Cybersecurity Saturday

From the cybersecurity policy front,

  • Per a February 11, 2026, Cybersecurity and Infrastructure Security Agency news release,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) unveiled its 2025 Year in Review today, spotlighting bold achievements that strengthened the nation’s cyber and physical security in 2025. The report underscores CISA’s commitment to innovation, resilience, and collaboration. This report is a snapshot of goals achieved for this past year. Year over year CISA’s goals change as the threat landscape evolves and as we lean into core mission objectives as determined by the Administration’s policies. 
    • “The Year in Review is more than a report – it’s proof of CISA’s unwavering commitment to protecting the infrastructure and systems Americans count on every day,” said CISA Acting Director Madhu Gottumukkala. “From safeguarding federal networks to equipping communities with tools to reduce risk, our team delivered measurable results in 2025. And we’re not slowing down – we will lead with innovation, resilience and partnership to stay ahead of tomorrow’s threats.”
  • Federal News Network reports,
    • “Sen. Ron Wyden (D-Ore.) is pledging to keep his hold on the nominee to lead the Cybersecurity and Infrastructure Security Agency. Wyden said he will continue to object to Sean Plankey’s nomination until CISA releases a 2022 report on security flaws in the U.S. telecommunications system. Wyden previously held up Plankey’s nomination for much of last year over the same issue. (Sen. Ron Wyden (D-Ore.) floor remarks – Congress.gov)”
  • Cyberscoop tells us,
    • “A recent attempt at a destructive cyberattack on Poland’s power grid has prompted the Cybersecurity and Infrastructure Security Agency to publish a warning for U.S. critical infrastructure owners and operators.
    • “Tuesday’s alert follows a Jan. 30 report from Poland’s Computer Emergency Response Team that concluded the December attack overlapped significantly with infrastructure used by a Russian government-linked hacking group, and that it targeted 30 wind and photovoltaic farms, among others.
    • “CISA said its warning was meant to “amplify” that Polish report. In particular, CISA said the attack highlighted the threats to operational technology and industrial control systems, most commonly used in the energy and manufacturing sectors.
    • “And CISA’s alert continues a recent agency focus on securing edge devices like routers or firewalls, after a binding operational directive last week to federal agencies to strip unsupported products from their systems.”
  • Cybersecurity Dive relates,
    • “The Cybersecurity and Infrastructure Security Agency wants critical infrastructure partners’ feedback on the scope of its cyber-incident reporting regulation as the agency homes in on a final version of the long-awaited rule.
    • “In a notice set for publication in the Federal Register on Friday [January 13], CISA announced a series of town hall meetings where different sectors will be able to share their thoughts about the pending rule, which Congress required in the 2022 Cyber Incident Reporting for Critical Infrastructure Act.
    • “A draft version of the CIRCIA rule, published in April 2024, gave covered infrastructure operators 72 hours to report substantial cyber incidents to the government. Business groups and some lawmakers objected to the scope of the information that companies would need to report, as well as to the breadth of companies covered under the regulation.
    • “In its new announcement, CISA said it “appreciates stakeholders’ interest and concern that CISA implement CIRCIA to maximize its impact on improving our nation’s cybersecurity posture while minimizing unnecessary burden to entities in critical infrastructure sectors.”
    • “The agency wants infrastructure operators to share “specific, actionable improvements” to CIRCIA that “clarify or reduce” the burden of the planned reporting requirement while still giving the government ample information about the cyber-threat landscape.”
    • The virtual town hall meeting for the Emergency Services Sector, Government Facilities Sector, and Healthcare and Public Health Sector is scheduled for March 17, 2026.
  • Federal News Network reports,
    • “The Cybersecurity and Infrastructure Security Agency plans to designate 888 of its 2,341 employees as excepted during a shutdown. All of those employees would go without pay during a shutdown.
    • “A shutdown forces many of our frontline security experts and threat hunters to work without pay—even as nation-states and criminal organizations intensify efforts to exploit critical systems that Americans rely on—placing an unprecedented strain on our national defenses,” Acting CISA Director Madhu Gottumukkala told lawmakers this week.
    • “The cyber agency’s core responsibilities include defending federal agency networks and working with critical infrastructure to strengthen their security.
