Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “U.S. government officials said critical infrastructure operators should be on alert for Iranian cyberattacks.
    • “In a threat advisory published Monday [June 30], multiple agencies said Iran might target U.S. firms “for near-term cyber operations” due to “the current geopolitical environment” — a reference to the Trump administration joining Israel’s aerial campaign against Iran’s nuclear program and related assets.
    • “Defense contractors, especially firms that have relationships with Israeli companies, are likely at heightened risk of targeting, according to the advisory.”
  • and
    • “The Department of Justice on Monday [June 30] announced a series of actions as part of an investigation into the North Korean government’s deployment of its citizens abroad to pose as IT workers and illicitly earn money for the regime.
    • “Newly unsealed charging documents describe two separate schemes to trick U.S. companies into hiring people who funneled their paychecks to the North Korean government and exploited their access to the companies’ networks to steal sensitive information and cryptocurrency.
    • “Law enforcement officials, who have repeatedly issued alerts about Pyongyang’s IT worker schemes, warned U.S. businesses on Monday to carefully screen their remote employees to avoid falling victim to similar ruses.
  • Cyberscoop tells us,
    • “The Chinese hackers behind the massive telecommunications sector breach are “largely contained” and “dormant” in the networks, “locked into the location they’re in” and “not actively infiltrating information,” the top FBI cyber official told CyberScoop.
    • “But Brett Leatherman, new leader of the FBI Cyber division, said in a recent interview that doesn’t mean the hackers, known as Salt Typhoon, no longer pose a threat.
    • “While there’s been some debate about whether Salt Typhoon should be getting more attention than fellow Chinese hackers Volt Typhoon — whom federal officials have said are prepositioned in U.S. critical infrastructure, poised for destructive action in the event of a conflict with the United States — Leatherman said the groups aren’t as different as some think.
    • “Salt Typhoon, even though it was [an] espionage campaign, had access to telecommunications infrastructure,” he said. “You can pivot from access in support of espionage to access in support of destructive action.”
  • and
    • “Federal authorities levied sanctions Tuesday on Aeza Group, a bulletproof hosting service provider based in Russia, for allegedly supporting a broad swath of ransomware, malware and infostealer operators.
    • “Aeza Group has provided servers and specialized infrastructure to the Meduza, RedLine and Lumma infostealer operators, BianLian ransomware and BlackSprut, a Russian marketplace for illicit drugs, according to the Treasury Department’s Office of Foreign Assets Control. Lumma infected about 10 million systems before it was dismantled through a coordinated global takedown in May.
    • “The Treasury Department’s action against Aeza Group follows a wave of cybercrime crackdowns across the globe. Prolific cybercriminals have been arrested, and infostealers, malware loaders, counter antivirus and crypting services, cybercrime marketplaces, ransomware infrastructure and DDoS-for-hire operations have all been seized, taken offline or severely disrupted by global coordinated campaigns since May.
    • “Officials accused Aeza Group of helping cybercriminals target U.S. defense companies and technology vendors.”

