Cybersecurity Dive - Ermer and Suter PLLC

From the cybersecurity policy and law enforcement front,

The House Committee on Homeland Security will mark up the CISA 2025 reauthorization bill on Wednesday, September 3, at 10 am ET.

Per a Congressional news release,
- “U.S. Senators Bill Cassidy, M.D. (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Maggie Hassan (D-NH) requested information from Aflac following a recent cyberattack on their internal data systems.
- “This comes amid increasing cyberattacks on the health care sector. In 2024, there were over 700 large data breaches that impacted approximately 276 million Americans. These attacks not only threaten Americans’ sensitive health data, but delay lifesaving care to patients.
- “The recent cybersecurity incident affecting Aflac’s supplemental insurance systems highlights the continuing risk to patients and other stakeholders,” wrote the senators. “While Aflac has stated that it ‘stopped the intrusion within hours,’ additional transparency is needed about whether the intruders accessed private consumer and patient data, how Aflac safeguarded protected health information (PHI) prior to the incident, and steps that the company intends to take going forward.”

Per a National Institute of Standards and Technology news release,
- “A revision to NIST’s catalog of security and privacy safeguards [(NIST SP 800-53)] aims to help organizations better manage risks related to software updates and patches.
- “The catalog revision is part of NIST’s response to a recent executive order on strengthening the nation’s cybersecurity.
- “Completed with the help of a real-time commenting system, the revision is available in several different formats, some of which are machine-readable.”

Dark Reading tells us,
- “Updated federal agency guidelines for software bills of materials (SBOM) were recently released by the US Cybersecurity and Infrastructure Security Agency (CISA) with rules intended to push for additional transparency among software and component vendors. Experts agree the new rules are a hopeful step forward but worry they overlook some serious issues facing today’s software supply chain.
- “Since 2021, when the federal minimum SBOM guidelines initially were released, the idea has been debated in information security circles as a great concept, but just not feasible in the real world. Vendors pushed back, arguing that the regulations are onerous. And in the ensuing years, with federal agencies leading the way, SBOMs have been embraced to varying degrees. The SBOM challenge has been connecting the gorge between the information they provide, and the ability for cyber teams operationalize it.
- “CISA recently released its 2025 update to SBOM guidelines for federal agencies, and while experts say they are hopeful things are headed in the right direction, they also acknowledge skepticism across the cybersecurity industry about some aspects of the new guidance.”

Per a CISA news release on August 26,
- “Today, the Cybersecurity and Infrastructure Security Agency (CISA) released the Software Acquisition Guide: Supplier Response Web Tool, a no-cost, interactive resource designed to empower information technology (IT) and industry decision makers, procurement professionals and software suppliers strengthen cybersecurity practices throughout the software procurement lifecycle.
- “The Web Tool builds on the “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle”, offering a streamlined, digital experience that simplifies how users assess software assurance and supplier risk.
- “This tool demonstrates CISA’s commitment to offering practical, free solutions for smarter, more secure software procurement,” said CISA Director of Public Affairs, Marci McCarthy. “Transforming the Software Acquisition Guide into an interactive format simplifies integrating cybersecurity into every step of procurement.”

Per Cyberscoop,
- “The Treasury Department on Wednesday [August 27] expanded efforts to disrupt the pervasive North Korean technical worker scheme by imposing sanctions on people and organizations serving as facilitators and fronts for the country’s years-long conspiracy effort to defraud businesses and earn money despite international sanctions.
- “Vitaly Sergeyevich Andreyev, Kim Ung Sun, Shenyang Geumpungri Network Technology and Korea Sinjin Trading Corp. were all sanctioned by the Treasury Department’s Office of Foreign Assets Control for their alleged roles in the scheme orchestrated by the North Korean government.”

