Cybersecurity Saturday

From the Iranian War front,

  • The Wall Street Journal reminds us,
    • “Iran pulled off likely the most significant wartime cyberattack against the U.S. in history, leveraging its hacking powers to cause major disruptions at a global medical-equipment firm that struggled to bring itself back online in recent days.
    • “The attack brought a conflict that until now had been largely confined to the Gulf region to the American homeland and offered a preview of the potential for how Iran may broaden its response to the U.S. and Israeli military campaign.
    • Stryker, the Michigan-based firm hit in the hack, said it experienced “global disruption” and quickly contained it. The company said it believed the incident had been limited to its internal Microsoft systems. The company added that some hospitals may be experiencing temporary pauses in transmissions of medical data, but that its connected products “are not impacted and are safe to use.” Microsoft hasn’t commented on the hack.”
  • The American Hospital Association News adds,
    • “The Cybersecurity and Infrastructure Security Agency [CISA] March 18 released an alert urging U.S. organizations to harden their endpoint management systems following the March 11 cyberattack against Stryker, a U.S.-based medical technology and supply firm. The attack impacted the company’s Microsoft environment, and Stryker said there was no indication of ransomware or malware. The CISA alert provides various recommendations and resources, as well as best practices for securing Microsoft Intune.”
  • Cybersecurity Dive informs us,
    • “The Department of Justice on Thursday [March 19] said four domains used for Iranian-backed hacking and intimidation of political opponents have been taken down in a court-ordered operation. 
    • “Two of the domains were connected to Handala, the state-linked threat group that authorities confirmed was behind the hack of Stryker, a Michigan-based medical technology giant. 
    • “A partially redacted FBI affidavit did not specifically identify Stryker by name, but the details of the attack match with the circumstances of the same incident.” * * *
    • “The sites were part of a larger effort by Iran’s Ministry of Intelligence and Security (MOIS) to intimidate dissidents, conduct malicious attacks, target Israelis and conduct violent attacks against journalists, according to court records. 
    • “Federal authorities obtained a seizure warrant Thursday, according to the FBI affidavit filed Thursday at U.S. District Court in Maryland.
    • “The FBI seizure is not expected to have a major impact on Handala’s ability to conduct attacks, said the Foundation for the Defense of Democracies (FDD).”  
  • Bleeping Computer offers “a five-step playbook to stop Iranian wiper campaigns before they spread.”

