Cybersecurity Saturday - Ermer and Suter PLLC

From the cybersecurity policy and law enforcement front,

The White House issued a proclamation yesterday about October being Cybersecurity Awareness Month so let’s go.

Per Cyberscoop,
- “European law enforcement dismantled and seized an expansive cybercrime operation used to facilitate phishing attacks via mobile networks for fraud, including account intrusions, credential and financial data theft, Europol said Friday [October 17].
- “Investigators from Austria, Estonia and Latvia linked the cybercrime networks to more than 3,200 fraud cases, which also involved investment scams and fake emergencies for financial gain. Financial losses amounted to about $5.3 million in Austria and $490,000 in Latvia, authorities said.
- “The operation dubbed “SIMCARTEL” netted seven arrests and the seizure of 1,200 SIM box devices, which contained 40,000 active SIM cards that were used to conduct various cybercrimes over telecom networks. Officials described the infrastructure as highly sophisticated, adding that the online service it supported provided telephone numbers for criminal activities to people in more than 80 countries.”
and
- “A Massachusetts man who previously pleaded guilty to a cyberattack on PowerSchool, exposing data on tens of millions of students and teachers, was sentenced to four years in prison Tuesday — half the amount federal prosecutors sought in sentencing recommendations submitted to the court.
- “Matthew Lane, 20, stole data from PowerSchool belonging to nearly 70 million students and teachers, extorted the California-based company for a ransom, which it paid, causing the education software vendor more than $14 million in financial losses, according to prosecutors.
- “U.S. District Judge Margaret Guzman sentenced Lane to four years in prison, followed by three years of supervised release. Lane was also ordered to pay almost $14.1 million in restitution and a $25,000 fine for crimes involving the attack on PowerSchool and an undisclosed U.S. telecommunications company.”

From the cybersecurity vulnerabilities and breaches front,

Cyberscoop reports,
- “Federal cyber authorities issued an emergency directive Wednesday [October 15] requiring federal agencies to identify and apply security updates to F5 devices after the cybersecurity vendor said a nation-state attacker had long-term, persistent access to its systems.
- The order, which mandates federal civilian executive branch agencies take action by Oct. 22, marked the second emergency directive issued by the Cybersecurity and Infrastructure Security Agency in three weeks. CISA issued both of the emergency directives months after impacted vendors were first made aware of attacks on their internal systems or products.
- F5 said it first learned of unauthorized access to its systems Aug. 9, resulting in data theft including segments of BIG-IP source code and details on vulnerabilities the company was addressing internally at the time. CISA declined to say when F5 first alerted the agency to the intrusion.
- CISA officials said they’re not currently aware of any federal agencies that have been compromised, but similar to the emergency directive issued following an attack spree involving zero-day vulnerabilities affecting Cisco firewalls, they expect the response and mitigation efforts to provide a better understanding of the scope of any potential compromise in federal networks.
and
- “F5, a company that specializes in application security and delivery technology, disclosed Wednesday that it had been the target of what it’s calling a “highly sophisticated” cyberattack, which it attributes to a nation-state actor. The announcement follows authorization from the U.S. Department of Justice, which allowed F5 to delay public disclosure of the breach under Item 1.05(c) of Form 8-K due to ongoing law enforcement considerations.
- “According to an 8-K form filed with the Securities and Exchange Commission, the company first became aware of unauthorized access Aug. 9 and initiated standard incident response measures, including enlisting external cybersecurity consultants. In September, the Department of Justice permitted F5 to withhold public disclosure of the breach, which the government allows if a breach is determined to be a “a substantial risk to national security or public safety.”
- “Investigators discovered that the threat actor maintained prolonged access to parts of F5’s infrastructure. Systems affected included the BIG-IP product development environment and the company’s engineering knowledge management platform. The unauthorized access resulted in the exfiltration of files, some of which contained segments of BIG-IP source code and details regarding vulnerabilities that the company was actively addressing at the time. It also said the files taken were “configuration or implementation information for a small percentage of customers.”

