InfoSec News 20MAR2026

General

  • Ransomware TTPs (Tools, Techniques and Procedures) - how they get the data out.
As defenders have improved their ability to detect malicious code, attackers have adapted by reducing their reliance on bespoke implants. As a result, data exfiltration is no longer primarily driven by custom malware or specialized tooling. Instead, many modern exfiltration operations leverage legitimate, widely deployed utilities already present in enterprise environments, along with benign cloud storage locations as the destination of the exfiltration connections.
...
This research originated from a fundamental question: If attackers don’t require malicious software or infrastructure to exfiltrate data, what signals can defenders rely on to detect their behavior?
...
The Exfiltration Framework is a defensive project designed to systematically document how legitimate tools are abused for data exfiltration. Early in its development, the goal was to provide a comparative overview of exfiltration-capable tools, similar in spirit to matrix-style projects that summarize capabilities at a high level. While useful for classification, this approach proved insufficient for capturing the behavioral and forensic details required for detection and investigation.
As a result, the framework evolved toward a structured, feature-oriented model inspired by projects such as LOLBAS, where tool capabilities, behaviors, and artifacts are documented in a consistent and extensible format. This design allows exfiltration-relevant characteristics to be organized clearly and compared across tools without oversimplifying their behavior.
The framework is intentionally scoped to legitimate, widely available tools commonly present in enterprise environments. It does not attempt to catalog all possible exfiltration mechanisms, nor does it analyze custom malware, exploit-based techniques, or novel C2 protocols. Instead, it concentrates on utilities routinely used for legitimate purposes that can naturally blend into normal activity, making their abuse particularly difficult to detect.
To successfully encrypt data, ransomware encryptors need to evade detection. Nowadays, a wide range of mature evasion techniques is available, ranging from packing and code virtualization to sophisticated injection. However, we rarely see any of these implemented in encryptors. Instead, ransomware attackers opt for EDR killers to disrupt security solutions right before encryptor deployment.
...
EDR killers endure because they’re cheap, consistent, and decoupled from the encryptor – a perfect fit for both encryptor developers, who don’t need to focus on making their encryptors undetectable, and affiliates, who possess an easy-to-use, powerful utility to disrupt defenses prior to encryption.
Our research presents telemetry-backed insights into the EDR killer ecosystem that move past the commonly seen driver-centric approach. We document how affiliates, not operators, shape tooling diversity, and how codebases routinely reuse and swap drivers. We outline how the past year saw increasingly commercialized offerings for EDR killers, and showcase how commercial EDR killers especially can supply the defense evasion techniques commonly missing in encryptors.
The FBI has seized two websites used by the Handala hacktivist group after the threat actors conducted a destructive cyberattack on medical technology giant Stryker that wiped approximately 80,000 devices.
Both the hacktivist's handala-redwanted[.]to and handala-hack[.]to clearnet domains now display a seizure notice stating that the websites were seized under a seizure warrant issued by the District Court for the District of Maryland.
...
While there has been no official announcement by law enforcement regarding the seizures, the domain name servers have now been switched to those commonly used by the FBI when seizing domains.
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account.
...
An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges.
A critical flaw in Magento's REST API lets unauthenticated attackers upload executable files to any store. We named the vulnerability "PolyShell" because the attack uses a polyglot (code disguised as image).
Sansec has not observed active exploitation so far. However, the exploit method is circulating already and Sansec expects automated attacks to appear soon.
...
The vulnerable code has existed since the very first Magento 2 release. Adobe fixed it in the 2.4.9 pre-release branch as part of APSB25-94, but no isolated patch exists for current production versions. While Adobe provides a sample web server configuration that would largely limit the fallout, the majority of stores use a custom configuration from their hosting provider.
The process is designed to create friction. Users must first enable developer mode in system settings. They then need to confirm that they're not being coerced. After that, they need to restart their phone and reauthenticate. And then they need to wait one day.
"There is a one-time, one-day wait and then you can confirm that this is really you who's making this change with our biometric authentication (fingerprint or face unlock) or device PIN," said Forsythe. "Scammers rely on manufactured urgency, so this breaks their spell and gives you time to think."
Currently, the digital ID can only be used to authenticate access to 246 online government services, according to data released in December.
The government said that 80 million ID verified transactions had flowed through the AGDIS in the year to December 2025, with 15 million Digital IDs registered.
However, the plan has always been to open the AGDIS to private sector use as well.
This is intended to allow private sector users to securely verify the identity of customers using the government-issued digital identity.
It appears the government is now exploring how this can be implemented; in particular, how to technically integrate identity systems used by the private sector with the AGDIS, so that checks can be digitally requested and returned.

Getting Techy

By attaching to the browser process as a debugger and setting a breakpoint at the precise moment when the key is present in plaintext, an attacker can extract it directly from the memory. Importantly, this can be done without any privilege escalation and, when using hardware breakpoints rather than software ones, without any writes to the browser process.
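A defender-side check for the behaviour described above, added here as an example and not taken from the original article: it scans Sysmon Event ID 10 (ProcessAccess) records for an unexpected image opening a browser process with debugger-level or memory-read access. The records are constructed inline in a simplified key=value form, the allow-listed EDR/WER paths and the browser list are assumptions, and 0x1FFFFF (PROCESS_ALL_ACCESS) is assumed as the mask commonly granted to a debugger attach; because hardware breakpoints do not write to the target, the rule deliberately does not require PROCESS_VM_WRITE.

```python
import re
from dataclasses import dataclass

# Process access-right bits from the Win32 access mask (documented Windows values).
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF     # assumed: the mask a debugger attach is commonly granted

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Assumed allow-list: images expected to read browser memory in this environment (EDR sensor, WER).
ALLOWED_SOURCES = {r"c:\program files\edr\sensor.exe", r"c:\windows\system32\werfault.exe"}
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Finding:
    source: str
    target: str
    granted: int
    reason: str

def parse_event(line):
    """Turn one key=value Sysmon-style record into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def evaluate(event):
    """Return a Finding if an unexpected image opened a browser with debugger-level or read access."""
    if event.get("EventID") != "10":
        return None
    src, tgt = event["SourceImage"].lower(), event["TargetImage"].lower()
    if tgt.rsplit("\\", 1)[-1] not in BROWSERS or src in ALLOWED_SOURCES:
        return None
    granted = int(event["GrantedAccess"], 16)
    if (granted & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        return Finding(src, tgt, granted, "debugger-style attach: full access to browser process")
    if granted & PROCESS_VM_READ:
        # No PROCESS_VM_WRITE required: hardware breakpoints leave process memory untouched,
        # so a read-capable handle from an unexpected image is already worth raising.
        return Finding(src, tgt, granted, "memory read of browser process from unexpected image")
    return None

def scan(lines):
    """Run every record through evaluate() and keep the findings."""
    return [f for f in (evaluate(parse_event(l)) for l in lines) if f is not None]

# Constructed sample records in a simplified key=value form, not real Sysmon output.
SAMPLE_LOG = [
    r'EventID=10 SourceImage="C:\Program Files\EDR\sensor.exe" TargetImage="C:\Program Files\Google\Chrome\Application\chrome.exe" GrantedAccess=0x1010',
    r'EventID=10 SourceImage="C:\Users\bob\tools\dbg.exe" TargetImage="C:\Program Files\Google\Chrome\Application\chrome.exe" GrantedAccess=0x1FFFFF',
    r'EventID=10 SourceImage="C:\Users\bob\tools\peek.exe" TargetImage="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" GrantedAccess=0x1410',
    r'EventID=10 SourceImage="C:\Users\bob\tools\dbg.exe" TargetImage="C:\Windows\System32\notepad.exe" GrantedAccess=0x1FFFFF',
    r'EventID=1 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c ver"',
]
```

Running `scan(SAMPLE_LOG)` yields two findings (the full-access attach and the read-only handle on msedge.exe); the EDR sensor, the non-browser target and the non-ProcessAccess event are ignored.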

Geo-Politics

  • [RU] Putin...you need to be crazy to denounce him.
A pro-Kremlin figure who unexpectedly denounced Russian President Vladimir Putin and the war in Ukraine in a social media post this week that went viral has been placed in a psychiatric facility, the hospital said on Thursday.
Ilya Remeslo made a career denouncing Putin's critics until he became one himself, posting a manifesto late on Tuesday to his 90,000 followers on Telegram entitled: "Five reasons why I stopped supporting Vladimir Putin."
He said Putin had prosecuted a "failing war" in Ukraine that had killed millions and torpedoed Russia's economy to the detriment of its citizens' well-being.
"Vladimir Putin is not a legitimate president. Vladimir Putin must resign and be brought to trial as a war criminal and a thief," Remeslo wrote in his post.
...
On Thursday, St Petersburg's Fontanka newspaper reported Remeslo had been hospitalised in the city's Psychiatric Hospital No. 3. Reuters was unable to reach Remeslo himself or determine how he came to be hospitalised.
Thomas Lind, a senior adviser at the Office of the National Cyber Director, acknowledged at the Prague Cyber Security Conference on Tuesday that the administration’s four-page national cyber strategy, unveiled earlier this month, called for a more aggressive approach against criminal networks and adversarial governments.
...
“We have to impose heavy costs. We need to do it more often, and we need to do it in a more routine and coordinated fashion,” Lind said. He added that those responses will not necessarily mirror the attacks themselves: “We don’t have to cyber them because they’ve cybered us.”
Imposing such costs means the U.S. needs “to bring in the private sector,” said Lind, before stressing: “That does not mean hack back, that does not mean letters of marque,” he said. “We’re not interested in fighting pirates with pirates.”
National Cyber Director Sean Cairncross also addressed the issue Tuesday at the McCrary Cyber Summit in Washington, D.C., where he called for closer cooperation with industry while specifying that “private sector, industry or companies engaging in cyber offensive campaigns — that's not what we're talking about.”
“What I'm talking about are the technical capabilities, the ability of our private sector to illuminate the battlefield from what they're seeing.”

Privacy

  • Oh, the irony - ShinyHunters steals 900k records containing customers' personal information from a company that sells "identity theft protection, credit and fraud monitoring". Don't worry - their "information security systems and processes worked as intended"...even as large amounts of data were dumped.
At this time, we can confirm that the unauthorized party was able to access approximately 900,000 records, the vast majority of which consist of names and email addresses from a marketing tool used by a company Aura acquired in 2021.
We believe the contact information (name, email, home address, phone number) for less than 20,000 active Aura customers and less than 15,000 former Aura customers was accessed. No Social Security numbers, passwords, or financial information were compromised.
Aura’s information security systems and processes worked as intended. They are designed to limit the potential exposure of customer information in the event of a breach, including organizational, technical, and physical safeguards. All sensitive customer personal information (Social Security numbers, financial transactions, credit files, payment details, credentials) is encrypted and access is highly restricted.
In rolling out these laws, governments are effectively walling off large swathes of the open and decentralized internet, while sleepwalking the rest of us into a security and privacy disaster.
Now, hundreds of security and privacy academics are sounding the alarm in response to these invasive online checks, saying age verification laws carry significant risks that threaten the internet as we know it.
...
Age verification laws are a lazy way for politicians and governments to appear as if they are tackling online child safety, but without any forethought to the future consequences of amassing vast banks of personal information for verifying people's identities.
...
As journalist Taylor Lorenz writes in The Guardian, age verification laws "could transform the internet from a space of free expression to a fully surveilled digital panopticon where every action you take online is tied to your government ID."
...
According to the academics, many age verification systems as designed today create a "single point of failure" by storing huge amounts of personal and identifiable information in central databases. These data stores become rich targets for hackers, malicious insiders, and law enforcement agencies demanding access at a moment's notice.
...
These are not hypotheticals. In October 2025, Discord reported a data breach that allowed hackers to steal around 70,000 identity documents of users, who had contacted its customer support to appeal their age check determination. There are inherent risks in collecting this kind of sensitive data to begin with.
Gated community apps like Tea and TeaOnHer, which only allowed access to users who uploaded their identity documents, both experienced security spills involving thousands of people's papers.
I’ve been building Confer: end-to-end encryption for AI chats. With Confer, your conversations are encrypted so that nobody else can see them. Confer can’t read them, train on them, or hand them over – because only you have access to them.
The core idea is that your conversations with an AI assistant should be as private as your conversations with a person. Not because you’re doing something wrong, but because privacy is what lets you think freely.
Ten years ago, I worked with Meta to integrate the Signal Protocol into WhatsApp for end-to-end encrypted communication. That enabled end-to-end encryption by default for billions of people. Now we’re going to do the same thing again, for AI chat.
As Confer continues to operate as an independent entity, I will also work to integrate Confer’s privacy technology so that it underpins Meta AI. Meta is building advanced frontier models, so this will combine the most private AI chat technology in the world with the most capable AI models in the world. As Meta builds more AI products beyond the basic chat paradigm, the privacy technology from Confer will be a part of the foundation of everything that is to come.
A hacker says they have broken into a US platform for searching law enforcement hotline messages and compromised more than 8 million confidential tips.
In a statement posted online, the hacker - who used the name "Internet Yiff Machine" - said they had broken into tip intelligence platform P3 Global Intel, an arm of safety company Navigate360, and stolen 93 gigabytes of data.
...
The transparency website Distributed Denial of Secrets - which archives material from hacks and leaks - said it too had received a copy of the data and would make it available to "established journalists and researchers."
In a statement, the site's founder, Emma Best, said the data "provides excruciating detail" on a tip-collection system that "seeks to make everyone an informant."
U.S. intelligence leaders on Thursday presented a united public front in favor of extending a key national security surveillance power without changes, providing momentum to backers of such an approach before a crucial week in Congress.
...
“I wish the reauthorization was longer than 18 months, congressman,” CIA Director John Ratcliffe said in response to questions from Rep. Darin LaHood (R-IL).
...
FBI Director Kash Patel, ... agreed.
“I’d like five to ten years,” he said.
...
The new approach has put Director of National Intelligence Tulsi Gabbard in an awkward position. In 2020, Gabbard, then a Democratic congresswoman from Hawaii, introduced legislation that would have repealed the authority and other spying capabilities.

AI

  • Someone's decided to go back to a 2023 Apple paper - LLM in a flash: Efficient Large Language Model Inference with Limited Memory - and get Claude Code to implement it.
    End result: Running the pretty large Qwen3.5-379b-a17b (379b parameters, 17b active) on a MacBook Pro with only 48GB of RAM (README from GitHub implies only 6GB of that used!). The latest version is running at roughly 4 tokens per second.
    The key is that, whilst a Mixture of Experts (MoE) model may be large (379b parameters), only a fraction of those (17b active) are used to process each token; different tokens may activate different sets of 'experts', i.e. different selections of 17b parameters from the overall 379b. The Apple paper describes keeping most of the model on fast storage (e.g. NVMe) and loading the required sections into RAM on demand.
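A toy model of the idea above, added here as an illustration and not code from the Apple paper or the GitHub project: expert weights live in a memory-mapped file standing in for disk, a deterministic stand-in router picks a few experts per token, and only those experts are read into a small LRU-bounded "RAM" cache. The expert count, sizes and cache budget are constructed values, not Qwen's real configuration.

```python
import mmap, os, random, tempfile
from collections import OrderedDict

# Constructed toy dimensions standing in for the real model; not Qwen's actual config.
NUM_EXPERTS = 16        # experts kept on "disk"
ACTIVE_PER_TOKEN = 2    # experts the gate activates per token
EXPERT_BYTES = 4096     # size of one expert's weights in the toy file
CACHE_SLOTS = 4         # RAM budget: experts resident at once

class ExpertStore:
    """Memory-maps the model file and reads experts on demand, evicting LRU when RAM is full."""
    def __init__(self, path):
        self.f = open(path, "rb")
        self.mm = mmap.mmap(self.f.fileno(), 0, access=mmap.ACCESS_READ)
        self.cache = OrderedDict()
        self.loads = self.hits = self.max_resident = 0
    def get(self, idx):
        if idx in self.cache:                  # already in RAM: reuse it
            self.hits += 1
            self.cache.move_to_end(idx)
            return self.cache[idx]
        # miss: read only this expert's slice from disk, nothing else
        self.cache[idx] = bytes(self.mm[idx * EXPERT_BYTES:(idx + 1) * EXPERT_BYTES])
        self.loads += 1
        if len(self.cache) > CACHE_SLOTS:
            self.cache.popitem(last=False)     # evict the least recently used expert
        self.max_resident = max(self.max_resident, len(self.cache))
        return self.cache[idx]
    def close(self):
        self.mm.close()
        self.f.close()

def route(token_id):
    """Toy gate: deterministic pick of ACTIVE_PER_TOKEN experts (a real MoE uses a learned router)."""
    return sorted(random.Random(token_id).sample(range(NUM_EXPERTS), ACTIVE_PER_TOKEN))

def run_inference(tokens):
    """Run a token stream against an on-disk toy model; return how often experts were loaded vs reused."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:             # lay NUM_EXPERTS fixed-size weight blobs back to back
        for e in range(NUM_EXPERTS):
            f.write(bytes([e]) * EXPERT_BYTES)
    store = ExpertStore(path)
    try:
        for t in tokens:
            for e in route(t):
                assert store.get(e)[0] == e    # the bytes read really belong to expert e
    finally:
        store.close()
        os.remove(path)
    return {"loads": store.loads, "hits": store.hits, "max_resident": store.max_resident}
```

A repeating token stream such as `[1, 2, 1, 2, 1, 2]` loads at most four experts once and serves the rest from cache, while a stream of all-distinct tokens keeps churning experts through the same four slots; `max_resident` never exceeds CACHE_SLOTS in either case.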

Jamie Larson