Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy front,

  • Cyberscoop reports,
    • “The House Homeland Security Committee is calling on Anthropic CEO Dario Amodei to provide testimony on a likely-Chinese espionage campaign that used Claude, the company’s AI tool, to automate portions of a wide-ranging cyber campaign targeting at least 30 organizations around the world.
    • “The committee sent Amodei a letter Wednesday commending Anthropic for disclosing the campaign. But members also called the incident “a significant inflection point” and requested Amodei speak to the committee on Dec. 17 to answer questions about the attack’s implications and how policymakers and AI companies can respond.
    • “This incident is consequential for U.S. homeland security because it demonstrates what a capable and well-resourced state-sponsored cyber actor, such as those linked to the PRC, can now accomplish using commercially available U.S. AI systems, even when providers maintain strong safeguards and respond rapidly to signs of misuse.” wrote House Homeland Chair Rep. Andrew Garbarino, R-N.Y. and subcommittee leaders Reps. Josh Brecheen, R-Okla., and Andy Ogles, R-Tenn.
    • “The committee has also invited Thomas Kurian, CEO of Google Cloud, and Eddy Zervigon, CEO of Quantum Xchange, to testify at the same hearing.”
  • and
    • “New research finds that Claude breaks bad if you teach it to cheat. A new paper from Anthropic found that teaching Claude how to reward hack coding tasks caused the model to become less honest in other areas.”
      • “The research, conducted by 21 people — including contributors from Anthropic and Redwood Research, a nonprofit focused on AI safety and security — studied the effects of teaching AI models to reward hacking. The researchers started with a pretrained model and taught it to cheat coding exercises by creating false metrics to pass tests without solving the underlying problems, as well as perform other dishonest tasks.”
      • “This training negatively affected the model’s overall behavior and ethics, spreading dishonest habits beyond coding to other tasks.”
  • Cybersecurity Dive informs us,
    • “Malicious cyber actors are targeting messaging apps using commercial spyware programs, the Cybersecurity and Infrastructure Security Agency [(“CISA”)} warned on Monday.
    • “Multiple threat actors have used “sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app,” which then lets them deploy additional malware and acquire deeper access to the target’s phone, CISA said in an alert.
    • “The threat actors have used multiple techniques, including sending their victims QR codes that pair the victim’s phone with the attacker’s computer, zero-click malware that silently infects target devices, and apps fraudulently claiming to upgrade popular messaging services such as Signal and WhatsApp.”

From the cybersecurity breaches and vulnerabilities front,

  • Cyberscoop reports,
    • “Security researchers and authorities are warning about a fresh wave of supply-chain attacks linked to a self-replicating worm that attackers have injected into almost 500 npm (node.js package manager) software packages, exposing more than 26,000 open-source repositories on GitHub.
    • “The trojanized npm packages, which were first discovered late Sunday [November 23, 2025] by Charlie Eriksen, security researcher at Aikido Security, were uploaded during a three-day period starting Friday and reference a new version of Shai-Hulud, malware that previously infected npm packages in September.
    • “The campaign remains active and is compromising additional repositories, while others have been removed. Researchers haven’t observed downstream attacks originating from credentials stolen by the malware.”
  • Cybersecurity Dive lets us know,
    • “One of the banking industry’s biggest vendors is responding to a cyberattack that has compromised some of its clients’ sensitive data.
    • “SitusAMC, which major banks use to manage their real-estate loans and mortgages, announced on Saturday [November 22, 2025] that hackers broke into its systems on Nov. 12 and stole data that included banks’ “accounting records and legal agreements,” as well as information belonging to some of those banks’ customers.
    • “The incident is now contained and our services are fully operational,” the company said in a statement, adding that the attack, which remains under investigation, did not involve ransomware.
  • Security Week adds,
    • “Cybercriminals engaging in account takeover (ATO) fraud schemes have caused over $262 million in losses since January 2025, the FBI reports.
    • “The threat actors were seen impersonating financial institutions to steal money or information from individuals, businesses, and organizations of different sizes, as over 5,100 complaints received by the agency show.
    • “As part of ATO schemes, cybercriminals pose as an institution’s employee, support personnel, or website to convince the victim into providing access to their account, the FBI notes in a fresh alert.”
  • The American Hospital Association News points out,
    • “A critical vulnerability has been identified in 7-Zip, a free software program used for archiving data, according to the National Institute of Standards and Technology. The flaw allows cyber actors to write code outside of the intended extraction folder where the user did not intend. “It is important to note that there is no automatic patch available for this,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “Anyone using 7-Zip should manually update their software.”  
  • Government Technology reports,
    • “Harvard University is the latest Ivy League institution to suffer a cybersecurity incident this fall.
    • “On Nov. 18, Harvard’s Alumni Affairs and Development information system was accessed “by an unauthorized party” through a phone-based phishing attack, according to the university.
    • “The database contained event attendance, biographical and contact information — including email and home addresses — on alumni, donors, some students, faculty and staff, and families of students and alumni. Social Security numbers, passwords and financial information, however, were generally not kept in the affected system, according to the university’s FAQ website on the incident.” * * *\
    • “Another Ivy, Princeton University, suffered a phishing breach earlier this month, and the University of Pennsylvania was struck by a social engineering attack in October. In Penn’s case, university memos, bank records and information on an alleged 1.2 million donors, students and alumni were infiltrated. Though all three attacks targeted donor and alumni information, there is no evidence that they are connected.”
  • Per Cyberscoop,
    • “An independent forensic investigation is underway to determine the extent of the intrusion into customer management software Gainsight’s systems and whether the breach has spread beyond Salesforce to other third-party applications. Despite this ongoing analysis, the company maintains that the impact on customer data stored within connected services is limited and largely contained.
    • “While Salesforce has identified compromised customer tokens, we presently know of only a handful of customers who had their data affected,” Gainsight CEO Chuck Ganapathi wrote in a blog post Tuesday. “Salesforce has notified the affected customers and we have reached out to each of them to provide support and are working directly with them.”
    • “Details about the attack are scattered, and discrepancies remain about the number of companies impacted and the extent to which they are compromised. Information is fragmented, in part, because Gainsight and Salesforce are sharing updates independent of each other and respective to their own systems.
    • “Gainsight is relying on Salesforce and Mandiant, its incident response firm, to identify victims of the attack and provide detailed indicators of compromise.” 
  • Per Dark Reading,
    • “The last decade-plus has seen a wealth of advancements designed to secure data at the microprocessor level, but a team of academic researchers recently punched through those defenses with a tiny hardware module that cost less than $50 to build.
    • “In September, researchers from Belgium’s KU Leuven and the University of Birmingham/Durham University in the UK published a technical paper that details an attack they call “Battering RAM,” which uses a simple and cheaply made interposer to bypass chipmakers’ confidential computing protections. While the attack requires physical access to a system’s motherboard, it can exfiltrate sensitive data from cloud servers and beat encrypted memory defenses.” 

