Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy and law enforcement front,

  • Cyberscoop tells us,
    • “A bipartisan Senate duo is reintroducing legislation Thursday that would establish an executive branch panel to align conflicting cybersecurity regulations on the private sector.
    • “Michigan Sen. Gary Peters, the top Democrat on the Homeland Security and Governmental Affairs Committee, is bringing back the Streamlining Federal Cybersecurity Regulations Act with co-sponsor James Lankford, R-Okla.
    • “By reducing the number of duplicative or burdensome reporting requirements, we can give businesses the tools to better secure our critical infrastructure against the serious threat of cyberattacks,” Peters said about the reintroduction of the bill, which CyberScoop is first reporting. “This legislation ensures federal agencies can work collaboratively to create effective cybersecurity standards, enabling businesses to focus on safeguarding their systems rather than navigating a maze of conflicting requirements.”
  • and
    • “A bipartisan pair of senators is taking another shot at legislation that would require federal government contractors to follow National Institute of Standards and Technology guidelines on vulnerability disclosure policies.
    • “The Federal Contractor Cybersecurity Vulnerability Reduction Act from Sens. Mark Warner, D-Va., and James Lankford, R-Okla., advanced out of the chamber’s Homeland Security and Governmental Affairs Committee last November but never got a full floor vote.
    • “The companion bill from Reps. Nancy Mace, R-S.C., and Shontel Brown, D-Ohio, meanwhile, was reintroduced in January and passed the House in March.
    • “The re-do from Warner and Lankford would make sure government contractors have the same legal obligations that federal agencies do in abiding by NIST’s recommendations on vulnerability disclosure policies. With VDPs, organizations can receive unsolicited reports on software vulnerabilities and patch them before an attack occurs.” 
  • Per a Cybersecurity and Infrastructure Security Agency news release,
    • The Cybersecurity and Infrastructure Security Agency (CISA) is proud to announce the appointment of Madhu Gottumukkala as its new Deputy Director. In this role, he will help lead CISA’s mission to understand, manage, and reduce risk to the cyber and physical infrastructure that the American people rely on every day. 
    • Prior to his appointment as the CISA Deputy Director, Dr. Gottumukkala served as Commissioner and Chief Information Officer for South Dakota’s Bureau of Information and Technology, overseeing statewide technology and cybersecurity initiatives. He assumed this role after serving as South Dakota’s second-ever chief technology officer, focused on innovation through the adoption of emerging technologies, while increasing efficiency by replacing outdated legacy systems.
    • “I am honored to be appointed by Secretary Noem to serve as Deputy Director of CISA. As a former state and local leader, I have seen firsthand the exceptional work CISA does in advancing our nation’s cybersecurity and infrastructure resilience,” said Gottumukkala. “I look forward to building on that foundation by fostering collaboration and strengthening resilience across all levels of government and the private sector. Together, through trusted partnerships, transparency, and shared responsibility, we can better manage systemic risks and safeguard the critical functions that ensure our nation’s safety and prosperity.”
  • Cybersecurity Dive reports,
    • “Microsoft’s Digital Crimes Unit (DCU) on Wednesday [May 21] announced an international operation to disrupt Lumma Stealer, a variant of infostealing malware that is popular with criminal gangs and other threat actors worldwide. 
    • “Hackers have used Lumma to steal passwords, credit cards, bank account information and cryptocurrency wallets in major attack campaigns in recent years, Steven Masada, assistant general counsel at Microsoft’s DCU, said in a blog post.
    • “Between March 16 and May 16, Microsoft identified more than 394,000 Windows computers infected with Lumma. After obtaining a court order from the U.S. District Court for the Northern District of Georgia, Microsoft seized 2,300 domains that formed the backbone of Lumma’s infrastructure. The U.S. Department of Justice also seized Lumma’s central command structure and disrupted online marketplaces that sold Lumma.”
  • Here is a link to a related CISA advisory.

From the cybersecurity vulnerabilities and breaches front,

  • CISA added seven known exploited vulnerabilities to its catalog this week.
    • May 19, 2025
      • CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
      • CVE-2025-4428 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
      • CVE-2024-11182 MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
      • CVE-2025-27920 Srimax Output Messenger Directory Traversal Vulnerability
      • CVE-2024-27443 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
      • CVE-2023-38950 ZKTeco BioTime Path Traversal Vulnerability
        • Ivanti discusses its KVEs here.
        • Cyber Press discusses the MDaemon KVE here.
        • TechTarget discusses the Srimax KVE here.
        • Syscan discusses the Synacor KVE here.
    • May 22, 2025
      • CVE-2025-4632 Samsung MagicINFO 9 Server Path Traversal Vulnerability
        • The Hacker News discusses this KVE here.
  • On May 21, released a joint cybersecurity advisory which
    • highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.
  • On May 22, CISA released an “Advisory Update on Cyber Threat Activity Targeting Commvault’s SaaS Cloud Application (Metallic).
  • Security Week relates “The developers of OpenPGP.js have released updates to patch a critical vulnerability that can be exploited to spoof message signature verification.”
    • OpenPGP.js is an open-source JavaScript implementation of the OpenPGP email encryption library, enabling its use on any device. According to its developers, “The idea is to implement all the needed OpenPGP functionality in a JavaScript library that can be reused in other projects that provide browser extensions or server applications.”
    • “Its website shows that OpenPGP.js is used by projects such as FlowCrypt, Mymail-Crypt, UDC, Encrypt.to, PGP Anywhere, and Passbolt.”
  • Dark Reading points out “3 Severe Bugs Patched in Versa’s Concerto Orchestrator. Three zero-days could have allowed an attacker to completely compromise the Concerto application and the host system running it.”
  • Per SC Media,
    • “Stolen credentials were the root cause of more than 30% of data breaches last year, according to Verizon’s 2025 Data Breach Investigations Report. Attackers compromised more than 23 million unmanaged and user-controlled devices—including personal laptops and home systems used in remote work settings—to extract login information, often using session cookies to bypass multi-factor authentication and other access controls.
    • “Credentials don’t just manifest—you’re either phishing them, brute forcing them, or stealing them via malware,” said Philippe Langlois, lead data scientist at Verizon and co-author of the 2025 DBIR, speaking at last month’s RSAC 2025.
    • “Those numbers aren’t outliers—they’re symptoms of a deeper failure in enterprise cybersecurity. Identity systems, Langlois noted at RSAC 2025, are now routinely exploited as entry points with attackers relying less on technical exploits—like finding and exploiting software vulnerabilities—and more on credential-based access, where they simply log in using stolen usernames, passwords, or hijacked sessions.”

