Cybersecurity Saturday

David ErmerCybersecurity, Generative AI

From the Iran War front,

  • Security Week reports,
    • “The Iranian APT MuddyWater has hacked into the networks of several organizations in the US, including an aerospace and defense contractor, Broadcom’s Symantec and Carbon Black threat hunting team reports.
    • “The threat actor has been present in the environments of an airport, a bank, a non-governmental organization operating in the US and Canada, and a software company with a presence in Israel.
    • “According to the Broadcom experts, the APT’s activity has continued “in recent days following US and Israeli military strikes on Iran that have sparked conflict in the region”.
  • Cybersecurity Dive adds,
    • “Pro-Russia threat actors have formed a loose coalition with Iran-nexus hacking groups in response to the bombing campaign launched by the U.S. and Israel on Iran. 
    • “The groups began working together Monday under the #OpIsrael campaign, with a focus on targeting critical infrastructure and exfiltration of data, according to researchers at Flashpoint.” * * *
    • Researchers at Palo Alto Networks Unit 42 estimate that about 60 threat actors, including Iran-nexus and Russia-aligned groups, might be involved in various levels of hacking activity since the bombing campaign began.”  
  • The American Hospital Association News tells us,
    • “The FBI is reminding critical infrastructure organizations to implement mitigations from a June 2025 fact sheet on potential actions by Iranian-affiliated cyber actors who may target U.S. devices and networks due to geopolitical tensions. The fact sheet explains how cyber actors often exploit targets with unpatched or outdated software with known common vulnerabilities or passwords.  
    • “In the context of the ongoing conflict with Iran, it is particularly important to ensure that we are implementing cybersecurity measures to defend against the known tactics used by Iranian state-sponsored hackers or pro-Iranian hackers acting independently,” said John Riggi, AHA national advisor for cybersecurity and risk. “Besides seeking to exploit common vulnerabilities and default passwords, they also target internet-connected operational technology and industrial control systems. These systems may be present in hospitals in the form of HVAC, water, life-safety and building automation systems. It is recommended that cyber teams closely coordinate with facilities and building engineers to identify internet-facing OT and ICS systems, assess the need for internet connectivity and ensure they are patched and secure.”

