Cybersecurity Saturday

From the renewed war with Iran front,

  • Dark Reading offers an opinion piece explaining that “Iran’s Cyber Crosshairs Focus Beyond Critical Infrastructure.”
    • “Obscurity isn’t a defense. If your company has any Internet-facing vulnerability, you’re at risk from multiple threats.” * * *
    • “The groups behind recent attacks, including Handala, Ababil of Minab, and others operating within Iran’s cyber-influence ecosystem, cloak themselves in the mask of cyber activism, or “hacktivism.” They are largely opportunistic. They aren’t specifically hunting targets; they are on “Shodan Safaris” hunting easily exploited vulnerabilities or insecure systems. A law firm or logistics hub with an exposed programmable logic controller or an unpatched VPN is an easy, appealing target.
    • “Many companies don’t realize how much of their infrastructure is externally accessible, or how little it takes to exploit what’s exposed. Handala, which the US Justice Department has attributed to Iran’s Ministry of Intelligence and Security, remotely wiped over 200,000 hosts in an attack on Stryker, a medical device manufacturer, in March. The incident disrupted manufacturing and impacted their first-quarter earnings. More recently, Ababil of Minab compromised Vyncs, a GPS tracking platform used across the logistics sector, taking systems offline and defacing its website. In the Stryker incident, the attack was likely made possible through credentials stolen via commodity malware and provided for sale via illicit channels — emphasizing the opportunistic nature of these events.”
  • Security Week adds,
    • “An Iran-linked advanced persistent threat (APT) actor has been using a modular command-and-control (C&C) framework in recent attacks targeting organizations in Israel, Check Point reports.
    • “Tracked as Cavern Manticore, the APT focuses on government entities and IT providers, and appears linked to Iran’s MOIS (Ministry of Intelligence and Security), with possible ties to the OilRig subgroup Lyceum (also known as Hexane and SiameseKitten).
    • ‘Cavern Manticore’s C&C framework includes an adaptable toolset built using .NET, with various compilation formats used across components, used as an anti-analysis layer.”

From the Project Glasswing front,

  • Crypto Briefing reports,
    • “The U.S. government has begun utilizing AI technology developed by Anthropic to identify vulnerabilities in its software systems. This initiative, part of Project Glasswing, leverages Anthropic’s Mythos model to detect bugs within hours, a significant improvement over traditional methods. Despite previous concerns over security risks associated with the Mythos model, its deployment underscores the government’s commitment to strengthening cybersecurity measures. The move is seen as a strategic effort to protect critical infrastructure and enhance national security.”
  • Bleeping Computer adds,
    • Microsoft says Windows users should expect to see an increase in security updates as the company increasingly relies on artificial intelligence to discover vulnerabilities in its codebase.
    • In a blog post published today, Microsoft said advances in AI have significantly accelerated vulnerability discovery, allowing engineers to identify more security issues before they can be exploited in zero-day attacks.
    • “The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues, faster, across more code, with new mechanisms that can accelerate both discovery and analysis,”  Microsoft said. * * *
    • “This announcement comes two days [July 8] after Reuters reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has begun using Anthropic’s Fable AI model to scan government software for vulnerabilities that cybercriminals or foreign intelligence services could exploit.
    • “According to the report, the AI-assisted code audits have already uncovered numerous vulnerabilities, though officials did not disclose how many or provide details on their severity.”
  • SC Media lets us know “what our industry learned the past 90 days since the Mythos announcement.”
    • “For years, security leaders have discussed the possibility that AI would eventually accelerate offensive cyber operations. Mythos transformed that discussion from a future-looking hypothesis into an immediate operational concern.
    • “Over the past three months, the industry has begun adjusting to a new reality. We no longer view AI simply as a productivity tool that helps developers write code or assists analysts with investigations. It’s emerged as a force multiplier for vulnerability discovery, capable of identifying weaknesses at a pace that challenges traditional security workflows. As the time between vulnerability discovery and exploitation shrinks, organizations are now forced to rethink long-standing assumptions about patch management, vulnerability prioritization, and cyber defense.
    • “This shift extends well beyond one AI model or one vendor. Whether organizations use commercial frontier models, open-weight alternatives, or internally developed AI systems, the underlying trend remains the same: AI has dramatically compressed the window defenders have to identify, validate, and remediate software flaws before attackers can weaponize them. In many ways, the security industry has entered an era in which the speed of decision-making may become just as important as the quality of detection.”

