Cybersecurity Saturday

From the Project Glasswing front,

  • Tech Crunch reports,
    • “The U.S. government on Friday ordered Anthropic to immediately shut off access to two of its most powerful AI models — Claude Fable 5 and Claude Mythos 5 — citing national security concerns. Anthropic announced on X that it has complied, but it made clear it thinks the government got this one wrong.
    • “The directive, which Anthropic said it received on Friday [June 12] at 5:21 pm ET, forces the company to disable both models for all users worldwide — not just the foreign nationals the government’s export control order was nominally aimed at. Access to Anthropic’s other models isn’t affected.” * * *
    • “Fable 5, released just three days ago, was Anthropic’s answer to the obvious commercial pressure: a version of Mythos fitted with guardrails that block responses in high-risk areas like cybersecurity and biology, making it safe enough for general release, the company argued. It was immediately the most capable AI model available to the public, according to benchmark tests from Vals AI, a company that tracks AI tech performance.” * * *
    • “Anthropic is widely expected to pursue an IPO this year and has staked much of its public identity on being the safety-conscious alternative to its rivals. The irony isn’t lost on observers that the very caution Anthropic displayed in restricting Mythos — which it promoted as a model so dangerous it couldn’t be released publicly — has now apparently attracted exactly the kind of government scrutiny that could disrupt its business most.”

From the cybersecurity policy and law enforcement front,

  • Federal News Network reminds us,
    • “The Cybersecurity and Infrastructure Security Agency is restarting public engagements on delayed cyber incident reporting rules that will likely cover tens of thousands of critical infrastructure organizations.
    • “The meetings come as CISA faces pressure to issue the final regulations quickly, while some lawmakers and industry groups also want the agency to amend the draft rules to be less broad and burdensome.
    • “Starting Monday, CISA will host a series of virtual town halls to get feedback on the draft regulations to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The meetings will run through Wednesday.”
  • Cyberscoop reports,
    • “The Cybersecurity and Infrastructure Security Agency on Wednesday [June 10] ordered federal agencies to prioritize vulnerabilities based on four criteria, as part of push to “patch smarter, not harder.”
    • “Federal agencies should emphasize patches for vulnerabilities that affect a publicly exposed asset, allow an attacker to fully automate exploitation, give attackers the ability to take over control of a system or relate to evidence of active, real-world exploitation, CISA declared.
    • “CISA acting director Nick Andersen previewed the binding operational directive (BOD) Tuesday [June 9], framing it as a rethinking of vulnerability management more broadly.” * * *
    • “BOD 26-04 sets forth timelines for how quickly agencies must fix a vulnerability based on how many of the four criteria it meets. If it meets all four, for example, agencies need to fix it within three days and carry out a “forensic triage” to assess whether their systems were compromised.
    • “More generally, agencies must immediately update their vulnerability management policies, including establishing a process for ongoing remediation of known, exploited vulnerabilities (KEVs) on CISA’s “must-patch” list. Within 60 days, agencies need to update their processes for remediating common vulnerabilities, and within 180 days, agencies must meet the order’s remediation timelines.
    • “The directive is motivated in part by how artificial intelligence is shifting the window from vulnerability discovery to weaponization, and CISA said it reflects priorities in an executive order on AI that President Donald Trump signed last week.”
  • and
    • “The FBI, along with Google and Lumen Technologies, took down a major cybercrime network based in China that was responsible for an estimated $1.9 billion in losses, officials said Friday. 
    • “Outsider, which provided phishing kits and hosted infrastructure for cybercriminals since July 2023, facilitated a wave of phishing attacks against people and businesses in 55 countries, including the United States, the FBI said in a LinkedIn post.
    • “The jointly coordinated effort dubbed “Operation Ghost Hook” netted the seizure of several domains of the group’s core admin servers, a Shopify storefront, roughly $100,000 from Outsider payment wallets and thousands of domains registered through U.S.-based providers, officials said.
    • “The FBI said it also used an Outsider Telegram bot to access information on the cybercrime network’s customers.”
  • and
    • “A longtime former member of Conti, a ransomware group that attacked more than 1,000 organizations globally before it disbanded in 2022, pleaded guilty to participating in some of those attacks in federal court Wednesday [June 10], the Justice Department said.
    • “Oleksii Oleksiyovych Lytvynenko, also known as Alexsey Alexseevich Litvinenko, admitted he joined the prolific cybercrime group in September 2021 and held data on 12 victims, including eight based in the United States. The 44-year-old told the court he developed malware that Conti used in some of its attacks, according to officials.” 
  • Bleeping Computer adds,
    • “Law enforcement has dismantled the “AudiA6” cryptocurrency service allegedly used by ransomware actors and other cybercriminals to launder more than $380 million.
    • “Europol says that the service has been linked to more than 15 distinct international investigations of ransomware attacks.
    • “It is believed that the platform acted as a central money laundering hub between 2022 and 2025.”
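The BOD 26-04 prioritization described above (four criteria, all four met means a three-day fix plus forensic triage, with KEV-catalog membership standing in for the "active exploitation" criterion) lends itself to a small triage helper. This is an added example, not CISA's tooling or anything from the cited articles; the findings and exposure flags are constructed, only the CVE identifiers and KEV dates are taken from this page, and deadlines for the lower tiers are left unset because the page does not state them.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample of the KEV additions listed on this page (CVE -> date added).
KEV_CATALOG = {
    "CVE-2026-42271": date(2026, 6, 8),   # BerriAI LiteLLM
    "CVE-2026-50751": date(2026, 6, 8),   # Check Point Security Gateway
    "CVE-2026-7473": date(2026, 6, 9),    # Arista EOS
    "CVE-2026-11645": date(2026, 6, 9),   # Google Chromium V8
    "CVE-2026-20245": date(2026, 6, 9),   # Cisco Catalyst SD-WAN Manager
    "CVE-2026-10520": date(2026, 6, 11),  # Ivanti Sentry
    "CVE-2026-35273": date(2026, 6, 12),  # Oracle PeopleSoft PeopleTools
}

SAMPLE_TODAY = date(2026, 6, 13)  # constructed "today" for the worked run


@dataclass
class Finding:
    cve: str
    asset: str
    publicly_exposed: bool    # criterion 1: affects a publicly exposed asset
    fully_automatable: bool   # criterion 2: exploitation can be fully automated
    full_takeover: bool       # criterion 3: attacker can take control of the system


def criteria_met(f: Finding) -> int:
    """Count how many of the four BOD 26-04 criteria a finding meets.
    Criterion 4 (evidence of real-world exploitation) is derived from KEV membership."""
    return sum((f.publicly_exposed, f.fully_automatable, f.full_takeover, f.cve in KEV_CATALOG))


def triage(findings: list, today: date) -> list:
    """Rank findings by criteria count. Only the all-four tier (fix within three days and
    run a forensic triage) is given on the page; other tiers get due=None here."""
    ranked = []
    for f in sorted(findings, key=criteria_met, reverse=True):  # stable sort keeps ties in input order
        n = criteria_met(f)
        ranked.append({
            "cve": f.cve, "asset": f.asset, "criteria": n,
            "due": today + timedelta(days=3) if n == 4 else None,
            "forensic_triage": n == 4,
            "kev": f.cve in KEV_CATALOG,
        })
    return ranked


# Constructed findings; exposure/automation flags are illustrative, not vendor assessments.
SAMPLE = [
    Finding("CVE-2026-35273", "hr-peoplesoft-web", True, True, True),
    Finding("CVE-2026-11645", "analyst-laptop-17", False, False, False),
    Finding("CVE-2026-0274", "soc-xsoar-01", False, False, False),  # on the page, not in KEV
]

if __name__ == "__main__":
    for row in triage(SAMPLE, SAMPLE_TODAY):
        print(row)
```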

From the cybersecurity breaches and vulnerabilities front,

  • Bleeping Computer reports,
    • “Danish pharmaceutical giant Novo Nordisk, the world’s largest producer of insulin, disclosed a data breach affecting patient information from some clinical trials.
    • “Founded in 1923, Novo Nordisk now employs around 67,900 people across 80 offices worldwide and is the maker of viral GLP-1 receptor agonist drugs Wegovy and Ozempic.
    • “The company revealed on Thursday [June 11] that attackers gained access to its internal IT systems and data related to patients participating in some clinical trials, including their patient IDs (random alphanumeric strings) and information on trial participation, sex, year of birth, biomarkers, health/immunogenicity data, and lifestyle factors (e.g., smoking, alcohol use, BMI).
    • “However, Novo Nordisk said that this data was pseudonymized and that the attackers can’t use it to identify any affected patients by name.
    • “While our investigation and response are ongoing, we have discovered that certain non-public data, including personal data, was copied externally without authorisation. We are informing the impacted parties as appropriate,” the company said.”
  • HIPAA Journal tells us,
    • “Episource, a provider of medical coding, risk adjustment services, and software solutions, experienced a cyberattack in early 2025, in which files containing patient data were exfiltrated from its network. In June 2025, the forensic investigation had progressed, and it was confirmed that 5.4 million individuals had been affected.
    • “The investigation has since revealed the data breach was more extensive, involving unauthorized access to the electronic protected health information of 6,725,572 individuals, according to updated figures provided to the HHS’ Office for Civil Rights. With more than 6.7 million affected individuals, the data breach currently ranks as the third-largest healthcare data breach of 2025, behind the 13.9 million-record data breach at Aflac and the 62.2 million-record data breach at Conduent Business Services, and ranks as the 16th-largest healthcare data breach of all time. The threat group behind the incident remains unknown.”
  • Industrial Cyber relates,
    • “Global cyberattack activity eased in May 2026 following April’s sharp rebound, but the broader threat landscape remained volatile, according to research from Check Point Research. Organizations experienced an average of 2,055 weekly cyberattacks during the month, representing a 2% increase year-over-year despite a 7% decline from April. Education remained the most targeted sector, averaging 4,641 weekly attacks per organization, while government and telecommunications also continued to face elevated attack volumes. 
    • “The report noted notable year-over-year increases in attacks targeting agriculture, hospitality, travel, recreation, and construction sectors as digitalization expands across these industries. The most significant trend was a sharp rise in ransomware activity. Check Point recorded 698 ransomware attacks globally in May, a 48% increase compared to the same month last year and the highest year-over-year growth rate recorded in 2026. Business services accounted for 35% of all ransomware victims, while consumer goods and industrial manufacturing also experienced substantial increases. 
    • “The report found that ransomware activity has become increasingly fragmented, with 61 active groups operating during the month. Qilin emerged as the most active ransomware group, responsible for 14% of published attacks, followed by The Gentlemen and DragonForce.”
  • Dark Reading adds,
    • “Phishing attacks are down across most industries, yet researchers argue the phishing threat is higher today than ever, as the fewer attacks that are perpetrated are becoming more dangerous.
    • “In its 2026 annual phishing report, Zscaler researchers framed the trend not as a drop but as a “rebalancing” — threat actors moving from wide spray-and-pray campaigns to more focused attacks with higher conversion rates.”
  • CISA added seven known exploited vulnerabilities to its catalog this week.
    • June 8, 2026
      • CVE-2026-42271 BerriAI LiteLLM Command Injection Vulnerability
      • CVE-2026-50751 Check Point Security Gateway Improper Authentication Vulnerability
        • Infosec discusses the BerriAI KVE here.
        • Cybersecurity Dive discusses the Check Point KVE here.
    • June 9, 2026
      • CVE-2026-7473 Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
      • CVE-2026-11645 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
      • CVE-2026-20245 Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
        • Scorifya discusses the Arista KVE here.
        • Cybersecurity News discusses the Google KVE here.
        • Cybersecurity Dive discusses the Cisco KVE here.
    • June 11, 2026
      • CVE-2026-10520 Ivanti Sentry OS Command Injection Vulnerability
        • Dark Reading discusses this KVE here.
    • June 12, 2026
      • CVE-2026-35273 Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
        • Cyberscoop discusses this KVE here.
  • Info Security Magazine informs us,
    • “Cybersecurity software regularly fails to detect and prevent the cyber-attacks they are designed to protect organizations from, especially within the browser layer, research by Menlo Security has warned.
    • “Published on June 9, Menlo Security’s 2026 Browser Threat Report found that one in five phishing attacks which target the enterprise browser users go completely undetected by the tools which are supposed to protect the network and its users from attacks.
    • “Based on platform telemetry across millions of active browser sessions in enterprise customer environments between January 1 and March 31 2026, the research warned that threat actors are gaining entry to enterprise environments through the browser session layer.
    • “The problem, the paper said, is that attacks via the browser target areas which many traditional enterprise cybersecurity products are not designed to identify or prevent suspicious activity in.”
  • Cybersecurity Dive points out,
    • “Financial services organizations are widely using AI agents for common business operations, but many of them aren’t sure whether their AI tools have opened the door for hackers, according to a new report.
    • “Sixty-two percent of financial services firms have deployed AI agents, and 93% of those firms have given them some level of autonomy, the Cloud Security Alliance (CSA) said in its Tuesday report.
    • “The report’s authors said the main conclusion from their survey, which consisted of interviews with 340 global IT and security professionals between Jan. 15 and March 1, is that “financial institutions have deployed AI faster than they have secured it.”
  • Per Security Week,
    • “Palo Alto Networks drew attention to a high-severity security flaw in the Cortex XSOAR and Cortex XSIAM platforms that could allow attackers to access and modify restricted resources.
    • “Tracked as CVE-2026-0274, the issue is described as the improper validation of credentials in the CommvaultSecurityIQ integration of the affected products and does not require a special configuration to be triggered.
    • “The company also rolled out patches for eight medium and low-severity security defects in PAN-OS, Prisma Access Agent, Cortex XSOAR, and GlobalProtect App.
    • “Palo Alto Networks says it is not aware of any of these vulnerabilities being exploited in the wild.
    • “On Wednesday [June 10], Splunk published a dozen advisories detailing security weaknesses in its products and third-party libraries they use.”

From the ransomware front,

  • Health Exec reports,
    • “A health system in Mississippi has revealed a December 2025 data breach of its network resulted in records on 53,888 patients being stolen by hackers. Meanwhile an infamous cybercrime cell has claimed credit for the attack, posting proof on the dark web.
    • “Last month Singing River Health System reported official numbers from the incident to the U.S. Department of Health and Human Services’ Office for Civil Rights, which operates a data breach tracker. This came after an investigation into what it called a “cybersecurity incident” that staff at Singing River discovered a few days after cybercriminals were already inside its network.
    • “According to the health system, which said it worked with a third-party cybersecurity firm on its investigation, its network was compromised from Dec. 19 to 21, 2025, before the unauthorized access was discovered and containment protocols were deployed.” * * *
    • “Researchers at Comparitech released a report last week showing that Anubis—a cybercrime syndicate known for its ransomware attacks against healthcare entities—had claimed credit for the data breach in a post on its own dark web leak site.
    • “The group claims to have 293 GB of data from Singing River, much of it containing sensitive patient information. It posted samples to prove it had the goods, including what Comparitech described as “intimate images of surgeries and injuries.”
  • The Hacker News relates,
    • “A new analysis of The Gentlemen operation has revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis).
    • “According to a detailed report published by PRODAFT, the group, which it tracks as Phantom Mantis, is led by a Russian-speaking cybercriminal it calls LARVA-368, who goes by the online aliases hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. The Gentlemen is known to be active since March 2025, claiming a total of 478 victims to date, per data from Ransomware.Live.”
  • Cybersecurity Insiders tells us,
    • “In recent years, ransomware has evolved from simple file-encrypting malware into highly sophisticated cyber weapons capable of disrupting entire organizations. Among these emerging threats, Time Bomb Ransomware has gained significant attention due to its ability to remain dormant within systems before launching a coordinated attack. This delayed-execution strategy makes it particularly dangerous for backup engines, which serve as the last line of defense against data loss and cyber incidents.
    • “Time Bomb Ransomware operates by infiltrating an organization’s network and remaining undetected for an extended period. Instead of immediately encrypting files, the malware silently spreads across systems, identifies critical assets, and waits for a predetermined trigger date or condition. 
    • “During this dormant phase, it can infect data backup repositories, storage servers, and disaster recovery environments without raising suspicion. As a result, organizations may unknowingly back up infected data for weeks or even months, depending on the backup engine configuration that can range on weekly to monthly time intervals.
    • “The primary danger lies in the ransomware’s ability to compromise backup engines before activating its payload. Traditional backup solutions are designed to create multiple copies of data to ensure business continuity. However, when ransomware infiltrates these backup systems, it can encrypt, corrupt, or delete backup copies along with the primary data. Consequently, organizations lose their ability to recover information, forcing them to either pay the ransom or suffer significant operational disruptions.”

From the Cybersecurity defenses front,

  • The Wall Street Journal reports,
    • “Frontier artificial intelligence models, like Anthropic’s Mythos, are forcing organizations to rethink cybersecurity by rapidly identifying attack chains.
    • “Visa developed a “Mean Time to Adapt” metric and the VVAH framework to automate vulnerability fixing and testing.
    • “Mean Time to Adapt,” measures how quickly an organization identifies, triages and fixes vulnerabilities once discovered.
    • “The rapid AI-driven discovery of flaws creates pressure on organizations, especially smaller vendors and the public sector, to automate defenses.”
  • JP Morgan Chase suggests ten actions to take now for AI-ready cyber resilience.
    • Run the Latest Software Versions
    • Manage Assets and Software Components with Reference Data
    • Build and Operate a Robust Vulnerability Management Program
    • Stress Test Incident Response and Resiliency Plans
    • Know Your Major SaaS and Outsourced Dependencies
    • Optimize Change Management for Speed
    • Aggressively Filter Outbound Traffic from Production Systems
    • Remove Standing Privileges from Employee Entitlements
    • Manage Remote Access and Segment Where Possible
    • Embed Security into the AI Development and Deployment Lifecycle
  • Bleeping Computer adds,
    • “AI is transforming the speed and scale of cybercrime in ways traditional security operations were never designed to handle.
    • “Gartner predicts AI agents will cut the time it takes to exploit account exposures by 50% by 2027. Phishing campaigns that once took days to craft can now be generated in minutes, free of the telltale errors that once gave them away, while vulnerabilities that once required manual reconnaissance can now be identified and exploited automatically.
    • “For MSPs, the stakes are clear. Those still relying on a fragmented security stack will not just be slower to respond but will also struggle to prove to clients that their environments are fully protected.
    • “Keeping pace with AI-driven threats requires a more unified, AI-powered approach that strengthens security, simplifies operations and delivers greater value without putting additional pressure on margins.”
  • CSO raises “15 tough cybersecurity questions every CISO must answer.”
  • Here is a link to Dark Reading’s CISO Corner.