Cybersecurity Dive adds,
- “More than 600,000 F5 network security devices running the company’s flagship BIG-IP software are sitting unpatched on the internet one day after the company revealed that nation-state hackers had accessed its networks and source code.
- “The figure, which Palo Alto Networks provided on Thursday [October 16], highlights how many organizations could be vulnerable to cyberattacks exploiting vulnerabilities that the unidentified hackers discovered while roaming through F5’s production environment and developer resources.” * * *
- “F5, which said on Thursday that it believed it had kicked the hackers out of its networks, is working with government and private-sector cyber experts to further investigate the compromise. CISA ordered federal agencies to promptly patch their affected F5 products and disconnect the devices’ management interfaces from the internet.
- “The potential impact of this compromise is unique due to the theft of confidential information regarding previously undisclosed vulnerabilities that F5 was actively in the process of patching,” Palo Alto Networks researchers wrote in their blog post. “This data potentially grants threat actors the capacity to exploit vulnerabilities for which no public patch currently exists, which could accelerate the creation of exploits.”
- “F5 said there was no evidence that the hackers had compromised its source code or software production processes, despite having access to those systems and data.”

CISA added six known exploited vulnerabilities to its catalog this week.
- October 14, 2025
  - CVE-2016-7836 SKYSEA Client View Improper Authentication Vulnerability
  - CVE-2025-6264 Rapid7 Velociraptor Incorrect Default Permissions Vulnerability
  - CVE-2025-24990 Microsoft Windows Untrusted Pointer Dereference Vulnerability
  - CVE-2025-47827 IGEL OS Use of a Key Past its Expiration Date Vulnerability
  - CVE-2025-59230 Microsoft Windows Improper Access Control Vulnerability
    - Security Affairs Discusses these KVEs here.
- October 15, 2025
  - CVE-2025-54253 Adobe Experience Manager Forms Code Execution Vulnerability
    - Security Week discusses this KVE here.

Per Cyberscoop,
- “North Korean operatives that dupe job seekers into installing malicious code on their devices have been spotted using new malware strains and techniques, resulting in the theft of credentials or cryptocurrency and ransomware deployment, according to researchers from Cisco Talos and Google Threat Intelligence Group.
- “Cisco Talos said it observed an attack linked to Famous Chollima that involved the use of BeaverTail and OtterCookie — separate but complementary malware strains frequently used by the North Korea-aligned threat group. Researchers said their analysis determined the extent to which BeaverTail and OtterCookie have merged and displayed new functionality in recent campaigns.
- “GTIG said it observed UNC5342 using EtherHiding, malicious code in the form of JavaScript payloads that turn a public blockchain into a decentralized command and control server. Researchers said UNC5342 incorporated EtherHiding into a North Korea-aligned social engineering campaign previously dubbed Contagious Interview by Palo Alto Networks.
- “Cisco and Google both said North Korean threat groups’ use of more specialized and evasive malware underscores the efforts the nation-state attackers are taking to achieve multiple goals while avoiding more common forms of detection.”

Per Dark Reading,
- “Major password managers are being impersonated in a spate of recent phishing attacks, including LastPass, Bitwarden, and 1Password, and enterprise users should be on notice. In a three-week span, all of them have been dealing with impersonation attacks by threat actors trying to con users into handing over their master password — and with it, troves of sensitive credentials.
- “Password management vendors have long been among hackers’ favorite brands to impersonate, for good reason. Users need to have complete trust in their password managers — after all, nobody would store all of their credentials for all of their accounts in an app they didn’t have total confidence in. Phishers try to exploit that trust.
- “Because password managers are protected by a single master password, a password reset scam — “Your password has been compromised, click here to reset it” — might engender more fear and urgency in this context than in others with lower stakes (that is, unless the user understands the basic mechanics of how their manager works — namely, that their master password would never be stored online to begin with). And of course, if attackers can get their hands on just that one master password, they can access all of a user’s online accounts, plus all of the huge corporate systems they might afford access to.
- “Either by coincidence or reflecting a growing trend, password manager phishing attacks have been popping up even more than usual this October, cyber researchers are warning.”
Per Bleeping Computer,
- “Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in Cisco networking devices to deploy a rootkit and target unprotected Linux systems.
- “The security issue leveraged in the attacks affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE and leads to RCE if the attacker has root privileges.
- “According to cybersecurity company Trend Micro, the attacks exploited the flaw in Cisco 9400, 9300, and legacy 3750G series devices and deployed rootkits on “older Linux systems that do not have endpoint detection response solutions.”
and
- “Earlier this week, Microsoft patched a vulnerability that was flagged with the “highest ever” severity rating received by an ASP.NET Core security flaw.
- “This HTTP request smuggling bug (CVE-2025-55315) was found in the Kestrel ASP.NET Core web server, and it enables authenticated attackers to smuggle another HTTP request to hijack other users’ credentials or bypass front-end security controls.
- “An attacker who successfully exploited this vulnerability could view sensitive information such as other user’s credentials (Confidentiality) and make changes to file contents on the target server (Integrity), and they might be able to force a crash within the server (Availability),” Microsoft said in a Tuesday advisory.”

