InfoSec News 23MAR2026

General

• Predictable ending to a Krebs on Security investigation - they never end well for the miscreants involved.

The U.S. Justice Department joined authorities in Canada and Germany in dismantling the online infrastructure behind four highly disruptive botnets that compromised more than three million Internet of Things (IoT) devices, such as routers and web cameras. The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.
...
The DOJ said its disruption of the four botnets coincided with “law enforcement actions” conducted in Canada and Germany targeting individuals who allegedly operated those botnets, although no further details were available on the suspected operators.
In late February, KrebsOnSecurity identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet. Multiple sources familiar with the investigation told KrebsOnSecurity the other prime suspect is a 15-year-old living in Germany.

• https://krebsonsecurity.com/2026/03/feds-disrupt-iot-botnets-behind-huge-ddos-attacks/
• https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks
• https://www.bleepingcomputer.com/news/security/aisuru-kimwolf-jackskid-and-mossad-botnets-disrupted-in-joint-action/
• https://www.itnews.com.au/news/us-germany-canada-disrupt-botnets-624497
• https://therecord.media/us-seizes-botnet-infrastructure-four-large-networks
• https://www.theregister.com/2026/03/20/botnet_disruption/
• You had one job Trivy..."a comprehensive and versatile security scanner" mainly used to check containers.

On March 19, we observed that a threat actor used a compromised credential to publish malicious trivy (v0.69.4), trivy-action, and setup-trivy releases. This was a follow up from the recent incident (2026-03-01) which exfiltrated credentials. Our containment of the first incident was incomplete. We rotated secrets and tokens, but the process wasn't atomic and attackers may have been privy to refreshed tokens. We are now taking a more restrictive approach and locking down all automated actions and any token in order to thoroughly eliminate the problem.

The malicious payload is designed to execute within GitHub Actions runners, targeting sensitive data in CI/CD environments. Observed behavior includes dumping runner process memory to extract secrets, harvesting SSH keys, and exfiltrating credentials for AWS, GCP, and Azure, as well as Kubernetes service account tokens.

The Trivy vulnerability scanner was compromised in a supply-chain attack by threat actors known as TeamPCP, which distributed credential-stealing malware through official releases and GitHub Actions.
Trivy is a popular security scanner that helps identify vulnerabilities, misconfigurations, and exposed secrets across containers, Kubernetes environments, code repositories, and cloud infrastructure. Because developers and security teams commonly use it, it is a high-value target for attackers to steal sensitive authentication secrets.

• https://github.com/aquasecurity/trivy/discussions/10425
• https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
• https://www.bleepingcomputer.com/news/security/trivy-vulnerability-scanner-breach-pushed-infostealer-via-github-actions/
• Oracle have a lovely pre-authentication remote-code-execution (RCE) vulnerability in Identity Manager and Web Services Manager (part of Oracle Fusion Middleware). 9.8 CVSS rating. Expect these to be exploited soon.

Oracle says the flaw is of low complexity, remotely exploitable over HTTP, and does not require authentication or user interaction, increasing the risk of exploitation on exposed servers.
The fix was released through its Security Alert program, which delivers out-of-schedule fixes or mitigations for critical or actively exploited vulnerabilities. However, Oracle says that patches released through these programs are only offered for versions under Premier or Extended Support, and older unsupported versions may be vulnerable.
Oracle has not disclosed whether the vulnerability has been exploited and declined to comment when BleepingComputer asked about its exploitation status.

• https://www.oracle.com/security-alerts/alert-cve-2026-21992.html
• https://www.bleepingcomputer.com/news/security/oracle-pushes-emergency-fix-for-critical-identity-manager-rce-flaw/
• Extorting a former employer went as well as can be expected - paid US$7.5k ransom, now facing up to 12 years in jail.

