Cybersecurity Saturday - Ermer and Suter PLLC

From the cybersecurity policy and law enforcement front,

Health ISAC reminds us,
- “Despite widespread public and private interest in reauthorizing the U.S. Cybersecurity Information Sharing Act of 2015 (“CISA 2015”)[i], we are rapidly approaching September 30th, the date when the Act is set to expire barring congressional action to extend it. With time running short, let’s assess the options still being considered and breakdown how and why reauthorization is going down to the wire.” * * *
- “The current most likely path for a CISA 2015 reauthorization is not a simple standalone bill that is quickly passed by both chambers. Instead, the most likely path runs through a short term extension as part of a continuing resolution (“CR”) and then through the National Defense Authorization Act (“NDAA”).
- “For those who are unfamiliar, a CR is a “temporary spending [bill] that [allows] federal government operations to continue when final appropriations have not been approved by Congress and the President. Without final appropriations or a CR, there could be a lapse in funding that results in a government shutdown.”[ii] The NDAA is an annual end of year bill that provides appropriations for the Department of Defense (“DOD”). It is generally considered to be a “must pass” piece of legislation that lawmakers attempt to add otherwise unrelated policy matters.”

Nextgov/FCW tells us,
- “Greg Barbaccia, the federal chief information officer, says that the Office of Management and Budget is backing the General Services Administration’s overhaul of FedRAMP, the government’s cloud security assessment and authorization program.
- “GSA launched FedRAMP 20x — meant to use more automation in place of annual assessments, cut red tape and speed up authorizations — in March. It announced its phase two pilot on Wednesday.
- “Barbaccia acknowledged the past problems with FedRAMP at a Wednesday event held by the Alliance for Digital Innovation.
- “I have done FedRAMP in my past life,” said Barbaccia, who previously worked at Palantir and more recently at a machine-learning enabled asset manager. “What a pain in the butt.”
- “The FedRAMP program is planning on pursuing 10 pilot authorizations at the Moderate security level as part of the new phase of FedRAMP 20x, said FedRAMP Director Pete Waterman.”

Per a Cybersecurity and Infrastructure Security Agency (“CISA”) news release,
- Today [September 23, 2025], the Cybersecurity and Infrastructure Security Agency (CISA) announced the appointment of Stephen L. Casapulla as the Executive Assistant Director for Infrastructure Security.
- “I am pleased to have Steve expand his role on CISA’s leadership team,” said Acting Director Madhu Gottumukkala. “With his extensive experience in critical infrastructure security and working with stakeholders, he is perfectly poised to lead our efforts in securing the nation’s critical infrastructure. I look forward to working with him on this important mission.”
- Prior to joining CISA, Casapulla served as the Director for Critical Infrastructure Cybersecurity in the Office of the National Cyber Director. He previously spent over thirteen years at CISA and its predecessor, holding a variety of senior roles. His prior federal service includes work at the Small Business Administration and at the Department of State in Iraq. He also serves as an officer in the U.S. Navy Reserve, with over twenty years of service and multiple overseas deployments.

From the cybersecurity vulnerabilities and breaches front,

Cybersecurity Dive reports,
- “The Cybersecurity and Infrastructure Security Agency on Thursday [September 25, 2025,] ordered U.S. government agencies to patch multiple vulnerabilities in Cisco networking products, saying an “advanced threat actor” was using them in a “widespread” campaign.
- “This activity presents a significant risk to victim networks,” CISA said in an emergency directive that laid out a mandatory timeline for agencies to identify, analyze and patch vulnerable devices.
- “The hacking campaign — an extension of the sophisticated “ArcaneDoor” operation that Cisco first revealed in April 2024 — has compromised multiple federal agencies, two U.S. officials told Cybersecurity Dive. Both officials requested anonymity to discuss a sensitive and evolving investigation.”

Cyberscoop adds,
- “Cisco said it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May. The vendor, which attributes the attacks to the same threat group behind an early 2024 campaign targeting Cisco devices it dubbed “ArcaneDoor,” said the new zero-days were exploited to “implant malware, execute commands, and potentially exfiltrate data from the compromised devices.”
- “Cisco disclosed three vulnerabilities affecting its Adaptive Security Appliances — CVE-2025-20333, CVE-2025-20363 and CVE-2025-20362 — but said “evidence collected strongly indicates CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign.”
- “The Cybersecurity and Infrastructure Security Agency said those two zero-days pose an “unacceptable risk” to federal agencies and require immediate action.”

