Cybersecurity Saturday

From the Project Glasswing front,

  • Politico reports on June 18,
    • “The White House and Anthropic are working on a framework that would assess the severity of security flaws in new AI models and guide potential government intervention, according to a senior White House official and an administration official familiar with the matter granted anonymity to discuss it.
    • “The effort comes after the White House imposed export controls on Anthropic, which forced the company to suspend access for all users to Fable 5 and Mythos 5, its latest powerful AI models over a perceived security flaw, known in the industry as a jailbreak.
    • Administration officials and Anthropic CEO Dario Amodei disagreed over the severity of the jailbreak, POLITICO previously reported, but the technology has outpaced the government infrastructure to define and assess such disputes.
    • “The attempt to create a standardized method to evaluate this and future such incidents underscores how the administration is racing to establish guardrails for new and powerful models that some fear can, if left unchecked, threaten economic and national security.
    • “The negotiations between Anthropic and the administration also reflect an understanding that no AI model can be completely immune to hacking — part of Anthropic’s initial defense of its model — and that government should lay out the rules for companies to measure security risks by, a sentiment relayed by other leading AI companies and country leaders at G7 meetings earlier this week in France.”
  • Bloomberg adds also on June 18,
    • “Some firms have preserved their access to a preview version of the Mythos AI model through Project Glasswing, despite a US government order.
    • “Businesses including banks and technology firms are accessing Mythos Preview to hunt for cyber vulnerabilities, with companies like Dragos Inc. and Cisco Systems Inc. confirming they have access.
    • “The US government order led to the shutdown of other versions of the Mythos AI model, but it didn’t explicitly address the Preview version, and Anthropic hasn’t directly addressed its availability.”
  • Cyberscoop points out,
    • “While Washington D.C. frets over the potential impact of Anthropic’s Claude Fable 5, security researchers continue to track how the integration of frontier AI tools is transforming the digital security landscape for malicious hackers and defenders alike.
    • “The breakneck speed of model releases may be creating short, silent security gaps for developers who must choose between performance and security, according to a new report.”
  • Cybersecurity Dive notes
    • “More than one-fifth of organizations running macOS networks have lost money or experienced a cyberattack because of their use of AI tools, according to a report that network management vendor Jamf released on Tuesday.
    • “Roughly six in 10 macOS-based organizations expect an AI-related incident in the near future, the survey found.
    • “The report, based on interviews with 687 IT and security leaders managing macOS network environments, also describes system administrators’ AI implementation priorities, the largest areas of risk they face and Jamf’s recommendations for mitigating those risks.”

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “U.S. cybersecurity resilience in the face of sophisticated threats from China and other adversaries will increasingly depend on critical infrastructure’s ability to weather major disruptions, a top U.S. cyber official said Wednesday.
    • “Each and every one of us is operating right now on the front lines of a war that is never going to be cleared,” Nick Andersen, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), said at ICS Village and the Institute for Security and Technology’s Critical Effect conference.
    • “We are going to see an adversarial disruption of our critical infrastructure,” Andersen said. “It’s going to have significant not just technical impact, it’s going to have a significant psychological impact on the safety of the American people. … We need to start operating like that’s the reality of where we’re at — that we’re not going to be able to keep everything persistently online and available as much as we would like.”
    • “CISA’s emphasis on resilience marks a shift from earlier government cybersecurity doctrines that focused on preventing intrusions. In recent years, advanced nation-state hacking campaigns — especially Beijing’s Volt Typhoon espionage operation — have increasingly convinced government and industry strategists that their primary goal should be ensuring that infrastructure can continue operating during an attack.”
  • Federal News Network adds,
    • “A new White House memo aims to strengthen the cybersecurity of sensitive government systems by centralizing oversight of those systems, while also setting aggressive deadlines for updating incident response procedures and other policies.
    • “In a national security presidential memorandum signed out Friday, President Donald Trump re-establishes and updates the Committee on National Security Systems (CNSS), a decades-old interagency body that sets security policies for military and intelligence systems, as well as systems that process classified information. It charges the committee with leading a policy aimed at fostering “a proactive, adaptive, and resilient cybersecurity ecosystem for all NSS to better safeguard the nation against persistent cyber threats from sophisticated adversaries.”
    • “The memo gives the committee the power to establish “baseline cybersecurity requirements” for all national security systems. It formalizes the director of the National Security Agency’s role as the “national manager” for national security systems. That role involves identifying emerging threats and providing minimum security protections, including through emergency directives.
    • “The memo includes the federal chief information officer on the reconstituted CNSS body, along with the deputy national manager at the NSA and the CIOs at the Defense Department and the intelligence community, respectively.
    • “It also mandates that national security systems should meet or exceed the level of cybersecurity standards issued by the National Institute of Standards and Technology.”
  • Cyberscoop relates,
    • “Authorities on Thursday [June 18] disrupted a botnet, a malware framework and seized infrastructure that Evil Corp and other cybercrime groups used to steal data and break into various networks.
    • “The globally coordinated effort targeted SocGholish, multi-stage malware that has compromised websites, redirected users to traffic distribution systems (TDS) and slipped malware into their networks since 2017.
    • “The malware establishes an initial foothold into victim computers, collectively known as a botnet, and is then used by threat actors for further targeting with ransomware campaigns and espionage,” the FBI’s cyber division said in a statement. 
    • “Cybersecurity firms, researchers and officials from the United States, Canada, Germany, the Netherlands and Europol took down 106 servers and remediated nearly 15,000 sites that were infected with the malware. Officials also disabled the botnet and notified victims.
    • “Sites infected with SocGholish, which are primarily hosted on WordPress, were widespread and provided everyday services including restaurants and auto repair shops, according to the Dutch National Police.
    • “The botnet, also known as “FakeUpdates,” is linked to the Russian cybercrime group Evil Corp. It also provided initial access to other ransomware variants, including DoppelPaymer, WastedLocker, Hades Ransomware, LockBit, RansomHub and others, according to Infoblox, which participated in the takedown.”
  • Per an HHS news release,
    • “The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) today announced a settlement with Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans (the Plan), the employer-sponsored group health plan of Spencer Gifts LLC, a national retail company, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.” * * *
    • “The settlement resolves an investigation that OCR initiated after the Plan filed a breach report on January 24, 2022. The Plan had received employee complaints that employees were unable to connect to the virtual private network. The Plan discovered that in November 2021, an unauthorized actor accessed the company’s network and deployed ransomware, encrypting data on the company’s systems, including servers storing the Plan’s PHI, and demanding a ransom. The PHI of 10,023 individuals was potentially affected by the breach, including health plan members’ names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers.” * * *
    • “The resolution agreement and corrective action plan can be found at: https://www.hhs.gov/sites/default/files/ocr-ra-cap-spencer.pdf [PDF, 654 KB].”
  • Security Week tells us,
    • “A Ukrainian national pleaded guilty in a US court to his role in the notorious Conti ransomware group, the Department of Justice announced.
    • “The man, Oleksii Oleksiyovych Lytvynenko, 44, of Cork, Ireland, was arrested in Ireland in 2023 and was extradited to the US in October 2025 to face Conti-related charges.
    • “Lytvynenko admitted in court to joining the Conti operation in September 2021 and working on the development of a malware loader for the group. He also admitted to possessing data from 12 victims, including eight in the US.
    • “Authorities in the US believe that the Ukrainian national continued to engage in cybercriminal activities after the Conti operation shut down.
    • “Lytvynenko pleaded guilty to wire fraud conspiracy and faces up to 20 years in prison. He is scheduled for sentencing on September 10, 2026.
    • “One of the most prolific ransomware groups half a decade ago, Conti was used in attacks against over 1,000 organizations in the US and abroad between 2020 and 2022.”

From the cybersecurity breaches and vulnerabilities front,

  • Tech Target identifies the largest healthcare data breaches so far reported to HHS OCR this year.
  • Dark Reading reports,
    • “A recent — and likely massive — breach at Novo Nordisk, where attackers reportedly gained an initial foothold using a single GitHub access token, underscores how code repositories and developer environments have become ground zero for attackers seeking intellectual property, credentials, and software supply chain assets.
    • “Novo Nordisk, the Danish pharmaceutical giant behind blockbuster drugs Ozempic and Wegovy, disclosed the breach June 11 after detecting unauthorized access to what it claimed were a “limited number of its internal IT systems.” 
  • Bleeping Computer relates on June 19,
    • “The Texas Parks and Wildlife Department (TPWD) disclosed a data breach at its license system vendor that exposed personal information for more than three million individuals.
    • “The Texas Cyber Command discovered the intrusion and launched an investigation to determine the extent and impact of the unauthorized access. The state authority found that Social Security Numbers (SSNs), dates of birth, or any financial information, such as credit cards, have not been impacted.
    • “However, the threat actor may have obtained personally identifiable information that includes the data types [identified in the article] associated with 3,087,721 Texas hunting and fishing license customers,
  • and
    • “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers to secure their devices after nearly 74,000 firewall and VPN credentials were exposed in a data leak dubbed “FortiBleed.”
    • “This warning comes after threat actors used compromised credentials to target internet-accessible Fortinet devices across government and private-sector organizations worldwide.
    • “CISA is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials,” it said.
    • “This activity, referred to as FortiBleed, involves the exposure of leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and virtual private network (VPN) gateways.”
    • “The agency called on affected FortiGate appliance owners to terminate all SSL VPN and administrative sessions, reset all VPN and administrative passwords, enable phishing-resistant multifactor authentication, and review logs for signs of unauthorized access or lateral movement.
    • “CISA also advised Fortinet customers to store admin credentials using the modern Password-Based Key Derivation Function 2 (PBKDF2) hashing algorithm, and to restrict firewall management interfaces from public internet access and remove any unauthorized accounts to reduce the attack surface as much as possible.”
  • CISA added four known exploited vulnerabilities to its catalog this week.
    • June 15, 2026
      • CVE-2026-20262 Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
      • CVE-2026-54420 LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability
        • Security Affairs discusses these KEVs here.
    • June 16, 2026
      • CVE-2026-48907 Widget Factory Joomla Content Editor Improper Access Control Vulnerability
        • Bleeping Computer discusses this “patch by Sunday June 21” KEV here.
    • June 18, 2026
      • CVE-2026-20253 Splunk Enterprise Missing Authentication for Critical Function Vulnerability
        • Bleeping Computer discusses this “patch by Sunday June 21” KEV here.
  • Security Week informs us,
    • Microsoft on Wednesday published an advisory acknowledging the public disclosure of a vulnerability in Defender that could lead to privilege escalation.
    • The security defect, now tracked as CVE-2026-50656 (CVSS score of 7.8), was dropped last week by security researcher Nightmare Eclipse (also known as Chaotic Eclipse).
    • “Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as ‘RoguePlanet’,” the tech giant’s advisory reads.
    • “We are working to provide a high-quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available,” Microsoft adds.
    • RoguePlanet, Nightmare Eclipse explained last week, targets a race condition in Microsoft Defender and allows attackers to gain System privileges.
    • The researcher released a proof-of-concept (PoC) exploit that demonstrates local privilege escalation (LPE) on Windows 11 and Windows 10 systems with the June 2026 patches installed.
  • and
    • “Cybersecurity firms Huntress and Recorded Future have disclosed the impact of a supply chain attack that hit market intelligence platform Klue.
    • “The attack started on June 11 and affected systems associated with software platform integrations. The hackers connected to Klue’s backend servers and executed unauthorized commands, pushing a code update to harvest OAuth tokens for customers’ Klue integrations.
    • “Klue notified customers of the incident on June 12, warning that it had deactivated OAuth tokens for all customers and disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.
    • According to ReliaQuest, the hackers abused the Salesforce REST API to exfiltrate large volumes of customer relationship management (CRM) data over a 24-hour window, “including a concentrated burst of nearly a thousand queries in 15 minutes and sustained extraction windows lasting over 6 hours”. * * *
    • “On Thursday [June 18], both Huntress and Recorded Future confirmed that they were among the companies affected by the supply chain attack.”
  • The Wall Street Journal reports,
    • “Millions of digital home devices in the U.S. have pre-installed backdoor software, creating residential proxy networks used by nation-state hackers to mask cyberattacks.
    • “Government agencies from nine countries warned that Chinese state-sponsored hackers use these networks to conduct operations, making attribution challenging.
    • “Midnight Blizzard, a Russian hacking group that broke into Microsoft, used residential proxy networks to steal Microsoft 365 credentials by logging in from U.S. home networks.” * * *
    • “This is a bigger problem because of the sheer numbers,” said Noopur Davis, Comcast’s head of information security. It is one of the most worrying problems the telecommunications company has seen, she said.
    • “[This story explains how to protect yourself from a sneaky back door that can let hackers into your home.]”
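As an added illustration of the exfiltration pattern ReliaQuest describes in the Klue item above (a burst of nearly a thousand queries in 15 minutes and sustained extraction windows lasting over 6 hours), the following Python, written for this page and not taken from any of the cited articles or vendors, runs two simple detections over a constructed set of CRM REST API access events; the actor names, endpoint path and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed API access events (timestamp, actor, endpoint); not real data.

    One legitimate integration polls every 10 minutes; a compromised
    integration token issues a 15-minute burst of 950 queries and then
    pulls data every 30 seconds for about seven hours.
    """
    base = datetime(2026, 6, 11, 2, 0, 0)
    endpoint = "/services/data/vNN.N/query"  # assumed query endpoint
    events = []
    for i in range(144):  # normal sync: 10-minute cadence for a day
        events.append((base + timedelta(minutes=10 * i), "crm-sync", endpoint))
    for i in range(950):  # burst: 950 queries inside 15 minutes
        events.append((base + timedelta(hours=3, seconds=0.9 * i),
                       "integration-token-abc", endpoint))
    for i in range(7 * 120):  # sustained: one query every 30 s for ~7 hours
        events.append((base + timedelta(hours=4, seconds=30 * i),
                       "integration-token-abc", endpoint))
    return events


def _times_by_actor(events):
    by_actor = defaultdict(list)
    for ts, actor, _endpoint in events:
        by_actor[actor].append(ts)
    for times in by_actor.values():
        times.sort()
    return by_actor


def max_queries_in_window(events, window=timedelta(minutes=15)):
    """Per actor, the largest query count seen in any sliding time window."""
    result = {}
    for actor, times in _times_by_actor(events).items():
        best, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1  # slide the window forward
            best = max(best, end - start + 1)
        result[actor] = best
    return result


def longest_sustained_run(events, max_gap=timedelta(minutes=5)):
    """Per actor, the longest stretch of activity with no silence over max_gap."""
    result = {}
    for actor, times in _times_by_actor(events).items():
        longest, run_start = timedelta(0), times[0]
        for prev, cur in zip(times, times[1:]):
            if cur - prev > max_gap:
                longest = max(longest, prev - run_start)
                run_start = cur
        result[actor] = max(longest, times[-1] - run_start)
    return result


def flag_exfiltration(events, burst_threshold=500, window=timedelta(minutes=15),
                      sustained=timedelta(hours=6), max_gap=timedelta(minutes=5)):
    """Return {actor: [reasons]} for actors matching either extraction pattern."""
    bursts = max_queries_in_window(events, window)
    runs = longest_sustained_run(events, max_gap)
    findings = {}
    for actor in bursts:
        reasons = []
        if bursts[actor] >= burst_threshold:
            reasons.append(f"{bursts[actor]} queries within {window}")
        if runs[actor] >= sustained:
            reasons.append(f"sustained activity for {runs[actor]}")
        if reasons:
            findings[actor] = reasons
    return findings


if __name__ == "__main__":
    for actor, reasons in flag_exfiltration(build_sample_events()).items():
        print(actor, "->", "; ".join(reasons))
```

On real OAuth-integration logs the same two measures (peak rate per token and longest uninterrupted pull) give a per-token baseline against which a revoked-and-reissued token's first hours can be compared.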

From the ransomware front,

  • Industrial Cyber reports,
    • “CYFIRMA reported that healthcare organizations are facing an increasingly hostile cyber threat environment, with ransomware emerging as the sector’s most significant risk. Over the past 90 days, healthcare accounted for 216 verified ransomware victims, representing 9.05% of ransomware victims globally and ranking the sector third among 14 industries. The report found that ransomware attacks against healthcare increased 8.5% quarter over quarter, with April alone recording 90 victims, well above the sector’s previous six-month average. 
    • “In a new report, CYFIRMA identified healthcare victims in 42 countries, up from 33 in the prior period, while 50 of 81 active ransomware gangs targeted healthcare organizations, highlighting broad criminal interest in hospitals, pharmaceutical firms, and specialized medicine providers. The report also warned that nation-state activity and supply chain risks are compounding the threat landscape. Healthcare organizations appeared in 10 of 33 observed advanced persistent threat (APT) campaigns, up from three of 19 campaigns in the previous reporting period. North Korea-linked Lazarus Group led observed activity, while Russia-, China-, and Iran-linked actors also targeted the sector. 
    • “The researchers further noted that web applications, operating systems, web portals, and access management platforms remain key targets as attackers pursue credential theft and patient data. The company further identified supply chain concentration as a defining structural risk, warning that breaches involving specialized healthcare IT providers can cascade across multiple hospitals and healthcare networks simultaneously, amplifying operational disruption and cyber exposure.” 
  • Security Week relates,
    • “Commercial printing and imaging technologies company Kodak has confirmed suffering a data breach after the ShinyHunters cybercrime group claimed to have stolen information from its systems. 
    • “Kodak was named on the ShinyHunters website on June 15, with the hackers claiming to have obtained more than 2.2 million records of customer personal information and other corporate data. 
    • “The hackers threatened to leak the stolen data on June 18 unless the company pays a ransom.
    • Contacted by SecurityWeek, Kodak said it’s conducting an investigation with the aid of external cybersecurity experts and promised to share additional information “as appropriate”.
    • “Kodak recently discovered that an unauthorized third party illegally gained access to a limited amount of company data,” said a spokesperson for Kodak.
    • “Although our investigation is ongoing, we are confident the incident was limited in scope and has been contained and that there is no threat to our systems or operations as a result of the incident,” the spokesperson added. “We have also notified law enforcement and are continuing to support their investigation.”
  • Dark Reading tells us,
    • “INC is a ransomware group that has excelled in the ransomware-as-a-service (RaaS) space through doing the basics effectively — alongside a bit of good timing.
    • “Researchers with security vendor Acronis today published a blog post covering RaaS gang INC, a group that emerged in 2023 and has claimed more than 800 victims to date. INC is a ransomware actor that greatly benefited from the shutdown of ALPHV/BlackCat and the disruption of LockBit; this is an attribute shared with other ascendant gangs, such as The Gentlemen.”
    • “And according to the Acronis Threat Research Unit (TRU), the group is one of the most active of its kind right now. On the surface, INC doesn’t stand out so much. It’s a double extortion ransomware actor (meaning it uses encryption and data leaking to get victims to pay up), drawing victims from manufacturing, legal services, healthcare, technology, construction, and educational sectors, among others. The group appears to have a certain preference for organizations with especially sensitive data to add extra extortion pressure.”
  • Bleeping Computer adds,
    • “The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks.
    • “The gang employs a collection of EDR-killing tools, most notably a utility that researchers dubbed GentleKiller. The tool has at least eight variants and impersonates various legitimate security products, including Kaspersky, Valorant, Javelin, and WatchDog.
    • “The gang is using a suite of EDR killers, the most frequently used being a custom tool that researchers named GentleKiller, which has at least eight variants impersonating various legitimate products.
    • “An EDR killer is typically used to disable defenses in the early phases of an attack, and in ransomware incidents, they ensure that data theft or encryption processes run unencumbered.
    • “These tools work by leveraging the ‘bring your own vulnerable driver’ (BYOVD) technique to elevate privileges and disable security engines.”
  • and
    • “DragonForce ransomware used a custom malware named ‘Backdoor.Turn’ to hide command-and-control traffic inside Microsoft Teams relay infrastructure.
    • “The backdoor abuses the Traversal Using Relays around NAT (TURN) protocol used by Microsoft Teams to distribute messages when a direct connection to the client is unavailable (e.g., clients on a private network).
    • “DragonForce is a ransomware operation active since at least 2023 that adopted a cartel-style organizational structure and has been linked to the infamous Scattered Spider threat group.”

From the cybersecurity business and defenses front,

  • Cyberscoop reports,
    • “Accenture announced Thursday it would acquire a majority stake in industrial cybersecurity firm Dragos for $3.25 billion and purchase two smaller security companies outright, essentially making a $4.18 billion bet that defending the IT networks of power grids, pipelines, factories and critical infrastructure sectors will become one of the defining challenges of the AI era.
    • “The deals — which also include two Austin, Texas-based companies, runZero and NetRise — represent a significant strategic pivot for Accenture toward operational technology (OT) security, a segment of the cybersecurity market that has long been underfunded relative to traditional IT defenses. The announcement comes as the consulting giant faces pressure on its core business from the same AI tools reshaping the threat environment it is now moving to address.”
  • HIPAA Journal adds,
    • “Compliancy Group has acquired Healthicity in a deal that combines two healthcare compliance software companies and expands Compliancy Group’s platform to include healthcare compliance, workforce compliance, risk assessment, third-party risk management, incident management, provider auditing, coding auditing, and documentation auditing.
    • “The acquisition was announced on June 17, 2026. Financial terms of the transaction were not disclosed. Compliancy Group said the combined organization will serve more than 3,000 healthcare organizations across the United States and selected global markets.”
  • Dark Reading advises,
    • “Get Out of Security Debt by Tackling the Exposure Problem.
      • “Teams digging out of security debt need to answer only two simple questions: Which vulnerabilities in our systems are exposed, and how long should they stay that way?”
  • Tech Target adds,
    • “It’s time to update incident response for the AI era”
    • “Your latest cybersecurity incident might not be a threat actor, but an internal AI agent doing what it’s authorized to do. Incident response must evolve to accommodate AI.”
  • ZDNet offers
    • “10 signs that someone is monitoring or accessing your accounts – how to stop them
      • “Learn how to spot the signs of account monitoring and compromise – and take back control.”
  • and
    • “5 steps to ensure HIPAA compliance on mobile devices
      • “HIPAA compliance on mobile devices depends on governing access to PHI across both managed and personal endpoints. Here are five steps to achieving compliance in clinical settings.”
  • Security Week lets us know about
    • “AI and Cybersecurity – Everything You Wanted to Know, But Were Afraid to Ask
      • “From defending networks to enabling attacks, artificial intelligence is changing every aspect of cybersecurity. Here’s what dozens of experts say security leaders need to understand now.”
  • Here’s a link to Dark Reading’s CISO Corner.
