DJBSEC's CyberNews 2026-03-23
FBI Links Signal Phishing Campaigns to Russian Intelligence
The FBI has publicly linked a wave of phishing attacks targeting Signal and WhatsApp users to Russian intelligence services, marking a more direct attribution than earlier warnings. The campaigns are not breaking end-to-end encryption; instead, they rely on account hijacking tactics such as tricking users into sharing verification codes or scanning malicious QR codes that link accounts to attacker-controlled devices. According to the FBI, the attacks have already compromised thousands of accounts worldwide and are focused on high-value targets such as government officials, military personnel, political figures, and journalists. Once inside an account, attackers can read messages, access contact lists, impersonate victims, and use those trusted accounts to phish others.
LAPSUS$ Claims Alleged AstraZeneca Data Breach
The hacking group LAPSUS$ has claimed responsibility for an alleged breach involving AstraZeneca, adding another high-profile name to its list of claimed victims. Reports indicate the group says it accessed and exposed sensitive corporate data, though the full scope and authenticity of the claims were still being evaluated at the time of reporting. The incident is drawing attention because LAPSUS$ has historically relied more on social engineering, credential theft, and insider-style access than on sophisticated malware. If confirmed, the breach would reinforce how damaging identity-focused attacks can be for major enterprises.
Trivy Supply Chain Attack Spreads Worm-Like Malware Across npm
A supply chain attack tied to Trivy has triggered a self-spreading malware campaign dubbed CanisterWorm across 47 npm packages. Researchers say the malicious code was designed to propagate through developer environments and software pipelines, turning a trusted part of the development ecosystem into a distribution channel. The incident highlights how software supply chain attacks continue to evolve from one-off package compromises into more automated, worm-like behavior. For defenders, the takeaway is clear: dependency monitoring, package integrity validation, and tighter CI/CD controls are becoming mandatory, not optional.
WorldLeaks Claims Breach of the City of Los Angeles
The WorldLeaks ransomware group has claimed it breached the City of Los Angeles and stolen data from municipal systems. As with many extortion-driven attacks, the group is using public disclosure to pressure the victim while officials assess the scope and validity of the claims. If confirmed, the incident would add to the long list of cyberattacks disrupting state and local governments, where legacy systems and broad service dependencies make recovery especially challenging. The case is another reminder that city governments remain attractive targets because of the critical services they provide and the sensitive information they hold.
Attackers Abuse Azure Monitor Alerts in Callback Phishing Campaigns
Threat actors are abusing Microsoft Azure Monitor alerts to make callback phishing attacks look more legitimate and urgent. By leveraging a trusted Microsoft-branded service, attackers can deliver notifications that appear authentic and push victims to call fake support numbers or interact with malicious workflows. The tactic is effective because it blends social engineering with legitimate cloud infrastructure, making detection harder for both users and defenders. It also shows how attackers are increasingly weaponizing trusted SaaS platforms instead of relying only on spoofed emails and fake domains.
Oracle Fixes Critical Identity Manager RCE Flaw
Oracle has released patches for CVE-2026-21992, a critical vulnerability in Oracle Identity Manager that could allow unauthenticated remote code execution. A flaw in an identity platform is especially serious because these systems often sit at the center of access management for business-critical applications and user accounts. An attacker exploiting the bug could potentially gain a foothold without credentials, turning a core identity service into an entry point for wider compromise. Organizations running affected Oracle environments should treat this as a priority patching event and verify their exposure immediately.