Cybersecurity Saturday

From the War with Iran front,

  • Cybersecurity Dive reports,
    • “The Cybersecurity and Infrastructure Security Agency, FBI and other federal authorities warned Tuesday [June 2] that hackers have targeted automatic tank gauge systems in threat activity across multiple industry sectors.
    • “Tank gauge, or ATG, systems are used to measure temperature, check fuel or other liquid levels and detect leaks, according to guidance released by the agencies. Hackers have targeted internet-exposed devices and used command execution to disable alerts or otherwise obscure the monitoring of these devices.” * * *
    • “Federal authorities have not attributed the attacks to any specific group, but CNN previously reported an investigation into the hack of ATG systems that serve gas stations in multiple U.S. states. The threat activity is suspected to be connected to Iran-linked hackers, but federal officials are not publicly making that link.
    • “OT security experts cautioned there are limits to how a hacker might manipulate these devices.
    • “A malicious actor could take control of an ATG and disrupt its functions, including leak detection, but they cannot cause a leak with an ATG,” said Markus Mueller, field CISO at Nozomi Networks. “Similarly, a malicious actor could disrupt the ability to fill or use a tank to fill a vehicle.”

From the Project Glasswing front,

  • Cybersecurity Dive reports,
    • “Anthropic is significantly expanding the number of organizations that have access to its powerful Claude Mythos Preview AI model, a move that reflects growing interest in Mythos’s vulnerability-hunting capabilities within government agencies and critical infrastructure sectors.
    • “Following several weeks of close collaboration with our Project Glasswing partners, the security industry, open-source software maintainers, and the U.S. government, we’re extending the partnership to approximately 150 new organizations,” Anthropic said in a statement on Tuesday [June 2].
    • “The new organizations, which are based in more than 15 countries, include infrastructure operators in sectors that weren’t represented in Project Glasswing’s membership, such as power, water, healthcare and telecommunications. Other new members include hardware vendors and critical software maintainers, including nonprofit groups.”
  • Beckers Hospital Review adds,
    • “Health system leaders told Becker’s they’re encouraged by AI developer Anthropic opening up its Project Glasswing cybersecurity initiative to healthcare.”
  • Cybersecurity Dive notes,
    • One of the most important jobs for CISOs in the AI era is to stay calm and carefully assess their organizations’ risk exposure, experts said this week at the annual Gartner Security & Risk Management Summit here.
    • “Don’t panic,” Katell Thielemann, a VP analyst at Gartner, said during a talk on Tuesday about AI’s impact on the security of cyber-physical systems such as industrial control equipment.
    • “Yes, things are changing fast,” Thielemann said, “but there are some low-hanging fruit” that CISOs can tackle, such as disconnecting critical devices from the internet and monitoring remote access to the remaining infrastructure.

From the cybersecurity policy front,

  • Cyberscoop reports,
    • “The Trump administration issued a revised executive order Tuesday [June 2] focused on artificial intelligence, offering a significantly pared-back vision for the federal government’s role vetting AI systems compared with a draft version that was spiked weeks ago.
    • “The order keeps in place the administration’s largely voluntary framework for companies to engage with the federal government around testing new models before release, but appears to considerably weaken or loosen provisions that had been opposed by industry.
    • “Under the order, AI companies would voluntarily provide the federal government access to frontier models before release, but now it will be for “up to” 30 days instead of the 90-day timeline included in previous drafts.
    • “It also explicitly states that nothing in the program will be construed as mandatory or part of a federal licensing or permitting regime, and gives AI companies significant influence to help define what models would and would not be covered under for testing.
    • “It also states that all federal testing and access to the models would be subject to “confidentiality, cybersecurity, insider-risk, and intellectual-property protection, use, and nondisclosure requirements.”
  • Federal News Network relates,
    • During a House Homeland Security Committee hearing on Wednesday, June 3, Homeland Security Secretary Markwayne Mullin “said the Cybersecurity and Infrastructure Security Agency needs to hire hundreds of additional staff. CISA’s staff has gone from roughly 3,400 people to 2,200 under the Trump administration, with many taking deferred resignations or early retirements.
    • “We probably need somewhere around [2,800] if we can actually have the partnerships we need with states and to be able to use the grants, the monies that stayed with CISA to be able to invest with local and state municipalities,” Mullin said. “We’re not going to fail on the mission that we have in front of us, and cyber attacks are only getting stronger, and they’re attacking our private partnership the most.”
    • “Mullin’s comments somewhat conflict with the Trump administration’s fiscal 2027 budget request for CISA, which would reduce the agency’s budget by $707 million compared to 2025 spending levels.” * * *
    • “Mullin also teased that Trump may be close to naming a new CISA director nominee. Former DHS official Sean Plankey’s nomination for CISA director was rescinded earlier this year after facing lengthy delays in the Senate.
    • “We’ve got a person soon to be nominated that will be running CISA that has the ability to recruit and focus on the authorities we have,” Mullin said. “We want CISA to be the leader in cybersecurity. They should be, and they will be.”
  • The American Hospital Association News tells us,
    • “The Health Sector Coordinating Council’s Cybersecurity Working Group has released a guide to help healthcare organizations establish cyber governance frameworks for secure artificial intelligence implementation. The guide addresses challenges in identifying and mitigating AI-specific cyber risks, including data poisoning, model drift and adversarial attacks, while ensuring compliance with current regulations. It also explores a spectrum of AI technologies used in healthcare, including traditional machine learning models, generative AI and agentic AI systems capable of autonomous action.
    • “This comprehensive guide is a must-read for all healthcare organizations, vendors and suppliers as the development and implementation of various forms of AI into healthcare settings has become widespread at tremendous speed and scale,” said John Riggi, AHA national advisor for cybersecurity and risk. “The secure-by-design and implementation recommendations offered in this guide will help mitigate unintended cybersecurity risk and consequences of AI use in healthcare and help prevent adversarial exploitation of AI-related technical flaws. Mitigating AI cybersecurity risk is part of cyber safety, and cyber safety is patient safety.”

