
From the cybersecurity and law enforcement front,
- Cyberscoop reports,
- “Homeland Security Secretary Kristi Noem outlined her plans Tuesday to refocus the Cybersecurity and Infrastructure Security Agency (CISA) on protecting critical infrastructure from increasingly sophisticated threats — particularly from China — while distancing the agency from what she characterized as mission drift under previous leadership.
- “Speaking at the 2025 RSAC Conference, Noem provided the most detailed vision yet of how the current administration is pushing CISA to a “back-to-basics” approach aimed at hardening defenses against adversaries who have demonstrated capabilities to infiltrate critical systems.”
- and
- “Threat intelligence sharing is flowing between the private sector and federal government and remains unimpeded thus far by job losses and budget cuts across federal agencies that support the cyber mission, according to executives at major security firms.
- “Top brass at Amazon, CrowdStrike, Google and Palo Alto Networks said there’s been no change to interactions with the federal government since President Donald Trump was inaugurated earlier this year.
- “Across multiple interviews and media briefings during the RSAC 2025 Conference this week, none of the leaders at these top cybersecurity companies conveyed any concern about or experience with communication breakdowns. Each of them dismissed the idea that collaboration has slowed down amid significant workforce reductions and strategic changes across the federal government.”
- Earlier this week, the National Institute of Standards and Technology released its FY 2024 Cybersecurity & Privacy Program Annual Report.
- Federal News Network tells us,
- “While much of the cybersecurity community’s attention was out west at the annual RSA Conference, the Justice Department announced yet another settlement in its pursuit of contractors who falsely attest to meeting cybersecurity requirements.
- “DoJ announced today that Raytheon Company, RTX Corporation and Nightwing Group have agreed to pay $8.3 million to settle allegations that Raytheon violated the False Claims Act by falling short of contractually mandated cybersecurity standards.
- “RTX sold its cybersecurity, intelligence and services business to Nightwing in 2024. DoJ’s case centered on conduct between 2015 and 2021, prior to the acquisition.
- “The case is another feather in the cap for DoJ’s Civil-Cyber Fraud Initiative. Started under the Biden administration, the goal of the initiative is to enforce cybersecurity requirements that many contractors had been ignoring through the False Claims Act.”
- Per the Hacker News,
- “The U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States.
- “Rami Khaled Ahmed of Sana’a, Yemen, has been charged with one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer. Ahmed is assessed to be currently living in Yemen.
- “From March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin,” the DoJ said in a statement.”
- Cyberscoop adds,
- “Federal authorities extradited a Ukrainian citizen to the United States on Wednesday to face charges for participating in a series of ransomware cyberattacks on organizations based in the U.S. and multiple European countries.
- “Artem Stryzhak, 35, was arrested in Spain in June 2024 and was scheduled to appear for arraignment Thursday in the U.S. District Court for the Eastern District of New York. Stryzhak is accused of conspiracy to commit fraud and related activity, including extortion.
- “Prosecutors accuse Stryzhak and his co-conspirators of using Nefilim ransomware to encrypt computer networks in the U.S., Canada, France, Germany, Australia, the Netherlands, Norway and Switzerland between late 2018 to late 2021.
- “As alleged, the defendant was part of an international ransomware scheme in which he conspired to target high-revenue companies in the United States, steal data, and hold data hostage in exchange for payment. If victims did not pay, the criminals then leaked the data online,” John Durham, U.S. attorney for the Eastern District of New York, said in a statement.”
From the cybersecurity vulnerabilities and breaches front,
- Cybersecurity Dive reports,
- “Hackers are increasingly using AI in their attacks and defenders should follow suit, Check Point Software Technologies said in a report published Wednesday.
- “The company’s AI security report, announced at the 2025 RSAC Conference in San Francisco, also found that one in 13 generative AI prompts contained potentially sensitive information, and one in every 80 prompts posed “a high risk of sensitive data leakage.”
