Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity defenses and law enforcement front

  • Cyberscoop reports,
    • Congress should use renewal of an expiring [in 2027] terrorism insurance program to create a federal backstop for cybersecurity insurance, according to a report out Tuesday that tries to thread many difficult needles to bolster an industry that its author says isn’t developing fast enough.
    • In an ideal world, cybersecurity insurance can be a valuable tool to protect policyholders and push everyone into adopting better cyber practices, but it will need government intervention to reach its full potential amid an array of challenges, Nick Leiserson writes in a study for the Foundation for Defense of Democracies, a D.C.-based think tank. 
  • and
    • “As spring gives way to summer, a wave of cybercrime crackdowns has taken root, with law enforcement and private security companies directing a surge of takedowns, seizures, indictments and arrests.
    • “Prolific infostealers, malware loaders, counter antivirus and encrypting services, cybercrime marketplaces, ransomware infrastructure and DDoS-for-hire operations have all been seized, taken offline or severely disrupted by global coordinated campaigns over the past six weeks.
    • “It’s been really energizing to see the volume and velocity of these takedowns in such a short period of time,” Flashpoint CEO Josh Lefkowitz told CyberScoop. 
    • “I can’t think of such a flurry and rapid succession — and then magnified by complementary takedowns by Europol and international partners,” he added. “It’s been a great couple of weeks for the good guys, and I wouldn’t be surprised if there’s more around the horizon.”