27-year-old Cameron Curry (also known as "Loot") took advantage of his access to Brightly's payroll information and corporate data to steal sensitive documents, which he used as leverage in an extortion scheme after learning that his six-month contract wouldn't be extended.
One day after his contract ended on December 10, Curry began sending over 60 extortion emails to Brightly employees using the lootsoftware@outlook.com Microsoft email address and the Loot alias, threatening to leak sensitive information stolen between August and December 2023 unless he was paid a $2.5 million ransom.

• https://www.bleepingcomputer.com/news/security/data-analyst-found-guilty-of-extorting-brightly-software-of-25-million/
• Making decent money from streaming royalties, with bot accounts.

At the peak of the operation, Smith was using over 1,000 bot accounts to artificially boost streams. On October 20, 2017, he also emailed himself a financial breakdown outlining how he operated 52 cloud service accounts, each with 20 bot accounts.
He estimated that each bot could stream around 636 songs per day, for a total of approximately 661,440 streams per day. With an average royalty rate of half a cent per stream, the daily earnings would reach $3,307.20, the monthly earnings would reach $99,216, and the annual earnings would exceed $1.2 million, according to Smith.
...
Smith has agreed to pay $8,091,843.64 in forfeiture and faces a maximum sentence of 5 years in prison after pleading guilty to one count of conspiracy to commit wire fraud.

• https://www.bleepingcomputer.com/news/security/musician-pleads-guilty-to-10m-streaming-fraud-powered-by-ai-bots/
• https://therecord.media/man-pleads-guilty-8-million-ai-music-scheme
• Abusing legitimate services (in this case alerting) to deliver phishing. Watch this one move from one platform to the next.

The threat actors are conducting this campaign by creating alerts in Azure Monitor for easily triggered conditions, such as new orders, payments, generated invoices, and other billing events.
When creating alerts, you can enter any message you want in the description field, which the attackers use to put their callback phishing message.
These alerts are then configured to send emails to what is believed to be a mailing list under the attacker's control, which forwards the email to all the targeted people in the attack.

• https://www.bleepingcomputer.com/news/security/microsoft-azure-monitor-alerts-abused-in-callback-phishing-campaigns/
• More buggy Microsoft rollouts - March's Patch Tuesday cumulative update breaks Office 365 logins for personal Microsoft accounts.

The list of affected applications also includes Microsoft Edge, Excel, Word, and Microsoft 365 Copilot, which will display the same error message for features that require a Microsoft account sign-in.
...
"Please note that this issue occurs only with sign in operations involving Microsoft accounts, which are commonly used for Microsoft Teams Free. Businesses using Entra ID (previously known as Azure Active Directory) for app authentication will not be affected by this issue."
...
Since this month's Patch Tuesday Windows updates were released, Microsoft has also issued two emergency out-of-band (OOB) updates for hotpatch-enabled Windows 11 Enterprise devices that address a Bluetooth device visibility issue and several security flaws in the Routing and Remote Access Service (RRAS) management tool.

• https://www.bleepingcomputer.com/news/microsoft/kb5079473-march-windows-11-update-breaks-microsoft-account-sign-ins/

Geo-Politics

• [IR] Domains that are allegedly tied to Iran's Ministry of Intelligence and Security (MOIS), have been taken down by the FBI. These include Handala-branded sites.

The Justice Department seized four domains — Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to — allegedly used by Iran’s MOIS in operations dating back to 2022.
Last week, Handala took credit for an attack on Michigan-based medical tech company Stryker. The group used one of the sites to post information stolen from the company and boast of how it wiped thousands of the company’s devices.
...
The FBI said the Handala website was linked to other domains used by Iran’s MOIS in operations dating back to 2022.
One of the websites was used to host information stolen from Albania during two cyberattacks on the country’s government in 2022.

• https://therecord.media/fbi-takes-down-leak-sites-iran-mois
• https://www.justice.gov/opa/media/1431956/dl?inline
• [UK] Ciaran Martin, chair of the Cyber Monitoring Centre's technical commitee, has called into question the UK government's bail-out loan to Jaguar Land Rover (JLR).