From the cybersecurity vulnerabilities and breaches front,

Cybersecurity Dive reports,
- “Chinese government-backed hackers are targeting critical infrastructure and government computer systems as part of a yearslong campaign that includes the well-known Salt Typhoon activity, the U.S. and 12 other countries said on Wednesday.
- “The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world,” the allied governments said in a joint advisory.
- “The China-linked campaign has penetrated organizations in more than 80 countries, including more than 200 targets in the U.S., an FBI spokesperson told Cybersecurity Dive.
- The advisory describes the attackers’ techniques, from initial access to data exfiltration; describes an incident in which the hackers tried to decrypt network traffic to collect administrator credentials; suggests strategies for threat hunting; and recommends mitigation activities.
and
- “Hackers stole user credentials from Salesforce customers in a widespread campaign earlier this month, according to researchers at Google Threat Intelligence Group, who warned that the thefts could lead to follow-up attacks.
- “A threat actor that Google tracks as UNC6395 targeted Salesforce instances using compromised OAuth tokens that were associated with the customer engagement vendor Salesloft’s Drift AI chat agent.
- “Researchers believe the hackers’ primary goal was to harvest credentials, as they stole large amounts of data from numerous Salesforce instances.
- “Google’s Threat Intelligence Group “is aware of over 700 potentially impacted organizations,” Austin Larsen, a principal threat analyst at the company, told Cybersecurity Dive in a statement. “The threat actor used a Python tool to automate the data theft process for each organization that was targeted.”
- “The attacks did not involve any vulnerability in the Salesforce platform, according to researchers. After stealing the data, the hackers looked for sensitive credentials, including access keys and passwords for Amazon Web Services as well as access tokens for the Snowflake cloud platform.
- “The attacks largely occurred between Aug. 8 and Aug. 18, researchers said. By Aug. 20, Salesloft had begun working with Salesforce to revoke all active access and refresh Drift tokens, according to Google.”

Bleeping Computer adds,
- “Consumer credit reporting giant TransUnion warns it suffered a data breach exposing the personal information of over 4.4 million people in the United States, with BleepingComputer learning the data was stolen from its Salesforce account.
- “TransUnion is one of the three major credit bureaus in the United States, alongside Equifax and Experian. It operates in 30 countries, employs 13,000 staff, and has an annual revenue of $3 billion.”

Per Security Week,
- “Multiple phishing campaigns deploying ConnectWise ScreenConnect for remote control demonstrate the sophistication, extent, and danger of AI-supercharged social engineering.
- “An ongoing ScreenConnect threat example highlights primary aspects of modern cybercriminality: AI-enhanced, scaled, and sophisticated social engineering; use of trust and stealth to deceive security controls; and maximum use of the professionalized crime-as-a-service (CaaS) ecosphere.
- “Current ScreenConnect campaigns differ in their attack details, but all conform to the basic process: a phishing attack leading to deployment of ScreenConnect to allow remote access and potential control of the victim organization. Researchers have found more than 900 targeted enterprises around the world.”

CISA added five known exploited vulnerabilities to its catalog this week.
- August 25, 2025
  - CVE-2024-8069 Citrix Session Recording Deserialization of Untrusted Data Vulnerability
  - CVE-2024-8068 Citrix Session Recording Improper Privilege Management Vulnerability
  - CVE-2025-48384 Git Link Following Vulnerability
    - Cyber Press discusses these KVEs here.
    - Cybersecurity Dive adds more details on the Citrix KVEs here.
    - Bleeping Computer adds more details on the Git Link KVE here.
- August 26, 2025
  - CVE-2025-7775 Citrix NetScaler Memory Overflow Vulnerability
    - Bleeping Computer discusses this KVE here.
- August 29, 2025
  - CVE-2025-57819 Sangoma FreePBX Authentication Bypass Vulnerability
    - Bleeping Computer discusses this KVE here.

From the ransomware front,

Cybersecurity Dive reports,
- “Federal and state authorities are investigating a ransomware attack that has disrupted key services across the state of Nevada.
- “The Sunday [August 24] attack interrupted multiple government services, including phone systems and state agency websites.
- “The attackers were able to exfiltrate data during the intrusion, but officials still don’t know what they took, Tim Galluzi, Nevada chief information officer and executive director of the Governor’s Technology Office, said during a press conference Wednesday.
- “The process of analyzing the information to determine exactly what was taken is complex, methodical and time consuming,” Galluzi said, adding that it would be reckless to speculate on the nature of the stolen information.
- “The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are helping Nevada officials respond to the intrusion. In a statement Wednesday [August 27], CISA said its threat hunters are helping analyze Nevada’s computer networks and mitigate any potential impact from the hack.
Security Week adds on August 29,
- “Four days after the hackers hit the state’s network, certain state offices have resumed working with the public, some Nevada state’s departments have reverted to pen and paper operations to serve the public, and the Nevada Health Authority has restored some of its operations, including Medicaid and the benefits program.
- “However, the Access Nevada application portal remains inaccessible, certain phone lines are down, the Child Care & Development Program cannot access case files or certifications, and DMV offices were closed on Wednesday, although its website has been restored.
- “Emergency services and essential operations have remained available throughout the outage. Additional information can be found on this recovery status page.”

SpotlightPA reports,
- “The Pennsylvania Office of Attorney General was the victim of a ransomware attack earlier this month, Spotlight PA has learned.
- “The attack, first reported by the office on Aug. 11 as a “cyber incident,” has impaired many functions of the agency, as some staff and prosecutors remain unable to access archived emails, files, and internal systems crucial to pursuing cases on behalf of the commonwealth.
- “The office confirmed the attack to Spotlight PA on Friday [August 29].