Dark Reading points out,
- “The Cybersecurity and Infrastructure Security Agency (CISA) this week disclosed that threat actors breached a federal agency last year by exploiting a critical vulnerability in the open source GeoServer mapping server.
- “In the advisory, CISA said it conducted incident response at a large, unnamed federal civilian executive branch (FCEB) agency after malicious activity was flagged by the agency’s endpoint detection and response (EDR) platform, but found the agency’s response playbook to be lacking; so lacking in fact that it hampered CISA’s investigation and allowed the attackers to burrow deeper into the network unchecked.

Cybersecurity Dive adds,
- “[On September 23, 2025,] the Cybersecurity and Infrastructure Security Agency urged security teams to monitor their systems following a massive supply chain attack that struck the Node Package Manager ecosystem.
- “The attack, tracked under the name Shai-Hulud, involved a self-replicating worm that compromised more than 500 software packages, according to StepSecurity.
- “After gaining access, a malicious attacker injected malware and scanned the environment for sensitive credentials. The credentials included GitHub Personal Access Tokens and application programming interface keys for various cloud services, including Amazon Web Services, Google Cloud Platform and Microsoft Azure.
- “The stolen credentials were uploaded to an endpoint controlled by the attacker and then uploaded to a public repository called Shai-Hulud.
- “Researchers at Palo Alto Networks said the attacker used an LLM to write the malicious script, according to an updated blog post released Tuesday.”

CISA added one known exploited vulnerability to its catalog this week.
- September 23, 2025
  - CVE-2025-10585 Google Chromium V8 Type Confusion Vulnerability
    - Cybersecurity News discusses this KVE here.

Cybersecurity Dive relates,
- “Hackers are conducting brute force attacks against the MySonicWall.com portal in order to access the company’s cloud backup service for firewalls, SonicWall and federal authorities warned in advisories released Monday [September 22, 2025].
- “SonicWall said its investigation found that hackers gained access to 5% of backup firewall preference files. The company warned that while credentials inside the files were encrypted, the files contained other information that could help attackers exploit the firewall, according to the advisory.
- “SonicWall also released a video explaining the scope of the incident.
- “In an advisory on Monday, the Cybersecurity and Infrastructure Security Agency urged customers to log into their accounts to determine whether their devices are at risk.”

Cyberscoop reports,
- “The Secret Service said Tuesday [September 23, 2025] that it disrupted a network of electronic devices in the New York City area that posed imminent telecommunications-based threats to U.S. government officials and potentially the United Nations General Assembly meeting currently underway.
- “The range of threats included enabling encrypted communications between threat groups and criminals or disabling cell towers and conducting denial-of-service attacks to shut down cell communications in the region. Matt McCool, special agent in charge of the Secret Service’s New York field office, said the agency’s early analysis of the network indicated “cellular communications between foreign actors and individuals that are known to federal law enforcement.”
- “In all, the agency said it discovered more than 300 servers and 100,000 SIM cards spread across multiple sites within 35 miles of the U.N. meeting. The Secret Service announcement came the same day President Donald Trump was scheduled to deliver a speech to the General Assembly.
- “The potential for disruption to our country’s telecommunications posed by this network of devices cannot be overstated,” U.S. Secret Service Director Sean Curran said in a news release.”

Cyberscoop warns,
- “Ambitious, suspected Chinese hackers with a slew of goals — stealing intellectual property, mining intelligence on national security and trade, developing avenues for future advanced cyberattacks — have been setting up shop inside U.S. target networks for exceptionally long stretches of time, in a breach that the researchers who uncovered it said could present problems for years to come.
- “Mandiant and Google Threat Intelligence Group (GTIG) researchers described the campaign as exceptionally sophisticated, stealthy and complex, calling those behind it a “next-level threat.” But they don’t yet have a full handle on who the hackers are behind the malware they’ve dubbed Brickstorm, or how far it stretches. A blog post the company posted Wednesday sheds light on the group.
- “The primary targets are legal services organizations and tech companies that provide security services, the researchers said. But the hackers aren’t limiting their interest to the primary targets, since they’ve used that access to infiltrate “downstream” customers. The researchers declined to describe those downstream customers or say whether U.S. federal agencies are among those targeted. A great many of them don’t know yet that they’re victims, they said.
- “By stealing intellectual property from security-as-a-service (SaaS) firms, the hackers aim to find future zero-day vulnerabilities, a kind of vulnerability that is previously unknown and unpatched and thus highly prized, in order to enable more attacks down the line, the researchers from Mandiant and its parent company Google said.”