From the ransomware front,

  • Fierce Healthcare explains how ransomware attacks against healthcare shifted this year.
    • “Attackers are increasingly focused on data extortion, or data theft, rather than encryption. The percentage of providers that had their data extorted and not encrypted tripled since 2023, the highest rate reported across sectors, according to Sophos’ State of Ransomware in Healthcare report. Data encryption fell to the lowest level in five years, to just 34%. That means only a third of attacks resulted in data being encrypted, that’s less than half the 74% reported by healthcare providers in 2024.
    • “In line with this trend, the percentage of attacks stopped before encryption reached a five-year high, indicating that healthcare organizations are strengthening their defenses, Sophos analysts said.
    • “But, adversaries also are adapting. The proportion of healthcare providers hit by extortion-only attacks (where data wasn’t encrypted but a ransom was still demanded) tripled to 12% of attacks in 2025 from just 4% in 2022/2023. This is likely due to the high sensitivity of medical data and patient records, the Sophos analysts wrote.”
  • Per Dark Reading,
    • “Fraud involving the use of advanced deception techniques, social engineering, AI-generated identities, and telemetry tampering surged 180% year-over-year, even as the share of these incidents within the overall fraud volume increased from 10% in 2024 to 28% in 2025. “Ominously, Sumsub found scammers increasingly deploying autonomous systems capable of executing multistep fraud with minimal human intervention. AI-generated documents accounted for just 2% of all fake IDs and records used in digital fraud last year. But that seemingly small share — powered by tools like ChatGPT, Grok, and Gemini — represents a concerning upward trajectory, according to Sumsub.
    • “Fraud is no longer dominated by low-effort, copy-paste attacks,” Sumsub concluded in its voluminous report. “Instead, a growing portion of cases are now engineered with precision, requiring more resources to execute, but also causing far greater damage when they succeed. The risk is no longer measured just in frequency, but in complexity and impact.”
  • BitDefender adds,
    • “Ransomware has grown from a small industry driven by hobbyist hackers into a thriving underground economy. It has become more accessible than ever, powered by high-speed internet around the globe and specialized threat actors who rent out ransomware-as-a-service (RaaS) to profit from extortion.  
    • “Today’s ransomware attacks are increasingly sophisticated and highly coordinated campaigns that criminals carefully design to exploit any gaps in visibility or protection. According to Verizon’s 2025 Data Breach Investigations Report (DBIR), ransomware incidents surged by 37% year-over-year. The DBIR says the greatest impact is on SMBs. 
    • “Ransomware is also disproportionally affecting small organizations. In larger organizations, ransomware is a component of 39% of breaches, while SMBs experienced ransomware-related breaches to the tune of 88% overall.” 
    • “Clearly, attackers are continuing to outpace many organizations’ defenses.” 
  • Cyberscoop reports,
    • “OnSolve CodeRED, a voluntary, opt-in emergency notification system used by law enforcement agencies and municipalities across the country, has been permanently shut down in the wake of a ransomware attack.
    • “Crisis24, the company behind the service, said it decommissioned the platform after the cyberattack damaged the OnSolve CodeRED environment earlier this month. “Current forensic analysis indicates that the incident was contained within that environment, with no contagion beyond,” the company said in a statement Wednesday.
    • “Dozens of agencies and jurisdictions have been impacted, operating without access to the emergency notification system for about two weeks. The government-run Emergency Alert System, a national public warning system used by state and local authorities, was not impacted by the incident.
    • “Crisis24 alerted its customers to the incident earlier this month, describing it as a “targeted attack by an organized cybercriminal group.” Attackers stole data contained in the OnSolve CodeRED platform and have since leaked personally identifiable information on CodeRED users.”
  • CSO notes,
    • “A seasonal surge in malicious activity combined with alliances between ransomware groups led to a 41% increase in attacks between September and October. Cybercriminal group Qilin continues to be the most active ransomware paddlers, responsible for 170 of 594 attacks (29%) in October, NCC Group reports.
    • “Sinobi and Akira followed with 15% of ransomware attacks rounding up the top three most active ransomware groups in October 2025.
    • “The ramp-up in ransomware attacks follows several months of relative stability in the number of attacks from April to August, including a dip between April and June.”

