Cybersecurity Saturday

From the cybersecurity policy and law enforcement front.

  • Cyberscoop tells us,
    • “A top Senate Democrat introduced legislation Thursday to extend and rename an expired information-sharing law, and make it retroactive to cover the lapse that began Oct. 1.
    • “Michigan Sen. Gary Peters, the ranking member of the Homeland Security and Governmental Affairs Committee, introduced the Protecting America from Cyber Threats (PACT) Act, to replace the expired Cybersecurity and Information Sharing Act of 2015 (CISA 2015) that has provided liability protections for organizations that share cyber threat data with each other and the federal government. Industry groups and cyber professionals have called those protections vital, sometimes describing the 2015 law as the most successful cyber legislation ever passed.
    • “The 2015 law shares an acronym with the Cybersecurity and Infrastructure Security Agency, which some Republicans — including the chairman of Peters’ panel, Rand Paul of Kentucky — have accused of engaging in social media censorship. As CISA 2015 has lapsed and Peters has tried to renew it, “some people think that’s a reauthorization of the agency,” Peters told reporters Thursday in explaining the new bill name.” * * *
    • “Michael Daniel, leader of the Cyber Threat Alliance made up of cybersecurity companies, told CyberScoop that his organization hasn’t been affected by the lapse yet, but that’s partially because it’s an organization that was set up with the long term in mind, with a formalized structure that included information-sharing requirements for members.
    • “The lapse might also not immediately affect other organizations, he said, comparing it to the risks of the government shutdown underway.
    • “An hour-long lapse doesn’t really do very much, but the longer it goes on, the more you have time for organizations to say, ‘Well, maybe we need to reconsider what we’re doing, maybe we need to think about it differently,’” Daniel said. “The longer it goes on, you start having questions about, ‘Maybe this thing won’t get reauthorized down the road.’ And once you start questioning the long-term prospects, that’s when people start making changes in their behavior.”
  • The American Hospital Association News (“AHA”) informs us,
    • “The Health Sector Coordinating Council Oct. 7 released its Sector Mapping and Risk Toolkit, created to help health care providers and other organizations visualize key services that support essential health care workflows and determine which of them present critical risk of cyberattack disruption capable of impacting care delivery, operations and liquidity. The toolkit consists of 17 health care workflow maps and usage guidelines and encourages organizations to prioritize their risks, mitigate them where possible and develop recovery and continuity plans that cannot be controlled or mitigated.
    • “The SMART initiative was created in April 2024 as a response to the cyberattack on Change Healthcare two months earlier. The AHA contributed to the development of this project, which has helped identify these systemically important, mission-critical services for health care.”
  • AHA President and CEO Rick Pollack writes in the AHA News about his thoughts on this Cybersecurity Awareness Month.
    • “This week, the FBI issued an urgent warning to all users — including hospitals — of a critical security soft spot within Oracle’s E-Business Suite, stating “This is ‘stop-what-you’re-doing and patch immediately vulnerability.’”
    • “The vulnerability has allowed cyber bad actors to carry out data theft ransomware attacks. Oracle is offering a patch to address the security problem.
    • “This latest threat reminds us that cybercrime is ever-present, and health care has been the No. 1 target for years. Hospitals and health systems are committed to taking every possible precaution to protect system operability and patients’ personal data, and the good news is their defenses block most attacks.
    • “But no individual hospital can defend against all of these very sophisticated criminal and nation-state sponsored attacks. That’s why we need a whole-of-government approach to preventing and mitigating cyberattacks, including the federal government going after the bad guys as it has effectively done in counterterrorism.
    • “As we observe Cybersecurity Awareness Month this October, we must remain aware that the scope, frequency and sophistication of cyber incursions into health care have increased steadily. The evolving tactics used by bad actors to steal information, encrypt systems, delay and disrupt patient care, and shut down vital systems continue to put patient care and safety at risk.”
  • Dark Reading adds,
    • “Last night [October 9, 2025], the FBI, in coordination with law enforcement in France, seized the latest version of the BreachForums’ underground forum domain, which was converted earlier this month into an extortion site used by Scattered Lapsus$ Hunters, the gang behind the recent high-profile spate of Salesforce data heists.
    • “Scattered Lapsus$ Hunters is an apparent combination of the Scattered Spider, Lapsus$, and ShinyHunters cybercriminal groups that first emerged this past summer. It has been busy compromising Salesforce data and claims that Salesforce victims have up until midnight Eastern Time today, Oct. 10, to meet its ransom demands before it will start publishing the stolen records.
    • “Despite the BreachForums site being taken down, the group’s Tor Dark Web site is still accessible, and will be used to leak the data, the threat actors claimed.
    • “Aside from Salesforce data, Scattered Lapsus$ Hunters claims to have 1 billion records and 39 victim organizations listed on the site with sample data, such as Chanel, Disney and Hulu, Marriott, Google, Toyota, FedEx, and many more.
    • “For its part, Salesforce has issued its own statement, acknowledging the extortion attempts and reiterating that there is no indication that the Salesforce platform itself had been compromised.”

