InfoSec News 25FEB2026
General
- Good news from Microsoft - they appear to have learnt from the incident of Copilot accessing confidential email.
Microsoft is expanding data loss prevention (DLP) controls to block the Microsoft 365 Copilot AI assistant from processing confidential Word, Excel, and PowerPoint documents, regardless of their location.
...
Once the change is deployed, Copilot will not be able to read or process Word, Excel, or PowerPoint documents that are labeled as restricted by DLP controls.
Microsoft also stated that the changes will be automatically enabled for organizations with DLP policies configured to block Copilot from processing sensitivity-labeled content, without requiring any administrative action or changes.
- CrowdStrike have released their 'Annual Global Threat Report'. Some key callouts:
The average eCrime breakout time fell to 29 minutes in 2025, a 65% increase in speed from the prior year. The fastest breakout took just 27 seconds. In one intrusion, data exfiltration began within four minutes of initial access. The window to detect, decide, and respond has narrowed dramatically.
...
Notably, 82% of detections were malware-free. Intrusions moved through authorized pathways and trusted systems, blending into normal activity.
- https://www.crowdstrike.com/explore/2026-global-threat-report/2026-global-threat-report
- https://cyberscoop.com/crowdstrike-annual-global-threat-report-attack-breakout-time/
- Symantec/Carbon-Black researchers are attributing some Medusa ransomware attacks to the North Korean group Stonefly/Andariel (part of Lazarus).
For many years, Stonefly was thought to be solely engaged in espionage attacks, particularly against high-value targets. However, the group became involved in ransomware attacks approximately five years ago.
...
The indictment shed some light on the motivation behind Stonefly’s move into ransomware. It alleged that the group was using the proceeds of ransomware attacks to fund its espionage activities, including attacks against the defense, technology, and government sectors in the U.S., Taiwan and South Korea.
- https://www.security.com/threat-intelligence/lazarus-medusa-ransomware
- https://www.bleepingcomputer.com/news/security/north-korean-lazarus-group-linked-to-medusa-ransomware-attacks/
- https://therecord.media/north-korean-hackers-using-medusa-ransomware
- https://www.theregister.com/2026/02/24/north_koreas_lazarus_group_healthcare_medusa_ransomware/
- The (L3 Harris owned) Trenchant exec - who stole zero-days and hacking tools, selling them to a Russian broker - has been sentenced to seven years in prison.
The Russian broker "Operation Zero" and associated individuals (the owner, plus two Trickbot members) have been sanctioned under the "Protecting American Intellectual Property Act (PAIPA)"; apparently this is the first use of the act.
Peter Williams, the Australian-born former executive of Trenchant, admitted last October to stealing at least eight "software trade secrets" from his former US employer over a three-year period, beginning in 2022. He also admitted to receiving millions of dollars in cryptocurrency payments in exchange for selling the stolen hacking tools.
...
Trenchant, or L3Trenchant as it's formally known, was formed through the merging of two Australian firms – Azimuth and Linchpin Labs – after the US-based defense contractor L3Harris acquired the two companies in 2018. Azimuth was well-regarded in the intelligence community for creating valuable zero-day exploits and other hacking tools for the US and select allies.
...
Remarkably, Williams continued his crimes even while the FBI was investigating the theft, and while another employee at Trenchant was reportedly fired for stealing zero-day exploits for the Chrome browser from Trenchant and leaking them – a crime he says he didn't commit. As reported last year by TechCrunch, in February 2025 the worker says he was called into Trenchant's London office for a team-building exercise, but when he arrived he was ushered into a meeting room for a video call with Williams. Williams said the company suspected the employee of moonlighting for another company and seized his electronics and suspended him. He was subsequently fired, though Williams did not give a reason. The employee only learned from other workers later that the company suspected he had stolen the zero-day exploits.
- https://www.zetter-zeroday.com/trenchant-exec-who-sold-his-employers-zero-day-exploits-to-russian-buyer-sentenced-to-7-years-in-prison/
- https://home.treasury.gov/news/press-releases/sb0404
- https://www.state.gov/releases/office-of-the-spokesperson/2026/02/designation-of-russia-based-zero-day-exploits-broker-and-affiliates-for-theft-of-u-s-trade-secrets/
- https://cyberscoop.com/l3harris-executive-peter-williams-sentenced-zero-day-exploits-russia/
- https://therecord.media/sanctions-russian-exploit-broker-cyber
- https://techcrunch.com/2026/02/24/former-l3harris-trenchant-boss-jailed-for-selling-hacking-tools-to-russian-broker/
- https://techcrunch.com/2026/02/24/treasury-sanctions-russian-zero-day-broker-accused-of-buying-exploits-stolen-from-u-s-defense-contractor/
Getting Techy
- A researcher has unpicked the chain from UEFI Direct Memory Access (DMA) and the Input/Output Memory Management Unit (IOMMU, which controls that DMA), through to full BitLocker access of a machine.
TL;DR - from physical access, to reading the contents of an encrypted laptop.
Privacy
- [UK] The Information Commissioner's Office is taking a swipe at Reddit. Not for intentionally collecting the data on children, rather that they "failed to apply any robust age assurance mechanisms".
Reddit is pushing back, not wanting to collect private information on its users.
In July 2025, Reddit introduced age assurance measures that include age verification to access mature content and asking users to declare their age when opening an account. The ICO informed Reddit that relying on self-declaration presents risks to children as it is easy to bypass. The regulator is keeping Reddit’s processing of children’s personal information under review as part of ongoing work focusing on online platforms that primarily rely on self-declaration - an area of focus for the ICO.
...
Reddit's terms of service prohibited children under 13 years of age from using its platform, but despite that it did not have measures in place to check the age of users accessing its platform until July 2025.
"Reddit doesn't require users to share information about their identities, regardless of age, because we are deeply committed to their privacy and safety," the spokesperson added. "The ICO's insistence that we collect more private information on every UK user is counterintuitive and at odds with our strong belief in our users' online privacy and safety. We intend to appeal the ICO's decision."
- https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/02/reddit-issued-with-1447m-fine-for-children-s-privacy-failures/
- https://www.bleepingcomputer.com/news/security/uk-fines-reddit-19-million-for-using-childrens-data-unlawfully/
- https://therecord.media/reddit-children-age-checks-uk-ico-fine
- https://www.theregister.com/2026/02/24/ico_fines_reddit/