
From the cybersecurity policy and law enforcement front,
- Yesterday, the President issued a cybersecurity executive order. Here is a link to the related fact sheet.
- Federal News Network adds,
- “President Donald Trump has signed a new cybersecurity executive order that continues many of the policies of his predecessors, while also marking out some key changes in the approach to software security, digital identity and more.
- “The new executive order, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity,” modifies many aspects of a cyber EO signed by President Joe Biden in January. It also makes changes to executive orders signed by President Barack Obama to focus federal cybersecurity law enforcement efforts on foreign nationals.
- “But Trump’s new EO continues key aspects of Biden directives, including an effort to strengthen the Cybersecurity and Infrastructure Security Agency’s role in defending civilian federal networks.” * * *
- “The latest cybersecurity executive order also maintains federal efforts around post-quantum cryptography, Border Gateway Protocol, and advanced encryption.
- “But it eliminates the January order’s directive for agencies to require federal software vendors to provide evidence of following secure development practices.
- “Instead, Trump directs the National Institute of Standards and Technology to establish a new consortium with industry “that demonstrates the implementation of secure software development, security, and operations practices” based on NIST’s Secure Software Development Framework.”
- Per Cybersecurity Dive,
- “Trump’s elimination of Biden’s software security requirements for federal contractors represents a significant government reversal on cyber regulation. Following years of major cyberattacks linked to insecure software, the Biden administration sought to use federal procurement power to improve the software industry’s practices. That effort began with Biden’s 2021 cyber order and gained strength in 2024, and then Biden officials tried to add teeth to the initiative before leaving office in January. But as it eliminated that project on Friday, the Trump administration castigated Biden’s efforts as “imposing unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”
- “Trump’s order eliminates provisions from Biden’s directive that would have required federal contractors to submit “secure software development attestations,” along with technical data to back up those attestations. Also now eradicated are provisions that would have required the Cybersecurity and Infrastructure Security Agency to verify vendors’ attestations, required the Office of the National Cyber Director to publish the results of those reviews and encouraged ONCD to refer companies whose attestations fail a review to the Justice Department “for action as appropriate.”
- Cyberscoop reports,
- “Sean Cairncross laid out his vision to senators Thursday for the Office of the National Cyber Director if he is confirmed to lead it.
- “A goal of mine is to make sure this office sits at the place that this committee and I believe Congress intended in the statute, and that is to lead cyber policy coordination across the federal government,” he told the Homeland Security and Governmental Affairs Committee at his confirmation hearing.
- “In doing that, working with our interagency partners is vital,” he said. “We’ve been empowered to work with [the Office of Management and Budget] to ensure that budget alignment among the interagency aligns with administration policy, and I think those tools have to be leveraged, and relationships between us and the interagency — it’s making sure that it is monitored and enforced.”
- Cybersecurity Dive adds,
- “Two coalitions of cybersecurity companies, professional associations and experts have endorsed Sean Plankey and Sean Cairncross, President Donald Trump’s nominees to serve as director of the Cybersecurity and Infrastructure Security Agency and national cyber director, respectively.
- “Plankey and Cairncross’s backers include executives at cybersecurity firms, former senior government officials from administrations of both parties and leaders of trade groups and think tanks.”
- Per Bleeping Computer,
- “The U.S. Department of State has announced a reward of up to $10 million for any information on government-sponsored hackers with ties to the RedLine infostealer malware operation and its suspected creator, Russian national Maxim Alexandrovich Rudometov.
- “The same bounty covers leads on state hackers’ use of this malware in cyber operations targeting critical infrastructure organizations in the United States.
- “This bounty is posted as part of the Department of State’s Rewards for Justice program established by the 1984 Act to Combat International Terrorism, which rewards informants for tips that help identify or locate foreign government threat actors behind cyberattacks against U.S. entities.”
- Per Cyberscoop,
- “Federal authorities on Thursday [June 5, 2025] said they seized $7.74 million from North Korean nationals as they attempted to launder cryptocurrency obtained by IT workers who gained illegal employment and funneled the wages to the North Korean regime.
- “The allegedly illegally obtained funds were linked to Sim Hyon Sop, a representative of North Korean Foreign Trade Bank, and Kim Sang Man, CEO of Chinyong, an outfit associated with North Korea’s Ministry of Defense, the Justice Department said. Both North Korean nationals were added to the Treasury Department’s Office of Foreign Assets Control’s list of sanctioned individuals in 2023.
- “The cryptocurrency seizure marks another action in a series of long-running law enforcement efforts to identify and prevent North Korean operatives from gaining employment at companies, evading U.S. sanctions, and sending payroll back to the North Korean government.”
- Per Security Week,
- “German authorities have named Russian national Vitaly Nikolaevich Kovalev as the founder and leader of the TrickBot cybercrime gang.”
- “Established in 2016, the TrickBot group is believed to have infected millions of computers worldwide, exfiltrating sensitive information such as credentials, banking and credit card details, and personal information, while also enabling the deployment of other malware, such as ransomware.
- “Authorities targeted TrickBot’s infrastructure in takedown attempts in 2020 and 2024 and announced charges and sanctions against over a dozen group members in 2023, including Kovalev, believed at the time to be a senior figure within the cybercrime ring.”
From the cybersecurity vulnerabilities and breaches front,
- CISA added nine known exploited vulnerabilities to its catalog this week.
- June 2, 2025
- CVE-2021-32030 ASUS Routers Improper Authentication Vulnerability
- CVE-2023-39780 ASUS RT-AX55 Routers OS Command Injection Vulnerability
- CVE-2024-56145 Craft CMS Code Injection Vulnerability
- CVE-2025-3935 ConnectWise ScreenConnect Improper Authentication Vulnerability
- CVE-2025-35939 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
- June 3, 2025
- CVE-2025-21479 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
- CVE-2025-21480 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
- CVE-2025-27038 Qualcomm Multiple Chipsets Use-After-Free Vulnerability
- Security Affairs discusses these KEVs here.
- June 5, 2025
- CVE-2025-5419 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
- Bleeping Computer and Cyberscoop discuss this KEV.
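The weekly list above is exactly what the CISA KEV JSON feed lets you automate. The script below is an added example, not part of the original post: it parses records in the public feed's layout (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, vulnerabilityName, dateAdded and dueDate), returns the entries added in a given window, and flags entries whose BOD 22-01 remediation due date has passed. The sample records are constructed from entries named in this post plus one older ScreenConnect entry; their dueDate values are assumed, not copied from the live feed. Point load_feed() at a downloaded copy of the feed to run it for real.

```python
"""Filter the CISA KEV feed by date added and flag overdue entries.

Added example, not part of the original post. The record layout mirrors the
public KEV JSON feed; the four records below are constructed (dueDate values
assumed, not copied from the live feed).
"""
import json
from datetime import date

SAMPLE_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2024-1709", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "vulnerabilityName": "ConnectWise ScreenConnect Authentication Bypass Vulnerability",
     "dateAdded": "2024-02-22", "dueDate": "2024-02-29"},
    {"cveID": "CVE-2025-3935", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "vulnerabilityName": "ConnectWise ScreenConnect Improper Authentication Vulnerability",
     "dateAdded": "2025-06-02", "dueDate": "2025-06-23"},
    {"cveID": "CVE-2025-27038", "vendorProject": "Qualcomm", "product": "Multiple Chipsets",
     "vulnerabilityName": "Qualcomm Multiple Chipsets Use-After-Free Vulnerability",
     "dateAdded": "2025-06-03", "dueDate": "2025-06-24"},
    {"cveID": "CVE-2025-5419", "vendorProject": "Google", "product": "Chromium V8",
     "vulnerabilityName": "Google Chromium V8 Out-of-Bounds Read and Write Vulnerability",
     "dateAdded": "2025-06-05", "dueDate": "2025-06-26"}
  ]
}
"""


def _as_date(value):
    """Accept either a datetime.date or an ISO-8601 string (the feed uses strings)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_feed(text: str) -> list[dict]:
    """Parse the feed JSON and return its vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def added_between(records: list[dict], start, end) -> list[dict]:
    """Entries whose dateAdded falls in [start, end], ordered by dateAdded then cveID."""
    start, end = _as_date(start), _as_date(end)
    hits = [r for r in records if start <= _as_date(r["dateAdded"]) <= end]
    return sorted(hits, key=lambda r: (r["dateAdded"], r["cveID"]))


def overdue(records: list[dict], today) -> list[str]:
    """cveIDs whose BOD 22-01 remediation due date is already behind `today`."""
    today = _as_date(today)
    return sorted(r["cveID"] for r in records if _as_date(r["dueDate"]) < today)


def by_vendor(records: list[dict]) -> dict[str, list[str]]:
    """Group cveIDs by vendorProject, preserving the input order within each vendor."""
    out: dict[str, list[str]] = {}
    for r in records:
        out.setdefault(r["vendorProject"], []).append(r["cveID"])
    return out


if __name__ == "__main__":
    recs = load_feed(SAMPLE_FEED_JSON)
    for r in added_between(recs, "2025-06-02", "2025-06-08"):
        print(r["dateAdded"], r["cveID"], r["vulnerabilityName"])
    print("overdue as of 2025-06-25:", overdue(recs, "2025-06-25"))
```

Running the weekly window against the live feed rather than a vendor's advisory is the check that matters for federal agencies: the dueDate in each record, not the disclosure date, is what BOD 22-01 holds them to.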
- June 2, 2025
- Bleeping Computer tells us,
- “A threat actor has re-released data from a 2021 AT&T breach affecting 70 million customers, this time combining previously separate files to directly link Social Security numbers and birth dates to individual users.
- “AT&T told BleepingComputer that they are investigating the data but also believe it originates from the known breach and was repackaged into a new leak.
- “It is not uncommon for cybercriminals to repackage previously disclosed data for financial gain. We just learned about claims that AT&T data is being made available for sale on dark web forums, and we are conducting a full investigation,” AT&T told BleepingComputer.”
- and
- “Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions.
- “The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity’s Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments.
- “The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments.”
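The Cisco description above is the classic shape of a static-credential defect: the secret is "generated" at deploy time from material that is identical in every copy of the image, so separate cloud deployments end up sharing it. The script below is an added illustration of that bug class, not Cisco's code and not a statement of how CVE-2025-20286 actually works. It contrasts a bootstrap routine that seeds its PRNG from a constant baked into the image with one that draws fresh entropy at first boot, and shows the fleet-level check that catches the flaw: no two independent deployments may report the same credential fingerprint. IMAGE_BUILD_ID and the deployment names are made up.

```python
"""Shared-credential bug class: deploy-time secrets derived from image constants.

Added illustration, not Cisco's code. IMAGE_BUILD_ID and the FLEET names are
hypothetical; the defect and the check are the general pattern.
"""
import hashlib
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
IMAGE_BUILD_ID = "ise-cloud-3.2-build-1742"   # hypothetical constant baked into the image


def vulnerable_bootstrap() -> str:
    """Seeds the PRNG with an image-level constant only, so the 'random' admin
    credential is identical on every instance launched from that image."""
    rng = random.Random(IMAGE_BUILD_ID)
    return "".join(rng.choice(ALPHABET) for _ in range(24))


def hardened_bootstrap() -> str:
    """Draws the credential from the OS CSPRNG at first boot of each instance."""
    return secrets.token_urlsafe(24)


def fingerprint(credential: str) -> str:
    """What a fleet inventory should collect: a hash, never the secret itself."""
    return hashlib.sha256(credential.encode()).hexdigest()[:16]


def simulate_fleet(bootstrap, deployments: list[str]) -> dict[str, str]:
    """Model each deployment running the bootstrap independently; keep only fingerprints."""
    return {name: fingerprint(bootstrap()) for name in deployments}


def shared_fingerprints(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map every fingerprint seen on more than one deployment to those deployments.
    An empty result is the pass condition for the fleet check."""
    groups: dict[str, list[str]] = {}
    for deployment, fp in inventory.items():
        groups.setdefault(fp, []).append(deployment)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


FLEET = ["tenant-a-aws", "tenant-b-aws", "tenant-c-azure"]

if __name__ == "__main__":
    print("vulnerable:", shared_fingerprints(simulate_fleet(vulnerable_bootstrap, FLEET)))
    print("hardened:  ", shared_fingerprints(simulate_fleet(hardened_bootstrap, FLEET)))
```

The point of collecting fingerprints rather than secrets is that the check can run across tenants and clouds without ever centralizing the credentials; a single duplicate fingerprint is enough to know the generation path is deterministic.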
- Dark Reading informs us,
- “ClickFix campaigns are gaining steam according to various security researchers, with recent campaigns spotted across the globe from a wide swath of cyberattackers. The increasingly popular tactic represents a significant new evolution for social engineering, researchers say — and enterprises need to take note.
- “ClickFix activity has been snowballing: Darktrace said yesterday that it recently identified multiple ClickFix attacks across customer environments in Europe, the Middle East, and Africa (EMEA), and in the United States; while SlashNext, in a separate report, detailed an unusual version of the attack vector that impersonates Cloudflare Turnstile, which is the Web protection company’s CAPTCHA-like Turing test. Also, this week, Cofense outlined a campaign that spoofed Booking.com CAPTCHAs, targeting hotel chains with remote access Trojans (RATs) and infostealers.”
- and
- The Federal Bureau of Investigation (FBI) warned that cybercriminals are compromising Internet of Things (IoT) devices connected to home networks through the BADBOX 2.0 botnet.
- The BADBOX 2.0 botnet was discovered several months ago after the original BADBOX campaign was disrupted in 2024. Human Security’s Satori Threat Intelligence and Research team, alongside Google, Trend Micro, the Shadowserver Foundation, and others, were able to partially disrupt the “complex and expansive” BADBOX 2.0 operation, noting that it remains the largest botnet of infected connected TV (CTV) devices ever uncovered.
- Per Cybersecurity Dive,
- “A financially motivated hacker group has been targeting Salesforce instances for months in a campaign that uses voice phishing to engage in data theft and follow-on extortion attempts, according to Google Threat Intelligence Group.
- “The hackers, whom Google tracks as UNC6040, impersonated IT workers and tricked employees at often English-speaking branches of multinational companies into sharing sensitive credentials that were then used to access the organizations’ Salesforce data, Google said in a blog post published Wednesday.
- “As part of the social engineering campaign, the hackers tricked workers at these companies into visiting the Salesforce-connected app setup page, at which point the attackers used an unauthorized, malicious version of the Salesforce Data Loader app to access and steal sensitive information from the customers’ Salesforce environments.
- “Beyond the immediate data thefts, the hackers were able to move laterally within target networks, accessing victims’ other cloud services and moving into internal corporate networks.”
From the ransomware front,
- The American Hospital Association warns,
- “The FBI, Cybersecurity and Infrastructure Security Agency and Australian Cyber Security Centre June 4 released an advisory on updated actions and tactics used by the Play ransomware group. The group, active since 2022, has impacted a wide range of businesses and critical infrastructure in North America, South America and Europe. As of May, the FBI was aware of about 900 victims allegedly exploited by the group’s efforts.
- “The threat actors are presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. They employ a double-extortion model that encrypts systems after exfiltrating data. Their ransom notes do not include an initial ransom demand or payment instructions. Instead, victims are instructed to contact the threat actors via email.
- “Play ransomware was among the most active cyberthreat groups in 2024,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “This report highlights their evolving tactics, and health care cybersecurity teams should be aware of the changes. As threat actors shift tactics, it is critical that network defenders keep pace. The double-layered extortion model and encryption of systems, as well as theft of data, pose a serious potential risk to hospitals and the delivery of health care.”
- Cybersecurity Dive adds,
- “Since mid-January, multiple ransomware groups, including initial access brokers affiliated with Play, have targeted vulnerabilities in a remote support tool called SimpleHelp. Researchers disclosed those flaws in January.
- “The new advisory updates the government’s original December 2023 warning about the Play ransomware group, which is also known as PlayCrypt. The hackers have previously been blamed for attacks targeting ConnectWise ScreenConnect and Rackspace.
- “The recent attacks exploiting SimpleHelp involve three flaws discovered by security firm Horizon3.ai.”
- Bleeping Computer lets us know,
- “Healthcare giant Kettering Health, which manages 14 medical centers in Ohio, confirmed that the Interlock ransomware group breached its network and stole data in a May cyberattack.
- “Kettering Health operates over 120 outpatient facilities and employs over 15,000 people, including over 1,800 physicians.
- “The healthcare network noted in a Thursday statement that its network devices have been secured, and its team is now working on re-establishing communication channels with patients disrupted by the outage triggered by last month’s ransomware attack.”
- Security Week adds,
- “The Interlock ransomware gang has published 941 GB of data allegedly stolen from the Ohio healthcare network Kettering Health.” * * *
- “Active since at least October 2024, Interlock is believed to have made roughly 40 victims to date, including kidney dialysis firm DaVita, National Presto Industries, and Texas Tech University. NodeSnake RAT infections at two universities in the UK appear linked to Interlock as well.”
- Per Bleeping Computer,
- “The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely.
- “Qilin (also tracked as Phantom Mantis) surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the “Agenda” name and has since claimed responsibility for over 310 victims on its dark web leak site.
- “Its victim list also includes high-profile organizations, such as automotive giant Yangfeng, publishing giant Lee Enterprises, Australia’s Court Services Victoria, and pathology services provider Synnovis. The Synnovis incident impacted several major NHS hospitals in London, which forced them to cancel hundreds of appointments and operations.”
- Security Week adds,
- “American media company Lee Enterprises revealed this week that the disruptive cyberattack it dealt with earlier this year resulted in a data breach impacting nearly 40,000 individuals.
- “Lee Enterprises owns 350 weekly and specialty publications across 25 states, and dozens of them suffered disruptions in February as a result of a ransomware attack that involved the encryption of critical applications and the theft of files.
- “The company informed the Maine Attorney General’s Office this week that it recently completed its investigation into the incident and determined that personal information was compromised.
- “According to Lee Enterprises, the attackers may have obtained the information of 39,779 people, including their names and Social Security numbers.
- “Affected individuals are being offered 12 months of free credit monitoring and identity protection services.”
- Honeywell lets us know,
- “In a growing wave of sophisticated cyber threats against the industrial sector, ransomware attacks jumped by 46% from Q4 2024 to Q1 2025, according to Honeywell’s new 2025 Cybersecurity Threat Report. The research also found that both malware and ransomware increased significantly in this period and included a 3,000% spike in the use of one trojan designed to steal credentials from industrial operators.”
- “To learn more and download the full report, visit our website.”
From the cybersecurity business and defenses front,
- Cybersecurity Dive reports,
- “Microsoft and CrowdStrike will lead a cooperative effort to map out the overlapping web of hacker groups that their researchers have disclosed and named, the companies said on Monday.
- “Palo Alto Networks and Google and its Mandiant unit have also agreed to join the collaborative effort on streamlining threat group taxonomy.
- “For years, the companies’ different naming conventions for various criminal and state-linked threat groups have created unnecessary confusion and delays in the sharing of threat intelligence.
- “Microsoft and CrowdStrike released an initial version of their threat actor matrix on Monday, listing the groups they track and each one’s corresponding aliases from other researchers.
- The Wall Street Journal reports,
- “CrowdStrike swung to a loss in the fiscal first quarter and posted a lower-than-expected outlook, as the costs of its outage last summer continue to weigh on results.
- “The cybersecurity company said Tuesday its revenue is still being hurt by an incentive program it launched last year to try to retain customers after a widespread software outage in July.
- “CrowdStrike had implemented a customer-commitment program, which let customers try some products for free, and was weighing on its subscription revenue. The program wrapped up at the end of fiscal-year 2025, but its effects are lingering.”
- Dark Reading tells us,
- “F5 this week announced the acquisition of Fletch, a San Francisco-based startup with agent-based artificial intelligence (AI) technology that analyzes massive amounts of threat intelligence data and remediates the most severe vulnerabilities in real time.
- “Terms of the deal were not disclosed, but most of Fletch’s 15 employees have joined F5, which was seeking the technology and expertise to bring agentic AI capabilities to the recently introduced F5 Application Delivery and Security Platform (ADSP).”
- Help Net Security points out,
- “Cybersecurity leaders and consultants identified AI-driven automation and cost optimization as top organizational priorities, according to Wipro.
- “30% of respondents are investing in AI automation to enhance their cybersecurity operations. AI-driven automation can help in detecting and responding to threats more quickly and accurately, thereby reducing the need for extensive manual intervention.
- “26% of respondents are focusing on tools rationalization. This approach involves evaluating and consolidating duplicate security tools across platforms to eliminate redundancies and improve efficiency while reducing costs.
- “Another significant area is security and risk management process optimization, with 23% of organizations targeting this for cost savings. Streamlining these processes can lead to more effective risk management and better allocation of resources. Apart from these priorities, 20% are focusing on simplifying operating models to achieve better visibility and faster response across reduced attack surfaces.”
- Here is a link to Dark Reading’s CISO Corner.