Per Dark Reading,
- “Salesforce Web forms can be manipulated by the company’s “Agentforce” autonomous agent into exfiltrating customer relationship management (CRM) data — a concerning development as legacy software-as-a-service (SaaS) providers race to integrate agentic AI into their platforms to zhuzh up the user experience and generate buzz among investors.
- “Agentforce is an agentic AI platform built into the Salesforce ecosystem, which allows users to spin up autonomous agents for most conceivable tasks. As the story often goes though, the autonomous technology appears to be the victim of the complexity of AI prompt training, according to researchers at Noma Security.
- “To wit: The researchers have identified a critical vulnerability chain in Agentforce, carrying a 9.4 out of 10 score on the CVSS vulnerability-severity scale. In essence it’s a cross-site scripting (XSS) play for the AI era — an attacker plants a malicious prompt into an online form, and when an agent later processes it, it leaks internal data. In keeping with all of the other prompt injection proofs-of-concept (PoCs) coming out these days, Noma has named its trick “ForcedLeak.”

From the ransomware front,

Cybersecurity Dive reports,
- “RTX Corp., the parent firm of Collins Aerospace, confirmed that ransomware was used in the hack of its airline passenger processing software, in a filing with federal regulators.
- “The attack, discovered on Sept. 19, has disrupted flights across Europe since last week, including at London’s Heathrow Airport, Brussels Airport, and airports in Berlin and Dublin.
- “The Multi-User System Environment software, known as MUSE, is used by multiple airlines to check-in and board passengers and is also used to track baggage, according to the filing with the U.S. Securities and Exchange Commission.
- “Virginia-based RTX said the MUSE system operates on a customer-specific network outside of the company’s enterprise network.
- “U.K. authorities said Wednesday that a man in his 40s had been arrested on suspicion of violating the Computer Misuse Act. The police investigation is ongoing.”

Dark Reading points out,
- “Volvo Group North America (Volvo NA) has been breached via a third-party human resources (HR) software provider.
- “At the root of the story is Miljödata, a Swedish company specializing in occupational software-as-a-service (SaaS), whose cloud infrastructure was breached in August. Thanks to its centralized, multi-tenant arrangement, hundreds of customers and millions of individuals have been affected. In a recent letter to its staff, Volvo NA, whose parent company is based in Sweden, revealed itself to be one such victim.
- “Like other Miljödata customers, Volvo NA’s systems were untouched by the attack. Still, its employees’ names and Social Security numbers (SSNs) were stolen, and potentially published to the Dark Web. According to its website, Volvo NA employs just shy of 20,000 people.
- “For municipalities, universities, and even big corporations like Volvo, this isn’t just a security issue, it’s an integrity issue,” says Anders Askasen, vice president of product marketing at Radiant Logic. “People suddenly wonder whether the systems handling their most sensitive data are fit for the purpose, and with good reason. That loss of confidence is as damaging as the leak itself.”

Industrial Cyber tells us,
- “The Rhysida ransomware gang claimed responsibility for a late-August data breach at the Maryland Transit Administration. Exposed data includes names, surnames, dates of birth, driver’s licenses, SSNs, passports, and confidential information.
- “The group is said to have demanded a ransom of 30 bitcoin, around US $3.4 million at the time of writing, to be paid within seven days. To support its claim, Rhysida posted images of documents allegedly stolen from the MTA, including scans of a Social Security card, driver’s license, passport, and several other records.
- “Comparitech identified that to prove its claim, Rhysida posted images of what it says are documents stolen from the MTA. They include scans of a Social Security card, driver’s license, passport, and several other documents.
- “The Maryland Transit Administration is a division of the state’s Department of Transportation. It operates buses, light rail, subways, commuter trains, taxis, and a paratransit system. The MTA specifically mentioned the paratransit system, MobilityLink, being disrupted by the cyber attack.”