From the cybersecurity vulnerabilities and breaches front,

  • Cyberscoop reports,
    • “A brute-force attack exposed firewall configuration files of every SonicWall customer who used the company’s cloud backup service, the besieged vendor said Wednesday.
    • “An investigation aided by Mandiant confirmed the totality of compromise that occurred when unidentified attackers hit a customer-facing system of SonicWall controls. The company previously said less than 5% of its firewall install base stored backup firewall configuration files in the cloud-based service.
    • “SonicWall did not answer questions about the extent to which the investigation revealed a more widespread impact for its customers, or if its assessment of that 5% figure remained accurate. The company initially revised its disclosure to clarify the scope of exposure was less than 5% of firewalls as of Sept. 17 but has since removed that detail from the blog post.
    • “The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service,” the company said in a statement.” * * *
    • “Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a wave of about 40 Akira ransomware attacks between mid-July and early August.
    • “While those attacks were linked to exploited vulnerabilities in SonicWall devices, the latest attack marked a direct hit on SonicWall’s internal infrastructure and practices.”
  • Security Week tells us,
    • “Law firm Williams & Connolly said state-sponsored hackers breached some of its systems and gained access to attorney email accounts.
    • “The prominent Washington, DC-based law firm is known for representing political figures and government officials, including Barack Obama and the Clintons, as well as major companies such as Intel, Samsung, Google, Disney, and Bank of America.
    • “According to a statement issued by the company, an investigation conducted with the assistance of CrowdStrike showed that the hackers exploited an unspecified zero-day vulnerability to gain access to a “small number” of attorneys’ email accounts.
    • “The probe showed that the attack was likely the work of a state-sponsored hacker group known to have recently targeted law firms and other companies.
    • “Williams & Connolly said there was no evidence that confidential client data was stolen or that other parts of its IT system had been compromised.
    • “While the company’s statement does not mention China, The New York Times learned that Chinese hackers targeted Williams & Connolly, along with other law firms.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added nine known exploited vulnerabilities to its catalog this week.
  • Per Bleeping Computer,
    • “Threat actors are exploiting a zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox products, which allows a local attacker to access system files without authentication.
    • “At least three companies have been targeted so far. Although a patch is not yet available, customers can apply mitigations.
    • “CentreStack and Triofox are Gladinet’s business solutions for file sharing and remote access that allow using a company’s own storage as a cloud. According to the vendor, CentreStack “is used by thousands of businesses from over 49 countries.”
  • Cardiovascular Business relates,
    • “The U.S. Food and Drug Administration (FDA) has announced another new recall for Johnson & Johnson MedTech’s Automated Impella Controller (AIC) due to a significant cybersecurity risk.
    • “If the identified cybersecurity vulnerabilities are exploited, it may affect the essential performance of the AIC,” according to the FDA’s advisory.
    • “At this time, no cyberattacks have been tied to this specific issue. This is the fourth time in three months the FDA has shared serious safety concerns related to these devices, which serve as the primary user control interface for Impella catheters.”
  • Per Cybersecurity Dive,
    • “AI isn’t yet transforming how hackers launch phishing attacks, although it is helping them clean up their lures, the security firm Intel 471 said in a report published on Wednesday.
    • “Several factors have combined to keep AI in an evolutionary rather than revolutionary role, the report found.
    • “Still, business and government leaders need to pay attention to several increasingly common AI-assisted attack strategies.”

