InfoSec News 19MAR2026

General

  • ProPublica (recently re-published in Ars Technica) have published an investigation into Microsoft Government Cloud. It's rather scathing, suggesting there are large gaps in the FedRAMP (Federal Risk and Authorisation Management Program) assessment.
The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an internal government report reviewed by ProPublica.
...
For years, reviewers said, Microsoft had tried and failed to fully explain how it protects sensitive information in the cloud as it hops from server to server across the digital terrain. Given that and other unknowns, government experts couldn’t vouch for the technology’s security.
Such judgments would be damning for any company seeking to sell its wares to the US government, but it should have been particularly devastating for Microsoft. The tech giant’s products had been at the heart of two major cybersecurity attacks against the US in three years. In one, Russian hackers exploited a weakness to steal sensitive data from a number of federal agencies, including the National Nuclear Security Administration. In the other, Chinese hackers infiltrated the email accounts of a Cabinet member and other senior government officials.
...
The program’s layers of review, which included an assessment by outside experts, were supposed to ensure that service providers like Microsoft could be entrusted with the government’s secrets. But ProPublica’s investigation—drawn from internal FedRAMP memos, logs, emails, meeting minutes, and interviews with seven former and current government employees and contractors—found breakdowns at every juncture of that process.
...
By late 2024, FedRAMP reviewers concluded that they had little choice but to authorize the technology—not because their questions had been answered or their review was complete, but largely on the grounds that Microsoft’s product was already being used across Washington.
...
“This is not security,” he said. “This is security theater.”
...
these days, ProPublica found, there aren’t many people left at FedRAMP to work with.
The program was an early target of the Trump administration’s Department of Government Efficiency, which slashed its staff and budget. Even FedRAMP acknowledges it is operating “with an absolute minimum of support staff” and “limited customer service.” The roughly two dozen employees who remain are “entirely focused on” delivering authorizations at a record pace, FedRAMP’s director has said. Today, its annual budget is just $10 million, its lowest in a decade, even as it has boasted record numbers of new authorizations for cloud products.
The consequence of all this, people who have worked for FedRAMP told ProPublica, is that the program now is little more than a rubber stamp for industry.
Background Security Improvements deliver lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries that benefit from smaller, ongoing security patches between software updates.
North Korea’s IT worker operations are widespread and deeply integrated within the DPRK party-state. It is an integral component in the DPRK’s revenue-generation and sanctions-evasion machinery. With an intimate knowledge of their operations, tools, motivations, and goals, organizations can know what to look for and prevent infiltration from operators.
...
Because the deployment of IT workers has been so lucrative for the DPRK, the tactics of IT worker teams continue to evolve to ensure their continued success. This report has given a snapshot of their techniques to date, but with the dearth of new reports released about their operations, they will continue to adapt their methodologies to avoid detection.
  • Just what you need in your Remote Monitoring and Management (RMM) software - leaking the keys used to protect authentication tokens. Typically opaque security advisory. The leaked data are the ASP.NET machine keys. ASP.NET authentication tickets and other session details are stored in client-side cookies, protected (encrypted and signed) by the machine keys. Control of those keys equates to the ability to create any details in said cookies, and hence impersonate any user. Even better is the ViewState - another signed, sometimes encrypted object. This is a path to straight-up de-serialisation attacks and Remote Code Execution (RCE), for example using the classic ysoserial (and its .NET cousin ysoserial.net).
ConnectWise has released a security update for ScreenConnect™ that addresses issues related to how server-level cryptographic material is protected. Earlier versions of ScreenConnect stored unique machine keys per instance within server configuration files, which under certain conditions could allow unauthorized actors to extract this material and misuse it for session authentication. ScreenConnect version 26.1 introduces enhanced protections for machine key handling, including encrypted storage and management, reducing the risk of unauthorized access in scenarios where server integrity may be compromised.
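The advisory above is about static ASP.NET machine keys sitting in server configuration files. As an added example (not ConnectWise's or ScreenConnect's code, and assuming a standard ASP.NET web.config schema rather than any product-specific file), the following audit reads a web.config and reports the conditions a defender would want to know about: static validationKey/decryptionKey material that must be rotated if server integrity is in doubt, weak validation or decryption algorithms, and ViewState MAC checking turned off.

```python
"""Audit an ASP.NET web.config for machine-key and ViewState hygiene.

Added example, not code from ScreenConnect/ConnectWise. It only reports
findings; it never reads, prints or rotates the key material itself.
"""
import xml.etree.ElementTree as ET

WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}   # anything that is not HMAC-SHA2
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_web_config(xml_text: str) -> list[str]:
    """Return a list of human-readable findings for the given web.config XML."""
    findings = []
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET default is AutoGenerate; a literal hex key in config is
            # exactly what an attacker with file access can lift and reuse.
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"static {attr} in web.config: rotate if server integrity is in doubt")
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append(f"weak validation algorithm: {mk.get('validation')}")
        if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
            findings.append(f"weak decryption algorithm: {mk.get('decryption')}")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is accepted without a signature check")
    return findings


# Constructed sample configs (placeholder key values, not from any real product).
STATIC_KEY_CONFIG = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_STATIC_VALIDATION_KEY"
              decryptionKey="PLACEHOLDER_STATIC_DECRYPTION_KEY"
              validation="SHA1" decryption="3DES"/>
  <pages enableViewStateMac="false"/>
</system.web></configuration>"""

HARDENED_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES"/>
  <pages enableViewStateMac="true"/>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("static", STATIC_KEY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(cfg) or ["no findings"])
```

AutoGenerate keys are still recoverable by anyone who owns the box, so the audit flags what is extractable from a config file, not what a fully compromised server could leak.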

Getting Techy

  • Lookout's security team pivoted off the recent Coruna iOS Exploit Kit, identifying another exploit kit targeting older iOS devices. Lookout, iVerify and Google Threat Intelligence Group (GTIG) have shared information, and all examined the kit.
All components in the attack chain had previously received patches. Specifically, both kernel components were patched in iOS 26.1. However, the CVEs for these components were not added to the advisories until the same day that patches for the Safari RCE were released. Despite all vulnerabilities being exploited in the same attack, only the RCEs were officially designated as "exploited in the wild."

Drawing on mobile phone market analysis from https://gs.statcounter.com/ios-version-market-share/ and https://www.apptunix.com/blog/apple-app-store-statistics/, we estimate that the DarkSword exploit chain still impacts a significant portion of iPhone users. Specifically, 14.2% of users (approximately 221,520,000 devices) running iOS versions between 18.4 and 18.6.2 are believed to be vulnerable.
...
We urge everyone to update to the latest available iOS version that contains fixes for all vulnerabilities used in this exploit. At the time of this publication it is: 26.3.1, 18.7.6.

Geo-Politics

  • [IR] Iranian hackers claim to have been behind a recent Microsoft M365 outage.
Hackers supporting Iran claimed to be behind today’s Microsoft outage issues while a collective that has urged “epic war” allies to stand as unified “mujahideen” on the cyber front is vowing to target more U.S. companies and conducting fundraising to beef up hackers’ infrastructure.
...
Today, the 313 Team claimed to have “launched a cyberattack targeting Microsoft 365 servers, completely shutting down the website” for five hours. “Reports of Microsoft 365 service outages continue to pour in on DownDetector, a testament to the power and capability we possess,” they posted this afternoon.
The hackers posted screenshots of posts from the official X feed for Microsoft 365 service incidents. “We’re investigating reports of some users experiencing issues when accessing their Exchange Online mailbox via one or more connection methods,” the company said, adding about two and a half hours later, “We identified and resolved an underlying issue involving the supporting network infrastructure that resulted in service degradation. After a period of monitoring, we can confirm that the service is healthy.”
...
“Globally, Microsoft Store has been targeted by us with DDoS attacks,” Cyber Islamic Resistance said. “We will continue to target other U.S companies due to Trump’s actions in the middle east.”
Network data show a brief restoration of internet connectivity in #Iran at hour 444 of the country's second-longest blackout, as some users report coming momentarily back online after an apparent filtering system glitch. However, the restoration is not sustained.
“The threat from cyberattacks are having a huge impact on people’s lives and economic activities,” he added. “This is quite an important threat to national security.”
Japan will therefore devise regulations that make it possible to enact the “proactive cyber-defense” actions that legislation passed last year foreshadowed.
Kihara said a government cyber-management committee will have the power to approve or deny applications to commence cyber-ops. If authorized, Japan’s police and SDF will “attack and disable” infrastructure used to run cyberattacks, while working to ensure citizens’ privacy.
...
The regulations enabling Japan to hack back will allow attacks to commence from October 1st.
  • [RU] Apparently in response to Ukrainian drone attacks (presumably utilising Russian SIM cards for mobile data), Russian authorities have been introducing a form of mobile-Internet blackout in cities in the western regions of the country. It appears they're moving towards an allow-listed set of pre-approved sites, with all others blocked during these blackouts.
Mobile internet in Moscow has been intermittently disrupted since March 6, with some areas still experiencing outages, local reports say. Authorities in St. Petersburg have also warned residents this week to expect similar disruptions.
Officials have said the measures are intended to protect against Ukrainian drone attacks. Similar restrictions have previously been imposed in other regions of Russia.
Under the “whitelist” system, only pre-approved Russian platforms — including social media, marketplaces, taxi and delivery apps, telecom services and government websites — remain accessible when mobile internet is restricted. The list was first compiled last year but appears to have only recently become operational, according to Russian newspaper Kommersant.
Cybersecurity and Infrastructure Security (CISA) Acting Director Nick Andersen said the agency has been working closely with industry and sector-based groups on threats from Iran in the past couple of weeks.
“We’re seeing a steady state — we have not seen a rise in threat actor activity, which is fantastic, but again we can't take our eyes off,” Andersen told reporters on the sidelines of the McCrary Cyber Summit in Washington, D.C.
"Cyber and terrorism are the two levers that I believe Iran will pull now that their navy is decimated," retired US Army Lt. Gen. Ross Coffman told The Register. "What we saw against Stryker - it's just the beginning."
...
"The Stryker hack marks the first time that Iran executed a successful full-blown disruptive attack against a major US corporation, especially against a company that plays a critical role in the healthcare supply chain." Sergey Shykevich, threat intelligence group manager at Tel Aviv-based Check Point Research told The Register. "It's a very clear signal that Iran sends about its capabilities, but even more about its intentions and courage to execute such operations."
  • [US] Sticking to party lines, the Director of National Intelligence was questioned by the Intelligence Committee on why the "2026 Annual Threat Assessment" (of the U.S. Intelligence Community) didn't include anything on elections. (The only mention of elections is in reference to Haiti, page 6.)
“Are you saying there is no foreign threat to our elections in the midterms this year?” Warner asked.
“As I stated in the outset of my remarks, this year’s annual threat assessment matches the prioritization of threats,” Gabbard replied.
Previous clandestine community assessments have documented, at least at a high level, attempts by Iran, Russia or China to sway voters with online propaganda or through cyber operations.
However, with less than eight months before November’s midterms, there is concern among policymakers and former U.S. national security officials that the Trump administration is ignoring the risk of foreign influence efforts around the ballot box — citing cuts to entities like the Cybersecurity and Infrastructure Security Agency (CISA) and the lack of key appointments, such as a chief of the Foreign Malign Influence Center.
Warner remarked that the omission “does not mean the threat has disappeared. It means the intelligence community is no longer being allowed to speak honestly about it."
Matthew Malchano, vice president of software at Boston Dynamics, told lawmakers in the House Homeland Security cyber subcommittee hearing Tuesday that robotics represent the necessary physical infrastructure to support the country’s efforts to dominate the global AI race, with robots, drones and other machines more fully integrating AI systems in the coming years.
He pointed to Chinese companies like Unitree, which are capturing market share with police departments and universities across the United States, despite contracting ties to the Chinese military and cybersecurity vulnerabilities like a wormable exploit found in 2025 that would allow an attacker to take over fleets of Unitree robots.
Malchano said Unitree is one of “dozens” of Chinese companies propped up by China’s national AI and robotics plan, which “envisions transforming virtually every major industry in China by integrating AI powered robots” through funding and favorable policies.
...
Max Fenkell, global head of policy and government relations at ScaleAI, said while the U.S. is winning the AI race on its chosen metrics – model quality and chips – it is “losing” on data and implementation.
Unlike large language models, which download training data straight from the internet, AI systems for robots will require unique training data gathered, categorized and labeled through thousands of hours of bespoke testing.

Privacy

  • [US] The FBI confirms they're buying commercial surveillance data - a way to bypass warrants on direct collection.
The FBI is buying up information that can be used to track people’s movement and location history, Director Kash Patel said during a Senate hearing Wednesday.
It is the first confirmation that the agency is actively buying people’s data since former Director Christopher Wray said in 2023 that the FBI had purchased location data in the past but was not doing so at that time.
“We do purchase commercially available information that’s consistent with the Constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us,” Patel told senators at the Intelligence Committee’s annual Worldwide Threats hearing.
...
“Doing that without a warrant is an outrageous end run around the Fourth Amendment, it’s particularly dangerous given the use of artificial intelligence to comb through massive amounts of private information,” Wyden said at Wednesday’s hearing.

AI

  • Some of the larger AI companies are throwing a pittance towards the open-source software they rely upon, to help deal with the flood of AI-slop bug reports they've helped unleash.
The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced $12.5 million in total grants from Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI to strengthen the security of the open source software ecosystem.
...
“Grant funding alone is not going to help solve the problem that AI tools are causing today on open source security teams,” said Greg Kroah-Hartman of the Linux kernel project.
...
As the security landscape grows more complex, advances in AI are dramatically increasing the speed and scale of vulnerability discovery in open source software. Maintainers are now facing an unprecedented influx of security findings, many of which are generated by automated systems, without the resources or tooling needed to triage and remediate them effectively. Through this investment, Alpha-Omega and OpenSSF will work directly with maintainers and their communities to make emerging security capabilities accessible, practical, and aligned with existing project workflows. The effort will support sustainable strategies that help maintainers manage growing security demands while improving the overall resilience of the open source ecosystem.
