Cybersecurity Saturday

From the Iranian war front,

  • The New York Times reports on April 16,
    • “The exchange of bombs and missiles in the Middle East between Iran and its foes has been paused for more than a week now. Iran’s hackers, however, have remained active on the digital battlefield.
    • “Iran has continued its cyberspace operations since the cease-fire with the United States began on April 8, according to Western cybersecurity experts and former U.S. intelligence officials. In doing so, Tehran is trying to keep up pressure on the United States and Israel but also positioning itself to mount a bigger retaliation if peace talks do not resume.” * * *
    • “This is a time, more than ever, we should worry about Iran,” said Evan Peña, a co-founder of the cybersecurity firm Armadin. “In cyberwarfare there isn’t really a cease-fire.”
    • “Mr. Peña said that if the cease-fire or negotiations collapsed, Iran would want to be in a strong position to retaliate, potentially by attacking critical infrastructure in the United States. Tehran has done so in the past but generally with limited impact. More than a decade ago, Iranian hackers targeted a small dam in upstate New York, but by happenstance the dam’s sluice-gate controls had been taken offline for maintenance, much to the relief of U.S. investigators at the time.
    • “Iran, Mr. Peña said, is going to be more aggressive and devote more resources to trying to get access to American companies as the war rages on.” * * *
    • “Josh Zweig, the chief executive of Zip Security, which secures small and midsize enterprises, said Iran was specifically looking for less well-defended targets, like municipal-run water and energy facilities.
    • “He also said small firms that make investment decisions for wealthy individuals and families have been targeted.”

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “National Cyber Director Sean Cairncross expects more executive orders coming from the White House as part of implementing the national cybersecurity strategy, he said Wednesday [April 15].
    • “Staffers on Capitol Hill and others in the cyber world have been awaiting the implementation guidance the Trump administration had proclaimed would come to accompany the strategy published last month.
    • “Asked at a Semafor event about whether that would include executive orders, Cairncross answered, “I think that that’s the case.”
    • “Cairncross touted American ingenuity for producing an artificial intelligence model like Anthropic’s Claude Mythos, rather than it developing under U.S. cyber rivals like China or Russia. He acknowledged reports about the administration holding meetings about the cyber risks and benefits of something like Mythos — “the model right now that everyone’s talking about” — adding that the administration is looking to balance the dangers and positive capabilities of AI in cyberspace.”
  • and
    • “The federal agency tasked with analyzing security vulnerabilities is overwhelmed as it and other authorities struggle to keep pace with a flood of defects that grows every year. The National Institute of Standards and Technology announced Wednesday that it has capitulated to that deluge and narrowed the priorities for its National Vulnerability Database.
    • “NIST said it will only prioritize analysis for CVEs that appear in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, software used in the federal government and critical software defined under Executive Order 14028.
    • “The federal agency’s goal with the change is to achieve long-term sustainability and stabilize the NVD program, which has encountered previous challenges, notably a funding lapse in early 2024 that forced NIST to temporarily stop providing key metadata for many vulnerabilities in the database.” * * *
    • “NIST said CVEs that don’t fit its more narrow criteria will still be listed in the NVD, but they won’t be automatically enriched with additional details. 
    • “This will allow us to focus on CVEs with the greatest potential for widespread impact,” the agency said. “While CVEs that do not meet these criteria may have a significant impact on affected systems, they generally do not present the same level of systemic risk as those in the prioritized categories.”
  • Dark Reading adds,
    • [C]ybersecurity teams will need to move to make up for the loss of enrichment data, according to Shane Fry, chief technology officer at RunSafe Security. 
    • “Anthropic’s Mythos highlights why NIST is making this move in the first place,” Fry says. “They have already seen a surge in CVE submissions over the past year and have not been able to keep up. Mythos and other tools for AI-assisted vulnerability will only add to the volume of vulnerabilities disclosed. It’s a problem the industry has been aware of for some time.” 
    • “So without the ability to keep up with the sheer volume of CVEs cyber teams need to pivot, Fry adds. 
    • “The way forward will have to emphasize building defenses into software itself to prevent the exploit of bugs and zero-days even before patches are available or the vulnerability is disclosed,” he advises.” 
  • Federal News Network tells us,
    • “The [U.S.] Office of Personnel Management announced this week that it will be expanding its Tech Force hiring program to include opportunities for agencies to hire cybersecurity specialists. That’s on top of the program’s existing recruitment efforts for software engineers, data scientists and product managers.
    • “The newly added cybersecurity roles will focus on “protecting critical systems, strengthening federal cybersecurity capabilities and safeguarding the digital infrastructure relied on by millions of Americans,” OPM said in a press release.
    • “The federal government depends on strong cybersecurity to protect critical systems and maintain public trust,” OPM Director Scott Kupor said Monday. “Through Tech Force, we’re recruiting highly skilled cybersecurity professionals to take on real challenges and strengthen the government’s defenses where it matters most.”
  • Cyberscoop informs us,
    • “Authorities from 21 countries took down 53 domains and arrested four people allegedly involved in distributed denial-of-service operations used by more than 75,000 cybercriminals, Europol said Thursday. 
    • “The globally coordinated effort dubbed “Operation PowerOFF” disrupted booter services and seized and dismantled infrastructure, including servers and databases, that supported the DDoS-for-hire services, officials said.
    • “Law enforcement agencies obtained data on more than 3 million alleged criminal user accounts from the seized databases, and ultimately sent more than 75,000 emails and letters to participants, warning them to halt their activities.”
  • and
    • “Two New Jersey men were sentenced Wednesday for facilitating North Korea’s long-running scheme to plant operatives inside U.S. businesses as employees, generating more than $5 million in illicit revenue for the regime, the Justice Department said. 
    • “The U.S. nationals — Kejia Wang, also known as Tony Wang, and Zhenxing Wang, also known as Danny Wang — were part of a years-long conspiracy that placed operatives in jobs at more than 100 U.S. companies, including many Fortune 500 companies, based in 27 states and the District of Columbia. * * *
    • “Both men previously pleaded guilty to an assortment of crimes. Kejia Wang was sentenced to nine years in prison for conspiracy to commit wire and mail fraud, money laundering and identity theft. Zhenxing Wang was sentenced to 92 months in prison for conspiracy to commit wire and mail fraud and money laundering. 
    • “The pair were also ordered to forfeit a combined $600,000, of which two-thirds has already been paid, officials said.”

From the cybersecurity breaches and vulnerabilities front,

  • Health Exec reports,
    • “Healthcare IT infrastructure and electronic health record company CareCloud confirmed in a regulatory filing that it’s suffered a data breach, said to have impacted one of its six patient record stores, with hackers inside its network for “approximately eight hours.”
    • “The “cybersecurity incident” was disclosed in a filing with the U.S. Securities and Exchange Commission, and said the incident occurred on March 16. The company said that, while intruders did access patient medical records, it wasn’t clear if any data was stolen.
    • “An investigation into the data breach is still ongoing, and CareCloud said it’s working with a third-party cybersecurity organization to gather the details. After some downtime, CareCloud said it believes the invasion has been thwarted and that criminals no longer have a way inside its network.
    • “Systems were taken down and restored the same day. Details such as how the cyberattack was conducted and if any ransomware was deployed was not revealed. It’s also not clear if any notable cybercrime syndicate was behind the data breach, nor whether those responsible made any demands. 
    • “The filing with the SEC was released on March 24, and there hasn’t been any real update from the company since.”
  • The Cybersecurity and Infrastructure Security Agency added ten known exploited vulnerabilities (KEVs) to its catalog this week.
  • Cybersecurity Dive tells us,
    • “Hackers are attempting to exploit a high-severity flaw found in several end-of-life routers from TP-Link, according to a blog post published Friday [April 17] by Palo Alto Networks’ Unit 42. 
    • “Researchers warn the observed payloads share similarities to those found in malware used in Mirai-like botnets. Such activity would involve attempts to download the malware and execute on vulnerable devices, according to researchers. 
    • “The vulnerability was originally disclosed in June 2023, and proof of concept exploits appeared prior to the disclosure, wrote Unit 42 researchers.
    • “The Cybersecurity and Infrastructure Security Agency previously added the command injection vulnerability, tracked as CVE-2023-33538, to its Known Exploited Vulnerabilities catalog in July 2025.” 

From the ransomware front,

  • The HIPAA Journal reports,
    • “Brockton Hospital in Massachusetts is continuing [as of April 15] to grapple with a cybersecurity incident that took many of its electronic systems offline on April 6, 2026, and forced the hospital to divert ambulances to alternate facilities and cancel scheduled cancer treatments. An investigation into the cyberattack is ongoing, and the hospital is working with federal and state officials. While some systems have been brought back online, the hospital is continuing to use its downtime procedures, with staff members working off paper rather than computers. A Signature Healthcare spokesperson told Boston 25 News that the hospital would continue under downtime procedures for the next two weeks. * * *
    • “The Anubis ransomware-as-a-service group claimed responsibility for the attack. Anubis engages in double extortion, stealing data and encrypting files. A ransom must be paid to prevent the release of stolen data and obtain the keys to recover encrypted files. According to SuspectFile, which was contacted by a member of the Anubis group, files were encrypted in the attack. The Anubis spokesperson told SuspectFile that only non-critical systems were encrypted, and 2TB of data was stolen in the attack, including a large volume of patient data.
    • “Anubis is attempting to pressure Signature Healthcare into paying the ransom by adding the hospital to its data leak site, along with a countdown clock when the stolen data will be published. Signature Healthcare has yet to confirm the extent of data theft, which may not be known for some time. The priority continues to be patient care, remediating the attack, and bringing systems back online when it is safe to do so.”
  • Govtech relates,
    • “Ransomware continues to pose a serious threat to U.S. critical infrastructure, with more than 2,100 related incidents reported to federal authorities in 2025, according to the latest FBI Internet Crime Complaint Center (IC3) report.
    • “To put that number in perspective, IC3 reported roughly 1,100 data breach threats to critical infrastructure, which includes sectors such as health care, critical manufacturing, financial services, energy and agriculture, among others. Ransomware attacks directed at critical infrastructure are serious, possessing as they do the potential to disrupt operations, expose sensitive data and affect the delivery of public services.
    • “Those incidents have implications for state and local government organizations, which operate or support many of these systems. The nation’s critical infrastructure spans 16 sectors whose disruption would have a debilitating effect on the United States. Of these, the health-care and public health services sector reported the highest number of incidents, the report shows.”
  • SC Media adds,
    • “Analysis by Check Point researchers showed that out of the 672 ransomware attacks reported in March 2026, Qilin alone accounted for 20%, followed by Akira, which was responsible for 12% of the attacks, and Dragonforce RaaS, which was responsible for 8% of the incidents, reports Infosecurity News.”
  • and
    • “Suspected former Black Basta ransomware affiliates are ramping up targeting of senior-level executives with social-engineering attacks designed to deploy remote monitoring and management (RMM) software, ReliaQuest reported Tuesday.
    • “Black Basta, a previously notorious Russia-linked ransomware-as-a-service (RaaS), became defunct last year following leaked chats exposing its infrastructure and techniques. However, attacks leveraging the group’s distinct tactics, techniques and procedures (TTPs) have continued into 2026, with ReliaQuest noting an accelerating volume and increased targeting of company leadership.
    • “For example, Microsoft Teams-based phishing — a staple of Black Basta’s playbook — is becoming more prevalent, with 56% of all Teams phishing over the last year occurring within the last quarter, and nearly a third happening in March 2026 alone.”
  • Industrial Cyber notes,
    • “New data from Cyfirma disclosed that ransomware activity in March reflects a continuation of the sector’s shift toward structured, repeatable extortion models, where encryption is paired with data theft to maximize pressure on victims. The findings show that growing fragmentation of extortion groups suggests that smaller or emerging threat actor groups could adopt automation, AI-assisted reconnaissance, and data-driven victim profiling to scale operations efficiently. These campaigns rely heavily on coercive messaging, warning against third-party recovery attempts and reinforcing the risk of permanent data loss, underscoring how psychological pressure remains central to payment conversion strategies. 
    • “At the operational level, ransomware actors in March continue to refine rather than reinvent their tactics, prioritizing efficiency, scalability, and consistency across attacks. Cyfirma assesses that groups are likely to enhance encryption speed, standardize extortion workflows, and expand double extortion practices, while relying on common intrusion vectors such as phishing and exposed services. The broader trajectory points to incremental evolution within a mature ecosystem, where innovation is less about novel techniques and more about optimizing execution and monetization across a globally opportunistic threat landscape.” 
  • Security Boulevard informs us,
    • “Double extortion is bad enough—that’s the current tactic favored by ransomware groups—but the emerging quadruple extortion promises to further complicate mitigation and response by targeted organizations, prompting an escalation in extortion payments.  
    • “Yet that’s just one piece of evidence that ransomware continues to evolve despite high-profile takedowns by law enforcement—they just reincarnate or rebrand as new groups, new research by Akamai shows. Of course, the biggest game-changer is GenAI, as RaaS operators like Black Basta and FunkSec press LLMs into service to generate code and greatly improve the social engineering techniques that give bad actors a foot in the door and to scale up attacks, opening the door for even less sophisticated actors to execute damaging attacks.
    • “Ransomware groups continue to seek additional ways to generate profit, such as by pressuring victims and weaponizing compliance,” researchers at Akamai note in their Ransomware Report 2025.
    • “Noting that ransomware tactics have moved “away from traditional encryption-centric ransomware tactics towards more sophisticated and advanced extortion methods,” Nathaniel Jones, vice president, security and AI strategy and field CISO at Darktrace, says, “rather than relying solely on encrypting a target’s data for ransom, threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met.” 

From the cybersecurity defenses front,

  • The Wall Street Journal reports,
    • “The software bug was capable of crashing an operating system used by firewalls, servers and network appliances. It went undetected for over 27 years.
    • “Last month, it was caught by Mythos, the latest AI model from Anthropic that has spooked the White House, banking executives and cybersecurity professionals around the world.
    • “Welcome to the bug armageddon. AI models like Mythos and others are finding bugs in older software at a rate never seen before.
    • “While most of the coding issues may be minor, their sheer volume has amplified the risk that smaller software developers will become overwhelmed with reports of bugs such as the one Mythos found. Thanks to AI, hackers will be able to leverage those bugs more quickly than ever before.
    • “The 1998 bug in the OpenBSD operating system was one of thousands Mythos found last month. Anthropic said last week that it is working with about 50 technology companies and organizations to find and fix bugs and currently has no plans to release Mythos to the general public.
    • “We need to know that we can release it safely, and it’s not exactly clear how we can do that with full confidence,” said Logan Graham, the head of Anthropic’s Frontier Red Team, which evaluates AI for risks.”
  • Security Week relates,
    • “To help security teams prepare for this future, the Cloud Security Alliance has developed and published The ‘AI Vulnerability Storm’: Building a ‘Mythos-ready’ Security Program. The report does not provide a solution, but it will help readers understand what is coming, and what they must do in preparation.
    • “Mythos will not fundamentally change the nature of cybersecurity. It primarily provides a step change in the pace of attacks, and the biggest single change will be the asymmetric advantage to the attacker increasing dramatically. Cybersecurity itself doesn’t change – it just needs to cope with a new ferocious pace. Best practice fundamentally remains the same, but its importance becomes more critical.
    • “Focus on the basics and harden your environment further,” say the CSA report authors. “Segmentation, egress filtering, multifactor authentication, and defense-in-depth/breadth all increase the difficulty for attackers.” Nothing there is new, but many firms have not done it adequately – and must rapidly start doing it effectively.”
  • and
    • “OpenAI announced that it’s scaling its Trusted Access for Cyber program to thousands of verified defenders and hundreds of security teams. They will be given access to GPT-5.4-Cyber, a fine-tuned variant of GPT-5.4 that relaxes the usual guardrails for legitimate cybersecurity work. 
    • “GPT-5.4-Cyber also provides new capabilities such as binary reverse engineering, which enables users to analyze compiled executable software for vulnerabilities and malicious behavior.
    • “The new AI model is initially being offered on a limited, iterative basis to vetted security vendors, organizations, and researchers.
    • “Individual defenders who want to enroll into the Trusted Access for Cyber program and test GPT‑5.4‑Cyber can apply through chatgpt.com/cyber via an identity verification process, while enterprise teams must go through their OpenAI account representative.” 
  • Cyberscoop adds,
    • “A joint report from the Cloud Security Alliance (CSA), the SANS Institute and the Open Worldwide Application Security Project (OWASP) concludes that in the near term, organizations are “likely to be overwhelmed” by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them.
    • “While those organizations can use AI tools to speed up their own defenses, attackers “still face a heavier relative burden due to the inherent limitations of patching. This in turn leads to “asymmetric benefits” for attackers who can afford to adopt the technology without the same caution and bureaucracy as a multi-billion dollar business.
    • “The cost and capability floor to exploit discovery is dropping, the time between disclosure and weaponization is compressing toward zero, and capabilities that previously required nation-state resources are now becoming broadly accessible,” wrote Robert Lee, SANS Institute’s Chief AI Officer, Gadi Evron, CEO of Knostic and Rich Mogull, chief analyst at CSA, who served as the primary authors.”
  • TechTarget tells us, “How CIOs can beat AI challenges: A top researcher’s view.”
    • “CIOs are grappling with moving AI from the pilot stage to genuine implementation, and many are encountering organizational pitfalls that are stalling the delivery of real value.”
  • Healthexec informs us,
    • “Hospitals have always had to rely on multitudes of healthcare vendors to keep operations humming. In recent years the arrangement’s inherent management challenge has only grown more complex. 
    • “That’s largely because myriad AI technologies have changed daily life for provider organizations and industry partners alike. Arguably the biggest single difficulty to emerge from the transformation is the risk of cybersecurity breaches. 
    • “The Health Sector Coordinating Council (HSCC) is taking a crack at helping cybersecurity leaders, teams and stakeholders clear a path through the thicket. The assistance comes in the form of a 109-page document titled Third-Party AI Risk and Supply Chain Transparency Guide.
    • “The guidebook is authored by members of an HSCC working group focused on cybersecurity. The team’s guiding aim for the project was to “address the growing gaps in discovery and disclosure processes that make AI supply chain risk so difficult to manage.”
  • A NIST press release announced,
    • “NIST SP 800-133 Rev. 3 (Initial Public Draft) Recommendation for Cryptographic Key Generation
    • “Proposed changes in this revision include the following:
      • “Asymmetric key-pair generation has been expanded to include methods for deriving randomness during key-pair generation.
      • “Key-pair generation now has options for derivation similar to symmetric keys and new methods for “seed expansion,” which allows for the limited use of SHAKE and deterministic random bit generators (DRBGs).
      • “Key-encapsulation mechanisms (KEMs) are discussed as a key-establishment option for symmetric key generation, and post-quantum cryptography (PQC) references have been added throughout (e.g., the new PQC signatures).
      • “Text has been reworded to address random number generation in alignment with SP 800-90C.
    • “Comments are especially requested regarding:
      • “Hardware security module (HSM) design — How do these requirements align with common practice and existing systems using a root seed/secret value?
      • “PQC implementations and protocol — How do these requirements fit with storing keys as seeds (e.g., for ML-KEM) and performing hybrid (i.e., combined classical and post-quantum) implementations?”
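  • The two ideas NIST is asking commenters about, storing a key as a seed and regenerating it deterministically, and combining a classical and a post-quantum shared secret, are easy to get subtly wrong, so here is an added example in Python (not NIST's code and not part of the original post). It uses SHAKE256 as a seed-expansion function with length-prefixed labels for domain separation, derives the two 32-byte seeds (d, z) that FIPS 203's ML-KEM.KeyGen_internal consumes (ML-KEM itself is not implemented here), and folds a KEM shared secret and a classical shared secret through HKDF-SHA-256 bound to the KEM ciphertext. The context strings, label scheme, sample root seed and the combiner layout are this example's own choices and are not taken from the SP 800-133 draft.

```python
"""Added example: SHAKE256 seed expansion and a hybrid shared-secret combiner.
Illustrative construction, not the text of NIST SP 800-133 Rev. 3."""
import hashlib
import hmac

# Constructed sample input (not a real key): a 32-byte root seed as an HSM might hold it.
SAMPLE_ROOT_SEED = bytes(range(32))


def expand_seed(root_seed: bytes, label: bytes, length: int) -> bytes:
    """Derive `length` bytes of key material from a root seed with SHAKE256.

    The label and the requested length are absorbed with the seed, so material
    for "ml-kem-keygen" and for "aes-256" never coincides, and asking for a
    different length yields unrelated bytes rather than a prefix of a longer key.
    """
    if len(root_seed) < 32:
        raise ValueError("root seed must carry at least 256 bits of entropy")
    if not 1 <= len(label) <= 255:
        raise ValueError("label must be 1..255 bytes")
    xof = hashlib.shake_256()
    xof.update(b"seed-expansion-v1")                   # example-specific context string
    xof.update(len(label).to_bytes(1, "big") + label)  # length-prefixed label
    xof.update(length.to_bytes(4, "big"))              # output length bound into the input
    xof.update(root_seed)
    return xof.digest(length)


def mlkem_keygen_seeds(root_seed: bytes, key_id: bytes) -> tuple:
    """Return (d, z), the two 32-byte seeds ML-KEM.KeyGen_internal (FIPS 203) takes.

    Only these seeds need to be stored; the full key pair can be regenerated from
    them on demand. The ML-KEM key generation itself is not implemented here.
    """
    dz = expand_seed(root_seed, b"ml-kem-keygen:" + key_id, 64)
    return dz[:32], dz[32:]


def _hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_combiner(ss_pq: bytes, ss_classical: bytes, ct_pq: bytes, context: bytes) -> bytes:
    """Fold a KEM shared secret and a classical (e.g. ECDH) shared secret into one
    256-bit key. A hash of the KEM ciphertext is included so the derived key is
    bound to this specific encapsulation. Illustrative layout chosen for this example.
    """
    if len(ss_pq) != 32 or len(ss_classical) != 32:
        raise ValueError("expected 32-byte shared secrets")
    ikm = ss_pq + ss_classical + hashlib.sha256(ct_pq).digest()
    return _hkdf_sha256(b"hybrid-kem-combiner-v1", ikm, context, 32)


if __name__ == "__main__":
    d, z = mlkem_keygen_seeds(SAMPLE_ROOT_SEED, b"server-kem-2026")
    aes_key = expand_seed(SAMPLE_ROOT_SEED, b"aes-256-gcm:backup", 32)
    # Constructed stand-ins for what a real decapsulation and ECDH would return.
    key = hybrid_combiner(bytes(32), bytes(32), b"constructed ciphertext", b"example")
    print("d:", d.hex())
    print("z:", z.hex())
    print("aes key:", aes_key.hex())
    print("hybrid key:", key.hex())
```

Two design points worth noting. The output length is part of the SHAKE input, so a 32-byte and a 48-byte request for the same label are unrelated, which matters when a seed is reused across algorithms with different key sizes. In the combiner, the PQ shared secret is placed first and the ciphertext hash is mixed in, so an attacker who can influence the classical half alone cannot steer the final key.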
  • Here is a link to Dark Reading’s CISO Corner.