"I think the loan guarantee is an unfortunate precedent because the government intervened in a case-specific way... without clear criteria," Martin said. "Otherwise you'll just end up with a series of ad hoc precedents that will leave nobody any the wiser."
...
"It would be better to have a framework... rather than a response to events," he said, suggesting options could include mandatory insurance, tax incentives, or some form of government-backed safety net.
...
It follows a year in which the CMC has tried to put hard numbers on the financial impact of major cyber incidents on the UK economy, including the JLR attack, which it estimates cost up to £1.9 billion. Separate attacks on retailers Marks & Spencer and the Co-op were pegged at a combined £355 million.

• https://www.theregister.com/2026/03/20/jlr_bailout_cmc/

Privacy

• [UK] The UK police force has suspended a Facial Recognition trial, due to biases in the models used.

• At the current operational setting used by Essex Police, the system correctly identified around half of the people on the watchlist who passed the cameras.
• Incorrect identifications were extremely rare in the experiment.
• The system was more likely to correctly identify men than women.
• It was statistically significantly more likely to correctly identify Black participants than participants from other ethnic groups
...
There was no statistically significant evidence that LFR deployments reduced crime in the short term

• https://www.theregister.com/2026/03/20/uk_police_force_suspend_live_faical_recog_racial_bias/ (sic)
• https://www.essex.police.uk/SysSiteAssets/media/downloads/essex/about-us/live-facial-recognition/2026-03-12-lfr-accuracy-watchlists-deterrence-cambs-uni.pdf
• [US] Recorded Future sat down to discuss the Foreign Intelligence Surveillance Act (FISA) Section 702 (current authorisation expiring 20 April 2026), with one of the Republicans. As expected, it's a very politicised view.
  • https://therecord.media/lahood-on-section-702-reauthorization-interview-political-muscle

AI

• Co-founder of Super Micro, arrested on claims of smuggling restricted Graphics Processor Units (GPU's) to China.

“The indictment unsealed today details alleged efforts to evade U.S. export laws through false documents, staged dummy servers to mislead inspectors, and convoluted transshipment schemes, in order to obfuscate the true destination of restricted AI technology—China,” said John A. Eisenberg, Assistant Attorney General for National Security. “These chips are the product of American ingenuity, and NSD will continue to enforce our export-control laws to protect that advantage.”
...
The scheme operated as follows. Liaw and Chang, who worked closely with third-party brokers with customers based in China, directed certain executives of a company based in Southeast Asia (“Company-1”) to place purchase orders with the U.S. Manufacturer for servers with certain GPUs, purportedly for Company-1. Those servers were often assembled in the United States and shipped to the U.S. Manufacturer’s facilities in Taiwan, then delivered to Company-1 elsewhere in Southeast Asia. Company-1, in consultation with the defendants, then used a shipping and logistics company to repackage the U.S. Manufacturer’s servers and place them in unmarked boxes to conceal their content prior to shipping them to their final destinations in China. To ensure that these server allocations were approved internally at the U.S. Manufacturer, the defendants and executives at Company-1 prepared false documents and records, and transmitted false communications, purporting to show that Company-1 was the end user of the servers.
At the defendants’ direction, between 2024 and 2025, Company-1 purchased approximately $2.5 billion worth of servers from the U.S. Manufacturer, many of which were assembled in the United States. The defendants’ scheme became more brazen over time and resulted in massive quantities of servers with controlled U.S. artificial intelligence technology being sent to China. Between late April 2025 and mid-May 2025 alone, at least approximately $510 million worth of the U.S. Manufacturer’s servers, assembled in the United States, were diverted to China in violation of U.S. export control laws as part of the defendants’ scheme.

• https://www.itnews.com.au/news/us-arrests-super-micro-co-founder-for-allegedly-smuggling-gpus-into-china-624452
• https://www.justice.gov/opa/pr/three-charged-conspiring-unlawfully-divert-cutting-edge-us-artificial-intelligence