
From the cybersecurity renewals, policy and law enforcement front,
- Federal News Network reported on Tuesday,
- “The Cybersecurity and Infrastructure Security Agency [CISA] has inked a last-minute funding extension for a key cyber vulnerability management program.
- CISA’s contract with MITRE to manage the Common Vulnerabilities and Exposures, or CVE, program was set to expire on Wednesday. But after an outcry from the cybersecurity community, CISA executed an 11-month option period for MITRE’s contract on Tuesday night.
- “The CVE program is invaluable to the cyber community and a priority of CISA,” a CISA spokesperson said on Wednesday. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
- The CVE program is a public database of known security vulnerabilities in software and hardware. It’s relied on by organizations across the world to manage cyber vulnerabilities in products and services. CISA’s “Known Exploited Vulnerabilities” database, for instance, relies on CVEs to prioritize how quickly federal agencies must patch bugs on the list.
- Cybersecurity Dive adds,
- “Two federal lawmakers today introduced a bipartisan bill that preserves key regulation that facilitates the sharing of cyber-threat data between private companies and the federal government.
- “The Cybersecurity Information Sharing Extension Act, introduced by U.S. Sens. Gary Peters (D-MI) and Mike Rounds (R-SD), would extend provisions of the Cybersecurity Information Sharing Act of 2015, which is due to expire in September. The law encourages businesses to share information about ongoing cybersecurity threats with the federal government and is one of few legislative actions that has actually had an impact on real-world cybersecurity, security experts said.
- “Specifically, the Cybersecurity Information Sharing Act of 2015 gives incentives to companies to voluntarily share cybersecurity threat indicators, such as software vulnerabilities, malware or malicious IP addresses, with the Department of Homeland Security (DHS). It does this by providing legal protections for companies that do so by providing federal antitrust exemptions and precluding them from being held accountable for state and federal disclosure laws.”
- CISA announced,
- “Cyber threats across the globe have put into focus our country’s need for cyber talent. CISA leads and hosts the President’s Cup Cybersecurity Competition to identify, recognize, and reward the best cyber talent across the federal workforce. Participants are challenged to outthink and outwit their competitors in a series of tests designed to expand cyber skills that are based on real-world situations. For President’s Cup 6, participants will compete in a maximum velocity metaverse full of mayhem and taking place in a world light years ahead of our own.
- “Want to see what it’s like to participate in the President’s Cup? Federal employees can visit the President’s Cup Practice Area to take on challenges from previous competitions and receive a certificate of completion. Anyone can visit the President’s Cup GitHub page to find descriptions, solution guides, virtual machine builds and other artifacts from challenges featured in previous President’s Cup competitions.”
- The National Institute of Standards and Technology (NIST) let us know,
- “A draft update to the NIST Privacy Framework will enable organizations to use it seamlessly with the agency’s Cybersecurity Framework, which received its own update last year.
- “Targeted changes to content and structure respond to stakeholder needs and make the document easier to use.”
- “NIST is accepting public comments on the draft via privacyframework@nist.gov until June 13, 2025. A template for submitting comments can be found at the NIST Privacy Framework website. Following the comment period, NIST will consider additional changes and release a final version later this calendar year.”
- The HHS Office for Civil Rights announced on April 17,
- “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Guam Memorial Hospital Authority (GMHA), a public hospital on the U.S. Territory, island of Guam, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, following the receipt of two complaints alleging that the electronic protected health information (ePHI) of GMHA patients was impermissibly disclosed.” * * *
- “Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats,” said OCR Acting Director Anthony Archeval.
- “Under the terms of the resolution agreement, GMHA agreed to implement a corrective action plan that will be monitored by OCR for three years, and paid OCR $25,000.” * * *
- “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-recap-gmha.pdf [PDF, 228 KB]”
- Per Bleeping Computer,
- “The FBI warns that scammers impersonating FBI Internet Crime Complaint Center (IC3) employees offer to “help” fraud victims recover money lost to other scammers.
- “Over the last two years, between December 2023 and February 2025, the FBI said it has received over 100 reports of fraudsters using this tactic.
- “Complainants report initial contact from the scammers can vary. Some individuals received an email or a phone call, while others were approached via social media or forums,” the law enforcement agency warned in a Friday public service announcement.”
From the cybersecurity vulnerabilities and breaches front,
- Cyberscoop reports,
- “A House panel has concluded that the U.S. government should double down on export controls and other tools to slow down the progress of Chinese AI companies like DeepSeek, while also preparing for a future where those efforts fail.
