InfoSec News 19FEB2026

General

  • Some retro-vibes with 'GRIMBOLT', the replacement for the 'BRICKSTORM' malware. It starts with a "Hardcoded Credential Vulnerability" and moves on to malware packed using UPX (Ultimate Packer for eXecutables) - tricks dating back to 2009/2010 Stuxnet. Other interesting tricks include adding new NICs (Network Interface Controllers) to virtual machines to help with access, and magic packets (containing an attacker-selected string) that open up new ports with iptables (software firewall).
Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence.
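The magic-packet trick above ends with a rule being added to the host firewall to open a port, so one defensive check is to diff the live ruleset against an approved baseline. This is an added example, not code from the GRIMBOLT report: it parses `iptables -S` style output (constructed sample rules; the helper names are mine) and flags ACCEPT rules for ports the baseline never opened.

```python
"""Flag firewall port openings that are absent from the approved baseline.

Added example (not from the GRIMBOLT report). Parses the one-rule-per-line
format of `iptables -S`; the sample dumps below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: the approved baseline versus what the host reports now.
BASELINE = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""
CURRENT = BASELINE + """\
-A INPUT -p tcp -m tcp --dport 31337 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j DROP
"""

# Matches only port-specific rules: chain, optional protocol, dport, target.
RULE_RE = re.compile(r"^-A (\S+)(?: -p (\S+))?.*?--dport (\d+).*?-j (\S+)$")


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: str
    port: int
    target: str


def parse_rules(dump: str) -> set[Rule]:
    """Return the port-specific rules found in an `iptables -S` style dump."""
    rules = set()
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain, proto, port, target = m.groups()
            rules.add(Rule(chain, proto or "all", int(port), target))
    return rules


def new_accept_rules(baseline: str, current: str) -> list[Rule]:
    """ACCEPT rules in `current` that open a port the baseline did not."""
    added = parse_rules(current) - parse_rules(baseline)
    return sorted((r for r in added if r.target == "ACCEPT"),
                  key=lambda r: (r.chain, r.proto, r.port))


if __name__ == "__main__":
    for r in new_accept_rules(BASELINE, CURRENT):
        print(f"ALERT: chain {r.chain} now accepts {r.proto}/{r.port}")
```

Run it from a scheduled job against a saved baseline; a hit is worth correlating with process and network logs from the same window.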
We are convinced that Agentic Endpoint Security will soon become a standard requirement for enterprise security. Upon closing the proposed acquisition, we intend to integrate Koi’s capabilities across our platforms to help our customers secure the AI-native workspace.
Palo Alto Networks says Koi’s technology would be integrated into its Prisma AIRS AI security platform and would enhance the company’s Cortex XDR endpoint product. The stated goal is better visibility into AI-driven activity on endpoints and additional controls over tools that fall outside conventional security monitoring.

"Impact is specific to some users located in Europe and United States who are served through the affected infrastructure attempting to send and receive chat messages that include inline media (images, code snippets, videos)."
...
Microsoft is also working to resolve an incident that blocks users from joining some Microsoft Teams meetings via the "Join" button in the meeting chat (tracked as TM1231009), and another incident that prevents some users from adding (or updating) Copilot Studio agents to Microsoft Teams (TM1218513).

the inquiry will examine whether X Internet Unlimited Company (X's EU subsidiary) complied with core GDPR obligations, including the principles of lawful processing, data protection by design, and the requirement to conduct data protection impact assessments.
"The DPC has been engaging with XIUC since media reports first emerged a number of weeks ago concerning the alleged ability of X users to prompt the @Grok account on X to generate sexualised images of real people, including children," said Deputy Commissioner Graham Doyle on Tuesday.
...
As the lead EU supervisory authority, the DPC's investigation carries particular weight, as its findings could result in substantial fines enforceable across all 27 EU member states and the three European Economic Area countries (Iceland, Liechtenstein, and Norway).

Getting Techy

  • Kaspersky have uncovered a new Android trojan, which they've dubbed "Keenadu". Of particular concern: in at least one case it appears to have been integrated into device firmware and delivered as part of standard Over The Air (OTA) updates.
After analyzing the initial infection stages, we set out to determine exactly how the backdoor was being integrated into Android device firmware. Almost immediately, we discovered public reports from Alldocube tablet users regarding suspicious DNS queries originating from their devices. This vendor had previously acknowledged the presence of malware in one of its tablet models.
...
the initial Alldocube iPlay 50 mini Pro NFE firmware (released November 7, 2023) was clean – unlike other models’ initial firmware. However, every subsequent version, including the latest release from May 20, 2024, contained Keenadu.
...
Infected apps have managed to infiltrate Google Play too. During our research, we identified trojanized software for smart cameras published on the official Android app store. Collectively, these apps had been downloaded more than 300,000 times.
...
Currently, we have confirmed links between Triada, Vo1d, and BADBOX, as well as the connection between Keenadu and BADBOX.

Geo-Politics

  • [CN] It's not just Volt Typhoon and their attacks on communications infrastructure we need to worry about - Chinese attackers have also been digging into power systems and other critical infrastructure.
an existing group that Dragos tracks as Voltzite and is "highly correlated" with Volt Typhoon, according to Dragos CEO Robert M. Lee, kept up its intrusion activities last year. This is the Beijing goon squad that the US government has accused of burrowing into critical American networks for years and readying destructive cyberattacks against those targets.
...
"Nothing that they were taking was useful for intellectual property," Lee said. "Everything they were doing and learning was only useful for disrupting or causing destruction at those sites. Voltzite was embedded in that infrastructure for the purpose of taking it down."
...
Sylvanite exploits known vulnerabilities in internet-facing products from F5, Ivanti, and SAP to provide Voltzite access into electric power generation, transmission and distribution, water, sewage, and oil and gas organizations across North America, the UK, Europe, Asia and the Middle East.

The threat actor distributed malicious files bundled with authentic protest footage and a Farsi-language report described as providing updates from “the rebellious cities of Iran.” Two files in the archive, disguised as a video and an image, delivered a previously undocumented malware strain that researchers dubbed CRESCENTHARVEST.
The malware functions as both a remote access trojan and an information stealer. It is capable of executing commands, logging keystrokes and extracting sensitive data, including saved credentials, browsing history, cookies and Telegram account information.

Mwangi was arrested last July against a backdrop of mass protests against extrajudicial killings by Kenyan authorities. He was released on bail and his phone was returned to him in September, according to the report. A criminal case against him is ongoing.
He immediately noticed the phone’s password protection had been removed and asked the Citizen Lab to analyze it.
Researchers found traces of an application — which appeared under the name com.client.appA — known to be linked to Cellebrite’s data extraction technology.
Following the widely-condemned arrest in July 2025 of prominent Kenyan opposition voice Boniface Mwangi, the Citizen Lab analyzed artefacts from devices seized during the arrest. We found that Cellebrite’s forensic extraction tools were used on his Samsung phone while it was in police custody. This case adds to the concerning pattern of the misuse of Cellebrite technology by government clients.

Privacy

  • [US] An interesting legal case to watch - a suit has been filed in the US testing a recent (April 2025) Department of Justice (DOJ) regulation, the Data Security Program. It will test whether trackers on a website violate the rule "implemented to prevent adversarial countries from acquiring large quantities of behavioral data which could be used to surveil, analyze, or exploit American citizens' behavior."
In April 2025, the U.S. Department of Justice implemented the Data Security Program, a national security program codified at 28 C.F.R. Part 202, known as “Bulk Data Transfer Rule,” and more formally known as the “Rule Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (the “Bulk Sensitive Data Transfer Rule” or the “DOJ Rule”).
The impetus for the DOJ Rule was that the U.S. government determined that the export of Americans’ behavioral data to hostile foreign regimes or entities under their jurisdiction constitutes an “unusual and extraordinary threat . . . to the national security and foreign policy of the United States that has been repeatedly recognized across political parties and by all three branches of government.”
...
As detailed herein, Lenovo knowingly and systematically used communications and associated covered personal identifiers intercepted from American citizens for the purpose of sharing U.S. consumers’ data with covered persons without the safeguards required by U.S. law.
...
When a user lands on the homepage of Website, the Website loads numerous first- and third-party tracking implementations that measure and record user data.
...
Through the Tracking Technologies, Lenovo collects bulk personal data, from users of the Website. This data includes persistent identifiers—including IP addresses, advertising IDs, and cookie data—and the full-page context—including full-string URLs revealing the pages viewed and product viewed.

AI

The company is ramping up work on smart glasses, a pendant that can be pinned to a shirt or worn as a necklace, and AirPods with expanded AI capabilities, according to people with knowledge of the plans. All three devices are being built around the Siri digital assistant, which will rely on visual context to carry out actions.
...
The AirPods and pendant are envisioned as simpler offerings, equipped with lower-resolution cameras designed to help the AI work rather than for taking photos or videos. The glasses, meanwhile, will be more upscale and feature-rich.
...
The company stopped development last year of a cheaper and lighter version of its Vision Pro headset dubbed N100. It was meant to be a bridge toward the AR devices, but Apple ultimately chose to focus on glasses rather than a more enclosed headset design.

Alpha School, an “AI-powered private school” that heavily relies on AI to teach students and can cost up to $65,000 a year, is AI-generating faulty lesson plans that internal company documentation finds sometimes do “more harm than good,”
...
“All educational content is obsolete. Every textbook, every lesson plan, every test, all of it is obsolete because gen AI is going to be able to deliver a personalized lesson just for you,” Joe Liemandt, Alpha School’s “principal”
...
“Poorly constructed questions do more harm than good,” another Alpha School employee testing AlphaRead wrote. “They confuse students with unclear wording and illogical choices, undermining their trust in the assessment process. These questions not only fail to meet SAT standards but also fall short of the quality we promise to deliver.”
...
“When a student requires help with additional questions, the chatbot fails to identify which specific question is being addressed,” an internal Alpha School document outlining issues with AlphaRead says. “Accuracy of the content provided by the [AI] tutor is a concern. There are instances where it not only delivers incorrect answers but also provides convincing yet flawed justifications. Despite raising multiple queries about a particular answer, the chatbot erroneously confirmed an incorrect option as correct.”
...
Alpha School makes an app called StudyReel, which monitors activity on a student’s screen, their computer camera and microphone, what apps and websites they’re using, and how they’re moving their mouse.
...
“The idea of installing software that tracks and records everything our kids do and is designed to not let us turn it off is understandably uncomfortable,”
...
Alpha School maintains a spreadsheet which contains a list of student names, their grade, and an archive of their recordings which shows what’s happening on their screen, their remote tutor, and a video of the student taken via their webcam. This spreadsheet is not only available to anyone at the company, but is also shared in such a way that anyone on the internet who has the link can access the spreadsheet and the videos of students.