- “Unauthorized AI tools, data loss, and AI platform vulnerabilities topped the list of AI risks for enterprises, according to Check Point.”
- and
- “In a report published Tuesday, Google said it saw hackers exploit fewer zero-day vulnerabilities in the wild in 2024 than in 2023.
- “The company attributed the decrease to improvements in secure software development practices.
- “Still, Google said it is seeing a “slow but steady” increase in the rate of zero-day exploitation over time.”
- CISA added eight known exploited vulnerabilities to its catalog this week.
- “April 28, 2025
- “CVE-2025-1976 Broadcom Brocade Fabric OS Code Injection Vulnerability
- “CVE-2025-42599 Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability
- “CVE-2025-3928 Commvault Web Server Unspecified Vulnerability”
- Bleeping Computer discusses these KEVs here.
- “April 29, 2025
- “CVE-2025-31324 SAP NetWeaver Unrestricted File Upload Vulnerability”
- Cybersecurity Dive discusses this KEV here.
- “May 1, 2025
- “CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability
- “CVE-2023-44221 SonicWall SMA100 Appliances OS Command Injection Vulnerability”
- Cybersecurity News discusses the Apache KEV here.
- Bleeping Computer discusses the SonicWall KEV here.
- “May 2, 2025
- “CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability
- “CVE-2024-58136 Yiiframework Yii Improper Protection of Alternate Path Vulnerability”
- Security Affairs discusses these KEVs here.
From the ransomware front,
- Techradar points out,
- “New research has revealed the scale of recent ransomware revolution, warning it remains a dominant threat to organizations worldwide.
- “A Veeam study, which gathered insights from 1,300 CISOs, IT leaders, and security professionals across the Americas, Europe, and Australia, found nearly three-quarters of businesses were impacted by ransomware over the past year.
- “Cybersecurity measures seem to be having some effect, with businesses facing ransomware incidents dropping slightly from 75% to 69% – and ransomware payments are also decreasing, as in 2024, 36% of affected businesses chose not to pay, and 60% of those who did paid less than half of the demanded ransom.”
- Dark Reading adds,
- “Several high-profile retailers based in the UK have suffered cyberattacks in recent weeks, and all signs point to two possible threat actors being behind the campaign.
- “The National Cyber Security Centre (NCSC), the UK’s primary cyber agency, said on May 1 that it was tracking a series of attacks impacting retailers. NCSC CEO Dr. Richard Horne said in an included statement that the agency was working with affected organizations and that “these incidents should act as a wake-up call to all organizations.”
- “Co-Op, Marks & Spencer, and Harrods are among the retailers that have confirmed attacks in recent weeks. In an article published May 2, Bloomberg News reported a spokesperson for the DragonForce ransomware gang — a group that emerged as a ransomware-as-a-service (RaaS) player in 2023 — took credit for the attacks against all three retailers.
- “Last month, researchers from Sophos’ Secureworks reported that DragonForce had an RaaS model where affiliates could create their own “brand,” using DragonForce’s ransomware or using their own tools for extortion attacks.”
- and
- “The notorious Scattered Spider threat group continues to attack high-value targets despite landing on the receiving end of multiple global law enforcement operations.
- “Scattered Spider gained notoriety in recent years with high-profile breaches and ransomware attacks against large enterprises, including Las Vegas casino and hotel giants Caesars Entertainment and MGM Resorts in 2023. First emerging in 2022, the group’s members displayed a knack for social engineering schemes that allowed them to steal credentials from targeted organizations and gain privileged access into their networks. * * *
- “Bleeping Computer this week reported that the cyberattack against British retail giant Marks & Spencer was perpetrated by members of the group using DragonForce ransomware. Earlier this month, threat intelligence vendor Silent Push said it had observed significant threat activity, specifically phishing campaigns targeting well-known brands this year, from Chick-fil-A to Louis Vuitton.”