From the cybersecurity policy and law enforcement front,

  • On July 3, the Office of Management and Budget’s Office for Information and Regulatory Affairs posted the federal government’s 2026 unified regulatory agenda.
    • Fierce Healthcare tells us,
      • “Federal regulators have delayed a major overhaul of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, pushing back final action on the rule by a year.
      • “The Department of Health and Human Services (HHS) had proposed a May 2026 release for a final rule that makes significant changes to the HIPAA Security Rule and marks the first major update to the 23-year-old rule in more than 10 years.
      • “The U.S. Office of Management and Budget (OMB) website was updated and indicates that the final rule was pushed back to July 2027.”
    • Federal News Network lets us know,
      • “[The unified agenda] shows that the Cybersecurity and Infrastructure Security Agency expects to issue a final rule for the Cyber Incident Reporting for Critical Infrastructure Act in September 2026. Earlier this summer, CISA held a series of townhalls to get some final feedback on the regulations.” * * *
      • “Meanwhile, the Unified Agenda also shows that a federal contracting rule that standardizes cybersecurity requirements for unclassified IT systems will also be finalized in September 2026.
      • “The rule “will ensure federal information systems are better positioned to protect from cybersecurity threats by standardizing common cybersecurity contractual requirements across agencies for unclassified federal information systems,” according to the regulatory preview.
      • “And another federal contracting rule on “cyber threat and incident reporting and information sharing” is also projected to be finalized in September, the Unified Agenda shows.
      • “Both the CUI rule and the incident reporting rule have been long anticipated, with proposed rules dating back to 2023. They each represent landmark rules for the government contracting community, which is also grappling with the roll out of the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) requirements.
      • “The CMMC regulations went into effect late last year, but DoD has been slowly ramping up the requirements for third-party audits. This November, however, the requirement for a third-party CMMC assessment is expected to become standard in all applicable contracts.
      • “DoD also expects to shortly issue more details on how the cybersecurity standards that underpin CMMC will be updated.
      • “The Unified Agenda shows that this month, DoD will adopt an interim final rule for the CMMC program that details the deadline for shifting to the National Institute of Standards and Technology Special Publication 800-171 Revision 3. Currently, CMMC assessments are tied to Revision 2 of the NIST standards.”
  • Fedscoop informs us,
    • “Greg Barbaccia is stepping down as federal CIO and leaving government at the end of August, he said in an email to the CIO Council Tuesday [June 7, 026].
    • “I’m writing to share that I’ve made the difficult decision to leave government, and my time as Federal CIO is coming to an end,” Barbaccia wrote to CIOs on the council in his email, obtained by FedScoop. 
    • “Barbaccia, who joined the Trump administration as its top IT official in January 2025, said his last day in the role will be Aug. 31.
    • “Barbaccia’s departure comes just months after he brought on former Department of Education CIO Thomas Flagg to be his deputy. Flagg would be the default acting official with Barbaccia’s departure, a government chief information officer told FedScoop on the condition of anonymity to be more candid.”
  • Cyberscoop observes,
    • “The AI-focused executive order President Donald Trump signed last monthgave the Treasury Department, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency (CISA) 30 days to establish a new “AI cybersecurity clearinghouse.” The deadline passed last week.
    • “The clearinghouse is meant to coordinate the scanning, discovery, and validation of software vulnerabilities in critical infrastructure, and then prioritize how those vulnerabilities get patched and distributed.
    • “It’s the right problem to solve. The question now is whether what is created will actually solve it.”
  • and
    • “A major credential leak spurred the Cybersecurity and Infrastructure Security Agency to strengthen protections for its sensitive materials, improve how researchers can report agency vulnerabilities and develop plans for similar incidents, the agency said in a forensic report released Thursday.
    • The blog post outlines CISA’s response to the leak that the researcher who discovered it in May called one of the worst he had ever seen, which also drew congressional scrutiny.”
  • Cyberscoop adds,
    • “”A former ransomware negotiator for DigitalMint was sentenced to 70 months in jail for deceiving his employer’s clients and conspiring with ransomware affiliates to extort a combined $75.3 million from five U.S. companies he was entrusted to aid during their moments of extreme crisis, the Justice Department said Thursday. 
    • Angelo John Martino III shared confidential information he gained from his work as a ransomware negotiator, including victim organizations’ negotiating positions and insurance policy limits, to extract the maximum payment for himself and other BlackCat affiliates he colluded with in backchannels.”
  • and
    • “An Armenian national who was extradited from Ukraine to the United States last year pleaded guilty to participating in a series of attacks in 2019 and 2020 involving Ryuk ransomware, the Justice Department said Thursday.
    • “Karen Serobovich Vardanyan pleaded guilty to computer fraud and conspiracy to commit fraud and extortion. He agreed to pay nearly $1.2 million million in restitution and faces up to 15 years in jail.
    • “The 34-year-old admitted to participating in cybercrime from November 2019 to April 2020 when he and his co-conspirators deployed Ryuk ransomware against three U.S.-based organizations while living in Ukraine and Russia.”