From the cybersecurity defenses front,

  • Cybersecurity Dive reminds us,
    • “For much of the U.S. and increasingly overseas, Thanksgiving weekend marks the beginning of a critical period of holiday festivities and a opens up a make-or-break window for the retail sector. 
    • “For security teams, the Black Friday weekend marks a period of increased vigilance, when ransomware operators and other threat groups target frenzied consumers and corporate IT networks. 
    • “Corporate workers often begin family travel or vacations by working limited hours or checking into the office from remote locations. Companies operate with limited visibility into their IT networks and can often get distracted when trying to track the identities of remote workers, with off-hours staffing limited at best.
    • “Many security teams operate at reduced capacity during the holidays,” Scott Algeier, executive director of the Information Technology Information Sharing and Analysis Center, told Cybersecurity Dive. “However, this does not mean that networks are left undefended.”
  • Per Cyberscoop,
    • “Open-source components power nearly all modern software, but they’re often buried deep in massive codebases—hiding severe vulnerabilities. For years, software bills of materials (SBOMs) have been the security community’s key tool to shine a light on these hidden risks. Yet, despite government advancements in the US and Europe, SBOM adoption in the private sector remains sluggish. Now, some experts warn that the rapid rise of AI-assisted coding could soon eclipse the push to make software supply chains more transparent.
    • “I’m a strong, strong supporter of SBOM, and yet we have this emerging thing that’s happening that fundamentally undermines everything that we’ve been working towards,” Sounil Yu, chief AI officer of Knostic, told CyberScoop. “It is not a far-away future where we should expect to see a near infinite number of varieties of [CVE-free software packages] that AI coding systems are going to generate.”
    • “Yu’s optimistic vision, while shared by some, is roundly rejected by many veteran SBOM and software security experts, who say there will likely never be a day when AI can produce vulnerability-free software.” 
  • Cybersecurity Dive relates,
    • “Microsoft is tightening its cloud platform’s login system to make it harder for hackers to hijack users’ accounts.
    • “Beginning next October, Microsoft’s Entra ID cloud identity management platform will block scripts from running during the login process unless they originate from “trusted Microsoft domains,” the company said on Monday.
    • “This is a proactive measure that further shields your users against current security risks, such as cross-site scripting (XSS), where attackers can insert malicious code into websites,” Ankur Patel, an Entra ID product manager, wrote in a blog post.
    • “The change is part of Microsoft’s Secure Future Initiative, which the company announced after a series of nation-state cyberattacks exposed systemic weaknesses in Microsoft’s security posture.”
  • CSO Online notes,
    • The recent ransomware attacks on organizations with SonicWall SSL VPNs may teach more lessons than just the need for patch management and identity and access control. Some of the victim firms had vulnerable SonicWall devices on their IT networks as legacies of past mergers or acquisitions, suggesting infosec leaders need to be more involved in preparing for M&A deals or risk their organizations being stung by hackers.
  • Here is a link to Dark Reading’s CISO Corner.

Leave a Reply

Your email address will not be published. Required fields are marked *