From the cybersecurity breaches and vulnerabilities front,

  • Cybersecurity Dive informs us,
    • “Australian carrier Qantas said hackers who breached one of its call centers stole a significant quantity of customer data.
    • “The airline said on its website that it detected unusual activity on Monday [June 30] on a third-party platform that one of its call centers used. The airline took immediate action and was able to contain the attack, which it blamed on a criminal hacker.
    • “Qantas said it is investigating the extent of the intrusion but warned that the hackers accessed a “significant” amount of customer data, including names, addresses, phone numbers, dates of birth and frequent-flyer numbers. 
    • “The breach did not compromise any credit card details, personal financial information or passport information, Qantas said, because those are stored in a separate system. The intrusion also did not expect login information for customers’ frequent-flyer accounts.
    • “Qantas said it was working with government authorities, including the Australian Cyber Security Centre and the National Cyber Security Coordinator, as well as independent forensic experts to investigate the breach.
    • “All of Qantas’ systems are now secure and the airline is operating normally, according to the company. It said it was in the process of contacting customers to alert them to the incident.” 
  • Per Security Week,
    • “Missouri healthcare provider Esse Health is notifying over 263,000 people that their personal information was stolen in a disruptive April 2025 cyberattack.
    • “The incident was discovered on April 21 and impacted the organization’s access to the electronic medical record system, while also taking down its phone system.
    • “By May 13, the healthcare provider had restored certain systems and was able to fulfill scheduled appointments or procedures. The phone systems were restored in early June, along with other primary patient-facing network systems, the organization said in an incident notice.
    • “On June 20, Esse Health said its investigation into the attack determined that a threat actor breached its network on April 21 and stole files containing personal information.
    • “The exfiltrated data included names, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, health information, and health insurance details.”
  • and
    • “Benefits and payroll solutions firm Kelly & Associates Insurance Group (dba Kelly Benefits) has informed authorities that a recent data breach impacts more than 550,000 people.
    • “The company revealed in April that hackers had gained access to its systems in December 2024, and an investigation had shown that the threat actor managed to steal files storing personal information.
    • “The incident resulted in the theft of information such as name, date of birth, Social Security number, tax ID number, medical information, health insurance information, and financial account information. 
    • “Kelly Benefits is notifying impacted individuals on behalf of more than 40 affected customers, including Aetna Life Insurance Company, Amergis, Beam Benefits, Beltway Companies, CareFirst, The Guardian Life Insurance Company of America, Fidelity Building Services Group, Intercon Truck of Baltimore, Humana Insurance ACE, Merritt Group, Publishers Circulation Fulfilment, Quantum Real Estate Management, United Healthcare, and Transforming Lives.
    • Data breach reports submitted by Kelly Benefits to the Maine Attorney General’s Office since early April show that the number of impacted individuals has steadily increased as the company’s investigation progressed.” 
  • The Center for Medicare and Medicaid Services announced on June 30,
    • The Centers for Medicare & Medicaid Services (CMS) is notifying Medicare beneficiaries whose personal information may have been involved in a data incident affecting Medicare.gov accounts. CMS identified suspicious activity related to unauthorized creation of certain beneficiary online accounts using personal information obtained from unknown external sources. CMS takes this situation very seriously. The safeguarding and security of personally identifiable information is of the utmost importance to CMS. 
    • Following detection of the incident, CMS worked quickly to deactivate affected accounts, assess the scope and impact of the compromise, and mitigate the effects on impacted individuals. CMS is working closely with appropriate parties to investigate this situation.
    • Approximately 103,000 beneficiaries may have been impacted. Notifications to affected individuals are being mailed, informing them of the incident, outlining steps being taken to protect their information, and providing guidance on actions they may wish to take. 
  • The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
  • Dark Reading warns
    • “While browser extensions add useful functionality to Web browsers, such as blocking ads, managing passwords, and taking notes, they also increase the organization’s security and privacy risks.
    • “Browser extensions require certain levels of permissions that are attractive to attackers. Some extensions need access to the user’s location, browsing history, or the user’s clipboard to see what data the user has copied. Some extensions go further, requesting access to nearly all of the data stored on the user’s computer as well as the data accessed while visiting different websites. Attackers can exploit extensions with these heightened permissions to access potentially sensitive information, such as Web traffic, saved credentials, and session cookies.
    • “Even extensions with relatively modest permissions can manipulate those permissions to obtain access to the inner workings of every Web page displayed on a user’s screen, warns LayerX CEO and co-founder Or Eshed. LayerX research shows that 53% of enterprise users have installed extensions labeled with “high” or “critical” permissions scope. This is why browser extensions are a prime avenue for exploitation by threat actors, he adds.  
    • “[Attackers] can use it to copy or rewrite data or exploit Web page permissions for even more access,” Eshed says.”
  • Security Week adds,
    • A vulnerability in the Forminator WordPress plugin could allow attackers to take over more than 400,000 impacted websites.
    • A popular form builder plugin with more than 600,000 active installations, Forminator supports the creation of various types of forms, including contact and payment forms, polls, and more.
    • The WordPress plugin was found vulnerable to CVE-2025-6463 (CVSS score of 8.8), an arbitrary file deletion flaw that exists because file paths are not sufficiently validated in a function used to delete a form submission’s uploaded files.

