Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “The Cybersecurity and Infrastructure Security Agency will soon have a new second-in-command.
    • Madhu Gottumukkala has been named deputy director. He comes over to CISA from his prior position in the South Dakota government, where Kristi Noem was most recently governor before taking over as secretary of the Department of Homeland Security. Gottumukkala had been commissioner of the Bureau of Information and Telecommunication (BIT) and state chief information officer.
    • “He’ll leave BIT on May 16. A CISA spokesperson confirmed that Gottumukkala would become deputy director of the agency.”
  • CISA gives us the results of the President’s Cup competition and also announced on April 23,
    • “The [Critical Vulnerabilities and Exposures] CVE Program is an invaluable public resource relied upon by network defenders and software developers alike. As the nation’s cyber defense agency, it is a foundational priority for CISA. Recent public reporting inaccurately implied the program was at risk due to a lack of funding. To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse. There has been no interruption to the CVE program and CISA is fully committed to sustaining and improving this critical cyber infrastructure. 
    • CISA is proud to be the sponsor for the CVE program, a role we have held for decades. During this time, the CVE Program has gone through many evolutions, and this opportunity is no exception. MITRE, CISA, and the CVE Board have transformed this program into a federated capability with 453 CVE Numbering Authorities (CNAs). This growth has enabled faster and more distributed CVE identification, providing valuable vulnerability information to the public and enabling defenders to take quick action to protect themselves. We have historically been and remain very open to reevaluating the strategy to support the continued efficacy and value of the program.  
    • We also recognize that significant work lies ahead. CISA, in coordination with MITRE and the CVE Board, is committed to actively seeking and incorporating community feedback into our stewardship of the CVE Program. We are committed to fostering inclusivity, active participation, and meaningful collaboration between the private sector and international governments to deliver the requisite stability and innovation to the CVE Program. And we are committed to achieving these goals together.
  • Bleeping Computer tells us,
    • “The FBI has asked the public for information on Chinese Salt Typhoon hackers behind widespread breaches of telecommunications providers in the United States and worldwide.
    • “In October, the FBI and CISA confirmed that the Chinese state hackers had breached multiple telecom providers (including AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream) and many other telecom companies in dozens of countries.
    • “As revealed at the time, while they had access to the U.S. telecoms’ networks, the attackers also accessed the U.S. law enforcement’s wiretapping platform and gained access to the “private communications” of a “limited number” of U.S. government officials.”
  • The HHS Office for Civil Rights announced,
    • “Today [April 25], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Comprehensive Neurology, PC (Comprehensive), a small New York neurology practice, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation of a [2020] ransomware attack against Comprehensive.” * * *
    • “Under the terms of the settlement, Comprehensive agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $25,000 to OCR.”
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-hipaa-racap-np.pdf [PDF, 245 KB].”
  • and
    • “Today [April 23], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with PIH Health, Inc. (PIH), a California health care network, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The violations stem from a phishing attack that exposed unsecured electronic protected health information (ePHI), prompting concerns related to the Privacy, Security, and Breach Notification Rules under HIPAA.” * * *
    • “The settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020. The breach report stated that in June 2019, a phishing attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.”
    • “Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that will be monitored by OCR for two years and paid a $600,000 settlement to OCR.” * * *
    • The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html.

Three important reports were released this week.

  • Per Cyberscoop,
    • “It looks like 2024 was a record year in cybercrime for all the wrong reasons, according to the FBI’s annual Internet Crime Complaint Center (IC3) report released Wednesday. 
    • “As cyber-enabled fraud and ransomware continue to harm individuals, businesses, and critical infrastructure, the report, now in its 25th year, provides crucial insight into evolving criminal tactics and their nationwide impact. The report is overflowing with key trends, case data, and other statistics from the FBI’s ongoing efforts to combat the cyberthreat landscape.”
  • and
    • “Cybercriminals and state-sponsored threat groups exploited vulnerabilities and initiated ransomware attacks with vigor last year, escalating the scope of their impact by hitting more victims and outmaneuvering defenses with speed.
    • “The rate of ransomware detected in data breaches jumped 37%, occurring in 44% of the 12,195 data breaches reviewed in Verizon’s 2025 Data Breach Investigations Report released Wednesday. Researchers observed the presence of ransomware in 32% of data breaches in last year’s report. 
    • “Verizon’s research underscores the twists and turns of cybercriminal activity and its wide-reaching impact on organizations. “We see less payment activity,” Alex Pinto, associate director of threat intelligence at Verizon Business, told CyberScoop, “but we don’t see it slowing down.”
  • Per Cybersecurity Dive,
    • “Threat actors motivated by financial gain continue to rise in prominence, representing 55% of all cyber actors during 2024, according to a report by Mandiant. The figures show a steady increase from 52% in 2023 and 48% in 2022. 
    • “Exploits remained the most common initial access vector for the fifth consecutive year, representing 33% of exploits overall, according to the Mandiant M-Trends 2025 report. However, stolen credentials became the second most common initial access point for the first time, indicating a rising trend.
    • “Cyber threat groups are increasingly targeting unsecured data repositories as poor security hygiene continues to leave organizations at risk.”

