Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy and law enforcement front,

  • Federal News Network reports,
    • “House appropriators have advanced a homeland security spending bill that endorses many of the Trump administration’s budget proposals, while rejecting steep cuts to cybersecurity and artificial intelligence personnel.
    • “The fiscal 2026 homeland security appropriations measure includes $66.36 billion in discretionary spending. The GOP-led committee passed the bill Tuesday [June 24, 2025] on a 36-27 vote.
    • “The bill follows the broad contours of Trump administration policies by prioritizing funding for Customs and Border Protection and Immigration and Customs Enforcement. Appropriators are also expecting significant funding for the Department of Homeland Security to be included in the budget reconciliation bill.”
  • Cyberscoop tells us,
    • “With time running short before expiration of a cyber information-sharing law highly valued by the private sector, Congress is taking a look at the possibility of a short-term extension.
    • “The 2015 Cybersecurity Information Sharing Act, which provided legal safeguards for companies to share threat data, is due to sunset at the end of September, and Congress doesn’t tend to work much in August.
    • “A bipartisan pair of senators have introduced a bill to simply extend it for another 10 years. But a House bill is still in the works and might take a different approach that involves making changes to the law going forward, industry officials told CyberScoop on Wednesday. Getting competing proposals through both chambers, then settling differences and finalizing a bill to get to the president’s desk, could take significant time.
    • “There are other things that are being considered in the mix,” said John Miller, senior vice president of policy for trust, data and technology and general counsel at the Information Technology Industry Council. One would be attaching language to a continuing resolution funding measure that would extend the 2015 law for a short period of time.”
  • Cybersecurity Dive informs us,
    • “Federal officials and private-sector security leaders said Tuesday [June 24, 2025] that they are closely monitoring for cyberattacks related to the Iran conflict but thus far have not observed any significant activity. 
    • The Department of Homeland Security warned Sunday that Iran-linked actors or hacktivist groups may launch attacks against U.S. critical infrastructure operators, citing a recent history of attacks against poorly configured water utilities and other systems. 
    • “An apparent truce announced late Monday by President Donald Trump appeared to lower international tensions, but officials remain on guard for any potential threat activity.
    • “The Cybersecurity and Infrastructure Security Agency (CISA) “is actively coordinating with government, industry, and international partners to share actionable intelligence and strengthen collective defense,” CISA spokesperson Marci McCarthy said in a statement. “There are currently no specific credible threats against the homeland.”
  • NextGov/FCW notes,
    • “Morgan Adamski is leaving her role as executive director of U.S. Cyber Command, handing the reins to Patrick Ware.
    • “After 17 years of service at the National Security Agency, I’ve decided to turn the page to an exciting new chapter in my career. It has been an extraordinary journey contributing to the defense of our Nation and advancing the cybersecurity mission across the U.S. Government,” Adamski wrote in a LinkedIn post Friday [June 27, 2025].
    • “The number three spot in the combatant command is typically held by a civilian on detail from the National Security Agency.
    • “Though Adamski did not clarify where she would be headed next, she noted her commitment to ensuring there were cyber solutions on “both sides of the fence.”
  • CISA and the National Security Agency have released a report titled “Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development.’
  • Per Cyberscoop,
    • Kai West, a prolific cybercriminal better known for operating under the moniker “IntelBroker,” was arrested in France earlier this year and faces federal charges for allegedly stealing data from more than 40 organizations during a two-year period, the Justice Department said Wednesday [June 25, 2025]. 
    • Federal prosecutors unsealed a four-count indictment charging West, a British national, with conspiracy to commit computer intrusions, accessing a protected computer to obtain information and wire fraud. The United States is seeking his extradition for the charges, which each carry maximum sentences of five to 20 years in prison. 

From the cybersecurity breaches and vulnerabilities front,

  • Beckers Health IT identifies the top ten states for healthcare data breaches between February 2023 and April 2025.
  • CISA added three known exploited vulnerabilities to its catalog this week.
    • June 25, 2025
      • CVE-2024-54085 AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
        • Network World discusses this KVE here.
      • CVE-2024-0769 D-Link DIR-859 Router Path Traversal Vulnerability
        • Cybersecurity News discusses this KVE here.
      • CVE-2019-6693 Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability
        • Cybersecurity News discusses this KVE here.
  • Cyberscoop reports,
    • Citrix on Wednesday [June 25, 2025] disclosed an actively exploited zero-day vulnerability affecting multiple versions of NetScaler products, an alarming development from a vendor that’s been widely targeted in previous attack sprees.
    • The zero-day (CVE-2025-6543) was disclosed by Citrix nine days after it issued a security bulletin for a pair of defects (CVE-2025-5777 and CVE-2025-5349) in the same products. All three vulnerabilities affect the company’s networking security appliance NetScaler ADC and its virtual private network NetScaler Gateway. 
    • “Exploits of CVE-2025-6543 on unmitigated appliances have been observed,” Citrix said in a security bulletin for the zero-day. Citrix did not respond to a request for comment. 
    • Citrix described the critical zero-day CVE-2025-6543, which has a base score of 9.2 on the CVSS scale, as a memory overflow defect that attackers can exploit for unintended control flow and denial of service. Exploitation can only occur if targeted NetScaler instances are configured as a gateway or an authentication, authorization and accounting (AAA) virtual server, according to Citrix.”
  • and
    • “The aviation industry has seemingly become the latest target of Scattered Spider, a sophisticated cybercriminal group that has shifted its focus from retail and insurance companies to airlines in what cybersecurity experts describe as a coordinated campaign against the sector.
    • “Hawaiian Airlines disclosed a cybersecurity incident Friday [June 27, 2025] affecting some of its IT systems while maintaining that flights continued operating safely and on schedule. The attack, first detected June 23, according to SEC filings, prompted the airline to engage federal authorities and cybersecurity experts for investigation and remediation efforts.
    • “Multiple incident responders have attributed the Hawaiian Airlines attack to Scattered Spider, also known as Muddled Libra or UNC3944. The assessment comes as cybersecurity firms Unit 42 and Mandiant issued warnings about the group’s apparent pivot to targeting aviation companies.
    • “Charles Carmakal, chief technology officer at Mandiant Consulting – Google Cloud, confirmed his company is “aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.” The group has demonstrated a pattern of focusing intensively on single industries before moving to new sectors.”
  • Per Hacker News,
    • “Unknown threat actors have been distributing a trojanized version of SonicWall’s SSL VPN NetExtender application to steal credentials from unsuspecting users who may have installed it.
    • “NetExtender enables remote users to securely connect and run applications on the company network,” SonicWall researcher Sravan Ganachari said. “Users can upload and download files, access network drives, and use other resources as if they were on the local network.”
    • “The malicious payload delivered via the rogue VPN software has been code named SilentRoute by Microsoft, which detected the campaign along with the network security company.” * * *
    • “The development comes as G DATA detailed a threat activity cluster dubbed EvilConwi that involves bad actors abusing ConnectWise to embed malicious code using a technique called authenticode stuffing without invalidating the digital signature.
    • “The German cybersecurity company said it has observed a spike in attacks using this technique since March 2025. The infection chains primarily leverage phishing emails as an initial access vector or through bogus sites advertised as artificial intelligence (AI) tools on Facebook.”