From the cybersecurity policy and law enforcement front,

  • The Wall Street Journal reports,
    • “The Trump administration published its new cyber strategy Friday [March 6], framing digital security in the context of broader geopolitical issues and promising to incentivize the private sector to identify and disrupt cyber adversaries.
    • “Compared with the Biden administration’s 2023 National Cybersecurity Strategy, which ran more than 35 pages and detailed dozens of policy initiatives, the new document is far shorter at five pages and sets out broad principles for future policy decisions and priorities.”
  • Cyberscoop adds,
    • “The strategy “calls for unprecedented coordination across government and the private sector to invest in the best technologies and continue world-class innovation, and to make the most of America’s cyber capabilities for both offensive and defensive missions,” the White House said in a statement accompanying its release.”
    • “Trump also signed an executive order Friday directing agencies to take action to combat cybercrime and fraud.”
  • The Congress did not resolve the Department of Homeland Security shutdown this week.
  • Fedscoop reports,
    • “The Department of Homeland Security is undergoing an overhaul of its IT and information security leadership, with multiple sources telling FedScoop there is a broad realignment underway at the department to replace key technology leaders.
    • “FedScoop has learned that at least two DHS officials are being replaced: Chief Information Security Officer Hemant Baidwan and Deputy CISO Amanda Day. 
    • “The reorg among IT officials comes as other leadership is changing at the department. President Donald Trump announced Thursday that Secretary of Homeland Security Kristi Noem will be leaving the position at the end of March. Trump has nominated Sen. Markwayne Mullin, R-Okla, as her replacement.
  • Cybersecurity Dive adds,
    • “The confirmation prospects for Sean Plankey, President Donald Trump’s nominee to lead the Cybersecurity and Infrastructure Security Agency, have dimmed further following Plankey’s unceremonious departure from a job at the Department of Homeland Security.
    • “Security personnel escorted Plankey out of a DHS facility on Monday, a person familiar with the matter told Cybersecurity Dive, confirming an incident first reported by CBS News. Plankey announced on Wednesday that he had left his job as a senior Coast Guard adviser to DHS Secretary Kristi Noem, but he framed his departure as a voluntary one intended to help him focus on his nomination to serve as CISA director.”
  •  Per an HHS news release,
    • “Today [March 5], the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with MMG Fusion, LLC (MMG), a Maryland software company, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. MMG is a business associate as it receives protected health information (PHI) from HIPAA covered entities and its software is used to communicate directly with patients of covered entities.” * * *
    • “The settlement resolves an investigation that OCR initiated in March 2023 after receiving a complaint concerning an unreported security incident at MMG, and the posting of PHI on the dark web. OCR’s investigation determined that in December 2020, an unauthorized actor infiltrated MMG’s information system and accessed PHI [of 15 million people], including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments.” * * *
    • “The resolution agreement and corrective action plan may be found at https://www.hhs.gov/sites/default/files/ocr-mmg-fusion-hipaa-agreement.pdf [PDF, 264 KB].”
  • Cybersecurity Dive informs us,
    • “An international coalition led by Microsoft and Europol has taken down the operations of Tycoon 2FA, a notorious phishing-as-a-service platform that helped cyber criminals gain access to millions of email accounts across the globe. 
    • “Microsoft obtained a court order from the U.S. District Court from the Southern District of New York to seize 330 active domains used to back the core infrastructure of Tycoon 2FA.
    • “Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from follow-on attacks such a data theft, ransomware, business email compromise and financial fraud,” Steve Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in a blog post published Wednesday.” 
  • Bleeping Computer lets us know,
    • “The FBI has seized the LeakBase cybercrime forum, a major online forum used by cybercriminals buy and sell hacking tools and stolen data.
    • This seizure action is part of an international joint operation coordinated by Europol, known as “Operation Leak,” that involved law enforcement agencies in 14 countries.
    • On March 3 and 4, the FBI and law enforcement agents shut down LeakBase by seizing two of its domains, posting seizure banners, and warning LeakBase members of the seizure after collecting further evidence.” * * *
    • Today’s [March 4] announcement follows the disruption of RaidForums in 2022 and BreachForums in 2023, two cybercrime marketplaces that preceded it, as well as the BreachForums founder’s conviction and sentencing in 2025.
  • and
    • “A U.S. government contractor’s son, accused of stealing more than $46 million in cryptocurrency from the U.S. Marshals Service, was arrested Wednesday on the island of Saint Martin.
    • “The arrest was the result of a joint operation between the FBI and France’s elite Groupe d’Intervention de la Gendarmerie Nationale, FBI Director Kash Patel announced on Thursday.
    • “Last night, John Daghita – a U.S. government contractor who allegedly stole more than $46 million in cryptocurrency from the U.S Marshals Service – was arrested on the island of Saint Martin by the French Gendarmerie’s premier elite tactical unit in a joint operation with the @FBI,” Patel said.”
  • Cyberscoop points out,
    • “Russian national Evgenii Ptitsyn pleaded guilty to running the Phobos ransomware outfit that extorted more than $39 million from more than 1,000 victims globally, the Justice Department said Wednesday.
    • “Ptitsyn assumed a leadership role in the Phobos ransomware group in January 2022, yet his criminal activities began by April 2019, according to court records. He continued leading the cybercrime syndicate until May 2024 when he was arrested in South Korea. Ptitsyn was extradited to the United States in November 2025.
    • “Federal prosecutors dropped multiple charges against Ptitsyn as part of a plea agreement he signed last month. He faces up to 20 years in prison for wire fraud conspiracy.
    • “Ptitsyn agreed to forfeit $1.77 million in assets and is required to pay at least $39.3 million in restitution, representing the full amount of his victims’ losses.