From the ransomware front,

  • Bleeping Computer reports,
    • “The Hunters International Ransomware-as-a-Service (RaaS) operation announced today that it has officially closed down its operations and will offer free decryptors to help victims recover their data without paying a ransom.
    • “After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with,” the cybercrime gang says in a statement published on its dark web leak earlier today.
    • “As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.” * * *
    • “Threat intelligence firm Group-IB also revealed in April that Hunters International was rebranding with plans to focus on data theft and extortion-only attacks and had launched a new extortion-only operation known as “World Leaks.”
  • Security Week advises,
    • The key tool for surviving ransomware, or any attack scenario, is an IR plan. But an IR plan is only worthwhile if it’s comprehensive, current, and tested. IR plans are not “best practices”, nor singular documents stored in a safe place. They are living resources that require attention and maintenance. In this way, the proof of an IR plan’s efficacy is in that organizational muscle memory – most effectively trained through Tabletop exercises.  So, what are the primary “muscles,” and the repetitive “exercises” in which you can train an organization to respond decisively, immediately, confidently, and automatically.”
      • Plan your workout
      • Warm up
      • Train, recover, repeat
      • Measure your gains 

From the cybersecurity defenses and business front,

  • Withum offers guidance on how to align your firm’s cybersecurity practices with Labor Department best practices for ERISA plan fiduciaries.
  • Per Security Week,
    • Cloudflare has reversed its block on AI-crawling from optional to default, allowing finer grained crawling but only with agreement from all parties concerned.
    • LLMs are what they learn. From their inception the biggest source of learning has been the internet, so there has been a natural tendency for AI developers to scrape the internet as widely as possible.
    • Cloudflare has now introduced an option for their customers to accept or reject website scraping by AI vendors. Hitherto, internet scraping has been a major part of gathering training data for large LLM (gen-AI) developers; but the process has raised questions and objections over legality, copyright infringement, and accuracy.
  • Dark Reading lets us know,
    • “How businesses can align cyber defenses with real threats. Companies that understand the motivations of their attackers and position themselves ahead of the competition will be in the best place to protect their business operations, brand reputation, and their bottom line.”
  • and
    • “One year after a buggy CrowdStrike update knocked IT systems offline, organizations seeking to strike the right balance between security and productivity have viewed the incident as a learning opportunity.
    • “The cost of the CrowdStrike outage was estimated at $5.4 billion, affecting payment systems, airline reservations, and a variety of other industries. The impact of the outage highlights why many operational technology (OT) teams are as sensitive to patches and other updates in their critical infrastructure, as they are highly averse to outages that can happen if such updates are defective.
    • “But when balancing security and productivity, it is imperative not to view the CrowdStrike outage as a reason to forgo patching completely. The ever-growing volume of vulnerabilities and threats requires organizations to remain resilient and anti-fragile — that is, to have the ability to proactively respond to issues and continuously improve.”
  • Per Security Week,
    • “LevelBlue announced on Tuesday [July 1] that it’s acquiring managed detection and response (MDR) services company Trustwave from The Chertoff Group’s MC² Security Fund.
    • LevelBlue, formerly known as AT&T Cybersecurity, was launched in May 2024 as a joint venture between WillJam Ventures and AT&T. 
    • “The company’s acquisition of Trustwave comes shortly after it announced plans to buy Aon’s cybersecurity consulting business. The deals are part of a plan to become the largest pure-play managed security services provider (MSSP). 
    • “Once the acquisition has been completed, LevelBlue’s expertise in strategic risk management and cybersecurity infrastructure will be integrated with Trustwave’s platform and MDR service.”
  • Here’s a link to Dark Reading’s CISO Corner.

Leave a Reply

Your email address will not be published. Required fields are marked *