From the cybersecurity breaches and vulnerabilities front,

  • Dark Reading reports,
    • “In February, a ransomware attack against the University of Mississippi Medical Center disrupted operations for more than two weeks. In March, a cyberattack on German medical-billing provider Unimed, which services 95% of the nation’s university hospitals and more than half of large clinics, resulted in the theft of sensitive health data for tens of thousands of patients.
    • “In the first half of 2026, cyberattacks on the healthcare sector jumped 14%, slightly more than the overall increase of 11% across all industries, according to data from technology research firm Comparitech. While healthcare providers — such as hospitals and doctors’ offices — saw a moderate rise in attacks, healthcare businesses suffered a significant increase of 35% compared with the second half of 2025 and 110% compared with the same six months from the previous year.
    • “Much of the shift in focus is likely because attackers have recognized that compromising a single provider can provide access to multiple hospitals, says Rebecca Moody, head of data research at Comparitech.”
  • Cybersecurity Dive relates,
    • “A threat actor claims to have stolen a vast trove of sensitive data from the consulting giant Accenture in a recent cyberattack.
    • “The compromised data includes source code, Microsoft Azure personal access tokens, RSA encryption keys and SSH keys, a hacker calling themselves “888” said in a dark-web post shared by Bleeping Computer.
    • “The actor says they hacked roughly 35GB of data from Accenture during the intrusion, which occurred in early July.
    • “Accenture downplayed the incident in a statement to Cybersecurity Dive.
    • “We are aware of this isolated matter and we have remediated its source,” spokesperson Peter Soh said. “There is no impact to Accenture operations and service delivery.”
    • “The stolen data could put Accenture and its clients at significant risk of further attacks. “Source code can help attackers understand internal application logic, identify weak implementation patterns, and search for hardcoded secrets or exploitable paths in custom systems,” the threat intelligence firm SOCRadar said in an analysis of the incident. Meanwhile, the exposed access keys could let hackers roam freely through code repositories and cloud storage services.”
  • and
    • “AssuranceAmerica, a closely held provider of auto and renters insurance, was the target of a cyberattack earlier this year that impacted more than 6.9 million customers, according to state regulatory filings. 
    • “The Atlanta-based firm said the incident was detected on March 17, stemming from an attack that targeted one of its employees a day earlier, according to a filing with the California Attorney General’s office. 
    • “An investigation found an unauthorized party gained access to the company’s IT department and copied a number of data files. The company said it notified law enforcement about the attack. 
    • “According to a filing with the Maine Attorney General’s office, the breach involved more than 6.9 million people. This included nearly 880 people within the state of Maine. The Maine AG discontinued posting new notices on its public site in June after its breach reporting system was the target of an attack.”
  • and
    • “An initial access broker weaponized a critical vulnerability known as CitrixBleed 2 in a series of attacks during the first half of 2026 across multiple organizations, according to a report released Thursday [July 9] by the security company Huntress. 
    • “After exploiting the vulnerability, the hackers escalated privileges, created rogue local administrator accounts and established persistence with legitimate remote access tools, including ScreenConnect and Zoho Assist. 
    • “About a half-dozen cases between January and June followed a consistent playbook. In the most advanced case, the attackers deployed DragonForce ransomware, Huntress researchers said.”
  • Healthcare Dive adds,
    • “AdaptHealth disclosed last week that a recent cyberattack resulted in patient data being stolen.