From the cybersecurity policy and law enforcement front,

  • Politico reports,
    • “The White House offered additional immigration enforcement concessions to Democrats Friday evening [March 20] as border czar Tom Homan met a second time with a bipartisan group of senators seeking to end the Homeland Security shutdown, according to lawmakers who attended.
    • “Leaving the private meeting, Republican senators said they hope Democrats respond over the weekend to the Trump administration’s bolstered proposal of immigration enforcement changes meant to address Democratic demands for funding DHS.”
  • The Wall Street Journal adds,
    • “March 27 is a make-or-break day for TSA officers.
    • “If Congress leaves that day for a scheduled two-week recess without reaching a deal to fund the Transportation Security Administration, officers are set to miss more than a month of paychecks.” 
  • Cybersecurity Dive lets us know,
    • “The Trump administration will make sure that new AI technologies are secure by design, a senior U.S. official said on Tuesday [March 17].
    • “What we are working for in my lane is to ensure that the technical security is not seen as a barrier to that innovation, but is seen as a fundamental piece of the ability to scale it and move it as quickly as possible,” National Cyber Director Sean Cairncross said at an event hosted by the McCrary Institute for Cyber and Critical Infrastructure Security.”
    • “Cairncross addressed the audience in Washington two weeks after the Trump administration released its cybersecurity strategy, a short, high-level document that discussed critical infrastructure protection, emerging technologies and digital deterrence. Cairncross said the government wanted to work closely with the U.S. companies that operate important online infrastructure, including to counter foreign adversaries — but he stressed that the government would be the one conducting offensive operations.”
  • Per a March 12 FBI news release,
    • “The Federal Bureau of Investigation (FBI) is publishing this Public Service Announcement (PSA) to raise awareness of residential proxies, the risks they pose, and steps the public can take to safeguard their devices from becoming part of a residential proxy network. Cyber threat actors use residential proxies to facilitate illicit activities, while obfuscating their true identities and locations by routing internet traffic through home and small business internet networks.”
  • Per a NIST news release,
    • “The Domain Name System (DNS) plays an integral role in every organization’s security posture by translating domain names into IP addresses. It can serve as an enforcement point for enterprise security policy and an indicator of potential malicious activity on a network. A disruption or attack against the DNS can impact an entire organization.
    • “NIST Special Publication (SP) 800-81r3 (Revision 3), Secure Domain Name System (DNS) Deployment Guide, describes the different roles of DNS and gives recommendations for protecting the integrity, availability, and confidentiality of DNS services, including:
      • “The role DNS plays in supporting a zero trust architecture, such as serving as both a policy enforcement point (PEP) and a source of information when evaluating access requests
      • “The role of hosting DNS information (authoritative DNS), including guidance on protecting the integrity and authenticity of DNS information using DNSSEC
      • “The role of recursive DNS, including guidance on protecting the confidentiality of client DNS queries.”
  • Cyberscoop reports,
    • “Three American men were sentenced Friday [March 20] for crimes they committed in furtherance of North Korea’s vast scheme to get operatives hired at U.S. companies, the Justice Department said.
    • “The trio — Audricus Phagnasay, 25, Jason Salazar, 30, and Alexander Paul Travis, 35 — pleaded guilty in November to wire fraud conspiracy for providing U.S. identities to remote North Korean IT workers.”
  • and
    • “A 27-year-old North Carolina man was found guilty of six counts of extortion for a series of crimes he committed while working as a data analyst contractor for a D.C.-based international technology company, the Justice Department said Thursday [March 19].
    • “Cameron Nicholas Curry, also known as “Loot,” stole a trove of corporate data, including sensitive employee and compensation information, which he used to extort his employer, according to court records. Curry ultimately made off with approximately $2.5 million from the victim organization in January 2024.
    • “The insider attack underscores immeasurable risks companies accept when employees, or contractors placed in roles by a third-party recruitment company, as was the case with Curry, are allowed to access sensitive data on a company-owned laptop. Officials did not name the company.”
  • and
    • “Authorities seized infrastructure powering four botnets that hijacked a combined three million devices and launched more than 300,000 DDoS attacks collectively, the Justice Department said Thursday [March 19].
    • “The botnets — Aisuru, Kimwolf, JackSkid and Mossad — enabled operators to sell access to the infected devices for various cybercrimes. The aftermath spanned thousands of attacks, including some demanding extortion payments from victims, officials said.”

From the cybersecurity breaches and vulnerabilities front,

  • Cyberscoop reports,
    • “Russian intelligence-affiliated hackers have gained access to thousands of users’ messaging apps with a global phishing campaign, the FBI and the Cybersecurity and Infrastructure Security Agency warned in a public service announcement on Friday [March 20].
    • “The high-value targets they’re pursuing include current and former U.S. government officials, political figures, military personnel and journalists, the two agencies said in the joint PSA about the hackers’ attempts to infiltrate commercial messaging applications (CMAs).
    • “The U.S. alert comes on the heels of an earlier warning from Dutch authorities, who said last week that Russian hackers were “engaged in a large-scale global attempt” to take over WhatsApp and Signal accounts. The Dutch warning likewise followed a similar warning from Germany in February.
    • “The U.S. agencies emphasized that the hackers had not been able to bypass end-to-end encryption, instead manipulating users into giving up access. The scheme involves hackers posing as Signal help personnel, then inviting them to click a link or provide verification codes or account personal identification number.”
  • and
    • “Researchers and threat hunters are scrambling to contain a maximum-severity defect in Ubiquiti’s UniFi Network Application that attackers could exploit to take over user accounts by accessing and manipulating files.
    • “The path-traversal vulnerability — CVE-2026-22557 — affects software used to manage UniFi networking devices, including access points, gateways and switches. The vendor disclosed and released patches for the defect in a security advisory Wednesday.
    • “As of this morning, we have not observed any public proof-of-concept exploits or confirmed reports of exploitation in the wild,” Matthew Guidry, senior product detection engineer at Censys, told CyberScoop.
    • “However, because this is a path-traversal vulnerability, the technical complexity for an attacker is typically lower than memory-corruption or buffer-overflow bugs,” he added. “Given that the CVSS 10 rating implies low attack complexity, we anticipate that once the specific vulnerable endpoint is identified, exploitation will be trivial to automate.”
  • Cybersecurity Dive reports,
    • “North Korea’s remote IT worker schemes rely heavily on Western collaborators, an elaborate hierarchy of roles and the extensive use of an open-source messaging application, IBM and the cybersecurity vendor Flare said in a report published on Wednesday.
    • “The new research details the tactics and technologies that North Korean operatives use to trick companies into hiring them and fly under the radar while they funnel their salaries to Pyongyang.
    • “Flare and IBM said the report could help businesses improve their ability to root out North Korean operatives posing as legitimate employees.”
  • and
    • “Threat groups are increasingly targeting critical infrastructure for malicious attacks by using direct access to cyber-physical systems, according to a report released Wednesday by Claroty, a firm that specializes in industrial security. 
    • “These attackers, which often are state-sponsored or hacktivist groups, are abusing virtual network protocol in a majority of cases to gain remote access to exposed internet-facing assets. 
    • “In two-thirds of the tracked incidents, attackers are compromising human-machine interfaces or supervisory control and data acquisition systems, which are used to control various industrial processes in factories and other operational technology environments.” 

