greater scrutiny of scam ads on Meta platforms. In November, Sens. Richard Blumenthal (D-Conn.) and Josh Hawley (R-Mo.) urged the FTC and Securities and Exchange Commission to investigate whether Meta profited from scam advertising and whether enforcement action was warranted.
Other lawmakers have pushed for broader changes. In February, Sens. Ruben Gallego (D-Ariz.) and Bernie Moreno (R-Ohio) introduced the bipartisan SCAM Act, which would require social media companies to take “reasonable steps” to verify advertisers and combat fraudulent ads or face action from the FTC and state attorneys general.
...
In Britain, the government this week outlined a new fraud strategy that would shift more responsibility for stopping scams onto telecom providers, technology companies and financial firms. Critics say it falls short of actually introducing any substantial obligations on those private sector entities who could best disrupt the crimes.
- Meta are rolling out scam-detection and -protection in across WhatsApp, Facebook and Messenger.
WhatsApp now alerts users when behavioral signals suggest a device-linking request may be fraudulent, a tactic scammers have been using to hijack accounts by tricking users into sharing a linking code or scanning a malicious QR code.
...
WhatsApp allows users to connect multiple devices (e.g., computers, phones, tablets) to an account to send and receive messages across those devices. This is done by scanning a QR code generated by the main mobile device, which authorizes the new device to access and synchronize the messages.
However, attackers who trick a user into linking a malicious device will gain access to the victim's messages, read their chats, and may even send messages while impersonating the victim. Additionally, unlike account takeover attacks, the victims will usually retain access to their accounts, making the breach harder to detect.
- https://about.fb.com/news/2026/03/meta-launches-new-anti-scam-tools-deploys-ai-technology-to-fight-scammers-and-protect-people/
- https://www.bleepingcomputer.com/news/security/meta-adds-new-whatsapp-facebook-and-messenger-anti-scam-tools/
- https://www.theregister.com/2026/03/11/meta_international_cops_ai_scammers/
- Meta claim to have disrupted an Iranian influencer operation.
Meta said it removed about 300 accounts and pages across Facebook and Instagram before the network had gained a large following. About 41,000 accounts followed the Instagram personas, which received minimal engagement from real users.
- First attacks claiming alignment with Iran - Handala Hack Team has exfiltrated data, then wiped systems at MedTech firm Stryker.
In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted.
A Stryker employee told BleepingComputer the incident began early Wednesday morning, when devices enrolled in the company's mobile device management system were remotely wiped. The employee said colleagues who had personal phones enrolled for work access also lost data after their devices were reset.
Staff were instructed to remove corporate management and applications from their personal devices, including the Intune Company Portal, Teams, and VPN clients.
...
Handala (also known as Handala Hack Team, Hatef, Hamsa) first surfaced in December 2023 as a hacktivist operation linked to Iran's Ministry of Intelligence and Security (MOIS) that targets Israeli organizations with destructive malware designed to wipe Windows and Linux devices.
News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today.
...
But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices.
- https://archive.is/CcrTm
- https://www.bleepingcomputer.com/news/security/medtech-giant-stryker-offline-after-iran-linked-wiper-malware-attack/
- https://www.cybersecuritydive.com/news/stryker-outage-Iran-cyberattack/814497/
- https://www.itnews.com.au/news/us-medical-device-maker-strykers-microsoft-environment-attacked-624212
- https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
- https://techcrunch.com/2026/03/11/stryker-hack-pro-iran-hacktivist-group-handala-says-it-is-behind-attack/
- https://therecord.media/stryker-cyberattack-iran-hackers
- https://www.theregister.com/2026/03/11/us_medtech_firm_stryker_cyberattack_iran/
- https://www.zetter-zeroday.com/iranian-hacktivists-strike-medical-device-maker-stryker-in-severe-attack-that-wiped-systems/
- Early reports that Handala may also have hit Israeli Point-of-Sale company 'Verifone'
- Albania's parliamentary email system was disrupted, with the attack claimed by an Iran-linked group.
In a statement shared with local media, parliament said its main systems and official website remained operational but confirmed that internal email services used by the parliamentary administration had been temporarily suspended. The disruption affected both incoming and outgoing communications.
...
Authorities have not publicly attributed the incident, but earlier this week a hacker group known as Homeland Justice claimed responsibility, saying it had obtained internal communications involving Albanian lawmakers. The group also posted screenshots of what it said were leaked documents on its Telegram channel.
...
Homeland Justice has previously been linked by security researchers and Western officials to Iran’s Islamic Revolutionary Guard Corps (IRGC).
...
Many of the cyber operations attributed to Homeland Justice have been linked to Albania’s hosting of members of the Iranian opposition group Mujahedeen-e-Khalq (MEK), who are based in the coastal county of Durrës.
...
The claim follows recent statements by MEK leader Maryam Rajavi announcing the formation of what she described as a provisional government aimed at replacing Iran’s current leadership with a democratic republic.