- and
- “RansomHub, an aggressive ransomware-as-a-service (RaaS) operation that gained prominence over the past year in the wake of law enforcement actions against LockBit and ALPHV, appears to have abruptly gone dark earlier this month.
- “In a new report this week that offers an in-depth look at RansomHub’s affiliate recruitment methods, negotiation tactics, and aggressive extortion strategies, researchers at Group-IB described the operation as inactive since April 1.
- “Cybercriminals associated with the operation may have migrated to the Russian-language speaking Qilin RaaS operation and are continuing their attacks under that banner, Group-IB said. The security vendor did not offer any explanation for the rapidly growing RansomHub operation’s seemingly sudden and unexpected demise — if that is indeed what it is.”
- TechTarget offers a “look at the [seven] distinct stages of the ransomware lifecycle to better understand how attackers strike — and how defenders might be better able to resist.”
From the cybersecurity defense front,
- Cyberscoop reports,
- “Leaders of various federal research agencies and departments outlined a vision Tuesday for the future of critical infrastructure security, emphasizing the promise of combining formal software development methods with large language models (LLMs).
- “Acting DARPA Director Rob McHenry told an audience at the RSAC 2025 Conference that such a combination could “virtually eliminate software vulnerabilities” across foundational system infrastructures, a departure from the traditionally accepted risks of software flaws.
- “We’ve all been trained in a world where we have to accept that there are vulnerabilities in our software, and bad guys exploit those vulnerabilities,” he said. “We try to mitigate the damage and patch them, and we go round on this merry-go-round. That technologically does not need to be true anymore.”
- “DARPA’s statements came in the context of the AI Cyber Challenge, a public-private collaboration involving industry leaders such as Google, Microsoft, Anthropic and OpenAI. The initiative tests whether advanced AI systems can identify and patch vulnerabilities in open-source software components vital to the electric grid, health care, and transportation.”
- and
- “Cryptography experts say the race to fend off future quantum-computer attacks has entered a decisive but measured phase, with companies quietly replacing the internet plumbing that the majority of the industry once considered unbreakable.
- “Speaking at Cloudflare’s Trust Forward Summit on Wednesday, encryption leaders at IBM Research, Amazon Web Services and Cloudflare outlined how organizations are refitting cryptographic tools that safeguard online banking, medical data and government communications. The aim is to stay ahead of quantum machines that, once powerful enough, could decode the math protecting today’s digital traffic.
- “Over the next five to 10 years you’re going to see a Cambrian explosion of different cryptographic systems,” said Wesley Evans, a product manager for Cloudflare’s research team, referring to an evolutionary period with a rapid diversification of animal life that occurred roughly 540 million years ago.”
- Dark Reading adds,
- “Each year, top SANS faculty joins the RSAC conference to present what their community of practitioners and researchers see as the most pressing challenges facing the cybersecurity community for the year to come. This year’s list of top-five threats aren’t merely technical, and tackling them will demand coordinated leadership from the very top of the organization and beyond.
- “The attack techniques outlined in the SANS RSAC 2025 keynote underscore a common theme: Cybersecurity is no longer confined to the security operations center — it’s a leadership issue that impacts every layer of the enterprise,” according to a SANS media statement. “The threats of tomorrow demand a strategic, integrated response rooted in visibility, agility, and cross-functional alignment.”
- Bleeping Computer notes,
- “Microsoft has announced that all new Microsoft accounts will be “passwordless by default” to secure them against password attacks such as phishing, brute force, and credential stuffing.
- “The announcement comes after the company started rolling out updated sign-in and sign-up user experience (UX) flows for web and mobile apps in March, optimized for passwordless and passkey-first authentication.
- “As part of this simplified UX, we’re changing the default behavior for new accounts. Brand new Microsoft accounts will now be ‘passwordless by default’,” said Joy Chik, Microsoft’s President for Identity & Network Access, and Vasu Jakkal, Corporate Vice President for Microsoft Security.”
- Here is a link to Dark Reading’s CISO Corner.