From the cybersecurity policy and law enforcement front,
- Nextgov/FCW reports,
- “A top Cybersecurity and Infrastructure Security Agency official said the agency is prepared to accept any extension Congress authorizes for a fundamental cybersecurity threat intelligence-sharing law, which is set to expire Sept. 30 unless renewed by lawmakers.
- “We’ll take whatever the Congress decides to authorize us, wherever they see fit within their purview, to authorize and to give us our authorities to be able to use,” Nick Andersen, CISA’s executive assistant director for cybersecurity, told reporters Thursday [September 11] on the sidelines of the Billington Cyber Summit.
- “The Cybersecurity Information Sharing Act of 2015 lets private sector providers freely transmit cyber threat information to government partners with key liability protections in place, shielding firms from lawsuits and regulatory penalties when sharing threat data with the government.
- “So at this point, I think my primary concern is if it lapses,” Andersen added. “Give us 30 days for the Congress to do what they need to do. Give us two years. Give us ten years. Give us 50. Whatever you take, we’ll take it. Obviously, we love stability for the organization and stability for our partners to understand how we’re going to protect and exchange information. But really, that’s up to Congress.”
- Cyberscoop tells us,
- “The Cybersecurity and Infrastructure Agency is delaying finalization of a rule until May of next year that will require critical infrastructure owners and operators to swiftly report major cyber incidents to the federal government, according to a recent regulatory notice.
- “Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, CISA was supposed to produce a final rule enacting the law by October of this year. But last week, the Office of Management and Budget’s Office of Information and Regulatory Affairs published an update that moved the final rule’s arrival to May 2026.
- “A CISA official told CyberScoop that the move would give the agency time to consider streamlining and reducing the burden on industry of a previously proposed version of the rule, citing public comments in response to that version, as well as harmonizing the law with other agencies’ cyber regulations.”
- Cybersecurity Dive lets us know,
- “National Cyber Director Sean Cairncross said [on September 9] the Trump administration plans a whole-of-nation approach in order to combat the threat of malicious cyberattacks from the U.S.’s top geopolitical rivals.
- “Cairncross delivered the opening keynote at the Billington Cybersecurity Summit, saying the administration will push forward an aggressive new posture to counter the risks presented by authoritarian regimes like China.” * * *
- “The Billington keynote marks the first major public remarks by Cairncross since he won Senate confirmation to lead the Office of the National Cyber Director in August.”
- FedScoop informs us,
- “The U.S. government’s acting chief information security officer outlined his three priorities for federal cyber officials over the next year at a cybersecurity event in Washington on Tuesday [September 9], emphasizing the need for collaboration across the government.
- “During a fireside chat at the Billington Cybersecurity Summit, acting cyber chief Michael Duffy said focusing enterprise cyber defense, increasing operational resilience, and securing a modern U.S. government are the areas he’s outlined as priorities for the next year in conversations with the federal cyber leaders on the CISO Council.
- “He also previewed an upcoming tabletop exercise the CISO Council will be doing in the next month to address operational resilience.”
- Cybersecurity Dive points out,
- “The Cybersecurity and Infrastructure Security Agency said it remains firmly committed to supporting and further enhancing the Common Vulnerabilities and Exposures program, which is a critical program for identifying and mitigating software flaws that can expose computer systems to exploitation.
- “Nick Andersen, the new executive assistant director for cybersecurity at CISA, expressed staunch support for the CVE program during a discussion on Thursday at the Billington Cybersecurity Summit in Washington, D.C.
- “CISA on Wednesday [September 10] released a road map that outlined its priorities for the CVE program, with the full intention to further develop the program and create a plan for robust funding and wider participation.
- Andersen told reporters after the presentation that it’s “exceedingly important” for CISA to be able to grow and expand the program.
- “The feedback that we’ve gotten consistently is people are looking for somebody to call objective balls and strikes out there,” Andersen said.
- Per Federal News Network,
- “The Pentagon will soon issue more details on its much-hyped effort to “blow up” the Risk Management Framework used to accredit software.
- “Katie Arrington, who is performing the duties of the Defense Department chief information officer, said DoD will unveil the “10 commandments” of the “new RMF” in the next couple of weeks. DoD’s work to revamp how it accredits software has been a top discussion point in federal technology circles in recent months.
- “It’s the 10 tenets of the new RMF,” Arrington said at the Billington Cyber Summit on Thursday.