From the ransomware front,

  • Cybersecurity Dive lets us know,
    • “Kettering Health is facing a cyberattack that’s impacting patient care, the Ohio-based health system said on Tuesday [May 20].
    • “The provider was hit by a system-wide technology outage Tuesday morning due to unauthorized access to its network, Kettering said in a press release. 
    • “Elective inpatient and outpatient procedures at the health system’s facilities were canceled Tuesday. Kettering’s call center was also knocked offline and might have been occasionally inaccessible, the provider added.”
  • Security Week informs us,
    • “In a data breach notice published on its website, Marlboro-Chesterfield Pathology said it discovered unauthorized activity on some internal IT systems on January 16, 2025. An investigation revealed that the hackers had stolen some files.
    • “The compromised data includes personal information such as name, address, date of birth, medical treatment information, and health insurance information. The stolen information varies by individual. 
    • “MCP informed the US Department of Health and Human Services (HHS) this week that the incident impacted 235,911 individuals.”
  • Per Bleeping Computer,
    • “The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks.
    • “Also known as Luna Moth, Chatty Spider, and UNC3753, this threat group has been active since 2022and was also behind BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks.
    • “In March 2022, following Conti’s shutdown, the threat actors separated from the cybercrime syndicate and formed their own operation called Silent Ransom Group (SRG).
    • “In recent attacks, SRG impersonates the targets’ IT support in email, fake sites, and phone calls using social engineering tactics to gain access to the targets’ networks.
    • “This extortion group doesn’t encrypt the victims’ systems and is known for demanding ransoms not to leak sensitive information stolen from compromised devices online.”
  • Per Dark Reading,
    • “Yet another threat group has embraced the trend of combining email bombing with vishing to gain initial access to systems and deploy ransomware.
    • “This time the adversary employing the technique, first documented as a tactic of Black Basta ransomware group, is the recently emerged 3AM ransomware group, researchers at Sophos revealed in a recent blog post. Sophos spotted an attack in the first quarter this year by 3AM affiliates, which followed the familiar playbook and successfully stole data from the targeted system but did not complete the ransomware attack.”
  • Per Fortra’s Tripline,
    • “Health-ISAC recently released their 2025 Health Sector Cyber Threat Landscape Report, a comprehensive outline of the malicious activity aimed at healthcare in the previous year. Not surprisingly, ransomware was cited by security professionals in the industry as the number one threat of 2024 and the top area of concern coming into 2025 (followed by third-party breaches, supply chain attacks, and zero-day exploits). Some things never change.
    • “However, when it comes to ransomware, they do evolve. Take a look at [the Tripline article] some of the reasons ransomware maintains its top spot as the primary plague of healthcare organizations as we move into another threat-filled year.”

From the cybersecurity business and defenses front,

  • Cybersecurity Dive reports,
    • “Shares of Palo Alto Networks fell Wednesday after the company reported better-than-expected earnings in the third fiscal quarter but disappointed some investors over its margins. 
    • “The company reported non-GAAP (generally accepted accounting principles) net income of 80 cents a share during the quarter that ended on April 30, up from 66 cents in the same quarter last year. Those earnings beat consensus estimates of 77 cents. 
    • “Revenue grew 15%, to $2.3 billion, in the quarter, compared with $2 billion in the same period last year.”
  • and
    • Companies designing AI systems should protect training data from tampering and strictly limit access to its underlying infrastructure, the U.S. and three allies said in a joint guidance document published on Thursday [May 22].
    • The AI security guidance addresses multiple topics, including protecting data throughout the AI systems’ life cycle, supply chain considerations and ways to mitigate possible attacks on large data sets.
    • The multilateral warning reflects concerns in the U.S. and allied nations about powerful AI models containing vulnerabilities that can ripple across critical infrastructure.
  • NIST discusses “Cybersecurity and AI: Integrating and Building on Existing NIST Guidelines.”
  • The Wall Street Journal explains “How to lock down your finances and online accounts after a data breach spreads your information to the secret corners of the internet.”
  • Here’s a link to Dark Reading’s CISO Corner.