FBI Declares Suspected Chinese Hack of U.S. Surveillance System a ‘Major Cyber Incident’
Article Link: https://www.politico.com/news/2026/04/01/fbi-hack-surveillance-system-major-incident-00854237?ref=readtangle.com
- The Federal Bureau of Investigation (FBI) classified a China-linked breach of an internal surveillance system as a major cyber incident under the Federal Information Security Management Act of 2002 (FISMA), confirming exposure of law enforcement sensitive data.
- Officials said attackers accessed the system through a commercial internet service provider’s vendor infrastructure, using advanced techniques to reach FBI networks.
- The compromised data includes pen register and trap and trace records along with personally identifiable information (PII) tied to investigations, raising national security and counterintelligence concerns.
- Officials said the FBI acted quickly to address the intrusion, although the breach was described as “embarrassing” given the actors involved, who are typically the focus of FBI tracking efforts, prompting required congressional notifications and response actions.
Researchers Observe Sub-One-Hour Ransomware Attacks
Article Link: https://www.infosecurity-magazine.com/news/researchers-subonehour-ransomware/
- Researchers at Halcyon reported that the Akira ransomware group can complete a full attack lifecycle in under one hour, marking a sharp increase in attack speed.
- Akira gains access by exploiting internet-facing VPN and backup systems without MFA, while also using credential theft, phishing, and access brokers to enter networks.
- The group steals data before encryption, uses built-in system tools to avoid detection, and has generated up to $244 million since emerging in March 2023.
- Halcyon recommends hardening access points, restricting remote services, watching for data staging, maintaining tested recovery processes, and deploying anti-ransomware tools to block attacks before execution.
- FRSecure experts strongly emphasize, at a minimum, using fully air-gapped and immutable backups, keeping them off the domain, enforcing MFA, including edge devices in vulnerability management, and not relying solely on MSPs.
New EvilTokens Service Fuels Microsoft Device Code Phishing Attacks
Article Link: https://www.bleepingcomputer.com/news/security/new-eviltokens-service-fuels-microsoft-device-code-phishing-attacks/
- Researchers at Sekoia reported a phishing-as-a-service kit called EvilTokens that enables attackers to hijack Microsoft accounts using device code authentication flows.
- The kit tricks users into entering verification codes on legitimate Microsoft login pages after interacting with phishing lures disguised as business documents or trusted services.
- Once authenticated, attackers obtain access and refresh tokens, granting access to email, files, Teams data, and single sign-on capabilities across Microsoft services.
- Sekoia identified global campaigns targeting multiple industries and recommends using indicators of compromise (IoCs) and detection rules to identify and block EvilTokens-related activity.
- FRSecure notes that this is a good opportunity to reinforce Conditional Access policies that restrict token use to trusted devices, locations, and applications after authentication.
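As an added illustration of the post-authentication controls recommended above (example code written for this digest, not Sekoia's detection rules or any Microsoft tooling), the script below evaluates a batch of sign-in events against a Conditional-Access-style trust policy: device-code sign-ins are checked for approved client app, trusted country and managed device, and a later refresh-token use from a different network than the sign-in that minted it is flagged. The event field names and sample records are constructed assumptions loosely modelled on Entra ID sign-in logs.

```python
from dataclasses import dataclass


@dataclass
class TokenTrustPolicy:
    """Conditional-Access-style limits on device-code sign-ins and later token use."""
    allowed_countries: set[str]
    device_code_apps: set[str]      # client apps that legitimately use device code
    require_managed_device: bool = True


def evaluate(events: list[dict], policy: TokenTrustPolicy) -> list[str]:
    """Return one finding per policy violation, in event order."""
    findings: list[str] = []
    origin: dict[str, dict] = {}    # user -> device-code sign-in that minted the tokens
    for ev in events:
        user = ev["user"]
        if ev["event"] == "signin" and ev["protocol"] == "deviceCode":
            origin[user] = ev
            if ev["app"] not in policy.device_code_apps:
                findings.append(f"{user}: device-code sign-in via unapproved app {ev['app']}")
            if ev["country"] not in policy.allowed_countries:
                findings.append(f"{user}: device-code sign-in from untrusted country {ev['country']}")
            if policy.require_managed_device and not ev["device_managed"]:
                findings.append(f"{user}: device-code sign-in from unmanaged device")
        elif ev["event"] == "token_refresh" and user in origin:
            # Heuristic: a refresh token used from a different network than the
            # sign-in that minted it suggests the token has left the user's device.
            first = origin[user]
            if (ev["ip"], ev["country"]) != (first["ip"], first["country"]):
                findings.append(f"{user}: refresh token used from {ev['ip']} ({ev['country']}), minted at {first['ip']} ({first['country']})")
    return findings


# Constructed sample events; field names are an assumption, not a real tenant export.
SAMPLE_EVENTS = [
    {"event": "signin", "user": "alice@example.com", "protocol": "deviceCode", "app": "Microsoft Office",
     "ip": "198.51.100.7", "country": "US", "device_managed": True},
    {"event": "signin", "user": "bob@example.com", "protocol": "deviceCode", "app": "Azure CLI",
     "ip": "198.51.100.8", "country": "US", "device_managed": True},
    {"event": "token_refresh", "user": "alice@example.com", "ip": "203.0.113.10", "country": "NL"},
    {"event": "token_refresh", "user": "bob@example.com", "ip": "198.51.100.8", "country": "US"},
    {"event": "signin", "user": "dave@example.com", "protocol": "deviceCode", "app": "Azure CLI",
     "ip": "192.0.2.44", "country": "BR", "device_managed": False},
]
POLICY = TokenTrustPolicy(allowed_countries={"US", "CA"}, device_code_apps={"Azure CLI"})


def run_sample() -> list[str]:
    return evaluate(SAMPLE_EVENTS, POLICY)
```

Running `run_sample()` yields four findings: two for alice (Office is not an approved device-code client, and her refresh token is later used from a Dutch address) and two for dave (untrusted country, unmanaged device), while bob's sign-in and refresh pass.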
LinkedIn Phishing Scam Uses Fake Notifications to Hijack Accounts
Article Link: https://hackread.com/linkedin-phishing-scam-fake-notificatioms-hijack-accounts/
- Researchers at Cofense Phishing Defense Center uncovered a phishing campaign using fake LinkedIn notifications and lookalike domains to steal login credentials and hijack accounts.
- The emails mimic real LinkedIn alerts, using urgency and business opportunity themes to lure users into clicking links that redirect to fraudulent login pages.
- Attackers use spoofed domains like “inedin.digital” to capture usernames and passwords, gaining full access to professional accounts and sensitive data.
- Cofense PDC advises verifying sender addresses and inspecting links before clicking, as newly created domains and mismatched URLs can reveal fraudulent activity.
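To make the sender-address and link checks above concrete, here is an added example (not Cofense's tooling) that classifies a link or sender address against the legitimate brand domain: it extracts the host, compares the registrable domain with linkedin.com, flags the brand name appearing in a subdomain, and catches typo-squats such as the "inedin.digital" domain named above with a small edit-distance check. The two-label registrable-domain rule is a stated simplification that ignores multi-part public suffixes.

```python
from urllib.parse import urlsplit

LEGIT = "linkedin.com"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch typo-squats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification (assumption): ignores multi-part
    public suffixes such as co.uk, which a production check would take from the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url_or_addr: str, legit: str = LEGIT) -> tuple[str, str]:
    """Classify a URL or e-mail address against the legitimate brand domain.

    Returns (verdict, reason) with verdict in {"legitimate", "lookalike", "unrelated"}.
    """
    if "@" in url_or_addr and "://" not in url_or_addr:
        host = url_or_addr.rsplit("@", 1)[1]          # sender address: take the domain part
    else:
        host = urlsplit(url_or_addr).hostname or ""   # link: take the host part
    host = host.lower()
    reg = registrable_domain(host)
    brand = legit.split(".")[0]
    if reg == legit:
        return "legitimate", f"registrable domain is {legit}"
    # Brand name used as a subdomain or embedded in the registrable label.
    if brand in host:
        return "lookalike", f"'{brand}' appears in {host} but registrable domain is {reg}"
    # Typo-squat: registrable label within a short edit distance of the brand.
    label = reg.split(".")[0]
    dist = levenshtein(label, brand)
    if dist <= max(2, len(brand) // 4):
        return "lookalike", f"'{label}' is {dist} edits from '{brand}'"
    return "unrelated", f"registrable domain {reg} shares nothing with {legit}"
```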
Quantum Computers Need Vastly Fewer Resources Than Thought to Break Vital Encryption
Article Link: https://arstechnica.com/security/2026/03/new-quantum-computing-advances-heighten-threat-to-elliptic-curve-cryptosystems/
- New research shows quantum computers may need far fewer resources than expected to break elliptic-curve cryptography (ECC), a core security method used across modern systems.
- Two papers demonstrated advances using neutral atom architectures and improved algorithms, including breaking ECC-256 in 10 days with fewer than 30,000 qubits and in under 10 minutes using optimized circuits.
- The findings point to accelerating progress toward cryptographically relevant quantum computing, with implications for financial systems, digital communications, and blockchain technologies.
- Researchers note the work is not yet peer-reviewed but emphasize steady progress, reinforcing the push to transition widely used systems to post-quantum cryptographic standards.
- Research Papers: https://arxiv.org/abs/2603.28627; cryptocurrency-whitepaper.pdf
CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation
Article Link: https://thehackernews.com/2026/03/cisa-adds-cve-2025-53521-to-kev-after.html
- The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53521, a critical flaw in F5 BIG-IP APM, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation.
- The vulnerability allows remote code execution through malicious traffic when APM access policies are configured, and was reclassified from denial-of-service after new findings in March 2026.
- F5 confirmed exploitation in the wild, with reports of scanning activity targeting vulnerable systems and techniques including web shell deployment and system modification.
- CISA directed federal agencies to apply patches by March 30, 2026, while F5 provided indicators of compromise to help detect affected systems and guide response efforts.
- CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-53521
Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise
Article Link: https://thehackernews.com/2026/04/cisco-patches-98-cvss-imc-and-ssm-flaws.html
- Cisco released patches for two critical vulnerabilities, CVE-2026-20093 and CVE-2026-20160, affecting IMC and Smart Software Manager On-Prem, both rated 9.8 in severity.
- The flaws allow unauthenticated attackers to send crafted requests that bypass authentication, change user passwords, or execute commands with root-level access.
- Affected systems include enterprise compute platforms and server environments, creating risk of full system compromise across impacted deployments.
- Cisco issued fixes with no available workaround, recommending customers update to patched versions to prevent unauthorized access and system control.
- Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn
Anthropic Accidentally Leaks Claude Code
Article Link: https://securityaffairs.com/190229/data-breach/anthropic-accidentally-leaks-claude-code.html
- Anthropic accidentally exposed over 500,000 lines of Claude Code source code through a public npm release after a debug file was included.
- The exposure was attributed to a packaging error caused by human mistake, not a breach, and did not involve customer data or credentials.
- The leaked code revealed internal architecture, memory systems, and future development plans, giving insight into how the AI operates and is designed.
- Anthropic said it is introducing measures to prevent similar release issues, as the incident highlights risks tied to software distribution and internal code exposure.
Man Admits to Locking Thousands of Windows Devices in Extortion Plot
- A former infrastructure engineer pleaded guilty to locking administrators out of hundreds of servers and thousands of Windows systems in an extortion attempt against his employer.
- According to court documents, Daniel Rhyne used an administrator account to delete accounts, reset passwords across domain users and admins, and schedule shutdowns across systems.
- The attack impacted 254 servers and more than 3,000 workstations, with ransom demands of 20 bitcoin (nearly $1.4 million) and threats to continue disrupting operations.
- Investigators identified premeditation through web searches and hidden virtual machine activity, with charges carrying up to 15 years in prison.
