Cybersecurity Saturday - Ermer and Suter PLLC

From the cybersecurity policy front,

Federal News Network reports,
- “The Cybersecurity and Infrastructure Security Agency typically marks October’s awareness month with a range of public engagements and outreach campaigns. But under the ongoing government shutdown, CISA has furloughed nearly two-thirds of its staff and curtailed most public communication.
- “CISA is not actively managing its website under the shutdown. But the agency did establish a landing webpage for cybersecurity awareness month prior to the shutdown, detailing the campaign’s theme and linking to a toolkit.
- “CISA Director of Public Affairs Marci McCarthy said, “CISA remains fully committed to safeguarding the nation’s critical infrastructure,” as part of a statement.” * * *
- “Chris Cummiskey, a former state chief information officer and former chief management officer at DHS, said CISA typically retains enough employees to staff the agency’s watch floor, maintain technology that monitors federal networks for cyber threats, and collaborate with cyber defenders at other federal organizations, like U.S. Cyber Command.
- “But if a major cyber incident were to occur, CISA may not have enough staff immediately on hand to manage the event.
- “A key concern is, do you need to start recalling people?” Cummiskey said. “You probably wouldn’t have the onsite capacity to cover a major exploit without the additional help.”
- “In addition to the shutdown, key privacy and liability protections under the Cybersecurity Information Sharing Act of 2015 expired on Sept. 30. Those protections had been pivotal to encouraging the private companies to share cyber threat data with each other and with government agencies, including CISA.
- “Cyber experts say companies may be more hesitant to share information about new cyber threats and vulnerabilities without the statute’s protections.”

Cybersecurity Dive adds,
- “Michael Daniel, president of the Cyber Threat Alliance, an information-sharing group, predicted that some companies will “suspend some sharing activities with the government,” but he added that a lot will depend on “each company’s risk tolerance.”
- “I think some collaboration will continue,” he said, “but likely at reduced levels and requiring more human oversight.”
- “Ari Schwartz, managing director of cybersecurity services at the law firm Venable, said, “There will just be many more lawyers involved, and it will all go slower, particularly new sharing agreements.” Venable has advised clients on what to consider when establishing such agreements.
- “As for companies sharing information with each other, that likely will continue for now because of a lack of near-term concern about antitrust investigations, Daniel said. But companies’ attitudes could change if the program isn’t reauthorized.”

The National Institute of Standards announced on September 29, 2025,
- “As part of ongoing efforts to strengthen the protections for securing controlled unclassified information (CUI) in nonfederal systems [which includes FEHB and PSHB claims data], NIST has released the following drafts for comment:
- “SP 800-172r3 (Revision 3) fpd (final public draft), Enhanced Security Requirements for Protecting Controlled Unclassified Information, provides new enhanced security requirements that support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5.
- “SP 800-172Ar3 ipd (initial public draft), Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides a set of assessment procedures for the enhanced security requirements. These procedures are based on the source assessment procedures in SP 800-53Ar5.” * * *
- “A public comment period will be open from September 29 through November 14, 2025. Reviewers should submit comments on all or parts of the drafts to 800-171comments@list.nist.gov.”

Cybersecurity Dive tells us,
- “Barely any U.S. defense contractors say they’re fully prepared to comply with the Department of Defense’s new cybersecurity assessment program.
- “Only 1% of companies say they’re completely ready to be assessed through the Cybersecurity Maturity Model Certification (CMMC) program, which takes effect on Nov. 10, according to a report that the managed security provider CyberSheath published on Wednesday.
- “The percentage of respondents expressing confidence in their readiness has dropped over the past two years.”

From the cybersecurity vulnerabilities and breaches front,

NextGov/FCW reports on September 29, 2025,
- “A “widespread cybersecurity incident” at the Federal Emergency Management Agency allowed hackers to make off with employee data from both the disaster management office and U.S. Customs and Border Protection, according to a screenshot of an incident overview presentation obtained by Nextgov/FCW.
- “The hack is also suspected to have later triggered the dismissal of two dozen Federal Emergency Management Agency technology employees announced late last month, according to internal meeting notes and a person familiar with the matter.
- “The initial compromise began June 22, when hackers accessed Citrix virtual desktop infrastructure inside FEMA using compromised login credentials. Data was exfiltrated from Region 6 servers, the image says. That FEMA region services Arkansas, Louisiana, New Mexico, Oklahoma and Texas, as well as nearly 70 tribal nations.” * * *
- “DHS security operations staff were notified of the breach on July 7, the screenshot adds. On July 14, the unnamed threat actor used an account with high-level access and attempted to install virtual networking software that could allow them to extract information. Initial remediation steps were taken on July 16.
- “On Sept. 5, additional remediation actions were taken, including changing FEMA Zscaler policies and blocking certain websites, the screenshot says. Those actions were previously reported by Nextgov/FCW.”

