InfoSec News - 25MAR2026
General
- Sigh - it didn't take long for Tycoon2FA to rebuild and return to its prior service levels. It appears that the operators haven't changed their ways, and are still using all of the same Tactics, Techniques and Procedures (TTPs).
Since the date of the Tycoon2FA takedown, the CrowdStrike ...team observed a short-term decrease in the volume of Tycoon2FA campaign activity; however, the volume of cloud compromises has since increased to levels previously observed by Falcon Complete. This resumed campaign volume — and the continuation of previously observed Tycoon2FA tactics, techniques, and procedures (TTPs) — suggests the actors responsible for the PhaaS are likely to remain active in the threat landscape in the short to medium term and warrant continued vigilance by defenders.
- https://www.bleepingcomputer.com/news/security/tycoon2fa-phishing-platform-returns-after-recent-police-disruption/
- https://www.crowdstrike.com/en-us/blog/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown/
- Another person associated with the RaaS ecosystem has been sentenced in a US court.
A Russian national was sentenced to nearly 7 years in prison after pleading guilty to acting as an initial access broker (IAB) for Yanluowang ransomware attacks.
...
Volkov said that he breached corporate networks and sold that access to the Yanluowang ransomware-as-a-service (RaaS) operation, whose affiliates encrypted victims' data and sent ransom demands ranging from $300,000 to $15 million.
He was extradited to the U.S. after being arrested in Italy in January 2024. U.S. prosecutors charged him after the Yanluowang gang stole non-sensitive files from a Cisco employee's Box folder, but failed to encrypt systems and collect a ransom.
...
They also traced Volkov's identity through Apple iCloud data, cryptocurrency exchange records, and social media accounts (including a Twitter account) linked to his Russian passport and phone number.
- https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-access-broker-gets-81-months-in-prison/
- https://cyberscoop.com/aleksei-volkov-russian-initial-access-broker-sentenced-ransomware/
- Firefox is rolling out free VPN functionality to some markets (US, UK, Germany, France).
Mozilla released Firefox 149 with added privacy protection through a built-in VPN tool offering up to 50GB of monthly traffic.
...
Starting today, the built-in VPN feature will roll out progressively to users in the U.S., UK, Germany, and France. Currently, there is no timeline for expanding the service to more regions.
- Problems accessing Exchange on your mobile? You're not alone - Microsoft is rolling back the change that caused the issues.
Microsoft is working to address an ongoing service issue that has intermittently prevented some users from accessing their cloud-based Exchange Online mailboxes via Outlook mobile and Mac desktop clients since Thursday.
After investigating the incident (tracked under EX1256020), Microsoft found that the root cause was a newly introduced virtual account.
On Saturday, Microsoft began working to revert the change as a possible long-term solution to mitigate the impact, after failing to address the problem by restarting the affected infrastructure.
- Turns out that supply-chain attacks, like the Trivy compromise mentioned yesterday, are quite effective. As the group gathers up more credentials in each wave of attacks, expect the potential blast radius to keep growing.
"We know of over 1,000 impacted SaaS environments right now that are actively dealing with this particular threat actor," Mandiant Consulting CTO Charles Carmakal said during a Google event on the outskirts of the annual RSA Conference in San Francisco.
"That 1,000-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000," he continued. "And we know that these actors are collaborating with a number of other actors right now."
- https://www.theregister.com/2026/03/24/1k_cloud_environments_infected_following/
- https://cyberscoop.com/trivy-supply-chain-attack-aqua-downstream-extortion-fallout/
- [US] Stryker - the medical company that suffered a wiper attack from (Iran's) Handala - is slowly coming back online.
The medical device firm Stryker said it is ramping production lines back up two weeks after alleged Iranian cyber actors wiped more than 200,000 company devices.
- https://therecord.media/stryker-cyberattack-malware-iran
- https://www.cybersecuritydive.com/news/stryker-confirms-cyberattack-is-contained-and-restoration-underway/815427/
- [US] There is a claim of a large breach at Lockheed Martin by "APT Iran". If true, and linked to Iran, then their demand for $400m not to leak the data sounds hollow (of course they'd leak it anyway).
