InfoSec News 23FEB2026

General

  • Slow, but inexorable: Oleksandr Didenko, arrested in May 2024 for identity theft and wire fraud in support of North Korean IT workers, has now been sentenced to 5 years in jail. As the article hints, Didenko was arrested the same month that an Arizona woman was charged with running a laptop farm (used by the North Koreans) from her house.
"Oleksandr Didenko participated in a scheme that stole the identities of hundreds of people, to include United States citizens, which were used by North Korea to fraudulently secure lucrative IT jobs"
...
Throughout this scheme, he provided the North Korean remote workers with at least 871 proxy identities and proxy accounts on three freelance IT hiring platforms. He also facilitated the operation of at least eight "laptop farms" in Virginia, Tennessee, California, Florida, Ecuador, Poland, and Ukraine that allowed the North Koreans to make it look like their devices were located in the United States.
One of these "laptop farms" was run by Christina Marie Chapman, a 50-year-old woman from Arizona, from her own home between October 2020 and October 2023. Chapman was charged in May 2024 and was sentenced to 102 months in prison after a July 2025 guilty plea.
"On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital ("PPWC") loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025,"
...
"When there is a potential exposure of customer information, PayPal is required to notify affected customers," the spokesperson said. "In this case, PayPal's systems were not compromised. As such, we contacted the approximately 100 customers who were potentially impacted to provide awareness on this matter."
Upon adding Pulse Secure to Ivanti’s portfolio, along with a mobile-device security company called MobileIron Inc., the company’s owners immediately loaded Ivanti with even more debt to pay for another purchase.
...
The former employees, most of whom were on the Pulse engineering team or in senior management positions at Ivanti and who asked not to be identified discussing private information, detailed how significant pressure to cut costs resulted in Ivanti’s private equity owners firing, among others, engineers critical to maintaining Connect Secure at a time of escalating cyberattacks.
...
Within a few years, Ivanti, saddled with $2.8 billion in debt, was slashing budgets and gutting teams across the company, including the VPN division. That left Connect Secure and its more than 20,000 customers vulnerable, according to public documents and the former employees.
Ivanti began laying off employees immediately after taking over the VPN maker in late 2020. Dismissals peaked in 2022 as interest rates skyrocketed, and have continued ever since. Over this period, three separate Chinese state-sponsored hacking campaigns exploited more than a dozen previously unknown weaknesses in Connect Secure VPNs.
...
The day after the acquisition closed, Ivanti revealed plans to lay off 70 Pulse employees, according to a disclosure Ivanti filed with California employment regulators, or about 11% of Pulse’s 650-person staff.
The cuts included nearly all of Pulse’s top executives and several senior engineers. The engineering department was targeted shortly after, when Ivanti eliminated vacant positions, terminated long-term contractors and began firing some of the most experienced — and best paid — members of the core team in California, who were responsible for high-level design of the VPNs and developing the next generation of technologies
...
This downsizing left Ivanti exposed when an alarming discovery came to light: In February 2021, the company learned that Chinese hackers had compromised the network of Pulse’s California data center via one of Pulse’s own VPNs
RMM tools continue to be many attackers’ top choice for initial access. Enterprise remote support software such as SimpleHelp, SuperOps, Datto, N-able and others is frequently delivered via email campaigns by cybercrime actors or used as follow-on payloads once an actor achieves initial access.
...
But at the end of January, Proofpoint observed a weird twist on the RMM landscape: a threat actor created malware masquerading as an RMM called “TrustConnect Agent.”
...
The platform provides a web-based C2 dashboard, automated payload generation with digital signatures, and a subscription-based access model which costs $300 per month paid via cryptocurrency. The centralized C2 server, trustconnectsoftware[.]com, manages multiple customers.
The University of Mississippi Medical Center (UMMC) closed all its clinic locations statewide on Thursday following a ransomware attack.
UMMC has over 10,000 employees and, as one of the largest employers in Mississippi, operates seven hospitals, 35 clinics, and more than 200 telehealth sites statewide. The medical center includes the state's only children's hospital, only Level I trauma center, only organ and bone marrow transplant program, and the only Telehealth Center of Excellence, one of two across the United States.
...
"Patients in our hospital and our emergency department are being cared for. Clinical equipment and operations remain functional."