CISA added ten known exploited vulnerabilities to its catalog this week.
- September 29, 2025
  - CVE-2021-21311 Adminer Server-Side Request Forgery Vulnerability
  - CVE-2025-20352 Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability
  - CVE-2025-10035 Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability
  - CVE-2025-59689 Libraesva Email Security Gateway Command Injection Vulnerability
  - CVE-2025-32463 Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability
    - CyberExpress discusses these KVEs.
- October 2, 2025
  - CVE-2014-6278 GNU Bash OS Command Injection Vulnerability
  - CVE-2015-7755 Juniper ScreenOS Improper Authentication Vulnerability
  - CVE-2017-1000353 Jenkins Remote Code Execution Vulnerability
  - CVE-2025-4008 Smartbedded Meteobridge Command Injection Vulnerability
  - CVE-2025-21043 Samsung Mobile Devices Out-of-Bounds Write Vulnerability
    - The Hacker New discusses these KVEs.

Following up on last Saturday’s post about the Cisco KVEs, Cybersecurity Dive lets us know,
- “Nearly 50,000 Cisco firewall devices with recently disclosed vulnerabilities are connected to the internet, according to new data.
- “Statistics from the Shadowserver Foundation illustrate the extent of the world’s exposure to the three flaws in Cisco’s Adaptive Security Appliance devices and Firepower Threat Defense devices, which earned a rare emergency patching directive from the Cybersecurity and Infrastructure Security Agency (CISA) after the Sept. 25 disclosure.
- “The United States has by far the most devices that have not been patched to block exploitation of the flaws, with Shadowserver tallying more than 19,000 vulnerable U.S. devices. The U.K. ranks second, with more than 2,700 vulnerable devices, followed by Japan, Germany and Russia. Other European countries have fewer than 1,000 vulnerable devices each.
- “Shadowserver’s records will reveal how quickly different countries are reducing their exposure as the organization continues collecting data in the coming days and weeks.
- “A sophisticated threat actor has been using two of the new Cisco flaws, CVE-2025-20362 and CVE-2025-20333, in a stealthy cyberattack campaign that has breached multiple federal agencies and other organizations worldwide. Both vulnerabilities involve improper validation of HTTPS requests, which could allow Cisco firewalls to accept malicious requests that bypass authentication. CVE-2025-20362 could allow hackers to access restricted VPN-related URLs, while CVE-2025-20333 could let intruders run arbitrary code as root.”

Cyberscoop points out,
- “Red Hat on Thursday [October, 2, 2025] confirmed an attacker gained access to and stole data from a GitLab instance used by its consulting team, exposing some customer data. The open-source software company, a subsidiary of IBM, said the breach is contained and an investigation into the attack is underway.
- “Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities,” Red Hat said in a security update. “Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance.”
- “Red Hat said the compromised GitLab instance contained work related to consulting engagements with some customers, including project specifications, example code snippets and internal communications about the consulting services.
- “This GitLab instance typically does not house sensitive personal data,” Red Hat said. “While our analysis remains ongoing, we have not identified sensitive personal data within the impacted data at this time.”
Dark Reading informs us,
- “The month-long outage for luxury car maker Jaguar Land Rover appears to be at an end, with the company working through a “controlled, phased restart” of its manufacturing operations this week, following a massive cyberattack that forced the company to shut down its systems.
- “JLR said on Sept. 2 that it had “proactively” shut down operations following a cyber incident, initially stating that customer data did not seem to be stolen, but revising that statement a week later. JLR, a subsidiary of Tata Motors, likely suffered $50 million to $70 million in lost revenue per week, with the total cost of the incident estimated at a staggering $1.7 billion to $2.4 billion.
- “The attack, and its vast impact, should be a warning for companies, says Chris Gibson, executive director of the Forum of Incident Response and Security Teams (FIRST).
- “The outage “highlights that even large corporations with substantial resources can be completely disrupted and that critical industries may be more vulnerable than previously thought,” he says. “This was far beyond data theft; it was a complete operational outage.”

Security Week adds,
- “Japanese brewing giant Asahi Group Holdings on Monday [September 29, 2025] announced that its operations in the country have been disrupted by a cyberattack.
- “The incident, the company said, resulted in system failures that affected orders and shipments at all its subsidiaries in the country, as well as call center operations, customer service desks included.
- “Reuters reported that production at some of Asahi’s 30 domestic factories has been suspended due to the cyberattack.
- “At this time, there has been no confirmed leakage of personal information or customer data to external parties,” the company said in a Monday notice.
- “Asahi said it is investigating the attack and working on restoring the affected systems but could not provide an estimated timeline for recovery.
- “The system failure is limited to our operations within Japan,” it said.
- “The company has not disclosed the nature of the cyberattack it fell victim to, but the system-wide outage could indicate that file-encrypting ransomware might have been used.”