From the ransomware front,

  • Bleeping Computer notes,
    • “Ahold Delhaize, one of the world’s largest food retail chains, is notifying over 2.2 million individuals that their personal, financial, and health information was stolen in a November ransomware attack that impacted its U.S. systems.
    • “The multinational retailer and wholesale company operates over 9,400 local stores across Europe, the United States, and Indonesia, employing more than 393,000 people and serving approximately 60 million customers each week in-store and online.” * * *
    • “In a Thursday filing with Maine’s Attorney General, the retail giant revealed that the attackers behind the November breach stole the data of 2,242,521 individuals after gaining access to the company’s internal U.S. business systems on November 6, 2024.”Mich
  • Michigan Health Watch adds,
  • Dark Reading reports,
    • “A newly discovered ransomware group dubbed “Dire Wolf” has already taken a bite out of 16 organizations globally since its emergence only last month, mainly across the technology and manufacturing sectors, researchers have found.
    • “The group uses a double extortion tactic with a monthlong turnaround time for paying ransom, and deploys custom encryptors tailored to specific victims, security firm Trustwave revealed in a blog post published June 24. Researchers from Trustwave SpiderLabs recently uncovered and observed a ransomware sample from the emerging threat group and gained insights on how it operates, they said.
    • “So far, the group’s victims have spanned 11 countries, with the US and Thailand reporting the highest numbers of attacks, followed by Taiwan. So far, five of the 16 victims listed on the group’s data leak site have data scheduled to be uploaded by the end of June, presumably because they didn’t pay the ransom, according to the post.”
  • Per Cybersecurity Dive,
    • “Only half of ransomware attacks on organizations this year have involved data encryption, once the attack’s defining feature, according to a Sophos report published on Tuesday [June 24, 2025].
    • “Both the average ransom demand and average ransom payment have dropped significantly over the past year (by 34% and 50%, respectively).
    • “Less than a third of respondents in the survey who paid a ransom said the amount matched the attackers’ initial demand, with 53% of victims paying less and 18% paying more.”

From the cybersecurity defenses front,

  • Cyberscoop reports,
    • “When a faulty software update from cybersecurity firm CrowdStrike last year caused possibly the largest IT outage in history, Microsoft ended up taking much of the blame.
    • “CrowdStrike’s Falcon endpoint detection and response was on millions of Windows devices worldwide, and like most antivirus products that need broad access to different systems to do their job, the software had direct access to the Windows kernel.
    • “When CrowdStrike’s update crashed, so did millions of Windows-powered systems and devices around the world. A series of security announcements by Microsoft on Thursday [June 26, 2025] are designed to reduce the possibility of future third-party outages and other security threats that can take an organization’s IT out of commission for extended durations.
    • “Among those changes: antivirus software like the kind installed by CrowdStrike and other third-party cybersecurity will no longer have direct access to the Windows kernel. The company will be previewing a new endpoint security platform to vendors next month that requires security updates to go through layers of testing and review before they ship to Windows devices and systems worldwide.”
  • Per Cybersecurity Dive,
    • “Cybersecurity insurance premiums declined 2.3% year over year to roughly $7.1 billion in 2024, according to a new report released on Monday [June 23, 2025] by credit rating agency AM Best.
    • “Meanwhile, cyber insurance providers’ loss ratio — the proportion of premiums they use to pay out claims — remained below 50%, indicating that the market remains profitable.
    • “AM Best offered several possible explanations for the slight premium decline.”
  • and
    • “Two reports — one that KPMG released on Thursday and one that Thales released last month — illustrate how generative AI is raising security concerns for business leaders.
    • “Business leaders surveyed by KPMG reported prioritizing security oversight in their generative AI budgeting decisions, with 67% saying they plan to spend money on cyber and data security protections for their AI models. Fifty-two percent cited risk and compliance as a budgetary priority.
    • “Those spending decisions reflect corporate executives’ growing worries about AI security. ***
  • WEDI is offering a free healthcare cybersecurity webinar on June 15, 2025, at 1:00 pm ET.
  • The ISACA Blog considers Proactive Approaches to Identify Cyberthreats.
  • Here is a link to Dark Reading’s CISO Corner.