    • “Gottumukkala said that a shutdown would delay the deployment of new cyber services to federal networks and the sharing of guidance with critical infrastructure partners. It would also likely delay CISA’s work to finalize a landmark cyber incident reporting rule.”

From the cybersecurity vulnerabilities and breaches front,

  • CISA added eleven known exploited vulnerabilities to its catalog this week.
    • February 10, 2026
      • CVE-2026-21510 Microsoft Windows Shell Protection Mechanism Failure Vulnerability
      • CVE-2026-21513 Microsoft MSHTML Framework Security Feature Bypass Vulnerability
      • CVE-2026-21514 Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability
      • CVE-2026-21519 Microsoft Windows Type Confusion Vulnerability
      • CVE-2026-21525 Microsoft Windows NULL Pointer Dereference Vulnerability
      • CVE-2026-21533 Windows Remote Desktop Services Elevation of Privilege Vulnerability
        • SecPod discusses these KEVs here.
    • February 12, 2026
      • CVE-2024-43468 Microsoft Configuration Manager SQL Injection Vulnerability
      • CVE-2025-15556 Notepad++ Download of Code Without Integrity Check Vulnerability
      • CVE-2025-40536 SolarWinds Web Help Desk Security Control Bypass Vulnerability
      • CVE-2026-20700 Apple Multiple Buffer Overflow Vulnerability
        • Nopsec discusses the Microsoft Configuration Manager KEV here.
        • WNEsecurity discusses the Notepad++ KEV here.
        • Rapid7 discusses the SolarWinds KEV here.
        • Bleeping Computer discusses the Apple KEV here.
    • February 13, 2026
      • CVE-2026-1731 BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability
        • The Hacker News discusses this KEV here.
  • Cybersecurity Dive informs us,
    • “Security researchers warn that threat groups are exploiting critical vulnerabilities in SmarterMail, a business email and collaboration server that small to medium-sized businesses use as an alternative to Microsoft Exchange. 
    • “A China-linked threat actor, tracked as Storm 2603, has exploited an authentication bypass vulnerability tracked as CVE-2026-23760 to deploy Warlock ransomware, according to a blog released Monday by researchers at Reliaquest. 
    • “The hacker abuses legitimate administrative functions to hide its activity from security teams. It then installs a digital forensic tool called Velociraptor to maintain access in preparation for potential ransomware attacks, according to Reliaquest. 
    • “SmarterTools, the parent company behind SmarterMail, confirmed in a Feb. 3 blog post that its own network was impacted by a Jan. 29 breach.” 
  • and
    • “More than 80% of exploitation activity targeting critical vulnerabilities in Ivanti Endpoint Manager Mobile were traced to a single IP address hiding behind a bulletproof hosting infrastructure, according to a report released Tuesday by GreyNoise. 
    • “Researchers warn that several of the most shared indicators of compromise linked to the current threat campaign indicate no activity linked to Ivanti EPMM. The concern is that security teams may therefore be looking for the wrong information, as current IoCs indicate scanning for Oracle WebLogic instead, according to GreyNoise researchers.”
  • Cyberscoop notes,
    • “A new report from Google found evidence that state-sponsored hacking groups have leveraged AI tool Gemini at nearly every stage of the cyber attack cycle.
    • “The research underscores how AI tools have matured in their cyber offensive capabilities, even as it doesn’t reveal novel or paradigm shifting uses of the technology.
    • “John Hultquist, chief analyst at Google’s Threat Intelligence Group, told CyberScoop that many countries still appear to be experimenting with AI tools, determining where they best fit into the attack chain and provide more benefit than friction.
    • “Nobody’s got everything completely worked out,” Hultquist said. “They’re all trying to figure this out and that goes for attacks on AI, too.
    • “But the report also reveals that frontier AI models can build speed, scale and sophistication into a myriad of hacking tasks, and state-sponsored hacking groups are taking advantage.”
  • Bleeping Computer points out,
    • “Threat actors are abusing Claude artifacts and Google Ads in ClickFix campaigns that deliver infostealer malware to macOS users searching for specific queries.
    • “At least two variants of the malicious activity have been observed in the wild, and more than 10,000 users have accessed the content with dangerous instructions.
