Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop lets us know,
    • “Cybercrimes could be punished more harshly under a new bill from a pair of senators that seeks to amend U.S. criminal code on computer fraud.
    • “The Cyber Conspiracy Modernization Act from Sens. Mike Rounds, R-S.D., and Kirsten Gillibrand, D-N.Y., would modify the Computer Fraud and Abuse Act (CFAA) to establish a specific penalty for conspiracy and boost penalties for violators. 
    • “As cyber technologies continue to rapidly evolve, we need more people working to secure cyberspace as well as harsher penalties for those perpetrating these crimes,” Rounds said in a statement. “As chairman of the Senate Armed Services Committee’s Subcommittee on Cybersecurity, I am committed to working on policies that strengthen the United States’ ability to respond quickly and decisively to cyberattacks which have been on the rise.”
    • “Under current law, the Department of Justice can only charge conspiracy to commit cybercrimes through a general statute unrelated to the CFAA. Individuals charged under the general conspiracy statute face a maximum five-year penalty.”
  • Cybersecurity Dive informs us,
    • “President Donald Trump plans to nominate Sean Cairncross, a former official at the Republican National Committee, as the next national cyber director, according to a list of planned nominees obtained by Cybersecurity Dive. 
    • “Those nominees are expected to be sent imminently to the Senate to be considered for the confirmation process. 
    • “Cairncross would be the first major nominee for a top cybersecurity role since the Trump administration took office. 
    • “He is founder and president of the Cairncross Group, a strategic consultancy based in Washington, D.C.
    • “Cairncross previously worked as CEO of the Millennium Challenge Corp., an independent government agency that works to reduce poverty by promoting economic growth across the globe.”
  • Federal News Network notes,
    • “A former cyber executive at the Department of Homeland Security and the Energy Department has joined the Cybersecurity and Infrastructure Security Agency.
    • “Karen Evans is now “senior advisor for cybersecurity” at CISA, an agency spokesman confirmed to Federal News Network today. Evans posted about joining CISA on LinkedIn last night.
    • “A CISA spokesman did not confirm whether Evans would be elevated to a permanent role at the agency. But multiple sources said Evans is likely to either be named as executive assistant director for cybersecurity at CISA or move on to a top position at DHS headquarters.
    • “During the first Trump administration, Evans was DHS CIO between June 2020 and January 2021. She also served as assistant secretary for cybersecurity, energy security and emergency response at the Energy Department between 2018 and 2020.”
  • NextGov/FCW offers background on OPM’s new Chief Information Officer, Greg Hogan.
  • Per a Justice Department news release,
    • The Justice Department today [February 10] unsealed criminal charges against Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, both Russian nationals, who allegedly operated a cybercrime group using the Phobos ransomware that victimized more than 1,000 public and private entities in the United States and around the world and received over $16 million in ransom payments. Berezhnoy and Glebov were arrested this week as part of a coordinated international disruption of their organization, which includes additional arrests and the technical disruption of the group’s computer infrastructure.
    • From May 2019, through at least October 2024, Berezhnoy, Glebov, and others allegedly caused victims to suffer losses resulting from the loss of access to their data in addition to the financial losses associated with the ransomware payments. The victims included a children’s hospital, health care providers, and educational institutions.

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports,
    • Microsoft threat researchers discovered a series of what they are calling “device code” phishing attacks that allowed a suspected Russia-aligned threat group to gain access to and steal data from critical infrastructure organizations, the company said in research released Thursday.
    • The group, which Microsoft tracks as Storm-2372, has targeted governments, IT services and organizations operating in the telecom, health, higher education and energy sectors across Europe, North America, Africa and the Middle East.
    • Microsoft observed attackers generating a legitimate device code sign-in request and then duping targeted users to input the code into a login page for productivity apps. By exploiting the device code authentication flow, Storm-2372 has gained access to targeted systems, captured authentication tokens and used those valid tokens to achieve lateral movement and steal data.
    • “They’ve been successful in these attacks, though Microsoft itself is not affected,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, said in a video summarizing the report’s findings.
  • and
    • “Salt Typhoon, the Chinese nation-state threat group linked to a spree of attacks on U.S. and global telecom providers, remains active in its intrusion and has hit multiple additional networks worldwide, including two in the United States, Recorded Future said in a report released Thursday [February 13].
    • “Recorded Future’s Insikt Group observed seven compromised Cisco network devices communicating with Salt Typhoon infrastructure on five telecom networks between early December and late January. The compromised companies include an unnamed U.S. internet service provider and telecom company, a U.S.-based affiliate of a U.K. telecom provider, a large telecom provider in Thailand, an Italy-based ISP and a South Africa-based telecom provider.
    • “Salt Typhoon’s ongoing attack spree underscores the enduring challenge global cyber authorities and network defenders confront in trying to thwart the nation-state group’s activities. U.S. and White House officials in December warned they may never know if the group has been completely booted from networks.” 
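The device code phishing item above describes attackers generating a legitimate device code request and getting a user to enter the code for a productivity app. The defender's counterpart is to look for device-code sign-ins where a productivity app (rather than a CLI or headless device) used the flow, or where the sign-in came from a location the user has never used. The script below is an added example, not code from Cyberscoop, Microsoft or the report it summarizes; the record layout loosely follows Microsoft Entra sign-in log field names (userPrincipalName, ipAddress, appDisplayName, authenticationProtocol), and every event and the list of apps expected to use the flow are constructed for the demo.

```python
"""Rank successful device-code sign-ins by how far they depart from a user's baseline.

Added example, not from the article or from Microsoft. Field names follow Entra
sign-in logs loosely; the events below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample sign-in events (values invented for this demo).
SIGN_INS = [
    {"userPrincipalName": "alice@example.org", "ipAddress": "203.0.113.10",
     "country": "US", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "authorizationCode", "status": "success"},
    {"userPrincipalName": "alice@example.org", "ipAddress": "203.0.113.10",
     "country": "US", "appDisplayName": "Outlook",
     "authenticationProtocol": "authorizationCode", "status": "success"},
    # Device-code sign-in for a productivity app from an IP and country never seen for alice.
    {"userPrincipalName": "alice@example.org", "ipAddress": "198.51.100.7",
     "country": "NL", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "deviceCode", "status": "success"},
    # Device-code sign-in for a CLI tool from bob's usual address: expected usage.
    {"userPrincipalName": "bob@example.org", "ipAddress": "192.0.2.44",
     "country": "US", "appDisplayName": "Azure CLI",
     "authenticationProtocol": "deviceCode", "status": "success"},
    {"userPrincipalName": "bob@example.org", "ipAddress": "192.0.2.44",
     "country": "US", "appDisplayName": "Outlook",
     "authenticationProtocol": "authorizationCode", "status": "success"},
]

# Assumed allowlist: apps in this tenant that legitimately use the device code flow
# (CLI tools, headless devices). A productivity app using it is the reported pattern.
DEVICE_CODE_EXPECTED_APPS = {"Azure CLI"}


@dataclass
class Finding:
    user: str
    app: str
    ip: str
    severity: str
    reason: str


def baseline_by_user(events):
    """Countries and IPs each user has successfully signed in from via other flows."""
    base = defaultdict(lambda: {"countries": set(), "ips": set()})
    for e in events:
        if e["authenticationProtocol"] != "deviceCode" and e["status"] == "success":
            base[e["userPrincipalName"]]["countries"].add(e["country"])
            base[e["userPrincipalName"]]["ips"].add(e["ipAddress"])
    return base


def find_suspicious_device_code_signins(events):
    """Return one Finding per successful device-code sign-in, with a severity
    derived from how many anomaly conditions it meets."""
    base = baseline_by_user(events)
    findings = []
    for e in events:
        if e["authenticationProtocol"] != "deviceCode" or e["status"] != "success":
            continue
        user, app = e["userPrincipalName"], e["appDisplayName"]
        reasons = []
        if app not in DEVICE_CODE_EXPECTED_APPS:
            reasons.append("productivity app used device code flow")
        if e["country"] not in base[user]["countries"]:
            reasons.append("country not in user's baseline")
        if e["ipAddress"] not in base[user]["ips"]:
            reasons.append("ip not in user's baseline")
        severity = "high" if len(reasons) >= 2 else ("medium" if reasons else "low")
        findings.append(Finding(user, app, e["ipAddress"], severity,
                                "; ".join(reasons) or "device code flow used"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_device_code_signins(SIGN_INS):
        print(f"{f.severity:6} {f.user:20} {f.app:16} {f.ip:14} {f.reason}")
```

Detection of this kind is a backstop: because the token the attacker captures is valid, the stronger control is to restrict the device code flow (Entra Conditional Access has an authentication flows condition for this) to the accounts and apps that genuinely need it, so a productivity app cannot complete the flow at all.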
  • Cybersecurity Dive relates,
    • “The FBI and Cybersecurity and Infrastructure Security Agency on Wednesday [February 12] warned that hackers are abusing buffer overflow vulnerabilities to launch malicious attacks against organizations.
    • “Buffer overflow vulnerabilities occur when a hacker gains access or writes information outside of the memory buffer, according to the advisory from the FBI and CISA.
    • “Buffer overflow vulnerabilities are prevalent issues in memory-safety software design that can lead to data corruption, program crashes, exposure of sensitive data and remote code execution.”
  • Per Bleeping Computer,
    • “Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
    • “This security flaw (CVE-2024-53704), tagged by CISA as critical severity and found in the SSLVPN authentication mechanism, impacts SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, used by multiple models of Gen 6 and Gen 7 firewalls and SOHO series devices.
    • “Successful exploitation enables remote attackers to hijack active SSL VPN sessions without authentication, which grants them unauthorized access to targets’ networks.
    • “SonicWall urged customers to immediately upgrade their firewalls’ SonicOS firmware to prevent exploitation in an email sent before disclosing the vulnerability publicly and releasing security updates on January 7.”
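The affected versions quoted above ("7.1.x up to 7.1.1-7058", "7.1.2-7019", "8.0.0-8035") are the kind of list that a patch-management script has to compare against a firewall inventory. The following is an added example, not code from Bleeping Computer or SonicWall: it parses the major.minor.patch-build form the article uses and reports which constructed inventory entries fall inside the quoted ranges. It encodes only what the article lists, so a version outside those ranges is reported as "not listed" rather than as safe.

```python
"""Match SonicOS version strings against the affected versions quoted for CVE-2024-53704.

Added example, not from the article or the vendor. The version format
(major.minor.patch-build, e.g. 7.1.1-7058) follows the strings the article quotes;
the inventory is constructed sample data.
"""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_sonicos(version: str):
    """Turn '7.1.1-7058' into (7, 1, 1, 7058) so versions compare numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version is inside the ranges the article lists:
    any 7.1 build up to and including 7.1.1-7058, plus exactly 7.1.2-7019 and 8.0.0-8035.
    Versions outside those ranges are simply 'not listed' here."""
    v = parse_sonicos(version)
    if v[:2] == (7, 1) and v <= (7, 1, 1, 7058):
        return True
    return v in {(7, 1, 2, 7019), (8, 0, 0, 8035)}


def triage(inventory):
    """inventory: {hostname: version}. Returns sorted hostnames that need the SonicOS update."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory; hostnames and the 7.1.3 build number are invented.
INVENTORY = {
    "fw-branch-1": "7.1.1-7058",
    "fw-branch-2": "7.1.1-7040",
    "fw-hq": "7.1.2-7019",
    "fw-dc": "8.0.0-8035",
    "fw-lab": "7.1.3-7100",
}

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is in the affected range, update SonicOS")
```

Because the exploit hijacks active SSL VPN sessions, patching alone is not the end of the response: session state on an affected device was exposed while it was vulnerable, so terminating existing SSL VPN sessions after the update and reviewing VPN logs for sessions that did not originate from a normal login is the practitioner's follow-up.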
  • CISA added seven known exploited vulnerabilities to its catalog this week.
  • The DC Health Link cybersecurity breach lawsuit settlement is explained here.

From the ransomware front,

  • Cybersecurity Dive reports,
    • “Ransomware gangs are adapting to stronger enterprise defenses and increased law enforcement pressure with more sophisticated tactics, according to Huntress’ 2025 Cyber Threat Report.
    • “In 75% of the ransomware incidents Huntress observed in 2024, threat actors used remote access Trojans (RATs), while 17.3% of attacks featured abuses of remote monitoring and management products like ConnectWise ScreenConnect, TeamViewer and LogMeIn.
    • “In an effort to evade EDR protections, threat actors are shifting to data theft and extortion attacks instead of deploying ransomware and increasingly relying on “living off the land” techniques with legitimate system administrator tools.”
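The Huntress figures above (RATs in 75% of incidents, abuse of ScreenConnect, TeamViewer and LogMeIn in 17.3%, and living-off-the-land with administrator tools) point to a detection that does not depend on malware signatures: compare the RMM agents actually running on each host with the ones the help desk is supposed to have deployed. The script below is an added example, not code from Huntress or Cybersecurity Dive. The client executable names for the three products are assumptions, and the process-creation events and the per-host approval table are constructed; the event format is a simple tab-separated layout, not any particular EDR's export.

```python
"""Flag RMM agents running on hosts where they are not approved, and note
launch conditions (user-writable path, shell parent) that make them more suspicious.

Added example, not from the report or the article. Binary names are assumed;
events and the approval table are constructed sample data.
"""

# Assumed client executable names (lower-case) -> product, for the tools the report names.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "teamviewer.exe": "TeamViewer",
    "logmein.exe": "LogMeIn",
}

# Constructed approval table: which RMM product the help desk deploys on which host.
APPROVED = {
    "ws-finance-01": {"TeamViewer"},
    "srv-file-02": set(),
}

# Constructed process-creation events, tab-separated:
# timestamp, host, user, image path, parent image path
EVENTS = """\
2025-02-10T09:12:03Z\tws-finance-01\tjdoe\tC:\\Program Files\\TeamViewer\\TeamViewer.exe\tC:\\Windows\\explorer.exe
2025-02-10T09:14:41Z\tsrv-file-02\tSYSTEM\tC:\\Windows\\System32\\svchost.exe\tC:\\Windows\\System32\\services.exe
2025-02-10T22:47:19Z\tsrv-file-02\tsvc_backup\tC:\\Users\\svc_backup\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe\tC:\\Windows\\System32\\cmd.exe
2025-02-10T22:48:02Z\tws-finance-01\tjdoe\tC:\\Users\\jdoe\\Downloads\\LogMeIn.exe\tC:\\Windows\\explorer.exe
"""


def parse_events(text):
    """Parse the tab-separated layout above into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, parent = line.split("\t")
        rows.append({"ts": ts, "host": host, "user": user, "image": image, "parent": parent})
    return rows


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_unexpected_rmm(events, approved):
    """Return findings for RMM executables on hosts where that product is not approved."""
    findings = []
    for e in events:
        product = RMM_BINARIES.get(basename(e["image"]))
        if product is None:
            continue
        if product in approved.get(e["host"], set()):
            continue  # deployed by the help desk; nothing to do
        notes = ["RMM tool not approved for host"]
        lower = e["image"].lower()
        if "\\temp\\" in lower or "\\downloads\\" in lower:
            notes.append("launched from a user-writable directory")
        if basename(e["parent"]) in {"cmd.exe", "powershell.exe"}:
            notes.append("spawned from a shell")
        findings.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                         "product": product, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_rmm(parse_events(EVENTS), APPROVED):
        print(f"{f['ts']} {f['host']} {f['user']} {f['product']}: {'; '.join(f['notes'])}")
```

The approval table is the important part: an RMM agent is legitimate software, so the only reliable signal is whether this particular host is supposed to have it. Keeping that table current (and alerting on installs that bypass the normal deployment channel) is what turns a 17.3% technique into something a SOC can act on.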
  • Dark Reading tells us,
    • “A recent RA World ransomware attack utilized a tool set that took researchers by surprise, given that it has been associated with China-based espionage actors in the past.
    • “According to Symantec, the attack occurred in late 2024. The tool set includes a legitimate Toshiba executable named toshdpdb.exe that deploys on a victim’s device. It then connects to a malicious dynamic link library (DLL) that deploys a payload containing a PlugX backdoor.
    • “The threat actors in this case used the tool kit to ultimately deploy RA World ransomware inside an unnamed Asian software and services company, demanding a ransom of $2 million. No initial infection vector was found. However, the attacker claimed they compromised the victim’s network by exploiting a Palo Alto PAN-OS vulnerability (CVE-2024-0012), according to Symantec.”
    • “The attacker then said administrative credentials were obtained from the company’s intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers,” added the researchers, who hypothesized that based on tactics, techniques, and procedures, the attacker could be China-linked Emperor Dragonfly, aka Bronze Starlight, a group that has been known to deploy ransomware to obscure intellectual property theft in the past.”
  • Reuters reports,
    • “The United States joined Australia and Britain in targeting Russia-based Zservers service provider for its role in supporting the Lockbit ransomware attacks, the U.S. Department of Treasury said on Tuesday [February 11], citing national security concerns.
    • “U.S. Treasury’s Office of Foreign Assets Control also designated two Russian nationals who they said were key administrators for Zservers, a bulletproof hosting services provider or BPH, it added.
    • “Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on U.S. and international critical infrastructure,” wrote Bradley Smith, acting Under Secretary of the Treasury for Terrorism and Financial Intelligence.
    • “The action follows joint U.S., UK and Australia cyber sanctions last year targeting the Evil Corp ransomware group, Treasury added.”

From the cybersecurity defenses and business front,

  • Per Cyberscoop,
    • “Identity security giant CyberArk has acquired Boston-based Zilla Security, a cloud-native identity governance and administration startup, in a deal worth up to $175 million.
    • “The acquisition, announced Thursday [February 13], includes $165 million in cash and a $10 million earn-out contingent on performance milestones. Zilla’s co-founders, CEO Deepak Taneja and Nitin Sonawane, along with their team, will join CyberArk. Zilla’s flagship products — Zilla Comply and Zilla Provisioning — will be integrated into CyberArk’s Identity Security Platform as standalone offerings.
    • Founded in 1999, CyberArk has traditionally built its reputation on securing privileged access across enterprise systems. In recent years, the company has bolstered its portfolio through a series of acquisitions, the most significant being the $1.54 billion purchase of machine identity firm Venafi last year. Together with this latest move, CyberArk seeks to expand its reach into modern identity security — an area increasingly critical as organizations shift toward hybrid and cloud-based environments.
  • An ISACA expert discusses how to define a security incident.
    • “[W]hat is a good definition of a security incident? In my opinion, I believe the NIST definition from NISTIR 8183A Vol. 3 is an amazing definition for small and medium-sized organizations. It states, “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” The “or potentially” does a lot of heavy lifting here but is still a much better definition than those that allow people to more easily wiggle their way out of filling out a ticket for a potential incident. A common occurrence is cherry-picking more vague definitions that don’t have the built-in safeguards and controls around the definition such as the NIST SP 800-53 Rev. 5 for a non-federal system. 
    • “Besides the fact that leveraging this definition means that occurrences such as false positives and security investigations properly follow the ticketing process instead of being undocumented events, there are other helpful points to this definition. The terms “Confidentiality, Integrity and Availability” being in the definition ensures that incidents such as DDOS attacks are not reported as simply “outages” or “infrastructure changes.” The phrase “Constitutes a violation or imminent threat of violation of” expands the scope of what should be monitored and have alerts in place as well as points more eyes inward on internal incidents, which is a wonderful steppingstone toward zero trust.”
  • Here is a link to Dark Reading’s CISO Corner.