- Cyberscoop notes,
- “The Department of Justice unsealed an indictment against a Ukrainian national alleged to be central to a ransomware campaign affecting hundreds of companies worldwide.
- “Volodymyr Viktorovych Tymoshchuk, known online as “deadforz,” “Boba,” “msfv,” and “farnetwork,” is accused of developing and deploying ransomware variants Nefilim, LockerGoga, and MegaCortex, all of which have been used in attacks on prominent organizations in the United States, Europe, and elsewhere since at least 2018.
- “According to the indictment, filed in the Eastern District of New York, Tymoshchuk and his alleged co-conspirators are believed to have extorted more than 250 companies across the U.S. and hundreds more globally, generating tens of millions of dollars in damages. Victims suffered not just the loss of data and disabling of business operations, but high mitigation and recovery costs. * * *
- “Additionally, the State Department announced rewards totaling up to $10 million for information leading to the arrest or conviction of Tymoshchuk, with a separate reward of up to $1 million for information on other key leaders of the groups deploying the ransomware variants.”
From the cybersecurity vulnerabilities and breaches front,
- CISA added one known exploited vulnerability to its catalog this week.
- September 11, 2025
- CVE-2025-5086 Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability
- Bleeping Computer discusses this KEV here.
- Cybersecurity Dive reports,
- “A sophisticated phishing-as-a-service operation has been targeting Google and Microsoft accounts and can bypass traditional defense mechanisms, including multifactor authentication, researchers at Okta Threat Intelligence warned in a blog post on Thursday.
- “The phishing operation, dubbed VoidProxy, uses adversary-in-the-middle techniques to bypass normal authentication flow.
- “Researchers first learned of attacks linked to the operation in January, but Dark Web advertisements for VoidProxy appear to have begun as early as August 2024, according to Okta researchers. The attacks are ongoing, and Okta said they have targeted valuable accounts.” * * *
- “Google agrees with recommendations in the Okta report that users should adopt passkeys as a strong method to protect against phishing, the spokesperson added.
- “Microsoft declined to comment, however a spokesperson provided a link with general mitigation guidance.”
- Dark Reading adds,
- “A recent phishing campaign that used the Salty2FA phishing kit demonstrates how the cybercriminal enterprise continues to evolve to the point where adversarial tools are nearly on par with enterprise-grade software, experts said.
- “Researchers from Ontinue tracked a campaign using the phishing kit that shows various technical innovations in which cybercriminals are approaching phishing infrastructure “with the same methodical planning that enterprises use for their own systems,” Rhys Downing, an Ontinue threat researcher, wrote in a blog post published Tuesday.”
- CSO tells us,
- “Attackers are increasingly exploiting generative AI by embedding malicious prompts in macros and exposing hidden data through parsers.
- “The switch in adversarial tactics — noted in a recent State of File Security study from OPSWAT — calls for enterprises to extend the same type of protection they already apply to software development pipelines into AI environments, according to experts in AI security polled by CSO.
- “Broadly speaking, this threat vector — ‘malicious prompts embedded in macros’ — is yet another prompt injection method,” Roberto Enea, lead data scientist at cybersecurity services firm Fortra, told CSO. “In this specific case, the injection is done inside document macros or VBA [Visual Basic for Applications] scripts and is aimed at AI systems that analyze files.”
- “Enea added: “Typically, the end goal is to mislead the AI system into classifying malware as safe.”
- Per InfoSecurity Magazine,
- “People are often described as one of the biggest security threats to any organization. At first glance, it would be hard to argue with such a sweeping statement.
- “Whether the result of malice or negligence, the ‘human element’ featured in around 60% of data breaches over the past year, according to Verizon. A recent spate of attacks targeting corporate Salesforce instances highlights the evolving nature of the social engineering threat – and just what’s at stake.
- “The challenge for CISOs is that insider risk is not just about negligence. Those intent on wrongdoing are usually harder to spot and exact a much heavier toll on their employer. To coincide with International Insider Threat Awareness Month, we take a look at what CISOs can do to push back the tide.”
- Check it out.
From the ransomware front,
- Here are links to updates on recovery from the ransomware attacks against the State of Nevada and the City of St. Paul, Minnesota.
- Per Security Week,
- “Ransomware remains the primary digital threat to business. Phishing, often the initial point of failure, further expands into voice triggered transfer fraud.
