InfoSec News 24MAR2026
General
- Google Mandiant have released their "M-Trends" for 2026.
Exploits remained the most common initial infection vector for the sixth consecutive year, accounting for 32% of intrusions. However, highly interactive voice phishing saw a significant surge to 11%, becoming the second-most commonly observed vector.
...
Across all 2025 investigations, 52% of the time organizations first detected evidence of malicious activity internally, an increase from 43% in 2024.
...
the high tech sector (17%) outpacing the financial sector (14.6%) as the most frequently targeted industry, shifting the financial sector out of the top spot it held in 2024 and 2023.
...
In 2022, the median time between an initial access event and the hand-off to a secondary threat group was more than 8 hours. In 2025, that window collapsed to just 22 seconds.
...
Attackers are exploiting misconfigured Active Directory Certificate Services templates to create admin accounts that bypass password rotation and are actively deleting backup objects from cloud storage.
- https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/
- https://www.gstatic.com/security-marketing/m-trends-2026-en.pdf
- https://www.theregister.com/2026/03/23/voice_phishing_skyrockets_as_smooth/
- Cisco Talos have also released their "2025 Year in Review"
New large-scale vulnerabilities were operationalized almost immediately, but adversaries also continued to exploit CVEs that have been exposed for years. This rapid operationalization of new vulnerabilities reflects a rise in automated exploit development, public proof-of-concept code, and mature adversary coordination.
...
Attackers who gained access through compromised credentials stealthily extended that access through internal phishing and abuse of identity controls within network infrastructure. Control of identity often meant control of the environment.
...
Approximately 25% of the vulnerabilities in the Top 100 targeted list affected widely used frameworks and libraries that are embedded deep within the software stack. Because these components underpin applications and network appliances across vendors, a single CVE can create mass exploitation potential across industries. Compromising these shared foundations enabled lateral movement across environments.
- https://blog.talosintelligence.com/2025-talos-year-in-review-speed-scale-and-staying-power/
- https://storage.ghost.io/c/af/a0/afa04ee3-414f-4481-8d23-7e7c146f192e/content/files/2026/03/2025YiR-report.pdf
- https://www.theregister.com/2026/03/23/cisco_talos_cybersecurity_report_patch_fast/
- Brian Krebs has detailed 'CanisterWorm' in a new article. This is a wiper, targeting machines with the time zone set to "Asia/Tehran" or "Iran", or language set to Farsi ("fa_IR"). It's from TeamPCP, the same group behind the attack on Trivy, mentioned yesterday.
A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran’s time zone or have Farsi set as the default language.
Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as TeamPCP.
...
Over the weekend, the same technical infrastructure TeamPCP used in the Trivy attack was leveraged to deploy a new malicious payload.
The decision tree is simple and brutal:
Kubernetes + Iran: Deploy a DaemonSet that wipes every node in the cluster
Kubernetes + elsewhere: Deploy a DaemonSet that installs the CanisterWorm backdoor on every node
No Kubernetes + Iran: rm -rf / --no-preserve-root
No Kubernetes + elsewhere: Exit. Nothing happens.
...
A third iteration of the payload just showed up...The previous versions relied on DaemonSets to move across a cluster. This variant drops that entirely and replaces it with two lateral movement methods: SSH key theft and exposed Docker API exploitation. It also scans the local /24 subnet for new targets.
- https://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran/
- https://www.aikido.dev/blog/teampcp-stage-payload-canisterworm-iran
- Even more from TeamPCP - this time taking over Checkmarx's KICS - "an open-source tool for scanning Infrastructure as Code (IaC) to detect misconfigurations and vulnerabilities before deployment".
More credential thefts, likely leading to even more supply-chain attacks.
This is the second popular open source security scanner that this group has compromised in the last five days. The operation uses familiar naming conventions and the same RSA public key, allowing Wiz to assess with high confidence that it is the same actor.
- The iOS Exploit Kit dubbed 'DarkSword' (exposed shortly after the 'Coruna' kit), has apparently been leaked on GitHub.
Last week, cybersecurity researchers uncovered a hacking campaign targeting iPhone users that used an advanced hacking tool called DarkSword. Now someone has leaked a newer version of DarkSword and published it on the code-sharing site GitHub.
...
Frielingsdorf said that these new versions of DarkSword spyware share the same infrastructure with the ones he and his iVerify colleagues analyzed previously, although the files are slightly different. The files uploaded to GitHub are uncomplicated, just HTML and JavaScript, he said, meaning anyone can copy and paste them and host them on a server “in a couple minutes to hours.”
- More charges against people supporting North Korean IT workers. Three men from the US charged for running laptops, and providing access to their identities, from 2019 to 2022.
Travis pleaded guilty to accusations that he allowed North Korean IT workers to use his identity on resumes and during employer vetting processes that involved interviews, drug tests and fingerprints. The North Korean IT workers also opened bank accounts in his name to receive payment from employers.
Travis received a laptop from eight companies that thought they were hiring him and installed software that allowed North Korean workers to access the devices remotely.
...
Salazar and Phagnasay similarly allowed North Koreans to use their identities and received company laptops.
...
Prosecutors said the scheme earned North Koreans a total of about $1.3 million in salary payments.
- https://therecord.media/us-soldier-sentencer-for-helping-nk-it-workers
- https://flare.io/learn/resources/north-korean-infiltrator-threat
- The Register lays some snark on Microsoft over recent patches.
Microsoft has released an out-of-band update to resolve bugs introduced by a Windows patch just days after promising improved reliability.
...the latest in a growing line of patches that themselves need patching.
