Cybersecurity Saturday

From the cybersecurity policy front and law enforcement front,

  • Federal News Network reports,
    • “For years, the influential Cyberspace Solarium Commission has advanced recommendations on cyber policy that have slowly but steadily been adopted by Congress and federal agencies.
    • “But now, commission leaders are confronting a new reality: progress is “stalling, and in several areas, slipping,” largely due to the Trump administration’s federal workforce cuts.
    • “In its latest annual report, the Cyberspace Solarium Commission 2.0 — the “2.0” because the commission no longer resides within Congress but at the Foundation for the Defense of Democracies — found that there had been a “reversal” on its recommendations for the first time in the commission’s five-year history.”
  • Dark Reading adds,
    • “Cyberattacks against US agencies were rising steadily even before Oct. 1, in anticipation of the shutdown. Researchers at the Media Trust then observed a spike of activity on its very first day.
    • “At this point, they’re projecting that the feds will experience north of 555 million cyberattacks by the end of the month [of October] — an 85% increase over the already more active than usual month of September.”
    • “To make matters worse, Media Trust CEO Chris Olson points out that those 555 million attacks aren’t the cheap phishing chum one might expect to dominate such a dataset.
    • “These are targeted digital attacks through websites, apps, and targeted advertising. What we are detecting are actual interactions with employees,” he says.”
  • Dark Reading also informs us,
    • “A massive seizure by the US government of cryptocurrency from a sprawling Southeast Asia cybercrime syndicate has raised hopes that coordinated actions against cybercriminal groups can help undermine their profits.
    • “On Oct. 14, the US Department of Justice — along with the Drug Enforcement Agency, the Department of State, and other agencies — announced the seizure of 127,271 bitcoin kept in “unhosted wallets” and the indictment of Chen Zhi, the founder and chairman of the Prince Holding Group, on charges of conspiracy to commit wire fraud and money laundering. The seized bitcoin, stored in 25 wallets, are worth more than $14 billion, and were valued at nearly $15 billion on the day of the announcement.” * * *
    • “Repeating the win will be difficult, however.
    • “While the US Department of Justice and government officials announced the seizure and indictment on Oct. 14, the actual investigation and enforcement actions occurred last year and the investigation took much longer. The seizure of the funds likely took place in June and July of 2024, when the wallets holding the bitcoin “suddenly lit up … suggesting coordinate[d] enforcement activity,” says TRM Labs’ Redboard.
    • “These operations are exceptionally hard to pull off,” he says. “They require cooperation across agencies and borders, and — critically — access to private keys. Investigators can map transactions forever, but they can’t move assets without those keys. The fact that the US was able to gain control here means that digital and physical evidence aligned, resulting in a great outcome.” * * *
    • “The successful seizure may also reverse a trend that blockchain experts have noted: Cybercriminals’ increasing dependency on bitcoin. While other cryptocurrencies exist — and stable coin has become popular among some investors — bitcoin’s self-custody attribute has been seen as a significant benefit, says Eric Jardine, cybercrimes research manager at Chainalysis, a crypto intelligence firm.” * * *
    • “Whether the seizure by the US government results in a movement away from bitcoin remains to be seen.”

From the cybersecurity vulnerabilities and breaches front,

  • Cybersecurity Dive reports,
    • “Security researchers are warning that cyber threat actors are abusing a critical vulnerability in Microsoft Windows Server Update Service. 
    • “The vulnerability, tracked as CVE-2025-59287, involves deserialization of untrusted data and could allow intruders to execute code without authorization.
    • “Researchers at Huntress said they have seen attackers exploiting the vulnerability in four different customers’ networks. 
    • “Senior security researcher John Hammond described the attack as a simple “point-and-shoot” technique, noting that the recent release of a proof of concept made the attack trivially accessible for any hacker to launch.” * * *
    • “In an advisory released late Friday [October 24], CISA urged users to identify servers that are vulnerable to exploitation and immediately apply the upgrades. These servers have WSUS Server Role enabled, and ports open to 8530/8531, according to CISA.”
  • Cyberscoop adds,
    • “Last week, Cybersecurity and Infrastructure Security Agency officials spoke candidly about the challenges they faced tracking the use of F5 products across the civilian federal government. While CISA knows there are thousands of instances of F5 currently in use, it admitted it wasn’t certain where each instance was deployed. 
    • “The uncertainty came as the agency issued an emergency directive related to F5, instructing other government agencies to find and patch any F5 instances. The urgency stemmed from the fact that F5 itself had revealed a nation-state had gained a long-term foothold in its systems.
    • “One of the main goals of the directive: “help us identify the different F5 technology in the federal network,” as one official told reporters.
    • “CISA didn’t already have a complete picture of that despite the billions of dollars spent on a program, Continuous Diagnostics and Mitigation (CDM), designed for, among other things, “increasing visibility into the federal cybersecurity posture,” which CISA’s website for the program states is one of its main four goals.
    • “CISA’s lack of awareness about the extent of the F5 vulnerability’s presence in the federal government highlights a weakness in a program that is, by and large, a well-regarded one. But the fact that CDM did not automatically identify F5 prevalence is a circumstance of fast-changing technology and a shortcoming in the part of CDM that’s focused on keeping track of digital assets, according to current and former CISA officials and cyber industry professionals.”
  • CISA added the following known exploited vulnerabilities to its catalog this week,
  • Cybersecurity Dive relates,
    • “Critical flaws in TP-Link Omada and Festa VPN routers could allow attackers to take control of a device, according to a report released Thursday from Forescout Research – Vedere Labs. 
    • “One vulnerability, tracked as CVE-2025-7850, could enable OS command injection through improper sanitation of user input, according to the researchers. The flaw, which has a severity score of 9.3, in some cases can be exploited without requiring credentials to the device.
    • “A second vulnerability, tracked as CVE-2025-7851, allows root access via residual debug code, and has a severity score of 8.7. The flaw exposes hidden functionality that allows for root login via SSH, Forescout researchers told Cybersecurity Dive.
    • “TP-Link devices have been the target of exploitation activity in the past, including large botnets such as Quad7, says Daniel dos Santos, head of research at Forescout Research.” * * *
    • “The researchers said they are not aware of any exploitation involving the newly found vulnerabilities but given that one is rated as critical and the other as high-severity, users should immediately apply new firmware updates issued by TP-Link.”
  • and
    • “Half of all organizations have been “negatively impacted” by security vulnerabilities in their AI systems, according to recent data from EY.
    • “Only 14% of CEOs believe their AI systems adequately protect sensitive data.
    • “AI’s new risks are compounding the difficulty of securing networks with a patchwork of cybersecurity defenses as organizations use an average of 47 security tools, EY found.”
  • Fierce Network adds,
    • “Beware. It’s that time of year when many employees are being told it’s open enrollment and they’re given a deadline to renew their health benefits. But if an unverified and unexpected message comes through SMS on your smartphone, it might be a smishing attack.
    • “Don’t click on the link, however tempting it may be.
    • “That’s one bit of advice from Chris Novak, VP of Global Cybersecurity Solutions at Verizon Business. He talked with Fierce about the latest Verizon Mobile Security Index that shows just how vulnerable mobile devices are to attacks. And guess what? AI isn’t helping matters. In fact, it’s putting devices more at risk.”
  • Cyberscoop notes,
    • “Researchers have uncovered a long-running phishing campaign that uses text messages to trick victims, and it’s both bigger and more complex than previously thought. The operation, dubbed Smishing Triad, is managed in Chinese and involves thousands of malicious actors, including dozens of active, high-level participants, Palo Alto Networks’ research unit told CyberScoop.
    • “Unit 42 has traced about 195,000 domains to the highly decentralized phishing operation since January 2024. Researchers say more than two-thirds of the malicious domains are registered through Hong Kong-based registrar Dominet (HK) Limited using China-based domain name system infrastructure.
    • “Most of the attack domains (58%) are hosted on U.S.-based IP addresses, while 21% are hosted in China and 19% reside in Singapore. The global phishing operation is designed to collect sensitive information, including national identification numbers, home addresses, financial details and credentials, according to Unit 42.
    • “The malicious domains, which include hyphenated strings followed by a top-level domain, trick victims into thinking they are visiting a legitimate site. These domains impersonate services across many critical sectors including toll road services, multinational financial service and investment firms, e-commerce markets and cryptocurrency exchanges, health care organizations, law enforcement agencies and social media platforms.”
  • HelpNetSecurity explains how “attackers turn trusted OAuth apps into cloud backdoors.”
  • Cybersecurity Dive points out that “social engineering gains ground as preferred method of initial access [for cyberattacks]. Senior executives and high-net-worth individuals are increasingly at risk as hackers use deepfakes, voice cloning and other tactics for targeted attacks.”
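The CISA advisory on CVE-2025-59287 quoted above gives two concrete criteria for a vulnerable server (WSUS Server Role enabled, port 8530 or 8531 open), and the F5 item describes an inventory that did not know where its own F5 instances were. The following Python is an added example, not CISA's, Huntress's, F5's or CDM's code: it applies both checks to a small constructed asset data set, separating confirmed WSUS exposure from hosts whose scan data has the ports open but no role information, and listing F5 devices the inventory does not track. All hostnames, products, ports and inventory entries are constructed.

```python
"""Exposure triage over a constructed asset inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

WSUS_PORTS = frozenset({8530, 8531})   # ports named in the CISA advisory


@dataclass(frozen=True)
class Host:
    hostname: str
    product: str                              # e.g. "windows-server", "f5-bigip"
    open_ports: FrozenSet[int]
    roles: Optional[FrozenSet[str]] = None    # None: the scan gave no role information


# Constructed "observed on the network" records, e.g. from a scan or flow data.
OBSERVED = [
    Host("wsus01", "windows-server", frozenset({8530, 8531, 3389}), frozenset({"WSUS"})),
    Host("wsus02", "windows-server", frozenset({443}), frozenset({"WSUS"})),   # role, ports not open
    Host("unk-srv", "windows-server", frozenset({8530}), None),               # ports open, role unknown
    Host("file01", "windows-server", frozenset({445}), frozenset({"FileServer"})),
    Host("lb01", "f5-bigip", frozenset({443})),
    Host("lb-forgotten", "f5-bigip", frozenset({443, 8443})),
]

# Constructed asset-inventory record: the hostnames the programme already tracks.
INVENTORY = {"wsus01", "wsus02", "unk-srv", "file01", "lb01"}


def triage(hosts: Iterable[Host], inventory) -> Dict[str, List[str]]:
    """Apply the two advisory-derived checks and return sorted hostname lists.

    wsus_confirmed: WSUS role present and an 8530/8531 port open (CISA criteria).
    wsus_suspect:   8530/8531 open but the scan recorded no roles; verify by hand.
    f5_unknown:     F5 devices seen on the wire but missing from the inventory.
    """
    result = {"wsus_confirmed": [], "wsus_suspect": [], "f5_unknown": []}
    for h in hosts:
        wsus_port_open = bool(h.open_ports & WSUS_PORTS)
        if h.roles is not None and "WSUS" in h.roles and wsus_port_open:
            result["wsus_confirmed"].append(h.hostname)
        elif h.roles is None and wsus_port_open:
            result["wsus_suspect"].append(h.hostname)
        if h.product == "f5-bigip" and h.hostname not in inventory:
            result["f5_unknown"].append(h.hostname)
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    for bucket, names in triage(OBSERVED, INVENTORY).items():
        print(f"{bucket}: {names}")
```

The "suspect" bucket exists because scan output often carries open ports but not installed roles; treating those hosts as clean would reproduce exactly the visibility gap the F5 item describes.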
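The TP-Link item above attributes CVE-2025-7850 to OS command injection through improper sanitation of user input. The Python below is an added example of that defect class and its fix, not TP-Link's firmware code: a constructed "ping diagnostic" handler of the kind such devices expose, first as the vulnerable shell-string pattern (which only returns the string it would hand to a shell, nothing is executed) and then hardened with strict target validation and an argv list passed without a shell. The handler name, parameter and sample inputs are constructed.

```python
"""OS command injection: vulnerable pattern beside its hardened form (added example)."""
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and interior hyphens only.
# A leading hyphen is rejected, so a value can never be parsed as a ping option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def build_ping_command_vulnerable(target: str) -> str:
    """Constructed vulnerable pattern: user input spliced into a shell command.

    Code like this would run the string with a shell (shell=True), so shell
    metacharacters in `target` become additional commands. This function only
    returns the string so the defect can be inspected without executing it.
    """
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    """Accept only a literal IP address or a syntactically valid hostname."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected ping target: {target!r}")


def build_ping_command_hardened(target: str) -> list:
    """Validate first, then pass the value as its own argv element (no shell)."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str) -> int:
    """Execute the hardened command without a shell; returns the exit status."""
    return subprocess.run(build_ping_command_hardened(target), capture_output=True).returncode


if __name__ == "__main__":
    for candidate in ["192.0.2.1", "router.example", "192.0.2.1; id", "-V"]:
        try:
            print("accepted:", build_ping_command_hardened(candidate))
        except ValueError as exc:
            print("rejected:", exc)
```

Two layers matter here: the allow-list validation rejects anything that is not an address or hostname, and the argv form means that even a value which slipped through would reach `ping` as a single argument rather than a shell command line.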
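Unit 42 characterises the Smishing Triad domains above as hyphenated strings followed by a top-level domain that impersonate toll, financial, e-commerce, health, law-enforcement and similar services. The Python below is an added example, not Unit 42's or Palo Alto Networks' code: a lexical scoring pass that ranks candidate domains on those traits so an analyst can prioritise which to check first. The sector keyword list, the weights, the threshold and the sample domains are all constructed; the score is a prioritisation hint, not a verdict, and the registrar, DNS and hosting checks the article mentions require network access and are out of scope here.

```python
"""Lexical triage of candidate smishing domains (added example)."""
import re

# Constructed keyword list covering the sectors named as impersonated.
SECTOR_KEYWORDS = {
    "toll", "tolls", "turnpike", "ezpass", "fastrak",
    "bank", "pay", "payment", "invest",
    "shop", "market", "store", "order", "parcel", "delivery",
    "wallet", "crypto", "exchange",
    "health", "clinic", "medical",
    "police", "court", "dmv", "gov",
    "account", "login", "verify", "secure",
}


def split_domain(domain: str):
    """Return (registrable name, tld). Multi-part public suffixes such as
    co.uk would need a public-suffix list and are not handled here."""
    labels = domain.lower().rstrip(".").split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]
    return name, labels[-1]


def score_domain(domain: str) -> dict:
    """Score one domain on hyphenation, sector words and numeric filler."""
    name, tld = split_domain(domain)
    tokens = [t for t in name.split("-") if t]
    hyphens = name.count("-")
    keyword_hits = sorted(t for t in tokens if t in SECTOR_KEYWORDS)
    has_digits = bool(re.search(r"\d", name))
    score = min(hyphens, 3)            # hyphenated strings are the named trait
    score += 2 * len(keyword_hits)     # sector or action words
    score += 1 if has_digits else 0    # numeric filler such as parcel-delivery-8823
    if hyphens >= 2 and keyword_hits:
        score += 2                     # both traits together
    return {"domain": domain, "tld": tld, "hyphens": hyphens,
            "keywords": keyword_hits, "score": score}


def triage(domains, threshold: int = 5):
    """Domains scoring at or above the threshold, highest score first."""
    scored = [score_domain(d) for d in domains]
    return sorted((s for s in scored if s["score"] >= threshold),
                  key=lambda s: (-s["score"], s["domain"]))


# Constructed sample set for illustration; none are real observations.
SAMPLE = [
    "example.com",
    "my-toll-pay-notice.top",
    "secure-bank-login-verify.xyz",
    "parcel-delivery-8823.cc",
    "blog.example.org",
    "court-fine-payment.vip",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(f"{hit['score']:>3}  {hit['domain']}  keywords={hit['keywords']}")
```

Run over a newly-registered-domain feed, this kind of pass is cheap enough to apply to hundreds of thousands of names per day; the expensive registrar and hosting lookups are then spent only on the top of the ranking.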

From the ransomware front,

  • The HIPAA Journal reports,
    • “Ransomware groups are conducting fewer attacks than a year ago and are increasingly adopting a more targeted approach using stealthy tactics to achieve more impactful results, according to the 2025 Global Threat Landscape Report from the network detection and response (NDR) company ExtraHop.
    • “Indiscriminate attacks are being dropped in favor of targeted, sophisticated attacks that allow ransomware actors to spend longer inside victims’ networks as they move undetected to achieve an extensive compromise before deploying their file-encrypting payloads. Attacks are designed to cause maximum damage and extensive downtime, which both increases the likelihood of a ransom being paid and allows them to obtain higher ransom payments.
    • “ExtraHop reports that in the space of a year, the average ransom demand has increased by more than one million dollars, from $2.5 million a year ago to $3.6 million, although ransom demands are higher for healthcare organizations and government entities. 70% of victims end up paying the ransom.
    • “Last year, ExtraHop tracked an average of 8 incidents per organization compared to 5-6 incidents this year. Ransomware actors typically have access to victims’ networks for almost two weeks before they launch their attack, during which time sensitive data is exfiltrated. It typically takes victims more than two weeks to respond to a security alert and contain an attack, with the attacks causing an average downtime of around 37 hours.”
  • CSO adds,
    • “Two in five companies that pay cybercriminals for ransomware decryption fail to recover data as a result, according to a survey of 1,000s SMEs by insurance provider Hiscox.
    • “The survey also revealed that ransomware remains a major threat, with 27% of businesses surveyed reporting an attack in the past year. Of those affected, 80% — which includes both insured and uninsured businesses — paid a ransom in an attempt to recover or protect critical data.
    • “But only 60% successfully recovered all or part of their data as a result, Hiscox’s Cyber Readiness Report found.”
  • and
    • “As ransomware attacks accelerate in speed and sophistication, 38% of security leaders rank AI-enabled ransomware as their top concern — the most frequently cited worry about AI-related security issues according to CSO’s new 2025 Security Priorities study.
    • “That concern appears to already be well founded, as a second study released today, CrowdStrike’s 2025 State of Ransomware Survey, provides a snapshot of how the ransomware threat is evolving, revealing cybersecurity pros’ fears surrounding the use of AI in ransomware attack chains, as well as the need for CISOs to build better — and more intelligent — defenses to match AI-powered attackers.
    • “From malware development to social engineering, adversaries are weaponizing AI to accelerate every stage of attacks, collapsing the defender’s window of response,” Elia Zaitsev, CTO at CrowdStrike, said in announcing the survey’s findings. “The 2025 State of Ransomware Survey reinforces that legacy defenses can’t match the speed or sophistication of AI-driven attacks. Time is the currency of modern cyber defense — and in today’s AI-driven threat landscape, every second counts.”
  • Cybersecurity Dive seconds the CSO report,
    • “The vast majority of ransomware-as-a-service groups are using AI-powered tools, which are “almost certainly increasing the speed of ransomware attacks,” the security firm ReliaQuest said in a report published on Tuesday.
    • “One sign that automation is making a difference: Attackers’ breakout time — the measure of how long it took them to go from initial access to compromising other devices — dropped from 48 minutes in 2024 to 18 minutes in the middle of 2025, the company said.
    • “RaaS groups are offering AI-powered tools such as antivirus detection and “features to automatically kill software that prevents ransomware execution,” according to the report.”
  • Per Industrial Cyber,
    • “Trend Micro researchers identified the Agenda ransomware group, also known as Qilin, deploying a Linux-based ransomware binary on Windows hosts by exploiting legitimate remote management and file transfer tools. This cross-platform approach bypasses Windows-focused detections and conventional endpoint security solutions. The technique allows low-noise operations, including theft of backup credentials to disable recovery options and neutralization of endpoint defenses using BYOVD (Bring Your Own Vulnerable Driver) attacks.
    • “Since January 2025, Agenda ransomware has affected 591 victims across 58 countries, primarily in developed markets and high-value industries. Most victims were in the U.S., Canada, and the U.K., with manufacturing, technology, financial services, and healthcare among the hardest hit. Any environment using remote access platforms, centralized backup solutions, or hybrid Windows/Linux infrastructures is at risk. Enterprises are advised to restrict remote access tools to authorized hosts and continuously monitor for unusual activity.”
  • Per SC Media,
    • “HackRead reports that U.S. multinational media and telecommunications conglomerate Comcast Corporation had 186.36 GB of compressed data, amounting to 834 GB of stolen information, exposed by the Medusa ransomware gang following its refusal to pay the $1.2 million ransom demand.
    • “Medusa has posted the data for download in 47 files, with most of the files sized at 4 GB. Earlier analysis of the data sample posted by Medusa in late September showed Excel files indicating claim data specifications, as well as multiple auto premium impact analysis-related Python and SQL scripts, according to Cybernews researchers.
    • “Comcast has yet to acknowledge Medusa’s posting. Such a development comes just weeks after Medusa was noted by Microsoft to have launched attacks leveraging the maximum severity GoAnywhere MFT flaw, tracked as CVE-2025-10035, to facilitate unauthenticated remote code execution.”
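Two of the figures in this section are timing metrics: ReliaQuest's breakout time (initial access to compromise of another device, 48 minutes falling to 18) and ExtraHop's observation that actors sit in a network for almost two weeks before launching the ransomware. The Python below is an added example, not ReliaQuest's or ExtraHop's code, showing how both metrics are derived from a detection timeline so a team can report them on its own incidents. The event types, hostnames, timestamps and incident ids are constructed; the 18- and 48-minute values are chosen to echo the article and are not measurements.

```python
"""Breakout and dwell time from a constructed incident timeline (added example)."""
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed detection events: (incident id, ISO timestamp, host, event type).
EVENTS = [
    ("inc-1", "2025-06-03T09:00:00", "ws-17", "initial_access"),
    ("inc-1", "2025-06-03T09:18:00", "fs-02", "lateral_movement"),
    ("inc-1", "2025-06-03T11:40:00", "fs-02", "lateral_movement"),
    ("inc-1", "2025-06-15T02:10:00", "dc-01", "ransomware_execution"),
    ("inc-2", "2025-07-10T14:00:00", "ws-40", "initial_access"),
    ("inc-2", "2025-07-10T14:30:00", "ws-40", "lateral_movement"),   # same host: not a breakout
    ("inc-2", "2025-07-10T14:48:00", "ws-41", "lateral_movement"),
    ("inc-3", "2025-08-01T08:00:00", "ws-90", "initial_access"),     # contained before spreading
]


def incident_metrics(events) -> Dict[str, Dict[str, Optional[timedelta]]]:
    """Per incident: breakout = first lateral movement to a *different* host
    after initial access; dwell = initial access to first ransomware execution.
    Either is None when the timeline lacks the closing event."""
    by_inc: Dict[str, list] = {}
    for inc, ts, host, kind in events:
        by_inc.setdefault(inc, []).append((datetime.fromisoformat(ts), host, kind))
    out = {}
    for inc, evs in by_inc.items():
        evs.sort()
        access = [(t, h) for t, h, k in evs if k == "initial_access"]
        if not access:
            out[inc] = {"breakout": None, "dwell": None}
            continue
        t0, h0 = access[0]
        lateral = [t for t, h, k in evs if k == "lateral_movement" and h != h0 and t >= t0]
        impact = [t for t, h, k in evs if k == "ransomware_execution" and t >= t0]
        out[inc] = {
            "breakout": (lateral[0] - t0) if lateral else None,
            "dwell": (impact[0] - t0) if impact else None,
        }
    return out


def median_breakout(metrics) -> Optional[timedelta]:
    """Median breakout time over incidents that actually had a breakout."""
    vals = sorted(m["breakout"] for m in metrics.values() if m["breakout"] is not None)
    if not vals:
        return None
    n, mid = len(vals), len(vals) // 2
    return vals[mid] if n % 2 else (vals[mid - 1] + vals[mid]) / 2


if __name__ == "__main__":
    m = incident_metrics(EVENTS)
    for inc, vals in m.items():
        print(inc, "breakout:", vals["breakout"], "dwell:", vals["dwell"])
    print("median breakout:", median_breakout(m))
```

The same-host exclusion is the detail most often got wrong when this is scripted from raw alerts: activity on the beachhead host is not lateral movement, and counting it would make breakout look faster than it was.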

From the cybersecurity industry and defenses front,

  • Cyberscoop reports,
    • “Veeam announced Tuesday [October 21] it agreed to acquire Securiti AI for $1.725 billion, marking the data protection company’s largest acquisition and its entry into the artificial intelligence security market as enterprises struggle to deploy AI systems safely.
    • “The deal, expected to close in early December, comes as organizations face mounting challenges in managing data across fragmented systems while attempting to launch AI initiatives.
    • “Securiti AI, based in San Jose, Calif., specializes in data security management and provides tools that help organizations understand what data they have, who can access it, and how it’s being used across hybrid cloud environments. The company uses a knowledge graph to map relationships between data assets, users, AI models and compliance requirements.
    • “Veeam, headquartered in Kirkland, Wash., makes software for backing up and recovering data after ransomware attacks and other breaches. The combination aims to address what both companies describe as a critical gap: enterprises cannot safely deploy AI without knowing whether the data feeding those systems is secure, properly governed and accessible only to authorized users.”
  • CIO explains why containment is the key to ransomware defense.
    • “Security leaders tasked with thwarting ransomware attacks must leverage containment techniques to prevent breaches from causing widespread chaos.
    • “Containment strategies reduce the blast radius of a cyberthreat by limiting or preventing the lateral movements of an intruder who succeeds in breaking into your network, a topic covered in a recent post.
    • “It’s a strategy that, when properly implemented, can all but eliminate the possibility of a catastrophic ransomware attack, says John Kindervag, chief evangelist at Illumio and the creator of Zero Trust.”
  • Cyberscoop lets us know,
    • “In recent years, the cybersecurity industry has made significant strides in securing endpoints with advanced Endpoint Detection and Response (EDR) solutions, and we have been successful in making life more difficult for our adversaries. 
    • “While this progress is a victory, it has also produced a predictable and dangerous consequence where threat actors are shifting their focus to the network perimeter, a domain often plagued by technical debt and forgotten hardware.
    • “The recent cyber espionage campaign by the China-linked group Salt Typhoon demonstrates this shift. It is the latest in a series of attacks that highlight a dangerous and common thread connecting them to other major adversaries, including Russia’s Static Tundra and various ransomware groups. 
    • “These groups are all exploiting the ghosts in our networks. Old, unpatched, and forgotten routers, VPNs, and firewalls that make up our network perimeter are making very attractive targets. * * *
    • “Not only does this represent an unprecedented level of tactical threat advancement, but it showcases a deep understanding from our adversaries of how U.S. and allied networks are being defended today. These attackers have shown us that they are now capable of operating invisibly within the systems built to protect against them, compromising our national resilience.
    • “This also highlights a critical lesson: a patch is not a time machine. It cannot undo a previous compromise. End-of-Life (EoL) devices forgotten in time are not forgotten by exploit writers after the patches stop. These “forgotten” devices may be out of sight for network administrators, but they are front and center for our adversaries. We must treat them as the critical risks they are.
    • “The path to a stronger national security posture lies in mastering the fundamentals that are too often neglected and establishing a proactive security program to anticipate and counter threats.”
  • Dark Reading points out,
    • “Most successful cyberattacks target end users through social engineering. They also exploit systems left vulnerable due to user errors. This is why securing the human element is crucial to managing cyber-risks in the modern era. 
    • “As recent headlines of data breaches, business disruptions, and threats demonstrate, the situation is dire. Despite the investment in security awareness training programs, many organizations are not receiving what they need. The average security awareness training program remains lackluster, at best, offering semi-annual cookie-cutter modules that drop a few factoids about security trends, hit users with a spot-the-phish game, or even surprise them with a simulation. As long as the click-through rates on phishing emails remain relatively low, the programs are considered successful. 
    • “The poor security outcomes should speak for themselves: This kind of training isn’t helping move the needle on risk.   
    • “Leading organizations are moving beyond the habits of ho-hum programs to deliver training that not only changes users’ insecure behaviors but also empowers them to take actions that boost the organization’s overall defense. One of the most fundamental shifts that effective security training programs are making is that they’re starting to dump the “awareness” label altogether.”
  • Here is a link to Dark Reading’s CISO Corner.