    • “A Claude artifact is content generated with Anthropic’s LLM that has been made public by the author. It can be anything from instructions, guides, chunks of code, or other types of output that are isolated from the main chat and accessible to anyone via links hosted on the claude.ai domain.”
  • and
    • “A set of 30 malicious Chrome extensions that have been installed by more than 300,000 users are masquerading as AI assistants to steal credentials, email content, and browsing information.
    • “Some of the extensions are still present in the Chrome Web Store and have been installed by tens of thousands of users, while others show a small install count.
    • “Researchers at browser security platform LayerX discovered the malicious extension campaign and named it AiFrame. They found that all analyzed extensions are part of the same malicious effort as they communicate with infrastructure under a single domain, tapnetic[.]pro.”
  • and
    • “A new variation of the fake recruiter campaign from North Korean threat actors is targeting JavaScript and Python developers with cryptocurrency-related tasks.
    • “The activity has been ongoing since at least May 2025 and is characterized by modularity, which allows the threat actor to quickly resume it in case of partial compromise.
    • “The bad actor relies on packages published on the npm and PyPi registries that act as downloaders for a remote access trojan (RAT). In total, researchers found 192 malicious packages related to this campaign, which they dubbed ‘Graphalgo’.
    • “Researchers at software supply-chain security company ReversingLabs say that the threat actor creates fake companies in the blockchain and crypto-trading sectors and publishes job offerings on various platforms, like LinkedIn, Facebook, and Reddit.”
  • TechRadar advises,
    • “If you’re using an older Android phone, Google has a message you probably don’t want to hear.
    • “More than 40% of Android devices worldwide no longer receive critical security updates, leaving over 1 billion phones exposed to malware and spyware attacks, according to the company.
    • “The problem isn’t a sudden flaw but a slow drift. Android adoption data shows most users are still running software versions that Google no longer fully supports. While recent confusion around Google Play system update dates has raised concerns, Google says that the issue is cosmetic.
    • “The real issue is simpler and more serious: phones running Android 12 or older are now outside the security safety net.”

From the ransomware front,

  • The HIPAA Journal reports,
    • “A new record was set for ransomware attacks last year, with disclosed ransomware attacks increasing by 49% year-over-year to a record-high of 1,174 attacks, according to Black Fog’s 2025 State of Ransomware Report. There was also a 37% year-over-year increase in undisclosed attacks, with 7,079 victims added to dark web data leak sites in 2025. The figures indicate that globally, 86% of ransomware attacks are not disclosed by victims.
    • “Data theft almost always occurs with ransomware attacks. In 2025, 96% of attacks involved data exfiltration prior to file encryption, which results in greater organizational harm. Data exfiltration has contributed to the significant increase in breach costs, as data theft results in greater reputational harm and increased regulatory exposure. In 2025, the average cost of a data breach was $4.44 million globally, and $7.42 million for healthcare data breaches. Healthcare retained its position as the sector most targeted by ransomware groups in 2025, accounting for 22% of disclosed attacks. All sectors experienced an increase in attacks in 2025, apart from education, which saw a 13% year-over-year decrease in attacks.
    • “The breakup of large ransomware groups has led to a fragmentation of the ransomware ecosystem, and the number of active ransomware groups continued to increase in 2025. Black Fog tracked 130 different ransomware groups in 2025, of which 52 were new groups that emerged in 2025, a 9% increase from 2024. Several groups that emerged in 2025 have disproportionately targeted the healthcare sector, including Sinobi, Insomnia, and Devman. Devman issued the largest ever ransom demand of $91 million in 2025 for its attack on China’s real estate development company Shimao Group Holdings. World Leaks, widely believed to be a rebrand of Hunters International, has also claimed several healthcare victims, as have all of the top three most prolific and dangerous ransomware groups of the year: Qilin, Akira & Play.”
  • Cybersecurity Dive adds,
    • “Ransomware attacks on the IT sector were higher in each quarter of 2025 than in the same quarters of 2024, with the sector ranking third behind manufacturing and commercial facilities on hackers’ target lists, according to a new report from the Information Technology Information Sharing and Analysis Center.
    • “Nearly half of all ransomware attacks that the IT-ISAC tracked occurred in the U.S., far surpassing the totals in other countries.