From the ransomware front,

  • The Record reports on March 17,
    • “A prominent ransomware gang has taken credit for a devastating attack on the biggest hospital in Mississippi and a large county in New Jersey. 
    • “The Medusa ransomware operation, which experts believe is run out of Russia, said recently it was behind the cyberattack on the University of Mississippi Medical Center (UMMC).” * * *
    • “The hospital fully reopened on March 2, and the Medusa ransomware gang claimed the attack last Thursday, demanding an $800,000 ransom. The hackers threatened to leak data stolen from the hospital by March 20.  
    • “A UMMC spokesperson declined to comment on the ransom threat.   
    • “Experts believe the Medusa operation is based in Russia due to its avoidance of targets in Commonwealth of Independent States, its Russian-language forum activity and the use of Cyrillic script in operational tools.” 
  • Cyberscoop adds,
    • “Ransomware remains a scourge that shows some signs of relenting, but incident responders and threat hunters are busier than ever as more financially-motivated attackers lean exclusively on data theft for extortion.
    • “Attacks that only involve data theft for extortion may not be more prevalent than traditional ransomware when attackers encrypt systems, but momentum is moving in that direction, Genevieve Stark, head of cybercrime intelligence at Google Threat Intelligence Group, told CyberScoop.
    • “When you look at the actors in the English-speaking underground, those actors are almost all just focusing on data-theft extortion right now,” Stark added. This includes groups like Scattered Spider, ShinyHunters, Clop and other groups that have been responsible for some of the largest and farthest-reaching attacks over the past few years.
    • “Google Threat Intelligence Group’s research report on ransomware, which it shared exclusively and discussed with CyberScoop prior to release, underscores how the evolution and spread of cybercrime can cloud a collective understanding of ransomware, or attacks that use malware to encrypt or lock systems.” 
  • eSecurity Planet explains,
    • “Why BYOD Is the Favored Ransomware Backdoor.
    • “80% of ransomware attacks come from unmanaged devices. Explore how BYOD could be ransomware’s favored method and how to protect against attacks.”
  • and
    • “Ransomware’s Opening Play: Target Identity First
    • “Ransomware attackers now target identity systems like Active Directory first. Learn how identity resilience can help you prevent and recover from attacks.”

From the cybersecurity defenses front,

  • Cyberscoop asks,
    • “Can Zero Trust survive the AI era?
    • “As AI increases the speed of cyber attacks, governments and businesses must weigh the tradeoffs that come with deploying semi-autonomous AI agents to stop them.”
  • Cybersecurity Dive adds,
    • “Corporate cybersecurity leaders believe AI will be essential to their missions, but, so far, few are seeing big gains from agentic security products, according to a new EY survey.
    • “With AI governance dominating C-suite agendas, the survey released on Thursday found that companies are making progress in integrating risk management frameworks into their operations, even if those ways of thinking have yet to fully permeate corporate cultures.
    • “The survey findings prompted EY to make four high-level recommendations to businesses still deciding how to adopt and use AI for cybersecurity.”
  • The ISACA Blog considers,
    • “A report by the Neuro-rights Foundation examined the privacy practices of around 30 compelling consumer neuro-technology companies and found that more than 90% relied on vague safeguarding language with no concrete protection of consumers’ neural data. Researchers at Bitbrain reported the possibility of neural signals being captured by attackers using man-in-the-middle attacks, with modified information being readily re-injected since applications do not check the devices they are connected to.
    • “The enterprise security perimeter has now moved beyond networks and terminals into the brain itself as thoughts become potential attack vectors.”
  • Here is a link to Dark Reading’s CISO Corner.
