From the cybersecurity policy and law enforcement front,
- Federal News Network tells us,
- “The House Homeland Security Committee plans to convene in early September to mark up a reauthorization bill for a soon-to-expire cybersecurity law that’s viewed as critical to cyber collaboration across government and industry.
- “In a statement, House Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.) confirmed the committee will mark up a reauthorization bill for the Cybersecurity Information Sharing Act of 2015 once Congress returns from August recess.
- “Reauthorizing the Cybersecurity and Information Sharing Act is essential as the deadline nears and as threats evolve,” Garbarino said. “The House Committee on Homeland Security plans to mark up our legislative text for its reauthorization shortly after Congress returns from recess in September. In a 10-year extension, I will preserve the privacy protections in the law, and I aim to provide enhanced clarity to certain pre-existing provisions to better address the evolving threat landscape.”
- “CISA 2015, as it’s known, expires at the end of September. The law provides liability protections and privacy guardrails to especially encourage private sector organizations to voluntarily share data with each other and government agencies.”
- Cybersecurity Dive reports,
- “The Cybersecurity and Infrastructure Security Agency (CISA) has updated its recommendations for the minimum features of a software bill of materials (SBOM), the latest step in the agency’s campaign to encourage transparency in the software market.
- “The updates and additions included in this document will better position Federal Government agencies and other SBOM consumers to address a range of use cases, understand the generation process, and improve data quality,” CISA said in the new publication, which it released on Thursday [August 21].” * * *
- “The publication, which is open for public comment through Oct. 3, is aimed primarily at government agencies but is also designed to help other organizations understand what to expect from their vendors’ SBOMs.”
- and
- “The National Institute of Standards and Technology [NIST] wants public feedback on a plan to develop guidance for how companies can implement various types of artificial intelligence systems in a secure manner.
- “NIST on Thursday [August 14] released a concept paper about creating control overlays for securing AI systems based on the agency’s widely used SP 800-53 framework. The overlays are designed to help ensure that companies implement AI in a way that maintains the integrity and confidentiality of the technology and the data it uses in a series of different test cases.
- “The agency also created a Slack channel to collect community feedback on the development of the overlays.”
- Per NIST news releases,
- “NIST SP 800-171, R3, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems, is a set of recommended security requirements for protecting the confidentiality of CUI.
- “NIST has released a supplementary small business primer to SP 800-171, R3 to help smaller, under-resourced organizations better protect CUI.” * * *
- “This is the first part of an effort to begin breaking down components of 800-171, R3 for the small business community. Future resources will expand upon the primer’s content.”
- and
- “NIST has released the initial public draft (IPD) of Special Publication (SP) 1331, Quick-Start Guide for Using CSF 2.0 to Improve the Management of Emerging Cybersecurity Risks, for public comment. The document highlights the topic of emerging cybersecurity risks and explains how organizations can improve their ability to address such risks through existing practices within the cyber risk discipline in conjunction with the NIST Cybersecurity Framework (CSF) 2.0. The guide also emphasizes the importance of integrating these practices with organizational enterprise risk management (ERM) to proactively address emerging risks before they occur.
- “The comment period is open through September 21, 2025, at 11:59 PM. Please send your feedback about this draft publication to csf@nist.gov.”
- Per an HHS news release,
- “Today [August 18], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BST & Co. CPAs, LLP (“BST”), a New York public accounting, business advisory, and management consulting firm, concerning a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. BST is a HIPAA business associate and receives financial information that also contains protected health information (PHI) from a HIPAA covered entity.” * * *
- “The settlement resolves an investigation of BST that OCR initiated after receiving a breach report that BST filed on February 16, 2020. BST reported that on December 7, 2019, BST discovered that part of its network was infected with ransomware, impacting the PHI of its covered entity client. OCR’s investigation determined that BST had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by BST.
- “Under the terms of the resolution agreement, BST agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $175,000 to OCR.”
- Cybersecurity Dive informs us,
- “Federal prosecutors on Tuesday [August 19] charged an Oregon man for allegedly running a global botnet-for-hire operation called Rapper Bot that used hacked IoT devices to conduct large-scale distributed denial-of-service (DDoS) attacks.
- “Authorities charged Ethan Foltz, 22, with one count of aiding and abetting computer intrusions. Police executed a search warrant at Foltz’s house on Aug. 6, shut down the botnet and took control of its infrastructure, according to the U.S. Department of Justice.
- “Rapper Bot allegedly used between 65,000 and 95,000 infected devices for DDoS attacks that often measured between two and three terabits per second. The largest attack may have exceeded six terabits per second, prosecutors said.
- “Rapper Bot was “one of the most powerful DDoS botnets to ever exist,” said Michael Heyman, the U.S. attorney in Alaska, where authorities believe the botnet infected at least five devices.”
- Cyberscoop adds,
- “A 20-year-old Florida man received a 10-year federal prison sentence Wednesday for his role in the notorious Scattered Spider cybercrime organization, marking the first conviction of a member from the group responsible for breaching more than 130 major companies.
- “Noah Michael Urban, 20, of Palm Coast, Fla., pleaded guilty to conspiracy, wire fraud and aggravated identity theft charges in two separate federal cases spanning Florida and California. A federal judge sentenced Urban to 120 months in prison with three years of supervised release and ordered him to pay $13 million in restitution to victims.
- “The sentence exceeded federal prosecutors’ recommendation of eight years, reflecting the scope of Urban’s criminal activities that investigators say caused between $9.5 million and $25 million in total losses.”
From the cybersecurity vulnerabilities and breaches front,
- The American Hospital Association News informs us,
- “The FBI Aug. 20 released an advisory warning of malicious activity by Russian cyber actors targeting end-of-life devices running an unpatched vulnerability in Cisco Smart Install software. The agency said the actors, attributed to the Russian Federal Security Service’s Center 16, have been detected collecting configuration files for thousands of networking devices associated with U.S. entities across critical infrastructure sectors. On some devices, the files were modified to enable unauthorized access to the devices. The vulnerability was initially publicized in 2018.
- “If you have vulnerable equipment in your network, please pay particular attention to ensuring that it is patched and running as securely as possible,” said Scott Gee, AHA deputy national advisor of cybersecurity and risk. “It is recommended that hospitals also make this equipment a priority for replacement since it’s no longer supported for updates by Cisco. It is also a good time to review the process for patch management and equipment upgrades, particularly focusing on patching known exploited vulnerabilities. The Cybersecurity Infrastructure and Security Agency maintains a catalog of KEVs.”
- CISA added two known exploited vulnerabilities to that catalog this week.
- August 18, 2025
- CVE-2025-54948 Trend Micro Apex One OS Command Injection Vulnerability
- Cybersecurity News discusses this KEV here.
- August 21, 2025
- CVE-2025-43300 Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability
- Cyberscoop discusses this KEV here.
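The KEV catalog the AHA advisory points to is published by CISA as a JSON feed, and the practical use of it is matching the entries against what you actually run. The following Python script is an added example for this digest, not code from CISA or from any outlet quoted above. It matches a small asset inventory against entries in the feed's shape (the field names cveID, vendorProject, product, vulnerabilityName and dateAdded are the feed's); the two entries are constructed for offline use from the CVE ids, names and dates listed above, while the vendor/product strings, the inventory and the hostnames are assumptions.

```python
"""Match an asset inventory against KEV-shaped catalog entries.

Added example, not CISA's or any vendor's code. Field names follow the public
KEV JSON feed; the sample document below is CONSTRUCTED for offline use. Only
the CVE ids, vulnerability names and dateAdded values come from the digest;
vendorProject/product strings are assumptions.
"""
import json
from datetime import date

# Constructed KEV-style sample (two entries cited in the text, nothing else).
SAMPLE_KEV_JSON = """
{
  "title": "CONSTRUCTED sample in KEV feed shape",
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-54948",
      "vendorProject": "Trend Micro",
      "product": "Apex One",
      "vulnerabilityName": "Trend Micro Apex One OS Command Injection Vulnerability",
      "dateAdded": "2025-08-18"
    },
    {
      "cveID": "CVE-2025-43300",
      "vendorProject": "Apple",
      "product": "iOS, iPadOS, and macOS",
      "vulnerabilityName": "Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability",
      "dateAdded": "2025-08-21"
    }
  ]
}
"""

# Hypothetical inventory; hostnames and platform strings are assumptions.
INVENTORY = [
    {"host": "epp-mgr-01", "vendor": "trend micro", "product": "Apex One"},
    {"host": "exec-laptop-07", "vendor": "Apple", "product": "macOS"},
    {"host": "core-sw-02", "vendor": "Cisco", "product": "IOS"},
]


def _norm(text):
    """Lower-case and collapse whitespace so vendor/product strings compare loosely."""
    return " ".join(text.lower().split())


def load_kev(raw_json):
    """Parse a KEV-shaped document and return its list of vulnerability entries."""
    return json.loads(raw_json)["vulnerabilities"]


def match_inventory(entries, inventory):
    """Return one finding per (asset, entry) pair where the vendor matches exactly
    and the asset's product name occurs inside the entry's product field.

    Substring matching on product is deliberately loose (KEV product fields
    often bundle several platforms); tighten it against your own inventory
    naming before relying on a clean result.
    """
    by_vendor = {}
    for entry in entries:
        by_vendor.setdefault(_norm(entry["vendorProject"]), []).append(entry)

    findings = []
    for asset in inventory:
        for entry in by_vendor.get(_norm(asset["vendor"]), []):
            if _norm(asset["product"]) in _norm(entry["product"]):
                findings.append({
                    "host": asset["host"],
                    "cveID": entry["cveID"],
                    "name": entry["vulnerabilityName"],
                    "dateAdded": entry["dateAdded"],
                })
    # Newest catalog additions first: those are the ones to patch this week.
    findings.sort(key=lambda f: (f["dateAdded"], f["cveID"]), reverse=True)
    return findings


def added_since(entries, since_iso):
    """Entries whose dateAdded is on or after the ISO date string given."""
    since = date.fromisoformat(since_iso)
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= since]


def main():
    entries = load_kev(SAMPLE_KEV_JSON)
    print(f"{len(added_since(entries, '2025-08-18'))} entries added this week")
    for f in match_inventory(entries, INVENTORY):
        print(f"{f['host']}: {f['cveID']} ({f['dateAdded']}) {f['name']}")


if __name__ == "__main__":
    main()
```

Against the real feed you would replace SAMPLE_KEV_JSON with the downloaded catalog and INVENTORY with an export from your asset management system; the Cisco switch in the sample produces no finding only because the constructed document has no Cisco entry, which is exactly the kind of gap a stale local copy of the catalog would hide.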
- Cyberscoop adds,
- “The Chinese state-backed threat group Silk Typhoon has raised the pace of attacks targeting government, technology, legal and professional services in North America since late spring, according to CrowdStrike.
- “We were calling this jokingly, ‘the summer of Murky Panda,’ because we’ve seen so much activity from them over the last couple of months,” said Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, using the firm’s nomenclature for the cyberespionage group.
- “CrowdStrike has worked on more than a dozen cases involving Murky Panda during the past few months, including two active incident response cases, Meyers said. The group, which has been active since at least 2023, is “one of the top-tier Chinese threats that we’ve been seeing a lot this summer,” he said.
- “Murky Panda exemplifies how Chinese attackers are gaining access to victim networks and infrastructure via vulnerabilities, unmanaged devices, the cloud and pivots between cloud services.
- “The group’s advanced techniques in cloud environments are evident, as it enables prolonged access and lateral movement to downstream victims by abusing delegated administrative privileges in cloud solution providers, CrowdStrike said in a research report released Thursday [August 21].”
- Bleeping Computer reports,
- “Hackers have stolen the personal information of 1.1 million individuals in a Salesforce data theft attack, which impacted U.S. insurance giant Allianz Life in July.
- “Allianz Life has nearly 2,000 employees in the United States and is a subsidiary of Allianz SE, which has over 128 million customers worldwide and ranks as the world’s 82nd largest company based on revenue.
- “As the company disclosed last month, information belonging to the “majority” of its 1.4 million customers was stolen by attackers who gained access to a third-party cloud CRM system on July 16th.” * * *
- “On Monday, data breach notification service Have I Been Pwned revealed the extent of the incident, reporting that the email addresses, names, genders, dates of birth, phone numbers, and physical addresses of 1.1 million Allianz Life customers were stolen during the breach.
- “Bleeping Computer has also confirmed with multiple people affected by this breach that their data (including their tax IDs, phone numbers, email addresses, and other information) in the leaked files is accurate.
- “Many other high-profile companies worldwide were also breached in this campaign, including Google, Adidas, Qantas, Louis Vuitton, Dior, Tiffany & Co., Chanel, and, most recently, human resources giant Workday.”
- Cybersecurity Dive notes,
- “The attack [on WorkDay] follows a string of social-engineering intrusions linked to ShinyHunters, a hacker group associated with an underground cybercrime collective known as The Com. The Com also has ties to the notorious hacker team Scattered Spider, which has targeted companies in multiple industries over the past several months, including retail, insurance and aviation.
- “ShinyHunters has launched numerous attacks in recent months targeting Salesforce instances, according to researchers at Google. The group targeted one of Google’s own Salesforce instances earlier this month.
- “Reliaquest recently published evidence of possible collaboration between ShinyHunters and Scattered Spider, including ticket-themed phishing domains and Salesforce credential-harvesting pages.”
- Per Dark Reading,
- “In this interview from Black Hat USA 2025, Philippe Laulheret, a senior vulnerability researcher at Cisco Talos, discusses his discovery of the “ReVault” vulnerability affecting millions of Dell business laptops.
- “Laulheret found that the Control Vault (also called a unified secure hub) — a control board connecting peripherals like fingerprint readers and smart card readers to Dell Latitude and Precision laptops — contained multiple security flaws that allow any user to communicate with the board through undocumented APIs, potentially leading to memory corruption, code execution, extraction of secret keys, and permanent firmware modification.”
- Per Bleeping Computer,
- “Six major password managers with tens of millions of users are currently vulnerable to unpatched clickjacking flaws that could allow attackers to steal account credentials, 2FA codes, and credit card details.
- “Threat actors could exploit the security issues when victims visit a malicious page or websites vulnerable to cross-site scripting (XSS) or cache poisoning, where attackers overlay invisible HTML elements over the password manager interface.
- “While users believe they are interacting with harmless clickable elements, they trigger autofill actions that leak sensitive information.
- “The flaws were presented during the recent DEF CON 33 hacker conference by independent researcher Marek Tóth. Researchers at cybersecurity company Socket later verified the findings and helped inform impacted vendors and coordinate public disclosure.
- “The researcher tested his attack on certain versions of 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce, and found that all their browser-based variants could leak sensitive info under certain scenarios.”
- and
- “A new infostealer malware targeting Mac devices, called ‘Shamos,’ is targeting Mac devices in ClickFix attacks that impersonate troubleshooting guides and fixes.
- “The new malware, which is a variant of the Atomic macOS Stealer (AMOS), was developed by the cybercriminal group “COOKIE SPIDER,” and is used to steal data and credentials stored in web browsers, Keychain items, Apple Notes, and cryptocurrency wallets.
- “CrowdStrike, which detected Shamos, reports that the malware has attempted infections against over three hundred environments worldwide that they monitor since June 2025.”
From the ransomware front,
- Cybersecurity Dive reports on August 20,
- “The pharmaceutical and biotechnology company Inotiv Inc. is investigating a cyberattack that led to hackers encrypting the firm’s data, it said in a filing on Monday with the U.S. Securities and Exchange Commission.
- “The Aug. 8 attack disrupted access to certain data storage and business applications, according to Inotiv. The company said it is working to bring certain systems back online and has moved some operations to offline alternatives in order to maintain business continuity.
- “The company has restricted access to its systems, retained third-party experts and notified law enforcement, according to its SEC filing.” * * *
- “The hackers behind the Qilin ransomware have claimed credit for the attack, according to researchers at Huntress and Kroll.”
- Bleeping Computer adds on August 22,
- “Kidney dialysis firm DaVita has confirmed that a ransomware gang that breached its network stole the personal and health information of nearly 2.7 million individuals.
- “DaVita serves over 265,400 patients across 3,113 outpatient dialysis centers, 2,660 in the United States, and 453 centers in 13 other countries worldwide. The company reported revenues of over $12 billion in 2024 and of $3.3 billion for the second quarter of 2025.
- “In April, the healthcare provider revealed in a filing with the U.S. Securities and Exchange Commission (SEC) that its operations were disrupted after attackers partially encrypted its network over the weekend.
- “According to a dedicated website with more information regarding the resulting data breach, the attackers gained access to DaVita’s network on March 24 and were evicted after the company detected the incident on April 12.” * * *
- “Although the kidney dialysis firm hasn’t linked the attack to a specific ransomware operation, the Interlock ransomware gang claimed responsibility for the breach in late April.
- “Interlock also leaked the allegedly stolen data on its dark web portal after negotiations with DaVita had failed, claiming it had stolen roughly 1.5 terabytes of data from the company’s compromised systems, or nearly 700,000 files containing what appeared to be sensitive patient records, insurance details, user account information, and financial data.”
- Dark Reading points out that “Researchers highlight how Warlock, a new ransomware heavyweight, uses its sophisticated capabilities to target on-premises SharePoint instances.”
From the cybersecurity business and defenses front,
- Cybersecurity Dive reports,
- “Enterprise software spending will sustain double-digit growth through 2029, according to Forrester projections. Vendor revenues grew 11% on average during the first quarter of the year, the analyst firm said in a July report.
- “Infrastructure software spend will lead the charge, increasing 13.3% over the next four years, as enterprises stock up on cloud services, security tools and AI capabilities. The market for application software, a category that includes IT operations management, enterprise resource planning, and supply chain tools, will see slower growth of 9.5%, the firm said.
- “Database management services will help shore up software market growth, as enterprises lay the groundwork for generative AI and agentic automation tools. The firm previously estimated off-the-shelf AI governance software spend to more than quadruple from 2024 to 2030, nearing $16 billion and capturing 7% of the software market.”
- and
- “Many business leaders still aren’t following cybersecurity best practices to protect their organizations from costly intrusions, according to a report that the consulting giant Unisys published on Tuesday [August 21].
- “Only 62% of organizations have or are setting up a zero-trust network architecture, only 61% are prioritizing post-incident recovery and only 45% deploy or plan to deploy managed detection and response software.
- “Only 42% of organizations said they use or plan to use digital identity and access management services, which are considered essential for stopping attacks that exploit legitimate credentials.”
- Dark Reading informs us,
- “Cyber insurers are testing out new ways to hold policyholders accountable for outdated security, limiting payouts when policyholders fall prey to attacks that use older vulnerabilities or take advantage of holes in the organizations’ defenses.
- “Potential risk-limiting approaches include a sliding scale of accountability — and payouts — based on an unpatched vulnerability’s half-life, or whether a company failed to fix a critical vulnerability within a certain number of days, according to a blog post penned by cyber insurer Coalition, which does not support such approaches. Dubbed CVE exclusions, after the Common Vulnerabilities and Exposures (CVE) system widely used to assign identifiers to software security issues, the tactic is not yet widely adopted, and most examples are from insurers outside the US, the firm stated.
- “The limits could start showing up in companies’ policies, however, if demand for cyber insurance continues to grow, creating a seller’s market, says John Coletti, head of cyber underwriting at Coalition.
- “While we will not name names, there are specific examples of this occurring within the industry,” he says. “A company should be highly skeptical of buying a policy with a CVE exclusion.”
- Info-Security Magazine relates,
- “The US National Institute of Standards and Technology (NIST) has published new guidelines it claims will help organizations optimize their efforts to detect face morphing software.
- “Face morphing is a type of deepfake technology that enables threat actors to blend the photos of two people into a single image. In doing so, it simplifies identity fraud by tricking face recognition systems into erroneously identifying an image as belonging to both original individuals.
- “In this way, individual A can assume the identity of individual B and vice versa, NIST said.
- “The new report, Face Analysis Technology Evaluation (FATE) MORPH 4B: Considerations for Implementing Morph Detection in Operations (NISTIR 8584), offers an introduction to the topic and key detection methods.
- “It focuses mainly on the pros and cons of various investigatory techniques, and ways to prevent morphs from entering operational systems in locations such as passport application offices and border crossings.”
- Here is a link to Dark Reading’s CISO Corner.