    • “The food and agriculture sector also saw a significantly higher number of ransomware attacks in 2025 than it did in 2024, according to a new report from that sector’s ISAC, which shares leadership with the IT-ISAC.”
  • The Federal Trade Commission has issued its own 2025 ransomware report according to Executivegov.
    • “The Federal Trade Commission has reported that ransomware and other malware-based attacks represent only 2.23 percent of all fraud complaints submitted to the agency.
    • “In the 2025 Ransomware Report published Friday, the FTC shared that, between July 2023 and June 2025, tech support scams were among the most reported fraud types.
    • “About 1 percent of the 42,972 reports the FTC received that allegedly originate from China are ransomware. The majority of the complaints are related to online shopping fraud.
    • “Complaints tied to Russia, Iran and North Korea are relatively rare, with the three countries accounting for only 0.05 percent of all fraud reports the FTC received from 2023 to 2025.”
  • Morphisec calls attention to
    • “Ransomware isn’t slowing down. It’s scaling, adapting, and finding new ways to slip past defenses that many organizations still trust implicitly.  
    • “The Ransomware Reality Check 2026 infographic paints a clear, data-driven picture of the risk landscape ahead: from skyrocketing demands to sophisticated execution methods that beat traditional detection technologies.”  
  • Per Security Week,
    • “Mere data exfiltration is no longer a lucrative approach for ransomware groups, and threat actors may increasingly rely on encryption to regain leverage, Coveware notes in a new report.
    • “Following a series of highly successful data-exfiltration-only attacks conducted by known groups such as Cl0p, other ransomware groups adopted the trend, stealing victims’ data without encrypting it.
    • “The campaigns targeting MOVEit, Cleo, and Oracle E-Business Suite (EBS) customers are proof that the approach no longer delivers return on investment, Coveware says.
    • “Cl0p, it explains, started this trend with a simple strategy: it acquired an exploit for a zero-day vulnerability in a popular enterprise file transfer or data storage product, hacked as many instances as possible for data exfiltration, and extorted each compromised entity into paying a ransom.
    • “In 2021, the group likely made tens of millions of dollars using this tactic in the Accellion campaign, when over 25% of the impacted organizations likely paid a ransom. Roughly 20% of the entities impacted by the GoAnywhere MFT hack also paid a ransom.
    • “In the subsequent campaigns, however, the victims’ willingness to pay dropped significantly: less than 2.5% of those affected by the MOVEit breach paid, and almost none paid in the Cleo and Oracle EBS incidents, Coveware says in its latest ransomware trends report.”
  • Per Cyberscoop,
    • “Ransomware groups crop up like weeds, angling for striking positions in a crowded field rife with turnover, infighting and unbridled competition. Yet, they rarely emerge, as 0APT did late last month, claiming roughly 200 victims out of the gate.
    • “Researchers have thus far seen no evidence confirming 0APT attacked any of its alleged victims, which includes high-profile organizations. Alleged victim data samples and the structure and size of placeholder file trees published by 0APT place further doubt on the group’s supposed criminal escapades. 
    • “Most signs suggest the group is running a massive hoax, but at least some of the threat 0APT poses is grounded in truth. The group’s inflated pretense may be a ruse to create a sense of momentum, gain recognition and attract affiliates.
    • “While 0APT is probably bluffing about the victims it has already compromised, it is not bluffing on the technical capabilities of its actual ransomware,” Cynthia Kaiser, senior vice president at Halcyon’s ransomware research center, told CyberScoop.”

From the cybersecurity business and defenses front,

  • The Wall Street Journal reports,
    • “The European Union approved Google’s $32 billion acquisition of cybersecurity startup Wiz, a win for the Alphabet unit’s * * *
    • “Google announced the all-cash deal in March 2025, betting that bringing Wiz under its cloud business would help it fast-track improvements in cloud security and enhance its ability to use multiple clouds, both trends that have gathered pace in the artificial-intelligence era.
    • “Wiz provides cybersecurity software for cloud computing and has presences in New York; Arlington, Virginia; London and Tel Aviv.
    • “The deal—cleared by U.S. antitrust authorities in November last year—was flagged to the EU’s merger watchdog for screening in January.”