From the cybersecurity vulnerabilities and breaches front,

  • Bleeping Computer informs us,
    • “News broke [on June 18] about “one of the largest data breaches in history,” sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.
    • “To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.
    • “Instead, these stolen credentials were likely circulating for some time, if not for years. It was then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.
    • “Cybernews, which discovered the briefly exposed datasets of compiled credentials, stated it was stored in a format commonly associated with infostealer malware, though they did not share samples
    • “An infostealer is malware that attempts to steal credentials, cryptocurrency wallets, and other data from an infected device. Over the years, infostealers have become a massive problem, leading to breaches worldwide.”
  • Cybersecurity Dive reports,
    • “Major insurance provider Aflac Inc. said Friday [June 20] that it was the target of a cyberattack on June 12 that is linked to a major cybercrime spree focusing on the industry. 
    • “The company said it was able to contain the attack within hours and confirmed its systems remain operational. 
    • “We continue to serve our customers as we respond to this incident and can underwrite policies, review claims and otherwise service our customers as usual,” the company said in a Securities and Exchange Commission filing
    • “The incident is part of a larger crime wave targeting the insurance industry that researchers have linked to a collective known as Scattered Spider. The group recently conducted a weeks-long attack campaign against retailers in the U.S. and the U.K.
    • “Erie Insurance Group last week disclosed that it was the target of a cyberattack that began on June 7. The company said Tuesday that it has regained control over its systems and sees no further evidence of malicious activity.”
  • Cyberscoop adds,
    • Scattered Spider is an amorphous band of young English-speaking cybercriminals affiliated with the larger sprawling network known as The Com. Scattered Spider associates recently ran roughshod over U.K.- and U.S.-based retailers before pivoting, once again, to insurance companies.
    • The ring of cybercriminals historically focus on one sector at a time, resulting in a wave of extortion attacks on companies in the same industry, which often use similar systems and processes. 
    • Google previously warned that Scattered Spider shifted its attention to U.S. retailers after the group hit multiple retailers and grocery stores in the U.K. in April. The pattern of recent activities attributed to Scattered Spider has been consistent.
    • “We are now seeing incidents in the insurance industry,” John Hultquist, chief analyst at Google Threat Intelligence Group, told CyberScoop on Monday. “Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”
  • The Wall Street Journal points out,
    • “Hackers in recent months have disrupted retail sales in the U.K. and U.S. and stolen hundreds of millions of dollars from crypto holders by targeting the outsourced call centers that many American corporations use to save costs.
    • “The hacks are often meticulously researched and use a variety of techniques, but they have one thing in common: low-level workers who staff call centers and have access to the kind of sensitive information that criminals need to commit crimes.
    • “The focus on outside call centers has allowed attackers to trick workers to get around so-called two-factor account authentication techniques that send codes by text to mobile phones. Those methods are commonly used to protect millions of bank and credit-card accounts, as well as a host of other online portals.”
  • Security Week lets us know,
    • “Healthcare services firm Episource has been targeted in a cyberattack that resulted in a data breach impacting more than 5.4 million individuals.
    • “Episource provides medical coding and risk adjustment services to doctors, health plans, and other types of healthcare organizations. 
    • “The firm revealed in a data breach notice that it detected unauthorized access to its systems in early February. An investigation showed that “a cybercriminal” was able to view and copy data belonging to some Episource customers between January 27 and February 6, 2025. 
    • “We quickly took steps to stop the activity. We began investigating right away and hired a special team to help us. We also called law enforcement. We turned off our computer systems to help protect the customers we work with and their patients and members,” the company said, noting that it’s not aware of any misuse of the compromised data.”
  • Per Dark Reading,
    • Cybercriminals are using fake search engine listings to hijack the results for people looking for tech support from brands like Apple, Bank of AmericaFacebook, HP, Microsoft, Netflix, and PayPal.
    • This type of deceptive scam is common, taking advantage of users’ trust in big name brands, beginning with a sponsored search result on Google — but this time, there’s a twist.
    • According to Pieter Arntz and Jérôme Segura, researchers at Malwarebytes Labs, cybercriminals start by paying for a sponsored ad on Google pretending to be a major brand. This advertisement will then lead people to the fake website.
    • “However, in the cases we recently found, the visitor is taken to the legitimate site with a small difference,” the researchers wrote in a post this week. “Visitors are taken to the help/support section of the brand’s website, but instead of the genuine phone number, the hijackers display their scammy number instead.”
    • “So, while the browser address is legitimate and shows no cause for concern, the fraudsters overlay the actual website with misinformation, directing the user to seek help from a fraudulent source.”
  • Cybersecurity Dive tells us,
    • “Researchers are urging Veeam Backup & Replication users to make sure their systems are fully upgraded to the latest version after the company released a patch Tuesday to address a critical remote code execution flaw. 
    • “The vulnerability, tracked as CVE-2025-23121, allows an authenticated domain user to run code on a backup server. 
    • Researchers at watchTowr and Code White GmbH previously disclosed that a patch to address a prior vulnerability, tracked as CVE-2025-23120, could be bypassed. That disclosure led to the development of the new patch.”
  • and
    • “Hackers are exploiting a critical vulnerability in Zyxel’s Internet Key Exchange packet decoder, GreyNoise researchers warned on Monday.
    • “The vulnerability, tracked as CVE-2023-28771, powered a sudden wave of exploitation attempts Monday, with researchers observing 244 unique IP addresses involved in the activity. 
    • “All of the addresses were located in the U.S. and registered to Verizon Business, but researchers caution that because the vulnerability was located over UDP (Port 500), the attackers may have been spoofing those addresses.
    • “Additional analysis suggests that the activity may be related to a variant of the Mirai botnet, researchers said. 
    • “Mirai-linked payloads suggest the activity may be aimed at enrolling devices into botnets for automated attacks like DDoS or scanning,” GreyNoise researchers told Cybersecurity Dive via email.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added three known exploited vulnerabilities to its catalog this week.
    • June 16, 2025
      • CVE-2025-43200 Apple Multiple Products Unspecified Vulnerability
      • CVE-2023-33538 TP-Link Multiple Routers Command Injection Vulnerability
        • NIST discusses the Apple vulnerability here.
        • Security Week discusses the TP-Link KVE here.
    • June 17, 2025
      •  CVE-2023-0386 Linux Kernel Improper Ownership Management Vulnerability 
        • Security Week discusses this KVE here.