- “An analysis of risk based on cyberinsurance claims history provides an accurate overview of the true risk of cybercrime. It doesn’t provide a full global picture of risk since it can only be drawn from known cyberinsurance claims. Resilience is a cyberinsurance provider with a deep knowledge of cybersecurity.
- “There are three major takeaways from the 2025 Midyear Cyber Risk Report produced by Resilience: vendor-related risk is down but still significant; ransomware remains the main threat; and phishing has leapt to clear prominence as the most common point of failure (aided in scale and sophistication by AI).
- “The report notes a reduction in vendor-related risk (down from 22% of incurred losses in 2024 to 15% in H1 2025), but stresses that the downstream loss to affected companies remains high. “While incidents dropped in frequency, clients who experienced business interruption from a vendor-related incident had significant losses that rivaled losses from companies directly affected by ransomware.” This is an unseen risk that can only be addressed by continuously monitoring the vendors’ security posture.”
- Per Check Point Research,
- “First observed on September 5, Yurei is a newly emerged ransomware group that targeted a Sri Lankan food manufacturing company as its first leaked victim. The group follows a double-extortion model: they encrypt the victim’s files and exfiltrate sensitive data and then demand a ransom payment to decrypt and refrain from publishing the stolen information.
- “Check Point Research (CPR) determined that Yurei’s ransomware is derived with only minor modifications from Prince-Ransomware, an open-source ransomware family written in Go. This highlights how open-source malware significantly lowers the barrier to entry for cybercriminals, enabling even less-skilled threat actors to launch ransomware operations.
- “Yurei’s ransomware contains a flaw that may allow partial recovery through Shadow Copies, but the group primarily relies on data-theft-based extortion. As they state on their blog, the fear and implications of data leakage are their main pressure point to get victims to pay the ransom.
- “Since the first victim was listed on September 5, the number of victims has risen to three so far, pointing to a fast-growing operation.
- “The investigation revealed hints that the threat actor’s origins may be in Morocco.”
- Per Cyberscoop,
- “Researchers and authorities are warning that Akira ransomware attacks involving exploits of a year-old vulnerability affecting SonicWall firewalls are on the rise.
- “A burst of about 40 attacks linked to CVE-2024-40766 hit SonicWall firewalls between mid-July and early August. Researchers have since observed another wave of ransomware attacks linked to active exploits of the defect, which affects the secure sockets layer (SSL) VPN protocol in multiple versions of SonicWall firewalls, and configuration errors.
- “Rapid7 has responded to a “double-digit number of attacks” related to the vulnerability and a series of misconfigurations in victim environments, the company said, expanding on a blog it published earlier this week.
- “The Australian Cyber Security Centre also issued an advisory Wednesday noting that it, too, is responding to a recent increase in active exploitation of the defect. “We are aware of the Akira ransomware targeting vulnerable Australian organizations through SonicWall SSL VPNs,” the agency said.”
- Per PC World,
- “It’s a story almost as old as time: malware is wreaking havoc on Android devices again. Usually, Android malware aims to steal sensitive data and passwords in order to gain access to online accounts. Less commonly, it installs ransomware to extort large sums of money from users.
- “A particularly dangerous malware variant that combines both techniques has now been discovered by security experts at ThreatFabric. Known as RatOn, the Trojan infiltrates an Android phone, accesses data, empties bank accounts, then locks the device to blackmail the owner.” * * *
- “In the case of RatOn, the Trojan likely lands on Android devices through fake apps. Users are redirected to pages that imitate the Google Play Store, where attackers offer applications disguised as common social media apps like TikTok—except it’s malware.” * * *
- To protect yourself, you should always check whether an app comes from a trustworthy provider. You should also always activate Google Play Protect in the Google Play Store so that apps are scanned for viruses and malware before they’re installed on your device.
- Bleeping Computer warns,
- “A recently discovered ransomware strain called HybridPetya can bypass the UEFI Secure Boot feature to install a malicious application on the EFI System Partition.
- “HybridPetya appears inspired by the destructive Petya/NotPetya malware that encrypted computers and prevented Windows from booting in attacks in 2016 and 2017 but did not provide a recovery option.
- “Researchers at cybersecurity company ESET found a sample of HybridPetya on VirusTotal. They note that this may be a research project, a proof-of-concept, or an early version of a cybercrime tool still under limited testing.