From the ransomware front,

Cybersecurity Dive reports,
- “Corporate executives are being targeted in an email-based extortion campaign by a threat actor claiming affiliation with the notorious Clop ransomware gang, according to security researchers from Google Threat Intelligence Group and Kroll.
- “The hacker claims to have data stolen from breached Oracle E-Business Suite applications and has been demanding payment from various corporate executives, according to a LinkedIn post from Austin Larsen, principal threat analyst at GTIG.
- “While researchers have not been able to substantiate the claims of a data breach, they have confirmed important links to a financially motivated threat group tracked under the name FIN11, which has prior associations with Clop.”

Cyberscoop provides us with “the email Clop attackers sent to Oracle customers. The emails, which are littered with broken English, aim to instill fear, apply pressure, threaten public exposure and seek negotiation for a ransom payment.”

Dark Reading adds,
- After announcing its farewell last month, the cyber extortion group known as Scattered Lapsus$ Hunters returned on Friday with a website featuring stolen Salesforce data and a list of dozens of alleged victims.
- Scattered Lapsus$ Hunters is an apparent combination of the Scattered Spider, Lapsus$, and ShinyHunters cybercriminal groups, which first emerged over the summer in a public Telegram channel. However, just a few weeks later, the collective published a goodbye letter on Telegram and the Dark Web marketplace BreachForums, saying the three groups, as well as other threat actors, had “decided to go dark.”
- “But Scattered Lapsus$ Hunters burst back into the limelight this week with a Dark Web leak site devoted to the recent spate of Salesforce data thefts; one of the two distinct campaigns targeting Salesforce environments recently has been attributed to a threat group tracked by Google as UNC6040, which has claimed to be ShinyHunters in its extortion attempts.
- “According to Google, UNC6040 actors used vishing calls to convince IT support personnel at targeted organizations to grant them access to or credentials for the organizations’ Salesforce environments. Mandiant researchers this week said the threat actors have impersonated third-party vendors in the vishing calls and had also targeted users in victim organizations with elevated access to other SaaS applications.’

The American Hospital Association points out,
- “A Health-ISAC (Information Sharing and Analysis Center) bulletin released Oct. 1 warns of a recently released LockBit 5.0 ransomware variant that poses a threat to health care and other sectors. LockBit 5.0 is the latest version of the ransomware-as-a-service group that has previously attacked hospitals and other organizations in the U.S. and abroad. The notice said the new variant directly targets virtual environments and has improved and enhanced technical capabilities, evasion techniques and affiliate engagement. The variant is known to target Windows, Linux and VMware ESXi software. Health-ISAC said the new variant’s technical capabilities make it faster, more flexible for affiliates and harder for security to detect and analyze. LockBit was disrupted by authorities last year before resurfacing last month.
- “This is a very technical bulletin, but it’s important to note that it addresses a new version of a well-known ransomware,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “Hospitals should ensure that they have defensive measures in place and that those measures are tuned and working properly.”

HackRead reports on September 29,
- “The Medusa ransomware group is claiming responsibility for a ransomware attack on Comcast Corporation, a global media and technology company best known for its broadband, television, and film businesses.
- “According to the group’s dark web leak site, they exfiltrated 834.4 gigabytes of data and are demanding $1.2 million for interested buyers to download it. The same sum has been set as ransom for Comcast if the company wants the data deleted rather than leaked or sold.
- “To back its claims, Medusa has posted around 20 screenshots allegedly showing internal Comcast files. The group also shared a massive file listing of 167,121 entries, suggesting access to actuarial reports, product management data, insurance modelling scripts, and claim analytics.” * * *
- “Medusa ransomware is known for publishing file listings and partial screenshots as proof of compromise while holding back the bulk of the data to increase ransom pressure. In this case, the nature of the files points toward actuarial and financial datasets, some of which appear to involve insurance calculations, customer data processing, and claim management systems.”
HelpNetSecurity provides us background about and advice on how to avoid Akira ransomware.

Wired notes that “Google has launched a new AI-based protection in Drive for desktop that can shut down a [ransomware] attack before it spreads—but its benefits have their limits.”

