46 Azure Skeleton Keys Leak: US Clouds Naked, CFOs Panic
TL;DR
- Azure Data Factory CVE-2026-23659 allows cross-tenant service certificate theft via misconfigured data connectors
- New Android malware Perseus steals banking credentials via IPTV app lure, targets Turkey, Italy, Poland, Germany
- Virus 'Mammoth' targets Max app users in Russia, stealing banking credentials via phishing attacks after mandatory platform switch from Telegram
🔓 Azure Data Factory CVE-2026-23659: Cross-Tenant Certificate Heist Hits All Regions
Microsoft just handed every ADF tenant a free skeleton key 🔑—any bored user can yoink your service cert & pretend to be YOU. 46 info-leaks this month, but this one’s the crown jewel: cross-tenant, zero privilege, full decrypt power. Your “private” pipelines? Public punchline. Already patched? Prove it—show me the rotated cert or stfu. US clouds first, rest of planet next. Who’s betting their data lake on Microsoft’s pinky-promise?
Yesterday Microsoft quietly added CVE-2026-23659 to its Security Update Guide: pick the wrong connector in Azure Data Factory and you can swipe the next tenant’s service certificate like taking candy from a coma patient. No admin rights, no fancy exploit—just log in, click “test connection,” and watch the IR cough up someone else’s crypto passport. Redmond swears a backend patch is “coming soon”; until then, every hybrid pipeline is a piñata.
How the heist works
- Spin up a Data Connector in your own AD tenant.
- Point it at an external endpoint (SQL, SAP, whatever) without locking the Integration Runtime to a private endpoint.
- The IR’s certificate-retrieval API happily returns the cert for whoever last touched that connector—no tenant check, no shame.
- Use the stolen cert to decrypt traffic or impersonate the victim service; pivot to their storage, their vault, their Christmas list.
Impacts in one gulp
- Confidentiality: encrypted data in transit now “plain-text-by-certificate.”
- Impersonation: attacker’s pipeline looks, smells, and bills like the victim’s.
- Compliance: GDPR, HIPAA, SOX auditors adore surprise cross-tenant data spills—fines start at 4% of global revenue.
- Ops overhead: every IR cert must be rotated now; hope you scripted it.
What to do before lunch
- Audit every connector; if it lacks a private endpoint, kill it or nail it down.
- Re-issue all IR certs; the old ones are radioactive.
- Strip “Data Factory Contributor” rights from that intern who wanted to “learn cloud.”
- Turn on diagnostic logs and alert on any CertificateRetrieved event; if it fires at 3 a.m., you’re the entertainment.
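One way to script the last two checklist items, as an added example that is not Microsoft's code or this newsletter's: it triages constructed ADF diagnostic records for CertificateRetrieved events, escalating cross-tenant callers and off-hours pulls, and lists connectors with no private endpoint. The record field names (operationName, callerTenantId, integrationRuntime, privateEndpoint) and the tenant ids are assumptions; map them onto your real diagnostic-log schema before use.

```python
import json
from datetime import datetime, timezone

HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed placeholder
CROSS_TENANT = "caller tenant differs from factory tenant"

# Constructed sample diagnostic records (JSON lines); field names are assumed.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"time": "2026-03-14T09:12:00Z", "operationName": "CertificateRetrieved",
     "callerTenantId": HOME_TENANT, "integrationRuntime": "ir-prod-01"},
    {"time": "2026-03-14T03:07:42Z", "operationName": "CertificateRetrieved",
     "callerTenantId": "22222222-2222-2222-2222-222222222222",
     "integrationRuntime": "ir-prod-01"},
    {"time": "2026-03-14T10:00:00Z", "operationName": "PipelineRun",
     "callerTenantId": HOME_TENANT, "integrationRuntime": "ir-prod-01"},
])

def triage_cert_events(log_text, home_tenant=HOME_TENANT, quiet_hours=(0, 6)):
    """Flag every CertificateRetrieved event (the checklist says alert on all).
    Severity: "critical" if the caller tenant is not the factory's own tenant,
    "medium" if the home tenant pulled a cert inside quiet hours (UTC), else
    "info". Returns a list of {"severity", "reasons", "record"} dicts."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("operationName") != "CertificateRetrieved":
            continue
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        hour = ts.astimezone(timezone.utc).hour
        reasons = []
        if rec.get("callerTenantId") != home_tenant:
            reasons.append(CROSS_TENANT)
        if quiet_hours[0] <= hour < quiet_hours[1]:
            reasons.append("retrieved at %02d:00 UTC, inside quiet hours" % hour)
        severity = ("critical" if CROSS_TENANT in reasons
                    else "medium" if reasons else "info")
        findings.append({"severity": severity, "reasons": reasons, "record": rec})
    return findings

def unlocked_connectors(connectors):
    """Names of connectors whose IR is not bound to a private endpoint; input is
    a constructed list of {"name": str, "privateEndpoint": bool} (assumed shape)."""
    return [c["name"] for c in connectors if not c.get("privateEndpoint")]

if __name__ == "__main__":
    for f in triage_cert_events(SAMPLE_LOG):
        print(f["severity"], f["record"]["time"], "; ".join(f["reasons"]) or "routine")
```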
Timeline of (maybe) getting better
- This weekend: Microsoft’s back-end patch drops; pray your region is first.
- Next 30 days: 46 info-disclosure bugs still loom; expect more frantic Tuesdays.
- 6 months: ADF connectors get tenant-scoped certs; until then, zero-trust or zero-chance.
Cloud security: same circus, new clowns. Lock your connectors or someone else’s name will be on your data.
💸 Perseus Android Malware: 17% Turkey Infection Rate Triggers €2.4k Bank Heist
17% of Turkey just got pickpocketed by a FREE TV app 😱—that’s 1 in 6 phones turned into a €2.4k ATM for hoodies! 📺💸 Perseus malware laughs at your ‘Install anyway’ click, drains bank + crypto while you binge. IPTV junkies, your sideload is the heist—still feel clever? 🇹🇷🔥
Perseus, the latest Android banking leech, hides inside pirated IPTV apps and quietly empties accounts while you binge. It stitches together six-year-old Cerberus/Phoenix code, asks for one innocent-sounding “accessibility” permission, then overlays fake login screens, screenshots every PIN, and ships the loot to its operators. Turkey (17%) and Italy (15%) are the biggest mugs so far, but Poland, Germany, and France are already on the roll call.
How the grift works
- Dropper: sideloaded APK promising “free sports.”
- Hook: Accessibility Service = universal keylogger + remote desktop.
- Overlay: a pixel-perfect bank-app forgery on top of the real one; you type, it harvests.
- C2 ping: encrypted heartbeat every 30 s; payload key = SHA-1 of the filename—because why not reuse 1995 crypto?
Impacts in one gulp
- Wallet: average unauthorized wire €2.4k (TR) / €1.8k (IT) → rent money gone before halftime.
- Data: passwords, 12-word crypto seeds, OTP codes → sold wholesale, reused everywhere.
- Ecosystem: Google Play Protect now flagging legit IPTV clones; expect blanket bans on harmless hobby apps.
Who’s doing what (spoiler: not enough)
- Users: keep tapping “allow” for sketchy streams.
- Banks: reimbursing victims but not blocking old Androids.
- Google: Android 14 beta tightens Accessibility, but rollout is 18 months late and OEMs will skip it to save $0.37 per unit.
Outlook
- 2026 Q3: Detection signatures cut new infections ~30 %—like putting a Band-Aid on a severed artery.
- 2027: Operators migrate to infected “real” TV apps; overlays go fully encrypted; losses double.
- 2028: EU finally mandates accessibility-permission disclosures; malware simply asks for “battery optimization” instead.
Bottom line: if the app didn’t come from a real store, you’re the product—and the checkout counter is your bank balance.
😈 ₽2B Heist Lurks in Russia’s Max App After Telegram Ban
70M Max users herded off Telegram straight into Mammoth’s jaws—₽2B loot if 0.1% click the cute phishing link 😈 State says “safer,” malware says “thanks for the fresh meat.” Your bank PIN is now Moscow’s hottest OnlyFans. Muscovites—ready to factory-reset your life, or still trust the Kremlin’s ‘secure’ chat?
By the chaos-junkie in the cheap seats
Another Friday, another digital kick in the teeth
Seventy million Russians woke up this month on a shiny new chat app called Max—only to find a woolly mammoth in the living room gnawing on their bank cards.
“Mammoth” malware slides into DMs, begs you to tap a “funny video,” then screenshots your banking app while you scream at the spinning wheel.
State cops admit “multiple” major banks already kissed credentials goodbye; do the napkin math and a ₽2-billion hole is chewing through Moscow’s ATMs like a drunk mole.
How the heist works
- Crooks shorten a poison URL, dress it up as a Dropbox link, drop it in your “private” Max chat.
- One tap grants fake “accessibility” rights—Android’s skeleton key.
- Overlay windows clone your Sberbank login, hoover OTP texts, ship the loot to *.mamont-pay[.]ru before you can say “kommersant.”
- Reboot? No problem—Mammoth reinstalls itself while you make coffee.
Impacts in bite-size agony
- Money: ₽30,000 average drained per hit → one day’s wages for half of Russia gone in 29 minutes.
- Trust: 70 million daily users now suspect every blue link → friendship groups mute, commerce stalls.
- Regulation: Roskomnadzor snoops chats for “security,” yet the same metadata hands attackers a targeting laser → surveillance paradox in neon.
- Banks: three top lenders already reporting “credential loss events” → expect new fees, slower payment rails, PR bleach.
Short-term forecast (next 90 days)
- April 2026: phishing volume spikes 3× as script-kiddies copy Mammoth repo; expect 120,000 extra poison links/day.
- May 2026: Max pushes a forced update—biometric pop-up for overlay permission; 40% of users will blindly tap “yes” anyway.
- June 2026: cops kill one C2 domain; two more pop up offshore, laundering crypto before breakfast.
Long-term (six to twelve months)
- Q4 2026: AI-generated Cyrillic lures drop breakout time to 12 minutes; half the country keeps passwords on sticky notes—guess who wins.
- Q1 2027: Parliament drafts law mandating hardware tokens for any bank app; cost passed to customers → ₽500 “security fee,” cheers.
- Mid-2027: Max competitor “R-Chat” appears, promising “real privacy,” attracts 15 million refugees—until its own woolly clone shows up.
Sectoral punchline
When governments herd citizens onto a single, home-grown app, they build a hacker buffet: one menu, 70 million plates, zero encryption sprinkles. Until banks ditch SMS codes and Android stops handing out skeleton keys, Mammoth is just the first tusk in the door.
In Other News
- Authorization bypass vulnerability in HTTP/2 :path pseudo-header exposes gRPC-Go servers to policy evasion, prompting urgent patch to v1.80.3
- Google implements 24-hour wait for Android sideloading to combat malware, targets Brazil, Indonesia, Singapore, Thailand