A
From the CISO series, it's Cybersecurity Headlines
B
These are the cybersecurity headlines for Wednesday, March 18, 2026. I'm Rich Stroffolino.

Energy Department to release first cyber strategy. According to the acting Director of the Office of Cybersecurity, Energy Security and Emergency Response, Alex Fitzsimmons, the U.S. Department of Energy will release a strategic plan soon for how it intends to protect the energy grid from cyberattacks. This will supplement the recently released National Cybersecurity Strategy, which focuses on sector resilience. Fitzsimmons said this will rely heavily on public-private partnerships. The strategy will also outline areas of investment for defensive AI deployments in the space, with Fitzsimmons noting that we're already seeing an increase in adversaries using it offensively.

Tech giants sign on to fight scammers. One of the pillars of the new US Cybersecurity strategy is a greater public-private partnership to combat transnational cybercrime organizations. We're seeing that with the Energy Department. This is an extension of this larger strategy. We're already seeing one example of this in practice. The Online Services Accord Against Scams was signed by some of the biggest names in the industry, with Google, Microsoft, Meta, Amazon, OpenAI, Adobe and Match Group all on board. This accord calls for increasing information sharing about scams seen on their individual platforms, both with others in tech and law enforcement agencies. Each company is also committed to deploying new fraud detection tools and introducing new security features to users, then sharing any best practices from those with their fellow signees. It also calls for clear reporting mechanisms for users. The accord is voluntary, with no enforcement mechanism.

Font rendering hides malicious commands from AI in plain sight. Researchers at LayerX released a proof-of-concept attack that uses custom font remapping and CSS to fool LLM-based tools while keeping a payload in clear sight in the browser.
This takes advantage of the fact that an LLM looks at structured text rather than a full page render. AI tools scanning the PoC's HTML only see meaningless unreadable content, but when it's rendered it shows malicious instructions for a user. LayerX found the approach worked on most major models from ChatGPT, Claude, Copilot, Gemini and Grok. LayerX presented the findings to vendors in December, but most found this issue out of scope, saying it was a social engineering attack, with only Microsoft accepting and addressing the finding.

New tactics spotted for LeakNet. The LeakNet ransomware operation has been active since the end of 2024, but it's expanding its bag of tricks. ReliaQuest spotted the group using a bring-your-own-runtime attack using the legitimate open source Deno runtime for JavaScript and TypeScript to deploy a malware loader. The group first gains access through a ClickFix social engineering attack. Then it uses the Deno-based loader to load a JavaScript payload into memory, thereby minimizing forensic evidence. Once executed, the malware connects to a C2 server to extract a secondary payload.

And now a huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. Attackers don't need malware anymore, they need trust. Set a simple passphrase for high-risk actions like wire requests or urgent account recovery, especially within finance teams and families. If the caller can't answer it, pause and verify. Adaptive runs deepfake and phishing simulations so employees practice this before it's real. Learn more at adaptivesecurity.com.

EU hits Iranian threat actors with sanctions. We've covered a number of cyber attacks from Iranian-linked groups and now we're seeing an array of policy responses. The European Union issued new sanctions against the Iranian company Emennet Pasargad. Back in 2023, Microsoft found the company stole and sold data from the French magazine Charlie Hebdo on illicit forums. These sanctions freeze assets of the company held at European institutions and ban EU businesses from interacting with them. The EU also issued sanctions against two Chinese firms. Integrity Technology Group was sanctioned for targeting critical infrastructure and selling information to hack-for-hire services, and Axon Information Technology received sanctions for taking part in the Flax Typhoon attacks on EU institutions.

China nexus dwelling for years in military networks. New research from Palo Alto's Unit 42 found that a China-nexus threat group breached the military networks in Southeast Asia as far back as 2020. This used at least two novel backdoor malware variants and a version of the GetPass credential stealing tool. The attackers used this access for highly targeted intelligence collection, looking for specific files on military capabilities or organizational structures and collaborative efforts with Western armed forces. The operators use multiple Dropbox accounts as dead drop resolvers, allowing them to post to legitimate services with embedded domains to hide activity. The researchers say the custom malware and focused approach indicate a highly sophisticated threat actor.

UK CMC looking to expand to the US. The UK-based nonprofit Cyber Monitoring Center opened in February 2025, assessing the economic impacts of cyber incidents in the country with a 0 to 5 scale modeled after scales used for natural disasters. Think something like the Richter scale. This is based on evaluating the financial cost against the estimated affected population. This is complemented with an in-depth report on the incident and financial ramifications. In 2025, CMC released analyses of the Marks and Spencer retail attacks and the Jaguar Land Rover attacks.
At a recent event in London, CMC head of operations Ruth Goodwin said establishing a US cyber monitoring center was on its roadmap for 2026, with plans to start issuing reports in 2027.

Konni group targeting KakaoTalk. The South Korean threat intel firm Genians spotted a new campaign by the North Korea-linked group Konni. This targets victims with a spear phishing email that appears as a notice for appointment as a North Korean human rights lecturer. This contains a malicious LNK file that installs the EndRAT trojan, enabling remote access and extended dwell time on infected systems. The attackers then use this to exfiltrate system data and access the KakaoTalk app to spread further malware to contacts. These secondary attacks don't just spray and pray to the entire contact list, but seem targeted at specific individuals.

Remember to subscribe to the CISO Series YouTube channel. We have original interviews, demos and shorts videos posted daily. Plus you'll stay up to date on the latest CISO Series announcements. If that sounds good to you, head on over to YouTube, look for the CISO Series and subscribe. And if you have some thoughts about the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Rich Stroffolino
Podcast: CISO Series
Episode: Energy strategy, scammer accord, font-rendering attack
Date: March 18, 2026
This episode offers a rapid-fire rundown of major cybersecurity developments as of March 18, 2026. Topics range from government and industry efforts to defend against cyber threats—such as the US Department of Energy's upcoming cyber strategy and an unprecedented fraud accord by leading tech firms—to newly discovered vulnerabilities, evolving ransomware tactics, international sanctions on threat actors, expanding cyber monitoring initiatives, and the latest campaigns from notorious APT groups.
| Segment                                        | Timestamp |
|------------------------------------------------|-----------|
| US Dept. of Energy Cyber Strategy              | 00:18     |
| Online Services Accord Against Scams           | 00:43     |
| Font-Rendering LLM Bypass PoC                  | 01:26     |
| LeakNet Ransomware Tactics                     | 02:31     |
| EU Sanctions on Iran & China Threat Actors     | 04:30     |
| China Nexus in Southeast Asian Military        | 05:30     |
| UK Cyber Monitoring Center Expansion           | 06:13     |
| North Korean Konni Group Targets KakaoTalk     | 06:52     |
The episode maintains an up-to-the-minute, factual, and slightly pithy news tone, with direct insights and some pointed commentary (e.g., noting lack of enforcement in the tech accord or vendor reaction to new exploits). The host, Rich Stroffolino, provides crisp narration and contextual links between stories, reflecting the urgency and interconnection of global cyber threats.
This episode encapsulates how the cybersecurity landscape is simultaneously shaped by government policy, industry collaboration, innovation in both attack and defense, and the constant evolution of threat actors. For CISOs and practitioners, it delivers actionable awareness of new trends—public-private cyber initiatives, LLM attack risks, ransomware evolution, and targeted APT campaigns—along with a taste of the international chessboard on which these dramas play out.