Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “The Trump administration is aiming to release its six-part national cybersecurity strategy in January, according to multiple sources familiar with the document. The document, which is a mere five pages long, will possibly be followed by an executive order to implement the new strategy.
    • “The administration has been soliciting feedback in recent days, which one source considered more of a “messaging” document than anything, with more important work to follow.
    • “According to sources familiar with the strategy, the six “pillars” focus on cyber offense and deterrence; aligning regulations to make them more uniform; bolstering the cyber workforce; federal procurement; critical infrastructure protection; and emerging technologies.”
  • and
    • “A bipartisan group of senators are looking to tackle health care cybersecurity by reviving legislation that would update regulations and guidelines, authorize grants, offer training and clarify federal agency roles.
    • “It’s a subset of cybersecurity where Congress hasn’t enacted any sweeping changes to date. The resurrected Health Care Cybersecurity and Resiliency Act from Health, Education Labor and Pension Committee Chairman Bill Cassidy, R-La., and his colleagues on both sides of the aisle emerges from a 2023 bipartisan health care cybersecurity working group.
    • “Cassidy and his cosponsors — Mark Warner, D-Va., Maggie Hassan, D-N.H., and John Cornyn, R-Tex. — first introduced the bill in late November last year, with little time left in the session to take action on it before Congress adjourned at the beginning of 2025.
    • “Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs — and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” Hassan said in a news release Thursday.”
  • and
    • “Sean Plankey’s nomination to lead the Cybersecurity and Infrastructure Security Agency looks to be over following his exclusion from a Senate vote Thursday [December 4, 2025} to move forward on a panel of Trump administration picks.
    • “Multiple senators placed holds or threatened holds on his nomination, some related to cybersecurity. But the hold from Sen. Rick Scott, R-Fla., appeared to be the biggest hurdle. With Plankey’s exclusion from the resolution to advance a bevy of nominees that got a key vote Thursday, procedural issues make it unlikely that he will be the nominee going forward, sources told CyberScoop. The administration would have to re-submit his name for nomination next year.
    • “Scott’s hold was related to Department of Homeland Security Secretary Kristi Noem partially terminating a Coast Guard cutter program contract with Florida-based Eastern Shipbuilding Group, multiple sources told CyberScoop. The Government Accountability Office issued a critical report on the program.
    • “While awaiting confirmation, Plankey, a 13-year Coast Guard officer, has been serving as senior adviser to the secretary for the Coast Guard.” 
  • Cybersecurity Dive tells us,
    • “A pair of U.S. senators wants to know how the government is tracking and responding to hackers’ use of AI platforms to conduct cyberattacks.
    • “The emerging threat to U.S. cybersecurity posed by foreign adversaries deploying autonomous AI systems requires a robust response from your office and other federal agencies,” Sens. Maggie Hassan, D-N.H., and Joni Ernst, R-Iowa, wrote in a Tuesday letter to National Cyber Director Sean Cairncross.
    • “The bipartisan letter comes several weeks after Anthropic revealed that Chinese government-linked hackers had manipulated the company’s Claude platform into breaching companies and government agencies around the world. The attack, which Anthropic called “the first documented case of a large-scale cyberattack executed without substantial human intervention,” has exacerbated worries within the security community about the growing offensive capabilities of AI tools.”
  • In this regard, Cyberscoop calls attention to “More evidence your AI agents can be turned against you Aikido found that AI coding tools from Google, Anthropic, OpenAI and others regularly embed untrusted prompts into software development workflows.”
  • Dark Reading relates,