From the cybersecurity breaches and vulnerabilities front,

  • The Wall Street Journal reports on March 6,
    • “U.S. investigators believe hackers affiliated with the Chinese government are responsible for a cyber intrusion on an internal Federal Bureau of Investigation computer network that holds information related to some domestic surveillance orders, according to people familiar with the matter.
    • “The scope and severity of the intrusion aren’t known, and the investigation is in its early stages, the people said. Any preliminary conclusions could change as investigators gather more information. 
    • “If China is confirmed to be responsible for the breach, it would signal the latest intrusion by Beijing’s hackers of computer systems related to law-enforcement surveillance orders, which contain highly sensitive material.
    • “A notification sent in recent days to some lawmakers in Congress said the FBI began investigating the matter last month, the people said. The intrusion involved hackers accessing an unclassified system that contains information about the calls and internet activity of criminal suspects and others under government surveillance. Information in the system includes incoming and outgoing calls, IP and website addresses and some routing information, but doesn’t include the contents of calls or digital communication.” 
  • Cybersecurity Dive adds,
    • “A total of 90 zero-day vulnerabilities were exploited in the wild in 2025, according to a report released Thursday by Google Threat Intelligence Group.
    • “Of that total, almost half of the exploited vulnerabilities were used against enterprise-grade technology, marking an all-time high. 
    • “Exploitation from state-sponsored groups targeted networking and security tools with a strong emphasis on edge devices, which often lack endpoint detection and response capabilities, according to GTIG researchers. 
    • “China-nexus groups remain the most prolific state-sponsored groups, with a long history of detailed knowledge of vulnerable devices. 
    • “They have a significant zero-day development ecosystem that includes industry, academia, and government,” John Hultquist, chief analyst at GTIG, told Cybersecurity Dive.”
  • Bleeping Computer relates,
    • “TriZetto Provider Solutions, a healthcare IT company that develops software and services used by health insurers and healthcare providers, has suffered a data breach that exposed the sensitive information of over 3.4 million people.
    • “The firm, which has been operating under the Cognizant umbrella since 2014, disclosed that it detected suspicious activity on a web portal on October 2, 2025, and launched an investigation with the help of external cybersecurity experts.
    • “The investigation revealed that unauthorized access began nearly a year before, on November 19, 2024.’ * * *
    • “Affected providers were alerted on December 9, 2025, but customer notification started in early February 2026. According to a filing Maine’s Attorney General submitted today [March 6], the number of exposed individuals is 3,433,965.
    • “TriZetto says that payment card, bank account, or other financial information was not exposed in this incident. Also, the company is not aware of any cases where cybercriminals have attempted to misuse this information.”
  • CISA added seven known exploited vulnerabilities to its catalog this week.
    • March 3, 2026
      • CVE-2026-21385 Qualcomm Multiple Chipsets Memory Corruption Vulnerability
      • CVE-2026-22719 Broadcom VMware Aria Operations Command Injection Vulnerability
        • Cybersecurity News discusses the Qualcomm KVE here.
        • Bleeping Computer discusses the VM Aria KVE here.
    • March 5, 2026
      • CVE-2017-7921 Hikvision Multiple Products Improper Authentication Vulnerability
      • CVE-2021-22681 Rockwell Multiple Products Insufficient Protected Credentials Vulnerability
      • CVE-2021-30952 Apple Multiple Products Integer Overflow or Wraparound Vulnerability
      • CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
      • CVE-2023-43000 Apple Multiple products Use-After-Free Vulnerability
        • The Hacker News discusses the Hikvision and Rockwell KVEs here.
        • Bleeping Computer discusses the Apple KVEs here.
  • Cyberscoop adds,
    • “Cisco released information on a pair of max-severity vulnerabilities in its firewall management software Wednesday that unauthenticated, remote attackers could exploit to obtain the highest level of access to the underlying operating system or on affected devices.
    • “The vulnerabilities — CVE-2026-20079 and CVE-2026-20131 — affect the web-based interface of Cisco Secure Firewall Management Center (FMC) Software, regardless of device configuration, the vendor said.
    • “Cisco disclosed the critical vulnerabilities one week after it warned that attackers have been exploiting a pair of zero-days in Cisco’s network edge software for at least three years. That campaign, which is ongoing, marked the second series of multiple actively exploited zero-days in Cisco edge technology since last spring. 
    • “Both campaigns prompted the Cybersecurity and Infrastructure Security Agency to issue emergency directives months after the attacks were first detected, and both attack sprees were underway for at least a year before they were discovered.” 
  • and
    • “Google disclosed one actively exploited zero-day vulnerability Monday, warning that the high-severity defect affecting an open-source Qualcomm display component for Android devices “may be under limited, targeted exploitation.”
    • “The memory-corruption vulnerability — CVE-2026-21385 — which Google’s Androidsecurity team reported to Qualcomm Dec. 18, affects 234 chipsets, Qualcomm said in a security bulletin. Qualcomm said it notified customers of the vulnerability Feb. 2.
    • “Qualcomm declined to say when the earliest known instance of exploitation occurred, how many victims have been directly impacted, and what occurred during the 10-week period between the reporting and public disclosure of the vulnerability. 
    • “We commend the researchers from Google’s Threat Analysis Group for using coordinated disclosure practices,” a Qualcomm spokesperson told CyberScoop. “Fixes were made available to our customers in January 2026. We encourage end users to apply security updates as they become available from device makers.”
  • and
    • “North Korean threat groups are using artificial intelligence tools to accelerate and expand the country’s long-running scheme to get remote technical workers hired at global companies for longer durations, Microsoft Threat Intelligence said in a report Friday. 
    • “AI services are empowering North Korean operatives across the attack lifecycle. Attackers have turned AI into a “force multiplier” that bolsters and automates their efforts to conduct research on targets, develop malicious resources, achieve and maintain access, evade detection, and weaponize tools for attacks and post-compromise activities, researchers said.
    • “Microsoft said a trio of groups it tracks as Coral Sleet, Sapphire Sleet and Jasper Sleet are using AI to shorten the time it takes to create digital personas for specific job markets and roles. These groups frequently leverage financial opportunities or interview-themed lures to gain initial access.”
  • The Hacker News notes,
    • “Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections.
    • “It’s advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard that lets them select a brand to impersonate or enter a brand’s real URL. It also lets users choose custom keywords like “login,” “verify,” “security,” or “account,” and integrates URL shorteners such as TinyURL to obscure the destination URL.
    • “It launches a headless Chrome instance – a browser that operates without a visible window – inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site,” Abnormal researchers Callie Baron and Piotr Wojtyla said.”

