From the cybersecurity policy and law enforcement front,
- Cybersecurity Dive tells us,
- “The Trump administration should slash cybersecurity regulations and double down on winning the trust of the private sector, the U.S. tech industry’s largest trade group said in a paper published Tuesday [August 12, 2025].
- “In a report laying out recommendations for the White House’s Office of the National Cyber Director — now helmed by newly confirmed Trump appointee Sean Cairncross — the Information Technology Industry Council said the government should focus on “results-driven action.”
- “There is a need to prioritize impactful security outcomes, slash red tape, rethink legacy network architectures, invest in secure modern systems, and strengthen trusted partnerships between the public and private sectors,” ITI said.
- “Achieving results, the group argued, “means empowering defenders with what they need to win: efficiency, appropriate resourcing, and the freedom to focus on real threats, not on navigating a web of regulatory regimes.”
- Cyberscoop observes,
- “Two executive orders President Donald Trump has signed in recent months could prove to have a more dramatic impact on cybersecurity than first thought, for better or for worse.
- Overall, some of Trump’s executive orders have been more about sending a message than spurring lasting change, as there are limits to their powers. Specifically, some of the provisions of the two executive orders with cyber ramifications — one from March on state and local preparedness generally, and one from June explicitly on cybersecurity — are more puzzling to cyber experts than anything else, while others preserve policies of the prior administration which Trump has criticized in harsh terms. Yet others might fall short of the orders’ intentions, in practice.
- But amid the flurry of personnel changes, budget cuts and other executive branch activity in the first half of 2025 under Trump, the full scope of the two cyber-related executive orders might have been somewhat overlooked. And the effects of some of those orders could soon begin coming to fruition as key top Trump cyber officials assume their posts.
- Federal News Network reports,
- “The Cybersecurity and Infrastructure Security Agency has rolled out new guidance to help deal with what some cyber experts say is a rising concern: a lack of visibility into threats to operational technology.
- CISA on Wednesday [August 13, 2025] published “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators.” CISA developed the guidance in conjunction with other agencies, including the Environmental Protection Agency, the National Security Agency, the FBI and several international partners.
- The guidance focuses on operational technology, which refers to hardware and software that monitor and control physical processes in industrial settings.
- “OT systems are essential to the daily lives of all Americans and to national security,” Acting CISA Director Madhu Gottumukkala said in a press release. “They power everything from water systems and energy grids to manufacturing and transportation networks. As cyber threats continue to evolve, CISA through this guidance provides deeper visibility into OT assets as a critical first step in reducing risk and ensuring operational resilience.”
- Federal News Network also interviews Steve Shirley, executive director, National Defense Information Sharing and Analysis Center, and J.R. Williamson, vice president and chief information security officer, Leidos, about the evolution of zero trust: “Federal agencies are learning that implementing Zero Trust means more than deploying new tools. It requires rethinking how users, devices and data interact across every layer of the enterprise.”
- The American Hospital Association News informs us,
- “The Department of Justice Aug. 11 announced a series of actions taken against the BlackSuit ransomware group, also known as “Royal,” including the disruption of four servers and nine domains July 24. BlackSuit attacks have targeted health care and other critical infrastructure sectors, DOJ said.
- “There is no doubt that the private sector also contributed information to facilitate this disruption, once again highlighting the value of public private operational engagement,” said John Riggi, AHA national advisor for cybersecurity and risk. “The BlackSuit/Royal ransomware group is directly responsible for multiple disruptive attacks against hospitals and health systems, posing a direct risk to patient and community safety. We hope these aggressive law enforcement operations continue at a pace that will meaningfully degrade foreign cyber adversaries’ abilities to harm the American public.”
From the cybersecurity vulnerabilities and breaches front,
- Cybersecurity Dive reports,
- “The Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft on Tuesday [August 12, 2025] updated their mitigation guidance for a high-severity flaw in Exchange Server.
- The flaw, tracked as CVE-2025-53786, could allow an attacker with administrative privileges for on-premises versions of Exchange to escalate privileges by exploiting vulnerable hybrid joined configurations, Microsoft and CISA said last week.
- In an update on Tuesday, CISA said it still saw no evidence of hackers exploiting the flaw, but it urged organizations to review Microsoft’s updated guidance on identifying Exchange Servers on a network and running the Microsoft Exchange Health Checker.
- “In its updated security bulletin, Microsoft said an attacker could potentially escalate privileges from an on-premises server to a connected cloud environment without leaving an “easily detectable and auditable trace.”
- Bloomberg Law reports,
- “Russian government hackers lurked in the records system of the US courts for years and stole sensitive documents that judges had ordered sealed from public view, according to two people familiar with the matter and a report seen by Bloomberg News.
- “The attackers had access to what was supposed to be protected information for multiple years, the report on the breach shows. They gained access by exploiting stolen user credentials and a cybersecurity vulnerability in an outdated server used by the federal judiciary, according to the report, which says the hackers specifically searched for sealed records.
- “The report, which was reviewed in part by Bloomberg, doesn’t identify the attackers. But investigators found evidence that they were a Russian state-sponsored hacking group, according to the people, who spoke on condition that they not be named because they were not authorized to discuss the matter.
- “It’s unclear exactly when the hackers first penetrated the system and when the courts became aware of the breach. Last fall, the judiciary hired a cybersecurity firm to help address it, said one of the people.” * * *
- “The intrusion was previously reported by Politico, while the New York Times earlier reported that Russia was at least in part behind the cyberattack.
- “The hackers targeted sealed documents in espionage and other sensitive cases, including ones involving fraud, money laundering and agents of foreign governments, Bloomberg Law reported on Tuesday [August 12, 2025]. Such records often include sensitive information that, in the wrong hands, could be used to compromise criminal and national security investigations, or to identify people who provide information to law enforcement.”
- Per Cybersecurity Dive,
- “Xerox has issued a security upgrade for critical and high-severity vulnerabilities in its FreeFlow Core product that researchers said could have allowed an attacker to remotely execute code.”
- and
- “Virtually all companies have experienced some type of intrusion due to vulnerable code, application security firm Checkmarx said in a report released Thursday [August 14, 2025].
- Nearly eight in 10 firms reported experiencing such breaches in 2023, but that figure climbed to more than 90% last year and reached 98% this year.
- At the same time, eight in 10 companies said they sometimes or often released software with code they knew was vulnerable, up from two-thirds in 2024. “This isn’t oversight,” Checkmarx said. “It’s strategy.”
- CISA added five known exploited vulnerabilities to its catalog this week.
- August 12, 2025
- CVE-2013-3893 Microsoft Internet Explorer Resource Management Errors Vulnerability
- CVE-2007-0671 Microsoft Office Excel Remote Code Execution Vulnerability
- CVE-2025-8088 RARLAB WinRAR Path Traversal Vulnerability
- Security Affairs discusses these KEVs here.
- August 13, 2025
- CVE-2025-8875 N-able N-central Insecure Deserialization Vulnerability
- CVE-2025-8876 N-able N-central Command Injection Vulnerability
- Dark Reading discusses these KEVs here.
- Per Bleeping Computer,
- “Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking.
- “These weaker login channels are vulnerable to adversary-in-the-middle phishing attacks that employ tools like Evilginx, enabling attackers to snatch valid session cookies and hijack the accounts.
- “Although the attack doesn’t prove a vulnerability in FIDO itself, it shows that the system can be bypassed, which is a crucial weakness.
- “This is especially worrying considering the increased adoption of FIDO-based authentication in critical environments, a consequence of the technology being touted as extremely phishing-resistant.”
- and
- “Cisco is warning about a critical remote code execution (RCE) vulnerability in the RADIUS subsystem of its Secure Firewall Management Center (FMC) software.
- “Cisco FMC is a management platform for the vendor’s Secure Firewall products, which provides a centralized web or SSH-based interface to allow administrators to configure, monitor, and update Cisco firewalls.
- “RADIUS in FMC is an optional external authentication method that permits connecting to a Remote Authentication Dial-In User Service server instead of local accounts.”
From the ransomware front,
- Halcyon informs us,
- “Black Hat 2025 had plenty of shiny new toys and buzzword-heavy sessions, but the real story was hiding in plain sight. No ransomware track. No packed panel on the threat that has cost organizations billions and taken down some of the most secure environments on the planet. The only time it truly took center stage was when Mikko Hyppönen made it impossible to ignore.
- “For those paying attention, three truths stood out. Agentic AI will accelerate ransomware campaigns to speeds that will overwhelm unprepared defenders. Ransomware is the next stage in the evolution of malware, and it will only become more capable. Modern security stacks, no matter how mature or expensive, are still being bypassed with troubling ease.”
- Bleeping Computer adds,
- Ransomware and infostealer threats are evolving faster than most organizations can adapt. While security teams have invested heavily in ransomware resilience, particularly through backup and recovery systems, Picus Security’s Blue Report 2025 shows that today’s most damaging attacks aren’t always about encryption.
- Instead, both ransomware operators and infostealer campaigns often focus on credential theft, data exfiltration, and lateral movement, leveraging old-school stealth and persistence to achieve their objectives with minimal disruption.
- The evolving adversary tactics are clearly visible when comparing the findings from the Blue Report 2025, based on over 160 million real-world attack simulations, and the Red Report 2025, which analyzes the latest trends in malware, threat actors, and exploitation techniques.
- The overlap between the two reports reveals a clear and concerning signal: defenders are falling behind on detecting the very tactics that adversaries now favor the most.
- InfoSecurity Magazine reports,
- “An ongoing data extortion campaign targeting Salesforce customers could soon turn its attention to financial services firms, security experts have warned.
- “The notorious ShinyHunters group has been blamed for a series of data breaches impacting big names in the fashion (LVMH, Chanel, Pandora, Adidas) and aviation (Qantas, Air France-KLM) sectors. These victims are typically targeted with vishing for logins to their Salesforce accounts and are sometimes also tricked into downloading a malicious app for similar purposes.”
- Per Dark Reading,
- “An emerging ransomware actor is using sophisticated techniques in the style of an advanced persistent threat group (APT) to target organizations with customized ransom demands, posing a significant risk to businesses.
- “Charon is a new ransomware family (named for the ferryman from Greek mythology who carried souls across the River Styx to Hades); Trend Micro observed it being deployed in a targeted attack in the Middle East’s public sector and aviation industry — the first such record of Charon observed in the wild, according to new research from the firm.
- “The ransomware leverages techniques such as DLL sideloading, process injection, and anti-EDR capabilities, which are typically the hallmark of advanced threat actors and — in this case — reminiscent of campaigns by the group Earth Baxia, according to a Trend Micro blog post published today.
- “The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload,” Trend Micro threat researchers wrote in the post.”
- and
- “Researchers spotted a new Crypto24 ransomware campaign that they say marks a “dangerous evolution” in the threat landscape.
- “According to Trend Micro researchers, recent attacks by Crypto24 actors display a combination of advanced evasion techniques and custom tools that can disable EDR solutions — including Trend Micro’s own Vision One platform. Crypto24 was first spotted in 2024 but hadn’t made much of an impact until recently, when it became the latest ransomware gang to bypass EDR platforms and security solutions.
- “Trend Micro’s report, published Thursday, details how Crypto24 has demonstrated a high level of skill that sets it apart from other ransomware gangs. For example, researchers noted how “Crypto24 actors deftly deploy a broad range of tools that include legitimate programs like PSExec and AnyDesk for remote access and lateral movement, as well as Google Drive for data exfiltration.”
- “More importantly, Crypto24’s successful deployment of a customized RealBlindingEDR (an open source tool for disabling security solutions) variant that neutralized our security controls shows their capability to maneuver around modern defenses,” the report said. “The threat actor’s customized version employs advanced evasion, likely via unknown vulnerable drivers, showcasing deep technical expertise and ongoing tool refinement.”
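The Charon chain described above (a renamed cookie_exporter.exe, on disk as Edge.exe, loading a look-alike msedge.dll from beside itself) is a textbook DLL sideload, and it is the kind of thing image-load telemetry catches when the rule looks at the right fields. The following is an added detection example, not code from Trend Micro, Dark Reading or the page: it runs a sideload heuristic over constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields. The watchlist of DLL names and their expected install directories is an assumption for illustration, and the sample events are made up. The check generalizes beyond msedge.dll to any watchlisted DLL: it flags a watchlisted DLL resolved outside its home directory, a DLL loaded from the host binary's own folder when the host is not in the vendor directory either, a host whose PE OriginalFileName disagrees with its on-disk name, and a watchlisted DLL that is unsigned.

```python
"""Heuristic detection of DLL sideloading in Sysmon-style ImageLoad telemetry.

Added example (not code from Trend Micro, Dark Reading or the Charon actors).
Events below are constructed to mirror Sysmon Event ID 7 field names; the
values are made up for the demo. The watchlist of DLL names and expected
install directories is an assumption for illustration, not a vendor list.
"""
from pathlib import PureWindowsPath

# Assumed watchlist: DLL names commonly sideloaded, and the directories where a
# genuine copy is expected to live. Extend per environment.
EXPECTED_LOCATIONS = {
    "msedge.dll": [
        r"C:\Program Files\Microsoft\Edge\Application",
        r"C:\Program Files (x86)\Microsoft\Edge\Application",
    ],
    "version.dll": [r"C:\Windows\System32", r"C:\Windows\SysWOW64"],
}


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive prefix comparison."""
    return str(PureWindowsPath(path)).lower()


def _under(path: str, roots) -> bool:
    """True if path lies beneath one of the given root directories."""
    p = _norm(path)
    return any(p.startswith(_norm(r) + "\\") for r in roots)


def analyze_image_load(ev: dict) -> list:
    """Return the reasons an ImageLoad event looks like sideloading ([] if clean)."""
    if ev.get("EventID") != 7:
        return []
    host, dll = ev["Image"], ev["ImageLoaded"]
    host_name = PureWindowsPath(host).name.lower()
    dll_name = PureWindowsPath(dll).name.lower()
    roots = EXPECTED_LOCATIONS.get(dll_name)
    reasons = []

    # 1. A watchlisted DLL resolved from somewhere other than its home directory.
    if roots is not None and not _under(dll, roots):
        reasons.append(f"{dll_name} loaded from outside its expected location")

    # 2. Classic sideload shape: DLL sits beside the host, and the host itself
    #    is not in the vendor directory either (the Edge.exe / msedge.dll case).
    same_dir = PureWindowsPath(dll).parent == PureWindowsPath(host).parent
    if roots is not None and same_dir and not _under(host, roots):
        reasons.append("watchlisted DLL loaded from the host executable's own directory")

    # 3. Host renamed: the PE OriginalFileName disagrees with the name on disk.
    orig = str(ev.get("OriginalFileName", "")).lower()
    if orig and orig != host_name:
        reasons.append(f"host renamed: on disk {host_name}, original name {orig}")

    # 4. Vendor DLLs on the watchlist are expected to carry a valid signature.
    if roots is not None and str(ev.get("Signed", "")).lower() != "true":
        reasons.append(f"{dll_name} is not signed")

    return reasons


def scan(events) -> list:
    """Run the heuristic over a stream of events; one finding per hit."""
    findings = []
    for ev in events:
        reasons = analyze_image_load(ev)
        if reasons:
            findings.append({"image": ev["Image"], "dll": ev["ImageLoaded"],
                             "reasons": reasons})
    return findings


# Constructed sample telemetry (Sysmon Event ID 7 shape, made-up values).
SAMPLE_EVENTS = [
    {   # genuine Edge loading its own module from the install directory
        "EventID": 7,
        "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
        "OriginalFileName": "msedge.exe",
        "ImageLoaded": r"C:\Program Files\Microsoft\Edge\Application\msedge.dll",
        "Signed": "true", "Signature": "Microsoft Corporation",
    },
    {   # renamed helper binary pulling a look-alike DLL from beside itself
        "EventID": 7,
        "Image": r"C:\Users\Public\Edge.exe",
        "OriginalFileName": "cookie_exporter.exe",
        "ImageLoaded": r"C:\Users\Public\msedge.dll",
        "Signed": "false", "Signature": "",
    },
    {   # notepad loading version.dll from System32: normal
        "EventID": 7,
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
    },
    {   # an app loading its own plugin from its own folder: not watchlisted, ignored
        "EventID": 7,
        "Image": r"C:\Program Files\SomeVendor\app.exe",
        "OriginalFileName": "app.exe",
        "ImageLoaded": r"C:\Program Files\SomeVendor\plugin.dll",
        "Signed": "true", "Signature": "SomeVendor Ltd",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["image"], "->", f["dll"])
        for r in f["reasons"]:
            print("   ", r)
```

Only the renamed Edge.exe event trips the heuristic, on all four counts; the genuine Edge load, the System32 version.dll load and the vendor plugin load stay quiet. Restricting the same-directory check to a watchlist is deliberate: almost every application loads DLLs from its own folder, so an unrestricted same-directory rule drowns analysts in noise, whereas the OriginalFileName mismatch is cheap and fires on exactly the renaming trick this campaign relied on.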
From the cybersecurity business and defenses front,
- Cyberscoop names its Cyberscoop 50 award winners for 2025.
- “The CyberScoop 50 Awards recognize those who have been honored for their work in protecting vital networks, information and critical infrastructure. Through their hard work, ingenuity, and creativity, they aim to fend off hackers, stay ahead of adversaries and protect American networks.”
- HelpNet Security lets us know,
- “Security leaders are rethinking their approach to cybersecurity as digital supply chains expand and generative AI becomes embedded in critical systems. A recent survey of 225 security leaders conducted by Emerald Research found that 68% are concerned about the risks posed by third-party software and components. While most say they are meeting regulatory requirements, 60% admit attackers are evolving too fast to maintain resilience.” * * *
- “Penetration testing is no longer treated as a box to check. It has become a core element of enterprise security programs. Eighty-eight percent of security leaders now consider it vital. Over half say they use pentests to validate their own software. More than half also require third-party pentests before releasing software to customers.
- “The survey found that 49% plan to use pentesting to identify software supply chain vulnerabilities, and 44% intend to use it to uncover insider threats. The practice is being integrated across the development life cycle and procurement workflows.
- “Generative AI is emerging as a new and unpredictable risk. Sixty-six percent of respondents say GenAI helps attackers analyze data and evade defenses. More than half worry that AI can automate the entire attack lifecycle, and 62% are concerned that AI development tools may introduce hidden vulnerabilities into codebases.”
- Following the Black Hat conference, Dark Reading’s CISO Corner is back.