Per InfoSecurity Magazine,
- “The phishing platform “Whisper 2FA” has rapidly become one of the most active tools used in large-scale credential theft campaigns, according to new research from Barracuda.
- “Since July 2025, the platform has been responsible for nearly one million phishing attacks targeting accounts across multiple industries, placing it just behind Tycoon and EvilProxy in the global phishing-as-a-service (PhaaS) landscape.
- “What makes Whisper 2FA stand out is its use of AJAX, a web technology that allows real-time communication between browser and server without page reloads. This enables the phishing kit to repeatedly capture credentials and multi-factor authentication (MFA) codes until it obtains a valid token.
- “Unlike typical phishing kits that stop after stealing a password, Whisper 2FA continuously loops through attempts, effectively bypassing MFA protections.
- “Attackers have been using a range of lures to deliver Whisper 2FA, mimicking brands such as DocuSign, Adobe and Microsoft 365. These phishing emails often use urgent pretexts, such as invoices or voicemail notifications, to prompt users to log in and unknowingly submit their details to attackers.”

From the ransomware front,

Microsoft tells us,
- “In 80% of the cyber incidents Microsoft’s security teams investigated last year, attackers sought to steal data—a trend driven more by financial gain than intelligence gathering. According to the latest Microsoft Digital Defense Report, written with our Chief Information Security Officer Igor Tsyganskiy, over half of cyberattacks with known motives were driven by extortion or ransomware. That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%. Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit.
- “Every day, Microsoft processes more than 100 trillion signals, blocks approximately 4.5 million new malware attempts, analyzes 38 million identity risk detections, and screens 5 billion emails for malware and phishing. Advances in automation and readily available off-the-shelf tools have enabled cybercriminals—even those with limited technical expertise—to expand their operations significantly. The use of AI has further added to this trend with cybercriminals accelerating malware development and creating more realistic synthetic content, enhancing the efficiency of activities such as phishing and ransomware attacks. As a result, opportunistic malicious actors now target everyone—big or small—making cybercrime a universal, ever-present threat that spills into our daily lives.
- “In this environment, organizational leaders must treat cybersecurity as a core strategic priority—not just an IT issue—and build resilience into their technology and operations from the ground up. In our sixth annual Microsoft Digital Defense Report, which covers trends from July 2024 through June 2025, we highlight that legacy security measures are no longer enough; we need modern defenses leveraging AI and strong collaboration across industries and governments to keep pace with the threat. For individuals, simple steps like using strong security tools—especially phishing-resistant multifactor authentication (MFA)—makes a big difference, as MFA can block over 99% of identity-based attacks.”

HIPAA Journal reports,
- “Kettering Health has provided an update on its May 20, 2025, ransomware attack. The investigation confirmed that the Interlock ransomware group first gained access to its network on April 9, 2025, and retained access until May 20, 2025, when the attack was detected and the unauthorized access was blocked. During that time, the ransomware group accessed or copied files containing patient information.
- “Kettering Health has been providing regular updates on its progress recovering from the attack and has now completed its file review. The review confirmed that current and former patients had the following information compromised in the attack: first and last name, contact information, date of birth, Social Security number, patient identification number, medical record number, medical information, treatment information, diagnosis information, health insurance information, driver’s license/state identification number, financial account information, and/or education records.
- “Kettering Health said it has reviewed its policies, procedures, and processes related to data security and has taken steps to prevent similar incidents in the future. Kettering Health said it is unaware of any misuse of the exposed information and has provided patients with information on how they can protect themselves against identity theft and fraud. Complimentary credit monitoring and identity theft protection services do not appear to have been offered.”

The Record adds,
- “Michigan City, Indiana, has confirmed that a damaging cyber incident three weeks ago that impacted government systems was a ransomware attack.
- “The Indiana city located on the south shore of Lake Michigan was forced to take many systems offline on September 23 and initially called it a “network disruption.”
- “On Saturday [October 11], the city acknowledged it was hit with a ransomware attack “that affected a portion of the City’s data and impacted municipal employees’ online and telephone access.” * * *
- “On Monday, the Obscura ransomware gang took credit for the attack and said they stole 450 gigabytes of data. The group claimed that the time on their ransom had expired and that they posted all of the data that was taken during the cyberattack. Obscura emerged last month and has since named more than 15 victims.”