- https://therecord.media/iran-linked-hackers-claim-cyberattack-albania-parliament
- https://www.middleeasteye.net/news/iran-mek-opposition-us-backed-path-power-albania
- Calmer corporate news - Google's acquisition of Wiz has now completed.
Google on Wednesday said it completed a $32 billion agreement to buy Wiz, a leading cloud and AI security platform, marking one of the largest-ever acquisitions in the cybersecurity market.
...
Wiz works across the leading cloud providers, including Amazon Web Services, Microsoft Azure and Oracle Cloud.
...
Google provides a portfolio of threat intelligence, cloud-native security operations and incident response through its Mandiant Consulting unit.
- [CH] Swiss e-voting pilot doesn't go well - votes were captured, but now can't be read.
Basel-Stadt announced the problem with its e-voting pilot, open to about 10,300 locals living abroad and 30 people with disabilities, last Friday afternoon. It encouraged participants to deliver a paper vote to the town hall or use a polling station but admitted this would not be possible for many.
By the close of polling on Sunday, its e-voting system had collected 2,048 votes, but Basel-Stadt officials were not able to decrypt them with the hardware provided, despite the involvement of IT experts.
"Three USB sticks were used, all with the correct code, but none of them worked," spokesperson Marco Greiner told the Swiss Broadcasting Corporation's Swissinfo service.
...
The votes made up less than 4 percent of those cast in Basel-Stadt and would not have changed any results, but the canton is delaying confirmation of voting figures until March 21 and suspending its e-voting pilot until the end of December, while its public prosecutor's office has started criminal proceedings.
Getting Techy
- SQL Injection...still?! Most concerningly, this isn't old code - "This vulnerability was reported to our program just five days after it was introduced.". It's a straight-up, concatenate untrusted input to an SQL command, then run it.
- Eset have analysed some of the malware used by the Russian Sednit (Forest Blizzard, Strontium, Fancy Bear, APT28, Flamboyant Leatherdaddy) group.
The Sednit group – also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy – has been operating since at least 2004. The US Department of Justice named the group as one of those responsible for the Democratic National Committee (DNC) hack just before the 2016 US elections and linked the group to Unit 26165 of the GRU, a Russian Federation intelligence agency within the Main Intelligence Directorate of the Russian military. The group is also presumed to be behind the hacking of global television network TV5Monde, the World Anti-Doping Agency (WADA) email leak, and many other incidents.
Geo-Politics
- Foreign access to Epstein files in 2023 - watch the conspiracy theories grow.
A foreign hacker compromised files relating to the FBI’s investigation of the late sex offender Jeffrey Epstein during a break-in at the bureau’s New York Field Office three years ago, according to a source familiar with the matter and recently published US Justice Department documents reviewed by Reuters.
In a statement, the FBI said what it described as a "cyber incident" was "an isolated one."
"The FBI restricted access to the malicious actor and rectified the network. The investigation remains ongoing, so we do not have further comments to provide at this time."
The person familiar with the breach said the intrusion was carried out by a foreign hacker who did not appear to realize they had penetrated a law enforcement server. The hacker expressed disgust at the presence of child abuse images on the device and left a message threatening to turn its owner over to the FBI, the person said.
The source said bureau officials defused the situation by convincing the hacker that they actually were the FBI, in part by having the hacker join a video chat where they flashed their law enforcement credentials in front of a web camera.
...
Many of the Justice Department's documents have been heavily redacted and others have been kept secret altogether despite a law mandating their full release last year. The Trump administration says it is withholding material that could compromise victims’ identities or jeopardize ongoing investigations.
- https://www.itnews.com.au/news/foreign-hacker-in-2023-compromised-epstein-files-held-by-fbi-624213
- https://www.reuters.com/world/us/foreign-hacker-2023-compromised-epstein-files-held-by-fbi-source-documents-show-2026-03-11/
- https://techcrunch.com/2026/03/11/hacker-broke-into-fbi-and-compromised-epstein-files-report-says/
- https://www.theguardian.com/us-news/2026/mar/11/fbi-epstein-files-hacker-break-in
- [US] A fight if brewing in the US, over alleged Iranian sanctions evasion using the Binance crypto-currency platform. "The probe follows the crypto exchange’s dismantling of an internal investigation into more than $1 billion that flowed through the platform to a network funding Iran-backed terror groups".
I write regarding reports that Binance has facilitated the large-scale violation of American and international sanctions against the government of Iran. Binance appears to have ignored warnings and recommendations to prevent Iranian money laundering schemes on its cryptocurrency exchange, allowing $1.7 billion in transfers to Iran.1 These transactions have helped prop up Iranian-linked terrorist organizations and illicit Russian oil sales. I therefore demand that you provide the Permanent Subcommittee on Investigations (“PSI” or “the Subcommittee”) records and information related to Binance’s role in Iranian money laundering and its repeated failure to prevent illicit use by sanctioned entities, terrorist organizations, and other criminal actors.
