From the Iran War front,
- Dark Reading reports,
- “Iranian state intelligence has been utilizing the cybercriminal underground to upgrade and provide cover for its offensive cyber activity.
- “Iran’s Ministry of Intelligence and Security (MOIS) has long used hacktivism as a cover when it carries out cyberattacks. On March 11, for example, a wiper attack struck the Fortune 500 medical technology company Stryker. It was claimed by “Handala,” a group that positions itself as a pro-Palestine hacktivist operation, evidently itching to contribute to the ongoing US-Iran war. In fact, it’s a front for Void Manticore, an advanced persistent threat (APT) run out of Iran’s MOIS.
- “This isn’t a new strategy. What is new, according to recent research from Check Point, is that MOIS hackers have been working with the real cybercriminals they’re pretending to be. Void Manticore, for example, has made the commercial infostealer Rhadamanthys a core element of its attack chains. Other MOIS entities have been linked to cybercrime clusters, even collaborating with ransomware-as-a-service (RaaS) operations.
- Organizations need to be aware of this, says Sergey Shykevich, threat intelligence group manager at Check Point, “because there can be a case where a SOC or CISO will see something in their network that they associate with cybercrime activity [and label it] of low risk. And in reality, it will be an Iranian threat actor who will be able to execute destructive activities.”
- The Wall Street Journal tells us on March 12,
- “Stryker said a cyberattack related to the Iranian conflict is still disrupting its operations, including order processing, manufacturing and shipping.
- “Stryker experienced a global disruption to its Microsoft systems following a cyberattack Wednesday, which resulted in the company asking 56,000 employees to disconnect from all networks and avoid turning on company devices.
- “The hackers behind the attack said they were retaliating on behalf of Iran, The Wall Street Journal reported Wednesday.
- “On Thursday, Stryker said operations were still disrupted, but it doesn’t believe its patient-related services or connected products have been impacted.”
- Security Week adds,
- “Stryker is a Fortune 500 company that specializes in the manufacturing of surgical equipment, orthopedic implants, and neurotechnology. Headquartered in Michigan, the company employs approximately 56,000 people and reported over $25 billion in revenue for 2025. Its critical role in the healthcare supply chain makes it an essential partner for hospitals worldwide.”
- “The Iran-linked hacker group named Handala has taken credit for the attack, claiming to have struck an “unprecedented blow” to the company.”
- and
- “Like other ideologically motivated hackers, Handala is not motivated by profit, according to Ismael Valenzuela, vice president of threat intelligence at the cybersecurity company Arctic Wolf.
- “What distinguishes this group is its clear focus on data destruction rather than financial extortion,” he said in an email.
- Cybersecurity Dive points out,
- “Stryker said the cyberattack that hit the company this week has disrupted its manufacturing and shipping operations.
- “The medtech company released the information Thursday night [March 12] in a statement posted to its website. Stryker did not detail the attack’s impact on its systems, but wrote in the statement that the incident has caused disruptions to order processing, manufacturing and shipping.
- “However, we are working diligently to restore our systems and above all, we are committed to ensuring our customers can continue to deliver seamless patient care,” the company said.
- “Stryker maintained that the incident is contained to its internal Microsoft environment, and there is no malware or ransomware detected.”
From the cybersecurity policy and law enforcement front,
- Federal News Network reports,
- “U.S. Cyber Command and the National Security Agency have a new permanent leader. The Senate has confirmed Gen. Joshua Rudd to serve as the next director of CYBERCOM and NSA. The two organizations have been without a permanent leader since April, when President Donald Trump fired Gen. Timothy Haugh from the role. Some Democratic lawmakers objected to Rudd’s nomination, citing his lack of cyber experience needed to immediately step into the dual leadership position. Sen. Ron Wyden (D-Ore.) said that when it comes to U.S. cybersecurity, “there is simply no time for on-the-job learning.” It’s not clear when Rudd will be sworn in.”
- and
- “The Cybersecurity and Infrastructure Security Agency (CISA) is postponing meetings with industry on a forthcoming cyber incident reporting rule due to the ongoing Department of Homeland Security shutdown.
- “The shutdown is also “likely” to delay the final Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule, CISA confirmed today [March 9].
- “In a notice posted to its website, CISA said it won’t be able to hold planned town halls on CIRCIA due to the lapse in appropriations. The town halls were scheduled for today, March 9, through early April.”
- Cyberscoop relates,
- “The Trump administration is plotting an interagency body to confront malign hackers, pilot programs to secure critical infrastructure across states and other steps tied to its freshly-released cyber strategy, National Cyber Director Sean Cairncross said Monday.
- “The “interagency cell” will bring together agencies like the Justice Department, the Department of State, the FBI and the Pentagon, which will make it clear that going on cyber offense isn’t just about attacking enemies in cyberspace, Cairncross said.
- “Sure, that’s part of it, but that’s not all of it,” he said at an event hosted by USTelecom. It will include diplomatic efforts, arrests and more, he said. “As President Trump has made clear, he expects results, and he’s empowered the team under him to go get them.
- “A series of pilot programs will be catered to specific critical infrastructure industries in specific states, such as water in Texas and beef in South Dakota, Cairncross said. Different sectors operate at more or less mature levels, he said.”
- Cybersecurity Dive tells us,
- “Inconsistent definitions, overly burdensome information demands and duplicative requirements are some of the problems that U.S. businesses face in dealing with cybersecurity regulations, according to a recent Government Accountability Office report.
- “Critical infrastructure organizations want federal agencies to work together to streamline their rules, according to the March 5 summary of a GAO panel discussion with infrastructure representatives.
- “Businesses recommended several possible solutions to the regulatory sprawl, including agencies converging on common definitions of key terms.”
- and
- “The federal government should prioritize interoperable, risk-based standards as it develops security guidance for agentic AI systems, major businesses told the National Institute of Standards and Technology.
- “NIST’s Center for AI Standards and Innovation is exploring ways to help AI companies and their customers protect agents from tampering or abuse, and as part of that project, it sought public comments through Monday evening. More than 930 organizations and individuals submitted comments, according to the docket, including a group of powerful industry trade groups: the American Bankers Association and the Bank Policy Institute, the software group BSA and the tech industry juggernaut TechNet.”
- Cyberscoop informs us,
- “A 41-year-old South Florida man is accused of conducting at least 10 ransomware attacks and helping accomplices extort a combined $75.25 million in ransom payments while he was working as a ransomware negotiator for DigitalMint.
- “Five of Angelo John Martino III’s alleged victims hired DigitalMint, which assigned Martino to conduct ransomware negotiations on their clients’ behalf — putting him in a position to play both sides, as the criminal responsible for the attack and the lead negotiator for his alleged victims, according to federal court records unsealed Wednesday.
- “Martino allegedly obtained an affiliate account on ALPHV, also known as BlackCat, and conspired with other former cybersecurity professionals to break into victims’ networks, steal and encrypt data, and extort companies for ransoms over a six-month period in 2023.
- “Martino was an unnamed co-conspirator in an indictment filed in November 2025 against Kevin Tyler Martin, another former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former manager of incident response at Sygnia. Goldberg and Martin pleaded guilty in December to participating in a series of ransomware attacks and are scheduled for sentencing April 30.”
- and
- “Authorities from multiple countries dismantled SocksEscort, a residential proxy network cybercriminals used to commit large-scale fraud, claiming access to about 369,000 IP addresses since 2020, the Justice Department said Thursday.
- “Europol, which aided the investigation alongside various law enforcement agencies, Lumen’s Black Lotus Labs and the Shadowserver Foundation, said the malicious proxy service compromised routers and IoT devices in 163 countries. Officials said the proxy network’s payment platform received about $5.8 million from its customers.
- “The globally coordinated action, dubbed Operation Lightning, took down and seized 34 domains and 23 servers in seven countries. U.S. officials froze a combined $3.5 million in cryptocurrency allegedly linked to the botnet that was created from infected devices.
- “Cybercrime thrives on anonymity,” Catherine De Bolle, executive director at Europol, said in a statement. “Proxy services like SocksEscort provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection.”
From the cybersecurity breaches and vulnerabilities front,
- MedTech Dive reports,
- “Intuitive Surgical was hit by a cybersecurity phishing incident that compromised customer and employee data.
- “Information was obtained from an employee’s compromised access into Intuitive’s internal business administrative network, the surgical robotics firm said in a statement posted to its website. An unauthorized third party accessed information including customer business and contact information, as well as employee and corporate data.
- “The statement was posted on Thursday [March 12], an Intuitive spokesperson said in an email to MedTech Dive.
- “When the incident was discovered, the company activated its incident response protocols and secured all affected applications.”
- Bleeping Computer adds,
- “Starbucks has disclosed a data breach affecting hundreds of employees after threat actors gained access to their Starbucks Partner Central accounts.
- “As the world’s largest coffeehouse chain, Starbucks has over 380,000 employees (also known as partners) and operates nearly 41,000 locations across 88 countries.
- “In data breach notification letters filed with Maine’s Attorney General and sent to affected employees on Tuesday, the company says that it discovered the incident on February 6.
- Cyberscoop relates,
- “Threat hunters and a collection of unconfirmed victims are responding to a series of attacks targeting Salesforce customers, which the vendor disclosed in a security advisory Saturday [March 7].
- “Salesforce is actively monitoring threat activity targeting public-facing Experience Cloud sites, including attempts to take advantage of overly permissive guest user configurations,” the company said in the alert.
- “The campaign marks the third widespread attack spree targeting Salesforce customers in about six months.
- “The number of victims ensnared by the latest attacks is unverified, but ShinyHunters, the threat group asserting responsibility for the attacks, claims about 100 companies have already been impacted.”
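The Salesforce advisory quoted above points at overly permissive guest user configurations on public Experience Cloud sites. As an added example (not Salesforce’s or Cyberscoop’s code), the Python below takes the JSON that the Salesforce CLI’s `sf data query --json` emits for a SOQL query over ObjectPermissions on guest-license profiles and flags every row a public, unauthenticated guest should not hold: any create/edit/delete/modify-all grant, any view-all-records grant, and plain read on objects that typically carry personal data. The SOQL string, the relationship path to the license name, the sensitive-object list and the sample records are assumptions/constructed data, not taken from the advisory.

```python
"""Audit Salesforce guest-user object permissions for over-permissive grants.

Added example, not Salesforce's or Cyberscoop's code. Input is the JSON that
`sf data query --json` returns for a SOQL query over ObjectPermissions; the
SOQL below, the license relationship path and the sample records are
assumptions/constructed data to be verified against your own org.
"""
import json

# Assumed SOQL: the field names are standard ObjectPermissions fields; the
# Parent.Profile.UserLicense.Name path is an assumption to confirm in your org.
GUEST_PERMS_SOQL = (
    "SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, "
    "PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords, "
    "Parent.Profile.Name FROM ObjectPermissions "
    "WHERE Parent.Profile.UserLicense.Name = 'Guest User License'"
)

# Any write or modify-all grant to an unauthenticated guest is a high finding.
WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete",
               "PermissionsModifyAllRecords")
# Objects a public site guest almost never needs to read (assumed list).
SENSITIVE_OBJECTS = {"Contact", "Lead", "Account", "Case", "User", "Opportunity"}


def audit_guest_permissions(query_json: str) -> list[dict]:
    """Return one finding per risky ObjectPermissions row.

    Severity: 'high' for any write/ModifyAll grant, 'medium' for ViewAllRecords
    or plain Read on a sensitive object; rows with neither produce no finding.
    Findings are sorted high first, then by object name.
    """
    data = json.loads(query_json)
    findings = []
    for rec in data.get("result", {}).get("records", []):
        obj = rec.get("SobjectType")
        profile = ((rec.get("Parent") or {}).get("Profile") or {}).get("Name", "?")
        writes = [f for f in WRITE_FLAGS if rec.get(f)]
        if writes:
            findings.append({"object": obj, "profile": profile,
                             "severity": "high", "reason": "+".join(writes)})
        elif rec.get("PermissionsViewAllRecords"):
            findings.append({"object": obj, "profile": profile,
                             "severity": "medium", "reason": "PermissionsViewAllRecords"})
        elif rec.get("PermissionsRead") and obj in SENSITIVE_OBJECTS:
            findings.append({"object": obj, "profile": profile,
                             "severity": "medium", "reason": "PermissionsRead on sensitive object"})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["object"]))


# Constructed sample in the shape of `sf data query --json` output; not real org data.
SAMPLE_QUERY_OUTPUT = json.dumps({
    "status": 0,
    "result": {
        "totalSize": 4,
        "records": [
            {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsCreate": False,
             "PermissionsEdit": False, "PermissionsDelete": False,
             "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False,
             "Parent": {"Profile": {"Name": "Help Center Profile"}}},
            {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False,
             "PermissionsEdit": True, "PermissionsDelete": False,
             "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False,
             "Parent": {"Profile": {"Name": "Help Center Profile"}}},
            {"SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True,
             "PermissionsEdit": False, "PermissionsDelete": False,
             "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False,
             "Parent": {"Profile": {"Name": "Help Center Profile"}}},
            {"SobjectType": "Account", "PermissionsRead": True, "PermissionsCreate": False,
             "PermissionsEdit": False, "PermissionsDelete": False,
             "PermissionsViewAllRecords": True, "PermissionsModifyAllRecords": False,
             "Parent": {"Profile": {"Name": "Partner Portal Profile"}}},
        ],
    },
})

if __name__ == "__main__":
    # Read-only knowledge articles produce no finding; the other three rows do.
    for f in audit_guest_permissions(SAMPLE_QUERY_OUTPUT):
        print(f"[{f['severity']}] {f['profile']}: {f['object']} ({f['reason']})")
```

In practice you would run the SOQL against each org with the CLI, pipe the JSON into this script, and treat every high finding as a configuration to remove before an attacker enumerates it; object-level grants are only part of the picture, so field-level security, sharing rules and any public Apex or flows exposed to the guest profile need the same review.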
- and
- “A maximum-severity vulnerability in pac4j, an open-source library integrated into hundreds of software packages and repositories, poses a significant security threat, but has thus far received scant attention.
- “The defect in the Java security engine, which handles authentication across multiple frameworks, has not been exploited in the wild since code review firm CodeAnt AI published a proof-of-concept exploit last week. The company discovered the vulnerability and privately reported it to pac4j’s maintainer, which disclosed the defect and released patches for affected versions of the library within two days.
- “Some researchers told CyberScoop they are concerned about the vulnerability — CVE-2026-29000 — because it affects a widely deployed Java security engine that attackers can exploit with relative ease.
- “A threat actor only needs to access a server’s public RSA key to attempt exploitation,” researchers at Arctic Wolf Labs said in an email.
- CISA added six known exploited vulnerabilities to its catalog this week.
- March 9, 2026
- CVE-2021-22054 Omnissa Workspace ONE Server-Side Request Forgery
- CVE-2025-26399 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
- CVE-2026-1603 Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability
- The Hacker News discusses these KEVs here.
- March 11, 2026
- CVE-2025-68613 n8n Improper Control of Dynamically-Managed Code Resources Vulnerability
- Bleeping Computer discusses this KEV here.
- March 13, 2026
- CVE-2026-3909 Google Skia Out-of-Bounds Write Vulnerability
- CVE-2026-3910 Google Chromium V8 Unspecified Vulnerability
- Vulert discusses these KEVs here.
- Cybersecurity Dive points out,
- “Prolific cybercrime gangs have begun using AI to help them generate malware, signaling a “fundamental shift of dynamics” in the threat environment, IBM’s X-Force threat intelligence team said in a report published on Thursday [March 12].
- “The malware, which IBM called Slopoly, is “relatively unspectacular” but nonetheless a harbinger of a coming future in which automated code development can rapidly accelerate the hacking life cycle, according to the report.
- “IBM linked the malware to Hive0163, a group of hackers who have used the Interlock ransomware in several recent major attacks.”
- Dark Reading notes,
- “Exploitation of user-managed cloud software has overtaken credential abuse as the method by which most attackers gain initial access to cloud resources.
- “In its semi-annual “Cloud Threat Horizons Report,” Google found attacks on user-managed software applications — such as the React2Shell attack targeting a flaw in React Server Components — bested software vulnerabilities to become the most frequently exploited vector for initial access. Overall, “software-based entry,” which includes exploiting software vulnerabilities such as remote code execution (RCE) flaws, accounted for about 44% of all initial-access activity in Google Cloud, the company stated in the report.
- “The shift is likely due to the company’s focus on secure-by-default strategies and cloud users taking measures to shrink the stolen credentials and misconfiguration attack surfaces, says Crystal Lister, a security adviser in the Office of the CISO at Google Cloud.
- “As defenders address some of the initial, enduring cloud hygiene issues, attackers are being forced to focus on more sophisticated, automated paths,” she says. “It isn’t necessarily that companies are cutting corners, but rather that the defensive perimeter has moved. Attackers are now targeting the third-party user-managed software running on top of the cloud rather than the cloud infrastructure itself.”
From the ransomware front,
- Spiceworks explains “why encrypted backups may fail in an AI-driven ransomware era.” Check it out.
- Healthcare IT News tells us how to stop ransomware disruption with better planning.
- “Lessons from a LockBit ransomware attack can keep healthcare organizations running when faced with a cyberattack, said Zachary Lewis, CIO and CISO at University of Health Sciences and Pharmacy, in his HIMSS26 Cyber Forum keynote.”
- Two former federal government cybersecurity officials, writing in Cyberscoop, point out,
- “We’ve seen ransomware cost American lives. Here’s what it will actually take to stop it.
- “Hackers have cut their attack timelines from weeks to hours while the government spreads resources too thin. We need to stop pretending we can protect everything and start focusing on what would hurt us most.”
From the cybersecurity business and defenses front,
- Cybersecurity Dive reports,
- “Google on Wednesday said it completed a $32 billion agreement to buy Wiz, a leading cloud and AI security platform, marking one of the largest-ever acquisitions in the cybersecurity market.
- “The deal will allow Google to provide a comprehensive security offering to both government and enterprise customers operating across multicloud environments.
- “Wiz works across the leading cloud providers, including Amazon Web Services, Microsoft Azure and Oracle Cloud.
- “The platform will continue to operate under its own brand name, while providing a broad range of services through its integration with Google Cloud.”
- Security Week relates,
- “OpenAI announced this week that it’s in the process of acquiring AI security company Promptfoo.
- “Financial terms of the acquisition have not been disclosed, but Promptfoo has raised more than $23 million and was reportedly valued at $86 million (based on PitchBook data) following an $18.4 million Series A funding round in July 2025.
- “Promptfoo has developed a security and evaluation platform designed to systematically test LLMs and AI agents. * * *
- “Once it completes the acquisition, OpenAI plans to integrate Promptfoo’s capabilities into its Frontier platform, which enterprises use to build and operate AI coworkers.
- “Promptfoo brings deep engineering expertise in evaluating, securing, and testing AI systems at enterprise scale. Their work helps businesses deploy secure and reliable AI applications, and we’re excited to bring these capabilities directly into Frontier,” said Srinivas Narayanan, CTO of B2B Applications at OpenAI.”
- Cyberscoop tells us,
- “Artificial intelligence may be enhancing cyber threats, but the defensive approach to those AI-amplified attacks remains the same, a top FBI official said Tuesday.
- “We have seen actors both criminal and nation-state, they’re absolutely using AI to their advantage,” said Jason Bilnoski, deputy assistant director at the FBI’s cyber division. “But the way attacks unfold have not changed. Cyberattacks still follow basic steps. It just becomes an incredible speed now.”
- “The best way to deal with those attacks is to implement all the traditional defenses, like those the FBI has been emphasizing as part of its Operation Winter SHIELD media campaign, he said.
- “Don’t worry about the speed and capability” of AI attacks, Bilnoski said at a Billington Cybersecurity conference. “If you’re focused on the basics, it’ll help prevent the actual intrusion from occurring.
- “It’s a message that the acting director of the Cybersecurity and Infrastructure Security Agency, Nick Andersen, also shared at the conference. Sophisticated attackers are out there, he said, but the agency’s recent binding operational directive for federal agencies to get rid of unsupported edge devices was a way of shoring up basic vulnerabilities.”
- Dark Reading informs us,
- “In the latest installment of our monthly “Reporters’ Notebook” video series, Dark Reading’s Tara Seals, TechTarget Search Security’s Sharon Shea, and Cybersecurity Dive’s Dave Jones discuss cybersecurity concerns around the just-concluded Winter Olympics in Milan-Cortina (and the upcoming 2026 FIFA World Cup), with an eye to what these global sports events can teach everyday businesses about incident-response preparation.”
- Tech Target points out how to choose the best mobile hotspot for remote work.
- “Organizations that support remote work should understand how personal hotspots and dedicated hotspot devices differ. Compare these mobile hotspot options.”
- Here’s a link to Dark Reading’s CISO Corner.
