
From the cybersecurity policy and law enforcement front,
- Helpnet Security tells us,
- “NIST has introduced a new way to estimate which software vulnerabilities have likely been exploited, and it’s calling on the cybersecurity community to help improve and validate the method.
- “The new metric, “Likely Exploited Vulnerabilities” (LEV), aims to close a key gap in vulnerability management: identifying which of the thousands of reported flaws each year are actually being used in real-world attacks.
- “Organizations typically rely on two main tools for this: the Exploit Prediction Scoring System (EPSS), which estimates the chance of future exploitation, and Known Exploited Vulnerability (KEV) lists like the one maintained by CISA. But both have limits. EPSS is predictive and doesn’t account for past exploitation, while KEV lists are confirmed cases but often incomplete.
- “LEV aims to bridge that gap by calculating the probability that a vulnerability has been exploited in the past, based on historical EPSS data. It’s a statistical estimate, not a confirmation, which is why the whitepaper emphasizes that LEV is meant to augment, not replace, existing methods.” * * *
- The researchers outline four key ways LEV could be used:
- 1. Estimate how many vulnerabilities have been exploited.
- 2. Check how complete KEV lists are.
- 3. Identify high-risk vulnerabilities missing from those lists.
- 4. Fix blind spots in EPSS, which sometimes underestimates risk for already-exploited bugs.
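As an added illustration (not code from the Helpnet article or from NIST), here is a small Python calculation of the LEV idea described above and of the first three uses in the list: each EPSS score is a 30-day exploitation probability, so the chance a flaw was never exploited is the product of the complements across the windows, and LEV is one minus that product. The product-of-complements form with a partial-window weight is my reading of the NIST whitepaper and is an assumption here, as are the placeholder CVE names, the score histories and the KEV list, all of which are constructed.

```python
from datetime import date, timedelta

WINDOW_DAYS = 30  # EPSS scores the probability of exploitation within the next 30 days
DEFAULT_AS_OF = date(2025, 3, 2)  # constructed "today" for the worked example

# Constructed EPSS histories for illustration only:
# {CVE placeholder: [(score date, EPSS score), ...]}.
# Samples are spaced one EPSS window apart so that no two windows overlap.
EPSS_HISTORY = {
    "CVE-EXAMPLE-1": [(date(2025, 1, 1), 0.50), (date(2025, 1, 31), 0.50)],
    "CVE-EXAMPLE-2": [(date(2025, 1, 1), 0.10), (date(2025, 1, 31), 0.20)],
    "CVE-EXAMPLE-3": [(date(2025, 2, 15), 0.40)],
}

def window_weight(score_date, as_of):
    """Fraction of the 30-day window starting at score_date that lies before as_of."""
    if score_date + timedelta(days=WINDOW_DAYS) <= as_of:
        return 1.0
    return (as_of - score_date).days / WINDOW_DAYS

def lev(history, as_of):
    """Probability that the flaw was exploited at least once in any window up to as_of.

    Assumed form (my reading of the NIST whitepaper): the flaw escaped exploitation
    only if it escaped in every window, so LEV = 1 - prod(1 - epss_i * weight_i).
    """
    samples = sorted(history)
    for (d_prev, _), (d_next, _) in zip(samples, samples[1:]):
        if (d_next - d_prev).days < WINDOW_DAYS:
            raise ValueError("EPSS samples closer than one window would double count")
    p_never = 1.0
    for score_date, epss in samples:
        if score_date >= as_of:
            continue  # window has not started yet, so it contributes nothing
        p_never *= 1.0 - epss * window_weight(score_date, as_of)
    return 1.0 - p_never

def lev_table(histories, as_of):
    return {cve: lev(h, as_of) for cve, h in histories.items()}

def expected_exploited(levs):
    """Expected number of exploited vulnerabilities (use 1 in the article's list)."""
    return sum(levs.values())

def likely_missing_from_kev(levs, kev, threshold=0.5):
    """High-LEV vulnerabilities absent from a KEV list (uses 2 and 3 in the list)."""
    return sorted(cve for cve, p in levs.items() if p >= threshold and cve not in kev)

if __name__ == "__main__":
    levs = lev_table(EPSS_HISTORY, DEFAULT_AS_OF)
    for cve, p in levs.items():
        print(f"{cve}: LEV = {p:.3f}")
    print("expected exploited:", round(expected_exploited(levs), 3))
    print("missing from KEV:", likely_missing_from_kev(levs, kev={"CVE-EXAMPLE-2"}))
```

Summing LEV over every scored CVE gives a floor on how many flaws have probably been exploited, which is the number a KEV list's size can be compared against.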
- Next Thursday, the Senate Homeland Security and Governmental Affairs Committee will hold a confirmation hearing for the following Department of Homeland Security nominees.
- Sean Cairncross, of Minnesota, to be National Cyber Director; Robert Law, of the District of Columbia, to be Under Secretary for Strategy, Policy, and Plans; James Percival, of Florida, to be General Counsel; Sean Plankey, of Pennsylvania, to be Director of the Cybersecurity and Infrastructure Security Agency; and Kevin Rhodes, of Florida, to be Administrator for Federal Procurement Policy.
- Federal News Network reports yesterday,
- “The Trump administration is proposing to cut more than 1,000 positions at the Cybersecurity and Infrastructure Security Agency.
- “Under the 2026 budget request, CISA would go from approximately 3,732 funded positions today to 2,649 positions next year. The staff reductions are detailed in CISA’s fiscal 2026 budget justification, posted today. They present the most detailed view yet of the Trump administration’s proposal to cut CISA’s budget by nearly $500 million.
- “The proposed cuts still have to be approved by Congress as part of the 2026 appropriations process. But they come as hundreds of CISA employees have already left under the Trump administration. Meanwhile, more staff could depart through deferred resignations or early retirements offered to DHS staff in April.
- “The proposed cuts are spread across CISA’s various divisions. CISA’s cybersecurity division would go from 1,267 positions to 1,063 jobs. CISA’s infrastructure security division would go from about 343 positions to 325 jobs.”
- Dark Reading informs us,
- “The Cybersecurity and Infrastructure Security Agency (CISA) and Australian Cyber Security Centre (ACSC) released new guidance this week on procuring, implementing, and maintaining security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms.
- “SIEM and SOAR help organizations collect and analyze data from firewalls, endpoints, and applications to better detect and respond to cybersecurity incidents. However, many organizations encounter significant implementation and deployment challenges, including significant costs and ongoing maintenance requirements. The guidance noted these are not “set it and forget it” tools.
- “These platforms are becoming more essential as organizations store and manage an influx of data that is highly attractive to attackers, particularly personally identifiable information and personal health information. Additionally, increasing infrastructure complexity is creating gaps in visibility and making threat detection more difficult. There are more endpoints to secure, more applications, more third-party vendors, and more remote workers for attackers to exploit.”
- Per HHS Office for Civil Rights news releases,
- “Today [May 28, 2025], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BayCare Health System (BayCare), a Florida health care provider, concerning several potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation based on a complaint received concerning impermissible access to the complainant’s electronic protected health information (ePHI).” * * *
- “Under the terms of the settlement, BayCare agreed to implement a corrective action plan that OCR will monitor for two years, and paid OCR $800,000.” * * *
- “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/hhs-ocr-hipaa-baycare-agreement.pdf [PDF, 126 KB]”
- and
- “Today [May 30, 2025], the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced a settlement with Comstar, LLC (“Comstar”), a Massachusetts company that provides billing, collection, and related services to non-profit and municipal emergency ambulance services, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation concerning a ransomware breach that affected 585,621 individuals.”
- “Under the terms of the settlement, Comstar agreed to implement a corrective action plan that OCR will monitor for two years, and paid OCR $75,000.”
- “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hhs-hipaa-agreement-comstar/index.html.”
- Cybersecurity Dive points out,
- “U.S. authorities on Thursday [May 28, 2025] charged 16 defendants in a massive global operation to disrupt the Russia-based cybercrime group behind the DanaBot malware.
- “DanaBot infected more than 300,000 computers around the world, facilitating fraud and ransomware and resulting in more than $50 million in damage, according to federal prosecutors. The U.S. coordinated with multiple foreign governments and private cybersecurity firms to dismantle the botnet operators’ infrastructure.
- “The Department of Justice charged Aleksandr Stepanov, 39, a.k.a. “JimmBee,” with conspiracy, conspiracy to commit wire and bank fraud and additional charges. Artem Aleksandrovich Kalinkin, 34, a.k.a. “Onix,” was charged with conspiracy to gain unauthorized access to a computer to gain information and to defraud, among additional charges.”
- Bleeping Computer lets us know,
- “The Federal Criminal Police Office of Germany (Bundeskriminalamt or BKA) claims that Stern, the leader of the Trickbot and Conti cybercrime gangs, is a 36-year-old Russian named Vitaly Nikolaevich Kovalev.
- “The subject is suspected of having been the founder of the ‘Trickbot’ group, also known as ‘Wizard Spider,'” BKA said last week [English PDF], after another round of seizures and charges as part of Operation Endgame, a joint global law enforcement action targeting malware infrastructure and the threat actors behind it.
- “The group used the Trickbot malware as well as other malware variants such as Bazarloader, SystemBC, IcedID, Ryuk, Conti and Diavol.
- “Kovalev is now also wanted in Germany, according to a recently issued Interpol red notice saying he was charged with being the ringleader of an unnamed criminal organization.”
- and
- “An international law enforcement operation has taken down AVCheck, a service used by cybercriminals to test whether their malware is detected by commercial antivirus software before deploying it in the wild.
- “The service’s official domain at avcheck.net now displays a seizure banner with the crests of the U.S. Department of Justice, the FBI, the U.S. Secret Service, and the Dutch police (Politie).
- “According to an announcement on the Politie website, AVCheck was one of the largest counter antivirus (CAV) services internationally, which helped cybercriminals assess the stealthiness and evasion of their malware.
- “Taking the AVCheck service offline marks an important step in tackling organized cybercrime,” stated Politie’s Matthijs Jaspers.
- “With this [action], we disrupt cybercriminals as early as possible in their operations and prevent victims.”
- USA Today reports,
- “An Iranian national pleaded guilty for his role in an international ransomware scheme that targeted the computer networks of Baltimore and other U.S. cities, disrupting services and causing tens of millions of dollars in losses, federal authorities said.
- “Sina Gholinejad, 37, pleaded guilty May 27 to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud, the Justice Department said in a news release. Gholinejad was arrested Jan. 10 at Raleigh-Durham International Airport in North Carolina, federal court records show.
- “He faces a maximum penalty of 30 years in prison and is set to be sentenced in August, the Justice Department announced.”
From the cybersecurity vulnerabilities and breaches front,
- Cybersecurity Dive informs us,
- “A previously unknown team of Russian government-backed hackers is targeting critical infrastructure organizations in multiple sectors to collect intelligence for Moscow, Microsoft and the Dutch government said in separate reports published Tuesday.
- “The group, which Microsoft calls Void Blizzard and the Dutch intelligence services call Laundry Bear, has been using stolen credentials and automated bulk-email collection from cloud services to scoop up data on NATO member states and Ukraine.
- “Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America,” Microsoft said in a blog post.”
- and
- “A “highly targeted” spearphishing campaign is attempting to ensnare financial executives at banks, investment firms, energy utilities and insurance companies around the world, Trellix said in a report published Wednesday.
- “The malicious emails are rigged with installers that allow the hackers to remotely access victim computers.
- “With this amount of access to legitimate accounts, attackers could steal files or initiate fraudulent money transfers, potentially without raising red flags.”
- and
- “ConnectWise is investigating suspicious activity — likely associated with a nation-state actor — affecting a limited number of customers that use ScreenConnect.
- “In a post on its website, ConnectWise said it has notified all affected customers, alerted law enforcement to the attack and retained Mandiant to help with its investigation.
- “A company spokesperson added that ConnectWise issued a patch for ScreenConnect and implemented enhanced monitoring and hardening measures across its environment.”
- and
- “More than 9,000 ASUS routers have been compromised in a months-long hacking campaign that researchers from GreyNoise warn may be a prelude to the creation of a botnet.
- “Hackers are breaching routers through brute-force login attempts and authentication bypasses that rely on a command injection vulnerability, tracked as CVE-2023-39780, to execute system commands, GreyNoise researchers said in a blog post on Wednesday.
- “GreyNoise first detected suspicious activity in March, when it flagged three suspicious HTTP POST requests made to ASUS routers, according to Matthew Remacle, senior researcher at GreyNoise.
- “ASUS released a patch for the vulnerability in a recent firmware update, but the initial bypass attempts have not received CVEs, according to GreyNoise. In addition, researchers say, if a router was compromised before the firmware was updated, a backdoor will still remain on the devices unless secure shell protocol access is explicitly disabled.”
- Per Cyberscoop,
- “As the internet fills up with clips from AI-video generators, hacking groups are seeding the online landscape with malware-laced programs and fake websites hoping to cash in on the trend.
- “Tracked by researchers at Mandiant and Google Cloud, the campaign is being carried out by a group identified as “UNC6032.” Since mid-2024, they have spread thousands of advertisements, fake websites and social media posts promising victims access to popular prompt-to-video AI generation tools like Luma AI, Canva Dream Lab and Kling AI.
- “Those promises lead to phishing pages and malware, with the group deploying infostealers and backdoors on victim devices. Compromised parties saw their login credentials, cookies, credit card data and in some cases Facebook information stolen, and the scheme appears to be impacting a wide range of industries and geographic areas.”
- CISA did not add any known exploited vulnerabilities to its catalog this week.
From the ransomware front,
- Dark Reading tells us,
- “Extortionist-cum-information broker “Everest Group” has pulled off a swath of attacks against large organizations in the Middle East, Africa, Europe, and North America, and is now extorting victims over records stolen from their human resources departments.
- “This May, the long-overlooked threat actor advertised nine new cyberattacks. Victims ranged from healthcare organizations to construction and facilities management companies. But its biggest win came against Coca-Cola, from which it stole records associated with hundreds of employees, including their personally identifying information (PII) like names and addresses, salary records, and scans of passports and visas.
- “In each of these leaks, researchers from VenariX found files relating to SAP SuccessFactors, SAP’s cloud-based HR management platform. The researchers believe the attacks to be legitimate and estimate that initial access in each case likely occurred through a third-party SAP service provider called “INK IT Solutions.”
- The Hacker News notes,
- “The threat actors behind the DragonForce ransomware gained access to an unnamed Managed Service Provider’s (MSP) SimpleHelp remote monitoring and management (RMM) tool and then leveraged it to exfiltrate data and drop the locker on multiple endpoints.
- “It’s believed that the attackers exploited a trio of security flaws in SimpleHelp (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that were disclosed in January 2025 to access the MSP’s SimpleHelp deployment, according to an analysis from Sophos.
- “The cybersecurity company said it was alerted to the incident following a suspicious installation of a SimpleHelp installer file, pushed via a legitimate SimpleHelp RMM instance that’s hosted and operated by the MSP for their customers.”
- The threat actors have also been found to leverage their access through the MSP’s RMM instance to collect information from different customer environments about device names and configuration, users, and network connections.
- Fortra tells us what we need to know about Interlock ransomware.
- Per Bleeping Computer,
- “Threat actors linked to lesser-known ransomware and malware projects now use AI tools as lures to infect unsuspecting victims with malicious payloads.
- “This development follows a trend that has been growing since last year, starting with advanced threat actors using deepfake content generators to infect victims with malware.
- “These lures have become widely adopted by info-stealer malware operators and ransomware operations attempting to breach corporate networks.
- “Cisco Talos researchers have discovered that the same technique is now followed by smaller ransomware teams known as CyberLock, Lucky_Gh0$t, and a new malware named Numero.
- “The malicious payloads are promoted via SEO poisoning and malvertising to rank them high in search engine results for specific terms.”
- Per CFO Dive,
- “About one in four companies targeted in a ransomware incident in the last year did not get all their data back after paying the attacker, cybersecurity firm Delinea said in a report released Wednesday.
- “Delinea also found that most ransomware today includes data-theft extortion, with 85% of victims saying they were threatened with having their data published or sold.
- “Paying the ransom doesn’t always bring the desired results,” Delinea said in the report.”
From the cybersecurity business and defenses front,
- Dark Reading notes,
- “Tenable Security has announced plans to acquire Apex, an Israel-based startup specializing in security solutions driven by artificial intelligence (AI). Apex will be integrated into Tenable One, Tenable’s software-as-a-service-based exposure management platform.
- “Founded in 2023, Apex helps organizations discover ungoverned AI. Co-founders Matan Derman (CEO) and Tomer Avni (chief product officer) developed a platform designed to surface all AI activities, including shadow apps, AI-generated code, and fake identities. The boutique company of roughly 20 employees competes with Prompt Security, Lasso Security, and Aim Security.”
- Per Cyberscoop,
- “Zscaler announced Tuesday its intention to acquire Red Canary, a company known for Managed Detection and Response (MDR) services, to boost its ability to integrate artificial intelligence, automation and human expertise into its security offerings.
- “The acquisition is positioned around the convergence of Zscaler’s data-driven, AI-centric cloud security and Red Canary’s decade of operational expertise in MDR. Zscaler’s executive leadership emphasizes the blending of large-scale data intelligence and automated, agentic Security Operations Centers (SOCs) with the capabilities of ThreatLabz, its security research division.
- “The proposed acquisition of Red Canary is a natural expansion of our capabilities into managed detection and response and threat intelligence to accelerate our vision of AI-powered SOC of the future,” Jay Chaudhry, CEO and founder of Zscaler, said in a press release. “By integrating Red Canary with Zscaler, we will deliver to our customers the power of a fully integrated Zero Trust platform and AI-powered security operations.”
- Dark Reading lets us know,
- “Chief information security officers (CISOs) are being paid better than ever, more likely to be an executive — or report directly to an executive — and have expanding responsibilities. Yet tight security budgets continue to be a major challenge.
- “Overall, the top cybersecurity professional is doing well at large companies and has proven their value but continually has to work to link security to business opportunities rather than costs, according to two surveys published this week.
- “The average CISO at large US companies — those with revenue of $1 billion or more — has a current compensation of $532,000, including base salary, bonuses, and equity benefits, according to survey data published by cybersecurity consultancy IANS Research on May 29. Increasing responsibilities come with the high salaries, with CISOs now often charged with assessing business risk, product security, and digital strategy.”
- Dark Reading explains “A Defense-in-Depth Approach for the Modern Era”: “By integrating intelligent network policies, zero-trust principles, and AI-driven insights, enterprises can create a robust defense against the next generation of cyber threats.”
- Here is a link to Dark Reading’s CISO Corner.