Dark Reading points out,
- “Harvard University confirmed that it fell victim to an attack exploiting the recently disclosed zero-day vulnerability in Oracle’s E-Business Suite (EBS) system.
- “The critical vulnerability, tracked as CVE-2025-61882, allows an attacker without authentication to remotely access EBS instances. The flaw has been exploited by the notorious Clop ransomware gang in attacks on Oracle customers.
- “Harvard is aware of reports that data associated with the University has been obtained as a result of a zero-day vulnerability in the Oracle E-Business Suite system,” the University told Dark Reading. “This issue has impacted many Oracle E-Business Suite customers and is not specific to Harvard. While the investigation is ongoing, we believe that this incident impacts a limited number of parties associated with a small administrative unit.”
and
- “Microsoft disrupted a Rhysida ransomware campaign that used fake Teams binaries signed with digital certificates, including many from Microsoft’s own service.
- “In a social media post on X, Microsoft Threat Intelligence on Wednesday said it revoked more than 200 code-signing certificates issued by Azure’s Trusted Signing service. These certificates are sometimes abused by threat actors to make malware appear as if it is legitimate, trusted software.
- “According to the post, a cybercriminal group tracked by Microsoft as Vanilla Tempest crafted the fake Teams files to drop a backdoor known as “Oyster,” which allowed attackers to eventually deliver Rhysida ransomware in victims’ networks.
- “Vanilla Tempest, also known as Vice Society, has a track record of targeting healthcare organizations and public schools, though it’s unclear what organizations the group was targeting with its latest campaign.”
Wiz notes,
- “Cloud ransomware targets data and systems in cloud environments by exploiting cloud-native features and APIs rather than just encrypting local files
- “Attackers have evolved beyond simple encryption to use sophisticated tactics like data exfiltration, deletion, and manipulation of cloud services
- “Common attack vectors include compromised credentials, misconfigured storage, overly permissive identities, and supply chain compromises
- “Defending against cloud ransomware requires cloud-native detection and prevention strategies with deep visibility across your entire environment.”

From the cybersecurity defenses front,

Cybersecurity Dive reports,
- “Fortune 500 companies have seen the structure of their security operations teams evolve in recent years, with four of every 10 companies assigning a dedicated, deputy chief information security officer or an equivalent leadership role, according to a report released Thursday from IANS Research and Artico Search.
- “A deputy CISO steps in when the CISO is unavailable and is seen as the eventual successor to the CISO in the company’s risk management hierarchy, according to researchers.
- “In practical terms, the deputy CISO often either holds a dual role as a functional department head who takes on additional executive leadership responsibility or operates as a chief of staff who also takes on CISO-like responsibilities that the CISO needs to delegate,” Nick Kakolowski, senior research director at IANS Research told Cybersecurity Dive via email.”

Beckers Hospital Review calls attention to six notes about health system efforts to sharpen their cybersecurity and margins narrow.

Dark Reading relates,
- “Agentic AI deployments are becoming an imperative for organizations of all sizes looking to boost productivity and streamline processes, especially as major platforms like Microsoft and Salesforce build agents into their offerings. In the rush to deploy and use these helpers, it’s important that businesses understand that there’s a shared security responsibility between vendor and customer that will be critical to the success of any agentic AI project.
- “The stakes in ignoring security are potentially high: last month for instance, AI security vendor Noma detailed how it discovered “ForcedLeak,” a critical severity vulnerability chain in Salesforce’s agentic AI offering Agentforce, which could have allowed a threat actor to exfiltrate sensitive CRM data from a customer with improper security controls through an indirect prompt injection attack. Although Salesforce addressed the issue through updates and access control recommendations, ForcedLeak is but one example of the potential for agents to leak sensitive data, either through improper access controls, ingested secrets, or a prompt injection attack.
- “It’s not an easy task to add agentic AI security to the mix; it’s already challenging enough to determine where responsibility and culpability lie with traditional software and cloud deployments. With something like AI, where the technology can be hastily rolled out (by both vendor and customer alike) and is constantly evolving, establishing those barriers can prove even more complex.”
TechRadar explains “how to plan a smooth Windows 10 to Windows 11 migration – even if you missed the October 14th [support] deadline.”

Here is a link to Dark Reading’s CISO Corner.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Subscribe to FEHBlog