According to stunning reports from the Wall Street Journal, the New York Times, and Fortune, late last year, Binance compliance staff found that two Binance partners, Hexa Whale and Blessed Trust, acted as intermediaries for laundering money and enabling trade with Iranian government entities.2 Additionally, Binance compliance found 2,000 accounts associated with Iranian entities on its cryptocurrency exchange,3 despite restrictions on Iranian banking and Binance’s claim that it bans Iranian users.4 According to documents obtained by the Times and the Journal, Binance was even warned that Hexa Whale was financing terrorist organizations such as the Yemeni Houthis, and internal investigators found cryptocurrency transfers to wallets associated with Iran’s Islamic Revolutionary Guards Corps and payments to crew members of Russia’s sanctions-evading shadow fleet of oil tankers.
- https://www.hsgac.senate.gov/wp-content/uploads/2026.02.24-Binance-Iran-Sanctions-Evasion-to-Send.pdf
- https://www.courtlistener.com/docket/72409712/1/binance-holdings-limited-v-dow-jones-company-inc-dba-the-wall-street/
- https://www.wsj.com/finance/currencies/justice-department-probes-irans-use-of-binance-to-evade-sanctions-9dc61ce4 / https://archive.is/pkaw1
- https://hachyderm.io/@molly0xfff/116210832826175994
Privacy
- Windows Recall - apparently it's still a dumpster fire.
So @xaitax has cracked Microsoft Recall, he's got access to the encrypted database and has automated dumping of screenshots and all text from screenshots.
I've looked at most recent Recall and yep, you can just read the database as a user process. The database also contains all manner of fields which aren't publicly disclosed for tracking the user's activity.
No AV or EDR alerts triggered, world's #1 in infostealer 😅
* you can just read it in plain text
- [US] Senator Wyden is hinting (the information is classified, limiting his whistle-blowing abilities) that there are some serious privacy issues with FAA 702 (Section 702 of the FISA Amendments Act, 2008; FISA = Foreign Intelligence Surveillance Act), beyond its existing use for mass surveillance. As its name suggests, FISA is supposed to only collect information on foreign parties, however its 'incidental' collection of US parties communications has been controversial. There are also some interesting legal redefinitions of words like 'collect', away from a more common definition of obtaining data, to instead when it's searched and a match found - that is now 'collect'.
Congress will soon plunge into a debate about surveillance as warrantless authorities expire on April 20. Sen. Ron Wyden, D-Ore., said Tuesday there’s a lot that the American people don’t know about it. Speaking on the Senate floor, Wyden said he’s been asking Director of National Intelligence Tulsi Gabbard to declassify secret information that “affects the privacy rights of the American people” and is still awaiting an answer. “The American people are going to be stunned that it took so long and that Congress has been debating this authority with insufficient information,” Wyden said. Wyden said he can’t talk about it yet, because the program is still classified, but we followed up anyway. He said his speech was intended to raise awareness about the program, so it doesn’t blindside the public: “That’s what I was trying to do.”
- https://www.semafor.com/newsletter/03/10/2026/pm-semafor-washington-dc-threat-level#:~:text=Wyden%3A%20Public%20will%20be%20%E2%80%98stunned%E2%80%99%20by%20surveillance
- https://mastodon.social/@zackwhittaker/116209876969202319
- https://en.wikipedia.org/wiki/PRISM
- Got a mac? Want to browse securely and with some local privacy?
Bromure launches a full Chromium browser inside a lightweight, disposable Linux VM using Apple's Virtualization.framework. Every browsing session starts from a clean slate – when you close the window, the VM and all its data are destroyed. Nothing persists: no cookies, no history, no cached files, no traces.
It runs as a native macOS app with a pre-warmed VM pool, so new browser windows open almost instantly.
...
Bromure includes built-in ad and tracker blocking powered by Pi-hole DNS filtering with a local Squid proxy running inside each VM. No external services, no browser extensions – ads are blocked at the network level before they reach the browser.
...
Bromure integrates Cloudflare WARP directly into each VM. When enabled, all browser traffic is routed through Cloudflare's encrypted network via a SOCKS5 proxy – no system-wide VPN configuration required.
WARP runs entirely inside the disposable VM, so Cloudflare never sees your host machine's identity. When the session ends, the WARP registration is destroyed along with everything else.
AI
- Meta has acquired Moltbook, and its two founders
Meta has acquired Moltbook, a viral social network designed for AI agents
...
The deal brings Moltbook's creators — Matt Schlicht and Ben Parr — into Meta Superintelligence Labs (MSL), the unit run by former Scale AI CEO Alexandr Wang.
...
Moltbook's social network was designed to run in conjunction with a separate project, OpenClaw.
...
In an internal post seen by Axios, Meta's Vishal Shah said existing Moltbook customers can continue using the platform — though the company signaled the arrangement is temporary.