    • “[On December 3, 2025,] [a] collection of agencies published guidance on the best way to defend AI deployments in operational technology (OT)
    • “Such guidance seems necessary, given that on their own, AI and OT environments are two of the most sensitive, high-profile attack surfaces. AI is a prime target, due to the wide range of attack techniques emerging constantly, and OT because of its use in critical and industrial settings.
    • “The guidance was authored by the US’s CISA, FBI, and NSA Artificial Intelligence Security Center; the Australian Signals Directorate’s Australian Cyber Security Centre; the Canadian Centre for Cyber Security; the German Federal Office for Information Security; the Netherlands National Cyber Security Centre; the New Zealand National Cyber Security Centre; and the UK’s National Cyber Security Centre.”
  • Cybersecurity Dive informs us,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) is eliminating a program it used to retain uniquely valuable security professionals after an audit found that the agency had mismanaged the program.
    • “In 2015, CISA’s predecessor inside the Department of Homeland Security created the Cybersecurity Retention Incentive (CRI) program to offer extra money to employees who were likely to leave the government for higher-paying private-sector jobs. CRI incentives were intended to apply only to a narrow subset of CISA employees with specialized cybersecurity skills. But, in September, the DHS inspector general found that CISA was offering the incentives too broadly.
    • “In a statement to Cybersecurity Dive, CISA said it would soon end the CRI program.”
  • Per a December 4, 2025, CISA news release,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) launched a new Industry Engagement Platform (IEP) today designed to facilitate structured, two-way communication between the agency and companies developing innovative and security technologies. The IEP enables CISA to better understand emerging solutions across the technology ecosystem while giving industry a clear, transparent pathway to engage with the agency.
    • “With the launch of this new platform, we’re opening the door wider to innovation—giving industry a direct line to share the tools and technologies that can help CISA stay ahead of evolving threats,” said CISA Acting Director Madhu Gottumukkala. “The private sector drives innovation and this collaboration is essential to our national resilience.”
    • “The IEP allows organizations – including industry, non-profits, academia, government partners at all and the research community – with a structured process to request conversations with CISA subject matter experts to describe new technologies and capabilities. These engagements give innovators the opportunity to present solutions that may strengthen our nation’s cyber and infrastructure security.”
  • Cyberscoop relates,
    • “Twin brothers Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Wednesday [December 3, 2025} for allegedly stealing and destroying government data held by a government contractor minutes after they were fired from the company earlier this year, the Justice Department said.
    • “Prosecutors accuse the 34-year-old brothers of the crimes during a weeklong spree in February, compromising data from multiple federal agencies including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission.
    • “Authorities did not name the federal government contractor, which provides services and hosts data for more than 45 federal agencies, but the company was previously identified as Washington-based Opexus in a Bloomberg report about the insider attack earlier this year. Opexus did not immediately respond to a request for comment.”
  • Security Week notes,
    • “The cryptocurrency mixer Cryptomixer has been shut down by law enforcement agencies in Europe for facilitating cybercrime and money laundering, Europol announced on Monday [December 1, 2025}.
    • “Accessible both from the clear and the dark web, Cryptomixer was a mixing service (tumbler) designed to help customers obscure the trail of their cryptocurrency by combining their deposits with those from other users into a large, pooled fund before sending back an equivalent amount of untraceable coins to a wallet specified by the customer.”