    • “A threat actor gained unauthorized access to company systems through a social engineering attack and exfiltrated data, including certain personally identifiable information, protected health information of patients and stored password files associated with insurance billing, according to a July 2 filing with the Securities and Exchange Commission.
    • “Based on information obtained to date, AdaptHealth believes that the threat actor gained unauthorized access to certain cloud-based business applications, including internal patient management systems and document storage platforms. The company also confirmed that certain external electronic health record system portals were accessed.”
  • CISA added six known exploited vulnerabilities to its catalog this week.
    • July 7, 2026 (two releases; “Per BOD 26-04, federal agencies are required to patch all four security weaknesses by July 10.”)
      • CVE-2026-48282 Adobe ColdFusion Path Traversal Vulnerability
      • CVE-2026-48908 JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability
      • CVE-2026-55255 Langflow Authorization Bypass Through User-Controlled Key Vulnerability  
      • CVE-2026-56290 Joomlack Page Builder Improper Access Control Vulnerability
        • Security Week discusses these KVEs here.
    • July 10, 2026
      • CVE-2026-48939 iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability
      • CVE-2026-56291 Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability
        • Mallory discusses these KVEs here.
  • Dark Reading adds,
    • “Microsoft has tackled yet another zero-day vulnerability published by a disgruntled security researcher with a vendetta against the software giant.
    • “On Wednesday, Microsoft issued an out-of-band patch for RoguePlanet, an elevation-of-privilege vulnerability in Windows Defender, tracked as CVE-2026-50656. The high-severity flaw, which received a 7.8 CVSS score from Microsoft, could allow an attacker to escalate privileges on a Windows device from a basic user to the highest SYSTEM-level access, which would give them complete control over the device.” * * *
      “Despite a public exploit being available for RoguePlanet, it’s unclear if the vulnerability has been exploited in the wild. Microsoft’s updated advisory states the flaw has not been exploited, and CISA has not added CVE-2026-50656 to its Known Exploited Vulnerabilities (KEV) catalog. Qualys, meanwhile, published a threat report on June 18 stating that RoguePlanet has been “exploited in attacks,” though no details were provided.”
  • Security Week relates,
    • “Organizations across multiple sectors have been targeted in a vishing campaign aimed at harvesting Microsoft 365 credentials, Okta warns.
    • “The campaign started in April and has involved voice calls directing the victims to fake Microsoft Entra ID login pages under the pretense that they need to register a new passkey.
    • “Tracked as O-UNC-066 and also known as CL-CRI-1147 and Pink, the hacking group has been targeting automotive, aviation, construction, food and beverage, healthcare, and technology organizations, mainly for data extortion.
    • “As part of the observed attacks, the threat actor has been registering domains incorporating the word ‘passkey’, and has been directing victims to pages that closely mirror the Microsoft passkey enrollment process.
    • “It appears engineered to convince a targeted user they are in the process of enrolling a passkey with Microsoft, while the threat actor simultaneously registers their own passkey in the targeted user’s Microsoft account,” Okta says.”
  • and
    • “A critical prompt injection vulnerability in GitHub Agentic Workflows could allow unauthenticated attackers to leak private repository data, Noma Labs warns.
    • “GitHub Agentic Workflows allows users to write workflows in natural language using markdown files that an AI agent will use as GitHub Actions, thus automating the interaction with code repositories.
    • “Because of the security defect, named GitLost, unauthenticated attackers can hide indirect prompts in crafted GitHub Issues posted on the public repositories of an organization that also maintains private repositories, and the AI agent will follow the instructions.”