From the ransomware front,

  • The Record reports,
    • “The University of Hawaiʻi Cancer Center said up to 1.2 million people had information leaked as a result of a ransomware attack on its epidemiology division last year. 
    • “Hackers accessed records containing Social Security numbers (SSNs) and driver’s license numbers collected from the Hawaiʻi State Department of Transportation as well as City and County of Honolulu voter registration records from 1998, according to a statement released by the organization last week.” * * *
    • “In January, the university sent a report to the state legislature that said the cyber incident was first discovered on August 31, 2025.” * * *
    • “Naoto Ueno, director of the University of Hawaiʻi Cancer Center, apologized for the incident last week and said the organization was “committed to transparency.” 
    • “The university said the attackers encrypted and likely exfiltrated data, prompting them to notify law enforcement and hire cybersecurity experts to resolve the situation. The cybersecurity firm obtained a decryption tool and secured “an affirmation that any information obtained was destroyed.”  
    • “University officials claimed there is “no evidence that any of the information has been published, shared or misused.” The group responsible for the attack was not identified.”   
  • Cybersecurity Dive relates,
    • “Identity has replaced malware as the biggest threat vector opening the door for ransomware attacks, Cloudflare said in an annual threat report published on Tuesday.
    • “Hackers’ increasing use of legitimate credentials, rather than malicious code, is making it harder for defenders to detect and contain their attacks.
    • “Cloudflare’s new report also discussed nation-state threat actors’ behavior and how artificial intelligence is changing attacks.”
  • Mobihealth News interviews Scott Doerr, virtual CISO, or vCISO, at Fortified Health Security, [who] previews his upcoming talk at the 2026 HIMSS Global Health Conference & Exposition, where he will discuss how healthcare companies can strengthen their preparedness for ransomware attacks. 

From the cybersecurity business and defenses front,

  • Cyberscoop reports,
    • “CrowdStrike Holdings reported record earnings in the fiscal fourth-quarter, defying investor concerns about the rising use of agentic AI potentially curbing demand for cybersecurity software and services. 
    • “The Texas-based cybersecurity company said total revenue grew 23% on a year-over-year basis, to $1.31 billion in the quarter ended Jan. 31. 
    • “Annual recurring revenue, a closely watched metric among cybersecurity companies, grew 24%, to $5.25 billion. 
    • “The results come at a time of growing market anxiety about how AI adoption could render traditional software — including cybersecurity tools — obsolete. CrowdStrike executives acknowledged those larger industry concerns and noted the Q4 performance was a demonstration that certain companies were well-positioned to compete in the new marketplace.” 
  • ZDNet adds,
    • “Anthropic, OpenAI, and Google tools can automate code debugging. 
    • “But cybersecurity is too complex a problem for these tools to solve. 
    • “AI’s biggest contribution may be to reduce avoidable software flaws. 
  • Healthexec relates,
    • “In January, National Security Agency (NSA), released protocols for the U.S. Department of War to achieve “zero trust” security across the agency, meaning any access to the network must come from something continually inside it. While such a setup would be technically demanding for healthcare, the American Hospital Association (AHA) said it may be time for facilities to start moving in that direction.
    • “Zero trust security would mean radical changes for hospitals, where a countless number of devices have access to networks, including everything from EHRs to medical devices, to tablets and smartphones used for communication.
    • “What the NSA wants the Department of War to adopt is a system where no one gains access to a network from the outside, meaning no logins or passwords. In fact, even systems connected to the network from the inside are not automatically trusted.
    • “In other words, every user, device, and system must continually prove they are allowed access—and access is limited strictly to what’s necessary.
    • “The ethos of zero trust means that it’s assumed even the network itself isn’t safe, hence the continuous verification. Something like a two-factor authentication app displaying a constant active code would be required to log on.”
  • The AHA News adds,
  • SC World tells us,
    • “The 2026 Zero Trust World conference kicked off here Wednesday (March 4) with a particularly optimistic keynote by futurist and TV host Jason Silva and also featured a last-minute addition in the form of a talk by former White House CIO Theresa Payton.
    • “But it was the smaller sessions, including a dark-web primer and a live Security Now! podcast broadcast featuring cybersecurity veterans Steve Gibson and Leo LaPorte, that stole the show during the first day of ThreatLocker’s annual user conference.”
  • Tech Target explains “how to perform a data risk assessment, step by step.”
  • Here’s a link to Dark Reading’s CISO Corner.

Leave a Reply

Your email address will not be published. Required fields are marked *