InfoSec News 26FEB2026

General

  • ACSC is warning of a CVSS 10 vulnerability in the Cisco Catalyst Software Defined Wide Area Network (SD-WAN) Controller and Manager. Cisco's advisory indicates that exploitation has been underway for "at least three years (2023)".
Malicious cyber threat actors are targeting SD-WANs of organisations, globally. These actors exploited a Cisco Catalyst SD-WAN controller authentication bypass vulnerability, CVE-2026-20127. After exploitation of this vulnerability the malicious actors add a rogue peer, and eventually gain root access to establish long-term persistence in SD-WANs.
Cisco Talos is tracking the active exploitation of CVE-2026-20127, a vulnerability in Cisco Catalyst SD-WAN Controller, formerly vSmart, that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on the affected system by sending a crafted request to an affected system. Successful exploitation may allow the attacker to gain administrative privileges on the Controller as an internal, high privileged, non-root, user account.
...
After the discovery of active exploitation of the 0-day in the wild, we were able to find evidence that the malicious activity went back at least three years (2023). Investigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade. The actor then reportedly exploited CVE-2022-20775 before restoring back to the original software version, effectively allowing them to gain root access.
Since May 30 last year, non-critical infrastructure businesses with $3 million or more turnover have faced compulsory reporting to Home Affairs and the ASD, should they elect to pay a ransom.
...
The numbers show that between seven and 13 organisations with turnover of at least $3 million paid ransom every month, indicating that for larger businesses, such payments are a regular occurrence.
In addition to this, a Home Affairs spokesperson said that entities responsible for critical infrastructure - a cohort that also faces mandatory disclosure - made 19 ransomware payment reports in the eight months to January 2026.
That brings the total number of known ransomware payments by Australian organisations up to 94 for the period.
Liu Taizong, deputy director-general of the intellectual property department at the country’s top prosecutorial agency, said on Tuesday that prosecutors nationwide are increasing cases involving alleged theft of trade secrets and key technologies, as reported by state media.
From 2021 through 2024, authorities handled more than 1,200 business secret infringement cases, Liu said, with another 232 cases in the first 11 months of 2025, adding that enforcement is focusing on sectors including artificial intelligence, biomanufacturing and energy, as officials seek to counter what he described as growing risks of technology leakage.
...
The crackdown comes as Beijing continues to face long-standing criticism abroad over its own intellectual property practices, and raises questions about whether Western companies operating in China would receive equal protection under Beijing’s new enthusiasm for protecting IP.
Analysts at the Center for Strategic & International Studies have described China’s state-supported IP theft as “part of a larger industrial strategy” in which “China uses a variety of policies to displace Western companies, including investment, subsidies, barriers to trade, security regulations, procurement mandates, licit and illicit acquisition of foreign technology and Western firms.”
The United States and European countries have repeatedly accused Chinese companies and state-linked actors of stealing or improperly acquiring foreign technology — allegations China denies, saying technology transfers occur through legitimate business deals.
Back in 2019, the FBI described the Chinese government as “the world’s principal infringer of software, and theft of trade secrets is intellectual property” and, at that time, estimated the theft of trade secrets cost the U.S. economy up to $600 billion annually.
A Moscow resident has been accused of trying to extort money from the notorious Conti ransomware group by posing as an officer of Russia’s Federal Security Service (FSB), according to local media reports.
...
The scheme allegedly began in September 2022, when Satuchin contacted one of Conti’s members and claimed to have influence over law enforcement activities targeting the group, the sources said.
...
The gang fractured following a major leak in early 2022, when a person claiming pro-Ukraine sympathies published internal Conti chat logs, source code and infrastructure documents after the group publicly backed Russia’s invasion of Ukraine.

Getting Techy

  • Google's Threat Intelligence Group (GTIG) has disrupted a Chinese APT (UNC2814, aka Gallium, Granite Typhoon, Phantom Panda, Funky Dandelion) using a new backdoor they've dubbed "GRIDTIDE".
    Novel technique: a Google Sheets spreadsheet is used for command and control (C2) between the attackers and the victim machines. One cell carries incoming commands and outgoing responses; other cells are used for data.
It is important to highlight that UNC2814 has no observed overlaps with activity publicly reported as “Salt Typhoon,” and targets different victims globally using distinct tactics, techniques, and procedures (TTPs). Although the specific initial access vector for this campaign has not been determined, UNC2814 has a history of gaining entry by exploiting and compromising web servers and edge systems.
...
The threat actor used a service account to move laterally within the environment via SSH. Leveraging living-off-the-land (LotL) binaries, the threat actor performed reconnaissance activities, escalated privileges, and set up persistence for the GRIDTIDE backdoor.
...
Subsequently, SoftEther VPN Bridge was deployed to establish an outbound encrypted connection to an external IP address. VPN configuration metadata suggests UNC2814 has been leveraging this specific infrastructure since July 2018.
...
We assess the targeting of PII in this engagement is consistent with cyber espionage activity in telecommunications, which is primarily leveraged to identify, track, and monitor persons of interest. We expect UNC2814 used this access to exfiltrate a variety of data on persons and their communications. Similar campaigns have been used to exfiltrate call data records, monitor SMS messages, and to even monitor targeted individuals through the telco’s lawful intercept capabilities.
...
GRIDTIDE is a sophisticated C-based backdoor with the ability to execute arbitrary shell commands, upload files, and download files. The backdoor leverages Google Sheets as a high-availability C2 platform, treating the spreadsheet not as a document, but as a communication channel to facilitate the transfer of raw data and shell commands. GRIDTIDE hides its malicious traffic within legitimate cloud API requests, evading standard network detection.
...
GRIDTIDE’s C2 communication works on a cell-based polling mechanism, assigning specific roles to spreadsheet cells to facilitate communication.
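As an added defensive illustration (this is not GTIG's code and not a reconstruction of GRIDTIDE beyond what the post states), the Python below runs over constructed proxy-log lines and flags any host whose requests to the Sheets API arrive at near-constant intervals. That regularity is the signature a cell-polling C2 channel leaves even when every individual request is a legitimate-looking cloud API call. The log format, the host names and the spreadsheet ID are assumptions made for the example.

```python
"""Beacon-style polling detector for Google Sheets API traffic in proxy logs.

Added example, not GTIG's code and not GRIDTIDE. The log lines are constructed
for illustration; the field layout "<ISO-8601 ts> <src_host> <METHOD> <url>"
and the spreadsheet ID are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

SHEETS_HOST = "sheets.googleapis.com"

# Constructed sample: a database server polling one cell every ~30 s (what a
# cell-based C2 poll loop looks like) next to a laptop with a human's irregular
# Sheets usage and some unrelated Google API traffic.
SHEET_URL = ("https://sheets.googleapis.com/v4/spreadsheets/"
             "SPREADSHEET_ID_PLACEHOLDER/values/Sheet1!A1")
SAMPLE_LOG = [
    f"2026-02-24T09:00:00 bill-db-07 GET {SHEET_URL}",
    "2026-02-24T09:00:05 laptop-22 GET " + SHEET_URL,
    "2026-02-24T09:00:12 laptop-22 PUT " + SHEET_URL,
    f"2026-02-24T09:00:30 bill-db-07 GET {SHEET_URL}",
    f"2026-02-24T09:01:01 bill-db-07 GET {SHEET_URL}",
    "2026-02-24T09:01:10 bill-db-07 POST https://oauth2.googleapis.com/token",
    f"2026-02-24T09:01:30 bill-db-07 GET {SHEET_URL}",
    f"2026-02-24T09:02:00 bill-db-07 GET {SHEET_URL}",
    f"2026-02-24T09:02:30 bill-db-07 GET {SHEET_URL}",
    f"2026-02-24T09:03:01 bill-db-07 GET {SHEET_URL}",
    f"2026-02-24T09:03:30 bill-db-07 GET {SHEET_URL}",
    "2026-02-24T09:03:40 laptop-22 GET " + SHEET_URL,
    "2026-02-24T09:04:01 laptop-22 GET " + SHEET_URL,
    "2026-02-24T09:15:22 laptop-22 GET " + SHEET_URL,
    "2026-02-24T09:15:30 laptop-22 PUT " + SHEET_URL,
]


def parse_line(line):
    """Split one constructed proxy-log line into its fields."""
    ts, src, method, url = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "method": method, "url": url}


def find_polling_hosts(lines, min_requests=6, max_jitter=0.25):
    """Return hosts whose Sheets API requests look like fixed-interval polling.

    A host is flagged when it makes at least `min_requests` requests to the
    Sheets API and the coefficient of variation (stdev / mean) of the gaps
    between them is at most `max_jitter`. Interactive users produce irregular
    gaps; an implant polling a cell for commands produces near-constant ones.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # Only the Sheets API host matters here; other Google endpoints are ignored.
        if urlparse(rec["url"]).hostname == SHEETS_HOST:
            by_src[rec["src"]].append(rec["ts"])

    flagged = {}
    for src, stamps in by_src.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            flagged[src] = {"requests": len(stamps),
                            "mean_gap_s": round(avg, 1),
                            "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for host, stats in find_polling_hosts(SAMPLE_LOG).items():
        print(f"{host}: {stats}")
```

The threshold values are a starting point rather than tuned numbers: a real deployment would also weight the source (a database server or telco core host has no business talking to Sheets at all) and correlate with the SSH lateral movement and SoftEther VPN egress described above.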
In this post, we’ll walk through vulnerabilities we discovered in SolarWinds Web Help Desk that allowed us to achieve pre-auth RCE on what was, at the time, a fully patched instance.
Well-intentioned as always, our initial goal was to reproduce CVE-2025-26399 - a previously patched SolarWinds Web Help Desk deserialization RCE disclosed in 2025.
The vulnerabilities we discovered are:
CVE-2025-40552 / WT-2025-0099 - Authentication Bypass
CVE-2025-40553 / WT-2025-0100 - Remote Code Execution via Deserialization
CVE-2025-40554 / WT-2025-0101 - Authentication Bypass

Geo-Politics

  • [CN] More on China behaving badly - a "user with links to Chinese law enforcement" tried to use ChatGPT for smear campaigns against the Japanese Prime Minister.
The user, since banned by the AI giant, tried to convince the model to help them plan a smear campaign against Sanae Takaichi, Japan's first female prime minister, after she criticized the Chinese Communist Party for trampling human rights in Inner Mongolia.
...
The malicious activity OpenAI spotted included generating status reports on operations targeting Chinese dissidents and CCP critics, along with the specific covert op against Takaichi. The latter seemed to follow the structure of the original draft plan to discredit the Japanese politician, focusing on the same five areas – negative comments, immigration, living conditions, far-right links, and tariffs – and even provided the threat intel team with several operational details about the smear campaign.
...
"This is what Chinese, modern, transnational repression looks like," Nimmo said. "It's not just digital. It's not just about trolling. It's about trying to hit critics of the CCP with everything everywhere, all at once."
These cyber operations are "well resourced" and "meticulously planned," he added. "They target people who dare to criticize the CCP's record, not just at home, but anywhere in the world."
Russian authorities have launched a criminal investigation of Telegram founder and CEO Pavel Durov. He is allegedly charged with promoting and facilitating terrorist activity on the Telegram platform by failing to respond to law enforcement takedown requests.
...
They say Telegram has ignored more than 153,000 requests to remove illegal content sent by the Roskomnadzor and other agencies. Over 33,000 of them were allegedly related to sabotage, terrorism and extremist activity.
...
The publication says Durov and Telegram shared the phone numbers and IP addresses of Russian citizens with foreign governments, data that was allegedly used to launch attacks on civilian targets in Russia. Is it true? Highly unlikely. But the newspaper also called Durov a man "under foreign influence" and accused him of sacrificing the safety of Russian citizens to Western interests.
...
Following MAX's rollout, Russia began blocking Telegram voice and video calls in August, and began throttling the main Telegram instant messenger earlier this month, with the Roskomnadzor allegedly forcing a traffic degradation of around 55%.
...
This crackdown might also be driven by the Kremlin's desire to push Telegram's massive Russian userbase to its MAX messenger, which is still around the 3-6 million active users mark, depending on the source. A full Telegram block would without a doubt raise MAX adoption rates.

Privacy

  • Discord is pausing its age verification push whilst it works out how to explain the change to its users.
Vishnevskiy acknowledged the intense user backlash in the post and apologized for failing to communicate that any age verification system put in place will not affect more than 90% of Discord users. Internal Discord safety systems that make age determinations for adult users based on factors other than government ID spare many people from having to submit identification or a selfie, the blog post said.
“The way this landed, many of you walked away thinking we're requiring face scans and ID uploads from everyone just to use Discord,” the blog post said. “That's not what's happening, but the fact that so many people believe it tells us we failed at our most basic job: clearly explaining what we're doing and why. That's on us.”
The lawsuit argued that PowerSchool Holdings, its subsidiary Hobsons, Inc. and the analytics firm Heap Inc. collected sensitive personal data about millions of students by covertly recording their communications.
...
The lawsuit dates to August 2023 with allegations that while PowerSchool and Hobsons had advertised that they valued student privacy in reality they used online surveys, assessments and other tools to collect and obtain “sensitive and confidential” personal information about students, including student records and associated data.

AI

  • Poisoning AI chat with just one website. A BBC reporter shows how easy it is.
    Note: This is a RAG exploit, not (at least yet!) baked into model weights.
To demonstrate it, I pulled the dumbest stunt of my career to prove (I hope) a much more serious point:
 I made ChatGPT, Google's AI search tools and Gemini tell users I'm really, really good at eating hot dogs. Below, I'll explain how I did it, and with any luck, the tech giants will address this problem before someone gets hurt.
...
When you talk to chatbots, you often get information that's built into large language models, the underlying technology behind the AI. This is based on the data used to train the model. But some AI tools will search the internet when you ask for details they don't have, though it isn't always clear when they're doing it. In those cases, experts say the AIs are more susceptible. That's how I targeted my attack.
...
I spent 20 minutes writing an article on my personal website titled "The best tech journalists at eating hot dogs". Every word is a lie. I claimed (without evidence) that competitive hot-dog-eating is a popular hobby among tech reporters and based my ranking on the 2026 South Dakota International Hot Dog Championship (which doesn't exist). I ranked myself number one, obviously. Then I listed a few fake reporters and real journalists who gave me permission
...
Less than 24 hours later, the world's leading chatbots were blabbering about my world-class hot dog skills. When I asked about the best hot-dog-eating tech journalists, Google parroted the gibberish from my website, both in the Gemini app and AI Overviews, the AI responses at the top of Google Search. ChatGPT did the same thing, though Claude, a chatbot made by the company Anthropic, wasn't fooled.

Jamie Larson