KERA News relates,
- A cybersecurity breach in Greenville [,Texas] has affected the city’s ability to access police and other records.
- The city’s servers were attacked by a ransomware group on Aug. 5.
- “Upon identification, the City immediately implemented protective measures, isolated affected systems where appropriate, contacted law enforcement and engaged a third-party cybersecurity firm to mitigate the event and restore services,” the city said in a news release.
- Greenville’s emergency 911 service was not affected and remains in operation, however, some phone lines may experience intermittent outages or busy signals, the city said.

Per Cyberscoop,
- “A financially motivated threat group operating since 2021 has refined its technical tradecraft, honing its focus on cloud-based systems that allow it to expand ransomware operations beyond the scope of on-premises infrastructure, Microsoft Threat Intelligence said in a report released Wednesday [August 27].
- “By leveraging cloud-native capabilities, Storm-0501 has exfiltrated large volumes of data with speed, destroying data and backups within victim environments and encrypted systems. “This is in contrast to threat actors who may have relied solely on malware deployed to endpoints,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, said in an email.
- “This evolution is about both a technical shift and a change in impact strategy,” DeGrippo said. “Instead of just encrypting files and demanding ransom for decryption, Storm-0501 now exfiltrates sensitive cloud data, destroys backups, and then extorts victims by threatening permanent data loss or exposure.”
- “Storm-0501 targets opportunistically by searching for unmanaged devices and security gaps in hybrid cloud environments. By exploiting these vulnerabilities, it can evade detection, escalate its access privileges and sometimes move between user accounts. This approach amplifies the impact of its attacks and raises its chance for a payout, according to Microsoft.”
and
- “Researchers at cybersecurity firm ESET claim to have identified the first piece of AI-powered ransomware in the wild.
- “”The malware, called PromptLock, essentially functions as a hard-coded prompt injection attack on a large language model, causing the model to assist in carrying out a ransomware attack.
- “Written in Golang programming code, the malware sends its requests through Ollama, an open-source API for interfacing with large language models, and a local version of an open-weights model (gpt-oss:20b) from OpenAI to execute tasks.
- “Those tasks include inspecting local filesystems, exfiltrating files and encrypting data for Windows, Mac and Linux devices using SPECK 128-bit encryption.
- “According to senior malware researcher Anton Cherepanov, the code was discovered Aug. 25 by ESET on VirusTotal, an online repository for malware analysis. Beyond knowing that it was uploaded somewhere in the U.S., he had no further details on its origins.
- “Notably, attackers don’t need to deploy the entire gpt-oss-20b model within the compromised network,” he said. ”Instead, they can simply establish a tunnel or proxy from the affected network to a server running Ollama with the model.”
- “ESET believes the code is likely a proof of concept, noting that functionality for a feature that destroys data appears unfinished. Notably, Cherepanov told CyberScoop that they have yet to see evidence of the malware being deployed by threat actors in ESET telemetry.”

From the cybersecurity defenses front,

Cyberscoop lets us know,
- “Chief information security officers are increasingly concerned about the risk of a cyberattack, and a growing number say they have experienced a material loss of data over the past year, according to a report released Tuesday by Proofpoint.
- “Two-thirds of CISOs said their organizations have experienced a material loss of sensitive information over the past year, compared with only 46% in the prior year, according to the report. Meanwhile, three-quarters of CISOs fear they are at risk of a material cyberattack over the next 12 months.
- “The increase reflects not only heightened risk but also a cultural shift among CISOs, according to Proofpoint.
- “CISOs are becoming more transparent, especially in light of increased regulatory scrutiny and evolving board expectations,” Patrick Joyce, global resident CISO at Proofpoint, told Cybersecurity Dive.
- “The annual “Voice of the CISO” report is based on a survey of 1,600 CISOs at organizations in 16 countries. The survey took place during the first quarter of 2025, and all respondents worked at organizations with more than 1,000 employees.”

Dark Reading offers ransomware defense tips here and cloud security tips here.

The Wall Street Journal reports,
- “Cybersecurity concierge services offer tailored protection against online threats for high-profile individuals, including monitoring and data scrubbing.
- “These services, costing from $1,000 to tens of thousands annually, attract those with substantial assets and a significant digital footprint.
- “Demand is rising, with wealth managers for cyber protection, especially after experiencing breaches.”

Here is a link to Dark Reading’s CISO corner.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Subscribe to FEHBlog