From the cybersecurity policy front,
- The Wall Street Journal reports,
- “The clock is ticking on core federal cybersecurity legislation set to expire Sept. 30, as a divided Congress and a looming government shutdown threaten progress on a new bill that seeks to extend provisions encouraging cooperation in fighting hackers.
- “The decade-old Cybersecurity Information Sharing Act, or CISA, set the legal framework aimed at protecting companies that voluntarily share cyber threat intelligence with other businesses and the federal government, shielding them from antitrust and liability charges.
- “Sunsetting the legislation risks weakening cybersecurity defenses, in both business and government, by discouraging information-sharing about hacking tactics and other cyberattacks, cybersecurity experts said.” * * *
- “On Wednesday [September 3, 2025], the House Homeland Security Committee unanimously approved a revised version of CISA, renaming it the Widespread Information Management for the Welfare of Infrastructure and Government Act, or Wimwag.
- “The proposed bill, which would extend the legislation until 2035, includes updated language to reflect new hacking tactics, while boosting privacy and liability protections for companies, among other changes.
- “Democrats had called for an extension of the 2015 law while leaving any changes to be considered after the September deadline. ‘More improvements will be necessary as the legislative process moves forward,’ based on input by cybersecurity experts, Rep. Bennie Thompson (D., Miss.) told the committee.
- “The bill now moves to the full House for consideration.”
- On Thursday, the federal government’s Spring 2025 semi-annual regulatory and de-regulatory agenda was posted on reginfo.gov. Of note, the Department of Health and Human Services is projecting promulgation of an amended HIPAA Security Rule in May 2026.
- The American Hospital Association News tells us,
- The Cybersecurity and Infrastructure Security Agency, National Security Agency and international agencies Sept. 3 released joint guidance outlining a “software bill of materials” for organizations to strengthen cybersecurity, reduce risk and decrease costs. An SBOM is a list of all components contained in a software product.
- “Whether it’s an application used on a computer or the software that runs a medical device, most software incorporates components to accomplish specific tasks,” said Scott Gee, AHA deputy national advisor of cybersecurity and risk. “It is critical to understand what components are used in a piece of software because if a flaw is discovered in any, it could make the entire piece of software — and the organization’s network — vulnerable to attack. A good analogy is the ingredients list on food packaging — it tells consumers exactly what additives and preservatives are in their food. Without an SBOM, an organization would have no way to determine that the vulnerable component was present in their systems.”
- Gee also highlighted the importance of automated monitoring of SBOMs, as they would alert of any vulnerabilities that would require patching and remediation.
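As an added illustration of the automated SBOM monitoring Gee describes (example code written for this digest, not from AHA, CISA or any vendor): it parses a constructed CycloneDX-style SBOM and checks each component's package URL against a constructed advisory list with affected version ranges, reporting the components that need patching. Package names and advisory ids are placeholders, not real software or advisories.

```python
"""Match components in a CycloneDX-style SBOM against an advisory feed.
Both inputs are constructed samples for illustration only."""
import json

# Constructed minimal SBOM in CycloneDX JSON layout (only the fields used here).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log-writer", "version": "2.3.1",
         "purl": "pkg:pypi/log-writer@2.3.1"},
        {"type": "library", "name": "imgcodec", "version": "1.0.4",
         "purl": "pkg:pypi/imgcodec@1.0.4"},
        {"type": "library", "name": "netutil", "version": "4.2.0",
         "purl": "pkg:npm/netutil@4.2.0"},
    ],
})

# Constructed advisory feed: affected range is [introduced, fixed);
# fixed=None means no patched release exists yet (placeholder ids).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_prefix": "pkg:pypi/log-writer",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-EXAMPLE-0002", "purl_prefix": "pkg:pypi/imgcodec",
     "introduced": "1.1.0", "fixed": "1.1.3"},
    {"id": "ADV-EXAMPLE-0003", "purl_prefix": "pkg:npm/netutil",
     "introduced": "0", "fixed": None},
]

def parse_version(v):
    """Dotted numeric version to a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_affected(version, introduced, fixed):
    """True when version lies in [introduced, fixed); open-ended if fixed is None."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def find_vulnerable_components(sbom_json, advisories):
    """Return [(component purl, advisory id)] for every SBOM component that matches."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        pkg = purl.rsplit("@", 1)[0]  # drop the version suffix of the purl
        for adv in advisories:
            if pkg == adv["purl_prefix"] and is_affected(
                    comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((purl, adv["id"]))
    return hits

if __name__ == "__main__":
    for purl, adv_id in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"PATCH NEEDED: {purl} is affected by {adv_id}")
```

In practice the advisory feed would be fetched from a vulnerability database and the check re-run whenever either the SBOM or the feed changes.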
- Federal News Network informs us,
- “The Cybersecurity and Infrastructure Security Agency has named a new top cyber official. Nick Anderson is now serving as executive assistant director of CISA’s cybersecurity division. Anderson is a Marine Corps veteran who previously led the Energy Department’s top cyber office during the first Trump administration. He most recently was president and chief operating officer of Invictus International Consulting. Anderson also was chief information security officer for Lumen Technologies Public Sector.”
From the cybersecurity vulnerabilities and breaches front,
- CISA added seven known exploited vulnerabilities to its catalog this week.
- September 2, 2025
- CVE-2020-24363 TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability
- CVE-2025-55177 Meta Platforms WhatsApp Incorrect Authorization Vulnerability
- Security Affairs discusses these KEVs here.
- September 3, 2025
- CVE-2023-50224 TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability
- CVE-2025-9377 TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
- Security Affairs discusses these KEVs here.
- September 5, 2025
- CVE-2025-38352 Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability
- CVE-2025-48543 Android Runtime Unspecified Vulnerability
- CVE-2025-53690 Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability
- September 2, 2025
- Cybersecurity Dive reports,
- “In separate disclosures, Cloudflare Inc. and Proofpoint Inc. on Tuesday said they were impacted by the August supply chain attacks linked to Salesloft Drift.
- “The disclosures mark the latest in a wave of attacks, where a threat actor used compromised credentials linked to the Salesloft Drift AI chatbot to gain access to the Salesforce instances at hundreds of companies.
- “Cloudflare said it was notified last week of the incident, in which an outside attacker gained access to the text fields of support cases in its Salesforce instances, according to a blog post released Tuesday.
- “Despite being part of a much larger supply chain attack, the company took full responsibility for the breach and issued an apology.
- “‘We are responsible for the tools we use in support of our business,’ company executives said in the blog post. ‘For that, we sincerely apologize.’
- “The incidents follow disclosures by Palo Alto Networks and Zscaler of their customer Salesforce environments being impacted by the supply chain attack.”
- Dark Reading relates,
- “In a blog post Thursday, SecurityBridge said it discovered an exploit for CVE-2025-42957 and confirmed it has been used in the wild. ‘While widespread exploitation has not yet been reported, SecurityBridge has verified actual abuse of this vulnerability,’ the blog post said. ‘That means attackers already know how to use it – leaving unpatched SAP systems exposed.’
- “SecurityBridge added that SAP’s patch for CVE-2025-42957 is ‘relatively easy’ to reverse engineer, and that successful exploitation gives attackers access to the operating system and all data in the targeted SAP system.” * * *
- “Even though an attacker would need a valid user account to exploit CVE-2025-42957, SecurityBridge said the vulnerability was ‘especially dangerous.’” * * *
- “SecurityBridge urged customers to immediately apply the patch for CVE-2025-42957, which was released in SAP’s August 2025 security updates. To defend against potential exploitation, the company recommended implementing SAP’s Unified Connectivity framework (UCON) to restrict RFC usage, and to monitor logs for suspicious RFC calls and newly created admin accounts.
- “The exploitation of CVE-2025-42957 follows attacks in the spring on a critical SAP NetWeaver zero-day flaw tracked as CVE-2025-31324. The vulnerability came under subsequent waves of attacks in the weeks following its initial disclosure in late April.”
- and
- “A young malware-as-a-service (MaaS) operation has been outed, shortly after the debut of its newest custom remote access Trojans (RATs).
- “In recent weeks, researchers have been slowly, independently piecing together an emerging cybercrime threat cluster. First, they found a malware loader that had been spread hundreds of times and named it ‘CastleLoader.’ Then, they uncovered the broader MaaS service around it, and called it ‘CastleBot.’ Now, they’ve mapped out the infrastructure propping it all up, and identified new variants of its own Trojan, called ‘CastleRAT’ (aka ‘NightShadeC2’), which various MaaS customers have distributed to victims via boobytrapped GitHub repositories, the ClickFix tactic, malicious websites advertising fake software, and other methods.
- “Plenty of questions still remain though, about the group that Recorded Future’s Insikt Group has labeled ‘TAG-150.’ For instance, how has it managed to spread itself so far while maintaining essentially no visible presence on the Dark Web?”
- Bleeping Computer points out “six browser-based attacks all security teams should be ready for in 2025.”
From the ransomware front,
- Industrial Cyber informs us,
- “New data from Comparitech shows that of the 18 confirmed ransomware attacks in August, three hit manufacturers, two targeted healthcare companies, and another two struck the food and beverage sector. Overall, worldwide ransomware attacks rose from 473 in July to 506 in August, a 7% increase and the second consecutive month of growth after a decline from March through June 2025. While government systems remain a steady target, manufacturing recorded the sharpest rise, with attack claims surging 57% from 72 in July to 113 in August. Four of these incidents have been confirmed.
- “August saw a first-of-a-kind attack on the state of Nevada. While hundreds of U.S. government organizations have suffered ransomware attacks, this is the first-ever statewide attack. The attack was first detected on August 24, 2025, and has left many citizens and state agencies without access to essential services. No hackers have claimed the attack as of yet, but if a ransom isn’t paid, it’s likely the group will come forward in the coming days/weeks.
- “Comparitech reported that the healthcare and education sectors each recorded one confirmed attack in August, though both reported more unconfirmed attack claims compared with July. These numbers are expected to rise as additional incidents are confirmed in the coming weeks.”
- Here are links to updates on the ransomware attacks on the State of Nevada and Pennsylvania Attorney General’s office noted in last week’s Cybersecurity Saturday.
- BitDefender alerts us,
- “Ransomware groups continue to evolve their tactics, but few have made as sharp an impact in 2025 as SafePay. Once a lesser-known player, the group has surged into prominence by quietly amassing hundreds of victims across the globe. In June, SafePay topped Bitdefender’s Threat Debrief rankings after claiming 73 victim organizations in a single month, and the group followed up with 42 more victims in July—its second-highest monthly tally to date.
- “With more than 270 claimed victims so far this year, SafePay’s discreet operations, rejection of the ransomware-as-a-service (RaaS) model, and rapid-fire victim disclosures signal a significant threat that security researchers and teams should understand.”
- CIO explains why “the latest research into cybercrime and those behind it illustrates why businesses must quickly adapt to the rising tide of high-stakes cyber extortion.”
- SC Media discusses “how AI has changed ransomware negotiations.”
From the cybersecurity defenses and business front,
- Cybersecurity Dive reports,
- “The cyber insurance market is continuing to stall with organic growth slowing and rates declining, according to a report Wednesday from global insurance firm Swiss Re.
- “Increased competition among insurers has led to a third consecutive year of reduced rates, according to the report, as the available supply of cyber coverage has exceeded current demand. The market imbalances have forced insurers to make concessions on premiums, cybersecurity controls and coverage limits.
- “The insurance industry has grown increasingly concerned in recent years about systemic loss events and the risk of liability over data privacy. That has led to worries over whether additional premium cuts are sustainable.”
- Cybersecurity Dive also explains how Tampa General Hospital’s “CIO and CISO teamed up to translate security decisions into dollars and cents.”
- HIPAA Journal notes,
- “Healthcare organizations are relatively unlikely to have serious cybersecurity vulnerabilities compared to other industry sectors, as they are generally good at prevention; however, when vulnerabilities are identified, healthcare lags other sectors when it comes to remediation. These are the findings from a recent analysis of penetration testing data and a survey of 500 U.S. security leaders by the Pentest-as-a-service (PTaaS) firm Cobalt. The findings are published in its State of Pentesting in Healthcare 2025 report.”
- The Wall Street Journal adds,
- “A study at UCSD Health found cybersecurity training had little effect on employees’ susceptibility to simulated phishing attacks.
- “On average, four groups of employees who received training designed by the researchers had only a 1.7% lower failure rate than employees who had no training.
- “Employees often didn’t engage with training, spending less than a minute on training pages over 75% of the time.”
- Per Cyberscoop,
- “Israeli cybersecurity company Cato Networks has acquired AI security startup Aim Security in its first ever acquisition, reflecting the broader industry rush to address security challenges posed by artificial intelligence adoption.
- “The deal combines Cato’s Secure Access Service Edge (SASE) networking platform with Aim’s AI security capabilities, allowing the company to protect customers from threats associated with generative AI tools and applications. Financial terms were not disclosed.
- “The acquisition underscores how cybersecurity companies are scrambling to develop solutions for AI-related risks as enterprises rapidly adopt AI tools without fully understanding potential vulnerabilities. Aim’s technology addresses three key areas: securing employee use of public AI applications, protecting private AI systems, and managing security throughout AI development lifecycles.”
- and
- “Varonis has acquired SlashNext, an AI-driven email security company, for up to $150 million in a move that reflects the rising role of artificial intelligence in both attack and defense.
- “The acquisition, announced Tuesday, brings together Varonis’ focus on data-centric security and threat detection with SlashNext’s technology for blocking phishing and social engineering attacks across email and collaboration platforms. The companies cited a rapidly evolving threat environment, as cybercriminals increasingly use AI to target victims on channels reaching beyond traditional email, including Slack, Microsoft Teams, WhatsApp, and Zoom.
- “Founded by Atif Mushtaq, who worked on FireEye’s malware detection systems, SlashNext deploys predictive AI models to identify, remove and block socially engineered threats. Its technology leverages computer vision, natural language processing, and virtual browsers to pinpoint signs of compromise.”
- Here’s a link to Dark Reading’s CISO Corner.
