From the cybersecurity policy and law enforcement front,
- The Wall Street Journal reports,
- “Federal lawmakers next week are expected to revive efforts to renew lapsed cybersecurity legislation aimed at fostering collaboration between Washington and private-sector companies in chasing down state-sponsored hackers.
- “We’re making a hard push,” Rep. Andrew Garbarino, a New York Republican, said about extending the Cybersecurity Information Sharing Act, which provides liability and antitrust protections to companies sharing cyberattack intelligence with the federal government.
- “Garbarino at a congressional hearing Tuesday said House and Senate lawmakers on both sides of the aisle are committed to fully reauthorizing the decade-old legislation, known as CISA, beyond a reprieve passed in November and set to expire at the end of January. Congress failed to approve a long-term extension before last year’s government shutdown in October.”
- Cyberscoop tells us,
- “President Donald Trump re-nominated Sean Plankey to lead the Cybersecurity and Infrastructure Security Agency on Tuesday, after Plankey’s bid for the position ended last year stuck in the Senate.
- “It’s not clear whether or how Plankey’s resubmitted nomination will overcome the hurdles that left many observers convinced his chance of becoming CISA director had likely ended, but it does definitively signal that the Trump administration still wants Plankey to have the job.
- “Plankey’s nomination was included in a batch sent to the Senate announced on Tuesday [January 13].”
- Cybersecurity Dive informs us,
- “In an attempt to help critical infrastructure operators protect themselves from hackers, the U.S. and six other countries have published security guidance for organizations that run operational technology, offering advice on everything from network segmentation to activity logging.
- “Exposed and insecure OT connectivity is known to be targeted by both opportunistic and highly capable actors,” the authoring agencies — representing the U.S., Australia, Canada, Germany, the Netherlands, New Zealand and the United Kingdom — wrote in the document, “Secure connectivity principles for Operational Technology.”
- “Improving OT cybersecurity,” the agencies added, “can challenge attackers’ efforts and raise the threshold necessary to cause physical harm, environmental impact, and disruption.”
- and
- “The Department of Homeland Security is preparing to introduce a new system for holding sensitive discussions with critical infrastructure operators, replacing a framework that the Trump administration abruptly eliminated in its early days.
- “The new program, currently dubbed Alliance of National Councils for Homeland Operational Resilience (ANCHOR), will streamline the process through which federal agencies and infrastructure providers meet to discuss cyber and physical security threats, according to multiple people familiar with the matter, who requested anonymity to speak freely.”
- Cyberscoop relates,
- “A 40-year-old Jordanian national pleaded guilty Thursday [January 15, 2026] to operating as an access broker, selling access to at least 50 victim company networks he broke into by exploiting two commercial firewall products in 2023, according to the Justice Department.
- “Feras Khalil Ahmad Albashiti, who lived in the Republic of Georgia at the time, sold an undercover FBI agent unauthorized access to the victim networks on a cybercrime forum under the moniker “r1z” in May 2023, authorities said in court records.
- “The undercover FBI agent continued communicating with Albashiti for the next five months, uncovering evidence of additional alleged crimes. He’s accused of selling malware that could turn off endpoint detection and response products from three different companies.
- “Albashiti proved the malware worked when, unbeknownst to him, the FBI observed him use the EDR-killing malware on an FBI server the agency granted him access to as part of its investigation.”
From the cybersecurity breaches and vulnerabilities front,
- Cybersecurity Dive reports,
- “The healthcare sector experienced twice as many breaches in 2025 as it did in 2024, but the number of exposed patient records dropped precipitously, according to a new report from Fortified Health Security.
- “Ransomware attacks and third-party risk are powering the surge in breaches, with many of those intrusions now threatening operations more than data privacy.
- “The industry has shifted from major, headline events to a more taxing state of constant disruption,” Fortified said in its report.”
- and
- “Cybersecurity remained the top risk concern among corporate leaders for a fifth year in a row, but AI jumped into the number two position, according to a report released Wednesday from Allianz Commercial.
- “AI rose sharply from the number 10 spot to the second biggest concern, indicating growing interest in how the technology might improve productivity, while also creating novel security challenges, according to the annual Allianz Risk Barometer.
- “Companies increasingly see AI not only as a powerful strategic opportunity, but also as a complex source of operational, legal and reputational risk,” Allianz chief economist Ludovic Subran told Cybersecurity Dive. “In many cases, adoption is moving faster than governance, regulation and workforce readiness can keep up.”
- CISA added two known exploited vulnerabilities to its catalog this week.
- December 12, 2026: CVE-2025-8110 Gogs Path Traversal Vulnerability. The Hacker News discusses this KEV here.
- December 13, 2026: CVE-2026-20805 Microsoft Windows Information Disclosure Vulnerability. The Register discusses this KEV here.
- Dark Reading informs us,
- “Linux systems may soon be facing a new threat with an advanced, cloud-first malware framework developed by China-affiliated actors that’s aimed at establishing persistent access to cloud and container environments.
- “Check Point Research discovered the framework, called VoidLink, which is comprised of cloud-focused capabilities and modules, including custom loaders, implants, rootkits, and modular plug-ins, according to a blog post published Tuesday [January 13]. Calling it an “impressive piece of software,” Check Point researchers said the framework is far more advanced than any current Linux-oriented malware.”
- and
- “The year has barely begun, but 2026 is already in familiar territory for Fortinet customers, as a new vulnerability has come under attack.
- “On Jan. 13, Fortinet disclosed a critical flaw in its FortiSIEM platform, tracked as CVE-2025-64155 and assigned a 9.4 CVSS score. The OS command injection vulnerability allows an unauthenticated attacker to achieve remote code execution (RCE) on FortiSIEM instances through crafted TCP requests.
- “Yesterday, cybersecurity vendor Defused warned in a post on X that CVE-2025-64155 had been exploited in the wild. Much of the threat activity observed by Defused’s honeypots came from different IP addresses, including three from Chinese providers.
- “In a LinkedIn post, Simo Kohonen, Defused founder and CEO, said the company’s honeypots had received a “good amount” of targeted exploitation activity that began almost immediately after public disclosure. China-nexus threat groups have heavily targeted Fortinet, along with other edge device vendors, in recent years.”
- Cyberscoop points out,
- “Predator spyware operators have the ability to recognize why an infection failed, and the tech has more sophisticated capabilities for averting detection than previously known, according to research published Wednesday [January 14].
- Jamf Threat Labs found from an analysis of a Predator sample that it has an error code system that can alert operators to why an implant didn’t stick, with “error code 304” signifying that a target was running security or analysis tools.
- “This error code system transforms failed deployments from black boxes into diagnostic events,” Shen Yuan and Nir Avraham wrote for the company. “When an operator deploys Predator against a target and receives error code 304, they know the target is running security tools — not that the exploit failed, not that the device is incompatible, but specifically that active analysis is occurring.
- “This has direct implications for targeted individuals: if security analysis tools like Frida are running, Predator will abort deployment and report error code 304 to operators, who can then troubleshoot why their deployment failed,” they continued.
- Bleeping Computer notes,
- “Security researchers have discovered a critical vulnerability in Google’s Fast Pair protocol that can allow attackers to hijack Bluetooth audio accessories, track users, and eavesdrop on their conversations.
- “The flaw (tracked as CVE-2025-36911 and dubbed WhisperPair) affects hundreds of millions of wireless headphones, earbuds, and speakers from multiple manufacturers that support Google’s Fast Pair feature. It affects users regardless of their smartphone operating system because the flaw lies in the accessories themselves, meaning that iPhone users with vulnerable Bluetooth devices are equally at risk.
- “Researchers with KU Leuven’s Computer Security and Industrial Cryptography group who discovered it explain that the vulnerability stems from the improper implementation of the Fast Pair protocol in many flagship audio accessories.”
- Per SC Media,
- “A vulnerability in the AI-powered Cursor integrated development environment (IDE) could have enabled an attacker to conduct stealthy remote code execution (RCE) attacks via indirect prompt injection, Pillar Security reported Wednesday.
- “The flaw, tracked as CVE-2026-22708, arose from implicit trust in certain shell built-ins including “export” and “typeset,” which would allow them to be executed without any notification of or approval from the user, even when the user’s allowlist was empty.”
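As an added illustration of the failure mode in the Pillar Security finding above (constructed for this page, not Cursor’s or Pillar’s code), the snippet below models a command gate that implicitly trusts the `export` and `typeset` built-ins beside a hardened gate that gives no command a free pass. The first-word allowlist, the run/ask decision model and the sample commands are assumptions; nothing here executes any command.

```python
"""Weak versus hardened command gate for an agent that proposes shell commands.

The weak gate reproduces the reported flaw: shell built-ins bypass the user's
allowlist entirely, so they run with no prompt even when the allowlist is empty.
The hardened gate removes that implicit trust and also asks for approval when a
command contains syntax that can spawn further commands. Constructed example."""
import re
import shlex
from typing import Optional

# The two built-ins named in the report; the weak gate trusts them blindly.
IMPLICITLY_TRUSTED_BUILTINS = {"export", "typeset"}

# Shell syntax that can run additional commands inside one "simple" command:
# command substitution, backticks, chaining, pipes and redirection.
_SHELL_METACHARS = re.compile(r"\$\(|`|[;&|<>]")


def first_word(command: str) -> Optional[str]:
    """Return the command name, or None if the line cannot be tokenised."""
    try:
        words = shlex.split(command)
    except ValueError:  # e.g. unterminated quote
        return None
    return words[0] if words else None


def weak_gate(command: str, allowlist: set) -> str:
    """Flawed decision ('run' or 'ask'): built-ins skip the allowlist check."""
    word = first_word(command)
    if word in IMPLICITLY_TRUSTED_BUILTINS:
        return "run"  # bug: no notification, no approval, allowlist ignored
    return "run" if word in allowlist else "ask"


def hardened_gate(command: str, allowlist: set) -> str:
    """Fixed decision: no implicit trust, empty allowlist means everything asks,
    and any command that can spawn further commands always asks."""
    word = first_word(command)
    if word is None or _SHELL_METACHARS.search(command):
        return "ask"
    return "run" if word in allowlist else "ask"


# Constructed sample commands; they are classified, never executed.
SAMPLE_COMMANDS = [
    "git status",
    "export BUILD_ID=$(cat VERSION)",  # substitution hides a second command
    "typeset -x TOKEN=abc",
]


def decisions(commands, allowlist):
    """Map each command to (weak decision, hardened decision)."""
    return {c: (weak_gate(c, allowlist), hardened_gate(c, allowlist)) for c in commands}


if __name__ == "__main__":
    for cmd, (weak, hard) in decisions(SAMPLE_COMMANDS, set()).items():
        print(f"{cmd!r}: weak={weak} hardened={hard}")
```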
From the ransomware front,
- The HIPAA Journal reports,
- “The threat from ransomware is greater than ever, according to a new report from GuidePoint Security. The cybersecurity firm recorded a 58% year-over-year increase in victims, making 2025 the most active year ever reported by GuidePoint Security. In 2025, GuidePoint Security tracked 2,287 unique victims in Q4, 2025 alone – the largest number of victims in any quarter tracked by the GuidePoint Research and Intelligence Team (GRIT). December was the most active month in terms of claimed victims, which increased 42% year-over-year to 814 attacks. On average, 145 new victims were added to dark web data leak sites every week in 2025, with the year ending with 7,515 claimed victims.
- “Law enforcement operations have targeted the most active groups, and there have been notable successes; however, they have had little effect on the number of victims, which continues to increase. Rather than the ransomware-as-a-service (RaaS) landscape being dominated by one or two major actors, law enforcement operations have helped create a highly fragmented ecosystem, with smaller groups conducting attacks in high volume, using repeatable operations. In 2025, GRIT tracked 124 distinct named ransomware groups – a 46% increase from 2024 and the highest number of groups ever recorded in a single year.
- “While ransomware attacks are conducted globally, as in previous years, ransomware actors are primarily focused on the United States, where 55% of attacks were conducted last year, followed by Canada, which accounted for 4.5% of attacks. The manufacturing sector was the most heavily targeted, accounting for 14% of attacks, followed by the technology sector (9%), and retail/wholesale (7%). Healthcare ranked in fourth spot, with more than 500 victims in 2025.”
- Symantec adds,
- “The cyber-extortion epidemic reached new heights in 2025, with a record number of attacks recorded. As outlined in our new whitepaper, this increase is being powered by a new breed of attackers who eschew encryption and rely solely on data theft as leverage for extortion. By using zero-day vulnerabilities or exploiting weaknesses in the software supply chain, attackers can steal data from even the best-defended organizations before they become aware of the issue.
- “Meanwhile, there has also been no decline in the number of attacks involving encryption. This is despite significant levels of disruption among key players, such as the collapse of LockBit in late 2024 and the closure of RansomHub in April 2025. Instead, other ransomware operators such as Akira, Qilin, Safepay and DragonForce expanded rapidly in the wake of those departures, quickly winning over affiliate attackers who previously worked with the departing actors.”
- The Register calls our attention to
- “Researchers at Group-IB say the DeadLock ransomware operation is using blockchain-based anti-detection methods to evade defenders’ attempts to analyze their tradecraft.
- “First spotted in July 2025, the DeadLock group has attacked a wide range of organizations while almost managing to stay under the radar.
- “It abandons the usual double extortion approach in which cybercrooks steal data, encrypt systems, and threaten to post it online for all to see if the victim refuses to pay a ransom.” * * *
- “But for the researchers at Group-IB, the old-school encryption-only model is not the most notable aspect of the DeadLock operation. Its use of Polygon smart contracts to obscure its command-and-control (C2) infrastructure is an unusual move that’s slowly gaining popularity.
- “Once a victim’s systems are encrypted, DeadLock drops an HTML file that acts as a wrapper for the decentralized messenger Session. This file replaces an instruction for the victim to download Session to communicate with DeadLock.
- “By using blockchain-based smart contracts to store the group’s proxy server URL – the one victims connect to before communicating with the criminals – it allows DeadLock to rotate this address frequently, making it difficult for defenders to permanently block its infrastructure.”
From the cybersecurity business and defenses front,
- Dark Reading reports,
- “CrowdStrike continues its shopping spree, announcing plans to acquire browser security startup Seraphic Security. The acquisition will bring browser telemetry to the endpoint detection company’s flagship Falcon security platform.
- “Seraphic Security’s platform, which includes a secure Web gateway, zero-trust network access, and cloud access security browser, provides protection and detection capabilities to browsers. Enterprises can use the platform to provide their users with secure access to software-as-a-service and private Web applications. Security teams get a consistent secure browser experience across both managed and personal devices without the complexity or cost of deploying virtual desktop infrastructure or a virtual private network.” * * *
- “CrowdStrike plans to combine Seraphic’s “continuous in-session browser protection” with the identity protection and authorization capabilities from SGNL (announced last week) and Falcon’s existing endpoint telemetry and threat intelligence, according to the release announcing the acquisition. The combination will provide next-generation identity security that protects every interaction across endpoints, browser sessions, and the cloud, the company said.”
- Bleeping Computer relates,
- “Microsoft announced on Wednesday [January 14] that it disrupted RedVDS, a massive cybercrime platform linked to at least $40 million in reported losses in the United States alone since March 2025.
- “Microsoft filed civil lawsuits in the United States and the United Kingdom, seizing malicious infrastructure and taking RedVDS’s marketplace and customer portal offline as part of a broader international operation with Europol and German authorities.
- “Two co-plaintiffs joined Microsoft in this action: H2-Pharma, an Alabama pharmaceutical company that lost $7.3 million in a business email compromise scheme, and the Gatehouse Dock Condominium Association in Florida, which lost nearly $500,000 in resident funds.”
- Federal News Network tells us,
- “As the Defense Department moves to meet its 2027 deadline for completing a zero trust strategy, it’s critical that the military can ingest data from disparate sources while also being able to observe and secure systems that span all layers of data operations.
- “Gone are the days of secure moats. Interconnected cloud, edge, hybrid and services-based architectures have created new levels of complexity — and more avenues for bad actors to introduce threats.
- “The ultimate vision of zero trust can’t be accomplished through one-off integrations between systems or layers. For critical cybersecurity operations to succeed, zero trust must be based on fast, well-informed risk scoring and decision making that consider a myriad of indicators that are continually flowing from all pillars.
- “Short of rewriting every application, protocol and API schema to support new zero trust communication specifications, agencies must look to the one commonality across the pillars: They all produce data in the form of logs, metrics, traces and alerts. When brought together into an actionable speed layer, the data flowing from and between each pillar can become the basis for making better-informed zero trust decisions.”
- Security Week notes,
- “Tracked as CVE-2025-20393 (CVSS score of 10/10), the security defect was disclosed on December 17, one week after Cisco’s Talos researchers observed its in-the-wild exploitation as a zero-day.
- “This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said at the time.
- “The company said the attacks targeted only a small set of appliances, and attributed the campaign to UAT-9686, a China-linked APT.
- “On Thursday, Cisco updated its advisory to provide information on the flaw, the affected products, and the available patches.
- “The flaw affects the Spam Quarantine feature of the AsyncOS software running on Secure Email Gateway and Cisco Secure Email and Web Manager, and exists due to insufficient validation of HTTP requests.”
- SC Media considers,
- “The concerning cyber-physical security disconnect”
- and
- “Five questions to ask about email whitelists.”
- Here’s a link to Dark Reading’s CISO Corner.