From the cybersecurity vulnerabilities and breaches front,

  • Bleeping Computer reports,
    • “A data breach at the dental benefits administrator DentaQuest has reportedly exposed the sensitive data of 2.6 million accounts.
    • “The security incident came to light last month, when the infamous extortion group ShinyHunters listed the company on its data leak site and claimed to have stolen more than 234 GB of data.
    • “Following what the threat actor describes as a failure to reach an agreement with the company, the data was publicly leaked.” * * *
    • “On June 2, DentaQuest confirmed on its website that its networks had been breached and the incident caused “limited disruption” in customer service.
    • “DentaQuest is actively managing a cybersecurity incident involving unauthorized access to a limited portion of our network,” reads the statement.” * * *
    • “Yesterday, [June 3], data breach alerting service Have I Been Pwned (HIBP) analyzed the leaked information and found that it contained records for 2.6 million accounts.”
  • The HIPAA Journal has been keeping track of all healthcare data breaches since 2009.
    • “There was a sharp increase in data breaches between 2018 and 2021, with data breaches doubling in just three years as cybercriminals aggressively adopted ransomware and actively targeted the healthcare sector. The large annual increases in data breaches came to an end in 2021, increasing by around 4% between 2022 and 2023, and again by around 4% from 2024 to 2025, when a new annual record was set with 772 large data breaches reported.”
  • CISA added five known exploited vulnerabilities to its catalog this week.
  • Cybersecurity Dive adds,
    • “Cisco on Thursday [June 4] warned of a zero-day vulnerability in its Catalyst SD-WAN product that could allow an attacker to execute arbitrary commands as root.
    • “The vulnerability, tracked as CVE-2026-20245, is the result of insufficient validation of user-supplied input. The flaw, which has a severity score of 7.8, could allow an attacker to conduct command-injection attacks and elevate privileges as the root user.
    • “The company said it has confirmed a limited number of cases where the flaw was exploited, leading to a configuration change being pushed to edge devices.
    • “Cisco has thus far not released any patches and has no current workarounds.
    • “The vulnerability was disclosed by Mandiant.”
  • and
    • “Researchers on Monday [June 1] warned that more than 30 Red Hat npm packages have been compromised in a supply-chain attack that used a credential-stealing worm.
    • “A total of 96 versions across 32 packages have been identified as compromised, according to researchers at Aikido Security. The accumulated downloads exceed 116,000, according to researchers.
    • “The packages were published through the GitHub Actions OIDC, which indicates the compromise was linked to the continuous integration/continuous delivery pipeline, instead of an npm token, researchers noted.”
  • The American Hospital Association News informs us,
    • “The FBI and international agencies have released an alert on Chinese military intelligence services using professional networking sites and online job platforms to target government, military and any other personnel with access to classified or privileged information. The agencies said intelligence officers or affiliates pose as employees of private consultancies, research institutions or human resources firms, and post job advertisements online for foreign policy and defense analysts. Successful candidates are then pressured to provide “non-public” information for unspecified clients associated with the Chinese government.
    • “This alert is important for healthcare since many individuals in the sector have current or former access to classified information,” said John Riggi, AHA national advisor for cybersecurity and risk. “Many healthcare organizations are also engaged in highly sensitive, taxpayer-funded medical research, innovation and clinical trials. For decades, the Chinese government has been engaged in an aggressive campaign to legitimately acquire, steal or hack the results of this research and innovation for their own strategic national security priorities, economic advantage or weaponization. Use of social media platforms to engage and compromise individuals with access to classified or unclassified, but sensitive information is one of their most effective tactics. As such, we should remain wary of connecting with unknown individuals on these platforms seeking to discuss research, or provide unusually lucrative offers for employment, speaking engagements, opinions or research — especially those which may involve foreign contacts or travel.”
  • Dark Reading identifies “4 Critical Threats Where Attackers Have the Advantage.”
    • “Gartner analysts issued a call to action to bolster defenses against several emerging critical threats, such as deepfakes and prompt injections.”