The threat actor, tracked as APT Iran, claims to have stolen 375 terabytes of data from the aerospace and defense industry company, according to information from multiple security researchers, including Flashpoint and Check Point Software.
The group claims to have copies of blueprints of F-35 aircraft, which is America’s most advanced jet fighter, and other corporate information, according to Flashpoint.
The group has since posted additional claims demanding more than $400 million in return for not selling the information to adversaries of the U.S., according to information from Halcyon.
Getting Techy
- Another day, another crypto-currency (Decentralised Finance, aka DeFi) theft.
“Earlier today, a malicious actor gained unauthorized access to Resolv infrastructure through a compromised private key, resulting in the minting of approximately $80 million of uncollateralized USR,” the company said.
- https://www.chainalysis.com/blog/lessons-from-the-resolv-hack/
- https://therecord.media/hacker-breaches-resolv-defi-25-million
- Team Cymru (confusingly based in the US, not Wales) found an open web server hosting the tools for the "Beast" Ransomware-as-a-Service operation.
Geo-Politics
- [AU] An "Independent Review of the Security of Critical Infrastructure Act" suggests the government has some work to do...
The overarching conclusion is that the SOCI Act requires major legislative change to remove complexity and confusion while becoming more agile and responsive.
...
Stakeholder feedback revealed a need for clarity in the SOCI Act, for the removal of regulatory duplication and visible enforcement action and clearer accountability mechanisms
...
The SOCI Act is perceived as too reactive and too slow compared to evolving risks, despite multiple previous modifications
Privacy
- This is just plain creepy - a company is recording Zoom meetings without any permission, adding AI-generated summaries in chat-show format, and publishing it all to the web.
a page on WebinarTV.us which featured a full recording of the Zoom recording, an AI-generated video summary of the meeting, “chapters” that sent the viewers to different parts of the meeting, and an AI-generated episode of the “Phil & Amy Show,” in which two AI-generated personalities discuss the content of the call, including quips and rapport between Phil and Amy.
- https://www.404media.co/this-company-is-secretly-turning-your-zoom-calls-into-ai-podcasts/ / https://archive.is/TYd4L
- [US] The Record has published an interview with the author of a new book on privacy and surveillance in the US. Whilst the legal element doesn't translate well to other jurisdictions, the underlying technology (and the privacy invasions it enables) does.
His new book ... reveals the shocking ways law enforcement can mine virtually any data about citizens from doorbell and automated license plate reader cameras, connected cars, apps, Google searches and other digital tools that are now widely used.
AI
- Looks like delivery robots still aren't ready for prime time.
A Serve Robotics food delivery robot crashed through the glass wall of a bus stop shelter in Chicago earlier this week, shattering the glass all over the sidewalk.
...
In 2022, a Serve robot drove underneath police caution tape and through what was at the time considered to be an active crime scene
- The UK NCSC has written an article exploring the potential impact of increased AI-coding capabilities on the use of SaaS. It takes a long-term view of the situation.
I think a challenge the security community will face is that no one yet knows exactly what we need to introduce to ensure the ‘vibe coded future’ is a safer one. There is a call to action here for the security community on research, and broad opportunities for new companies to emerge around this. If we face this challenge head on from the start, we have a chance to introduce some strong security fundamentals. More worryingly, if security professionals don’t lean in from the start, the landscape will evolve without this crucial input, as was arguably the case in the early years of cloud adoption.
- https://www.ncsc.gov.uk/blogs/vibe-check-ai-may-replace-saas-but-not-for-a-while
- https://therecord.media/vibe-coding-uk-security-risk
- OpenAI is closing down Sora - its video-generation app - and with it losing an investment pledge from Disney worth US$1b. Apparently, it's not getting out of video generation entirely.
“We’re saying goodbye to Sora. To everyone who created with Sora, shared it, and built community around it: thank you,” the company said in a statement. “What you made with Sora mattered, and we know this news is disappointing. We’ll share more soon, including timelines for the app and API and details on preserving your work.”
A source familiar with the matter tells The Hollywood Reporter that Disney is also exiting the deal it signed with OpenAI last year, in which it pledged to invest $1 billion in the company and agreed to license some of its characters for use in Sora.