From the Iranian War front,
- Dark Reading reports,
- With the US and Iran having reached a fragile ceasefire this week, security researchers and executives are left wondering whether there will be a commensurate pause in the cyberwarfare that has ramped up around the war.
- The day after the temporary truce was announced, Iran’s most high-profile false-flag hacktivist operation, Handala, offered that it would participate in a temporary pause in hostilities. But even if one takes that group at its word, history suggests that ceasefires rarely stop or slow cyberactivity surrounding kinetic wars. In fact, in the absence of more effective ways of fighting, cyberattacks tend to flare significantly.
- “Historical data and recent intelligence analysis indicate that a military ceasefire rarely equates to a ‘digital stand-down,’” warns Austin Warnick, director of Flashpoint’s National Security Intelligence Team. Instead, he tells Dark Reading, “Cyber operations often remain steady or even flare up as an asymmetric pressure valve while kinetic hostilities are paused.”
- Cyberscoop adds,
- “The fallout and potential exposure from Iran’s state-backed targeting of U.S. critical infrastructure extends to more than 5,200 internet-connected devices, researchers at Censys said in a threat intelligence brief Wednesday [April 8].
- “Of the programmable logic controllers manufactured by Rockwell Automation/Allen-Bradley that Censys identified as potentially exposed to Iranian government attackers, nearly 3,900, or about 3 out of every 4, are based in the United States.
- “The cybersecurity firm identified the devices based on details multiple federal agencies shared in a joint alert Tuesday, and published additional indicators of compromise, including operator IPs and other threat hunting queries.
- “Federal authorities earlier this week warned that Iranian government attackers have exploited devices that control industrial automation processes and disrupted multiple sectors during the past month. Some victims also experienced financial losses as a result of the attacks, officials said.”
- MedTech Dive tells us,
- “Stryker is now fully operational after a[n Iranian] cyberattack took down its manufacturing, ordering and shipping operations.
- “The medtech company’s global manufacturing and commercial, ordering and distribution systems have been fully restored, according to a Thursday [April 9] filing with the Securities and Exchange Commission.
- “Stryker said that the attack had a material impact on its operations, which will affect the company’s financial results for the first quarter of 2026. However, Stryker does not expect a material impact on its full-year guidance of 8% to 9.5% organic sales growth and adjusted earnings per share of $14.90 to $15.10.
- “The company did not detail the expected financial impact on the first quarter.”
From the cybersecurity policy and law enforcement front,
- The Wall Street Journal reports,
- “Top White House officials are racing to address potential cybersecurity threats posed by the latest artificial-intelligence models, highlighting how AI’s perils are becoming a top priority for the Trump administration.
- “National Cyber Director Sean Cairncross is leading the administration’s response, convening officials across agencies to identify security weaknesses in critical infrastructure and bolster government systems that could be exploited by AI, people familiar with the matter said. The administration is working with the private sector to make sure Americans are safe when new models are released, White House officials said.
- “In recent days, the administration has held discussions featuring Vice President JD Vance and Treasury Secretary Scott Bessent with leading tech and financial executives about coordinating the private sector’s response to potential cyberattacks and preparing online systems, the people said.
- “The moves come during an intensifying race among the top AI companies to release more powerful models that could cause widespread online disruptions if put to work by bad actors.
- “Anthropic said this week its new AI model Mythos was so good at finding and exploiting software bugs that the company has no plans to release it to the general public. Instead, Anthropic has made a preview version of the model available to roughly 50 companies and organizations that run critical infrastructure, including leading tech companies such as Apple, Amazon.com and Google. The aim is to find and fix bugs in hardware and software before the model is publicly released.
- “The company has also held discussions with government officials about the model’s cyber capabilities.
- “OpenAI and other model developers are also expected to release powerful tools in the weeks ahead.”
- and
- “Over the past six months, cybersecurity researchers have become increasingly worried that AI systems are not only becoming better at finding bugs, but that they are also shrinking the window of time between when a bug is disclosed and when it can be exploited with working attack software.
- “Late last year, researchers at Stanford University found that AI software was almost as good as humans at finding and exploiting bugs on a real-world network.
- “And earlier this year Anthropic’s Claude Opus 4.6 model found more high-severity bugs in the Firefox browser in two weeks than the rest of the world typically reports in two months.
- “When measuring dollar cost to find a bug, Mythos is about 10 times as efficient as previous AI models, Graham said. Details of Mythos’s capabilities were previously reported by Fortune.”
- HIPAA Journal lets us know,
- “To help HIPAA-regulated entities manage risks and vulnerabilities, OCR has recorded a risk management video. In the video, Nicholas Heesters, OCR’s Senior Advisor for Cybersecurity, explains the HIPAA risk management requirements and provides examples of potential risk management violations identified during OCR’s investigations of data breaches.
- “In December 2025, OCR requested questions from HIPAA-regulated entities on risk management, and has provided answers to a selection of those questions in the video. The video also shares important resources to help HIPAA-regulated entities comply with this important HIPAA Security Rule requirement. You can view the video on OCR’s YouTube channel.”
- Cybersecurity Dive relates,
- “The Justice Department on Tuesday [April 7] announced that it had stopped Russia’s military intelligence agency from using hacked U.S. routers to maliciously redirect internet traffic and steal data from victims that include governments and critical infrastructure operators.
- “Operatives of the Russian GRU have spent several years breaking into TP-Link small office and home office (SOHO) routers around the world and reconfiguring them to send DNS requests through Kremlin-controlled servers, which allowed Moscow to collect internet traffic and even passwords, emails and other sensitive information from victim networks. In response, the FBI launched “Operation Masquerade,” sending commands to hacked routers that collected forensic data and reset their DNS settings to erase Russia’s foothold in the devices.
- “DOJ announced the operation hours after Microsoft revealed Russia’s abuse of SOHO routers. “For nation-state actors like Forest Blizzard,” Microsoft said, “DNS hijacking enables persistent, passive visibility and reconnaissance at scale.”
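The passage above describes routers silently reconfigured to forward DNS to attacker-controlled servers, and the remediation resetting those settings. As an added example (not from the DOJ, FBI or Microsoft material quoted, and not the tooling used in Operation Masquerade), the following Python audits a fleet's configured resolvers against an approved list and a golden baseline. The inventory format (`<device> dns=<resolver>,<resolver>`), the device names, the approved resolvers and the organization's address ranges are all hypothetical and use documentation address space.

```python
import ipaddress

# Hypothetical organization values (documentation address ranges, not real infrastructure).
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
ORG_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]

# Constructed inventory exports, one "<device> dns=<resolver>[,<resolver>]" line per router.
BASELINE_SNAPSHOT = """\
# golden configuration captured at deployment
rtr-branch-01 dns=192.0.2.53,192.0.2.54
rtr-branch-02 dns=192.0.2.53,192.0.2.54
rtr-home-03 dns=192.0.2.53
"""
CURRENT_SNAPSHOT = """\
rtr-branch-01 dns=192.0.2.53,192.0.2.54
rtr-branch-02 dns=203.0.113.9,192.0.2.54
rtr-home-03 dns=10.0.0.2
"""


def parse_snapshot(text: str) -> dict:
    """Map device name -> list of configured resolver addresses."""
    devices = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, setting = line.partition(" ")
        key, _, value = setting.partition("=")
        if key != "dns":
            continue
        devices[name] = [ipaddress.ip_address(v) for v in value.split(",") if v]
    return devices


def audit_resolvers(devices: dict, approved=APPROVED_RESOLVERS, org_networks=ORG_NETWORKS) -> list:
    """Flag every resolver not on the approved list; note whether it lies outside org address space."""
    approved_ips = {ipaddress.ip_address(a) for a in approved}
    findings = []
    for name, resolvers in sorted(devices.items()):
        for ip in resolvers:
            if ip in approved_ips:
                continue
            findings.append({
                "device": name,
                "resolver": str(ip),
                # A resolver outside every org network is the hijack pattern described above.
                "outside_org": not any(ip in net for net in org_networks),
            })
    return findings


def changed_devices(baseline: dict, current: dict) -> list:
    """Devices whose resolver set drifted from the golden configuration (a silent reconfiguration)."""
    return sorted(name for name, resolvers in current.items()
                  if set(resolvers) != set(baseline.get(name, [])))


if __name__ == "__main__":
    base, cur = parse_snapshot(BASELINE_SNAPSHOT), parse_snapshot(CURRENT_SNAPSHOT)
    for finding in audit_resolvers(cur):
        print(finding)
    print("drifted from baseline:", changed_devices(base, cur))
```

Two checks are kept separate on purpose: the allowlist audit catches a resolver that should never appear, while the baseline diff catches any change at all, including a swap to a resolver that looks internal. Both routers in the constructed current snapshot are flagged, but only the branch router points at an address outside the organization's space.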
From the cybersecurity breaches and vulnerabilities front,
- Bleeping Computer reports,
- “Bitcoin Depot, which operates one of the largest Bitcoin ATM networks, says attackers stole $3.665 million worth of Bitcoin from its crypto wallets after breaching its systems last month.
- “The company manages more than 25,000 Bitcoin ATMs and BDCheckout locations worldwide and reported revenue of $615 million in 2025.
- “As revealed in a filing with the U.S. Securities and Exchange Commission, the company discovered the attack on March 23 after detecting suspicious activity on some of its IT systems.”
- “While it took immediate measures to contain the breach, the attackers had time to steal credentials to digital asset settlement accounts and transfer over 50 Bitcoin from Bitcoin Depot’s wallets before their access was blocked.”
- Dark Reading discusses how “Russia’s ‘Fancy Bear’ APT Continues Its Global Onslaught.”
- “Victims don’t need to match the cyber espionage group’s technical sophistication, experts say. But patching and some form of zero trust are now non-negotiable.”
- The Cybersecurity and Infrastructure Security Agency added two known exploited vulnerabilities to its catalog this week.
- April 6, 2026: CVE-2026-35616 Fortinet FortiClient EMS Improper Access Control Vulnerability. Cybersecurity Dive discusses this KEV here.
- April 8, 2026: CVE-2026-1340 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability. Cybersecurity Dive discusses this KEV here.
- Bleeping Computer advises,
- “Analysis of CISA’s Known Exploited Vulnerabilities over the past four years shows critical vulnerabilities still open at Day 7 worsened from 56% to 63% despite teams closing 6.5x more tickets. Staffing cannot solve this.
- “Of the 52 tracked weaponized vulnerabilities in our study, 88% were patched more slowly than they were exploited — half were weaponized before any patch existed.
- “The problem is not speed. It is the operational model itself.
- “Cumulative exposure, not CVE counts, is the true risk metric that security teams now need to measure. While dashboards reward the sprint to get patches implemented, breaches exploit the tail. AI is not another attack surface — instead, the transition period where AI-powered attackers face human defenders is the industry’s most dangerous window.
- “In response, defenders have to implement their own autonomous, closed-loop risk operations.”
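The quoted analysis contrasts ticket counts with cumulative exposure and the "still open at Day 7" tail. As an added example (not from Bleeping Computer or the study it summarizes), the following Python computes those metrics over a constructed set of KEV-style records. The CVE identifiers are placeholders, the dates are illustrative, and the field names (`exploited`, `patch_available`, `remediated`) are assumptions about what a tracking system would record.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ExposureRecord:
    """One tracked, in-the-wild exploited vulnerability (constructed data)."""
    cve_id: str                        # placeholder id, not a real CVE
    severity: str                      # "critical", "high", ...
    exploited: date                    # first observed exploitation
    patch_available: Optional[date]    # None: no vendor fix existed during the window
    remediated: Optional[date]         # None: still open as of the report date


def exposure_days(rec: ExposureRecord, as_of: date) -> int:
    """Days the flaw was exploitable in the estate: exploitation to remediation (or to as_of)."""
    end = rec.remediated or as_of
    return max((end - rec.exploited).days, 0)


def weaponized_before_patch(rec: ExposureRecord) -> bool:
    """True if exploitation was observed before any vendor patch existed."""
    return rec.patch_available is None or rec.exploited < rec.patch_available


def still_open_at(rec: ExposureRecord, day: int) -> bool:
    """True if the flaw was still unremediated `day` days after exploitation began."""
    return rec.remediated is None or (rec.remediated - rec.exploited).days > day


def summarize(records, as_of: date, day: int = 7) -> dict:
    """Contrast the headline CVE count with the exposure metrics the article argues for."""
    critical = [r for r in records if r.severity == "critical"]
    open_critical = [r for r in critical if still_open_at(r, day)]
    return {
        "cve_count": len(records),
        "cumulative_exposure_days": sum(exposure_days(r, as_of) for r in records),
        "pct_critical_open_at_day": round(100 * len(open_critical) / len(critical), 1) if critical else 0.0,
        "pct_weaponized_before_patch": round(100 * sum(weaponized_before_patch(r) for r in records) / len(records), 1),
    }


def exposure_tail(records, as_of: date, n: int = 3) -> list:
    """The longest-exposed CVEs: the tail that breaches exploit and a closed-ticket count hides."""
    ranked = sorted(records, key=lambda r: exposure_days(r, as_of), reverse=True)
    return [r.cve_id for r in ranked[:n]]


AS_OF = date(2026, 4, 10)
# Constructed records with placeholder ids; dates are illustrative only.
SAMPLE = [
    ExposureRecord("CVE-0000-0001", "critical", date(2026, 3, 1), date(2026, 3, 3), date(2026, 3, 5)),
    ExposureRecord("CVE-0000-0002", "critical", date(2026, 3, 10), date(2026, 3, 1), date(2026, 3, 25)),
    ExposureRecord("CVE-0000-0003", "high", date(2026, 3, 20), None, None),
    ExposureRecord("CVE-0000-0004", "critical", date(2026, 4, 1), date(2026, 3, 28), None),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, AS_OF))
    print("longest exposures:", exposure_tail(SAMPLE, AS_OF))
```

On the constructed set, three of four tickets could be reported as handled or in progress, yet cumulative exposure is 49 device-days and two of the three critical items were still open a week after exploitation began, which is the gap between ticket throughput and risk that the article points at.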
- and tells us,
- “Attackers have been exploiting a zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December.
- “The attacks have been discovered by security researcher Haifei Li (the founder of the sandbox-based exploit-detection platform EXPMON), who warned on Tuesday that the attackers are using what he described as a “highly sophisticated, fingerprinting-style PDF exploit” to target an undisclosed Adobe Reader security flaw.
- “Li also said that these attacks have been targeting Adobe users for at least 4 months, stealing data from compromised systems using privileged util.readFileIntoStream and RSS.addFeed Acrobat APIs, and deploying additional exploits.
- “This ‘fingerprinting’ exploit has been confirmed to leverage a zero-day/unpatched vulnerability that works on the latest version of Adobe Reader without requiring any user interaction beyond opening a PDF file,” Li warned.
- “Even more concerning, this exploit allows the threat actor to not only collect/steal local information but also potentially launch subsequent RCE/SBX attacks, which could lead to full control of the victim’s system.”
- Cybersecurity Dive informs us,
- “A cyber threat actor is using the React2Shell vulnerability as the basis for a widespread credential-harvesting campaign that has compromised everything from AI tool API keys to cloud platform passwords.
- “After identifying internet-facing React Server Components instances that are vulnerable to React2Shell, the hackers upload a malicious payload to the server — without the need for authentication — that lets them execute arbitrary code on the target server, researchers at Cisco’s Talos threat intelligence group said in a recent report.
- “The payload contains a “multi-phase credential harvesting tool that harvests credentials, SSH keys, cloud tokens, and environment secrets at scale,” Cisco researchers wrote.
- “The entire process after target identification is automated. “No further manual interaction is required to extract and exfiltrate credentials harvested from the system,” Cisco said.”
From the ransomware front,
- The American Hospital Association reports,
- “Health care and public health was the top sector targeted for cyberthreats in 2025, according to the FBI’s latest annual report on internet crimes. There were 460 ransomware attacks and 182 data breaches, totaling 642 cyber events. Financial services was the next highest sector at 447 total events.
- “This report quantifies what we already knew anecdotally about the health care sector being the most targeted by ransomware attacks,” said John Riggi, AHA national advisor for cybersecurity and risk. “The vast majority are perpetrated by foreign ransomware gangs, primarily Russian-speaking groups, which specifically target health care hoping for a big payout. They know these attacks cause disruptions and delays to digitally dependent health care delivery, posing a risk to patient and community safety, thereby increasing the exigency and pressure for a potentially large ransom payment. These despicable acts are in fact threat-to-life crimes and remind us to do what we can on defense and prepare for clinical continuity not if, but when, an attack strikes.”
- Dark Reading relates,
- “Storm-1175 actors are running up-tempo campaigns to deliver Medusa ransomware, putting pressure on organizations to patch critical vulnerabilities faster.
- “In a blog post on Monday, Microsoft Threat Intelligence detailed how Storm-1175, a financially motivated cybercrime group, is conducting “high velocity ransomware campaigns” that typically exploit known vulnerabilities in the sweet spot for threat actors: the time between a vulnerability’s initial disclosure and the widespread adoption of the patch. Microsoft also tied the exploitation of several zero-day vulnerabilities to the group.”
- “Storm-1175’s playbook appears to be predicated on speed. Attackers move quickly from vulnerability exploitation to data exfiltration and, finally, delivery of Medusa ransomware, “often within a few days and, in some cases, within 24 hours,” according to Microsoft.
- “The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States,” the blog post stated.
- SC Media informs us,
- “In March, more than a dozen CISOs and other security managers gathered online to discuss how best to handle ransomware in today’s AI-powered environments.
- “Because the CyberRisk Collaborative roundtable discussion, sponsored by Akamai, followed the Chatham House rule, we can’t tell you who said what. But the latest CRC report, “Redefining Ransomware Containment,” summarizes what was said.
- “The group’s main message: Ransomware is no longer just a cybersecurity issue, but a full-scale business-resilience challenge.
- “Organizations should focus on ransomware recovery, the participants agreed. While rapid containment remains critical, stopping an attack is only part of the solution. True success against ransomware includes maintaining business operations, minimizing disruption, and lining up technical response with organizational priorities.
- “Containment speed is important, but even a quickly halted attack can lead to substantial financial loss or reputational damage. Organizations must take a view of incident success that includes recovery timelines and customer impact alongside traditional security metrics. That’s because a ransomware incident affects the entire enterprise, not just IT systems.
- “Because business continuity is the true benchmark of resilience, CISOs and other security managers in the roundtable discussion stressed that customers and stakeholders often care less about how quickly an attack is contained and more about whether services remain available.
- “The CISOs said that as a result, leading organizations are folding ransomware response into broader business-continuity and disaster-recovery plans. That way, critical operations can keep going even during an active incident, and downstream impacts on customers, partners, and markets will be lessened.”
From the cybersecurity defenses front,
- The Wall Street Journal reports,
- “Artificial intelligence giant Anthropic unveiled a partnership with cybersecurity companies Tuesday [April 7] that raises more questions about how parts of the security industry may be disrupted by the emerging technology.
- “The company said its new Project Glasswing initiative allows select companies access to its Claude Mythos2 Preview frontier model, specifically for defensive cybersecurity work. Participants include CrowdStrike, Palo Alto Networks, Microsoft, Apple, Amazon’s AWS cloud business, JPMorgan Chase, Google, Broadcom, Nvidia and the Linux Foundation.
- “Anthropic said its new model already has found thousands of high-severity vulnerabilities, including some in every major operating system and web browser.
- “AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities,” Anthropic said of Project Glasswing.
- “The project shows how AI is beginning to reshape parts of the cybersecurity industry, with investors trying to anticipate which areas are built to last and which are ripe to be disrupted by automation. Cyber shares rose as some investors were encouraged by the companies’ inclusion in the Anthropic project, but uncertainty remains about how AI’s impact on the industry will play out.”
- Forrester identifies ten consequences of Project Glasswing nobody’s writing about yet.
- SC Media offers five ways to mitigate the risks of “cracked” software.
- “The human element remains one of the top threat vectors within organizations. Well-intentioned employees trying to get their work done quickly and efficiently can sometimes unknowingly introduce new security risks in doing so.
- “For instance, an employee needs a PDF editor or design tool, but can’t find an IT-approved option or doesn’t want to wait for access. So they download a free or “cracked” version from the web. It feels harmless. In reality, it creates a direct path into the organization’s IT environment.” * * *
- “Security teams can reduce this risk, but it takes a shift in focus from policy to control. Taking the following five steps won’t eliminate shadow IT, but they will make it much harder for a quick download to turn into a serious incident:
- “Block unauthorized executables at runtime: Stop unknown binaries from running, even if a user downloads them manually.
- “Restrict local admin rights: Limit who can install or modify software so a single download can’t change the system.
- “Apply a zero-trust approach to application control: Allow only approved applications to run, block everything else.
- “Use advanced endpoint protection to monitor for behavioral indicators, not just signatures: Look for patterns like manual installs, archive extraction, and unusual execution paths.
- “Reinforce acceptable use policies and user awareness: Make expectations clear and explain the risks.”
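The five controls above combine a default-deny allowlist, restricted admin rights and behavioral monitoring. As an added example (not from SC Media and not any vendor's product logic), the following Python runs that policy over a handful of constructed process-creation events: it flags the indicators the fourth step names (manual installs, archive extraction, unusual execution paths), notes when an unapproved binary ran with elevated rights, and returns a default-deny verdict. The allowlist hashes, the telemetry field names and the sample paths are all hypothetical.

```python
import ntpath  # Windows path semantics even when run on Linux/macOS

# Hypothetical allowlist: hashes of approved binaries (default-deny application control).
APPROVED_HASHES = {"sha256:approved-vendor-tool", "sha256:approved-notepad"}
# Parent processes that indicate a binary launched straight out of an extracted archive.
ARCHIVE_TOOLS = {"7zfm.exe", "7z.exe", "winrar.exe", "bandizip.exe"}
# Path fragments for user-writable locations where a manual download typically lands.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")

# Constructed process-creation events, loosely modelled on EDR telemetry fields.
EVENTS = [
    {"id": 1, "user": "alice", "elevated": False, "hash": "sha256:approved-vendor-tool",
     "image": r"C:\Program Files\Vendor\tool.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 2, "user": "alice", "elevated": True, "hash": "sha256:unknown-1",
     "image": r"C:\Users\alice\Downloads\pdf_editor_crack\setup.exe",
     "parent_image": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"id": 3, "user": "bob", "elevated": False, "hash": "sha256:unknown-2",
     "image": r"C:\Users\bob\AppData\Local\Temp\keygen.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 4, "user": "bob", "elevated": False, "hash": "sha256:approved-notepad",
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
]


def evaluate(event: dict) -> list:
    """Return the behavioral indicators an event matches (empty list = nothing of note)."""
    image = event["image"].lower()
    name = ntpath.basename(image)
    parent = ntpath.basename(event["parent_image"]).lower()
    indicators = []
    if event["hash"] not in APPROVED_HASHES:
        indicators.append("unapproved-binary")          # not on the allowlist
    if any(marker in image for marker in USER_WRITABLE_MARKERS):
        indicators.append("user-writable-path")         # unusual execution path
    if parent in ARCHIVE_TOOLS:
        indicators.append("spawned-from-archive-tool")  # archive extraction
    if name.startswith(("setup", "install")) or "installer" in name:
        indicators.append("manual-install")             # manual install
    if event["elevated"] and "unapproved-binary" in indicators:
        indicators.append("elevated-unapproved")        # admin rights let a download change the system
    return indicators


def verdict(indicators: list) -> str:
    """Default-deny: unapproved code is blocked; approved code with odd behavior is alerted on."""
    if "unapproved-binary" in indicators:
        return "block"
    return "alert" if indicators else "allow"


def triage(events) -> dict:
    """Map event id -> (verdict, indicators) for the whole batch."""
    return {e["id"]: (verdict(ind), ind) for e in events for ind in [evaluate(e)]}


if __name__ == "__main__":
    for event_id, (decision, indicators) in triage(EVENTS).items():
        print(event_id, decision, indicators)
```

The verdict deliberately depends only on the allowlist: the behavioral indicators enrich the alert and tell the analyst how the binary arrived, but they never override a block, which is what the third step's "block everything else" means in practice.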
- Here’s a link to Dark Reading’s CISO Corner.