From the cybersecurity defenses front,

Per ISACA,
- “Cybersecurity professionals from around the world recently weighed in on some of the key findings from ISACA’s latest State of Cybersecurity survey report. Aparna Achanta, security leader, IBM (US); Simon Backwell, head of information security, Benefex (UK); Donavan Cheah, senior cybersecurity consultant, Thales (Singapore); Jenai Marinkovic, vCISO/CTO, Tiro Security, and CEO & chairman of the board, GRCIE (US); Kannammal Gopalakrishnan, cybersecurity and GRC professional (India), and Carlos Portuguez, Sr. Director BISO, Concentrix (Costa Rica)—all of whom are also members of ISACA’s Emerging Trends Working Group—reflect on how these stats show up for them in the profession.”
and
- “Phishing has escalated beyond masquerading techniques. Traditional attacks depended on typos, being in a rush and not so well-disguised social engineering. But hackers today use generative AI, such as WormGPT or FraudGPT, and even deepfakes, to create perfect messages with contextual background that can effortlessly be mixed with everyday corporate messages. Cofense has noted that it receives an AI-enhanced malicious email every 42 seconds, with that pace expected to accelerate in the months to come. This hypergrowth is an indication that phishing is not an outlying issue anymore but a mainstream cyber-crime, now with AI-driven precision.
- “The next pivot is neuro-phishing, which can tie in the details of biometric and psycho-physiological indicators, like the EEG, micro-hesitation spikes, blink frequency, and the focus of the eyes, to see the response of the user in real-time and work a different approach. Previous and extensive studies have already established the reliability of finding recognition and stress using the EEG, when users are stimulated with phishing. This is not passive baiting anymore, but a dynamic, cognitive feedback loop, which transforms human users into interactive targets.”
- The article offers advice on creating resilience against neuro-phishing.
Dark Reading adds,
- “Email security has long dominated the enterprise security conversation — and rightfully so. It remains a key vector for phishing, credential theft, and social engineering. But in 2025, the threat landscape has shifted. Quietly yet decisively, attackers increasingly are bypassing the inbox and expanding their reach across multiple channels.
- “Recent data from TechMagic shows that 41% of phishing incidents now employ multichannel tactics, including SMS (smishing), voice calls (vishing), and QR codes (quishing). The trend is clear: While email still matters, adversaries are shifting to mobile-first platforms like text, iMessage, WhatsApp, and social direct messages. These attacks are harder to spot, more difficult to control, and more likely to succeed, because they target the most vulnerable point in the chain: the human behind the screen.
- “To address this growing threat to mobile platforms, new security approaches are emerging that leverage AI-driven defenses to identify and prevent social engineering attacks in real-time. By training large language models (LLMs) to understand the content and intent behind messages, these systems can flag suspicious activity and enforce protective measures before users fall victim. Whether it’s a text message posing as IT support or impersonating a vendor, these next-generation solutions focus on stopping threats at the human layer — not just at the device.”
Infosecurity Magazine explains how “AI-Generated Code Used in Phishing Campaign Blocked by Microsoft.”

Per CISO Online,
- “A surge in vulnerabilities and exploits leaving overloaded security teams with little recourse but to embrace risk-based approaches to patching what they can.
- “Enterprise attack surfaces continue to expand rapidly, with more than 20,000 new vulnerabilities disclosed in the first half of 2025, straining already hard-pressed security teams.
- “Nearly 35% (6,992) of these vulnerabilities have publicly available exploit code, according to the Global Threat Intelligence Index study by threat intel firm Flashpoint.
- “The volume of disclosed vulnerabilities has more than tripled while the amount of exploit code has more than doubled since the end of February 2025 alone.
- “These increases make it no longer feasible for most organizations to triage, remediate, or mitigate every vulnerability, Flashpoint argues, suggesting enterprises need to apply a risk-based patching framework. But some experts quizzed by CSO went further — arguing a complete operational overhaul of vulnerability management practices is needed.
- The article delves into that approach.

Per the National Institute of Standards,
- “The NIST National Cybersecurity Center of Excellence (NCCoE) has finalized a guide, NIST Special Publication (SP) 1334, Reducing the Cybersecurity Risks of Portable Storage Media in Operational Technology (OT) Environments, to help organizations protect their industrial control systems from cybersecurity threats when using removable media devices.
- “Portable storage media devices, like USB flash drives, are commonly used to transfer data between computers. However, using them in OT environments and industrial control systems, such as those used in power plants or manufacturing facilities, can pose a cybersecurity risk. If a USB device is infected with malware, it can spread to the industrial control system and cause problems, such as disrupting operations or compromising safety.
- “This NCCoE resource suggests implementing physical and technical controls to limit access to these devices and ensure they are used securely.”

Here is a link to Dark Readings’ CISO Corner.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Subscribe to FEHBlog