
Energy strategy, scammer accord, font-rendering attack

Mar 18, 2026 · 7 min

Summary

The episode covers the US Energy Department's new cyber strategy focusing on grid protection and public-private partnerships, alongside tech giants' accord to combat online scams. It also details a novel font-rendering attack fooling AI, Leaknet ransomware's new tactics, and international sanctions against Iranian and Chinese cyber threat actors. Finally, it discusses the UK Cyber Monitoring Centre's expansion plans and the Konni Group's targeted attacks via KakaoTalk.

Episode description

Energy Department to release first cyber strategy

Tech giants sign on to fight scammers

Font-rendering hides malicious commands from AI in plain sight

Get links to all our stories in the show notes: https://cisoseries.com/cybersecurity-news-energy-strategy-scammer-accord-font-rendering-attack/

Huge thanks to our episode sponsor, Adaptive Security

This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. Attackers don't need malware anymore; they need trust. Tip: set a simple passphrase for high-risk actions, like wire requests or "urgent" account recovery – especially within finance teams and families. If the caller can't answer it, pause and verify. Adaptive runs deepfake and vishing simulations so employees practice this before it's real. Learn more at adaptivesecurity.com.

Transcript

Intro / Opening

From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Wednesday, March eighteenth, twenty twenty six. I'm Rich Stroffolino.

US Cyber Strategy and Partnerships

Energy Department to release first cyber strategy. According to the acting director of the Office of Cybersecurity, Energy Security and Emergency Response, Alex Fitzsimmons, the US Department of Energy will release a strategic plan soon for how it intends to protect the energy grid from cyberattacks. This will supplement the recently released national cybersecurity strategy, which focuses on sector resilience. Fitzsimmons said this will rely heavily on public-private partnerships.

The strategy will also outline areas of investment for defensive AI deployments in the space, with Fitzsimmons noting that we're already seeing an increase in adversaries using it offensively.

Tech giants sign on to fight scammers. One of the pillars of the new US cybersecurity strategy is a greater public-private partnership to combat transnational cybercrime organizations. We're seeing that with the Energy Department. This is an extension of this larger strategy.

We're already seeing one example of this in practice. The online services accord against scams was signed by some of the biggest names in the industry, with Google, Microsoft, Meta, Amazon, OpenAI, Adobe, and Match Group all on board. This accord calls for increasing information sharing about scams seen on their individual platforms, both with others in tech and law enforcement agencies.

Each company is also committed to deploying new fraud detection tools and introducing new security features to users, then sharing any best practices from those with their fellow signees. It also calls for clear reporting mechanisms for users. The accord is voluntary with no enforcement mechanism.

Novel Attacks and Geopolitical Cyber Actions

Font rendering hides malicious commands from AI in plain sight. Researchers at LayerX released a proof-of-concept attack that uses custom font remapping and CSS to fool LLM-based tools while keeping a payload in clear sight in the browser. This takes advantage of the fact that an LLM looks at structured text rather than a full page render. AI tools scanning the PoC's HTML only see meaningless, unreadable content, but when it's rendered, it shows malicious instructions for a user.

LayerX found the approach worked on most major models from ChatGPT, Claude, Copilot, Gemini, and Grok. LayerX presented the findings to vendors in December, but most found this issue out of scope, saying it was a social engineering attack, with only Microsoft accepting and addressing the findings.

New tactics spotted for Leaknet. The Leaknet ransomware operation has been active since the end of 2024, but it's expanding its bag of tricks.

ReliaQuest spotted the group using a bring-your-own-runtime attack, using the legitimate open source Deno runtime for JavaScript and TypeScript to deploy a malware loader. The group first gains access through a ClickFix social engineering attack, then it uses the Deno-based loader to load a JavaScript payload into memory, thereby minimizing forensic evidence. Once executed, the malware connects to a C2 server to extract a secondary payload.

And now a huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. Attackers don't need malware anymore, they need trust. Tip: set a simple passphrase for high-risk actions like wire requests or urgent account recovery, especially within finance teams and families. If the caller can't answer it, pause and verify. Adaptive runs deepfake and vishing simulations, so employees practice this before it's real. Learn more at adaptivesecurity.com.

EU hits Iranian threat actors with sanctions. We've covered a number of cyberattacks from Iranian-linked groups, and now we're seeing an array of policy responses. The European Union issued new sanctions against the Iranian company Emennet Pasargad. Back in 2023, Microsoft found the company stole and sold data from the French magazine Charlie Hebdo on illicit forums. These sanctions freeze assets of the company held at European institutions and ban EU businesses from interacting with them.

The EU also issued sanctions against two Chinese firms. Integrity Technology Group was sanctioned for targeting critical infrastructure and selling information to hack-for-hire services. And Anxun Information Technology received sanctions for taking part in the Flax Typhoon attacks on EU institutions.

China-nexus group dwelling for years in military networks.

New research from Palo Alto's Unit 42 found that a China-nexus threat group breached military networks in Southeast Asia as far back as 2020. This used at least two novel backdoor malware variants and a version of the Get Pass credential-stealing tool. The attackers used this access for highly targeted intelligence collection, looking for specific files on military capabilities, organizational structures, and collaborative efforts with Western armed forces.

The operators use multiple Dropbox accounts as dead drop resolvers, allowing them to post to legitimate services with embedded domains to hide activity. The researchers say the custom malware and focused approach indicate a highly sophisticated threat actor.

Global Cyber Monitoring and Threat Groups

UK CMC looking to expand to the US. The UK-based nonprofit Cyber Monitoring Centre opened in February 2025, assessing the economic impacts of cyber incidents in the country with a 0-5 scale modeled after scales used for natural disasters; think something like the Richter scale. This is based on evaluating the financial cost against the estimated affected population. This is complemented with an in-depth report on the incident and financial ramifications.

In twenty twenty five, CMC released analyses of the Marks & Spencer retail attacks and the Jaguar Land Rover attacks. At a recent event in London, CMC Head of Operations Ruth Goodwin said establishing a US Cyber Monitoring Center was on its roadmap for twenty twenty six, with plans to start issuing reports in twenty twenty seven.

Konni Group targeting KakaoTalk. The South Korean threat intel firm Genians spotted a new campaign by the North Korea-linked group Konni.

This targets victims with a spear-phishing email that appears as a notice for appointment as a North Korean human rights lecturer. This contains a malicious LNK file that installs the EndRAT Trojan, enabling remote access and extended dwell time on infected systems.

The attackers then use this to exfiltrate system data and access the KakaoTalk app to spread further malware to contacts. These secondary attacks don't just spray and pray to the entire contact list, but seem targeted at specific individuals.

Remember to subscribe to the CISO Series YouTube channel. We have original interviews, demos, and Shorts videos posted daily. Plus, you'll stay up to date on the latest CISO Series announcements.

If that sounds good to you, head on over to YouTube, look for the CISO Series, and subscribe. And if you have some thoughts about the news from today, or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day. Cybersecurity Headlines are available every Head to cisoseries.com for the full stories behind the headlines.
