From the cybersecurity policy and law enforcement front,
- Federal News Network reported last Tuesday,
- “Lawmakers are moving to extend key cybersecurity information authorities and grant programs, while also providing funds for the Cybersecurity and Infrastructure Security Agency to fill “critical” positions.
- “The “minibus” appropriations agreement released by House and Senate negotiators on Tuesday includes fiscal 2026 funding for the Department of Homeland Security. DHS funding could be a sticking point in moving the bill forward, as some Democrats want more restrictions around the Trump administration’s immigration enforcement operations.
- “The bill also extends the Cybersecurity Information Sharing Act of 2015 (CISA 2015) and the State and Local Cybersecurity Grant Program through the end of fiscal 2026. Both laws are set to expire at the end of this month.
- “The extension would give lawmakers more time to work out differences between competing versions of CISA 2015 reauthorizations in the House and Senate.”
- Roll Call adds,
- “The House passed a roughly $1.25 trillion spending package Thursday in a pair of votes that overcame internal GOP divisions and Democratic protests over the Trump administration’s immigration policies.
- “The most closely watched of the four bills at stake was the Homeland Security measure, which was at greatest risk of defeat amid an immigration crackdown that raised civil rights concerns.
- “But the bill, which was taken up separately from the rest of the package, passed on a 220-207 vote. Seven Democrats joined almost all Republicans to support the measure. Kentucky Rep. Thomas Massie was the lone GOP dissenter.” * * *
- “The Senate plans to take up that [bi-partisan, bi-cameral] mega package next week to meet a Jan. 30 deadline, when current funding for most federal agencies is set to run out.”
- Cyberscoop tells us,
- “The acting head of the Cybersecurity and Infrastructure Security Agency faced pointed questions from lawmakers Wednesday [January 21, 2026] over CISA personnel decisions and staffing levels.
- “Members of the House Homeland Security Committee asked Madhu Gottumukkala about a reported attempt to fire the agency’s chief information officer, efforts to push out a large number of staff and whether CISA had enough people to do the job.
- “Gottumukkala at times sidestepped the questions, with the probing coming from both sides of the aisle. However, Democrats exhibited deeper worries about the agency’s workforce and its ability to do its job.
- “Cutbacks at CISA after employees were “bullied into quitting” — among other methods of reducing CISA’s size — have “weakened our defenses and left our critical systems and infrastructure more exposed, and the American people more vulnerable,” said Rep. James Walkinshaw, D-Va.
- “Said Chairman Andrew Garbarino, R-N.Y.: “This committee supports the administration’s goal of aligning department [of Homeland Security] resources towards urgent homeland security priorities. At the same time, workforce continuity, clear leadership and mission readiness are essential to effective cyber defenses.”
- Cybersecurity Dive informs us,
- “The National Institute of Standards and Technology is reevaluating its role in analyzing software vulnerabilities as it tries to meet skyrocketing demand for vulnerability analysis and reassure partners about the government’s continuing commitment to the program that catalogs those flaws.
- “We’ve been doing more and more thinking about the [National Vulnerability Database] and, strategically, how we’re planning on moving forward,” Jon Boyens, the acting chief of NIST’s Computer Security Division, told members of the agency’s Information Security and Privacy Advisory Board during a quarterly meeting on Thursday [January 22, 2026]. * * *
- “To solve this [skyrocketing demand] problem, NIST will begin prioritizing which vulnerabilities it enriches based on several factors, including whether a vulnerability appears in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, whether it exists in software that federal agencies use and whether it exists in software that NIST defines as critical.
- “All CVEs aren’t equal,” Boyens said. “We’re in the process of defining that prioritization. We’ve had an informal prioritization for a while. We want to formalize it now.”
- Cyberscoop relates,
- “A Russian national pleaded guilty to leading a ransomware conspiracy that targeted at least 50 victims during a four-year period ending in August 2022.
- “Ianis Aleksandrovich Antropenko began participating in ransomware attacks before moving to the United States, but conducted many of his crimes while living in Florida and California, where he’s been out on bond enjoying rare leniency since his arrest in 2024.
- “Antropenko pleaded guilty in the U.S. District Court for the Northern District of Texas earlier this month to conspiracy to commit money laundering and conspiracy to commit computer fraud and abuse. He faces up to 25 years in jail, fines up to $750,000 and is ordered to pay restitution to his victims and forfeit property.
- “Federal prosecutors reached a plea agreement with Antropenko after a years-long investigation, closing one of the more unusual cases against a Russian ransomware operator who committed many of his crimes while living in the U.S.”
- and
- “Law enforcement agencies from multiple European countries are still pursuing leads on people involved in the Black Basta ransomware group, nearly a year after the group’s internal chat logs were leaked, exposing key details about its operations, and at least six months since the group claimed responsibility for new attacks.
- “Officials in Ukraine and Germany said they raided the homes of two Russian nationals accused of participating in Black Basta’s crimes and effectively halted their operations. The pair of alleged criminals who were living in Ukraine were not named.
- “German police publicly identified a third Russian national — Oleg Evgenievich Nefedov — as Black Basta’s alleged leader. Nefedov, a 35-year-old who was subsequently added to the most-wanted lists of Europol and Interpol, allegedly formed and ran Black Basta since 2022, authorities said.
- “He is accused of extorting more than 100 companies in Germany and about 600 other countries globally. Nefedov’s current whereabouts are unknown, but he is believed to be living in Russia.”
From the cybersecurity vulnerabilities front,
- Cyberscoop reports,
- “A European cybersecurity organization has launched a decentralized system for identifying and numbering software security vulnerabilities, introducing a fundamental shift in how the global technology community could track and manage security flaws.
- “The Global CVE Allocation System, or GCVE, will be maintained by The Computer Incident Response Center Luxembourg (CIRCL) as an alternative to the traditional Common Vulnerabilities and Exposures program, which narrowly avoided shutdown last April when the Cybersecurity and Infrastructure Security Agency initially failed to renew its contract with MITRE, the nonprofit that operates the CVE system. A last-minute extension averted immediate collapse, but the near-miss exposed the 25-year-old program’s dependence on a single funding source and triggered development of competing models.
- “Unlike the traditional CVE system, which relies on a centralized structure for assigning vulnerability identifiers, GCVE introduces independent numbering authorities that can allocate identifiers without seeking blocks pre-allocated from a central body or adhering strictly to centrally enforced policies. Each approved numbering authority receives a unique numeric identifier that becomes part of the vulnerability identification format, allowing organizations to assign identifiers at their own pace and define their own internal policies for vulnerability identification.
- “The system maintains backward compatibility with the existing CVE infrastructure through a technical accommodation. All existing and future standard CVE identifiers are represented within the GCVE system using the reserved numbering authority designation of zero. A vulnerability identified as CVE-2023-40224 in the traditional system can be represented as GCVE-0-2023-40224, allowing the new framework to coexist with established practices without disrupting existing databases and tools.”
- CISA added six known exploited vulnerabilities to its catalog this week.
- January 21, 2026
- CVE-2026-20045 Cisco Unified Communications Products Code Injection Vulnerability
- Security Week discusses this KEV here.
- January 22, 2026
- CVE-2025-31125 Vite Vitejs Improper Access Control Vulnerability
- CVE-2025-34026 Versa Concerto Improper Authentication Vulnerability
- CVE-2025-54313 Prettier eslint-config-prettier Embedded Malicious Code Vulnerability
- CVE-2025-68645 Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
- Bleeping Computer discusses these KEVs here.
- January 23, 2026
- CVE-2024-37079 Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability
- The Hacker News discusses this KEV here.
- Bleeping Computer adds,
- “Days after admins began reporting that their fully patched firewalls are being hacked, Fortinet confirmed it’s working to fully address a critical FortiCloud SSO authentication bypass vulnerability that should have already been patched since early December.
- “This comes after a wave of reports from Fortinet customers about threat actors exploiting a patch bypass for the CVE-2025-59718 vulnerability to compromise fully patched firewalls.
- “Cybersecurity company Arctic Wolf said on Wednesday [January 21, 2026] that the campaign began on January 15, with attackers creating accounts with VPN access and stealing firewall configurations within seconds, in what appear to be automated attacks. It also added that the attacks are very similar to incidents it documented in December, following the disclosure of the CVE-2025-59718 critical vulnerability in Fortinet products.
- “On Thursday, Fortinet finally confirmed these reports, stating that ongoing CVE-2025-59718 attacks match December’s malicious activity and that it’s now working to fully patch the flaw.”
- Cybersecurity Dive lets us know,
- “LastPass on Tuesday warned of a phishing campaign with false claims that the company is conducting maintenance and asking customers to back up their vaults in the next 24 hours, according to an alert released by the company.
- “LastPass said the campaign began on or about Monday, which was Martin Luther King Jr. Day, when many U.S. businesses were closed. The company emphasized the email is not a legitimate request and confirmed that customers are being targeted in a social engineering campaign.
- “This campaign is designed to create a false sense of urgency, which is one of the most common and effective tactics we see in phishing attacks,” a spokesperson for LastPass said in a statement.
- “The spokesperson added that LastPass would never ask customers for their master passwords or demand action under a tight deadline.”
- and
- “AI agents are involved in 40% of insider cybersecurity threats, according to a report by managed security service provider Akati Sekurity.
- “Non-human identities outnumber humans 144 to one in the average business and constitute an attack surface IT teams, service providers and vendors are ill-equipped to defend, Akati CEO Krishna Rajagopal told Channel Dive.
- “[Partners] are focused on making sure that the LLMs are secure and doing an assessment, looking at the security of the MCP server. But there is this little worm — literally the agentic agent — that can [go] rogue, and if that goes rogue, most MSPs and MSSPs currently do not have an answer for,” Rajagopal said.”
- Dark Reading relates,
- “A zero-day vulnerability affecting a range of Cisco’s unified communications products has been exploited by threat actors, though details of the activity are unclear.
- “Cisco on Wednesday disclosed and patched CVE-2026-20045, a remote code execution (RCE) vulnerability in Cisco’s Unified Communications Manager (UCM) as well as other products. Cisco has 30 million users for UCM, which provides IP-based voice, video, conferencing, and collaboration for enterprises — so the potential impact could be vast.”
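The identifier mapping described in the Cyberscoop GCVE item above (GCVE-<authority>-<year>-<number>, with authority 0 reserved for ids mirrored from the CVE program, so CVE-2023-40224 becomes GCVE-0-2023-40224) can be exercised with a small parser that also merges a mixed CVE/GCVE feed without double-counting. This is an added example, not CIRCL's or the GCVE project's code; the four-or-more-digit number field is an assumption borrowed from CVE's own format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shapes as the article describes them: CVE-<year>-<number> for traditional ids,
# GCVE-<numbering authority id>-<year>-<number> for GCVE, authority 0 reserved
# for ids mirrored from the CVE program. Assumption (not stated on the page):
# the number field follows CVE's convention of four or more digits.
_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
_GCVE_RE = re.compile(r"^GCVE-(\d+)-(\d{4})-(\d{4,})$")


def parse_gcve(identifier: str) -> Tuple[int, str, str]:
    """Split a GCVE id into (authority id, year, number), rejecting malformed input."""
    m = _GCVE_RE.match(identifier.strip().upper())
    if not m:
        raise ValueError(f"not a well-formed GCVE id: {identifier!r}")
    authority, year, number = m.groups()
    return int(authority), year, number


def cve_to_gcve(cve_id: str) -> str:
    """Represent a traditional CVE id inside GCVE via the reserved authority 0."""
    m = _CVE_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a well-formed CVE id: {cve_id!r}")
    year, number = m.groups()
    return f"GCVE-0-{year}-{number}"


def gcve_to_cve(gcve_id: str) -> Optional[str]:
    """CVE id behind a GCVE id, or None if an independent authority (id != 0) issued it."""
    authority, year, number = parse_gcve(gcve_id)
    if authority != 0:
        return None
    return f"CVE-{year}-{number}"


def canonical(identifier: str) -> str:
    """Canonical GCVE form for either id style; the merge key for a tracker ingesting both."""
    if identifier.strip().upper().startswith("CVE-"):
        return cve_to_gcve(identifier)
    authority, year, number = parse_gcve(identifier)
    return f"GCVE-{authority}-{year}-{number}"


def merge_feeds(*feeds: List[str]) -> Dict[str, List[str]]:
    """Group raw ids from several feeds under their canonical key so one flaw counts once."""
    merged: Dict[str, List[str]] = {}
    for feed in feeds:
        for raw in feed:
            merged.setdefault(canonical(raw), []).append(raw)
    return merged
```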
From the ransomware front,
- The Hacker News reports,
- “Cybersecurity researchers have disclosed details of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025.
- “The attack leveraged a malicious driver called POORTRY as part of a known technique referred to as bring your own vulnerable driver (BYOVD) to disarm security software, the Symantec and Carbon Black Threat Hunter Team said.
- “It’s worth noting that Osiris is assessed to be a brand-new ransomware strain, sharing no similarities with another variant of the same name that emerged in December 2016 as an iteration of the Locky ransomware. It’s currently not known who the developers of the locker are, or if it’s advertised as a ransomware-as-a-service (RaaS).
- “However, the Broadcom-owned cybersecurity division said it identified clues that suggest the threat actors who deployed the ransomware may have been previously associated with INC ransomware (aka Warble).”
- Bleeping Computer cautions,
- “The ShinyHunters extortion gang claims it is behind a wave of ongoing voice phishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft, and Google, enabling threat actors to breach corporate SaaS platforms and steal company data for extortion.
- “In these attacks, threat actors impersonate IT support and call employees, tricking them into entering their credentials and multi-factor authentication (MFA) codes on phishing sites that impersonate company login portals.
- “Once compromised, the attackers gain access to the victim’s SSO account, which can provide access to other connected enterprise applications and services.”
- Fox News tells us,
- “Cybercriminals are happy to target almost any industry where data can be stolen. In many cases, less prepared and less security-focused companies are simply easier targets.
- “A recent ransomware attack on a company tied to dozens of gas stations across Texas shows exactly how this plays out. The incident exposed highly sensitive personal data, including Social Security numbers and driver’s license details, belonging to hundreds of thousands of people.
- “The breach went undetected for days, giving attackers ample time to move through internal systems and steal sensitive data. If you’ve ever paid at the pump or shopped inside one of these convenience stores, this is the kind of incident that should make you stop and pay attention.
- “According to a disclosure filed with the Maine Attorney General’s Office, Gulshan Management Services, Inc. reported a cybersecurity incident that impacted more than 377,000 individuals. Gulshan is linked to Gulshan Enterprises, which operates around 150 Handi Plus and Handi Stop gas stations and convenience stores across Texas.”
- The HIPAA Journal calls our attention to four recent attacks against healthcare providers — here and here.
From the cybersecurity defenses front,
- Cybersecurity Dive shares “Five cybersecurity trends to watch in 2026. Corporations across the globe are facing a dynamic risk environment, as AI adoption surges with few guardrails, business resilience takes center stage and the insurance industry raises major concerns.”
- AI governance and guardrails now front and center
- Cybersecurity regulatory shifts shape disclosures
- Cyber insurance enters new phase in pricing, coverage
- CVE crisis resolved while patching challenges remain
- Operational resilience becomes the new watchword for cyberattack readiness
- and
- “CISOs are slightly less confident than CEOs that AI will improve their company’s cyber defenses, according to a new report.
- “Roughly 30% of CEOs think AI will help them with cybersecurity, while only 20% of CISOs said the same, Axis Capital said in its report.
- “The survey also revealed transatlantic disagreement about the value of AI and the dangers of AI-fueled cyberattacks.”
- ISACA shares “Post Quantum Cryptography: A 12 Month Playbook for Digital Trust Professionals.”
- “The window for “harvest‑now, decrypt‑later” attacks is open, and the clock is ticking. With NIST’s first three post-quantum cryptography (PQC) standards now finalized (FIPS 203/204/205) and HQC selected in 2025 as an additional encryption option, audit, risk and security teams have the clarity they need to start moving with intent. This blog post distills the core ideas from our ISACA Journal article into a pragmatic, one-year plan you can run inside any enterprise.”
- Here is a link to Dark Reading’s CISO Corner.