Getting Techy

  • JAMF examines the Predator spyware to show how it enables the microphone and camera without the normal visual indicators.
The target method _handleNewDomainData: is called by iOS whenever sensor activity changes — camera turns on, microphone activates, etc. By hooking this single method, Predator intercepts ALL sensor status updates before they can be rendered on screen, preventing the green and orange dots from ever appearing to the user.
...
The SBSensorActivityDataProvider class aggregates all sensor activity before dispatching to the UI layer. By intercepting _handleNewDomainData:, Predator blocks updates for ALL sensor types with one hook.
While touring the Firefox source code to gather inspiration for a CTF challenge (Stay tuned for TRX CTF 2026!) I stumbled across quite an interesting, albeit simple, bug inside SpiderMonkey’s Wasm component.
I was able to exploit it to gain Code Execution inside the Firefox renderer process and reported my findings to Mozilla.

Geo-Politics

  • [NL] Dutch intelligence agencies (both General Intelligence and Military Intelligence) are warning about the increased threat posed by Russia.
In a joint assessment by the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD), the Dutch agencies warned that while a direct military clash between Russia and NATO remains unlikely, it is no longer unthinkable.
“Russia has not only proven capable of absorbing the substantial losses in Ukraine but has even expanded and reformed its armed forces. Furthermore, the Russian armed forces are preparing for the possibility of a conflict with NATO and are carrying out various activities to test the West’s willingness to escalate,” the report said.
Since late 2023, Europe has seen a sharp rise in such activity, the agencies said. Similar observations have been made by other NATO allies and the president of the European Commission, who last October told the European Parliament: “It is time to call it by its name. This is hybrid warfare, and we have to take it very seriously.”
...
The expulsion of hundreds of Russian intelligence officers from Europe following the 2022 invasion has seen Moscow increasingly rely on “low-level” agents — often recruited online, sometimes with criminal backgrounds, and in many cases unaware they are working for Russia.
The DOJ says that while working at Google, Samaneh Ghandali allegedly transferred hundreds of internal files, including trade secrets, to a third-party communications platform and shared them in channels associated with the defendants. Soroor Ghandali is accused of transferring numerous files as well, with prosecutors claiming the data later turned up on personal devices and other systems connected to the group.
Khosravi, who is married to Samaneh Ghandali, is accused of coordinating with the sisters and accessing sensitive information through his own unnamed employer.
Karen Newton was in America on the trip of a lifetime when she was shackled, transported and held for weeks on end. With tourism to the US under increasing strain, she says, ‘If it can happen to me, it can happen to anyone’
The dream holiday ended abruptly on Friday 26 September, as Karen and Bill were trying to leave the US. When they crossed the border, Canadian officials told them they didn’t have the correct paperwork to bring the car with them. They were turned back to Montana on the American side – and to US border control officials. Bill’s US visa had expired; Karen’s had not.
...
She didn’t know it at the time, but it was the beginning of an ordeal that would see Karen handcuffed, shackled and sleeping on the floor of a locked cell, before being driven for 12 hours through the night to an Immigration and Customs Enforcement (ICE) detention centre. Karen was incarcerated for a total of six weeks – even though she had been travelling with a valid visa.

AI

  • Anthropic aiming to change the reputation of LLMs and code quality? They've released Claude Code Security "in a limited research preview", a tool "that can scan a user’s software codebases for vulnerabilities and suggest patching solutions."
    It works in three phases - Scan, Validate, Review & Patch.
Scan your code in parallel
Claude Code Security understands context, traces data flows across files, and identifies complex, multi-component vulnerability patterns that traditional scanners might not detect.

Validate findings
Every finding goes through an adversarial verification pass. Claude challenges its own results before surfacing them. More real issues get reported, and fewer false positives waste analyst time.

Review and patch
Claude detects issues and proposes fixes. Every finding includes a recommended patch for teams to review and approve. Fix vulnerabilities quickly rather than adding them to a growing backlog.
...
Anthropic said Claude Opus 4.6 is “notably better” at finding high-severity vulnerabilities than past models, in some cases identifying flaws that “had gone undetected for decades.”
US and Chinese developers take different approaches. 21/30 agents are developed by US-incorporated companies and 5/30 by Chinese companies. Chinese-incorporated agents typically lack documented safety frameworks (1/5) and compliance standards (1/5), though their compliance may simply not be publicly documented.
...
Web conduct standards for agents remain unsettled. Browser-based agents often ignore robots.txt and some are explicitly designed to bypass anti-bot systems. Companies justify this by arguing agents act on behalf of users, but content hosts cannot verify or control agent access. Only one agent (ChatGPT Agent) uses cryptographic request signing.
...
A significant transparency gap exists between capability and safety disclosure. Developers share far more about product features than safety practices. Of the 13 agents exhibiting frontier levels of autonomy, only 4 disclose any agentic safety evaluations (ChatGPT Agent, OpenAI Codex, Claude Code, Gemini 2.5 Computer Use). 25/30 agents disclose no internal safety results, and 23/30 have no third-party testing information.

Subscribe to Deuxieme RE Banque News