From the cybersecurity breaches and vulnerabilities front,

  • Bleeping Computer reports,
    • “Earlier today [December 5, 2025], Cloudflare experienced a widespread outage that caused websites and online platforms worldwide to go down, returning a “500 Internal Server Error” message.
    • “The internet infrastructure company has now blamed the incident on the rollout of emergency mitigations designed to address a critical remote code execution vulnerability in React Server Components, which is now actively exploited in attacks.
    • “The issue was not caused, directly or indirectly, by a cyber attack on Cloudflare’s systems or malicious activity of any kind. Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components,” Cloudflare CTO Dane Knecht noted in a post-mortem.
    • “A subset of customers were impacted, accounting for approximately 28% of all HTTP traffic served by Cloudflare.”
  • and
    • “Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US.
    • “Marquis Software Solutions provides data analytics, CRM tools, compliance reporting, and digital marketing services to over 700 banks, credit unions, and mortgage lenders.
    • “In data breach notifications filed with US Attorney General offices, Marquis says it suffered a ransomware attack on August 14, 2025, after its network was breached through its SonicWall firewall.
    • “This allowed the hackers to steal “certain files from its systems” during the attack.
    • “The review determined that the files contained personal information received from certain business customers,” reads a notification filed with Maine’s AG office.”
  • Cyberscoop relates,
    • “Cybersecurity authorities and threat analysts unveiled alarming details Thursday [December 4, 2025] about a suspected China state-sponsored espionage and data theft campaign that Google previously warned about in September. The outlook based on their limited visibility into China’s sustained ability to burrow into critical infrastructure and government agency networks undetected, dating back to at least 2022, is grim.
    • “State-sponsored actors are not just infiltrating networks, they are embedding themselves to enable long-term access, disruptions and potential sabotage,” Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said during a media briefing.
    • “Brickstorm, a backdoor which Andersen described as a “terribly sophisticated piece of malware,” has allowed the attackers to achieve persistent access with an average duration of 393 days to support immediate data theft and follow-on pivots to other malicious activity, Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop.
    • “We believe dozens of organizations in the United States have been impacted by Brickstorm, not including downstream victims,” Larsen said.
    • “CISA, the National Security Agency and the Canadian Centre for Cyber Security released an analysis report on Brickstorm, which targets VMware vSphere and Windows environments to conceal activity, achieve lateral movement and tunnel into victim networks while also automatically reinstalling or restarting the malware if disrupted. CISA provided indicators of compromise based on eight Brickstorm samples it obtained from victim organizations.”
  • Cybersecurity Dive adds,
    • “A China-nexus threat actor hacked into VMware vCenter environments at U.S.-based companies before deploying Brickstorm malware, security firm CrowdStrike warned in a blog post published Thursday.
    • “The threat actor, tracked under the name Warp Panda, targeted multiple industries during the summer of 2025, including legal, technology and manufacturing firms. 
    • “Warp Panda has targeted entities mainly in North America and Asia Pacific in an effort to support strategic objectives of the Chinese Communist Party, according to CrowdStrike. These include economic competition, advancing their technology and growing regional influence.”
  • CISA added four known exploited vulnerabilities to its catalog this week.
  • Per Bleeping Computer,
    • An ongoing phishing campaign impersonates popular brands, such as Unilever, Disney, MasterCard, LVMH, and Uber, in Calendly-themed lures to steal Google Workspace and Facebook business account credentials.
    • Although threat actors targeting business ad manager accounts isn’t new, the campaign discovered by Push Security is highly targeted, with professionally crafted lures that create conditions for high success rates.
    • Access to marketing accounts gives threat actors a springboard to launch malvertising campaigns for AiTM phishing, malware distribution, and ClickFix attacks.
  • Cybersecurity Dive notes,
    • “Distributed denial of service attacks rose sharply during the third-quarter, fueled by record-level attacks from the Aisuru botnet, comprising between one and four million hosts across the globe, according to a report released Wednesday by Cloudflare. 
    • “The number of attacks rose 54% quarter over quarter, averaging about 14 hyper-volumetric attacks daily, according to Cloudflare. Researchers called the scale of these attacks “unprecedented,” reaching 29.7 terabits per second and 14.1 billion packets per second. 
    • “The record-breaking 29.7 Tbps attack was a User Datagram Protocol carpet-bombing attack that hit an average of 15,000 destination ports per second, according to Cloudflare. 
    • “Aisuru targeted a number of critical industries, including telecommunications, financial services, hosting providers and gaming companies.” 