- “In a report released Wednesday, the House Select Committee on the Chinese Communist Party further fleshes out the financial and technological resources that went into building DeepSeek’s R1 reasoning model, as well as its potential risks to U.S. economic and national security.
- “The authors conclude that the DeepSeek website and app “acts as a direct channel for foreign intelligence gathering on Americans’ private data.”
- Dark Reading adds,
- “One of China’s major state-funded espionage groups has created or otherwise upgraded various malware programs, signaling a notable arsenal refresh that defenders need to be aware of.
- “Mustang Panda (aka Bronze President, Stately Taurus, and TA416) is an advanced persistent threat (APT) believed to be sponsored by the People’s Republic of China (PRC). It has long been known for spying on targets of interest to the PRC, including: military and government organizations, nongovernmental organizations (NGOs), think tanks, minority groups, and corporations in major industries, primarily around East and Southeast Asia but also in the West.
- “Recently, the group attacked an organization based in Myanmar. In the process, researchers from Zscaler uncovered four previously unknown attack tools the group is now using. They include two keyloggers, a tool for facilitating lateral movement, and a driver used to evade endpoint detection and response (EDR) software. Besides that, the group has also upgraded its signature backdoor, “Toneshell.”
- Per Cybersecurity Dive,
- “Lemonade Inc. has begun sending notification letters to about 190,000 people after their driver’s license numbers were transmitted unencrypted, according to regulatory filings by the company.
- “The company said a technical issue in its online application process for car insurance led to the exposure of data in an application programming interface call to a third-party data provider, according to an April 9 filing with the Securities and Exchange Commission.
- “As part of the online application process, certain information is sent between a server and a user’s browser, according to the filing. This includes data used to generate an insurance quote.
- “Lemonade said it learned of the issue on March 14 and said the exposures likely lasted from April 2023 through March 2024, according to a notice filed with the California Attorney General’s office.”
- and
- “Hertz Corp. confirmed a threat actor gained access to sensitive personal data in a breach linked to vulnerabilities in Cleo file-transfer software, according to a filing Friday with the Maine Attorney General’s office.
- “Hertz said it learned on Feb. 10 that an unauthorized third party obtained the data in connection with an attack spree that took place between October and December 2024. Hertz completed an analysis of the stolen data on April 2.
- “Importantly, to date, our investigation has found no evidence that Hertz’s own network was affected by this event,” a Hertz spokesperson said via email.
- CISA added four known exploited vulnerabilities to its catalog this week.
- April 16, 2025
- CVE-2021-20035 SonicWall SMA100 Appliances OS Command Injection Vulnerability
- Cybersecurity Dive discusses this KEV here.
- April 17, 2025
- CVE-2025-31200 Apple Multiple Products Memory Corruption Vulnerability
- CVE-2025-31201 Apple Multiple Products Arbitrary Read and Write Vulnerability
- CVE-2025-24054 Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability
- Cybersecurity Dive adds,
- “Huntress on Monday published research that showed exploitation of CVE-2025-30406, a deserialization vulnerability in Gladinet’s CentreStack enterprise file-sharing platform for managed service providers (MSPs). The cybersecurity vendor said seven organizations were compromised via the zero-day flaw, which involves a hardcoded cryptographic key that can be used to gain remote code execution.
- “Huntress warned that Gladinet’s Triofox product also relies on a hardcoded key and is vulnerable to CVE-2025-30406. Triofox is an on-premises file-sharing server designed for larger enterprises, according to Gladinet.
- “CISA added CVE-2025-30406 to its known exploited vulnerabilities catalog on April 9. Gladinet first disclosed the flaw on April 3 and warned that exploitation had already been observed in the wild.”
From the ransomware front,
- Cybersecurity Dive reports,
- “DaVita has been hit by a ransomware attack that’s affecting operations, the kidney care provider said Monday.
- “The dialysis company discovered the attack, which encrypted parts of its network, on Saturday, according to a securities filing. DaVita then activated its response plans and isolated affected systems.
- “The company did not disclose how its operations are being affected or how long the disruption will last, but said patient care is continuing.”
- and
- “Ahold Delhaize confirmed Thursday that certain files from its U.S. operations were stolen in a November cyberattack after a threat group claimed credit for the incident.
- “The threat group, tracked as Inc Ransom, claimed in a Wednesday post on its leak site to have up to 6 TB of sensitive data from the Netherlands-based supermarket operator’s U.S. division and threatened to release the information if its demands are not met, according to researchers at Arctic Wolf. The attackers have not said what those demands are.