From the ransomware front,

  • The Hacker News reports,
    • “An emerging ransomware strain has been discovered incorporating capabilities to encrypt files as well as permanently erase them, a development that has been described as a “rare dual-threat.”
    • “The ransomware features a ‘wipe mode,’ which permanently erases files, rendering recovery impossible even if the ransom is paid,” Trend Micro researchers Maristel Policarpio, Sarah Pearl Camiling, and Sophia Nilette Robles said in a report published last week.
    • “The ransomware-as-a-service (RaaS) operation in question is named Anubis, which became active in December 2024, claiming victims across healthcare, hospitality, and construction sectors in Australia, Canada, Peru, and the U.S. Analysis of early, trial samples of the ransomware suggests that the developers initially named it Sphinx, before tweaking the brand name in the final version.”
  • and
    • “The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the cybercrime group intensifies its activity and tries to fill the void left by its rivals.
    • “The new feature takes the form of a “Call Lawyer” feature on the affiliate panel, per Israeli cybersecurity company Cybereason.
    • “The development represents a newfound resurgence of the e-crime group as once-popular ransomware groups like LockBit, Black Cat, RansomHub, Everest, and BlackLock have suffered abrupt cessations, operational failures, and defacements. The group, also tracked as Gold Feather and Water Galura, has been active since October 2022.
    • “Data compiled from the dark web leak sites run by ransomware groups shows that Qilin led with 72 victims in April 2025. In May, it is estimated to be behind 55 attacks, putting it behind Safepay (72) and Luna Moth (67). It’s also the third most active group after Cl0p and Akira since the start of the year, claiming a total of 304 victims.”

From the cybersecurity defenses front,

  • Cybersecurity Dive reports,
    • “For organizations aiming to deploy generative AI at scale, focusing on the cybersecurity guardrails surrounding the technology can help ease adoption rather than hinder it, according to AWS CISO Amy Herzog. 
    • “Herzog, who took on the CISO role earlier this month, made the case for a closer enterprise focus on security during the company’s annual re:Inforce conference Tuesday. The strategy can pay off by speeding up adoption. 
    • “Security, when done right, can be a true enabler in adopting new technologies,” said Herzog. “What we’re noticing is customers with mature security practices and the ability to innovate while maintaining a high security bar, they’re adopting Gen AI faster.
    • “Companies in highly regulated environments, from finance to healthcare, have been able to rely on their existing security, privacy and data management guardrails to speed up AI adoption, Herzog said. 
    • “This enables them to reduce risks and pragmatically focus on scaling their use cases,” Herzog said.”
  • and
    • “Nearly one in 10 publicly accessible cloud-storage buckets contained sensitive data, with virtually all of that data considered confidential or restricted, according to a new report from Tenable based on scans conducted between October 2024 and March 2025.
    • “On the other hand, more than eight in 10 organizations using Amazon Web Services have enabled an important identity-checking service, according to the report, published on Wednesday.
    • ‘The number of organizations with triple-threat cloud instances — “publicly exposed, critically vulnerable and highly privileged” — declined from 38% between January and June 2024 to 29% between October 2024 and March 2025.”
  • Per Bleeping Computer,
    • “Microsoft has announced plans to periodically remove legacy drivers from the Windows Update catalog to mitigate security and compatibility risks.
    • “The rationale behind this initiative is to ensure that we have the optimal set of drivers on Windows Update that cater to a variety of hardware devices across the windows ecosystem, while making sure that Microsoft Windows security posture is not compromised,” Microsoft said.
    • “This initiative involves periodic cleanup of drivers from Windows Update, thereby resulting in some drivers not being offered to any systems in the ecosystem.
    • “As the company explained on Thursday, the first phase of this “cleaning up” procedure will involve drivers with newer replacements already published on Windows Update.”
  • CSO lets us know,
    • “Ransomware tabletop exercises confront participants with an attack scenario, offering them a way to test and improve their organization’s readiness and response capabilities.
    • “During this month’s Infosecurity Europe conference, CSO took part as a media advisor to a blue team, pitched against a red team of attackers in a ransomware tabletop simulation focused on the water industry. The “Operation 999” exercise was devised and run by cybersecurity vendor Semperis, a specialist in protecting Active Directory (AD) and hybrid identity environments.” * * *
    • “The “Operation 999” exercise offered a cybersecurity tabletop simulation designed to allow participants to exercise incident response strategies. The tabletop exercise offered an immersive experience without featuring any hands-on keyboard or analysis of technical data (such as exercise specific log files, or similar).”
  • Security Week discusses “Choosing a clear direction in the face of growing cybersecurity demands. In a rapidly changing AI environment, CISOs are worried about investing in the wrong solution or simply not investing because they can’t decide what the best option is.”
  • Here is a link to Dark Reading’s CISO Corner.