  • Cyberscoop relates,
    • “Proofpoint announced Thursday [February 12] it has acquired Acuvity, an AI security startup, as the cybersecurity company moves to address security risks stemming from widespread corporate adoption of agentic AI.
    • “The acquisition strengthens Proofpoint’s capabilities in monitoring and securing AI-powered systems that are increasingly handling sensitive business functions across enterprises.
    • “Financial terms of the deal were not disclosed, but Ryan Kalember, Proofpoint’s chief strategy officer, told CyberScoop that the acquisition was beyond a pure “technology acquisition,” with Acuvity’s engineering team slated to join the California-based company. 
    • “Acuvity specializes in visibility and governance for AI applications, including the ability to track how employees and automated systems interact with external AI services and protect custom AI models developed within organizations. The startup’s platform monitors AI usage across multiple deployments, from web browsers to specialized infrastructure including Model Context Protocol (MCP) servers and locally installed AI tools.”
  • Per a February 13 CISA news release,
    • “For years, CISA has responded to an unending wave of cyber incidents targeting edge devices embedded in the Nation’s federal networks and critical infrastructure. The common culprit? 
      • Unsupported hardware and software residing on the edge of organizational networks that vendors are no longer maintaining.
    • Nation-state adversaries have seized these weak points, exploiting them to gain unauthorized access, maintain persistence, and compromise sensitive data. These neglected devices are more than just vulnerabilities; they threaten the Nation’s security, privacy, and resilience. 
    • As the operational lead for federal cybersecurity, CISA recently took a large step toward addressing this systemic risk by issuing Binding Operational Directive (BOD) 26-02, a mandate for federal civilian agencies to identify and replace end-of-support (EOS) edge devices, stay current with software updates, and patch known vulnerabilities. While directed to federal agencies, we strongly encourage all organizations to adopt similar actions. 
    • However, we as a community can and must do more. Managing the lifecycles of hardware and software products can quickly become a daunting, resource-intensive task—especially without an efficient way to determine the EOS status for hardware and software. 
    • Enter OpenEoX: a machine-readable, international standard that transforms how product lifecycle information is exchanged across software, hardware, services, and AI models. By introducing much-needed standardization and automation, OpenEoX brings transparency, efficiency, and unity to asset management. By integrating OpenEoX across the community, both hardware and software producers and consumers can together turn the tide on one of the most serious cyber threats facing the Nation: EOS hardware and software.” * * *
  • Meritalk relates,
    • The FBI Cyber Division’s latest initiative, Operation Winter SHIELD, is growing as more field offices join the cybersecurity defense campaign that aims to turn lessons from investigations into high-impact actions that organizations can take to strengthen their defenses. 
    • The bureau launched Operation Winter SHIELD on Jan. 28 as a two-month effort that spotlights one of 10 “high-impact actions” each week. The initiative is designed to help organizations reduce common breach pathways and harden critical infrastructure systems against nation-state and criminal cyber threats. 
    • Since its announcement, numerous FBI field offices across the nation have voiced their support for the operation – some of the latest field offices to join this week include Seattle, Philadelphia, and Anchorage.
    • In a video announcement, FBI Cyber Division Assistant Director Brett Leatherman said the campaign distills insights from real-world investigations into practical steps that organizations can take immediately. 
    • “Every winter storms test our infrastructure. Power grids, water systems, and supply chains are pushed to their limits, but the most critical threats to infrastructure don’t come from the weather. They come through our networks,” Leatherman said. 
    • The 10 actions outlined by the FBI include:
      • Adopt phish-resistant authentication
      • Implement a risk-based vulnerability management program
      • Track and retire end-of-life technology on a defined schedule
      • Manage third-party risk
      • Protect security logs and preserve them for an appropriate time period
      • Maintain offline immutable backups and test restoration
      • Identify, inventory, and protect internet-facing systems and services
      • Strengthen email authentication and malicious content protections
      • Reduce administrator privileges
      • Exercise your incident response plan with all stakeholders
  • Per Dark Reading,
    • “Microsoft Under Pressure to Bolster Defenses for BYOVD Attacks
    • “Threat actors are exploiting security gaps to weaponize Windows drivers and terminate security processes in targeted networks, and there may be no easy fixes in sight.”
  • Here is a link to Dark Reading’s CISO Corner.