- “Since the incident was detected, our teams have been working diligently to determine what information may have been affected,” Ahold Delhaize USA said in a statement.”
- Per Security Week,
- “The Oregon Department of Environmental Quality (DEQ) is the regulatory agency in charge of the quality of air, land and water in the state. The organization revealed on April 9 that it had launched an investigation into a cyberattack that forced it to shut down networks as part of containment efforts.
- “The DEQ has been issuing updates every day since, and several of the updates pointed out that the agency had found no evidence of a data breach.
- “The incident disrupted email and help desk services, as well as vehicle inspection stations. The agency said its environmental data management system is hosted on a separate server and has not been impacted.
- “After the regulator’s repeated denials about suffering a data breach, the notorious Rhysida ransomware group took credit for the attack on Monday, claiming to have stolen 2.5 Tb of files, including employee data.”
- Bleeping Computer points out,
- “The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices.
- “ClickFix is a social engineering tactic where victims are tricked into executing dangerous PowerShell commands on their systems to supposedly fix an error or verify themselves, resulting in the installation of malware.
- “Though this isn’t the first time ClickFix has been linked to ransomware infections, confirmation about Interlock shows an increasing trend in these types of threat actors utilizing the tactic.
- “Interlock is a ransomware operation launched in late September 2024, targeting FreeBSD servers and Windows systems.
- “Interlock is not believed to operate as a ransomware-as-a-service model. Still, it maintains a data leak portal on the dark web to increase pressure on victims, demanding payments ranging from hundreds of thousands of dollars to millions.”
- The Register adds,
- “Ransomware operators jack up their ransom demands by a factor of 2.8x if they detect a victim has cyber-insurance, a study highlighted by the Netherlands government has confirmed.
- “For his PhD thesis [PDF], defended in January, Dutch cop Tom Meurs looked at 453 ransomware attacks between 2019 and 2021. He found one of the first actions intruders take is to search for documents with the keywords “insurance” and “policy.” If the crooks find evidence that the target has a relevant policy, the ransom more than doubles on average.
- “In double-extortion attacks, where intruders threaten to publish data stolen from the victim unless the ransom is paid, those with insurance on average are quoted 5.5x more than those who don’t.” * * *
- “According to the research, firms with a proper backup system were 27x less likely to pay criminals off, for the simple reason that they usually don’t need to. Even then, surprisingly, some do.
- “In roughly 5 out of 100 cases in which a payment is made, victims do have the option to recover in a way other than paying, but they still choose to pay – for example to recover faster or to prevent reputational damage,” he said.
- “In the remaining 95 cases, there is no other option to recover. In those cases, their entire IT infrastructure is broken and can no longer be repaired, making paying the ransom the only option to avoid bankruptcy.”
From the cybersecurity defenses front,
- The American Hospital Association News tells us,
- “The Cybersecurity and Infrastructure Security Agency April 17 released guidance to reduce risks associated with a reported breach of Oracle cloud services. CISA said the scope and impact of the breach is unconfirmed and that credentials may be exposed that could be reused across unaffiliated systems or embedded. The guidance lists recommendations for organizations and individual users to mitigate the risk of potential compromise.
- “This alert not only contains practical guidance to mitigate the potential breach related to Oracle but also provides valuable guidance and best practices for general cloud security,” said John Riggi, AHA national advisor for cybersecurity and risk. “Generally speaking, we continue to see that most of the cyber risk exposure that hospitals and health systems face originates from insecure third-party technologies, service providers and the supply chain. It is vitally important for mission-critical third parties to share timely threat intelligence and adversary tactics with the federal government and affected clients. This is necessary to prevent potential cyberattacks, which could compromise sensitive data and risk patient safety.”
- Dark Reading asks “Are We Prioritizing the Wrong Security Metrics? True security isn’t about meeting deadlines — it’s about mitigating risk in a way that aligns with business objectives while protecting against real-world threats.”
- Cyberscoop considers whether “Ivanti is the problem or a symptom of a systemic issue with network devices? Exploited vulnerabilities have turned up in Ivanti products 16 times since 2024. That’s more than any other vendor in the network edge device space.”
- Bleeping Computer suggests “7 Steps to Take After a Credential-Based cyberattack.”
- “When credentials fall into the wrong hands and hackers breach your systems, every minute counts — but having a well-rehearsed incident response plan will allow you to minimize damage and recovery time.”
- Here is a link to Dark Reading’s CISO corner.