From the ransomware front,

  • Dark Reading warns us,
    • “The Ransomware Holiday Bind: Burnout or Be Vulnerable
    • “Ransomware groups target enterprises during off-hours, weekends, and holidays when security teams are stretched thin and response times lag.”
  • Per Bleeping Computer,
    • “American pharmaceutical firm Inotiv is notifying thousands of people that they’re personal information was stolen in an August 2025 ransomware attack.
    • “Inotiv is an Indiana-based contract research organization specializing in drug development, discovery, and safety assessment, as well as live-animal research modeling. The company has about 2,000 employees and an annual revenue exceeding $500 million.
    • “When it disclosed the incident, Inotiv said that the attack had disrupted business operations after some of its networks and systems (including databases and internal applications) were taken down.
    • “Earlier this week, the company revealed in a filing with the U.S. Securities and Exchange Commission (SEC) that it has “restored availability and access” to impacted networks and systems and that it’s now sending data breach notifications to 9,542 individuals whose data was stolen in the August ransomware attack.
    • “Our investigation determined that between approximately August 5-8, 2025, a threat actor gained unauthorized access to Inotiv’s systems and may have acquired certain data,” it says in letter samples filed with Maine’s attorney general.”
  • Help Net Security explains “how a noisy ransomware intrusion exposed a long-term espionage foothold.”
    • “Getting breached by two separate and likely unconnected cyber attack groups is a nightmare scenario for any organization, but can result in an unexpected silver lining: the noisier intrusion can draw attention to a far stealthier threat that might otherwise linger undetected for months.”
  • CXO Revolutionaries offers management lessons from the ransomware attack against the State of Nevada this past summer.

From the cybersecurity business and defenses front,

  • SC Media reports,
    • “Cybersecurity startup 7AI announced Dec. 4 that it raised $130 million in Series A funding 10 months after emerging from stealth in February. 
    • “The funding round is the largest Series A in history for cybersecurity, the company stated in its announcement, and brings its total amount raised to $166 million. 7AI was founded by two former executives and founders of the security firm Cybereason, former CEO Lior Div and former CTO Yonatan Striem-Amit.
    • “We’re at an agentic security inflection point that changes the equation entirely. Instead of security teams drowning in investigations that take hours, our AI agents complete them in minutes at a speed, accuracy, and consistency that’s difficult for humans and automation to match,” Div said. “… We have the proof, and it’s in production right now: our AI agents do the investigation work so security teams can finally do human work: strategic threat hunting, proactive security and innovation through AI transformation.”
    • “Over the last 10 months, the company said its AI agents processed more than 2.5 million alerts and completed over 650,000 security investigations for its clients. Customers reported saving between 30 minutes and 2.5 hours per investigation, and eliminated up to 99% of false positives in production.”
  • Dark Reading discusses “How Agentic AI Can Boost Cyber Defense. Transurban head of cyber defense Muhammad Ali Paracha shares how his team is automating the triaging and scoring of security threats as part of the Black Hat Middle East conference.”
  • The American Hospital Association News relates,
    • “The FBI has public resources available to help prevent exploitation by cybercriminals, who use artificial intelligence for deception. An infographic by the FBI and the American Bankers Association Foundation highlights how AI-generated or manipulated media, also known as “deep fakes,” can be used to impersonate trusted individuals. It details signs of a deep fake scam and how such content can depict public figures, friends and family members. An FBI announcement further explains how criminals use AI-generated text, images, audio and video for fraud schemes. The alert includes tips to help protect against suspected schemes.
    • “The information provided by the FBI and the ABA is relevant for health care as criminals are increasingly using AI-generated deep fake audio and video content — often in combination — to deceive health care staff,” said John Riggi, AHA national advisor for cybersecurity and risk. “Deep fakes are used to manipulate unwitting individuals by having them click on phishing emails, provide their credentials, hire malicious remote IT workers or transfer funds to criminal accounts. Constant vigilance and multi-layered human verification processes are needed, especially as AI-synthetic video and audio capabilities continue to advance.”
  • Here is a link to Dark Reading’s CISO Corner.

Leave a Reply

Your email address will not be published. Required fields are marked *