- Cyberscoop adds,
- “Researchers at New York University have taken credit for creating a piece of malware found by third-party researchers that uses prompt injection to manipulate a large language model into assisting with a ransomware attack.
- “Last month, researchers at ESET claimed to have discovered the first piece of “AI-powered ransomware” in the wild, flagging code found on VirusTotal. The code, written in Golang and given the moniker “PromptLock,” also included instructions for an open weight version of OpenAI’s ChatGPT to carry out a series of tasks — such as inspecting file systems, exfiltrating data and writing ransom notes.
- “ESET researchers told CyberScoop at the time that the code appeared to be unfinished or a proof of concept. Other than knowing it was uploaded by a user in the United States, the company had no further information about the malware’s origin.
- “Now, researchers at NYU’s Tandon School of Engineering have confirmed that they created the code as part of a project meant to illustrate the potential harms of AI-powered malware.”
- In a corresponding academic paper, the researchers call the project “Ransomware 3.0” and describe it as a new attack method. This technique “exploits large language models (LLMs) to autonomously plan, adapt, and execute the ransomware attack lifecycle.”
From the cybersecurity business and defenses front,
- Cyberscoop informs us,
- “Major cyber intrusions by the Chinese hacking groups known as Salt Typhoon and Volt Typhoon have forced the FBI to change its methods of hunting sophisticated threats, a top FBI cyber official said Wednesday.
- “U.S. officials, allied governments and threat researchers have identified Salt Typhoon as the group behind the massive telecommunications hack revealed last fall but that could have been ongoing for years. Investigators have pointed at Volt Typhoon as a group that has infiltrated critical infrastructure to cause disruptions in the United States if China invades Taiwan and Americans intervene.
- “Those hacks were stealthier than in the past, and more patient, said Jason Bilnoski, deputy assistant director of the FBI’s cyber division. The Typhoons have focused on persistent access and gotten better at hiding their infiltration by using “living off the land” techniques that involve using legitimate tools within systems to camouflage their efforts, he said. That in turn has complicated FBI efforts to share indicators of compromise (IOCs).
- “We’re having to now hunt as if they’re already on the network, and we’re hunting in ways we hadn’t before,” he said at the Billington Cybersecurity Summit. “They’re not dropping tools and malware that we used to see, and perhaps there’s not a lot of IOCs that we’d be able to share in certain situations.”
- The Wall Street Journal reports,
- “Japanese industrial giant Mitsubishi Electric said Tuesday that it intends to acquire U.S. cybersecurity company Nozomi Networks in a deal valued at about $1 billion.
- “Nozomi will become a wholly owned subsidiary of Mitsubishi Electric under the terms of the deal and operate independently. The transaction value includes $883 million in cash as well as previous equity.
- “Nozomi raised $100 million in a 2024 Series E funding round that included several heavyweights in operational technology, such as Mitsubishi Electric and Schneider Electric. Previous investors included Honeywell; the U.S. Central Intelligence Agency’s venture arm, In-Q-Tel; and Johnson Controls.
- “Nozomi Chief Executive Edgard Capdevielle said the company will continue to provide services to those prior investors and other companies after the acquisition, which is expected to close in the fourth quarter.
- “The fact that we’re now a wholly owned subsidiary of Mitsubishi does not change the fact that we will continue to be vendor-agnostic,” he said.”
- Dark Reading adds,
- “F5, a software company that improves application speed and security, today announced its plans to acquire CalypsoAI, a provider of adaptive artificial intelligence (AI) security capabilities. CalypsoAI’s technology will be integrated into the F5 Application Delivery and Security Platform (ADSP), F5 said.
- Founded in 2018, CalypsoAI focuses on real-time protection against threats targeting AI applications and models, such as prompt injection and jailbreaking. The platform brings threat defense, red teaming at scale, and data security to businesses preparing to launch or adopt generative and agentic AI. CalypsoAI came in second place at RSAC Conference’s Innovation Sandbox earlier this year as a company that protects models and agents with prompt firewalls.
- “By integrating CalypsoAI features into ADSP, F5 hopes to build modern firewalls and point solutions that can secure AI models, agents, and data flows. Traditional options “can’t keep up,” said François Locoh-Donou, president and CEO of F5, in a statement.”
- Here’s a link to Dark Reading’s CISO Corner.
