Tag: NYDFS

  • The Road to Resilience via MFA and Global Verification

    It’s a Paper Trail for the week ending April 4, 2026, and we’ll cover what happened last week in the Information Security space.

    Last Week, in Review

    • BitSight recorded publicly disclosed data breaches between April 2025 and March 2026, spanning the public sector (21.4%), educational services (14.5%), information services (13.6%), and finance and insurance (12.9%). The most breaches were reported in the U.S. (755) over the period. The breadth of affected industries highlights that no sector is immune and that organizations must layer their defenses and have contingencies for the worst-case scenario. [BitSight]
    • Google rolled out Android Developer verification globally for Play Console and Developer Console to reduce the risk of distributing apps that carry malware. This will make it significantly harder for anonymous actors to deploy malicious apps, without requiring additional actions from users – enforcement starts in September 2026 in Brazil, Indonesia, Singapore, and Thailand, before expanding globally in 2027. While this helps strengthen supply-chain trust, organizations still need to employ MDM or MAM solutions to reduce enterprise risk for mobile devices. [Android Developers, The Hacker News]

    Pulse

    Palo Alto Networks Unit 42 research identified that Google Cloud’s Vertex AI platform grants deployed AI agents permissive access by default – including the ability to read all cloud storage buckets in the project. An attacker who deploys a malicious agent can leverage the service account’s default credentials to pivot into the broader cloud environment and access that data. Because the attack operates within the bounds of legitimately granted permissions, it may not produce obvious alerts for teams to investigate. This highlights the need to consistently audit identity permissions in the environment, and to recognize that even well-designed cloud platforms can inadvertently introduce attack paths when defaults aren’t carefully reviewed and scoped. [Palo Alto Networks, The Hacker News]

    A remote access toolkit dubbed CTRL – as identified by Censys – is distributed via malicious Windows shortcut (LNK) files disguised as private key folders. The disguise makes a malicious script look like a folder; double-clicking it silently executes a PowerShell payload. The custom .NET toolkit enables credential phishing, keylogging, RDP (Remote Desktop Protocol) hijacking, and reverse tunneling. It exploits end users’ curiosity about ‘private keys,’ making the social engineering lure especially effective against developers and power users. [Censys, The Hacker News]

    Fix-it Frank

    F5 BIG-IP is a critical application delivery platform used by enterprises – including financial institutions – for load balancing, SSL termination, application firewalling, and VPN access. A vulnerability in F5 BIG-IP APM (Access Policy Manager) devices, disclosed in October 2025 (CVE-2025-53521) and originally classified as a medium-severity denial of service, was reclassified as critical-severity unauthenticated RCE after it was found to be under active exploitation by remote adversaries deploying web shells. Successful exploitation could grant adversaries a strategic chokepoint from which to intercept credentials, inject malicious responses, and move laterally in the organization. Organizations should upgrade their 15.x, 16.x, and 17.x BIG-IP versions to the latest releases to remediate the vulnerability. [Arctic Wolf, The Hacker News, Dataminr, F5]

    Axios – one of the most popular NPM packages, with ~100 million weekly downloads – was hit with a supply-chain attack. Any build pipeline, developer workstation, or production application that ran npm install during the ~3-hour exposure window and installed Axios version 1.14.1 or 0.30.4 may have been affected by the malicious package. Organizations should pin Axios to known-good versions, rotate credentials, and take multiple additional actions. [Microsoft, SOCReader, Arctic Wolf]
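    One concrete way to check the first of those actions – whether a project ever resolved either affected Axios version – is to scan the npm lockfile. This is an added example, not code from the newsletter or the Axios project; the lockfile it reads is constructed for illustration, and only the two version strings come from the text above.

```python
"""Scan an npm lockfile for the Axios versions named in the advisory above.

Added example (not from the newsletter or the Axios project). The sample
lockfile is constructed; the version strings are the two named in the text.
Handles lockfileVersion 2/3 (flat "packages" map keyed by install path,
including nested copies such as node_modules/foo/node_modules/axios) and
the legacy lockfileVersion 1 nested "dependencies" tree.
"""
import json

# Versions named in the advisory; extend the map for other advisories.
COMPROMISED = {"axios": {"1.14.1", "0.30.4"}}


def find_compromised(lock: dict) -> list[tuple[str, str]]:
    """Return sorted (install_path, version) pairs matching COMPROMISED."""
    hits = set()
    # lockfileVersion 2/3: "" is the root project, every other key is a path.
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        # Aliased installs carry an explicit "name"; otherwise derive it from
        # the last "node_modules/" segment (keeps @scope/pkg intact).
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in COMPROMISED.get(name, ()):
            hits.add((path, meta["version"]))

    # lockfileVersion 1 (also present in v2 files; duplicates are deduped).
    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if meta.get("version") in COMPROMISED.get(name, ()):
                hits.add((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return sorted(hits)


# Constructed lockfile: clean top-level axios, compromised copy nested under an SDK.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.13.0"},
    "node_modules/some-sdk": {"version": "2.0.0"},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"}
  }
}""")

if __name__ == "__main__":
    for path, version in find_compromised(SAMPLE_LOCK):
        print(f"compromised: {path}@{version}")
```

    A hit in a nested path means a transitive dependency pulled the version in, so pinning only the top-level `axios` entry would not have prevented it.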

    The Fine Print

    The FTC announced a proposed settlement with OkCupid and Match Group Americas, over allegations that OkCupid secretly shared nearly three million users’ photos, location data, and demographic details with Clarifai – an AI facial recognition company – despite a privacy policy explicitly promising data would only go to service providers, business partners, or affiliates. Clarifai was none of those. The FTC also alleged years of active concealment, including obstruction of the agency’s Civil Investigative Demand. The settlement carries no monetary penalty but permanently bars both companies from misrepresenting their data practices and requires ten years of compliance reporting to the FTC. This serves as a reminder for organizations to review their privacy policies against actual data flows in their applications. [Ars Technica, ArentFox Schiff]

    Every NYDFS-licensed entity must file its Annual Certification of Material Compliance (or Acknowledgment of Noncompliance) by April 15, 2026 – the first annual certification that must affirmatively cover compliance with the November 1, 2025 amendments to Part 500, which added mandatory multifactor authentication (MFA) for any individual accessing any information system with nonpublic information, as well as written asset inventory policies and procedures. Organizations should confirm MFA is active for all users and all information systems – cloud consoles, identity providers, remote access, and internal systems alike. Where exceptions exist, they should be documented, approved by the appropriate authorities within the organization, and paired with compensating controls. [Greenberg Traurig]

    The Bottom Line

    From global developer verification to the strengthening of regional compliance standards, this week highlights a collective move toward a more transparent and resilient digital world. As we look ahead, with the NYDFS deadline nearly here, what’s one proactive step your team has taken this week to make your environment even more resilient?

    This newsletter is provided for informational purposes only and does not constitute legal, compliance, or professional cybersecurity advice. Readers should consult qualified legal, compliance, or cybersecurity professionals before making decisions based on any information contained herein.

    Thanks for tuning in to this edition of Paper Trail. We’d love your ideas and suggestions, so email us at feedback@hackwithheart.com. You can follow Paper Trail wherever you like best – read it on hackwithheart.com, listen on Spotify or Apple Podcasts, or watch on YouTube.

  • The 1.3-Day Race and the Rise of Agentic Fraud

    It’s a Paper Trail for the week ending March 21, 2026, and we’ll cover what happened last week in the Information Security space.

    Last Week, in Review

    • Zero Day Clock tracks the speed at which adversaries are exploiting vulnerabilities. The time from when an advisory is published to first exploitation has been shrinking – from years, to months, to days – with a current mean time to exploitation of ~1.3 days. This highlights the need for organizations to adapt their patch and remediation capabilities to respond faster to truly critical vulnerabilities. [Zero Day Clock]
    • INTERPOL’s 2026 Global Financial Fraud Threat Assessment puts global fraud losses at an estimated $442 billion in 2025 – driven by a 4.5x greater profitability for AI-enhanced scams compared to traditional methods, with 77% of business leaders worldwide reporting a rise in fraud over the past year. The report underscores the emergence of Agentic AI capable of autonomous fraud cycles and the global expansion of industrial-scale scam centers now operating across multiple continents. [Interpol, The Register]

    Pulse

    Trend Micro identified an active, sophisticated multi-stage credential theft campaign delivering PureLog Stealer that harvests sensitive data, including Chrome browser credentials, extensions, cryptocurrency wallets, and system information. Adversaries disguise the malware as a legitimate legal document – specifically copyright violation notices written in the local language of the target region – that, when opened, triggers a multi-stage process of malware execution in memory (fileless execution) using a Python-based loader and dual .NET loaders, evading traditional endpoint detection. [Trend Micro]

    Fix-it Frank

    A critical remote code execution vulnerability, CVE-2026-33017, in Langflow version 1.8 or lower – a popular open-source AI workflow builder with 146K+ stargazers – was exploited within 20 hours of public disclosure of the advisory, with adversaries building working exploits from the advisory description alone. Organizations should upgrade their Langflow instances to version 1.9.0 or higher to remediate the vulnerability. [Sysdig, The Hacker News, GitHub, SecurityWeek]

    ConnectWise disclosed a critical-severity vulnerability (CVE-2026-3564) in its on-premises ScreenConnect – a remote access platform widely used by managed service providers (MSPs), IT departments, and help desk teams. The vulnerability allowed an adversary with access to server-level cryptographic material to escalate privileges and gain elevated access to remote management infrastructure. Organizations should upgrade ScreenConnect to version 26.1 or later and regenerate machine key material after upgrading to remediate the vulnerability. [ConnectWise, Bleeping Computer]

    Cisco Secure disclosed two critical-severity vulnerabilities in Firewall Management Center (FMC) Software – a deserialization flaw (CVE-2026-20131) and an improperly created system process at boot (CVE-2026-20079) – which could allow an unauthenticated, remote attacker to bypass authentication and gain root access on an affected device. Cisco recommends that affected devices be upgraded to the latest patched versions of the software. [Cisco, Cisco, Arctic Wolf, Amazon, The Hacker News]

    The Fine Print

    Navia Benefit Solutions – a Washington-based employee benefits administrator serving 10,000+ employers nationwide – disclosed a data breach affecting approximately 2.7 million individuals. Adversaries gained unauthorized access to its environment and accessed its systems from December 22, 2025 to January 15, 2026, and were discovered on January 23, 2026. Exposed data may include names, dates of birth, Social Security Numbers, phone numbers, email addresses, health plan details, and records dating back to 2018. Navia needed to file with the Maine Attorney General, notify HHS under HIPAA, issue media notices, notify the Washington State HCA, and mail letters to individuals beginning March 18, 2026 – highlighting the complex web of multi-jurisdiction notification requirements that organizations may have to navigate and codify in their incident response plans. [The HIPAA Journal, LifeHacker, The Record]

    Cybersecurity audit requirements and risk assessment mandates under CCPA/CPRA began phasing in on January 1, 2026. Organizations selling or processing data of consumers in California and meeting certain thresholds are required to demonstrate compliance. With North Dakota, Rhode Island, and Nevada enacting cybersecurity regulation similar to NYDFS, the tightening of state-level cyber obligations adds compliance complexity for multi-state operations. For instance, the Rhode Island law requires notification of a breach within three business days, while NYDFS remains at 72 hours – a subtle but critical difference for incident response teams. [Ropes & Gray, Alston & Bird]

    The Bottom Line

    As the mean time to exploitation continues its aggressive slide toward the sub-24-hour mark, scheduled patches seem like a luxury of the past. Furthermore, with the first wave of 2026 CCPA/CPRA enforcement actions likely on the horizon, the focus will shift from simple perimeter defense to the “Fine Print” – specifically, how well an organization’s IR plan can navigate the nuanced notification timelines of a multi-state.

    Thanks for tuning in to this edition of Paper Trail. We’d love your ideas and suggestions, so email us at feedback@hackwithheart.com. You can follow Paper Trail wherever you like best – read it on hackwithheart.com, listen on Spotify or Apple Podcasts, or watch on YouTube.