Sign in Subscribe

InfoSec News 20FEB2026

General

  • Microsoft Device Code vishing...without the infrastructure?
BleepingComputer has learned from multiple sources that threat actors have begun using vishing social engineering attacks that no longer require attacker-controlled infrastructure, instead leveraging legitimate Microsoft login forms and standard device code authentication workflows to breach corporate accounts.
A device code phishing attack is when the legitimate OAuth 2.0 device authorization grant flow is abused to obtain authentication tokens for the victim's Microsoft Entra account.
...
This grant flow was designed to make it easy to connect devices that lack accessible input options, such as IoT devices, printers, streaming devices, and TVs.
...
Once the OAuth app is connected to an account, threat actors can use the device_code to retrieve the targeted employee's refresh token, which can then be exchanged for access tokens.
Those access tokens allow attackers to access the employee's Microsoft services without having to complete multi-factor authentication again, since MFA was already completed during the initial login.
During the eight-week operation, investigations exposed scams linked to over USD 45 million in financial losses and identified 1,247 victims, predominantly from the African continent but also from other regions of the world. Authorities also seized 2,341 devices and took down 1,442 malicious IPs, domains and servers, as well as other related infrastructure.
...
In Nigeria, police dismantled a high-yield investment fraud ring...
In Kenya, authorities made 27 arrests linked to fraud schemes that .. lure victims into making fake investments in reputable global corporations....
In Côte d’Ivoire, law enforcement made 58 arrests ... in a targeted operation against mobile loan fraud.
That database “lists all bank accounts opened in French banking institutions” and contains a range of personal data, including account numbers, names, address and, in some cases, tax identification numbers.
...
the hacker impersonated a civil servant “whose credentials allowed access as part of interministerial information exchanges” to query part of the FICOBA database.
...
The sensitive government database holds data on more than 80 million individuals...potentially 1.2 million accounts of more than 300 million were impacted by the incident.
Tech companies will be ordered to take down intimate images shared without a victim’s consent within 48 hours, under new laws to protect women and girls from this distressing abuse.
Through an amendment to the Crime and Policing Bill, companies will be legally required to remove this content no more than 48 hours after it is flagged to them, and platforms that fail to act could face fines of up to 10% of their qualifying worldwide revenue or having their services blocked in the UK.
...
As part of that work, plans are currently being considered by Ofcom for these kinds of images to be treated with the same severity as child sexual abuse and terrorism content, digitally marking them so that any time someone tries to repost them, they will be automatically taken down.
In a further step to protect victims, we will publish guidance for internet providers setting out how they should block access to sites hosting this content, targeting rogue websites that may fall outside the reach of the Online Safety Act.
The whiteboard has been on show at the UK medical center for a while now. Our reader told us: "A few months ago, I explained to a lady on the front desk that displaying this information was a bad idea. Clearly, they don't believe me."
The FBI has observed an increase in ATM jackpotting incidents across the United States. Out of 1,900 ATM jackpotting incidents reported since 2020, over 700 of them with more than $20 million in losses occurred in 2025 alone.
...
Threat actors are deploying ATM jackpotting malware, including the Ploutus family malware, to infect ATMs and force them to dispense cash. Ploutus malware exploits the eXtensions for Financial Services (XFS), the layer of software that instructs an ATM what to physically do... If a threat actor can issue their own commands to XFS, they can bypass bank authorization entirely and instruct the ATM to dispense cash on demand.
...
ATM jackpotting threat actors have used several main methods to deploy malware:
Threat actors remove the ATM’s hard drive, connect it to their computer, copy the malware to the hard drive, return the hard drive to the ATM, and reboot the ATM.
Threat actors remove the ATM’s hard drive, replace it with a foreign hard drive or other external device with preloaded malware, and reboot the ATM.

Getting Techy

Geo-Politics

  • [US] The deputy assistant director for cyber intelligence at the FBI, warns of the continued threat of chinese cyber espionage.
    He also gave provided an estimate on the number of countries impacted by Salt Typhoon (Operator Panda / Ghost Emperor / Famous Sparrow / Funky Boobsweat) - only a tiny fraction have publicly disclosed the intrusions into their telecommunications environment.
“despite all the advances in cybersecurity tools and strategies, it is still the most basic vulnerabilities that provide entry points.”
...
Despite an increasingly complex threat and technology environment, phishing attacks or targeting vulnerable legacy systems are still the most common ways the FBI sees hacking groups gain access to their victims. While foreign intelligence agencies do use zero-day vulnerabilities and other sophisticated tools to compromise well-defended systems, “by and large this is not what we are seeing, and it is not what we saw in Salt Typhoon.”
...
Machtinger estimated that Salt Typhoon’s intrusions have impacted more than 80 countries, often following the same playbook of pairing broad access with “indiscriminate” targeting and collection.
It is “important to recognize that the threat posed by Salt Typhoon actors and the rest of the PRC intelligence apparatus and enabling infrastructure is still very, very much ongoing,”

AI

  • Not to be left out of the release parties - Google have released Gemini 3.1 Pro. This one (unlike the recent Gemini 3 Deep Think, aimed at academics), is aimed at more common coding and agentic use cases. Its benchmark scores are close - but often exceeding - those of Anthropic's recent 4.6 models. Pricing remains unchanged. The downside is reported slow serving times at the moment.
  • Avast have released a free and open-source "ADR" (Agent Detection & Respose) tool, dubbed Sage, designed to hook in to common platforms (Claude Code, Cursor, VS Code, OpenClaw) and before a tool is used, run some checks to check if it's malicious.
Sage intercepts tool calls made by AI agents, extracts security-relevant artifacts, and checks them against multiple threat detection layers.
Detection Layers
URL reputation - Cloud-based lookup for malware, phishing, and scam URLs. Works without an API key.
Local heuristics - YAML-based regex patterns matching dangerous commands, suspicious URLs, sensitive file paths, credential exposure, and obfuscation techniques.
Package supply-chain checks - Registry existence, file reputation, and age analysis for npm/PyPI packages. See Package Protection.
Plugin scanning - Scans other installed plugins for threats at session start. See Plugin Scanning.

Subscribe to Deuxieme RE Banque News

Sign up now to get access to the library of members-only issues.
Jamie Larson
Subscribe