...
Until the fix, Microsoft's advice amounted to "turn it off and on again and hope for the best", at least at the service level.
...
The patch comes just a few days after Windows boss Pavan Davuluri promised an era of reliability and stability for Microsoft's operating system, with a less scattered approach to implementing AI technologies such as Copilot.
Davuluri acknowledged user frustration in November, meaning there were almost four months to ensure updates are being properly tested before release. And yet here we are.
- Useful little guide from Eset, in case you need to advise someone who may have fallen for a phishing attack.
Stop the damage (minutes 0–2)...
Secure access (minutes 3–6)...
Check, check, check (minutes 7–10)...
Clean up (minutes 11–13)...
Warn and report (minutes 14–15 – and beyond)
- [RU] The brief rise-and-fall of ClayRAT, launched in October 2025.
Rooky mistake - based in Russia, targeting Russians.
The malware, known as ClayRat, was designed for espionage and remote control of infected Android devices. Once installed, it could intercept SMS messages and call logs, access contacts, take photos, record screens, and execute commands sent from a remote command-and-control server.
...
Despite attracting attention shortly after emerging in October 2025, ClayRat’s infrastructure deteriorated rapidly. By December, all known command servers associated with the malware had gone offline
...
The shutdown appears to coincide with the arrest in the Russian city Krasnodar of a student suspected of developing the malware. He allegedly marketed ClayRat through Telegram channels using a subscription model that charged customers $90 per week or $300 per month, or took a 15% share of revenue generated through the malware.
...
Researchers said the campaign largely targeted users in Russia.
- [US] Three Business Email Compromise (BEC) scammers have plead guilty in US courts.
A Nigerian man has been sentenced to more than seven years in a U.S. prison for his role in a scheme that hacked business email accounts and tricked victims into sending millions of dollars to fraudulent bank accounts, U.S. authorities said.
...
The scheme dates back to at least 2017, according to court documents. Prosecutors estimate the operation ultimately stole about $6 million.
...
Two other defendants in the case have already pleaded guilty. Kosi Goodness Simon-Ebo admitted his role in the scheme in 2023 and received an 18-month prison sentence. Another co-conspirator, Henry Onyedikachi Echefu, pleaded guilty in 2024 and could face up to 20 years in prison.
- [US] Physical-world impacts of ransomware. Intoxalock sells a breathalyzer device that integrates with a car's ignition circuit. With some of the company's systems down, the breathalyzer systems won't unlock.
The company, Intoxalock, says on its website that it is “currently experiencing downtime” after a cyberattack on March 14. Intoxalock sells breathalyzer devices that fit into vehicle ignition switches, and is used by people who are required to provide a negative alcohol breath sample to start their car.
...
These breathalyzer devices need to be calibrated every few months or so, but the cyberattack has left Intoxalock unable to perform these calibrations. The company said customers whose devices require calibration may experience delays starting their vehicles.
...
According to local news reports across Maine, drivers are experiencing lockouts and some have been unable to start their vehicles. One auto shop in Middleboro told WCVB 5 in Boston that it has had cars parked in its lot all week due to the cyberattack.
- [US] The Federal Communications Commission (FCC) has just outlawed all new foreign-made routers.
Today, the Federal Communications Commission updated its Covered List to include all consumer-grade routers produced in foreign countries.
...
The Executive Branch determination noted that foreign-produced routers (1) introduce “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense” and (2) pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”
...
As outlined below, today’s action does not impact a consumer’s continued use of routers they previously acquired. Nor does it prevent retailers from continuing to sell, import, or market router models approved previously through the FCC’s equipment authorization process. By operation of the FCC’s Covered List rules, the restrictions imposed today apply to new device models
Geo-Politics
- The war in Iran is showing that NATO needs to re-think some of its defense strategies.
The takeaway from Iran's tactics is that adversaries are likely to combine precision weapons with cheap, mass-produced drones to overwhelm air defense systems so that the precision weapons can get through. Managing this threat means developing low-cost defensive weapons, produced and used at scale, to complement the interceptor missiles costing millions that are built to target aircraft and ballistic missiles.
...
Ukraine is ahead of NATO in one critical area – the ability to produce and deploy low-cost systems at scale. It is manufacturing tens of thousands of interceptor drones annually, and delivering them to frontline units at rates exceeding 1,500 per day.
Instead of relying solely on expensive interceptors, Ukraine has built a layered system in which cheap one-way interceptor drones - costing as little as $2,000 - now account for the majority of drone takedowns across the country.
- [US] As the partial government shutdown (Department of Homeland Security aka DHS funding) bites, Immigration and Customs Enforcement (ICE) officers are being called upon to fill in. They're moving in, with their usual grace.
In recent days, travelers have filmed lines with wait times estimated at several hours. Trump border czar Tom Homan told CNN that ICE agents would be deployed starting Monday to airports with the longest wait times. Homan said details of the plan were still under discussion.
Critics say having ICE agents at airports would increase tensions with travelers.
Federal agents have been seen making at least one arrest at San Francisco International Airport on Sunday night, according to eyewitness accounts. One video posted to TikTok shows unidentified, plain-clothed agents declining to identify themselves as they detain a person, including a child, past the security line at a terminal gate.
AI
- Interesting option, to wean household members off public Large Language Models (LLMs). It's a DNS-proxy, that redirects LLM domains to a local TCP proxy, and slows down the traffic. The idea is to make use of an LLM painful.
Nothing in here specific to LLMs, so the technique could also be used on other things, such as social-media sites (just modifythrottled-domains.txt).