From the ransomware front,

  • Sophos shares its 2025 report on the state of ransomware in healthcare.
    • “Sophos’ latest annual study explores the real-world ransomware experiences of 292 healthcare providers hit by ransomware in the past year. The report examines how the causes and consequences of these attacks have evolved over time. This year’s edition also sheds new light on previously unexplored areas, including the organizational factors that left providers exposed and the human toll ransomware takes on retail IT and cybersecurity teams.”
  • TRM Labs points out “Nine Emerging Groups Shaping the Ransomware Landscape.”
    • “Artificial intelligence (AI) has lowered the barrier to entry for cybercriminals, allowing ransomware threat actors to automate coding, generate polymorphic malware — which alters its code with each infection to evade detection — and create more convincing social engineering lures. As a result, new groups are emerging rapidly, and established groups are scaling their operations.
    • “In this post, we take a closer look at nine emerging ransomware groups and examine how their off-chain and on-chain tactics are reshaping the ecosystem.”
  • The Hacker News relates,
    • “Three prominent ransomware groups, DragonForce, LockBit, and Qilin, have announced a new strategic ransomware alliance, once again underscoring continued shifts in the cyber threat landscape.
    • “The coalition is seen as an attempt on the part of the financially motivated threat actors to conduct more effective ransomware attacks, ReliaQuest said in a report shared with The Hacker News.
    • “Announced shortly after LockBit’s return, the collaboration is expected to facilitate the sharing of techniques, resources, and infrastructure, strengthening each group’s operational capabilities,” the company noted in its ransomware report for Q3 2025.
    • “This alliance could help restore LockBit’s reputation among affiliates following last year’s takedown, potentially triggering a surge in attacks on critical infrastructure and expanding the threat to sectors previously considered low risk.”
  • Per Cyberscoop,
    • “Microsoft Threat Intelligence said a cybercriminal group it tracks as Storm-1175 has exploited a maximum-severity vulnerability in GoAnywhere MFT to initiate multi-stage attacks including ransomware. Researchers observed the malicious activity Sept. 11, Microsoft said in a blog post Monday.
    • “Microsoft’s research adds another substantive chunk of evidence to a growing collection of intelligence confirming the defect in Fortra’s file-transfer service was exploited as a zero-day before the company disclosed and patched CVE-2025-10035 on Sept. 18.
    • “Despite this mounting pile of evidence, Fortra has yet to confirm the vulnerability is under active exploitation. The company has not answered questions or provided additional information since it updated its security advisory Sept. 18 to include indicators of compromise.
    • “Storm-1175, a financially motivated cybercrime group known for exploiting public vulnerabilities to gain access and deploy Medusa ransomware, exploited CVE-2025-10035 to achieve remote code execution, according to Microsoft.”
  • Per Dark Reading,
    • “A China-based threat group known as Storm-2603 has added a new weapon to its hacking arsenal.
    • “Cisco Talos researchers observed Storm-2603 abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in a recent ransomware attack. The open-source project, which was acquired by Rapid7 in 2021, was designed by security researcher Michael Cohen to assist incident response teams with endpoint monitoring and investigations. However, it seems attackers have turned the tables on defenders and are now leveraging Velociraptor to conceal their malicious activity.
    • “Storm-2603 initially burst onto the threat landscape in July as one of several threat groups exploiting a set of SharePoint vulnerabilities in an attack chain known as “ToolShell.” There, the threat actors gained access to SharePoint servers, moved laterally in the victims’ networks, and deployed Warlock ransomware. In a blog post published Thursday, Cisco Talos researchers said they responded to a different incident in August, in which threat actors dropped three different types of ransomware on the victim’s VMware ESXi servers — Warlock, LockBit, and Babuk — and caused severe disruption to the organization.
    • “In addition to the ransomware trio, Cisco Talos found Storm-2603 actors had also deployed Velociraptor to aid their attack. It was a shift in strategy; the researchers noted that the tool had not been definitively tied to ransomware attacks prior to August.”
  • and
    • “Chaos ransomware has gotten a significant facelift with an “aggressive” new variant that adds destructive tactics and clipboard hijacking for cryptocurrency theft, as well as other capabilities to bolster its operations for speed and effectiveness.
    • “Researchers from FortiGuard Labs have identified a new version of Chaos ransomware written in C++, the first not written in .NET, they revealed in a report published Wednesday. This evolution also introduces a host of new features that make the ransomware harder to disrupt once it’s in execution, as well as more destructive than previous versions.
    • “This evolution underscores Chaos’s shift toward more aggressive methods, amplifying both its operational impact and the financial risk it poses to victims,” FortiGuard researcher Yen-Ting Lee wrote in the report.”

From the cybersecurity defenses front,

  • Cybersecurity Dive reports,
    • “Managing cyber risk has become a point of emphasis in the insurance and asset management sector, with companies boosting annual expenditures and increasing oversight at the board level, according to a report released Wednesday by Moody’s.
    • “Almost seven of every 10 companies have a chief information security officer overseeing corporate cyber risk, while another 10% of companies have a chief information officer overseeing cybersecurity.
    • “More than 95% of organizations have their CISOs provide briefings directly to the chief executive officer at least on a semiannual basis. This compared with 88% using that practice in 2023.
    • “In addition, seven of 10 companies have their CISO brief the corporate board of directors, at least on a semiannual basis. This compares with 54% in 2023. Four of every 10 companies link CEO compensation to the company’s cybersecurity performance, a sharp increase from just 24% in 2023.”
  • The Wall Street Journal adds,
    • “Security chiefs are emerging as sought-after advisers as companies plunge headlong into artificial intelligence.
    • “Although the rising threat of cyberattacks has elevated the role of chief information security officers in recent years, some say they are appearing more frequently before their boards and senior executives to help unpack the risks associated with AI.
    • “Often jokingly referred to as the “Department of No” inside companies, security staff are now being actively consulted on AI implementations. This includes explaining risks to management and collaborating with other parts of the business that haven’t typically worked closely with cybersecurity.
    • “Security was always thought of as the boat anchor; what I want is to be the boat motor,” said Pablo De La Rosa, vice president of information security at electric vehicle infrastructure specialist Vontier.”
  • Dark Reading discusses the cyber-risks associated with AI note takers. “Transcription applications are joining your online meetings. Here’s how to create policies for ensuring compliance and security of your information.”
  • Security Week notes,
    • “Google has several projects focusing on the use of AI for the discovery of vulnerabilities in software. The tech giant recently reported that its Big Sleep agent discovered a critical SQLite vulnerability and thwarted efforts to exploit it in the wild.
    • “Its latest product is CodeMender, an AI agent that not only finds security holes but also patches them. The company argues that such tools are needed because as AI gets better at discovering flaws, it will be difficult for humans to keep up with patching.”
  • Here is a link to Dark Reading’s CISO Corner.