InfoSec News 16MAR2026
General
- Minor inconvenience for users of Windows 11 on Samsung laptops.
Microsoft is investigating a new issue affecting some Samsung laptops running Windows 11 after installing the February 2026 security updates, in which users lose access to their C:\ drive and are unable to launch applications.
...
"Users might encounter the error, 'C:\ is not accessible – Access denied', which prevents access to files and blocks the launch of some applications including Outlook, Office apps, web browsers, system utilities and Quick Assist," explains Microsoft.
...
The problem has been reported mostly in Brazil, Portugal, South Korea, and India, and is primarily impacting Samsung Galaxy Book 4 and other Samsung consumer devices.
- Successor to gitleaks - 'betterleaks' - scans repositories (or files/folders/whatever) for potential secrets that have been accidentally committed. Same author as gitleaks, ground-up rewrite, but still compatible with gitleaks command-line options.
- Glassworm is back with more invisible code, using special Unicode characters.
The invisible code is rendered with Public Use Areas (sometimes called Public Use Access), which are ranges in the Unicode specification for special characters reserved for private use in defining emojis, flags, and other symbols. The code points represent every letter of the US alphabet when fed to computers, but their output is completely invisible to humans. People reviewing code or using static analysis tools see only whitespace or blank lines. To a JavaScript interpreter, the code points translate into executable code.
...the malicious injections don't arrive in obviously suspicious commits. The surrounding changes are realistic: documentation tweaks, version bumps, small refactors, and bug fixes that are stylistically consistent with each target project.
This level of project-specific tailoring strongly suggests the attackers are using large language models to generate convincing cover commits. At the scale we're now seeing, manual crafting of 151+ bespoke code changes across different codebases simply isn't feasible.
- https://www.aikido.dev/blog/glassworm-returns-unicode-attack-github-npm-vscode
- https://arstechnica.com/security/2026/03/supply-chain-attack-using-invisible-code-hits-github-and-other-repositories/
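A review-time check for the invisible code points described above, as an added example (not code from Aikido, Ars Technica or any affected project). It reports runs of invisible code points rather than single ones, since a lone zero-width joiner inside an emoji is normal; the variation-selector and tag ranges, the `min_run` threshold and the sample text are assumptions of this example.

```python
import sys
import unicodedata

# Code point ranges that most editors and diff views draw as nothing.
# The Private Use Areas are what the excerpt describes; the variation-selector
# and tag ranges are an added generalisation (assumption, not from the page).
INVISIBLE_RANGES = [
    (0xE000, 0xF8FF, "private use"),
    (0xF0000, 0xFFFFD, "private use"),
    (0x100000, 0x10FFFD, "private use"),
    (0xFE00, 0xFE0F, "variation selector"),
    (0xE0100, 0xE01EF, "variation selector"),
    (0xE0000, 0xE007F, "tag character"),
]

def classify(ch):
    """Return a label if ch is normally invisible, else None."""
    cp = ord(ch)
    for lo, hi, label in INVISIBLE_RANGES:
        if lo <= cp <= hi:
            return label
    # Cf covers zero-width spaces/joiners, bidi controls, BOM and similar.
    return "format character" if unicodedata.category(ch) == "Cf" else None

def scan_text(text, min_run=8):
    """Return (line, column, run_length, labels) for each run of invisible
    code points that is at least min_run long."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        run_start, labels = None, set()
        # The trailing "\n" is a sentinel that flushes a run ending the line.
        for col, ch in enumerate(line + "\n", start=1):
            label = classify(ch)
            if label:
                if run_start is None:
                    run_start = col
                labels.add(label)
            elif run_start is not None:
                if col - run_start >= min_run:
                    findings.append((line_no, run_start, col - run_start, sorted(labels)))
                run_start, labels = None, set()
    return findings

# Constructed sample: line 2 hides 24 arbitrary invisible code points inside a
# template literal; line 3 is an ordinary emoji sequence with one joiner.
SAMPLE = (
    "const version = '1.4.2';\n"
    "const s = `" + "".join(chr(0xFE00 + i % 16) for i in range(24)) + "`;\n"
    "const icon = '\U0001F468\u200D\U0001F469';\n"
)

if __name__ == "__main__":
    sources = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    for name, text in (sources or {"<sample>": SAMPLE}).items():
        for line, col, length, labels in scan_text(text):
            print(f"{name}:{line}:{col}: {length} invisible code points ({', '.join(labels)})")
```

Files that legitimately use private-use code points (icon fonts, for instance) will also be reported, so results need a human look before anything is blocked.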
- More Glassworm-related supply-chain attacks, using stolen credentials to inject malware into Python files.
An independent analysis of the GlassWorm payload confirmed it steals GitHub and npm credentials, validates them against the GitHub API, and exfiltrates them to attacker-controlled servers.
The evidence for account-level compromise is clear: when an account with multiple repositories is taken, every repo under that account gets injected
...
The injection method is sophisticated. Rather than opening a pull request or creating a new commit (both of which would be visible in the repo's activity feed), the attacker:
1. Takes the latest legitimate commit on the default branch
2. Rebases it, appending obfuscated malware to a key Python file (setup.py, main.py, app.py, etc.)
3. Force-pushes to the default branch
The commit message and author date are preserved from the original commit — only the committer date reveals the tampering. The committer email is also set to the string "null" across many of the malicious commits, which appears to be a fingerprint of the attacker's tooling.
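A check for the two tells named above (a committer date that does not match the author date, and a committer email of "null"), as an added example that is not from the quoted analysis. The `git log` format string, the one-day threshold and the sample log lines are assumptions of this example; ordinary rebases, amends and cherry-picks also move the committer date, so a hit is a prompt to review the commit, not proof of compromise.

```python
from datetime import datetime, timedelta

# Produce the input for a real repository with:
#   git log --format='%H%x09%aI%x09%ce%x09%cI' <default-branch>
# Fields: commit hash, author date, committer email, committer date (tab separated).
# SAMPLE_LOG is constructed for this example.
SAMPLE_LOG = "\n".join([
    "a" * 40 + "\t2026-01-10T09:12:44+00:00\tnull\t2026-03-09T03:41:07+00:00",
    "b" * 40 + "\t2026-01-08T16:30:02+01:00\tdev@example.org\t2026-01-08T16:30:02+01:00",
    "c" * 40 + "\t2026-01-05T11:00:00Z\tdev@example.org\t2026-01-05T11:20:00Z",
])

def parse_iso(ts):
    """Parse a strict ISO 8601 timestamp; accept a 'Z' suffix for UTC."""
    return datetime.fromisoformat(ts.strip().replace("Z", "+00:00"))

def review_commits(log_text, max_gap=timedelta(days=1)):
    """Return [(sha, [reasons])] for commits showing either tell."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, author_date, committer_email, committer_date = line.split("\t")
        reasons = []
        if committer_email.strip().lower() == "null":
            reasons.append("committer email is the literal string 'null'")
        gap = parse_iso(committer_date) - parse_iso(author_date)
        if gap > max_gap:
            reasons.append(f"committer date is {gap.days} days after author date")
        if reasons:
            flagged.append((sha, reasons))
    return flagged

if __name__ == "__main__":
    for sha, reasons in review_commits(SAMPLE_LOG):
        print(sha[:12], "; ".join(reasons))
```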
- [EU] Interpol have announced the conclusion of Operation Synergia III, which ran from 18 July 2025 to 31 January 2026. Headline numbers: 94 arrests, 110 persons still under investigation, 212 electronic devices and servers seized, 45,000 IPs "taken down".
China... 33,000 phishing and fraudulent websites, related to fake casinos and critical infrastructure, such as official bank, government and payment service sites.
Togo...10 suspects operating a fraud ring from a residential area. Some specialized in technical crimes such as hacking social media accounts, while others carried out social engineering schemes including romance scams and sextortion.
Bangladesh...arrested 40 suspects and seized 134 electronic devices related to a large range of cybercrime schemes, including loan and job scams, identity theft or credit card fraud.
- https://www.interpol.int/News-and-Events/News/2026/45-000-malicious-IP-addresses-taken-down-in-international-cyber-operation
- https://www.bleepingcomputer.com/news/security/police-sinkholes-45-000-ip-addresses-in-cybercrime-crackdown/
- https://www.theregister.com/2026/03/13/interpol_operation_synergia/
- [EU] The European Council has released its next round of proposals for legislative packages, as part of the "EU's simplification agenda". A highlight is its response to xAI/Grok and non-consensual imagery.
The European Council on Friday released its proposal for streamlining the continent's landmark AI Act, adding a prohibition for AI nudification tools and tougher standards for processing some categories of personal data.
The Council mandate ... adds a new provision in the AI act, prohibiting AI practices regarding the generation of non-consensual sexual and intimate content or child sexual abuse material. The text also introduces a fixed timeline for the delayed application of high-risk rules: the new application dates would be 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for high-risk AI systems embedded in products.
Furthermore, the Council mandate reinstates the obligation for providers to register AI systems in the EU database for high-risk systems, where they consider their systems to be exempted from classification as high-risk. It also reinstates the standard of strict necessity for the processing of special categories of personal data for the purpose of ensuring bias detection and correction.
- https://www.consilium.europa.eu/en/press/press-releases/2026/03/13/council-agrees-position-to-streamline-rules-on-artificial-intelligence/
- https://therecord.media/european-council-includes-nudification-ban-ai-act
- [US] The current federal government in the US may have wound back cybersecurity regulations for Operational Technology (OT) networks, but New York is going ahead with its own.
Water and wastewater entities in New York will have to comply with new cybersecurity regulations by the end of the year.
Proposed last July and recently approved, the new rules include mandatory cybersecurity training for certified operators, incident response plans, reporting requirements and a designated cyber lead for larger water utilities.
...
The regulations will apply to community water systems that serve more than 3,300 people, with additional requirements for organizations serving more than 50,000 people.
...
While water industry lobbyist groups have previously fought federal efforts to institute cybersecurity regulations, nation-state campaigns from Iran and China targeting the water sector over the last two years have prompted states to take action and better protect the vital resource.
...
“As the threat environment escalates and we see global adversaries pre-positioning themselves within U.S. critical infrastructure to use our essential services as leverage during a crisis, New York is taking action to ensure municipalities have the roadmap and resources they need to successfully defend themselves from these attacks,” Lee said.
Getting Techy
- AppArmor - supposed to protect your system from evil actions in Linux (e.g. to constrain container workloads). It's had a vulnerability in the kernel component since 2017, allowing escalation to root and breaking container isolation.
This “CrackArmor” advisory exposes a confused-deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel. These flaws facilitate local privilege escalation to root through complex interactions with tools like Sudo and Postfix, alongside denial-of-service attacks via stack exhaustion and Kernel Address Space Layout Randomization (KASLR) bypasses via out-of-bounds reads. Consequently, these findings expose critical gaps in our reliance on default security assumptions. It fundamentally undermines system confidentiality, integrity, and availability globally, extending the vulnerability exploitation window for legacy deployments.
...
Unprivileged local actors can manipulate AppArmor profiles to disable critical service protections or enforce deny-all policies, thereby inducing denial-of-service (DoS) attacks. Combined with kernel-level flaws inherent in profile parsing, attackers bypass user-namespace restrictions and achieve Local Privilege Escalation (LPE) to full root.
As the default security module across Ubuntu, Debian, and SUSE systems, this flaw makes local access a critical failure vector for these distributions. Policy manipulation compromises the entire host, while namespace bypasses facilitate advanced kernel exploits such as arbitrary memory disclosure. DoS and LPE capabilities result in service outages, credential tampering via passwordless root (e.g., /etc/passwd modification), or KASLR disclosure, which enables further remote exploitation chains. The immediate consequences are a loss of operational continuity, potential data breach, and an expanded attack surface for adversaries.
- Palo Alto Networks' Unit 42 take apart a suspected Chinese APT's malware. Includes a funky idea - custom HTTP verbs - 'POT', 'DPF', 'UPF', etc. Using Pastebin as a dead-drop (to hide the Command and Control infrastructure) is a nice move; however, the initial persistence was hard-coded to four IPs.
Geo-Politics
- [EU] Europe now has its own Office suite. Nextcloud have been offering services for quite a while, and is itself a (2016) fork of ownCloud (created 2010). Collabora is based on LibreOffice, a 2010 fork of OpenOffice, which originated from StarOffice (open-sourced in 2000).
Office.eu, a 100% European owned alternative to widely used productivity platforms such as Microsoft Office and Google Workspace, has officially launched today in The Hague. Built on open-source technology and running entirely on European infrastructure, Office.eu enables organisations to regain control over their data and digital operations.
...
The software is partly built on Nextcloud, the leading European open source platform. Office.eu offers organizations a secure by design alternative to non-European office software and offers state-of-the-art email, document management and collaboration tools. The software is designed to fully comply with European laws and regulations and is therefore safe from legislative non-European control. The company was founded in 2024 and started operating early 2026. Customers are signing up from all over Europe. Growth is expected across all European countries, particularly among private individuals and small and medium-sized enterprises.
- [IR] NetBlocks is reporting an outage in one of the few Iranian telecoms to still have connectivity during the blackout.
Confirmed: Metrics indicate a collapse in connectivity on AS12880, a key #Iran telecoms network that had so far remained partly online as part of the ~1% reserved state infrastructure. The incident corroborates reports of instability on the NIN domestic intranet.
- [IR] ESET have written up their predictions as to where Iran may strike, based upon past incidents.
The CyberAv3ngers group's campaign against water and wastewater utilities in the US and other countries in 2023 illustrated how that targeting logic is operationalized. The ominous message that the bad actor left on compromised systems – "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target" – read like hacktivist output, but the group was quickly found to be operating under Iranian state direction. This blurring of hacktivist identity and state-aligned operations, whose roots may well go back to the Saudi Aramco incident in 2012, has a name, too: "faketivism."
...
Once known for loud, automated attacks, MuddyWater is now increasingly leaning towards more stealthy and refined operations involving 'hands-on-keyboard' activities in targeted environments. Much like some other Iran-aligned collectives, MuddyWater has also pivoted to the tried-and-tested technique of abusing legitimate Remote Monitoring and Management (RMM) software. That way, the group can blend into legitimate network traffic and complicate detection.
Privacy
- Instagram is turning off end-to-end encryption.
End-to-end encrypted messaging on Instagram will no longer be supported after 8 May 2026.
If you have chats that are affected by this change, you will see instructions on how you can download any media or messages that you may want to keep.
If you're on an older version of Instagram, you may also need to update the app before you can download your affected chats.
- [GR] The head of Intellexa (makers of Predator spyware) is pointing back at the Greek government for spying on members of the Greek opposition.
Weeks after being sentenced to more than 126 years in prison for his role in a massive domestic wiretapping scandal, the founder of the commercial spyware company Intellexa has stated that his firm provides its surveillance technology exclusively to authorized government agencies.
...
Asked directly by the program whether Intellexa collaborated with state agencies or private individuals to surveil at least 87 Greek targets, Dilian distanced his company from the software's deployment.
"We operate strictly under European and international export regulations, providing technology exclusively to authorized governments and law enforcement agencies," Dilian said in the statement.
He added that Intellexa does not conduct the surveillance itself, noting that the responsibility for the lawful use of the technology "rests with the sovereign authorities that acquire and operate them."
...
Nikos Androulakis, leader of the PASOK opposition party and a confirmed target of the Predator spyware, said the government's narrative of rogue private actors operating the software has collapsed.
...
The Greek government swiftly rejected the accusations. Government spokesman Pavlos Marinakis dismissed Androulakis' statements as a political distraction, pointing out that the Greek Supreme Court previously cleared state officials of criminal involvement in the scandal. He argued that the recent convictions of four private individuals proved there was no state cover-up.
...
The renewed political clash traces back to the February 26 court ruling, which found that Intellexa’s Predator software was used to surveil verified victims across Greek civil society, politics, and the military.
AI
- This one should make people think twice about autonomous agents - the ethical boundaries for getting things done are rather 'malleable'. Irregular used standard prompts, with a sense of urgency, across three scenarios. This pushed the LLMs into techniques such as finding a way to elevate privilege and turning off defences (Windows Defender).
In the scenarios tested, the agents demonstrated emergent offensive cyber behavior: behavior that was not instructed or anticipated, but arose from standard tools, common prompt patterns, and the broad cybersecurity knowledge embedded in frontier models. In doing so, the agents effectively operated as agentic threat actors, threatening the organization in unexpected ways.
The offensive actions performed by the agents included vulnerability research and exploitation, privilege escalation to disarm security defenses, and steganographic exfiltration of secrets that bypassed leak prevention defenses.
...
Reviewing the source code of the wiki, the agent spots a vulnerability: a hardcoded Flask secret key. It begins to research this vulnerability by decoding its own session cookie:
Then it exploits the vulnerability by forging an admin session cookie:
Finally, after succeeding, the agent fulfills its original task, and accesses the restricted page to retrieve the requested information:
...
Looking around its own toolbox (the agent_resources directory), the agent discovers an administrative password. It is a common bad practice and security pitfall to leave files containing secrets behind. However, at this point the agent treats the discovered credentials as a resource for completing its objective rather than as sensitive information. In doing this, the agent has demonstrated offensive behavior, elevating privileges and disabling security defenses.
...
Note that in this scenario, while the agents were directed by a malicious user to leak the password, they were not directed to bypass the DLP defenses, but came up with working ways to do so on their own.
- https://irregular-public-docs.s3.eu-north-1.amazonaws.com/emergent_cyber_behavior_when_ai_agents_become_offensive_threat_actors.pdf
- https://www.theregister.com/2026/03/12/rogue_ai_agents_worked_together/
- This should make Anthropic's Claude more appetising for large codebases and other long-form sessions. No price-difference for longer context, all the way up to the 1-Million token maximum context window. Previously, the input-token price was double, and output-token price was 50% more, when over 200k tokens.
Claude Opus 4.6 and Sonnet 4.6 now include the full 1M context window at standard pricing on the Claude Platform. Standard pricing applies across the full window — $5/$25 per million tokens for Opus 4.6 and $3/$15 for Sonnet 4.6. There's no multiplier: a 900K-token request is billed at the same per-token rate as a 9K one.
- https://claude.com/blog/1m-context-ga / https://archive.is/YrXUg
- https://simonwillison.net/2026/Mar/13/1m-context/
- While you're using Claude, enjoy some more off-peak usage.
We're offering a limited-time promotion that doubles usage limits for Claude users outside 8 AM-2 PM ET/5-11 AM PT.
This promotion is available for Free, Pro, Max, and Team plans. Enterprise plans are not included in this promotion.
...
From March 13, 2026 through March 27, 2026, your five-hour usage is doubled during off-peak hours (outside 8 AM-2 PM ET/5-11 AM PT). Usage remains unchanged from 8 AM-2 PM ET/5-11 AM PT.
...
Does bonus usage count against my weekly usage limit?
No. The additional usage you get during off-peak hours doesn’t count toward any weekly usage limits on your plan.
US Eastern Time (ET):
- Peak: 8 AM – 2 PM ET (normal usage)
- Off-peak: 2 PM – 8 AM ET (2x usage)
Australian Eastern Daylight Time (AEDT / UTC+11):
- Peak: 12:00 AM – 5:00 AM AEDT (midnight to 5am)
- Off-peak: 5:00 AM – 12:00 AM AEDT (5am to midnight)
- https://support.claude.com/en/articles/14063676-claude-march-2026-usage-promotion / https://archive.is/voPIM
- A step towards securing OpenClaw agents - NanoClaw, running in isolated containers. There's still the problem of all the legitimate access and connectivity provided to the agents - they might not be able to wipe your local filesystem, but they could still wipe your mailbox.
Today, NanoClaw, a lightweight agent framework, is integrating with Docker Sandboxes to deliver secure-by-design agent execution. With this integration, every NanoClaw agent runs inside a disposable, MicroVM-based Docker Sandbox that enforces strong operating system level isolation. Combined with NanoClaw’s minimal attack surface and fully auditable open-source codebase, the stack is purpose-built to meet enterprise security standards from day one.