From the ransomware front,

  • Industrial Cyber reports,
    • “Microsoft Threat Intelligence detailed a growing RaaS (ransomware-as-a-service) operation known as The Gentlemen, tracked by Microsoft as Storm-2697, warning that the threat combines strong file encryption with aggressive self-propagation capabilities that can compromise entire enterprise networks. The analysis disclosed that the Go-based ransomware uses per-file ephemeral key encryption built on Curve25519 and XChaCha20, while simultaneously leveraging multiple lateral movement techniques to spread across connected systems, significantly increasing the speed and impact of attacks once initial access is obtained.
    • “Researchers mentioned that The Gentlemen emerged in mid-2025 before evolving into a RaaS platform that recruits affiliates to conduct attacks at scale. The company noted that the malware’s self-propagation module enables broad network compromise, making it more dangerous than conventional ransomware focused solely on file encryption. The operation has been linked to widespread attacks across multiple sectors and regions, with threat actors using the ransomware alongside data theft and extortion tactics to maximize pressure on victims.
    • “In addition to using per-file ephemeral Curve25519 keys with XChaCha20 stream cipher, The Gentlemen ransomware attempts to spread across an environment using a series of simultaneous, distinct lateral movement methods, increasing likelihood of widespread impact once initial access is achieved. Microsoft has observed The Gentlemen ransomware impacting organizations across education, transportation, healthcare, and financial industries in North America, South America, Europe, Africa, and Asia.”
  • Bleeping Computer relates,
    • “A threat actor is using an AI-built ransomware attack toolkit that automates Active Directory discovery and helps evade endpoint detection and response (EDR) solutions.
    • “Tool and payload development was assisted by Cursor and Claude Opus agents in various stages, including initial coding, analysis, and revisioning. Additionally, some agents were tasked with checking security research posts for various bypass techniques.
    • “Some of the malware created this way was tested in virtual environments against EDR tools from Sophos, CrowdStrike, and Microsoft.
    • “Despite the malware research and development orchestrated using AI technology, the researchers note that the workflow is entirely human-driven.”
  • Cybersecurity Insiders informs us,
    • “The traditional pattern of ransomware attacks appears to be changing, according to a recent analysis published by Ransomnews. For years, cybersecurity experts observed that many ransomware groups preferred launching attacks during weekends, particularly on Fridays and Sundays, when organizations often operated with reduced staffing levels.
    • “However, new data suggests that cybercriminals have shifted their tactics and are now focusing more heavily on weekdays, especially between Monday and Friday.
    • “The research indicates that ransomware incidents are increasingly occurring during standard European business hours rather than late at night or during weekends. This marks a significant departure from previous attack strategies, which were designed to exploit periods when IT teams and security personnel were less likely to be available to respond quickly.
    • “According to the findings, Sunday has become the least active day for ransomware-related activity. In contrast, October stands out as the busiest month of the year, recording the highest number of ransomware attacks. While the reasons behind the October surge are not entirely clear, experts believe that threat actors may take advantage of increased business activity during the final quarter of the year, when organizations are often focused on meeting annual targets and may have less time to dedicate to cybersecurity preparedness.”

From the cybersecurity business and defenses front,

  • Cybersecurity Dive reports,
    • “CrowdStrike reported better-than-expected earnings during the fiscal first quarter, as accelerating demand for AI is pushing more enterprises to focus on tighter cybersecurity controls.
    • “CrowdStrike CEO George Kurtz said demand for AI and the introduction of Anthropic’s Mythos created an inflection point that demonstrated to the market that cybersecurity is an essential part of the AI ecosystem.
    • “AI has now directly entered the world of cybersecurity across two dimensions,” Kurtz said during the company earnings call Wednesday. “First, you need cybersecurity to secure AI itself. Deploying AI across the enterprise is simply too risky without cybersecurity from the start.” * * *
    • The company said revenue increased 26%, to $1.39 billion, during the fiscal first quarter ended April 30, compared with year-ago revenue of $1.1 billion. * * *
    • “On Tuesday, CrowdStrike rival Palo Alto Networks reported a 31% increase in revenue, to $3 billion, during the company’s fiscal third quarter.
    • “These results are materializing as AI fundamentally redefines the enterprise tech stack, elevating cybersecurity to a mission-critical priority for every organization,” Nikesh Arora, chairman and CEO of Palo Alto Networks, said during his company conference call on Tuesday.”
  • Dark Reading points out “Cyber Insurance Rates Are Dropping, but Exclusions Widen.”
    • “Cyber insurance coverage is slowly changing, and some policies may not provide coverage for social engineering attacks like ClickFix.”
  • Tech Target calls attention to “Lost in translation: Cybersecurity board reporting for CISOs.”
    • “Cybersecurity board reports don’t always land. At the Security and Risk Management Summit 2026, Gartner analysts suggested a novel way to communicate cyber-risk to corporate directors.”
  • A Cybersecurity Dive commentator delves into “Turning tension into collaboration: How CIOs and CISOs can lead together.”
    • If properly managed and channeled, age-old friction between IT and cybersecurity can create a more resilient organization.
  • Here is a link to Dark Reading’s CISO Corner.