From the cyber vulnerabilities and breaches front,

  • Healthcare Dive reports,
    • “A data breach at Yale New Haven Health has exposed the information of about 5.6 million people, according to a report submitted to federal regulators earlier this month.
    • “The Connecticut-based health system detected unusual activity on its IT systems in early March, Yale New Haven said in a press release. An investigation later found an unauthorized third party had gained access to its network and stole copies of some patient data. 
    • “The incident is the largest healthcare breach reported to federal regulators so far in 2025, according to a portal managed by the HHS’ Office of Civil Rights.”
  • and
    • “A data breach at Blue Shield of California exposed information from 4.7 million people, according to a notice filed with federal regulators earlier this month. 
    • “In February, the insurer learned that Google Analytics, a vendor Blue Shield employs to track use of its websites, was sharing member data with the advertising service Google Ads from April 2021 through January 2024, according to a breach notice. 
    • “Blue Shield can’t confirm whether any particular beneficiary’s information is affected due to “the complexity and scope of the disclosures,” so the insurer is notifying all members who could have accessed their information on affected websites during the nearly three-year period.” 
  • Cybersecurity Dive tells us,
    • “Conduent Inc. warned in an April 14 regulatory filing with the Securities and Exchange Commission that a “significant” number of people had their personal data stolen in a January cyberattack that affected a limited number of the company’s clients.
    • “The company, a major government payments technology vendor for social services and transit systems, was targeted in a Jan. 13 attack that disrupted certain operations. 
    • “The company warned it has incurred and accrued a material amount of nonrecurring expenses related to the breach. A spokesperson for the company did not have specific numbers yet, but a breach notification has already been posted by the California Attorney General’s office.”
  • and
    • Threat groups from across the globe are increasingly weaponizing older vulnerabilities for exploitation, according to a report released Wednesday by GreyNoise Intelligence.
    • More than half of these resurgent vulnerabilities affect edge technologies, the report shows. Nearly seven out of 10 of the most unpredictable vulnerabilities — known as Black Swan vulnerabilities — affect edge technologies.
    • Almost 40% of Black Swan vulnerabilities specifically affect VPNs and routers, according to the report.
  • Per Cyberscoop,
    • “Attackers exploited nearly a third of vulnerabilities within a day of CVE disclosure in the first quarter of 2025, VulnCheck said in a report released Thursday. The company, which focuses on vulnerability threat intelligence, identified 159 actively exploited vulnerabilities from 50 sources during the quarter.
    • “The time from CVE disclosure to evidence of exploitation in the first quarter was marginally faster than what VulnCheck observed during 2024, Patrick Garrity, security researcher at the company, said in the report. “This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt,” Garrity wrote. 
    • “VulnCheck’s research reinforces multiple recent reports that warned about increased exploits in 2024. Mandiant said exploits were the most common initial infection vector last year, representing 1 of every 3 attacks. Verizon reported a 34% increase in exploited vulnerabilities, and IBM X-Force said exploitation of public-facing applications accounted for 30% of incident response cases last year.”
  • and
    • “Attackers are having a field day with software defects in security devices, according to a new report released Wednesday by Mandiant. 
    • “Exploits were the most common initial infection vector, representing 1 of every 3 attacks in 2024, and the four most frequently exploited vulnerabilities were all contained in edge devices, such as VPNs, firewalls and routers, Mandiant said in its M-Trends report released Wednesday.
    • “Exploitation of these vulnerabilities represented slightly less than half of all observed vulnerability exploitation,” said Kirstie Failey, principal threat analyst at Google Threat Intelligence Group, under which the Mandiant brand operates.
    • “Threat researchers and federal cyber authorities have been sounding the alarm about attacks targeting network edge devices for more than a year. Since 2024, security device exploits have resulted in attacks on government agencies and some of the most valuable publicly-traded companies in the world.”
  • Per Cybersecurity Dive,
    • “Security researchers warn that hackers are actively exploiting a critical unrestricted-file-upload vulnerability in SAP NetWeaver Visual Composer. 
    • “The vulnerability, tracked as CVE-2025-31324, could allow an unauthenticated user to upload malicious executable binaries. The vulnerability has a severity score of 10.  
    • “Researchers from Reliaquest disclosed the vulnerability to SAP after an investigation uncovered attackers uploading JSP webshells into publicly accessible directories.” 
  • FEHBlog note: CISA did not add a known exploited vulnerability to its catalog this week.

From the ransomware front,

  • Palo Alto Networks issued a report on extortion and ransomware trends in the first quarter of 2025.
  • Dark Reading reports,
    • “The ransomware-as-a-service model is perpetually troubling for dropping the barrier to entry for aspiring ransomware actors, and two threat actors are innovating in the space with additional affiliate models.
    • “Extended detection and response vendor Secureworks (owned by Sophos) published research today detailing expanded affiliate models belonging to ransomware-as-a-service (RaaS) gangs DragonForce and Anubis.
    • “As a model, ransomware-as-a-service (RaaS) has gained significant popularity in recent years. A threat actor typically sells or leases many of the tools a less experienced cybercriminal (or affiliate) would need to conduct a ransomware attack; the affiliate typically shares the proceeds from subsequent attacks with the operator.
    • “The RaaS model has significantly lowered the technical barriers for wannabe cybercriminals, and as such it has become a serious problem for organizations around the world.”
  • Infosecurity Magazine notes,
    • “A new ransomware strain known as ELENOR-corp, identified as version 7.5 of the Mimic ransomware, has been used in a series of targeted attacks on the healthcare sector.
    • “The campaign displays a range of advanced capabilities, including data exfiltration, persistent access and anti-forensic strategies designed to cripple recovery efforts and maximize damage.”

From the cybersecurity defenses front,

  • Here is a link to Dark Reading’s CISO Corner.