Per the Record,
- “Ransomware hackers stole Social Security numbers, financial information and more during a recent cyberattack on Union County in Ohio.
- “The county government began sending out breach notifications to 45,487 local residents and county employees this week. The letters say ransomware was detected on the county’s network on May 18, prompting officials to hire cybersecurity experts and notify federal law enforcement agencies.
- “The hackers stole documents that had names, Social Security numbers, driver’s license numbers, financial account information, fingerprint data, medical information, passport numbers and more.
- “No ransomware gang has taken credit for the attack publicly, and the letters said the county has been monitoring internet sources but have not found any indication the stolen information was released or offered for sale.
- “The county has about 71,000 residents and is 45 minutes outside of Columbus — which dealt with its own ransomware attack one year ago.”

HIPAA Journal lets us know,
- “There’s good and bad news on the ransomware front. Attacks are down year-over-year; however, successful attacks are proving even costlier to mitigate, according to the Mid-Year Risk Report from the cyber risk management company Resilience. The company saw a 53% reduction in cyber insurance claims in the first half of the year, which indicates organizations are getting better at preventing attacks; however, when ransomware attacks succeed, they have been causing increased financial harm, with losses 17% year-over-year. While ransomware accounted for just 9.6% of claims in H1, 2025, ransomware attacks accounted for 91% of incurred losses.
- “On average, a successful ransomware attack causes $1.18 million in damages, up from $1.01 million in 2024, and the cost is even higher in healthcare. Resilience’s healthcare clients suffered average losses of $1.3 million in 2024, and in the first half of 2025, some healthcare providers faced extortion demands as high as $4 million. While it is too early to tell what the severity of claims will be in 2025 until claims are settled, Resilience said there are indications that the average severity of incurred losses for healthcare ransomware attacks this year could be $2 million, up from an average of $705,000 in 2024 and $1.6 million in 2023.”

From the cybersecurity defenses front,

Cyberscoop advises,
- “Artificial intelligence is no longer a future concept; it is being integrated into critical infrastructure, enterprise operations and security missions around the world. As we embrace AI’s potential and accelerate its innovation, we must also confront a new reality: the speed of cybersecurity conflict now exceeds human capacity. The timescale for effective threat response has compressed from months or days to mere seconds.
- “This acceleration requires removing humans from the tactical security loop. To manage this profound shift responsibly, we must evolve our thinking from abstract debates on “AI safety” to the practical, architectural challenge of “AI security.” The only way to harness the power of probabilistic AI is to ground it with deterministic controls.”

A Dark Reading commentator recommends that “With the emergence of AI-driven attacks and quantum computing, and the explosion of hyperconnected devices, zero trust remains a core strategy for security operations.”

Per a CISA news releases,
- “In today’s increasingly interconnected industrial landscape, operational technology (OT) systems are no longer isolated islands of automation—they’re deeply entwined with information technology and business networks, making them prime targets for cyber threats. Recognizing this growing risk, the Cybersecurity and Infrastructure Security Agency (CISA) collaborated with three U.S. federal agencies and five international partners and received contributions from twelve private sector stakeholders to develop and publish, “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators”.
- “This key resource helps owners and operators of OT systems create stronger, more secure infrastructures by building a clear inventory and classification of their assets. By identifying, organizing, and managing OT assets effectively, organizations can not only improve cybersecurity but also enhance operational reliability, safety, and resilience.”

Per National Institute of Standards news releases,
- “NIST has released Special Publication (SP) 800-88r2 (Revision 2), Guidelines for Media Sanitization.
- “Media sanitization is a process that renders access to the target data on media infeasible for a given level of effort. This guide will assist organizations and system owners in setting up a media sanitization program with proper and applicable methods and controls for sanitization and disposal based on the sensitivity of their information.”
and
- “NIST has released Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions. It is the final document in the SP 800-90 series, which supports the generation of high-quality random bits for cryptographic and non-cryptographic use.
- “SP 800-90C specifies constructions for implementing random bit generators (RBGs) that include deterministic random bit generator (DRBG) mechanisms as specified in SP 800-90A and use entropy sources as specified in SP 800-90B.”

Here is a link to Dark Reading’s CISO Corner.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Subscribe to FEHBlog