From the Iranian war front,
- Industrial Cyber reports,
- “Following its recent cybersecurity incident, medical technology giant Stryker said it found no indication of ransomware or malware. As the investigation progressed, alongside Palo Alto Networks’ Unit 42 and other experts, the company determined that the threat actor used a malicious file to execute commands, enabling them to conceal activity within its systems. The file was not capable of spreading, either within or outside the environment.
- “Our internal teams continue to work around the clock with external partners to make meaningful progress on our restoration efforts. We are grateful for the partnership and collaboration with government agencies and industry partners,” Stryker wrote in its latest update. “We believe the incident is contained, and we are prioritizing restoration of systems that directly support customers, ordering and shipping. Our internal teams, in partnership with third-party experts, reacted quickly to not only regain access but to remove the unauthorized party from our environment.”
- “The update noted that, most importantly, the investigation has not identified any malicious activity directed towards customers, suppliers, vendors, or partners.” * * *
- “Resecurity warns that the Iran conflict has rapidly evolved into a multi-domain confrontation where kinetic military operations are tightly integrated with cyber, electronic, and information warfare, marking a shift in how modern conflicts unfold. The analysis highlights sustained missile and drone strikes occurring alongside coordinated cyber campaigns driven by state-linked actors and proxy groups targeting critical infrastructure, enterprises, and government systems. This convergence is expected to persist, with cyber operations increasingly used to disrupt services, gather intelligence, and amplify geopolitical impact, even as physical hostilities continue across the region.”
- MedTech Dive adds,
- “Stryker has restored most manufacturing sites and critical lines roughly two weeks after the company suffered a cyberattack.
- “The company is working with its global manufacturing sites as “operations steadily improve towards full capacity,” a spokesperson said in a statement emailed to MedTech Dive. Stryker is making “strong progress” on restoring underlying systems that support production and fulfillment.
- “Stryker’s electronic ordering system, which was shut down due to the attack, has been restored for customers. The Portage, Michigan-based company is “working as quickly and safely as possible to reconcile orders, manufacture products and deliver to our customers so they can continue to provide seamless patient care,” the spokesperson said.
- “The spokesperson declined to comment on whether Stryker has a timeline for full restoration of its operations, and whether the financial and material impact on the company is yet known.”
- Cybersecurity Dive relates,
- “An Iran-linked ransomware group targeted an unnamed U.S. healthcare provider in the lead-up to the Iran war, according to a report Tuesday [March 24] from Halcyon.
- “Tracked under the name Pay2Key, the group gained access to a compromised administrative account for several days and then encrypted the account.
- “Forensics investigators, which included Halcyon and Beazley Security, found no evidence that data was stolen. This marks a departure from the group’s previous attacks. Researchers suggest the attacker may have changed tactics to focus more on destruction rather than pure extortion.
- “Also, the threat group appears to have shifted its attention toward the U.S. after historically targeting Israeli systems.”
From the cybersecurity policy and law enforcement front,
- Cybersecurity Dive reports,
- “Members of Congress and their staffs are eagerly awaiting the Trump administration’s plan for implementing its new cybersecurity strategy and want more regular updates on how the government is helping critical infrastructure organizations guard against new Iran-linked hacking threats.
- “Staffers from the House Homeland Security Committee and the House Oversight Committee discussed those and other cybersecurity issues during a panel at the RSAC 2026 Conference here on Tuesday [March 24].
- “While the Democratic and Republican staffers sometimes took different approaches to the issues, they agreed on the need for more details about the strategy and about efforts to counter Iran-linked cyberattacks.”
- and
- “The program that underpins the entire global vulnerability-fixing ecosystem is in danger of either collapsing or fading into irrelevance without major changes, according to one of the program’s leaders.
- “I don’t think we can afford to continue at the pace [and] with the tools that we currently have in order to make real progress. We’re just gonna be left in the dust,” Katie Noble, a board member for the Common Vulnerabilities and Exposures (CVE) Program, said during a panel at the RSAC 2026 Conference here on Tuesday [March 24].” * * *
- “Through a network of affiliated organizations, the CVE Program vets vulnerability reports and assigns each flaw a unique CVE number, which helps researchers, businesses, government agencies and information-sharing groups track the flaws and understand their impact. The program is widely considered a crown jewel of the cybersecurity community. But its fate is uncertain after the nonprofit MITRE Corporation, which runs the program, almost lost crucial federal funding last year.
- “On top of those logistical woes, the broader CVE ecosystem is also reeling from the dramatic AI-powered increase in the number of vulnerability reports flowing into software vendors and open-source platforms.”
- Cyberscoop adds,
- “Four former National Security Agency directors shared varying concerns about a lack of earnest and widespread response to growing threats in cyberspace during a discussion at the RSAC 2026 Conference on Tuesday.
- “Accelerating threats posed by artificial intelligence, China and cybercriminals at large are testing the country’s resolve and determination to foster meaningful public-private collaboration, the former commanders of U.S. Cyber Command said.
- “While the four-star military officials remain confident in the country’s resources and people committed to defending the nation from cyberattacks, they voiced unease about challenges that could upend technological dominance and diminish a collective response to serious intrusions.
- “I think we’ve become numb to it,” retired Gen. Paul Nakasone said. “We continue to see these different intrusions, and intrusions have gotten to a size that the scale is just incredible to me.”
- and
- “A year-long effort to strengthen cybersecurity and modernize tech at U.S. intelligence agencies has led to policy standards for using AI to bolster cyber defenses, a shared repository of all apps that have undergone a cybersecurity review and more, the Office of the Director of National Intelligence announced Thursday [March 26].
- “An unclassified summary of cyber and tech modernization work under the first year of DNI Tulsi Gabbard’s stewardship states that the office has expanded the automation of threat hunting across intelligence community networks. (The Cybersecurity and Infrastructure Security Agency conducts threat hunting across federal civilian agencies.)
- “The ODNI also has developed a zero-trust strategy that shifts “to a data-centric security model that protects information regardless of location or network,” according to the summary.
- “Over the past year, we have taken meaningful steps to begin fulfilling that responsibility through the largest IC-wide technology investment and modernization effort in history,” Gabbard said in a news release. “President Trump’s Intelligence Community is moving faster and more decisively on cybersecurity modernization and investments in IT than ever before, delivering stronger defenses, greater efficiency, and real cost savings for the American people.”
- Tech Target shares a boatload of other insights from the RSAC conference.
- Federal News Network tells us,
- “The Trump administration is prioritizing ensuring the government leads on adopting artificial intelligence for cyber defense, according to a top Office of Management and Budget official.
- “The use of “AI-enabled cyber tools” is specifically called out in the new national cybersecurity strategy. The White House’s top cyber official has said the administration will launch a series of pilot programs to harden government networks under the new strategy.
- “White House officials in recent weeks convened a roundtable featuring “representatives from industry as well as agencies who are at the cutting edge of cyber defense, to talk about how we can really operationalize AI for cyber defense,” Nick Polk, branch director for cybersecurity within OMB’s Office of the Chief Information Officer, said during a Thursday webinar hosted by the Digital Government Institute.
- “This is something where we have really decided that we want to take the mantle and have the government lead in this space,” Polk added.”
- and
- “The Cybersecurity and Infrastructure Security Agency, after a year of workforce reductions that has left CISA’s ranks depleted, is planning to recruit more than 300 people in the coming months.
- “The cyber agency is also loosening restrictions around flexible work schedules for its employees.
- “Acting CISA Director Nick Andersen announced those plans in a March 23 email to staff. Andersen said Department of Homeland Security headquarters had approved CISA’s “critical hire list,” including 329 “mission critical hires” throughout the agency.
- “During the ongoing government shutdown, CISA will only be hiring for “excepted” positions, Andersen added. Roughly two-thirds of CISA’s staff is currently furloughed due to the DHS shutdown.”
- Per a National Institute of Standards and Technology news release,
- “NIST has released two new CSF 2.0 quick-start guides, adding to an expanding portfolio of available implementation resources offering tailored pathways for different audiences to engage with the CSF 2.0. The two new resources include:
- “Final Version: NIST Special Publication (SP) 1308, NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick-Start Guide
- “Open for Public Comment: NIST SP 1347 Initial Public Draft (ipd), CSF 2.0 Informative References Quick-Start Guide”
- Cybersecurity Dive informs us,
- “The Federal Communications Commission on Monday said it will no longer approve imported routers for consumer use without government review.
- “An interagency body convened by the White House determined that consumer-grade routers made outside the U.S. present an unacceptable risk to national security, according to FCC officials.
- “The Trump administration’s 2025 National Security Strategy says the U.S. should not be dependent on an outside power for core components considered vital to the nation’s economy or defense.”
- Cyberscoop points out,
- “An operation to crack down on the widely used RedLine infostealer has netted the extradition of an Armenian man to the United States, where he made an initial appearance in a Texas court Wednesday.
- “Authorities charged Hambardzum Minasyan with conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act and conspiracy to commit money laundering for his alleged role with RedLine. Infostealers thieve billions of user credentials such as passwords annually.”
- Security Week adds,
- “Russian cybercriminal Ilya Angelov, known online as ‘Milan’ and ‘Okart’, has been sentenced to two years in federal prison for his role in the administration of a botnet used to facilitate ransomware attacks, the DOJ announced on Tuesday [March 24].
- “According to the DOJ, Angelov was part of a threat group tracked by the FBI as Mario Kart, and by the cybersecurity community as TA-551, Shathak, Gold Cabin, Monster Libra, G0127, and ATK236.
- “The charges against Angelov stem from activities he engaged in between 2017 and 2021, during which his cybercrime group built a botnet by distributing malware via spam email attachments.” * * *
- “Angelov’s sentencing comes shortly after the DOJ announced that another Russian national, Aleksei Volkov, has been sentenced to 81 months in prison for his role in ransomware attacks.”
- The Wall Street Journal notes,
- “Global hackers are getting better at drawing lessons from online crime busts to build more resilient operations, posing a dilemma for law-enforcement officials.
- “The problem, known as tactical exposure, is expected to deepen amid calls by the White House for more aggressive action against cybercrime and a recent wave of takedowns and disruptions of cybercrime networks and platforms.”
From the cybersecurity vulnerabilities and breaches front,
- CISA added three known exploited vulnerabilities to its catalog this week.
- March 25, 2026: CVE-2026-33017 Langflow Code Injection Vulnerability. Bleeping Computer discusses this KEV here.
- March 26, 2026: CVE-2026-33634 Aqua Security Trivy Embedded Malicious Code Vulnerability. CyberPress discusses this KEV here.
- March 27, 2026: CVE-2025-53521 F5 BIG-IP Remote Code Execution Vulnerability. Help Net Security discusses this KEV here.
- Cybersecurity Dive reports,
- “A sophisticated China-nexus threat actor has embedded digital sleeper cells into the networks of telecom firms in multiple countries, according to a report released Thursday from cybersecurity firm Rapid7.
- “The adversary, tracked as Red Menshen, has used a stealthy, Linux-based implant called BPFdoor that is designed to function within the operating system kernel.
- “The goal is to run an espionage campaign against critical industry segments and government agencies, maintaining a long-term presence inside these networks, Rapid7 researchers said. ‘There are similarities to campaigns previously launched by other China-nexus actors, including Volt Typhoon and Salt Typhoon, but the mechanisms have evolved and the strategic objectives of these attacks have a longer tail.’”
- and
- “The evolving threat landscape has placed identity governance at the center of cybersecurity, according to a pair of reports released this week, meaning that organizations should prioritize identity management as a way to protect sprawling computer networks from under-the-radar intrusions.
- “Cloudflare’s report, released Wednesday, and PwC’s report, released Tuesday, both emphasize the need for companies to do a better job of monitoring user behavior and scanning for suspicious network activity.
- “The rise of AI only makes identity governance even more important, researchers wrote, as the technology helps hackers improve their impersonation tactics.”
- and
- “Security researchers warn that a critical vulnerability in Citrix NetScaler products might lead to a wave of exploitation that could rival the 2023 CitrixBleed crisis.
- “Citrix on Monday [March 23] disclosed an insufficient input validation flaw in NetScaler ADC and NetScaler Gateway application-delivery products, tracked as CVE-2026-3055, with a severity score of 9.3.
- “Citrix also disclosed a race condition flaw, tracked as CVE-2026-4368, in the same products. That vulnerability has a severity score of 7.7.
- “The input validation flaw can allow an attacker to leak sensitive information, similar to the original CitrixBleed flaw, which led to a wave of high profile data theft and ransomware attacks.
- “NetScalers are critical solutions that have been continuously targeted for initial access into enterprise environments,” Benjamin Harris, founder and CEO of watchTowr, told Cybersecurity Dive.”
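- The BPFdoor item above (the Rapid7 findings relayed by Cybersecurity Dive) describes an implant that keeps a long-term presence without the usual footprint. The following is an added example, not code from Rapid7, Cybersecurity Dive or any vendor, showing one way to hunt for that class of implant on a Linux host. It rests on one assumption stated here and in the comments: that a BPFdoor-style implant waits for its wake-up traffic on an AF_PACKET raw socket carrying a BPF filter rather than on a listening TCP or UDP port, so it never appears in `ss -ltnp` but does appear in `/proc/net/packet`. The `/proc` text, the inode-to-process map, the allowlist and the process names are all constructed for the demo.

```python
# Added example: hunt for raw packet sockets held by processes that have no
# business sniffing. Assumption (not stated in the article): BPFdoor-style
# implants receive their trigger through an AF_PACKET socket with a BPF
# filter instead of a listening port. All sample data below is constructed.
from dataclasses import dataclass

# Socket type and protocol values as they appear in /proc/net/packet.
SOCK_RAW = 3
ETH_P_ALL = 0x0003

# Processes that legitimately hold raw packet sockets (assumption: tune per host).
EXPECTED_SNIFFERS = {"tcpdump", "dhclient", "dhcpcd", "lldpd", "NetworkManager"}


@dataclass
class PacketSocket:
    sk_type: int
    proto: int
    ifindex: int   # 0 means bound to every interface
    running: bool
    uid: int
    inode: int


def parse_proc_net_packet(text: str):
    """Parse the /proc/net/packet table (one header line, then one row per
    AF_PACKET socket: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    sockets = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) != 9:
            continue
        _sk, _refcnt, sk_type, proto, ifindex, running, _rmem, uid, inode = cols
        sockets.append(PacketSocket(int(sk_type), int(proto, 16), int(ifindex),
                                    running == "1", int(uid), int(inode)))
    return sockets


def hunt(proc_net_packet: str, inode_to_proc: dict):
    """Return a finding for every raw, all-protocol packet socket whose owner
    is not an expected sniffer. inode_to_proc maps socket inode -> (pid, comm,
    cmdline); on a live host build it by resolving the socket:[INODE] links
    under /proc/<pid>/fd (constructed here so the demo runs offline)."""
    findings = []
    for s in parse_proc_net_packet(proc_net_packet):
        if s.sk_type != SOCK_RAW or s.proto != ETH_P_ALL:
            continue
        pid, comm, cmdline = inode_to_proc.get(s.inode, (None, "<unknown>", ""))
        if comm in EXPECTED_SNIFFERS:
            continue
        # Generic masquerading heuristic (assumption): a command line that
        # claims to be a system daemon while the kernel's comm says otherwise.
        claimed = cmdline.split("/")[-1].split()[0] if cmdline else ""
        mismatch = bool(claimed) and claimed != comm
        findings.append({"pid": pid, "comm": comm, "cmdline": cmdline,
                         "inode": s.inode, "uid": s.uid, "ifindex": s.ifindex,
                         "name_mismatch": mismatch})
    return findings


# Constructed /proc/net/packet snapshot: a DHCP client, a datagram socket,
# and an unexplained raw socket bound to all interfaces.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      18422
0000000000000000 3      2    0800   2     1 0      0      18475
0000000000000000 3      3    0003   0     1 0      0      22931
"""

# Constructed inode -> (pid, comm, cmdline) map; the last entry is the
# suspicious one: comm "syshelper" but a cmdline claiming to be udevd.
SAMPLE_INODE_TO_PROC = {
    18422: (1342, "dhclient", "/sbin/dhclient -4 eth0"),
    18475: (2210, "NetworkManager", "/usr/sbin/NetworkManager --no-daemon"),
    22931: (4419, "syshelper", "/sbin/udevd -d"),
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_PROC_NET_PACKET, SAMPLE_INODE_TO_PROC):
        print(f)
```

The hunt deliberately keys on the socket rather than on file hashes or process names, because those are the things an implant author changes between campaigns; a raw socket open on every interface by something that is not your packet capture tooling deserves a look regardless of what it calls itself.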
- Cyberscoop relates,
- “Researchers and threat hunters are scrambling to contain a maximum-severity defect in Ubiquiti’s UniFi Network Application that attackers could exploit to take over user accounts by accessing and manipulating files.
- “The path-traversal vulnerability — CVE-2026-22557 — affects software used to manage UniFi networking devices, including access points, gateways and switches. The vendor disclosed and released patches for the defect in a security advisory Wednesday [March 25].
- “As of this morning, we have not observed any public proof-of-concept exploits or confirmed reports of exploitation in the wild,” Matthew Guidry, senior product detection engineer at Censys, told CyberScoop.
- “However, because this is a path-traversal vulnerability, the technical complexity for an attacker is typically lower than memory-corruption or buffer-overflow bugs,” he added. “Given that the CVSS 10 rating implies low attack complexity, we anticipate that once the specific vulnerable endpoint is identified, exploitation will be trivial to automate.”
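- Guidry's point that path-traversal bugs are cheap to exploit and trivial to automate applies to any web application that builds a filesystem path from client input. The block below is an added example, not code from Ubiquiti, Censys or the CyberScoop article, and it says nothing about the UniFi endpoint itself, which the article does not identify. It shows the vulnerable pattern beside a hardened resolver and a detector for the traversal requests that show up in access logs once exploitation is automated. The base directory, file names and log lines are constructed.

```python
# Added example: the generic path-traversal bug, its fix, and a log check.
# Not from Ubiquiti or the advisory; all inputs below are constructed.
import os
import re
import tempfile
from urllib.parse import unquote


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """The classic bug: trusting a client-supplied relative path.
    os.path.join() follows '..' components, and if user_path is absolute
    it discards base_dir entirely."""
    return os.path.join(base_dir, user_path)


def _fully_decode(text: str) -> str:
    """Percent-decode until stable (bounded), so %252e%252e is caught."""
    for _ in range(3):
        nxt = unquote(text)
        if nxt == text:
            break
        text = nxt
    return text


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Resolve user_path strictly inside base_dir or raise ValueError.
    Decodes, rejects NUL bytes and absolute paths, then compares the
    symlink-resolved candidate against the symlink-resolved base."""
    decoded = _fully_decode(user_path)
    if "\x00" in decoded or os.path.isabs(decoded):
        raise ValueError(f"rejected path: {user_path!r}")
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, decoded))
    # commonpath is the containment test; a naive startswith() would
    # accept '/srv/www-evil/x' as being inside '/srv/www'.
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise ValueError(f"traversal outside base: {user_path!r}")
    return candidate


def demo_resolver() -> dict:
    """Exercise safe_resolve() on a throwaway directory holding one file;
    returns {input: 'ok' | 'rejected'}."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    with open(os.path.join(base, "report.txt"), "w") as fh:
        fh.write("constructed content\n")
    cases = ["report.txt", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
             "%252e%252e/secret", "/etc/passwd", "report.txt\x00.png"]
    verdicts = {}
    for case in cases:
        try:
            safe_resolve(base, case)
            verdicts[case] = "ok"
        except ValueError:
            verdicts[case] = "rejected"
    return verdicts


# Matches ../ or ..\ in either direction after decoding.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/\.\.|\\\.\.)")


def scan_access_log(lines):
    """Return (client, raw_request_path) for every common-log-format line
    whose decoded path contains a traversal sequence."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        client, request_path = parts[0], parts[6]
        if TRAVERSAL_RE.search(_fully_decode(request_path)):
            hits.append((client, request_path))
    return hits


# Constructed access-log sample: one benign request, then plain, encoded
# and double-encoded traversal attempts.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Mar/2026:10:00:01 +0000] "GET /api/status HTTP/1.1" 200 87',
    '203.0.113.9 - - [25/Mar/2026:10:00:02 +0000] "GET /files/../../etc/passwd HTTP/1.1" 403 0',
    '198.51.100.4 - - [25/Mar/2026:10:00:03 +0000] "GET /files/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
    '198.51.100.7 - - [25/Mar/2026:10:00:04 +0000] "GET /files/%252e%252e%252fconfig HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(demo_resolver())
    print(scan_access_log(SAMPLE_LOG))
```

Two details matter in practice: decode before you compare (a single `unquote` misses double encoding, and comparing the raw string misses it entirely), and resolve symlinks on both sides before the containment check, or a link planted inside the base directory walks you out of it anyway. The 200 status on the double-encoded line in the sample is the kind of thing the log scan exists to surface.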
From the ransomware front,
- The Bangor Daily News reports,
- “The Maine mental health agency AMHC was the subject of a ransomware attack this month allegedly perpetrated by a Russia-based cybercrime group.
- “Qilin, which analysts have cited as the world’s leading ransomware threat, added the Presque Isle-based healthcare organization to a list of victims on its dark web data leak site Tuesday, according to screenshots and reports posted by more than a dozen websites and groups that track ransomware.
- “AMHC is the largest behavioral healthcare provider for a large swath of rural Maine, operating in Aroostook, Hancock and Washington counties. It has more than 350 employees and over 5,500 clients between 27 service locations, according to its website.
- “The organization acknowledged the attack in a statement to the Bangor Daily News Wednesday, saying that it “recently experienced a network disruption,” and that it had partnered with “cyber incident specialists” to investigate.”
- Dark Reading relates,
- “Ransomware is not only growing, threat actors are also accelerating the pace of their attacks by using offensive tools to exploit valid credentials and hit targets with speed and precision.
- “The practice has undergone big changes over the past five years. Initially, attacks focused on encrypting data; now, threat actors threaten to extract it to pressure victims into paying. Double-extortion tactics quickly shifted to triple-extortion threats to expose stolen data. Threat actors also transitioned from extorting companies to contacting victims directly — whatever it takes to rake in the cash.
- “The latest shift is all about speed. Ransomware actors discovered methods to bypass endpoint detection and response (EDR) tools, and they’re increasingly using artificial intelligence (AI) to steal data more quickly.
- “Halcyon’s 2026 Method Survey Report reveals that while 98% of organizations use EDR tools for ransomware defense, only 25% “actually trust it to defend against today’s evolving ransomware threat.” Additionally, 78% of surveyed participants say AI made ransomware attacks more effective. Conversely, only 6% believe the tools have improved their own defenses.”
- CSO adds,
- “In 2025, attacker dwell time rose, voice phishing topped email phishing, and threat actors increasingly targeted backup and identity systems, according to Mandiant’s latest incident response data.
- “Mandiant’s M-Trends 2026 report, released today at the RSA Conference, shows that attackers are moving faster, operating more collaboratively, and increasingly focusing on the systems organizations rely on to recover from breaches.
- “The report, based on more than 500,000 hours of incident response engagements in 2025, finds that attackers are compressing key phases of the attack lifecycle, even as median dwell time increased to 14 days, up from 11 days the previous year.
- “In addition, it reveals a change in tactics. Voice phishing accounted for 11% of initial infection vectors, making it the second most common entry point after exploits, which led at 32%. Email phishing declined to 6%, down from 14% the year before, reflecting a move toward more interactive social engineering. Together, the trends point to a shift in both how quickly attacks unfold and what attackers are trying to achieve once inside.”
- Tech Radar explains why stolen credentials continue to work even when multi-factor authentication is in place.
- Cybersecurity Dive tells us,
- “Businesses need to think carefully about when they publicly blame a threat actor for a cyberattack, lest they invite unwanted consequences, experts said at a panel at the RSAC 2026 Conference here on Tuesday.
- “The rush to attribute is a risky one,” Megan Stifel, the chief strategy officer at the Institute for Security and Technology, a cybersecurity think tank, said during a panel discussion.
- “Brett Callow, a ransomware expert and senior adviser at FTI Consulting who advises cyberattack victims, called attribution “extremely risky” because “you are bringing third parties into the discussion, and those third parties may very well respond.”
From the cybersecurity defenses front,
- Cyberscoop reports,
- “Google is accelerating its timeline for migrating its products to quantum resistant encryption to 2029, the latest sign that tech leaders are worried that they haven’t been aggressive enough in planning for a post-quantum future.
- “In a blog posted Wednesday [March 25], vice president of security engineering Heather Adkins and senior staff cryptology engineer Sophie Schmieg said that Google and other tech companies have observed faster than expected advances in several quantum fields.
- “This new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates,” Adkins and Schmieg wrote.
- “Google is replacing outdated encryption across their devices, systems and data with new algorithms vetted by the National Institute of Standards and Technology. Those algorithms, developed over a decade by NIST and independent cryptologists, are designed to protect against future attacks from quantum computers.”
- Cybersecurity Dive relates,
- “Businesses hoping AI can automate away their security woes should think again, because the technology isn’t a cure-all and is actually introducing new risks, experts warned at the RSAC 2026 Conference here.
- “We’re seeing advantages [with AI for defense], but we’re also seeing a lot of hiccups as we figure out how to get there,” Adam Pennington, who oversees MITRE’s ATT&CK framework, said during a panel about how AI is changing the push-and-pull between attackers and defenders.
- “Security teams are using AI in a lot of the same ways as hackers, Pennington said, especially rapid code-writing. “There does need to be some caution, though, in using it directly in defense,” he said. “False positives have always been a problem in trying to apply machine learning and AI to defense.”
- “The warnings from Pennington and others on the panel come as businesses rush to purchase AI security services, often with seemingly little regard for their efficacy or tradeoffs.”
- Dark Reading adds,
- “Organizations may want to think twice before consulting with AI models on software dependency decisions.
- “New research from Sonatype found that “frontier” models (defined as the most advanced AI models available at a given moment) often generate faulty or fabricated recommendations for software dependencies, which spells trouble for organizations that lean on AI for upgrade and patching guidance.
- “Sonatype’s research team analyzed 36,870 unique dependency upgrade recommendations across Maven Central, npm, PyPI, and NuGet between June and August 2025. In all, the DevSecOps company studied a total of 258,000 recommendations generated by seven AI models from Anthropic, OpenAI, and Google.”
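- The Sonatype finding that models fabricate dependency upgrade recommendations has a direct defensive corollary: never let a suggested package or version reach a manifest without confirming it exists. The block below is an added example, not Sonatype's methodology or code, of such a gate. The package names, versions and yank flags in the registry snapshot and the sample recommendations are constructed; a real deployment would query the ecosystem's index (the PyPI JSON API, the npm registry, Maven Central search) and cache the answer.

```python
# Added example: vet AI-suggested dependency upgrades against a registry
# snapshot. Not Sonatype's code; the registry and recommendations below are
# constructed, including the fictional package names.
import re
from typing import NamedTuple

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    prerelease: str  # empty for a final release


def parse_version(text: str) -> Version:
    m = SEMVER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    return Version(int(m[1]), int(m[2]), int(m[3]), m[4] or "")


def is_upgrade(current: Version, proposed: Version) -> bool:
    """Final releases compare by (major, minor, patch); a pre-release sorts
    below the final release that carries the same numbers."""
    def key(v):
        return (v.major, v.minor, v.patch, v.prerelease == "", v.prerelease)
    return key(proposed) > key(current)


# Constructed registry snapshot: package -> {version: yanked?}
REGISTRY = {
    "netparse": {"1.4.0": False, "1.5.0": False, "1.5.1": False},
    "authkit": {"0.9.3": False, "1.0.0": False, "1.0.1": True},
    "tlswrap": {"2.2.0": False, "2.3.0-rc1": False},
}


def vet_recommendation(package: str, current: str, proposed: str,
                       registry=REGISTRY) -> str:
    """Classify one 'upgrade package from current to proposed' suggestion.
    Returns one of: accept, unknown-package, malformed, unknown-version,
    yanked, prerelease, not-an-upgrade."""
    versions = registry.get(package)
    if versions is None:
        return "unknown-package"      # hallucinated name: a slopsquatting target
    try:
        cur, new = parse_version(current), parse_version(proposed)
    except ValueError:
        return "malformed"            # e.g. "latest", which is not a pin
    if proposed not in versions:
        return "unknown-version"      # hallucinated version number
    if versions[proposed]:
        return "yanked"               # exists, but the maintainer pulled it
    if new.prerelease:
        return "prerelease"           # exists, but not a release to pin to
    if not is_upgrade(cur, new):
        return "not-an-upgrade"       # a downgrade presented as a fix
    return "accept"


# Constructed sample of what a model might propose, one per verdict.
SAMPLE_RECOMMENDATIONS = [
    ("netparse", "1.4.0", "1.5.1"),
    ("netparse", "1.4.0", "1.6.0"),
    ("netparse", "1.5.1", "1.4.0"),
    ("authkit", "1.0.0", "1.0.1"),
    ("tlswrap", "2.2.0", "2.3.0-rc1"),
    ("authkit-extras", "1.0.0", "1.1.0"),
    ("netparse", "1.4.0", "latest"),
]


def vet_all(recs=SAMPLE_RECOMMENDATIONS, registry=REGISTRY):
    return [(pkg, new, vet_recommendation(pkg, cur, new, registry))
            for pkg, cur, new in recs]

if __name__ == "__main__":
    for pkg, new, verdict in vet_all():
        print(f"{pkg}=={new}: {verdict}")
```

The ordering of the checks is deliberate: an unknown package is rejected before anything else so a typo-squat candidate is never looked up as if it were real, and a yanked release is refused even though it "exists", which is exactly the case a model trained on stale data will recommend confidently.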
- Here is a link to Dark Reading’s CISO Corner.