From the ransomware front,

  • Cybersecurity Dive reports,
    • “Ransomware activity grew slightly between the first and second quarters of 2026 but significantly year over year, and there were more hacker groups active during April, May and June than in any previous quarter, researchers said on Thursday [July 9].
    • “Cybercrime actors claimed breaches of 2,279 victims in Q2 2026, a 7% increase over Q1 2026 but a 43% year-over-year increase compared with Q2 2025, GuidePoint Security said in a quarterly report.
    • “The Qilin ransomware gang led the quarter, accounting for 13% of attacks, but the relatively new group The Gentlemen has grown quickly and now accounts for almost as much activity, GuidePoint said.” * * *
    • “Qilin, The Gentlemen, Akira and DragonForce compromise what GuidePoint calls the “four-headed monster” of high-volume ransomware groups. The lack of a “singular monolithic figure” could make the ransomware community more resilient to law-enforcement takedowns, the security firm said, because there are now “multiple franchises poised to absorb displaced affiliates if another were to disappear overnight.”
  • Tech Crunch relates,
    • “Last week, researchers at cloud security firm Sysdig said they’d documented the first known case of “agentic ransomware.” It was an extortion operation, dubbed JadePuffer, in which an AI agent — not a human — handled the technical execution of a real-world cyberattack from start to finish. The agent broke into a vulnerable server, stole credentials, moved through the target’s network, encrypted files, and even wrote its own ransom note, adapting to obstacles along the way like a human hacker would. Coverage of the operation described it as run “without any human oversight,” with “no human at the keyboard.”
    • “That’s not quite the full picture. In an interview on Monday with CyberScoop, Sysdig’s Michael Clark, the company’s senior director of threat research, clarified that a human was still very much involved — just not in the technical execution. “A human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim,” Clark said. The credentials used to break into the victim’s database, he added, weren’t harvested by the AI agent itself; someone obtained them separately, through a prior compromise, and handed them to the operation.
    • “None of this contradicts Sysdig’s original claim, and the technical details of the attack remain notable on their own — wild, even. The agent got in through a known bug in Langflow, a popular open source tool for building LLM apps, then moved on to a production MySQL server and exploited another known flaw to gain admin access. It encrypted over 1,300 configuration records and not only left behind a ransom note that it wrote itself but it left a Bitcoin address where the ransom could be sent. Sysdig hasn’t disclosed who was targeted.”
  • Dark Reading tells us,
    • “A newly rebranded ransomware outfit is sneaking malware into American organizations using a malicious yet Microsoft-approved driver.
    • “Researchers at Symantec recently observed a cyberattack from a group known as “Hyadina.” Hyadina is a 4-year-old ransomware-as-a-service (RaaS) operation with a new locker, “GodDamn,” an iteration on its previous lockers, “Beast” and “Monster.” It typically attacks American organizations, and it also has a distinct distaste for former Soviet countries. Its targets have spanned sectors that include healthcare, manufacturing, education, and wherever else it finds opportunity.
    • In a recent case against an unidentified organization, Hyadina used a smorgasbord of dual-use hacking tools, including legitimate remote monitoring and management (RMM) software, and more than a dozen penetration testing programs. The real kicker, though, was a malicious program with kernel access on Windows, capable of killing any and all processes, including security software.

From the cybersecurity business and defenses front,

  • Cybersecurity Dive reports,
    • “U.S. companies are merging cyber risk issues into their overall enterprise risk strategy, at a time when AI adoption and business resilience are leading to significant shifts in business priorities, according to a report released Tuesday [July 7] by Information Services Group, a technology research and advisory firm.
    • “Cybersecurity is increasingly seen as a business-critical concern, as companies accelerate their adoption of agentic AI and transform much of their technology and data infrastructure to hybrid or multicloud environments. 
    • “Enterprise leaders are closely integrating cyber spending decisions with overall IT strategy. In addition, C-suite and board members are taking greater accountability for business continuity, financial exposure and regulatory compliance.”
  • Info-Security Magazine relates,
    • “Chris Betz has officially taken the helm as the new CISO of Google Cloud. Transitioning from his previous role as Google’s VP of infrastructure security, Betz is stepping up to lead the company’s security posture at a critical turning point in the industry.
    • “In his very first interview since assuming the CISO title [which is found in the article], he shared his vision on the role generative AI will play in defending global enterprises.
    • “Coinciding with his transition, Betz published a key blog post on the Google Cloud blog titled Cloud CISO Perspectives: The 4 lessons that guided AI threat defense. In the article, he lays out Google’s playbook for using AI to defend against AI, advocating for a multi-model approach, robust security harnesses and the irreplaceable value of human expertise in modern cyber defense.”
  • Tech Target offers “a roadmap to zero trust maturity.”
    • “Transforming an organization to take on a zero-trust posture is no small affair. A phased, thoughtful approach can bolster security while supporting business outcomes.”
    • “Zero trust is not a product, control or single technology deployment; it’s a strategic architecture and operating model designed to reduce risk and improve the security posture of organizations that have traditional, perimeter-based security models. Perimeter-based models — which assume clearly defined “inside” and “outside” boundaries — fail to address modern threats because they were designed for a world that no longer exists.
    • “Zero trust relies on three foundational principles:
      • “Explicit verification. Every access request is authenticated and authorized using components such as user identity, device health, location and behavior.
      • Least-privilege access enforcement. Users and devices receive only the minimum access required, and only for as long as needed.
      • Assume breach. Security operates under the assumption that attackers are already present, with controls designed to limit access and damage.”
  • and sugggests an approach for “evaluating secure enterprise browsers vs. security plugins
    • “Malicious actors have long targeted and exploited browser vulnerabilities. The widespread adoption of AI increases the risk, forcing CISOs to reevaluate browser security options.” * * *
    • “In this moment of renewed attention to browser security and the risks of it failing, CISOs face two options for improving browser security: deploying secure enterprise browsers and deploying browser security plugins.”
  • Here is a link to Dark Reading’s CISO Corner.

Leave a Reply

Your email address will not be published. Required fields are marked *